Greg Abbott, Attorney General of the State of Texas v. Texas Department of Mental Health and Mental Retardation

TEXAS COURT OF APPEALS, THIRD DISTRICT, AT AUSTIN 444444444444444444444444444 ON MOTION FOR REHEARING 444444444444444444444444444 NO. 03-04-00743-CV Greg Abbott, Attorney General of the State of Texas, Appellant v. Texas Department of Mental Health and Mental Retardation, Appellee FROM THE DISTRICT COURT OF TRAVIS COUNTY, 261ST JUDICIAL DISTRICT NO. GV400344, HONORABLE PATRICK KEEL, JUDGE PRESIDING OPINION Our opinion and judgment issued on June 16, 2006, are withdrawn, and the following opinion is substituted. A reporter made a public information request to the Texas Department of Mental Health and Mental Retardation (the “Department”)1 asking for statistical information regarding allegations of abuse and subsequent investigations of abuse in state facilities and for the names of the facilities in which the alleged incidents occurred. The Department believed that the information 1 Effective September 1, 2004, the services provided by the Department were transferred to different agencies. The mental health components of the Department were transferred to the Department of State Health Services. The remaining services were transferred to the Department of Aging and Disability Services. Act of June 2, 2003, 78th Leg., R.S., ch. 198, § 1.01, 2003 Tex. Gen. Laws 611, 611. Because the distinction is not relevant in this appeal, we will refer to the appellee as the Department. could not be released because it was protected health information prohibited from disclosure by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and asked the Attorney General to provide an opinion as to whether the information could be released. See Pub. L. 104-191, 110 Stat. 1936 (HIPAA codified in various sections of 8, 22, 26, 29 and 42 U.S.C.A.). The Attorney General concluded that the information was subject to disclosure by the Public Information Act, which requires the disclosure of public information in response to public requests. See Tex. Gov’t Code Ann. §§ 552.001-.353 (West 2004 & Supp. 2005) (Public Information Act). The Department contested the Attorney General’s opinion and filed suit in district court. The district court concluded the information was confidential and not subject to disclosure. The Attorney General appeals the decision of the district court. We will reverse the judgment of the district court. BACKGROUND The Department received a request for information under the Public Information Act asking for statistics regarding alleged incidents of abuse and sexual assault occurring at facilities operated by the Department. Specifically, the request asked for the following information concerning the previous five years: (1) statistics regarding alleged incidents of sexual assault and patient-client abuse at state hospitals and Department facilities; (2) statistics concerning any subsequent investigation of the allegations; (3) the names of the facilities in which the incidents allegedly occurred; (4) the dates the events allegedly occurred; and (5) the disposition of any investigations. After receiving the request, the Department released a statistical report showing all abuse allegations and subsequent investigations in Texas for fiscal years 1998 to 2003, but the report did not provide information regarding individual facilities. 2 The Department requested that the Attorney General issue an opinion regarding whether releasing the requested statistical information from individual facilities would violate HIPAA and the federal rules implementing HIPAA—the Standards for Privacy of Individually Identifiable Health Information (cumulatively, the “Privacy Rule”). See Tex. Gov’t Code Ann. § 552.301 (West 2004) (allowing governmental body seeking to withhold information from disclosure to ask Attorney General whether information is excepted from disclosure); see Pub. L. 104-191, 110 Stat. 1936 (HIPAA); 45 C.F.R. pts. 160 & 164 (2005) (Privacy Rule).2 The Department contended that, because the information concerns alleged sexual and other types of abuse at various facilities and because the request asks for the names of the facilities where the alleged incidents occurred, it is prohibited from disclosing the information because it is “individually identifiable health information.” The Attorney General issued a letter ruling stating that the information requested was not excepted from the requirements of the Public Information Act and must be released. Tex. Att’y Gen. LA-1451 (2004). The letter further concluded that requests for information made under the Public Information Act fall under an exception to nondisclosure found in the Privacy Rule that allows disclosure of health information if it is required by law and if the disclosure complies with the requirements of the law in question. Id.; see 45 C.F.R. § 164.512(a). The letter also stated that, although section 552.101 of the Public Information Act prohibits disclosure of information that is considered confidential, the Privacy Rule does not render the information requested in this case confidential, and it is, therefore, subject to disclosure. Tex. Att’y Gen. LA-1451; see Tex. Gov’t 2 The Privacy Rule prohibits the disclosure of protected health information unless it falls within an exception described in the Rule. See 45 C.F.R. pts. 160 & 164 (2005). 3 Code Ann. § 552.101 (West 2004). In addition, the letter reasoned that, because the Privacy Rule does not make the requested information confidential, the Department may not withhold the information unless another exception to disclosure under the Public Information Act applies. Tex. Att’y Gen. LA-1451. This letter ruling relied on a previous opinion released by the Attorney General reaching similar conclusions. See Tex. Att’y Gen. ORD-681 (2004). The Department filed suit challenging the opinion of the Attorney General. See Tex. Gov’t Code Ann. § 552.324 (West 2004) (allowing governmental body to file suit contesting opinion of Attorney General). The Department and the Attorney General filed cross motions for summary judgment. In his motion for summary judgment, the Attorney General contended that the information requested should be released under the Public Information Act. The Department, on the other hand, argued that HIPAA and the Privacy Rule prohibit the release of the information or, alternatively, that HIPAA and the Privacy Rule preempt the Public Information Act. The district court granted the Department’s motion, concluding that the information