Click for home page

February 13, 2004

Senator Robert Duncan
Chairman
Senate Committee on Jurisprudence
P.O. Box 12068
Austin, Texas 78711

Open Records Decision No. 681

Re: Questions concerning the applicability of the HIPAA Privacy Rule and state law to health information subject to the Public Information Act, chapter 552 of the Texas Government Code (ORQ-65).

Dear Senator Duncan:

You ask several questions regarding the interplay between the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub. L. No. 104-191, Stat. 1936 (codified in scattered sections of volumes 18, 26, 29 and 42 of the United States Code), and the Texas Public Information Act (the "PIA"), chapter 552 of the Government Code.

Congress enacted HIPAA to improve the Medicare and Medicaid programs and the efficiency and effectiveness of the nation's health care system by encouraging the development of a national health information system through the establishment of standards and requirements for the electronic transmission of health information. See 42 U.S.C.  1320d-1(d), 1320d-2 (2003). To that end, Congress directed the United States Department of Health and Human Services ("HHS") to issue safeguards to protect the security and confidentiality of health information. See id. To implement HIPAA's privacy requirements, HHS promulgated regulations setting national privacy standards for health information: the Standards for Privacy of Individually Identifiable Health Information (the "Privacy Rule"). See id.  1320d-2; 45 C.F.R. pts. 160, 164 (2003); South Carolina Med. Ass'n v. Thompson, 327 F.3d 346 (4th Cir. 2003), cert. denied, 2003 WL 21714043 (Nov. 3, 2003); see also Tex. Att'y Gen Op. No. GA-0138 (2004) at 7 (discussing privacy standards under HIPAA).

You ask six questions concerning the applicability of the Privacy Rule to records that are subject to the PIA:

1. What is a governmental body's burden under the [Privacy Rule]?

2. How does a governmental body that has adequately demonstrated that it is a "covered entity" or "hybrid entity" determine whether requested information is subject to the Privacy Rule?

3. Can a law enforcement agency such as the Lubbock Police Department or a first responder organization (1) disclose medical information it has documented as an observation of a law enforcement officer or has received from a hospital without violating the Privacy Rule?

4. How does a covered entity determine whether the Privacy Rule preempts a provision of Texas law such as a provision of chapter 159 of the Texas Medical Practice Act, subtitle B of the Occupations Code?

5. Under section 159.002(c) of the Occupations Code, may the Lubbock Police Department disclose to the public oral or written medical information received from a hospital regarding accident victims, crime victims or suspected perpetrators?

6. Under section 773.091(c) of the Health and Safety Code, may a Lubbock First Responder disclose to the public a patient's medical information obtained in the provision of emergency medical care? (2)

In answering these six questions, we will first discuss general guidelines for governmental bodies subject to the PIA. We will provide background information about the Privacy Rule and advice for governmental bodies that are presented with a request for protected health information. Next, we will determine whether the Privacy Rule applies to records of Lubbock first responders and records of the Lubbock Police Department that contain such information. We will then discuss the preemption of state law by the Privacy Rule. Finally, we will consider the question of public access to specific records under two Texas confidentiality statutes, section 159.002 of the Occupations Code and section 773.091 of the Health and Safety Code.

General Guidelines

The PIA generally makes information in the possession of a governmental body available to the public. See Tex. Gov't Code Ann. 552.021 (Vernon Supp. 2004); see also id.  552.002(a) (defining "public information" as information "collected, assembled, or maintained . . . by a governmental body" or "for" such a body if it "owns . . . or has a right of access to" the information), 552.003(1)(A) (defining "governmental body"). The PIA contains numerous exceptions to the general rule of required public disclosure, one of which applies to information made confidential by law. See id. 552.101. When a governmental body subject to the PIA receives a written request seeking information that it wishes to withhold as being within one of the PIA's exceptions to required public disclosure, the government body must ask for a decision from the attorney general about whether the information falls within the exception. See id. 552.301(a). The PIA places the burden on the governmental body to explain the applicability of a claimed exception. See id.  552.301(e)(1)(A) (requiring governmental body to state to attorney general reasons claimed exception applies); see also Tex. Att'y Gen. ORD-542 (1990), ORD-363 (1983). Thus, government records are presumed to be open to the public unless the governmental body shows that an exception to disclosure applies. It is in the context of the open records ruling process that you ask your first question about a governmental body's burden under the Privacy Rule and your second question about how a covered entity determines whether requested information is subject to the Privacy Rule. See Request Letter, supra note 2, at 2.

Background of HIPAA

The Privacy Rule sets national standards for the privacy and security of individually identifiable health information. See 45 C.F.R. pt. 164, subpt. E (2003). The general rule under these standards states that a covered entity may not use or disclose protected health information except as permitted or required by the rules. See id. 164.502(a); see also id.  164.103 (defining protected health information and use). The Privacy Rule applies to the following covered entities: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with certain transactions covered by subchapter C, subtitle A of title 45 of the Code of Federal Regulations. See 42 U.S.C. 1320d-1(a) (2003); 45 C.F.R. 160.102 (2003). The Privacy Rule defines each type of covered entity. See 45 C.F.R.  160.103 (2003). With the exception of certain small health plans that have an additional year to comply, these covered entities were required to comply with the Privacy Rule beginning on April 14, 2003. See 42 U.S.C.  1320d-4(b) (2003); 45 C.F.R. 164.534 (2003). HIPAA provides civil and criminal penalties for its violation. See 42 U.S.C.  1320d-5, 1320d-6 (2003). The Secretary of HHS is charged with enforcement of the Privacy Rule. See id. 1320d-5; 45 C.F.R. pt. 160, subpt. C (2003).

