This ruling has been modified by court action. The judgment can be viewed in PDF format here.

Click for home page
Office of the ATTORNEY GENERAL
GREG ABBOTT
image
 

October 2, 2003

Ms. Rebecca L. Payne
Assistant General Counsel
Texas Department of Human Services
P. O. Box 149030
Austin, Texas 78714-9030

OR2003-6978

Dear Ms. Payne:

You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 188779.

The Texas Department of Human Services (the "department") received a request for the January 2003 report regarding a specified assisted living facility. You state that you will be releasing a portion of the requested records but claim that portions of the responsive information are excepted from disclosure under section 552.101 of the Government Code. We have considered the exception you claim and reviewed the submitted information.

Section 552.101 of the Government Code excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." This section encompasses information protected by other statutes. You claim that the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") governs some of the requested information, which you have marked. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information (the "privacy standards"). See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164.

Section 160.103 defines a covered entity as a health plan, a health clearinghouse, or a healthcare provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter. 45 C.F.R. § 160.103. In this instance, the department explains that it is a covered entity under HIPAA because, as an administrator of part of the Medicaid program, the department is considered a health plan. Based on your representations, we conclude the department is a covered entity under HIPAA.

Under the privacy standards, a covered entity may not use or disclose protected health information, except as provided by the Code of Federal Regulations, parts 160 and 164.(1) 45 C.F.R. § 164.502(a). Section 160.103 of title 45 of the Code of Federal Regulations defines certain relevant terms and provides in relevant part as follows:

Health information means any information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media;

(iii) Transmitted or maintained in any other form or medium.

45 C.F.R. § 160.103. You contend the submitted information contains individually identifiable protected health information. Upon review of the submitted information, we agree that it contains individually identifiable protected health information as contemplated by HIPAA. However, a covered entity may de-identify protected health information to create information that is not individually identifiable health information. 45 C.F.R. § 164.502(d)(1). The privacy standards that govern the uses and disclosures of protected health information do not apply to information de-identified in accordance with subsections 164.514(a) and (b) of the Code of Federal Regulations. 45 C.F.R. § 164.502(d)(2).

Under HIPAA, a covered entity may determine health information is not individually identifiable only under certain circumstances. One method requires a person with specialized knowledge of generally accepted statistical and scientific principles and methods for rendering information de-identifiable to apply and document such methods and principles to determine release of protected health information would result in a very small risk of individual identification. 45 C.F.R. § 164.514(b)(1). The other method requires the covered entity to meet the following two criteria: 1) remove specific identifiers, including but not limited to, names, dates directly related to an individual, telecommunication numbers, vehicle identifiers, and any unique identifying number, characteristic, or code and 2) the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See 45 C.F.R. § 164.514(b)(2)(i), (ii).

In regard to the first method of de-identification, you state that "no statistician, mathematician, or other similar professional has concluded that the risk is very small that the information, alone or in combination with other reasonably available information, could be used to identify an individual." Thus, de-identification under this method is not applicable in this instance.

In this instance, the requestor knows the identity of one of the individuals whose protected health information is at issue. We therefore determine that neither of the two methods of de-identification described above would be sufficient to protect that individual's identity as required under HIPAA. Consequently, we determine that the information related to the individual whose identity is known by the requestor constitutes protected health information under HIPAA in its entirety. See 45 C.F.R. § 164.514(b)(2)(ii)(R). We therefore conclude that the department must withhold the information that we have marked related to that individual under section 552.101 of the Government Code in conjunction with HIPAA.

You do not inform us that the requestor knows the identities of the other individuals whose protected health information is also at issue. Consistent with the second method of de-identification, we have marked for redaction specific identifiers in the remaining submitted protected health information. See 45 C.F.R. § 164.514(b)(2)(i)(A)-(R). In regard to the second method of de-identification, you assert that the "name of the facility reveals the street address, city, and zip code of the individuals who reside in the facility," and that de-identification would require the removal of this information. In this case, we disagree that de-identification under section 164.514(b)(2)(i) requires that facility names be removed from the submitted information. You also contend that de-identification "would be impossible in circumstances like this one, where a requestor asks for a report regarding a particular facility." If the department has actual knowledge that the de-identified information, as we have marked it, could be used alone or in combination with other information to identify the subject of the health information, then the department must withhold the protected health information in its entirety under section 552.101 of the Government Code in conjunction with HIPAA. To the extent that the department has no actual knowledge that the de-identified information, as we have marked it, could be used alone or in combination with other information to identify the subject of the health information, the department must withhold under section 552.101 of the Government Code in conjunction with HIPAA only the types of information that we have marked in the remaining records.

We next address the applicability of the Medical Practice Act (the "MPA"), chapter 159 of the Occupations Code, and section 48.101 of the Human Resources Code to the de-identified information and other information that is not subject to HIPAA. Generally, HIPAA preempts a contrary provision of state law. See 45 C.F.R. § 160.203. For purposes of HIPAA, "contrary" means the following:

(1) A covered entity would find it impossible to comply with both the State and federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable.

45 C.F.R. § 160.202. It is not impossible for the department to comply with sections 48.101, 159.002, and HIPAA. Furthermore, neither section 48.101 nor section 159.002 is an obstacle to the accomplishment and execution of the full purposes and objectives of HIPAA. In fact, one of the purposes of both of these provisions is to protect patient privacy. Therefore, HIPAA does not preempt section 48.101 or 159.002.

