 Office of the ATTORNEY GENERAL GREG ABBOTT | |
|
November 25, 2003 Mr. Robert R. Ray
OR2003-8500 Dear Mr. Ray: You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 191723. The Longview Fire Department (the "department") received a request for medical records pertaining to a named individual. You claim that the requested information is excepted from disclosure under section 552.101 of the Government Code. We have considered the exception you claim and reviewed the submitted information. We begin by noting that one of the submitted documents was created after the date that the department received the instant request for information. Thus, such information is not responsive to the present request and this ruling will not address that information. We have marked this document, which the department need not release in response to this request. Section 552.101 excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." You claim that the regulations promulgated pursuant to the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") prohibit the release of the submitted information, and that the information is therefore excepted from disclosure under section 552.101 of the Government Code in conjunction with these regulations. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164. Under these standards, a covered entity may not use or disclose protected health information, excepted as provided by parts 160 and 164 of the Code of Federal Regulations. 45 C.F.R. § 164.502(a). Section 160.103 defines a covered entity as a health plan, a health clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter C, Subtitle A of Title 45. 45 C.F.R. § 160.103. You assert that the department's Emergency Medical Services ("EMS") is a covered entity for purposes of section 160.103. You state that the department's ambulances "respond to calls regarding traffic accidents, injuries resulting from criminal activity or accident, heart attacks, stroke, severe illnesses, and any other health-related emergency." You also explain that ambulance crews consist of emergency medical technicians, at least one of whom is a paramedic, that use medical equipment and drugs to supply care and services to individuals in emergency medical situations while communicating with physicians and other healthcare professionals via radio. HIPAA defines health care as care, services, or supplies related to the health of an individual, and a health care provider as, among other things, a provider of medical or health services and an organization who furnishes, bills, or is paid for health care in the normal course of business. See 45 C.F.R. § 160.103. We understand you to assert that the department's EMS furnishes "health care" as defined in section 160.103 in the normal course of business. Additionally, you state that the department's "EMS Billing" maintains records and "files claims for payment with private insurers and with Medicare." Finally, you state that "some of the information generated by the ambulance crews and managed or generated by EMS Billing is transmitted electronically to Medicare, private health insurers, and the state." Section 160.103 defines a transaction as the transmission of information between two parties to carry out financial or administrative activities related to health care, including health care payment or equivalent encounter information. Upon review of your arguments, we agree that the department is a covered entity for purposes of section 160.103 because it is a health care provider that transmits health information in electronic form and conducts "covered transactions." Therefore, we will next determine whether the submitted information is confidential as protected health information under the federal law. Section 160.103 of title 45 of the Code of Federal Regulations defines the following relevant terms as follows: Health information means any information, whether oral or recorded in any form or medium, that: (1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; (iii) Transmitted or maintained in any other form or medium. 45 C.F.R. § 160.103. You contend that the submitted information constitutes individually identifiable protected health information. Upon review of the information, we agree that it is protected health information as contemplated by HIPAA. However, we note that a covered entity may use protected health information to create information that is not individually identifiable health information, i.e., de-identified. 45 C.F.R. § 164.502(d)(1). The privacy standards that govern the uses and disclosures of protected health information do not apply to information de-identified in accordance with sections 164.514(a) and (b) of the Code of Federal Regulations. 45 C.F.R. § 164.502(d)(2). Under HIPAA, a covered entity may determine health information is not individually identifiable only under certain circumstances. One method requires a person with specialized knowledge of generally accepted statistical and scientific principles and methods for rendering information de-identifiable to apply and document such methods and principles to determine release of protected health information would result in a very small risk of individual identification. 