Since the Privacy Rule only applies to a covered entity, a governmental body must determine whether it meets the definition of one of the three covered entities: a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by the rule. See 45 C.F.R.  160.103 (2003) (defining health plan, health care clearinghouse, health care provider). An example of how a governmental body can determine whether it is a covered entity is instructive.

Our example is a city fire department emergency medical services provider ("EMS provider"). The definition of covered entity includes a health care provider who transmits health information in electronic form in connection with a transaction covered by the rules. An EMS provider is this kind of covered entity because: (1) it meets the definition of a health care provider; (3) (2) it transmits health information, (4) as defined in the rules, in electronic form; and (3) it transmits the health information in connection with a transaction, as defined in the rules. "Transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care." Id. It includes eleven types of information transmissions, including, for example, transmission for claims, payment, coordination of benefits, and enrollment in a health plan. See id.; see also id. pt. 162 (2003) (HHS rules for covered transactions). In the normal course of its business, the EMS ambulance crew uses medical equipment and drugs to diagnose an individual's health condition and render medical care and services to individuals in emergency medical situations while communicating with physicians and other healthcare professionals. See Tex. Health & Safety Code Ann. 773.003(8) (defining emergency medical services), (11) (defining emergency medical services provider). The EMS provider transmits health information electronically when it files claims for payment with individuals, private insurers, Medicaid, Medicare, and the Texas Worker's Compensation Commission. Thus, we see that the EMS provider meets the definition of a health care provider that transmits health information in electronic form in connection with covered transactions. (5)

You next ask how a governmental body that is a covered entity determines whether requested information is subject to the Privacy Rule. See Request Letter, supra note 2, at 2. Requested information is subject to the Privacy Rule if it is protected health information, as defined in the Privacy Rule. See 45 C.F.R. 164.502(a) (2003) (general rule on disclosure or use applies to protected health information); see also id.  160.103 (defining disclosure and use). Health information means any information, whether oral or recorded in any form or medium that

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

42 U.S.C. 1320d(4) (2003); 45 C.F.R. 160.103 (2003). Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe that information can be used to identify the individual.

42 U.S.C. 1320d(6) (2003); 45 C.F.R. 160.103 (2003). Under this definition, a covered entity must determine who created or received the information; whether the content of the information concerns the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care; and whether the information identifies an individual or reasonably could be used to identify an individual. Protected health information means individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

(i) Transmitted by electronic media;

(ii) Maintained in electronic media; or

(iii) Transmitted or maintained in any other form or medium.

Id. (6) Thus, we see that protected health information is not just in electronic records, but may also be individually identifiable health information transmitted or maintained in any form or medium, such as paper or microfilm. See id. Paragraph two of the definition excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, section 1232g of title 20 of the United States Code, and employment records held by a covered entity in its role as employer. (7) See id. Therefore, and in summary, in determining whether requested information is protected health information subject to the Privacy Rule, a covered entity must consider the rule's definitions of three terms: health information, individually identifiable health information, and protected health information. See 45 C.F.R. 160.103 (2003).

B. Responding to Requests for Protected Health Information

Once a governmental body determines that it is a covered entity under the Privacy Rule and that requested information is protected health information, the covered entity must determine whether the Privacy Rule permits or requires the specific disclosure. See id. 164.502(a). The Privacy Rule limits disclosure of health information based on numerous factors such as the content of the record, the purpose of the disclosure, authorization by the individual affected, the nature, role and structure of the entities involved, the degree that the entity or entities are HIPAA-compliant, and many other factors. See id. pt. 164; Tex. Att'y Gen. Op. No. GA-0138 (2004) at 7. This opinion does not address the question of the permissible disclosure of protected health information in any specific circumstance. However, we will provide some general observations as guidance to covered entities making disclosure decisions about protected health information requested under the PIA.

Generally, a covered entity may not use or disclose protected health information without a valid authorization. (8) See 45 C.F.R. 164.508 (2003). However, the rule requires and permits certain disclosures. See id. 164.502(a)(2). For example, one of the rule's required disclosures is to the individual who is the subject of the information, when requested under and as required by section 164.524 or 164.528 of the rule. See id.  164.502(a)(2)(i); see also id. 164.524 (access of individual to protected health information), 164.528 (accounting of disclosures of protected health information). A covered entity must treat a personal representative as the individual for purposes of the Privacy Rule, except as provided in subsections (g)(3) and (5) of section 164.502. See id. 164.502(g). In addition, the rule requires a covered entity to disclose protected health information when required by the HHS Secretary for enforcement purposes. See id.  164.502(a)(2). Thus, the rule mandates disclosure only in two situations: to the individual who is the subject of the information or the individual's representative, and to the Secretary. See id.

