 Office of the ATTORNEY GENERAL GREG ABBOTT | |
|
July 25, 2003 Ms. Rebecca L. Payne
OR2003-5152 Dear Ms. Payne: You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 184849. The Texas Department of Human Services (the "department") received a written request for records pertaining to the decertification of Interim Healthcare, Inc. ("Interim"), including "copies of Medicare certification and State licensure surveys, disclosure of ownership, and legal proceedings for the past three years." You state that the department has released some responsive information to the requestor. You also state that the department will withhold some responsive information from the requestor pursuant to the previous determination issued in Open Records Letter No. 2001-5348 (2001). See Gov't Code § 552.301(a); see also Open Records Decision No. 673 at 6-9 (2001) (delineating instances in which attorney general decision constitutes previous determination under Gov't Code § 552.301). You claim, however, that portions of the remaining requested information are excepted from disclosure pursuant to section 552.101 of the Government Code. We have considered the exception you claim and have reviewed the submitted information. Before we address the applicability of the exception you raised, we must first address certain procedural matters. Section 552.301 of the Government Code dictates the procedure that a governmental body must follow when it seeks a decision from the attorney general as to whether requested information falls within an exception to disclosure. Among other requirements, the governmental body must submit to this office within fifteen business days of receipt of an information request "written comments stating the reasons why the stated exceptions apply that would allow the information to be withheld" and "a copy of the specific information requested, or . . . representative samples of the information if a voluminous amount of information was requested." Gov't Code § 552.301(e)(1)(A), (D). Otherwise, the requested information "is presumed to be subject to required public disclosure and must be released unless there is a compelling reason to withhold the information." Gov't Code § 552.302. You did not submit your briefing or the requested information to this office in a timely manner. The department received the records request on May 5, 2003. You did not submit your arguments for non-disclosure or copies of the requested information until July 21, 2003; consequently, the requested information is presumed to be public unless we are presented with a compelling reason to withhold the requested information. See Open Records Decision No. 150 (1977) (demonstration that information is made confidential by statute or comes under the protection of exception to disclosure intended to protect privacy interests constitutes compelling reason for non-disclosure). Because section 552.101 of the Government Code protects "information considered to be confidential by law, either constitutional, statutory, or by judicial decision," we will consider the applicability of this exception to the information at issue, despite that fact that you did not submit your written comments or the requested information to us in a timely manner. You claim that certain information that is contained within the submitted state Statements of Licensing Violations and Plans of Correction forms (the "state forms") is not subject to release under regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), and is, thus, excepted from disclosure pursuant to section 552.101 of the Government Code in conjunction with these regulations. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164. Under these standards, a covered entity may not use or disclose protected health information, excepted as provided by parts 160 and 164 of the Code of Federal Regulations. See 45 C.F.R. § 164.502(a). Section 160.103 defines a covered entity as a health plan, a health clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter C, Subtitle A of Title 45. See 45 C.F.R. § 160.103. In this instance, you explain that the department is a health plan under HIPAA because as an administrator of part of the Medicaid program, the department is considered a health plan. Based on your representations, we conclude the department is a covered entity under HIPAA. Therefore, we will next determine whether the information at issue is protected health information under the federal law. Section 160.103 of title 45 of the Code of Federal Regulations defines the following relevant terms as follows: Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; (iii) Transmitted or maintained in any other form or medium. 45 C.F.R. § 160.103. You contend that portions of the information in the submitted state forms constitute protected health information. Upon review of the information at issue, we agree that all of this information constitutes protected health information as contemplated by HIPAA. However, we note that a covered entity may use protected health information to create information that is not individually identifiable health information, i.e., information that is de-identified. See 45 C.F.R. § 164.502(d)(1). The privacy standards that govern the uses and disclosures of protected health information do not apply to information that is de-identified in accordance with sections 164.514(a) and (b) of the Code of Federal Regulations. See 45 C.F.R. § 164.502(d)(2). Under HIPAA, a covered entity may determine health information is not individually identifiable only under certain circumstances. One method requires a person with specialized knowledge of generally accepted statistical and scientific principles and methods for rendering information de-identifiable to apply and document such methods and principles to determine release of protected health information would result in a very small risk of individual identification. See 45 C.F.R. § 164.514(b)(1). The other method requires the covered entity to meet the following two criteria: 1) remove specific identifiers, including but not limited to, names, dates directly related to an individual, telecommunication numbers, vehicle identifiers, and any other unique identifying number, characteristic, or code and 2) have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See 45 C.F.R. § 164.514(b)(2)(i), (ii). You assert that the department can de-identify the protected health information in the state form by redacting the month and day of any dates that relate directly to the referenced individuals. We understand you to assert that the department has no knowledge that the release of the remaining de-identified information could be used alone or in combination with other information to identify the subjects of the health information. Based on our review of your representations and the information at issue, we agree that the redaction of the dates that you have marked properly de-identifies the protected health information under HIPAA. See 45 C.F.R. §§ 164.514(b)(2)(i)(A)-(R). We have marked some additional information that also must be withheld under HIPAA. We note that the regulations promulgated pursuant to HIPAA permit the disclosure of protected health information to a public health authority that is authorized by law to collect or receive health information for purposes of preventing or controlling disease, injury, or disability. See 45 C.F.R. § 164.512(b)(1)(i). In this instance, the requestor has identified herself as a