Section 159.002 of the MPA reads, in part, as follows:

(a) A communication between a physician and a patient, relative to or in connection with any professional services as a physician to the patient, is confidential and privileged and may not be disclosed except as provided by this chapter.

(b) A record of the identity, diagnosis, evaluation, or treatment of a patient by a physician that is created or maintained by a physician is confidential and privileged and may not be disclosed except as provided by this chapter.

(c) A person who receives information from a confidential communication or record as described by this chapter, other than a person listed in Section 159.004 who is acting on the patient's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained.

Occ. Code § 159.002(a), (b), (c). This office has concluded that the protection afforded by section 159.002 extends only to records created by either a physician or someone under the supervision of a physician. See Open Records Decision Nos. 487 (1987), 370 (1983), 343 (1982). Information subject to the MPA includes both medical records and information obtained from those medical records. See Occ. Code §§ 159.002, .004; Open Records Decision No. 598 (1991). You inform us that the information you have marked as subject to the MPA was obtained from a medical record created by a physician. Moreover, you explain disclosure of this information would not be consistent with the purposes for which the department obtained that information. Based on your representations and our review of the information, we conclude the department must withhold the information that we have marked as being subject to the MPA. See Open Records Decision No. 598 (1991).

Section 48.101 of the Human Resources Code provides in relevant part:

(a) The following information is confidential and not subject to disclosure under Chapter 552, Government Code:

(1) a report of abuse, neglect, or exploitation made under this chapter;

(2) the identity of the person making the report; and

(3) except as provided by this section, all files, reports, records, communications, and working papers used or developed in an investigation made under this chapter or in providing services as a result of an investigation.

Hum. Res. Code § 48.101(a). You inform this office that the department is responsible for licensing assisted living facilities. You further state that, as the licensing agency, the department is also responsible for investigating complaints of abuse, neglect, or exploitation involving these types of facilities. See id. § 48.301. Based on your representations, we believe that the remaining submitted information constitutes files, reports, records, communications, and working papers used or developed in an investigation made under chapter 48 of the Human Resources Code or in providing services as a result of an investigation. The remaining submitted information is therefore confidential under section 48.101 of the Human Resources Code.

Section 48.101 further provides that "[c]onfidential information may be disclosed only for a purpose consistent with this chapter and as provided by [Department of Protective and Regulatory Services] or investigating state agency rule and applicable federal law." Id. § 48.101(b). You inform this office that the rules adopted by the department for the release of information used or developed in an investigation are found at section 92.106 of title 40 of the Texas Administrative Code. Section 92.106 provides in relevant part:

(a) Confidentiality. All reports, records, and working papers used or developed by the Texas Department of Human Services (DHS) in an investigation are confidential, and may be released only as provided in this subsection.

. . .

(2) Completed written investigation reports are open to the public, provided the report is deidentified. The process of deidentification means removing all names and other personally identifiable data, including any information from witnesses and others furnished to the department as part of the investigation.

40 T.A.C. § 92.106(a)(2). You indicate that the records you submitted to this office pertain to investigations conducted under the authority of chapter 48 of the Human Resources Code into complaints of abuse or neglect of residents of assisted living facilities. You state that the report among these documents was created pursuant to chapter 48. Therefore, we agree that all remaining personally identifiable information in the report is excepted from disclosure pursuant to section 552.101 of the Government Code in conjunction with section 48.101 of the Human Resources Code and section 92.106 of title 40 of the Texas Administrative Code. We further conclude that the remaining documents used or developed during the course of the underlying investigation are made confidential under section 48.101 and therefore must be withheld in their entirety. We have marked the documents accordingly. Because we are able to make this determination, we need not address your other arguments for withholding information contained in these documents.

In summary, the department must withhold the marked information related to the individual whose identity is known by the requestor under section 552.101 of the Government Code in conjunction with HIPAA. To the extent that the department has no actual knowledge that the remaining de-identified information, as we have marked it, could be used alone or in combination with other information to identify the subject of the health information, the department must withhold under section 552.101 of the Government Code in conjunction with HIPAA only the types of information that we have marked. You must also withhold the information we have marked under the MPA. The department must withhold all remaining identifying information contained in the report created pursuant to section 48.101 of the Human Resources Code. The department must also withhold in their entirety all other records used or developed in the investigation pursuant to section 48.101. The remaining submitted information must be released to the requestor. As our ruling is dispositive, we need not address your remaining arguments.

This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances.

This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a).

If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877)673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e).

If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ).

Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512)475-2497.

If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling.

Sincerely,

Cindy Nettles
Assistant Attorney General
Open Records Division
CN/sdk
Ref: ID# 188779
Enc. Submitted documents

c: Ms. Linda Kaderka
15754 Sweetwater Creek Drive
Houston, Texas 77095
(w/o enclosures)


 

Footnotes

1. We note that a covered entity must comply with the requirements of subpart E of part 164 of title 45 of the Code of Federal Regulations with respect to the protected health information of a deceased individual. See 45 C.F.R. § 164.502(f).
 

POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US
An Equal Employment Opportunity Employer

Home | ORLs