The rule also permits certain disclosures of protected health information in certain circumstances. See id. 164.502(a)(1). Section 164.502 lists several permissible disclosures, one of which is the disclosure permitted by section 164.512. See id.  164.502(a)(1)(vi). Section 164.512 lists several different disclosure situations in which a covered entity may disclose or use protected health information without the individual's written authorization. One situation is of particular importance for governmental bodies subject to the PIA, subsection (a)(1).

Subsection (a)(1) states that

A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

Id. 164.512(a)(1). "Required by law" means "a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law . . . [and] includes . . . statutes or regulations that require the production of information . . . ." Id. 164.103. The disclosures permitted by subsection 164.512(a) must comply with the requirement of that subsection that "the use or disclosure complies with and is limited to the relevant requirements of such law." See id. 164.512(a); see also 65 Fed. Reg. 82462, 82524-25 (2000).

Section 552.021 of the PIA is a mandate in Texas law that compels Texas governmental bodies to disclose information to the public. See Tex. Gov't Code Ann.  552.021 (Vernon Supp. 2004); see also id. 552.002(a) (defining "public information"), 552.003(1)(A) (defining "governmental body"), 552.203 (requiring officer for public information to make public information available for public inspection and copying). Furthermore, a disclosure under the PIA is enforceable in a court of law. See id. 552.321, 552.3215. In the preamble to the Privacy Rule, the Office for Civil Rights of HHS (the "OCR") explains that the uses and disclosures required by the federal counterpart to the PIA, the Freedom of Information Act ("FOIA"), 5 U.S.C. 552, come within section 164.512(a). See 65 Fed. Reg. 82462, 82482 (2000). FOIA provides for public disclosure, upon the request of any person, of certain information in the possession of the federal government, subject to several exemptions and exclusions. See 5 U.S.C. 552 (1996). In responding to comments on section 164.512(a), the OCR also explains that "the rule's approach is simply intended to avoid any obstruction to [a covered entity's] ability to comply with its existing legal obligations." See 65 Fed. Reg. 82462, 82668 (2000). The PIA imposes on covered entities that are governmental bodies a legal obligation to release requested protected health information. We, therefore, believe that the disclosures under the PIA come within section 164.512(a). Consequently, when a covered entity that is a governmental body subject to the PIA is presented with a written request under the PIA for protected health information, it must evaluate each disclosure under the PIA as it does now under current procedures.

In many cases involving a request for protected health information, section 552.101 of the PIA, which excepts from the requirements of section 552.021 "information considered to be confidential by law, either constitutional, statutory, or by judicial decision," will except the information from required public disclosure. See Tex. Gov't Code Ann. 552.101 (Vernon Supp. 2004). This is true because numerous state confidentiality statutes apply to protected health information, and the doctrines of common-law and constitutional privacy, which also may protect health information in some cases, are also encompassed by section 552.101. See Indus. Found. v. Tex. Indus. Accident Bd., 540 S.W.2d 668, 685 (Tex. 1976), cert. denied, 430 U.S. 931 (1977). (9) However, the Privacy Rule does not make confidential information that is required to be disclosed by law. Information that is required to be disclosed pursuant to a state law is, therefore, not protected from disclosure by the Privacy Rule. Thus, the Privacy Rule does not make information subject to the PIA confidential for the purpose of section 552.101.

Therefore, a governmental body begins its inquiry by first determining whether it is a covered entity under the Privacy Rule. If it is a covered entity, it then looks to the Privacy Rule for a permitted or required disclosure, recognizing that section 164.512 permits a mandated disclosure. Because the PIA mandates disclosure of requested information (unless an exception applies), the governmental body has found a disclosure permitted under section 164.512(a) and so, completes its inquiry by examining the parameters of the PIA. We note that for federal agencies that receive requests for protected health information and that must comply with both FOIA and the Privacy Rule, the OCR has advised that section 164.512(a) of the Privacy Rule, permitting uses or disclosures required by law if the uses or disclosures "meet the relevant requirements of the law," requires them to look to the law under FOIA to determine to what extent the documents must be disclosed. See 65 Fed. Reg. 82462, 82482 (2000). The OCR advised: "Thus, a federal agency must determine whether it may apply an exemption or exclusion [in FOIA] to redact the protected health information when responding to a FOIA request." Id. Through section 164.512(a), then, federal agency FOIA disclosure decisions are moved from the Privacy Rule to FOIA. Similarly, governmental bodies in Texas must shift their focus from the Privacy Rule to the PIA when responding to a PIA request for protected health information. When an exception to required public disclosure does not apply in a particular circumstance, section 552.021 of the PIA requires public disclosure of the information. Therefore, in that circumstance, a governmental body can release requested protected health information without violating the Privacy Rule and without the need to request a ruling from this office. (10) See Tex. Gov't Code Ann.  552.021 (Vernon Supp. 2004). We advise governmental bodies subject to the Privacy Rule to seek a ruling from this office only when they wish to withhold requested protected health information from the public under an exception in subchapter C of the PIA, including a confidentiality law incorporated into the PIA under section 552.101 of that subchapter.