requested was “confidential” and, therefore, exempt from disclosure under the Public Information Act. The Attorney General appeals both the denial of his motion for summary judgment and the granting of the Department’s motion for summary judgment. STATUTORY FRAMEWORK Before addressing the merits of the parties’ arguments, a review of the statutory framework governing this appeal is helpful. The first set of statutes at issue in this appeal is the Public Information Act. See id. §§ 552.001-.353. The Act specifies that it is “the policy of this state that each person is entitled, unless otherwise expressly provided by law, at all times to complete 4 information about the affairs of government.” Id. § 552.001(a) (West 2004). Further, the Act provides that it “shall be liberally construed in favor of granting a request for information.” Id. § 552.001(b) (West 2004). Under the Act, “[p]ublic information is available to the public at a minimum during the normal business hours of the governmental body.” Id. § 552.021 (West 2004). In addition, the Act states: This chapter does not authorize the withholding of public information or limit the availability of public information to the public, except as expressly provided by this chapter. Id. § 552.006 (West 2004); see also id. §§ 552.002(a) (West 2004) (defining “public information” as information collected, assembled, or maintained by governmental body), 552.003(1)(A) (West 2004) (defining “governmental body” to include department created by executive or legislative branch), 552.101-.142 (providing exceptions to disclosure). One exception to the general rule requiring disclosure provides that information considered “to be confidential by law, either constitutional, statutory, or by judicial decision” is excepted from disclosure. Id. § 552.101; see also id. § 552.352 (West 2004) (person who distributes information considered confidential under Public Information Act is guilty of criminal offense). Similarly, section 552.006 provides that nothing in the Act prohibits an agency from voluntarily making its information available to the public unless the disclosure is “expressly prohibited by law or the information is confidential under law.” Id. § 552.006. The second area of law at issue in this appeal involves HIPAA and the Privacy Rule. See Pub. L. 104-191, 110 Stat. 1936; 45 C.F.R. pts. 160 & 164. In 1996, Congress enacted HIPAA, in part, to “improve the efficiency and effectiveness of the health care system by facilitating the 5 electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers.” 67 Fed. Reg. 14776, 14776 (March 27, 2002). HIPAA authorized the U.S. Department of Health and Human Services (“HHS”) to issue safeguards to protect the confidentiality and security of health information. Id.; 42 U.S.C.A. §§ 1320d-1(d), 1320d-2 (West 2003). HIPAA mandated that it was a federal offense to disclose “individually identifiable health information,” see id. §§ 1320d-5, 1320d-6 (West 2003), and authorized HHS to adopt standards for the electronic exchange of this type of information and for the security and confidentiality of those exchanges, see id. § 1320d-2. HIPAA defines “individually identifiable health information” as follows: (6) Individually identifiable health information. The term “individually identifiable health information” means any information, including demographic information collected from an individual, that— (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual. Id. § 1320d(6) (West 2003). HHS, under the authority of HIPAA, promulgated the Privacy Rule under title 45 of the Code of Federal Regulations. The commentary accompanying the Privacy Rule described the 6 rule as a “mandatory floor” for consumer protection that other government entities may exceed if they choose. 65 Fed. Reg. 82462, 82471 (Dec. 28, 2000). The Privacy Rule prohibits a “covered entity” from disclosing “protected health information” except as specifically permitted by the Rule. 45 C.F.R. § 164.502; see also id. §§ 164.506 (covered entities may disclose health information to carry out treatment, payment, or health care operations or with individual’s consent), 164.508 (covered entity may not disclose protected health information without authorization). A “covered entity” includes, among others, health care providers who transmit health information electronically and health plans that either provide or pay for medical care. Id. § 160.103; see also 42 U.S.C.A. § 1320d(3), (5) (West 2003) (defining “health provider” and “health plan”). “Protected health information” is defined as “individually identifiable health information . . . that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or media.” 45 C.F.R. § 160.103. The Privacy Rule lists certain exceptions to the general rule that a covered entity may not disclose protected health information. See id. § 164.502. One such exception allows a covered entity to disclose health information if the information is “de-identified” before it is released. See id. § 164.502(d); see also id. § 164.514(a) ( “[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information”). In an attempt to prevent health information from being linked with individuals, HHS established standards for de-identifying health information. See id. § 164.514; see also 67 Fed. Reg. at 14798-99. Section 164.514 specifies that a covered entity may determine that health information is not individually identifiable and may be disclosed if (1) a statistician determines that the risk is very slight that the information could be 7 used to identify an individual or (2) several specific identifiers, including geographic identifiers like street addresses and zip codes, are removed from the information prior to disclosure. 45 C.F.R. § 164.514. Another exception allows covered entities to “disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.” Id. § 164.512(a)(1).3 The phrase “required by law” is defined as “a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law” and includes “statutes or regulations that require the production of information.” Id. § 164.103. STANDARD OF REVIEW Both parties filed cross-motions for summary judgment. Because the parties agreed that the relevant facts in question are not in dispute, summary judgment was proper in this case. See 3 Subsection 164.512(a)(1) reads, in relevant part, as follows: A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section, the covered entity's information and the individual’s agreement may be given orally. (a) Standard: Uses and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. 