 ATTORNEY GENERAL OF TEXAS GREG ABBOTT | |
 |
January 21, 2011 Ms. Renee Mauzy General Counsel Texas Department of Information Resources P.O. Box 13564 Austin, Texas 78711-3564 OR2011-01080 Dear Ms. Mauzy: You ask whether certain information is subject to required public disclosure under the Public Information Act (the "Act"), chapter 552 of the Government Code. Your request was assigned ID# 406491. The Texas Department of Information Resources (the "department") received a request for all e-mails in a named individual's e-mail mailbox during a specified time period. You state the department is releasing some of the requested information. You claim that portions of the submitted information are excepted from disclosure under sections 552.101 and 552.139 of the Government Code. Additionally, you state you have notified third parties of the request. See Gov't Code § 552.304 (interested third party may submit comments stating why information should or should not be released). We have considered the exceptions you claim and reviewed the submitted information. Section 552.101 of the Government Code excepts from disclosure "information considered to be confidential by law, either constitutional, statutory, or by judicial decision." Gov't Code § 552.101. Thus, section 552.101 encompasses information other statutes make confidential. For information to be confidential under section 552.101, the provision of law must explicitly require confidentiality. You contend portions of the submitted information are protected under the federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), 42 U.S.C. §§ 1320d-1320d-8. At the direction of Congress, the Secretary of Health and Human Services ("HHS") promulgated regulations setting privacy standards for medical records, which HHS issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical & statutory note); Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. Pts. 160, 164 ("Privacy Rule"); see also Attorney General Opinion JC-0508 at 2 (2002). These standards govern the releasability of protected health information by a covered entity. See 45 C.F.R. pts. 160, 164. Under these standards, a covered entity may not use or disclose protected health information, except as provided by parts 160 and 164 of the Code of Federal Regulations. See id. § 164.502(a). This office has addressed the interplay of the Privacy Rule and the Act. In Open Records Decision No. 681 (2004), we noted section 164.512 of title 45 of the Code of Federal Regulations provides a covered entity may use or disclose protected health information to the extent such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. See 45 C.F.R. § 164.512(a)(1). We further noted the Act "is a mandate in Texas law that compels Texas governmental bodies to disclose information to the public." ORD 681 at 8; see also Gov't Code §§ 552.002, .003, .021. Therefore, we held the disclosures under the Act come within section 164.512(a). Consequently, the Privacy Rule does not make information confidential for the purpose of section 552.101 of the Government Code. See Abbott v. Tex. Dep't of Mental Health & Mental Retardation, 212 S.W.3d 648 (Tex. App.--Austin 2006, no pet.); ORD 681 at 9; see also Open Records Decision No. 478 (1987) (as general rule, statutory confidentiality requires express language making information confidential). Thus, because the Privacy Rule does not make information that is subject to disclosure under the Act confidential, the department may withhold protected health information from the public only if the information is confidential under other law or an exception in subchapter C of the Act applies. Section 552.101 also encompasses the common-law right of privacy, which protects information if it (1) contains highly intimate or embarrassing facts, the publication of which would be highly objectionable to a reasonable person, and (2) is not of legitimate concern to the public. Indus. Found. v. Tex. Indus. Accident Bd., 540 S.W.2d 668, 685 (Tex. 1976). To demonstrate the applicability of common-law privacy, both prongs of this test must be established. Id. at 681-82. The type of information considered intimate and embarrassing by the Texas Supreme Court in Industrial Foundation included information relating to sexual assault, pregnancy, mental or physical abuse in the workplace, illegitimate children, psychiatric treatment of mental disorders, attempted suicide, and injuries to sexual organs. Id. at 683. Whether information is subject to a legitimate public interest and therefore not protected by common-law privacy must be determined on a case-by-case basis. See Open Records Decision No. 373 (1983). This office has found that some kinds of medical information or information indicating disabilities or specific illnesses are excepted from required public disclosure under common-law privacy. See Open Records Decision Nos. 470 (1987) (illness from severe emotional and job-related stress), 455 (1987) (prescription drugs, illnesses, operations, and physical handicaps). Upon review, we find that the information you have marked as subject to section 552.101 is either not highly intimate or embarrassing, or it is of legitimate public concern. Therefore, the department may not withhold this information pursuant to section 552.101 of the Government Code in conjunction with common-law privacy. We note the submitted information contains information that may be subject to section 552.117 of the Government Code. (1) Section 552.117 excepts from disclosure the home addresses and telephone numbers, social security numbers, and family member information of current or former officials or employees of a governmental body who request that this information be kept confidential under section 552.024 of the Government Code. Gov't Code § 552.117(a)(1). Section 552.117 is also applicable to personal pager and cellular telephone numbers, provided the cellular telephone service or pager service is not paid for by a governmental body. See Open Records Decision No. 506 at 5-6 (1988) (statutory predecessor to section 552.117 of the Government Code not applicable to cellular telephone numbers provided and