We emphasize that the guidance we now provide to governmental bodies is only for their limited use in making PIA disclosure decisions. In all other respects, including disclosure of information that is not requested under the PIA, governmental bodies that are covered entities must comply with the Privacy Rule. We further emphasize that Texas law, like HIPAA, protects the privacy interests of individuals in their health information. Texas statutory law contains a myriad of protections specifically for health information. For example, and to name but a small sample of those statutes, section 241.152 of the Health and Safety Code protects hospital health care information; section 159.002 of the Occupations Code protects physician medical records; section 611.002 of the Health and Safety Code protects mental health records; section 773.091 of the Health and Safety Code protects EMS medical records; and sections 12.003 and 21.012 of the Human Resources Code protect information about Medicaid recipients. The PIA also protects from required public disclosure records of medical conditions and medical histories of applicants or employees deemed confidential under Title I of the Americans with Disabilities Act of 1990, 42 U.S.C. 12101-12213. See Tex. Att'y Gen. ORD-641 (1996).

In addition, information that is intimate or embarrassing and in which the public has no legitimate interest is protected from required public disclosure under Texas commonlaw. See Indus. Found. v. Tex. Indus. Accident Bd., 540 S.W.2d 668, 685 (Tex. 1976); Morales v. Ellen, 840 S.W.2d 519 (Tex. App.--El Paso 1992, writ denied). See supra note 9, at 9. Moreover, the PIA protects information deemed confidential under the United States Constitution. See Indus. Found. v. Tex. Indus. Accident Bd., 540 S.W.2d 668, 678 (Tex. 1976). Under Texas law, individuals have "the right to be free from the government disclosing private facts about its citizens and from the government inquiring into matters in which it does not have a legitimate and proper concern." Ramie v. City of Hedwig Village, Tex., 765 F.2d 490, 492 (5th Cir. 1985); see also Fadjo v. Coon, 633 F.2d 1172, 1176 (5th Cir. 1981). (11) Information regarding an individual's illnesses or operations, physical handicaps, and use of prescription drugs is intimate personal information that is protected from required public disclosure under the PIA. See Tex. Att'y. Gen. ORD-455 (1987). Furthermore, this office will raise these privacy doctrines on behalf of a governmental body even if the governmental body fails to raise them in seeking an open records ruling and will require the governmental body to withhold the information from public disclosure whenever it is apparent from the information that the release of the information would implicate an individual's privacy interests. See Tex. Att'y. Gen. ORD-481 (1987), ORD-480 (1987), ORD-470 (1987).

The privacy of health information in Texas is vigorously protected and will continue to be protected by governmental bodies responding to requests for protected health information in accordance with this state's numerous existing safeguards.

II. City of Lubbock Records

Your third question presents an opportunity to use the general guidelines we have set out above in determining whether the Privacy Rule would apply to specific records. You ask whether a law enforcement agency such as the Lubbock Police Department or a first responder organization may disclose medical information it has documented as an observation of a law enforcement officer or has received from a hospital without violating the Privacy Rule. See Request Letter, supra note 2, at 2. Although we have no records or arguments to review, we can make some general observations in response to your question.

A. Lubbock First Responders

The Lubbock Fire Department first responders provide emergency medical care to patients at an emergency scene before an ambulance arrives. See supra note 1, at 2. The City of Lubbock explains that if EMS requires assistance with a patient, first responder personnel will assist EMS personnel in the ambulance. We understand that a first responder may administer prescription drugs orally, by injection, or by intravenous solutions, and may also administer oxygen and provide CPR services, which may include taking an EKG. See Tex. Att'y Gen. Op. No. JC-0420 (2001) at 4; see also Tex. Health & Safety Code Ann.  773.014(a) (Vernon 2003) (concerning EMS personnel administration of epinephrine). These facts show how first responders furnish health care in the normal course of their business. See 45 C.F.R. 160.103 (2003). Based on the Privacy Rule definitions of health care and health care provider, we believe the first responder is a health care provider under the Privacy Rule. See id. However, without information about whether the first responders transmit health information in electronic form and conduct covered transactions, we cannot conclude that the first responders are a covered entity. However, regardless of whether Lubbock's first responders are a covered entity under the Privacy Rule, when responding to a PIA request for protected health information, their public disclosure decisions must be based on the PIA, rather than the Privacy Rule.