45 C.F.R. § 164.512(a)(1) (2005). 8 City of Garland v. Dallas Morning News, 22 S.W.3d 351, 356 (Tex. 2000). When a district court grants one motion and denies the other, an appellate court should determine all questions presented and render the judgment the district court should have rendered. Id. at 356. In a Public Information Act case, courts must determine if the requested information is subject to an exception to disclosure. Thomas v. Cornyn, 71 S.W.3d 473, 482 (Tex. App.—Austin 2002, no pet.). An agency has the burden of proving that an exception to disclosure under the Public Information Act applies before it may withhold the requested information. Id. at 488. In making this determination, we must construe HIPAA, the Privacy Rule, and the Public Information Act and determine the interaction between these laws. Matters of statutory construction present legal questions. City of Garland, 22 S.W.3d at 357. In construing statutes, our goal is to give effect to the legislature’s intent. Texas Dep’t of Protective & Regulatory Servs. v. Mega Child Care, Inc., 145 S.W.3d 170, 176 (Tex. 2004). This determination begins with the wording of the statutes involved. In re Bay Area Citizens Against Lawsuit Abuse, 982 S.W.2d 371, 380 (Tex. 1998). We must interpret the statute as written. See In re Doe, 19 S.W.3d 346, 351 (Tex. 2000). Every word in a statute is presumed to have been used for a purpose and every word excluded is presumed to have been excluded for a purpose. Laidlaw Waste Sys., Inc. v. City of Wilmer, 904 S.W.2d 656, 659 (Tex. 1995). DISCUSSION Protected Health Information Before addressing the claims made by the parties in this case, we first note that the information requested in this case does not seem to fall into the definitions of “protected health 9 information” given in either HIPAA or the Privacy Rule. The request asked for allegations and investigations of abuse at various governmental facilities. Statistical information regarding allegations of abuse and subsequent investigations does not seem to relate to issues regarding health or condition in general and certainly does not relate to the health or condition of an individual, “the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”4 See 42 U.S.C.A. § 1320d(6) (emphasis added); 45 C.F.R. § 160.103. This interpretation of the phrase “protected health information” is supported by the decisions of other courts that have concluded that specific types of information could be disclosed because they did not constitute protected health information under HIPAA or the Privacy Rule. In State ex. rel. Cincinnati Enquirer v. Daniels, the Ohio Supreme Court determined that certain information requested by the Cincinnati Enquirer did not constitute protected health information. 811 N.E.2d 1181, 1183, 1186 (Ohio 2006). The Enquirer asked the Cincinnati Health Department to release copies of lead-contamination notices it had sent to the residences of children whose blood tests had indicated elevated levels of lead. The Ohio Supreme Court concluded that the information was subject to disclosure under the Ohio Public Records Act. The court further concluded that the notices did not contain protected health information, noting that they did not provide the name, age, birth date, social security number, telephone number, family information, or any other identifier 4 In making this statement, we do not imply that statistical information can never constitute protected health information. Rather, we merely state that the information requested in this case does not seem to fall within the definitions of protected health information found in HIPAA or the Privacy Rule. 10 other than address and did not contain any specific details regarding any medical examination, assessment, diagnosis, or treatment. Id. at 1185. A similar result was reached in Foley v. Samaritan Hospital, in which a New York court concluded that the information sought through a discovery request did not constitute protected health information. 11 Misc. 3d 1055A, *4 (Rensselaer County Feb. 3, 2006). The plaintiff in Foley contended that the hospital’s negligent conduct resulted in the death of a patient. The plaintiff wanted the hospital to release the names and addresses of the two other patients that were in the same room as the deceased in order to obtain information from them. Id. at *2. The hospital refused to disclose the information and argued that releasing the information would be a violation of HIPAA. Id. The court concluded that disclosing the names and addresses in response to a discovery request would not violate HIPAA because the disclosure would not reveal “individually identifiable health information.” Id. at *4.5 5 The court concluded that there was also no impediment to the release of the information requested under state discovery rules because disclosing the identity of the plaintiff’s roommates in the emergency room would not reveal the medical status of the roommates. Foley v. Samaritan Hospital, 11 Misc. 3d 1055A, *3 (Rensselaer County Feb. 3, 2006). Compare Rabinowitz v. St. John’s Episcopal Church, 808 N.Y.S.2d 280, 282 (N.Y. App. Div. 2d Dep’t, Dec. 12, 2005) (due to wide range of services and medical conditions treated in emergency room, disclosure of identity of patients would not violate patients’ right to keep health information confidential) with Gunn v. Sound Shore Med. Ctr., 772 N.Y.S.2d 714, 715 (N.Y. App. Div. 2d Dep’t., Mar. 8, 2004) (release of names of patients being treated in cardiac center of hospital would reveal that patients were undergoing treatment for heart-related conditions). On rehearing, the Department contends that our reference to the Foley opinion might extend our ultimate holding in this opinion to the discovery context. However, our citation to Foley is not meant as an endorsement or comment on disclosures of protected health information in the discovery context. Rather, we cite to Foley merely for support of our preliminary statement that the type of information requested in this case does not seem to fit into the definitions of protected health information in HIPAA or the Privacy Rule. Moreover, discovery requests are subject to their own limits on disclosure, including information considered privileged. See, e.g., Tex. R. Civ. P. 192.3 (party may obtain discovery of matters not privileged including names, addresses, and telephone 11 Although the information at issue in this case does not seem to be the type of information that would constitute “protected health