Click for home page
Office of the ATTORNEY GENERAL
GREG ABBOTT
image
 

July 1, 2003

Mr. Jeffrey S. Young
Associate General Counsel
Texas Tech University Health Sciences Center
3601 4th Street, Stop 6246
Lubbock, Texas 79430-6246

OR2003-4514

Dear Mr. Young:

You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 182928.

The Texas Tech University Health Sciences Center (the "center") received a request for all files maintained by a named individual concerning the requestor. You state that a portion of the requested information has been provided to the requestor. However, you claim that some of the requested information is excepted from disclosure under sections 552.101, 552.111, and 552.117 of the Government Code. We have considered the exceptions you claim and reviewed the submitted information.

First, we will address the exceptions you raise in regard to Exhibits E and G-147. Section 552.101 excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." You claim that Exhibits E and G-147 are not subject to release pursuant to regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and that the information is therefore excepted from disclosure under section 552.101 of the Government Code in conjunction with these regulations. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164. Under these standards, a covered entity may not use or disclose protected health information, excepted as provided by parts 160 and 164 of the Code of Federal Regulations. 45 C.F.R. § 164.502(a).

Section 160.103 defines a covered entity as a health plan, a health clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter C, Subtitle A of Title 45. 45 C.F.R. § 160.103. In this instance, the center explains that it is a health care provider for purposes of section 160.103.(1) Therefore, we will next determine whether the submitted information is protected health information under the federal law.

Section 160.103 of title 45 of the Code of Federal Regulations defines the following relevant terms as follows:

Health information means any information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph

(2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media;

(iii) Transmitted or maintained in any other form or medium.

45 C.F.R. § 160.103. You contend that the highlighted information in Exhibits E and G-147 constitutes individually identifiable protected health information. Upon review of the highlighted information, we agree that most of it is protected health information as contemplated by HIPAA. We have marked the information that is not protected health information under HIPAA. In regard to the protected health information, however, we note that a covered entity may use protected health information to create information that is not individually identifiable health information, i.e., information that is de-identified. 45 C.F.R. § 164.502(d)(1). The privacy standards that govern the uses and disclosures of protected health information do not apply to information de-identified in accordance with sections 164.514(a) and (b) of the Code of Federal Regulations. 45 C.F.R. § 164.502(d)(2).

Under HIPAA, a covered entity may determine health information is not individually identifiable only under certain circumstances. One method requires a person with specialized knowledge of generally accepted statistical and scientific principles and methods for rendering information de-identifiable to apply and document such methods and principles to determine release of protected health information would result in a very small risk of individual identification. 45 C.F.R. § 164.514(b)(1). The other method requires the covered entity to meet the following two criteria: 1) remove specific identifiers, including but not limited to, names, dates directly related to an individual, telecommunication numbers, vehicle identifiers, and any other unique identifying number, characteristic, or code and 2) have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See 45 C.F.R. § 164.514(b)(2)(i), (ii). We have marked the specific identifiers in the submitted protected health information. See 45 C.F.R. § 164.514(b)(2)(i)(A)-(R). To the extent that the center has no actual knowledge that release of the de-identified information could be used alone or in combination with other information to identify the subject of the health information, you must withhold the information we have marked in Exhibits E and G-147 under section 552.101 of the Government Code in conjunction with HIPAA, and release the remaining de-identified information, subject to the Medical Practices Act (the "MPA") discussion. However, if the center has actual knowledge that release of the de-identified information could be used alone or in combination with other information to identify the subject of the health information, you must withhold the protected health information in Exhibits E and G-147 in its entirety under section 552.101 of the Government Code in conjunction with HIPAA.

Next, we note the applicability of section 159.002 of the Occupations Code, a section of the MPA, to the de-identified health information in Exhibits E and G-147. Generally, HIPAA preempts a contrary provision of state law. See 45 C.F.R. § 160.203. For purposes of HIPAA, "contrary" means the following:

(1) A covered entity would find it impossible to comply with both the State and federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable.

45 C.F.R. § 160.202. It is not impossible for the center to comply with both section 159.002 and HIPAA. Furthermore, section 159.002 is not an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA. In fact, one of the purposes of section 159.002 is to protect patient privacy. Therefore, HIPAA does not preempt section 159.002.

Section 159.002 provides in pertinent part:

(b) A record of the identity, diagnosis, evaluation, or treatment of a patient by a physician that is created or maintained by a physician is confidential and privileged and may not be disclosed except as provided by this chapter.

(c) A person who receives information from a confidential communication or record as described by this chapter, other than a person listed in Section 159.004 who is acting on the patient's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained.