B. Lubbock Police Department

A police department is not a covered entity. It is not a health plan, a health clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction covered by the rules as defined in the Privacy Rule. See 45 C.F.R. 160.103 (2003). In particular, it is not a covered health care provider because it is not a provider of services as defined in the two pertinent federal provisions referenced in the definition of health care provider, or an entity that furnishes, bills, or is paid for health care in the normal course of business. See id. The Assistant Secretary for Planning and Education at HHS, in commenting on the Privacy Rule, stated that: "[t]his rule regulates the ability of health care clearinghouses, health plans, and covered providers to use and disclose information. It does not regulate the behavior of law enforcement officials . . . or prevent states from regulating law enforcement officers." See 65 Fed. Reg. 82462, 82680 (2000). Thus, a record created by a police officer, including a record that documents an officer's observation of the medical condition of an individual, cannot be protected health information subject to the Privacy Rule. Nor is health information the police department obtains through a Privacy Rule exception (12) from a covered entity, such as a hospital, subject to the Privacy Rule. See 45 C.F.R. 160.102 (2003). Once a non-covered entity obtains information, HHS has no authority to enforce the non-covered entity's use or subsequent disclosure of the information. See id. pt. 160, subpt. C; 42 U.S.C. 1320d-1(a) (2003). However, while the Privacy Rule is not applicable to a police department record, state law may apply to a medical record the police obtain from a covered entity, such as a hospital or physician. (13) We will consider the applicability of state law to a medical record the police department obtains from a covered entity in section IV of this decision.

The Privacy Rule and Preemption of State Law

You next ask how a covered entity determines whether the Privacy Rule preempts a provision of Texas law, such as a provision of chapter 159 of the Texas Medical Practice Act, subtitle B of the Occupations Code. See Request Letter, supra note 2, at 2. A covered entity may need to make a preemption determination in some situations when it receives a request for protected health information outside of the PIA context. Both HIPAA and the Privacy Rule address the effect of HIPAA on state law. See 42 U.S.C. 1320d-7 (2003); 45 C.F.R. pt. 160, subpt. B (2003). Congress and the HHS Secretary have established a general approach to protecting from explicit preemption state laws that are more protective of privacy than the protections set forth in the Privacy Rule. See 45 Fed. Reg. 82462, 82513 (2000). The general rule on the preemption of state law is that the Privacy Rule preempts a contrary provision of state law. See 42 U.S.C. 1320d-7(1) (2003); 45 C.F.R. 160.203 (2003); see also C.F.R. 160.202 (2003) (defining state law as "a constitution, statute, regulation, rule, common law, or other State action having force and effect of law"). According to the Privacy Rule, contrary means

(1) A covered entity would find it impossible to comply with both the State and federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].

45 C.F.R. 160.202 (2003). (14)

If it is determined that a Privacy Rule provision is contrary to a provision in Texas law that applies to requested government information, a covered entity must consider whether one of four exceptions to the rule of preemption applies. See 42 U.S.C.  1320d-7(a)(1) (2003); 45 C.F.R. 160.202 (2003). The four exceptions to the general rule are: (1) the Secretary of HHS determines that the state law is necessary for one of four reasons; (15) (2) the state law is more stringent than the Privacy Rule; (3) the state law provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention; or (4) the state law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals. 45 C.F.R. 160.202, 160.203 (2003); see South Carolina Med. Ass'n, 327 F.3d at 354-355 (concerning vagueness challenge to exception to general rule of preemption of state law for laws that are "more stringent" than Privacy Rule). If exceptions one, three and four do not apply, a covered entity must determine whether the state law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation in the Privacy Rule. See 45 C.F.R.  160.203 (2003). "Relates to the privacy of individually identifiable health information" means that the state law has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way. Id.  160.202. The Privacy Rule also provides a definition of "more stringent," which means a state law that meets one or more of six criteria. (16) See id.; South Carolina Med. Ass'n, 327 F.3d at 354-55. Thus, when a covered entity is faced with a request for protected health information that is not under the PIA and that raises a preemption issue, these criteria provide guidance in making the determination as to whether the state law prevails. See 65 Fed. Reg. 82462, 82584 (2000).

In 2003, the Seventy-eighth Legislature enacted section 181.251 of the Health and Safety Code, which requires the Office of the Attorney General to perform an analysis of state law to determine which provisions related to the privacy of individually identifiable health information are preempted by HIPAA and the Privacy Rule. See Tex. Health & Safety Code Ann. 181.251 (Vernon Supp. 2004). "Not later than November 1, 2004, the attorney general shall file a report with the presiding officer of each house of the legislature that identifies the laws that the attorney general believes are preempted" by HIPAA and the Privacy Rule. Id. 181.253. The report must contain the attorney general's recommendation for legislation to make the state laws consistent with HIPAA and the Privacy Rule. See id. The attorney general has appointed the members of his HIPAA Preemption Analysis Task Force, which is presently engaged in a systematic preemption analysis of all Texas laws that are related to the privacy of individually identifiable health information.

State Law

A. Section 159.002 of the Occupations Code

Your fifth question is whether, under section 159.002(c) of the Occupations Code, the Lubbock Police Department may disclose to the public oral or written medical information received from a hospital regarding accident victims, crime victims, or suspected perpetrators. See Request Letter, supra note 2, at 2. Chapter 159 of the Occupations Code governs access to medical records and confidential physician-patient communications. See Tex. Occ. Code Ann. 159.002-.009 (Vernon 2004); Tex. Att'y Gen. ORD-598 (1991). Section 159.002 provides in pertinent part:

(a) A communication between a physician and a patient, relative to or in connection with any professional services as a physician to the patient, is confidential and privileged and may not be disclosed except as provided by this chapter.