information,” neither party sufficiently addresses this point in their briefs. Even though the Attorney General briefly mentions that he disagrees with the Department’s characterization of the information as protected health information, he does not cite to any authority for this proposition. Rather, the whole thrust of the Attorney General’s original letter opinion, his motion for summary judgment, and his briefs seems to assume that the information is protected health information that is subject to disclosure via an exception in the Privacy Rule. Therefore, for the purposes of this case, we will assume that the information is protected health information. See Mathis, 377 F. Supp. 2d at 645 (concluding that requested information was not protected health information and that, even if it was protected health information, it was still subject to disclosure); Daniels, 811 N.E.2d at 1186 (same). Issues on Appeal On appeal, the Attorney General contends that the Department is required to release the information requested under the Public Information Act. The Attorney General does not contest that HIPAA generally applies or the Department’s assertion that the Department is a “covered entity” subject to the requirements of HIPAA and the Privacy Rule. However, he argues that the “required numbers of people with knowledge of facts relevant to case), 192.4 (limitations on scope of discovery), 192.5 (work product); see also Tex. R. Evid. 503 (attorney-client privilege), 509 (physician-patient privilege includes records identifying and diagnosing patient). In addition, the Privacy Rule itself provides a procedure for the disclosure of protected health information in response to discovery requests. See 45 C.F.R. § 164.512(e). 12 by law” exception to nondisclosure in section 164.512(a) of the Privacy Rule applies in this case and authorizes disclosure of the information requested. See 45 C.F.R. § 164.512(a). Specifically, he asserts that the Public Information Act qualifies under section 164.512(a) as a law requiring the disclosure of protected health information. In addition, he contends that nothing in the Public Information Act prohibits the release of the requested information and that the disclosure would comply with all the requirements listed in the Act. Therefore, he argues the information must be disclosed. Finally, he avers that, contrary to the assertions of the Department, HIPAA and the Privacy Rule do not preempt the Public Information Act and that a covered entity may satisfy all the requirements of both sets of statutes. The Department, on the other hand, argues that the Public Information Act is not a statute requiring the disclosure of protected health information, and, therefore, subsection 164.512(a) does not authorize the release of the information requested. Rather, the Department asserts that the Act is a general statute dealing with public information, not protected health information. Alternatively, the Department contends that, even if the Public Information Act qualifies under the terms of section 164.512(a), the information was still not subject to disclosure because the Act does not authorize the release of information deemed confidential by law. Specifically, the Department argues that, because HIPAA and the Privacy Rule prohibit the disclosure of protected health information, protected health information is confidential. Finally, the Department insists that if the Act requires the disclosure of the information requested in this case, it is preempted by the Privacy Rule. We will address these arguments in the order described. 13 The Public Information Act Compels Disclosure of the Information Requested The Public Information Act Qualifies Under Section 164.512(a) In support of its assertion that the Public Information Act does not qualify under section 164.512(a) of the Privacy Rule, the Department notes that health information is not mentioned in the definition of “public information” provided in the Act. See Tex. Gov’t Code Ann. § 552.002 (“‘public information’ means information that is collected, assembled, or maintained under a law or ordinance or in connection with the transaction of official business: (1) by a governmental body; or (2) for a governmental body and the governmental body owns the information or has a right of access to it”). In addition, the Department refers to a portion of the commentary accompanying the Privacy Rule discussing the inclusion of section 164.512(a) in the Privacy Rule. See 65 Fed. Reg. at 82666-67. The commentary states that subsection 164.512(a) was a necessary addition to the Privacy Rule to “harmonize the rule with existing state and federal laws mandating uses and disclosures of protected health information” and lists various types of laws that might require disclosure, including national security, public health, and law enforcement. The Department notes that public information statutes were not specifically mentioned. Further, the Department contends that the Public Information Act does not sufficiently limit the individuals to whom information may be released, the manner in which the information may be released, and the purpose for which the information may be released to qualify it as a statute requiring the disclosure of protected health information. In support of this contention, the Department refers to another section of the commentary to the Privacy Rule describing federal laws requiring release of protected health information, which states “[m]any federal laws require covered entities to provide specific information to specific entities in specific circumstances” and lists several 14 laws requiring disclosure. Id. at 82485. Further, the Department refers to statutes that it argues are sufficiently specific to authorize the release of information under section 164.512(a).6 In further support of this assertion, the Department refers to the other exceptions to non-disclosure listed in section 164.512, which generally deal with law enforcement and public health concerns, and insists that these required-by-law disclosures are limited by the purpose for which disclosures may be made, the entity to whom information may be disclosed, and by the circumstances under which disclosures may be made. See 45 C.F.R. § 164.512(b)-(l).7 The 6 For example, the Department refers to the Developmental Disabilities Assistance and Bill of Rights Act and the Protection and Advocacy for Mentally Ill Individuals Act as examples of statutes that sufficiently limit the purpose for which disclosure may occur and limits the