 ATTORNEY GENERAL OF TEXAS GREG ABBOTT | |
|
January 16, 2004 Ms. Susan Smith
OR2004-0404 Dear Ms. Smith: You ask whether certain information is subject to required public disclosure under chapter 552 of the Government Code. Your request was assigned ID# 194436. The TML Intergovernmental Employee Benefits Pool (the "TMLIEBP") received a request for information pertaining to "each employer member for both pool and mini-pool members." You claim that some of the requested information is excepted from disclosure under section 552.101 of the Government Code. We have considered the exception you claim and reviewed the submitted information. Section 552.101 of the Government Code excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." This section encompasses information protected by other statutes. You claim that the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. §§ 1320d-1320d-8, governs the release of the submitted information. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164; see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. Pts. 160, 164. Under these standards, a covered entity may not use or disclose protected health information, excepted as provided by parts 160 and 164 of the Code of Federal Regulations. See 45 C.F.R. § 164.502(a). Section 160.103 defines a covered entity as a health plan, a health clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by subchapter C, Subtitle A of Title 45. See 45 C.F.R. § 160.103. You inform us that the purpose of the TMLIEBP is "to provide group health benefits to employees, officers, and retirees of member political subdivisions and to their dependents." You explain that the TMLIEBP is therefore a "health plan" as defined by HIPAA. Based on your representations, we conclude the TMLIEBP is a covered entity under HIPAA. Thus, we will next determine whether the information at issue is protected health information under the federal law. Protected health information is defined under HIPAA as "individually identifiable health information" maintained in any form or medium. 45 C.F.R. § 160.103. "Individually identifiable health information" is health information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. Id. The submitted information is "the amount per employer/per individual comprising claims in excess of $35,000.00, $125,000.00, and $250,000.00" for members of "the mini-pool," which is comprised of employer members with more than 100 employees in a group. You contend that this information is protected health information under HIPAA. We agree that the submitted information is information collected from an individual, received by a health plan, and relates to the past, present, or future payment for the provision of health care to the individual. However, we find you have not established, and there is no reasonable basis otherwise to believe, that the submitted information, which consists of only employer names and amounts, can be used to identify any individual. Therefore, because the information is not "individually identifiable health information," we find that none of the information constitutes "protected health information" for purposes of HIPAA. See 45 C.F.R. pts. 160, 164. Accordingly, because the submitted information does not contain protected health information, HIPAA does not apply, and we must conclude that the submitted information may not be withheld from disclosure under section 552.101 of the Government Code. The submitted information must be released to the requestor in its entirety. This letter ruling is limited to the particular records at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other records or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For example, governmental bodies are prohibited from asking the attorney general to reconsider this ruling. Gov't Code § 552.301(f). If the governmental body wants to challenge this ruling, the governmental body must appeal by filing suit in Travis County within 30 calendar days. Id. § 552.324(b). In order to get the full benefit of such an appeal, the governmental body must file suit within 10 calendar days. Id. § 552.353(b)(3), (c). If the governmental body does not appeal this ruling and the governmental body does not comply with it, then both the requestor and the attorney general have the right to file suit against the governmental body to enforce this ruling. Id. § 552.321(a). If this ruling requires the governmental body to release all or part of the requested information, the governmental body is responsible for taking the next step. Based on the statute, the attorney general expects that, within 10 calendar days of this ruling, the governmental body will do one of the following three things: 1) release the public records; 2) notify the requestor of the exact day, time, and place that copies of the records will be provided or that the records can be inspected; or 3) notify the requestor of the governmental body's intent to challenge this letter ruling in court. If the governmental body fails to do one of these three things within 10 calendar days of this ruling, then the requestor should report that failure to the attorney general's Open Government Hotline, toll free, at (877) 673-6839. The requestor may also file a complaint with the district or county attorney. Id. § 552.3215(e). If this ruling requires or permits the governmental body to withhold all or some of the requested information, the requestor can appeal that decision by suing the governmental body. Id. § 552.321(a); Texas Dep't of Pub. Safety v. Gilbreath, 842 S.W.2d 408, 411 (Tex. App.--Austin 1992, no writ). Please remember that under the Act the release of information triggers certain procedures for costs and charges to the requestor. If records are released in compliance with this ruling, be sure that all charges for the information are at or below the legal amounts. Questions or complaints about over-charging must be directed to Hadassah Schloss at the Texas Building and Procurement Commission at (512) 475-2497. If the governmental body, the requestor, or any other person has questions or comments about this ruling, they may contact our office. We note that a third party may challenge this ruling by filing suit seeking to withhold information from a requestor. Gov't Code § 552.325. Although there is no statutory deadline for contacting us, the attorney general prefers to receive any comments within 10 calendar days of the date of this ruling. Sincerely, Karen Hattaway
c: Mr. Frank Simpson
POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB:WWW.OAG.STATE.TX.US |