(b) A record of the identity, diagnosis, evaluation, or treatment of a patient by a physician that is created or maintained by a physician is confidential and privileged and may not be disclosed except as provided by this chapter.

(c) A person who receives information from a confidential communication or record as described by this chapter, other than a person listed in Section 159.004 who is acting on the patient's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained.

Tex. Occ. Code Ann. 159.002(a)-(c) (Vernon 2004). Subsections (a) and (b) impart confidentiality to physician-patient communications about the physician's professional care of the patient as well as to the medical records created or maintained by a physician. See id.; see also id. 159.001 (defining medical record and patient), 151.002(12) (defining physician). Because hospital treatment is routinely conducted under the supervision of physicians, documents relating to a patient's diagnosis and treatment while at a hospital constitute protected records under the Occupations Code. See Tex. Att'y Gen. ORD-546 (1990). Subsection (c) governs the subsequent release of confidential information by persons who obtain the information under an exception to disclosure in chapter 159. See Tex. Occ. Code. Ann.  159.002(c) (Vernon 2004). The chapter provides numerous exceptions to the section 159.002 rule of confidentiality for medical records and physician-patient communications. See id.  159.003 (providing exceptions to confidentiality in court or administrative proceedings), 159.004 (providing exceptions to confidentiality in other situations). In addition, a patient may consent to the disclosure of confidential information under section 159.005. See id. 159.005. We will assume the police department obtained the confidential information from the hospital through an exception to confidentiality in chapter 159 of the Occupations Code. See id.  159.004. Subsection (c) prohibits the disclosure of "information from a confidential communication or record described by this chapter" except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained. See id. 159.002(c); Tex. Att'y Gen Op. No. JC-0555 (2002) at 4. The subsection (c) prohibition applies to the disclosure of the confidential information without regard to the oral or written form of the disclosure. Thus, for medical information received from a hospital about accident victims, crime victims, or suspected perpetrators, section 159.002(c) prohibits the police department's disclosure to the public, whether oral or written, of a confidential communication between a physician and a patient made in connection with the physician's professional services to the patient, or a medical record of a patient's identity, diagnosis, evaluation, or treatment that was created or maintained by a physician, except to the extent that disclosure is consistent with the authorized purposes for which the police department obtained the information. See Tex. Occ. Code Ann. 159.002(c) (Vernon 2004); Tex. Att'y Gen. Op. No. JC-0555 (2002); Tex. Att'y Gen. ORD-598 (1991), ORD-565 (1990). We advise the Lubbock Police Department to seek a ruling from this office whenever it receives a request for information under the PIA and wishes to withhold requested records under section 159.002 of the Occupations Code. See Tex. Gov't Code Ann.  552.301(a) (Vernon Supp. 2004).

B. Section 773.091 of the Health and Safety Code

Finally, you ask about the permissible public disclosure of first responder emergency medical service ("EMS") records. See Request Letter, supra note 2, at 2. You ask whether under section 773.091(c) of the Health and Safety Code, a Lubbock first responder may disclose to the public a patient's medical information obtained in providing emergency medical care. See id. Access to EMS records is governed by the Emergency Medical Services Act, chapter 773 of the Health and Safety Code. See Tex. Health & Safety Code Ann. 773.091-.093 (Vernon 2003); Tex. Att'y Gen. ORD-598 (1991). Section 773.091 reads in pertinent part as follows:

(a) A communication between certified emergency medical services personnel or a physician providing medical supervision and a patient that is made in the course of providing emergency medical services to the patient is confidential and privileged and may not be disclosed except as provided by this chapter.

(b) Records of the identity, evaluation, or treatment of a patient by emergency medical services personnel or by a physician providing medical supervision that are created by the emergency medical services personnel or physician or maintained by an emergency medical services provider are confidential and privileged and may not be disclosed except as provided by this chapter.

(c) Any person who receives information from confidential communications or records as described by this chapter, other than a person listed in Section 773.092 who is acting on the survivor's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was obtained.

. . . .

(g) The privilege of confidentiality under this section does not extend to information regarding the presence, nature of injury or illness, age, sex, occupation, and city of residence of a patient who is receiving emergency medical services. Nothing in this subsection shall be construed as requiring or permitting emergency services personnel to make a diagnosis.

Tex. Health & Safety Code Ann. 773.091(a)-(c), (g) (Vernon 2003). Thus, not only does the confidentiality apply to patient-physician communications and physician EMS medical records, but also to communications between a patient and certified EMS personnel and to medical records of the identity, evaluation, or treatment of a patient by EMS personnel that are created or maintained by the EMS provider. See id. 773.091(a)-(b). A first responder organization is a group or association of certified EMS personnel. See id.  773.003(16); see also id. 773.003(10) (defining emergency medical services personnel). Under subsection (g), section 773.091 does not make confidential information regarding the presence, nature of injury or illness, age, sex, occupation, and city of residence of a patient who is receiving emergency medical services. See id. 773.091(g). Thus, with the exception of the subsection (g) information, records of a first responder's treatment of a patient that were created or maintained by the first responder and communications between a patient and a first responder are confidential and must not be disclosed except as provided in chapter 773 of the Health and Safety Code. See id.  773.091(a)-(b), 773.092, 773.093. As with section 159.002 of the Occupations Code, we advise the city to seek a ruling from this office if it receives a request for information under the PIA and it wishes to withhold requested records under section 773.091 of the Health and Safety Code. See Tex. Gov't Code Ann. 552.301(a) (Vernon Supp. 2004).