entities to which the information may be released. See 42 U.S.C.A. §§ 10801-10851 (West 2005); id. §§ 15001-15115 (West 2005). Both statutes require states to protect individuals with developmental disabilities or mental illness by developing agencies that have the authority to investigate incidents of abuse and neglect of individuals. Id. §§ 10803(2), 15043(a)(1), (a)(2)(B). As part of their investigative powers, these agencies have the authority to access individuals’ records. Id. §§ 10805(a)(4), 15043(a)(2)(I), (J). The Department also refers to section 261.402 of the family code, which authorizes state agencies to (1) notify law enforcement agencies of reports concerning abuse, neglect, and exploitation of children in state-operated facilities and (2) compile and make available statistics on incidences of abuse, neglect, and exploitation of children in state-run facilities. See Tex. Fam. Code Ann. § 261.402 (West 2002). The Department contends that there is no comparable statute mandating an agency to disclose information regarding abuse allegations of adults living in state-run facilities, especially to non-law-enforcement entities, and insists that this supports its contention that the type of information requested in this case is not subject to disclosure. 7 The remaining exceptions cited by the Department allow the release of protected health information (1) to public health authorities authorized to receive that type of information; (2) to law enforcement authorities authorized to receive reports of abuse, neglect, or domestic violence; (3) to health oversight agencies; (4) to courts or administrative agencies in response to an order or subpoena; (5) to law enforcement agencies if a law requires the reporting of certain types of injuries, if a court or administrative agency orders it, or if used for identifying or locating a suspect; (6) to coroners and medical examiners to identify deceased individuals; (7) to organ procurement organizations for the purpose of facilitating transplants; (8) for research purposes; (9) to avert serious health threats to individuals or the public; and (10) to military authorities if they deem it necessary to assure the execution of a military mission. 45 C.F.R. § 164.512(b)-(l) (2005). 15 Department contends that the exception listed in subsection (a) should be interpreted in a similarly narrow fashion: it should allow disclosure of “protected health information” only if another law specifically requires the disclosure of this type of information. Because the information requested involves allegations of abuse and neglect, the Department also asserts that a determination of whether the information can be released must be construed in light of section 164.512(c) of the Privacy Rule. Section 164.512(c) allows a covered entity to disclose to governmental authorities information concerning an individual the covered entity believes to be the victim of abuse and neglect. 45 C.F.R. § 164.512(c). The Department contends that release of the information requested to a reporter would be a violation of this subsection. We disagree with the Department’s assertion that the Public Information Act does not qualify under section 164.512(a). Nothing in the definition of “public information” expressly exempts health information. See Tex. Gov’t Code Ann. § 552.002. Further, due to the Act’s emphasis on providing information on governmental activities to citizens, public information requests made to agencies providing health care services may in certain cases involve the disclosure of health information. See id. § 552.001. Although the Act allows for disclosure of information to a greater number of individuals and for less specific reasons than the statutes referred to by the Department, this does not necessarily remove public information statutes from consideration under section 164.512 of the Privacy Rule. There is nothing in the language of the Privacy Rule or HIPAA that limits the application of subsection 164.512(a) to statutes authorizing the disclosure of specifically enumerated types of health information. Although the Privacy Rule’s commentary listing types of statutes that might require disclosure of protected health information does not specifically include public information statutes, 16 there is no indication that the list is exhaustive. See 65 Fed. Reg. at 82666-67. Rather, the language specifies that the types of federal and state statutes requiring disclosure by law occur in a myriad of contexts. The commentary merely provides a range of possible areas of the law that might require disclosure. Further, in a separate section, the commentary describes the interaction between the Privacy Rule and the federal counterpart to the Public Information Act—the Freedom of Information Act. This section indicates that public information statutes are statutes that might result in the disclosure of protected health information and provides that disclosures under the Freedom of Information Act fall under section 164.512(a) of the Privacy Rule if the disclosures meet the relevant requirements of the Act. Id. at 82482. The commentary further states that if an agency receives a request for protected health information, the agency must first determine whether the Act requires the disclosure or if an exemption applies, in which case the agency may redact the protected information. Id. The commentary makes it clear that when determining whether to release protected health information in response to a Freedom of Information Act request, an agency must look to the limits and exemptions in the Act, not to the Privacy Rule. We disagree with the Department’s contention that releasing information under subsection 164.512(a) in response to a public information request would violate subsection 164.512(c). See 45 C.F.R. § 164.512(a), (c). These two subsections provide alternative methods in which protected health information may be disclosed and apply in different contexts. Subsection (c) authorizes covered entities to release protected health information about an individual the entity believes is the victim of abuse or neglect to governmental entities that are specifically authorized by law to receive that type of information, such as protective service agencies. Id. § 164.512(c). 