consultant with the State of Florida's Agency for Health Care Administration. However, you state that the requestor "has not given the department the necessary information that would allow the department to conclude that the requestor has the necessary authority and a valid purpose for getting information under the HIPAA privacy rules." Based on your representations, we conclude that the department must de-identify the protected health information contained in the state form before disclosing the form to the requestor. We note the applicability of the MPA, chapter 159 of the Occupations Code, to the de-identified health information in the state forms. Generally, HIPAA preempts a contrary provision of state law. See 45 C.F.R. § 160.203. For purposes of HIPAA, "contrary" means the following: (1) A covered entity would find it impossible to comply with both the State and federal requirements; or (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable. 45 C.F.R. § 160.202. It is not impossible for the department to comply with both section 159.002 and HIPAA. Furthermore, section 159.002 is not an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA. In fact, one of the purposes of section 159.002 is to protect patient privacy. Therefore, HIPAA does not preempt section 159.002. Section 159.002 of the MPA provides in part: (b) A record of the identity, diagnosis, evaluation, or treatment of a patient by a physician that is created or maintained by a physician is confidential and privileged and may not be disclosed except as provided by this chapter. (c) A person who receives information from a confidential communication or record as described by this chapter, other than a person listed in Section 159.004 who is acting on the patient's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained. Occ. Code § 159.002(b), (c). Information that is subject to the MPA includes both medical records and information obtained from those medical records. See Occ. Code §§ 159.002, .004; see also Open Records Decision No. 598 (1991). You state that you have marked the information in the state form "that is information obtained from a medical record created by a physician." Based on your representation and our review of the submitted information, we agree that all of the information in the state forms that you have marked as subject to the MPA may only be disclosed in accordance with that statute. In this case, however, that information must be withheld under section 552.101 of the Government Code. You next contend that section 142.004 of the Health & Safety Code governs some of the submitted licensing information. Section 142.004(d) provides as follows: Information received by the department relating to the competence and financial resources of the applicant or a controlling person with respect to the applicant is confidential and may not be disclosed to the public. Health & Safety Code § 142.004(d). Based on your representations and our review of the submitted information, we agree that the portions of the submitted documents that consist of answers to questions concerning criminal convictions constitute confidential information as they relate to the competence of an applicant. See Health & Safety Code § 142.004(d). Therefore, the department must withhold all of the information you have marked under section 552.101 of the Government Code in conjunction with section 142.004(d) of the Health and Safety Code. You also claim that some of the submitted information is confidential under section 142.009(d)(5) of the Health and Safety Code. This section provides that "reports, records, and working papers used or developed in an investigation made under this section are confidential and may not be released or made public except . . . (5) on a form developed by the department that identifies any deficiencies found without identifying a person, other than the home and community support services agency[.]" Health & Safety Code § 142.009(d)(5). You acknowledge that the department is required to release the submitted state forms under section 142.009(d)(5). You claim, however, that this section requires the department to withhold the identifying information contained in the state forms. You have marked that information. We agree that the department must withhold this marked information pursuant to section 552.101 of the Government Code in conjunction with section 142.009(d)(5) of the Health and Safety Code. Finally, you contend that the social security numbers contained in the submitted documents are confidential under section 552.101 in conjunction with section 231.302 of the Family Code. In relevant part, section 231.302 states the following: (c) To assist in the administration of laws relating to child support enforcement under Parts A and D of Title IV of the federal Social Security Act (42 U.S.C. Sections 601-617 and 651-669): (1) each licensing authority shall request and each applicant for a license shall provide the applicant's social security number[.] . . . . (e) Except as provided by Subsection (d), a social security number provided under this section is confidential and may be disclosed only for the purposes of responding to a request for information from an agency operating under the provisions of Part A or D of Title IV of the federal Social Security Act (42 U.S.C. Sections 601 et seq. and 651 et seq). . . . . (g) In this section, "licensing authority" has the meaning assigned by Section 232.001. Fam. Code § 231.302(c)(1), (e), (g). You inform us that the Department is a licensing authority as defined by section 232.001 of the Family Code. See Fam. Code § 232.001(2) (defining "licensing authority" as a department . . . of the state . . . that issues a license). Further, you explain that, in this instance, disclosure of the social security numbers would not be for a permitted purpose under section 231.302(e) of the Family Code. See Fam. Code § 231.302(e). Based on your representations and our review of the information, we conclude the Department must withhold the social security numbers contained in the submitted records in accordance with section 552.101 in conjunction with section 231.302(e) of the Family Code.(1) In summary, the department must withhold the information that it has marked pursuant to HIPAA and the MPA in conjunction with section 552.101. The department must also withhold all of the information that it has marked as confidential under sections 142.004(d) and 142.009(d)(5) of the Health and Safety Code pursuant to section 552.101 of the Government Code. The submitted social security numbers must be withheld pursuant to section 231.302 of the Family Code in conjunction with section 552.101 of the Government Code. The department must release the remaining submitted information to the requestor. This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a). If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877) 673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e). If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ). Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512) 475-2497. If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling. Sincerely, Michael A. Pearle
MAP/RWP/sdk Ref: ID# 184849 Enc. Marked documents c: Ms. Richelle Cook
Footnotes 1. Because we resolve this aspect of your request under section 231.302, we need not address your other arguments for withholding the social security numbers. POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US |