Greg Abbott, Attorney General of the State of Texas v. Texas Department of Mental Health and Mental Retardation

TEXAS COURT OF APPEALS, THIRD DISTRICT, AT AUSTIN

NO. 03-04-00743-CV

Greg Abbott, Attorney General of the State of Texas, Appellant

v.

Texas Department of Mental Health and Mental Retardation, Appellee

FROM THE DISTRICT COURT OF TRAVIS COUNTY, 261ST JUDICIAL DISTRICT
NO. GV400344, HONORABLE PATRICK KEEL, JUDGE PRESIDING

OPINION

A reporter made a public information request to the Texas Department of Mental

Health and Mental Retardation (the “Department”)1 asking for statistical information regarding

allegations of abuse and subsequent investigations of abuse in state facilities and for the names of

the facilities in which the alleged incidents occurred. The Department believed that the information

could not be released because it was protected health information prohibited from disclosure by the

Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and asked the Attorney

General to provide an opinion as to whether the information could be released. See Pub. L. 104-191,

1
Effective September 1, 2004, the services provided by the Department were transferred to
different agencies. The mental health components of the Department were transferred to the
Department of State Health Services. The remaining services were transferred to the Department
of Aging and Disability Services. Act of June 2, 2003, 78th Leg., R.S., ch. 198, § 1.01, 2003 Tex.
Gen. Laws 611, 611. Because the distinction is not relevant in this appeal, we will refer to the
appellee as the Department.
110 Stat. 1936 (HIPAA codified in various sections of 8, 22, 26, 29 and 42 U.S.C.A.). The Attorney

General concluded that the information was subject to disclosure by the Public Information Act,

which requires the disclosure of public information in response to public requests. See Tex. Gov’t

Code Ann. §§ 552.001-.353 (West 2004 & Supp. 2005) (Public Information Act). The Department

contested the Attorney General’s opinion and filed suit in district court. The district court concluded

the information was confidential and not subject to disclosure. The Attorney General appeals the

decision of the district court. We will reverse the judgment of the district court.

BACKGROUND

The Department received a request for information under the Public Information Act

asking for statistics regarding alleged incidents of abuse and sexual assault occurring at facilities

operated by the Department. Specifically, the request asked for the following information

concerning the previous five years: (1) statistics regarding alleged incidents of sexual assault and

patient-client abuse at state hospitals and Department facilities; (2) statistics concerning any

subsequent investigation of the allegations; (3) the names of the facilities in which the incidents

allegedly occurred; (4) the dates the events allegedly occurred; and (5) the disposition of any

investigations. After receiving the request, the Department released a statistical report showing all

abuse allegations and subsequent investigations in Texas for fiscal years 1998 to 2003, but the report

did not provide information regarding individual facilities.

The Department requested that the Attorney General issue an opinion regarding

whether releasing the requested statistical information from individual facilities would violate

HIPAA and the federal rules implementing HIPAA—the Standards for Privacy of Individually

2
Identifiable Health Information (cumulatively, the “Privacy Rule”). See Tex. Gov’t Code Ann.

§ 552.301 (West 2004) (allowing governmental body seeking to withhold information from

disclosure to ask Attorney General whether information is excepted from disclosure); see Pub. L.

104-191, 110 Stat. 1936 (HIPAA); 45 C.F.R. pts. 160 & 164 (2005) (Privacy Rule).2 The

Department contended that, because the information concerns alleged sexual and other types of

abuse at various facilities and because the request asks for the names of the facilities where the

alleged incidents occurred, it is prohibited from disclosing the information because it is “individually

identifiable health information.”