17 Subsection (a), on the other hand, authorizes the release of protected health information if it is required by any type of law, not just laws concerning suspected victims of abuse or neglect, and does not specifically limit disclosure to governmental agencies. Id. § 164.512(a). Further, in this case, an individual sought the disclosure of aggregate statistical information, not information concerning a specific victim of abuse. Therefore, subsection (c) is not implicated in this request. Accordingly, for all these reasons, we conclude that the Public Information Act is a statute requiring the disclosure of protected health information as described in section 164.512(a) of the Privacy Rule. The Confidentiality Exception Does not Apply The Department contends alternatively that, even if the Public Information Act qualifies as a statute requiring the release of protected health information, release of the requested information is improper. Specifically, the Department asserts that, because the Privacy Rule prohibits the disclosure of protected health information, protected health information is confidential under section 552.101 of the Public Information Act and, therefore, not subject to disclosure. See Tex. Gov’t Code Ann. § 552.101. Although the Privacy Rule does not explicitly state that protected health information is “confidential,” the Department argues that the fact that the information is not subject to disclosure renders it confidential. The Department also notes that the commentary to the Privacy Rule describes the importance of protecting “confidential” health information. Cf. In re City of Georgetown, 53 S.W.3d 328, 334 (Tex. 2001) (rules of civil procedure and evidence that prohibit disclosure of certain information made information “confidential”: “A law does not have to use the word ‘confidential’ to expressly impose confidentiality. . . . The rules expressly provide that certain 18 types of work product do not have to be disclosed, which means they are confidential.”); see 65 Fed. Reg. at 82463-64 (describing need to protect confidential health information); see also Tex. Health & Safety Code Ann. § 576.005 (West 2003) (“Records of a mental health facility that directly or indirectly identify a present, former, or proposed patient are confidential unless disclosure is permitted by other state law.”). Because the information requested was allegedly confidential, the Department argues that the manner in which it chose to release the information—namely releasing statewide statistics of allegations of abuse not broken down by individual facilities—was proper. The Department asserts that protected health information cannot be released without either (1) having a statistician determine that release of the information in question will not lead to the identification of individuals or (2) removing the eighteen identifiers listed in section 164.514(b)(1)(ii)(B) of the Privacy Rule, including the addresses of the facilities where the individuals were allegedly abused. See 45 C.F.R. § 164.514(b)(1)(ii)(B). In this case, the Department argues it chose to remove potential identifiers, including the names of facilities, before releasing the information. In support of its position, the Department compares the Public Information Act with the Freedom of Information Act, and refers to commentary in the preamble to the Privacy Rule specifically addressing the interaction between these two laws. Under subsection 552(a) of the Freedom of Information Act, governmental agencies are required to release public information. 5 U.S.C.A. § 552(a) (West 1996 & Supp. 2005). Like the Public Information Act, the Freedom of Information Act also lists exceptions to the general rule of disclosure. See id. § 552(b) (West 1996 & Supp. 2005). The sixth exception exempts from disclosure “personnel and medical files and 19 similar files[8] the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” Id. § 552(b)(6).9 The Privacy Rule’s commentary states that if a request seeks documents that include protected health information, the agency, when appropriate, must refuse the release of medical files or otherwise redact identifying details before disclosing the remaining information. 65 Fed. Reg. 82462, 82482; see also 5 U.S.C.A. § 552(b)(6). Finally, the commentary specifies, “We believe that generally a disclosure of protected health information, when requested under [the Freedom of Information Act], would come within . . . Exemption 6.” 65 Fed. Reg. at 82482. The Department contends that, like agencies receiving a request under the Freedom of Information Act, Texas 8 Although the Public Information Act contains a similar provision for personnel files, it does not specifically include “medical files and similar files” in this provision. See Tex. Gov’t Code 552.102 (West 2004). 9 The Department contends that the Freedom of Information Act is similar to the Public Information Act in its purpose and in the exceptions it applies to prevent disclosures. The Department refers to several cases in which the Supreme Court determined information was not subject to disclosure under the Freedom of Information Act as instructive in the determination of whether information is subject to disclosure under the Public Information Act. See United States Dep’t of State v. Washington Post Co., 456 U.S. 595 (1982); United States Dep’t of Def. v. Federal Labor Relations Auth., 510 U.S. 487 (1994); United States Dep’t of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749 (1989). However, none of the cases cited by the Department concern the type of information requested in this case: statistical information about alleged abuse that does not contain the names of any particular individual. See Washington Post Co., 456 U.S. at 596 (requesting documents regarding whether two Iranian nationals living in Iran were American citizens); Federal Labor Relations, 510 U.S. at 489 (requesting disclosure of names and home addresses of federal civil service employees from agencies employees worked for); Reporters Comm., 489 U.S. at 751 (third party requesting criminal identification records for individual from Federal Bureau of Investigation). Further, the type of information requested in this case reveals information concerning agency conduct and does not amount to the release of an individual’s record. 