Office of the ATTORNEY GENERAL GREG ABBOTT
August 15, 2003

Mr. Jeffrey S. Young

OR2003-5744

Dear Mr. Young:

You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 186073.

The Texas Tech University Health Sciences Center (the "center") received a written request for "all written evaluations and in service exam results and any and all other records related to physician performance for all resident anesthesiologists in training at [the center] during the period from January 1999 through June 2000." (Emphasis in original.) You contend that the requested information is excepted from required disclosure pursuant to sections 552.101 and 552.117 of the Government Code.

Section 552.101 of the Government Code excepts from required public disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." This exception encompasses information that other statutes make confidential. You claim that some of the submitted information is not subject to release under the regulations promulgated pursuant to the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and that this information is therefore excepted from disclosure under section 552.101 of the Government Code in conjunction with these regulations.(1)

At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164.
Under the federal standards, a covered entity may not use or disclose protected health information, except as provided by parts 160 and 164 of the Code of Federal Regulations. See id. § 164.502(a). Section 160.103 of title 45 of the Code of Federal Regulations defines a covered entity as a health plan, a health clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by subchapter C, subtitle A of title 45. See id. § 160.103. You inform this office that the center is a covered entity under section 160.103, by virtue of being a health care provider that "transmits health information in electronic form in connection with a transaction covered by HIPAA." Therefore, we will next determine whether any portion of the submitted information is protected health information under the federal law.

Section 160.103 of title 45 of the Code of Federal Regulations defines the following relevant terms as follows:

Health information means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

45 C.F.R. § 160.103.
Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Id.

Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media;
(iii) Transmitted or maintained in any other form or medium.

Id.

You assert that the submitted information contains protected health information. Upon review of the information in question, we agree that it contains protected health information under HIPAA. With regard to this information, however, we note that a covered entity may use protected health information to create information that is not individually identifiable health information, i.e., information that has been de-identified. See id. § 164.502(d)(1). The privacy standards that govern the uses and disclosures of protected health information under HIPAA do not apply to information that has been de-identified in accordance with sections 164.514(a) and (b) of the Code of Federal Regulations. See id. § 164.502(d)(2).(2) Under HIPAA, a covered entity may determine that health information is not individually identifiable only under certain circumstances.
One method requires a person with specialized knowledge of generally accepted statistical and scientific principles and methods for rendering information de-identifiable to apply and document such methods and principles to determine that release of protected health information would result in a very small risk of individual identification. See id. § 164.514(b)(1). The other method requires the covered entity to meet the following two criteria: (1) remove specific identifiers, including but not limited to names, dates directly related to an individual, telecommunication numbers, vehicle identifiers, and any other unique identifying number, characteristic, or code, and (2) have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See id. § 164.514(b)(2)(i), (ii). We have marked the specific identifiers in the submitted protected health information. See id. § 164.514(b)(2)(i)(A)-(R). To the extent that the center has no actual knowledge that the de-identified information could be used alone or in combination with other information to identify the subject of the health information, the center must withhold the types of information that we have marked under section 552.101 of the Government Code in conjunction with HIPAA. However, if the center has actual knowledge that the de-identified information could be used alone or in combination with other information to identify the subject of the health information, then the center must withhold the marked documents in their entirety under section 552.101 of the Government Code in conjunction with HIPAA. You also contend that the submitted information is confidential under section 552.101 in conjunction with Texas statutory law. Because HIPAA may not require the center to withhold all of the submitted information, we also must consider the applicability of the state statutory provisions that you have raised. 
We note that HIPAA generally preempts a contrary provision of state law. See 45 C.F.R. § 160.203. For purposes of HIPAA, "contrary" means the following: (1) A covered entity would find it impossible to comply with both the State and federal requirements; or (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable. Id. § 160.202. You contend that the confidentiality provision found in section 160.007 of the Occupations Code is applicable to the documents that we have de-identified under HIPAA. We find that it is not impossible for the center to comply with both HIPAA and section 160.007. We likewise find that section 160.007 does not stand as an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA. We will therefore consider the applicability of section 160.007 to the remaining information at issue. You advise that the documents at issue are records of a medical peer review committee. Medical peer review is defined by the Medical Practice Act (the "MPA"), found at subtitle B of title 3 of the Occupations Code, to mean "the evaluation of medical and health care services, including evaluation of the qualifications of professional health care practitioners and of patient care rendered by those practitioners ." Occ. Code § 151.002(a)(7). A medical peer review committee is "a committee of a health care entity . . . or the medical staff of a health care entity, that operates under written bylaws approved by the policy-making body or the governing board of the health care entity and is authorized to evaluate the quality of medical and health care services[.] . . . ." Id. § 151.002(a)(8). 
Section 160.007 of the MPA states that, "[e]xcept as otherwise provided by this subtitle, each proceeding or record of a medical peer review committee is confidential, and any communication made to a medical peer review committee is privileged." Occ. Code § 160.007. After reviewing the submitted documents and your brief to this office, we agree that the information at issue here is protected by medical peer review committee confidentiality. See St. Luke's Episcopal Hosp. v. Agbor, 952 S.W.2d 503, 505 (Tex. 1997); Memorial Hosp.-the Woodlands v. McCown, 927 S.W.2d 1, 5 (Tex. 1996) (finding that review by medical staff committee of application for staff privileges qualifies as medical peer review because it necessarily involves review of physician's qualifications, competence, and ethics). Therefore, the responsive information you have submitted must be withheld under section 552.101 of the Government Code in conjunction with section 160.007 of the Occupations Code except to the extent the information is made confidential under HIPAA.(3) This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). 
If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a). If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877) 673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e). If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ). Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512) 475-2497. 
If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling.

Sincerely,

James W. Morris, III
c: Mr. Paul Bryant
Footnotes

1. We note that a federal statute or an administrative regulation enacted pursuant to statutory authority can provide statutory confidentiality for purposes of section 552.101. See Open Records Decision No. 476 (1987) (addressing statutory predecessor).

2. We note that a covered entity must comply with the requirements of subpart E of part 164 of title 45 of the Code of Federal Regulations with respect to the protected health information of a deceased individual. See 45 C.F.R. § 164.502(f).

3. Because we resolve this aspect of your request under section 160.007, we need not address your other arguments for withholding the requested information.

POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US