SUMMARY

When a covered entity that is a governmental body subject to the PIA is presented with a request under the PIA for protected health information from a member of the public, it must evaluate each disclosure under the PIA as it does now under current procedures. The Privacy Rule does not make information confidential for the purpose of section 552.101 of the Government Code. A governmental body that is subject to both the PIA and the Privacy Rule must comply with the Privacy Rule in disclosing protected health information that is not requested under the PIA. A record created by a police officer, including a record that documents an officer's observation of the medical condition of an individual or a record that contains health information obtained from a covered entity, is not subject to the Privacy Rule since a police department is not a covered entity under the rule. A first responder organization must release protected health information to the public when the information is requested under the PIA and no exception to disclosure in subchapter C of the PIA applies. For disclosures of protected health information that are not requested under the PIA, this office will address the preemption of particular state laws in preparing an analysis for the legislature that identifies the laws that the attorney general believes are preempted by HIPAA and the Privacy Rule. We advise the City of Lubbock to seek a ruling from this office when it receives a request for information under the PIA and it seeks to withhold requested records under section 159.002(c) of the Occupations Code or chapter 773 of the Health and Safety Code.

Very truly yours,

Abbott signature

GREG ABBOTT
Attorney General of Texas

BARRY R. MCBEE
First Assistant Attorney General

DON R. WILLETT
Deputy Attorney General - General Counsel

KATHERINE MINTER CARY
Chief, Open Records Division

GREGORY T. SIMPSON
Deputy Chief, Open Records Division

Kay Hastings
Assistant Attorney General, Open Records Division


Footnotes

1. A first responder organization (hereinafter "first responders") is a group or association of certified emergency medical services personnel that, working in cooperation with a licensed emergency medical services provider, provides immediate on-scene care to ill or injured persons but does not transport those persons. Tex. Health & Safety Code Ann. 773.004(16) (Vernon 2003); see 25 Tex. Admin. Code. 157.14(a) (2003).

2. Letter from Honorable Robert Duncan, Chair, Senate Committee on Jurisprudence, Texas State Senate, to Honorable Greg Abbott, Texas Attorney General (Aug. 4, 2003) (on file with Open Records Division) (footnote added) [hereinafter Request Letter].

3. A health care provider means a provider of services (as defined in section 1861(u) of the Social Security Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the Social Security Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. See 45 C.F.R. 160.103 (2003). The rule also defines health care as care, services, or supplies related to the health of an individual and lists several examples of health care. See id.

4. Health information means any information, whether oral or recorded in any form or medium, that:

(1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Id.

5. A covered entity may choose to be a hybrid entity, which is a covered entity whose business activities include both covered and non-covered functions. See 45 C.F.R. 164.103(a). A hybrid entity must designate a health care component or components in accordance with paragraph (a)(2)(iii)(c) of section 164.105 of the rules. See id.  164.105(a). The Privacy Rule requires hybrid entities with a health care component to establish safeguard policies and procedures to prevent any access to protected health information by the larger entity that would not be permitted by the Privacy Rule. See id. 164.105(a)(2)(ii). The covered entity in the hybrid entity situation is responsible for ensuring that the health care components comply with the Privacy Rule. See id.  164.105(a)(2)(iii). Once an entity determines that it qualifies as a hybrid entity and has chosen to identify itself as a hybrid entity by designating and documenting the designation of its health component or components, the general rule for a hybrid entity is that the privacy requirements only apply to the health care component or components of the entity and not to the entire entity. See id. 164.105(a)(1). This means that the requirements in the Privacy Rule apply to protected health information that is created by or received by or on behalf of a health component of a hybrid entity. Therefore, the Privacy Rule does not apply to information that is not maintained by the health component of the hybrid entity. For example, with respect to a university as a hybrid entity that has designated its hospital facilities that bill electronically as the health component, the disclosure provisions of the Privacy Rule only apply to the hospital facility and not the university. See id.

6. "Electronic media means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media." Id. 162.103.

7. Employers are required to obtain health information about their employees as part of their routine employment activities such as administration of sick leave and leave of absence forms which may require the employee to provide medical information about the reason for the absence. Records of a covered entity's activities as an employer are not protected health information. See id. 164.501. Individually identifiable health information maintained or transmitted by a covered entity in its health care capacity continues to be treated as protected health information.

8. Health information that has been de-identified in accordance with section 164.514 is considered not to be individually identifiable health information. See 45 C.F.R. 164.502(d)(2)(2003). The requirements of the Privacy Rule concerning the privacy of individually identifiable health information, sections 164.500 through 164.534, do not apply to such de-identified information. See id.