20 agencies must first determine if the information requested is confidential by law under the Privacy Rule and then redact any confidential information. The Department also asserts that the Attorney General’s interpretation of the interaction between the Privacy Rule and the Public Information Act would lead to unreasonable results. See C&H Nationwide, Inc. v. Thompson, 903 S.W.2d 315, 322 n.5 (Tex. 1994) (statutes should not be construed in manner that leads to absurd conclusions). It asserts that, under the Attorney General’s interpretation, anyone may request confidential health information from covered entities if they file a request under the Public Information Act, which would render meaningless the remaining exceptions allowing disclosure under section 164.512. Further, it urges that protected health information disclosed by a non-governmental covered entity to a governmental agency would be subject to disclosure under the Public Information Act despite the fact that the non-governmental entity would be prohibited from disclosing the information. In essence, the Department suggests that protected health information would lose the protection afforded by the Privacy Rule once it was disclosed to a governmental agency. We disagree with the Department’s interpretation of the interaction among HIPAA, the Privacy Rule, and the Public Information Act. The confusion in this case arises due to the cross references to other statutes found in both the Privacy Rule and the Public Information Act. Under the Department’s interpretation, governmental bodies contemplating disclosure under the Public Information Act are required to refer back to HIPAA and the Privacy Rule; it argues that, because HIPAA and the Privacy Rule prohibit the disclosure of protected health information, health information is considered confidential by law and, therefore, not subject to disclosure under the Act. However, we cannot adopt this circular logic. The Department’s interpretation would send us back 21 to the start of the analysis and would prevent the disclosure of all protected health information despite the Public Information Act’s default favoring disclosure of information. We conclude that covered entities faced with a request for disclosure involving potentially protected health information must examine the information in light of HIPAA and the Privacy Rule to determine if the information is protected health information that is generally not subject to disclosure. 42 U.S.C.A. § 1320d(6); 45 C.F.R. § 160.103. If the request does not involve protected health information, then HIPAA and the Privacy Rule do not prohibit disclosure of the information. If the request asks for information that is protected health information, then the agency must ascertain if any exception to non-disclosure in the Privacy Rule applies. If no exception applies, the agency may release the information if potential identifiers are redacted or if a statistician determines that release of the information cannot be used to identify any individual. 45 C.F.R. § 164.514. If an exception to non-disclosure does apply, the agency must release the information. For example, if the request is made under the authority of a statute that requires disclosure, then the exception found in section 164.512(a) applies, and the agency must disclose the information as long as the disclosure complies with all relevant requirements of the statute compelling disclosure. Id. § 164.512(a)(1). If a request for protected health information is made under the Public Information Act, then the exception to non-disclosure found in section 164.512(a) of the Privacy Rule applies, and the agency must determine whether the Act compels the disclosure or whether the information is excepted from disclosure under the Act. For example, if the information is considered confidential by judicial decision, statute, or the constitution, then the information is not subject to disclosure under the “confidential” exception to disclosure found in the Public Information Act. See Tex. Gov’t 22 Code Ann. § 552.101; see also Tex. Occ. Code Ann. § 159.002 (West 2004) (patient records and communications between patient and physician confidential). Our construction of the statutes properly balances the need for privacy under HIPAA and the Privacy Rule and the need for disclosure under the Public Information Act and correctly reconciles these two statutes. First, the overall purpose behind the Public Information Act is that information is presumed to be subject to disclosure unless an exception applies. See generally Tex. Gov’t Code Ann. § 552.001-.353. Second, the commentary to the Privacy Rule also supports this construction. The commentary specifies that if a conflict appears to exist because a previous statute or regulation requires a specific use or disclosure of protected health information that the rules below appear to prohibit, the use or disclosure pursuant to that statute or regulation would not be a violation of the privacy regulation because § 164.512(a) permits covered entities to use or disclose protected health information as required by law. 65 Fed. Reg. at 82482 (emphasis added). In discussing the interaction between the Privacy Rule and other laws, the commentary further states that “if a covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under § 614.512(a) to make these disclosures without a consent or authorization . . . .” Id. at 82591. In addition, in addressing concerns that were raised by the inclusion of section 164.512(a), the commentary provides that subsection (a) is intended “to preserve access to information considered important enough by state or federal authorities to require its disclosure by law” and that it is not appropriate for HHS “to reassess the legitimacy of or the need for each of these mandates . . . .” Id. at 82667. Finally, the commentary states that, given the variety of laws that might require disclosure of health information and the context in which they might arise, “we do not 23 believe that Congress intended to preempt each such law unless HHS specifically recognized the law or purpose in the regulation.” Id. Our construction comports with the policy of this State to disclose information regarding abuse and neglect at facilities caring for the mentally ill or mentally retarded. Cf. Tex. Health & Safety Code Ann. §§ 242.121-.135 (West 2001 & Supp. 2005); Capital Senior Mgmt. 1, Inc. v. Texas Dep’t of Human Servs., 132 S.W.3d 71, 79 (Tex. App.—Austin 2003, pet. filed);. It also is consistent with the public’s interest in having access to information about the operation of these facilities. See Capital Senior Mgmt. 1, 132 S.W.3d at 79. Additionally, our construction is supported by the decision reached by the Ohio Supreme Court in Daniels and by information posted on HHS’s website under its frequently asked questions section by the Office for Civil Rights, which is charged with enforcing the Privacy Rule. See 811 N.E.2d at 1187-88; 65 Fed. Reg. at 82472. In Daniels, the Ohio Supreme Court determined that a health department’s lead-contamination notices were subject to disclosure under section 164.512(a) of the Privacy Rule because the Ohio Public Records Act compels the disclosure of the information. 