45 C.F.R. § 164.514(b)(1). The other method requires the covered entity to meet the following two criteria: 1) remove specific identifiers, including but not limited to, names, dates directly related to an individual, telecommunication numbers, vehicle identifiers, and any other unique identifying number, characteristic, or code and 2) have no actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information. See 45 C.F.R. § 164.514(b)(2)(i), (ii). In this instance, the requestor is aware of the identity of the individual whose protected health information is at issue. Therefore, we conclude that using either of the methods of de-identification described above would be insufficient to protect the individual's identity as required under HIPAA. Accordingly, we find that the submitted information in its entirety constitutes protected health information under HIPAA. See 45 C.F.R. § 164.514(b)(2)(ii)(R). Thus, the department must withhold the information under section 552.101 of the Government Code in conjunction with HIPAA. However, we note that in this instance, the requestor has provided the department with an authorization signed by the parent of the individual whose protected health information is at issue. Under HIPAA, an individual has a right of access to inspect and obtain a copy of protected health information about the individual. 45 C.F.R. § 164.524(a)(1). Further, we note that a covered entity may not disclose protected health information without a valid authorization. Section 164.508 of title 45 of the Code of Federal Regulations states that a valid authorization must meet the following requirements: . . . . (c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement "end of the research study," "none," or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository. (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the
individual must also be provided. (2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: (i) The individual's right to revoke the authorization in writing, and either: (A) The exceptions to the right to revoke and a description of how the individual may revokethe authorization; or (B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity's notice. (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: (A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization. (iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart. (3) Plain language requirement. The authorization must be written in plain language. (4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. 45 C.F.R. § 164.508. Therefore, upon receipt of a valid authorization, we conclude that the department must release the protected health information to the requestor. Additionally, we note that the submitted documents are EMS records. Access to EMS records is governed by the provisions of the Emergency Medical Services Act, Health and Safety Code sections 773.091-.173. See Open Records Decision No. 598 (1991). Section 773.091 of the Emergency Medical Services Act provides in part: (b) Records of the identity, evaluation, or treatment of a patient by emergency medical services personnel or by a physician providing medical supervision that are created by the emergency medical services personnel or physician or maintained by an emergency medical services provider are confidential and privileged and may not be disclosed except as provided by this chapter. . . . . (g) The privilege of confidentiality under this section does not extend to information regarding the presence, nature of injury or illness, age, sex, occupation, and city of residence of a patient who is receiving emergency medical services . . . . Confidential EMS records may be released to "any person who bears a written consent of the patient or other persons authorized to act on the patient's behalf." Health & Safety Code § 773.092(e)(4). This consent must be written and signed by the patient, authorized representative, or personal representative and must specify (1) the information to be covered by the release, (2) reasons or purposes for the release, and (3) the person to whom the information is to be released. Health & Safety Code § 773.093(a). Section 773.093(c) also requires that any subsequent release of medical records be consistent with the purposes for which the governmental body obtained the records. Under HIPAA, a standard, requirement, or implementation specification that is contrary to a provision of state law preempts the provision of state law, except if the provision of state law relates to the privacy of individually identifiable health information and is more stringent. 45 C.F.R. § 160.203. For purposes of HIPAA, "contrary" means the following: (1) A covered entity would find it impossible to comply with both the State and federal requirements; or (2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104-191, as applicable. 45 C.F.R. § 160.202. In this instance, it is impossible for the department to comply with both section 773.093 of the Health and Safety Code and section 164.508 of title 45 of the Code of Federal Regulations. Further, for comparison of a provision of state law, HIPAA states that "more stringent" means a state law that meets the following pertinent criteria: . . . . (2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable. 45 C.F.R. § 160.202. We find that the consent requirements of section 773.093 of the Health and Safety Code permit a greater right of access to the individual than the authorization requirements under HIPAA. Consequently, section 773.093 of the Health and Safety Code is "more stringent" than HIPAA, and, thus, it is not preempted by HIPAA. Therefore, we conclude that the department may comply with section 773.093 of the Health and Safety Code without violating HIPAA. If the department receives a valid consent under section 773.093 of the Health and Safety Code, the department must release the EMS records to the requestor. See Health & Safety Code §§ 773.092, .093; Open Records Decision No. 632 (1995). This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a). If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877)673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e). If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ). Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512)475-2497. If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling. Sincerely, Cindy Nettles
c: Mr. Keith Miller
POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US |