9. The type of information considered intimate and embarrassing by the Supreme Court of Texas in Industrial Foundation includes information relating to sexual assault, pregnancy, mental or physical abuse in the workplace, illegitimate children, psychiatric treatment of mental disorders, attempted suicide, and injuries to sexual organs. Indus. Found. v. Tex. Indus. Accident Bd., 540 S.W.2d 668, 683 (Tex. 1976). Constitutional privacy consists of two interrelated types of privacy:  (1) the right to make certain kinds of decisions independently; and (2) an individual's interest in avoiding disclosure of personal matters. See Tex. Att'y Gen. ORD-455 (1987) at 4. The first type protects an individual's autonomy within "zones of privacy" which include matters related to marriage, procreation, contraception, family relationships, and child rearing and education. See id. The second type of constitutional privacy requires a balancing between the individual's privacy interests and the public's need to know information of public concern. See id. The scope of information protected is narrower than that under the common law doctrine of privacy; the information must concern the "most intimate aspects of human affairs." Id. at 5 (citing Ramie v. City of Hedwig Village, Tex., 765 F.2d 490 (5th Cir. 1985)).

10. Another circumstance, in responding to requests for protected health information, could require a governmental body to disclose protected health information under the Privacy Rule when the information would also be excepted from disclosure under a confidentiality statute or under subchapter C of the PIA. This decision does not address this particular circumstance. See discussion of preemption in section III of this decision.

11. In Tex. State Employees Union v. Tex. Dep't of Mental Health & Mental Retardation, 746 S.W.2d 203 (Tex. 1987), the Texas Supreme Court held that the Texas Constitution protects personal privacy from unreasonable intrusion. The court stated that the Texas Constitution contains no express guarantee of a right of privacy, but it does contain several provisions similar to those in the United States Constitution that have been recognized as implicitly creating protected "zones of privacy." 746 S.W.2d at 205.

12. The Privacy Rule limits the information that a covered entity may provide to a law enforcement official. The rule permits a covered entity to disclose protected health information for a law enforcement purpose to a law enforcement official only under certain conditions. See id. 164.512(f). For example, the rule permits a covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, to disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to (1) the commission and nature of a crime, (2) the location of such crime or of the victim(s) of such crime, and (3) the identity, description, and location of the perpetrator of such crime. A disclosure is not permitted under this section if the health care provider believes that the medical emergency is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care. In such cases, disclosures to law enforcement would be governed by paragraph (c) of this section. See id. 164.512(f)(6), 65 Fed. Reg. 82462, 82533 (2000).

13. As to what constitutes protected health information in the context of a criminal investigation, the Assistant Secretary for Planning and Evaluation at HHS clarified that items such as cells and tissues are not protected health information, but that analyses of them are. The same treatment would be given other physical items, such as clothing, weapons, or a bloody knife. While these items are not protected health information and may be disclosed, some communications that could accompany the disclosure will be protected health information under the rule. If a person provides a bullet to law enforcement, and tells law enforcement that the bullet was extracted from an identified individual, the person has disclosed the fact that the individual was treated for a wound, and the additional statement is a disclosure of protected health information. See 45 Fed. Reg. 82462, 82533-34.

14. The tests in the definition of "contrary" were adopted from the jurisprudence of "conflict preemption." See 65 Fed. Reg. 82580 (2000); see generally id. (discussing definition of contrary).

15. The four reasons the HHS Secretary may determine a state law is necessary are (1)to prevent fraud and abuse related to the provision of or payment for health care; (2) to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; (3) for state reporting on health care delivery or cost; or (4) for purposes of serving a compelling need related to pubic health, safety, or welfare, and if a standard, requirement, or implementation specification under part 164 is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served. See 45 C.F.R. 160.203(a); see also id. 160.204 (process for requesting exception determinations). The rules authorize a state's chief elected official, or his or her designee, to request an exception determination from the HHS Secretary. See id.  160.204(a).

16. Section 160.202 provides:

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a State law that meets one or more of the following criteria:

(1) With respect to a use or disclosure, the law prohibits or restricts a use or disclosure in circumstances under which such use or disclosure otherwise would be permitted under this subchapter, except if the disclosure is:

(i) Required by the Secretary in connection with determining whether a covered entity is in compliance with this subchapter; or

(ii) To the individual who is the subject of the individually identifiable health information.

(2) With respect to the rights of an individual who is the subject of the individually identifiable health information of access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable; provided that, nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor.

(3) With respect to information to be provided to an individual who is the subject of the individually identifiable health information about a use, a disclosure, rights, and remedies, provides the greater amount of information.

(4) With respect to the form or substance of an authorization or consent for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the authorization or consent, as applicable.

(5) With respect to recordkeeping or requirements relating to accounting of disclosures, provides for the retention or reporting of more detailed information or for a longer duration.

(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.

45 C.F.R. 160.202 (2003).


POST OFFICE BOX 12548, AUSTIN, TEXAS 78711-2548 TEL: (512) 463-2100 WWW.OAG.STATE.TX.US
An Equal Employment Opportunity Employer

Home | Opinions