paid for by governmental body and intended for official use). We note that section 552.117(a)(1) is not applicable to a former spouse or the fact that a governmental employee has been divorced. Whether a particular piece of information is protected by section 552.117(a)(1) must be determined at the time the request for it is made. See Open Records Decision No. 530 at 5 (1989). Therefore, the department must withhold information under section 552.117 on behalf of current or former officials or employees only if these individuals made a request for confidentiality under section 552.024 prior to the date on which the request for this information was made. Accordingly, if the individuals whose information is at issue are current or former employees who timely-elected to keep their personal information confidential pursuant to section 552.024, the department must withhold the employee family member information and cellular telephone numbers we have marked. However, the department must withhold the cellular telephone numbers we have marked only if the employees pay for the cellular telephone service with personal funds. The department may not withhold this information under section 552.117 for individuals who are not employees or for employees who did not make a timely election to keep the information confidential. You contend portions of the remaining information are excepted from disclosure under section 552.139 of the Government Code, which provides: (a) Information is excepted from [required public disclosure] if it is information that relates to computer network security, to restricted information under Section 2059.055 [of the Government Code], or to the design, operation, or defense of a computer network. (b) The following information is confidential: (1) a computer network vulnerability report; and (2) any other assessment of the extent to which data processing operations, a computer, or a computer program, network, system, or system interface, or software of a governmental body or of a contractor of a governmental body is vulnerable to unauthorized access or harm, including an assessment of the extent to which the governmental body's or contractor's electronically stored information containing sensitive or critical information is vulnerable to alteration, damage, erasure, or inappropriate use. Gov't Code § 552.139. Section 2059.055 of the Government Code provides in pertinent part: (b) Network security information is confidential under this section if the information is: (1) related to passwords, personal identification numbers, access codes, encryption, or other components of the security system of a state agency; (2) collected, assembled, or maintained by or for a governmental entity to prevent, detect, or investigate criminal activity; or (3) related to an assessment, made by or for a governmental entity or maintained by a governmental entity, of the vulnerability of a network to criminal activity. Id. § 2059.055(b). You state the information you have marked under section 552.139 constitutes "security sensitive information relating to routable IP addresses, network device serial numbers, device model numbers with the address where the device is deployed, proxcard serial numbers, circuit ID numbers and locations, addresses where information technology issues or problems have been reported to the help desk, points of contact at network locations and user names and passwords[.]" You explain this information "could be used . . . by individuals who are attempting to breach Texas state government information technology systems and networks." We agree some of the information you have marked falls within the scope of section 552.139. However, the contact names, phone numbers, and e-mail addresses of government employees you have marked are not related to computer network security, to confidential network security information under section 2059.055, or to the design, operation, or defense of a computer network; thus, the department may not withhold this information, which we have marked for release, under section 552.139. As such, with the exception of the information we have marked for release, the department must withhold the information it has marked under section 552.139 of the Government Code. In summary: (1) to the extent the employees whose information is at issue timely-elected confidentiality under section 552.024, the department must withhold the family member information and cellular telephone numbers we have marked, if the employees pay for the cellular service with personal funds, under section 552.117(a)(1) of the Government Code; and (2) with the exception of the information we have marked for release, the department must withhold the information you have marked under section 552.139 of the Government Code. The remaining information must be released. This letter ruling is limited to the particular information at issue in this request and limited to the facts as presented to us; therefore, this ruling must not be relied upon as a previous determination regarding any other information or any other circumstances. This ruling triggers important deadlines regarding the rights and responsibilities of the governmental body and of the requestor. For more information concerning those rights and responsibilities, please visit our website at http://www.oag.state.tx.us/open/index_orl.php, or call the Office of the Attorney General's Open Government Hotline, toll free, at (877) 673-6839. Questions concerning the allowable charges for providing public information under the Act must be directed to the Cost Rules Administrator of the Office of the Attorney General, toll free at (888) 672-6787. Sincerely, Lindsay E. Hale Assistant Attorney General Open Records Division LEH/em Ref: ID# 406491 Enc. Submitted documents c: Requestor (w/o enclosures) Third Parties (w/o enclosures) Footnotes1. The Office of the Attorney General will raise a mandatory exception on behalf of a governmental body, but ordinarily will not raise other exceptions. See Open Records Decision Nos. 481 (1987), 480 (1987), 470 (1987).
POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WEB: WWW.OAG.STATE.TX.US |