811 N.E.2d at 1186-88. The Ohio Supreme Court was faced with similar circular references: the Public Records Act requires disclosure unless disclosure is prohibited by federal law, and the Privacy Rule allows disclosure if it is required by other law, including state law. Id. at 1186- 87.10 Under the frequently asked questions section of the website, the Office of Civil Rights posted 10 The Department contends that this portion of the Ohio decision is inapplicable for several reasons. First, the Department contends this portion of the opinion is dicta because the Ohio Supreme Court had previously concluded that the information requested was not protected health information. See State ex. rel. Cincinnati Enquirer v. Daniels, 811 N.E.2d 1181, 1186 (Ohio 2006). However, even if we were to conclude that the alternative holding in this case is in fact dicta, we find the analysis provided in the opinion persuasive. 24 an answer describing the interaction between state public information laws and the Privacy Rule. The answer stated that if a state agency is a covered entity, the Privacy Rule applies to disclosures of protected health information. However, the answer also stated that the Privacy Rule permits a covered entity to disclose protected health information if mandated by law, provided that the disclosure complies with the requirements of the public information law. Accordingly, we conclude that the information requested in this case was subject to disclosure. Section 164.512(a) of the Privacy Rule permits disclosure of protected health information if required by law, as long as the disclosure comports with the requirements of that law. 45 C.F.R. § 164.512(a). The Public Information Act requires disclosure of public information unless an exception applies. See generally Tex. Gov’t Code Ann. §§ 552.001-.353. No exception to disclosure in the Public Information Act applies to the release of statistical information regarding abuse at individual government facilities. See id. §§ 552.101-.1425. The confidentiality exception listed in section 552.101 does not apply because no law renders the information confidential, and the Second, the Department contends that, unlike the Public Information Act, the Ohio Public Records Act does not contain a “confidential by law” exception to disclosure. However, we have already concluded that the “confidential” exception, without more, does not prevent disclosure of requested information simply because the Privacy Rule would prohibit disclosure. Finally, the Department argues that the Ohio Supreme Court made this decision without addressing the requirement that a covered entity, prior to releasing health information, either employ the services of a statistician to determine that the risk of identification is small or remove identifiers listed in the Privacy Rule. See 45 C.F.R. § 164.514(b) (2005). However, this argument ignores the portion of the Privacy Rule allowing disclosure of protected health information if it is required by law irrespective of whether a statistician concludes the information may safely be released or whether certain identifiers are removed. See id. § 164.512(a). 25 Department has not referred us to any case, and we have found none, holding that aggregate statistical information of the type requested in this case is confidential.11 Therefore, we conclude that disclosure of the information requested will comply with all relevant requirements of the Public Information Act, HIPAA, and the Privacy Rule. See 45 C.F.R. § 164.512(a). Accordingly, we sustain the Attorney General’s first issue on appeal. Preemption In their motion for summary judgment and on appeal, the Department contends that if the Public Information Act requires disclosure of the information in question, then the Privacy Rule preempts the Act. Specifically, it argues that if the Public Information Act mandates the release of protected health information, then covered entities cannot satisfy the directives of the Privacy Rule and the Act, and, therefore, the Privacy Rule must preempt the Act. In addition, it asserts that the Act is not specifically exempted from preemption by HIPAA, see 42 U.S.C.A. § 1320d-7(a) (West 2003) (listing types of statutes exempted from preemption and stating that HIPAA shall “supersede any contrary provision of State law”), nor is it one of the types of laws listed in the commentary to the Privacy Rule as a non-preempted statute. Further, it contends that no Texas official has petitioned the Secretary of HHS and requested that the Secretary exempt the Act from preemption. See 45 C.F.R. § 160.204 (allowing state official to ask Secretary of HHS to exempt portion of statute from preemption). 11 Our conclusion that the information requested in this case is not confidential under the Public Information Act is buttressed by the fact that the reporter was able to obtain the requested information from another agency, the Texas Department of Protective and Regulatory Services, which is not a covered entity under HIPAA. 26 With certain exceptions, section 160.203 of the Privacy Rule provides that if the Privacy Rule requires action contrary to an action mandated by a state law, then the state law is preempted. 45 C.F.R. § 160.203. Further, the Privacy Rule explains that a state law provision is “contrary” to the Privacy Rule if “[a] covered entity would find it impossible to comply with both the State and federal requirements” or “[t]he provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of” HIPAA. Id. § 160.202. However, we have previously concluded that the Privacy Rule allows the disclosure of the information in question under section 164.512(a). Because the Department can comply with both the Privacy Rule and with the Public Information Act, the Public Information Act is not preempted by the Privacy Rule. CONCLUSION Having sustained the Attorney General’s first issue on appeal and having concluded that the Public Information Act is not preempted, we reverse the judgment of the district court and render judgment that the information requested in this case is not confidential and is, therefore, subject to release under the Public Information Act. David Puryear, Justice Before Chief Justice Law, Justices Patterson and Puryear Justice Patterson Not Participating Reversed and Rendered Filed: August 30, 2006 27