Occ. Code § 159.002( b), (c). Information that is subject to the MPA includes both medical records and information obtained from those medical records. See Occ. Code § 159.002(a), (b), (c); Open Records Decision No. 598 (1991). Based on our review of the submitted information, we have marked the information in Exhibits E and G-147 that is subject to the MPA. In this case, this marked information must be withheld from disclosure under section 552.101 of the Government Code. However, the remaining information in Exhibits E and G-147 was not created or maintained by a physician or someone under the supervision of a physician and does not contain information obtained from medical records. Therefore, the MPA is inapplicable to the remainder of Exhibits E and G-147.

In regard to the remaining information in Exhibit G, you assert section 552.111 of the Government Code. Section 552.111 excepts from disclosure "an interagency or intraagency memorandum or letter that would not be available by law to a party in litigation with the agency." In Open Records Decision No. 615 (1993), this office reexamined the predecessor to the section 552.111 exception in light of the decision in Texas Department of Public Safety v. Gilbreath, 842 S.W.2d 408 (Tex. App.--Austin 1992, no writ), and held that section 552.111 excepts only those internal communications consisting of advice, recommendations, opinions, and other material reflecting the policymaking processes of the governmental body. City of Garland v. Dallas Morning News, 22 S.W.3d 351, 364 (Tex. 2000); Arlington Indep. Sch. Dist. v. Texas Attorney Gen., 37 S.W.3d 152 (Tex. App.--Austin 2001, no pet.). An agency's policymaking functions do not encompass internal administrative or personnel matters; disclosure of information relating to such matters will not inhibit free discussion among agency personnel as to policy issues. ORD 615 at 5-6. Additionally, section 552.111 does not generally except from disclosure purely factual information that is severable from the opinion portions of internal memoranda. Arlington Indep. Sch. Dist., 37 S.W.3d at 160; ORD 615 at 4-5. Having reviewed the information at issue, we conclude that the remaining information in Exhibit G does not consist of advice, opinions, recommendations, or other material reflecting the policymaking processes of the center. Therefore, you may not withhold any portion of the remaining information in Exhibit G under section 552.111 of the Government Code.

Finally, you assert section 552.117 of the Government Code in regard to the highlighted information in Exhibit F. Section 552.117(1) excepts from disclosure the home addresses and telephone numbers, social security numbers, and family member information of current or former officials or employees of a governmental body who request that this information be kept confidential under section 552.024. Whether a particular piece of information is protected by section 552.117(1) must be determined at the time the request for it is made. See Open Records Decision No. 530 at 5 (1989). Therefore, the center may only withhold information under section 552.117(1) on behalf of current or former officials or employees who made a request for confidentiality under section 552.024 prior to the date on which the request for this information was made. We note that section 552.117(1) is inapplicable to an employee's work telephone number. For an employee who timely elected to keep her personal information confidential, you must withhold the employee's home telephone number and social security number. The center may not withhold this information under section 552.117(1) for an employee who did not make a timely election to keep the information confidential.

In summary, we conclude that to the extent that the center has no knowledge that release of the de-identified information in Exhibits E and G-147 could be used alone or in combination with other information to identify the subject of the health information, you must withhold the information we have marked under section 552.101 of the Government Code in conjunction with HIPAA, and release the remaining de-identified information, subject to the MPA discussion. However, if the center has knowledge that release of the de-identified information could be used alone or in combination with other information to identify the subject of the health information, you must withhold the protected health information in Exhibits E and G-147 in its entirety under section 552.101 of the Government Code in conjunction with HIPAA. Additionally, we conclude that: 1) the additional information we have marked in Exhibit E is subject to the MPA, and it must be withheld under section 552.101 of the Government Code; and 2) if the employee in question made a timely section 552.024 election, you must withhold her home telephone number and social security number under section 552.117 of the Government Code. All remaining information must be released.

This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances.

This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a).

If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877) 673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e).

If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ).

Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512) 475-2497.

If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling.

Sincerely,

W. Montgomery Meitler
Assistant Attorney General
Open Records Division
WMM/lmt
Ref: ID# 182928
Enc: Submitted documents

c: Ms. Jennifer Cunningham
2128 54th Street
Lubbock, Texas 79412
(w/o enclosures)


 

Footnotes

1. Pursuant to section 552.303(c) of the Government Code, on June 17, 2003 this office sent a notice to the center via facsimile requesting that it provide further information regarding the applicability of HIPAA. The center submitted its response on June 23, 2003.
 

POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US
An Equal Employment Opportunity Employer

Home | ORLs