The Attorney General issued a letter ruling stating that the information requested was

not excepted from the requirements of the Public Information Act and must be released. Tex. Att’y

Gen. LA-1451 (2004). The letter further concluded that requests for information made under the

Public Information Act fall under an exception to nondisclosure found in the Privacy Rule that

allows disclosure of health information if it is required by law and if the disclosure complies with

the requirements of the law in question. Id.; see 45 C.F.R. § 164.512(a). The letter also stated that,

although section 552.101 of the Public Information Act prohibits disclosure of information that is

considered confidential, the Privacy Rule does not render the information requested in this case

confidential, and it is, therefore, subject to disclosure. Tex. Att’y Gen. LA-1451; see Tex. Gov’t

Code Ann. § 552.101 (West 2004). In addition, the letter reasoned that, because the Privacy Rule

does not make the requested information confidential, the Department may not withhold the

information unless another exception to disclosure under the Public Information Act applies. Tex.

2
The Privacy Rule prohibits the disclosure of protected health information unless it falls
within an exception described in the Rule. See 45 C.F.R. pts. 160 & 164 (2005).

3
Att’y Gen. LA-1451. This letter ruling relied on a previous opinion released by the Attorney General

reaching similar conclusions. See Tex. Att’y Gen. ORD-681 (2004).

The Department filed suit challenging the opinion of the Attorney General. See Tex.

Gov’t Code Ann. § 552.324 (West 2004) (allowing governmental body to file suit contesting opinion

of Attorney General). The Department and the Attorney General filed cross motions for summary

judgment. In his motion for summary judgment, the Attorney General contended that the

information requested should be released under the Public Information Act. The Department, on the

other hand, argued that HIPAA and the Privacy Rule prohibit the release of the information or,

alternatively, that HIPAA and the Privacy Rule preempt the Public Information Act. The district

court granted the Department’s motion, concluding that the information requested was “confidential”

and, therefore, exempt from disclosure under the Public Information Act. The Attorney General

appeals both the denial of his motion for summary judgment and the granting of the Department’s

motion for summary judgment.

STATUTORY FRAMEWORK

Before addressing the merits of the parties’ arguments, a review of the statutory

framework governing this appeal is helpful. The first set of statutes at issue in this appeal is the

Public Information Act. See id. §§ 552.001-.353. The Act specifies that it is “the policy of this state

that each person is entitled, unless otherwise expressly provided by law, at all times to complete

information about the affairs of government.” Id. § 552.001(a) (West 2004). Further, the Act

provides that it “shall be liberally construed in favor of granting a request for information.” Id.

§ 552.001(b) (West 2004). Under the Act, “[p]ublic information is available to the public at a

4
minimum during the normal business hours of the governmental body.” Id. § 552.021 (West 2004).

In addition, the Act states:

This chapter does not authorize the withholding of public information or limit the
availability of public information to the public, except as expressly provided by this
chapter.

Id. § 552.006 (West 2004); see also id. §§ 552.002(a) (West 2004) (defining “public information”

as information collected, assembled, or maintained by governmental body), 552.003(1)(A) (West

2004) (defining “governmental body” to include department created by executive or legislative

branch), 552.101-.142 (providing exceptions to disclosure).

One exception to the general rule requiring disclosure provides that information

considered “to be confidential by law, either constitutional, statutory, or by judicial decision” is

excepted from disclosure. Id. § 552.101; see also id. § 552.352 (West 2004) (person who distributes

information considered confidential under Public Information Act is guilty of criminal offense).

Similarly, section 552.006 provides that nothing in the Act prohibits an agency from voluntarily

making its information available to the public unless the disclosure is “expressly prohibited by law

or the information is confidential under law.” Id. § 552.006.

The second area of law at issue in this appeal involves HIPAA and the Privacy Rule.

See Pub. L. 104-191, 110 Stat. 1936; 45 C.F.R. pts. 160 & 164. In 1996, Congress enacted HIPAA,

in part, to “improve the efficiency and effectiveness of the health care system by facilitating the

electronic exchange of information with respect to financial and administrative transactions carried

out by health plans, health care clearinghouses, and health care providers.” 67 Fed. Reg. 14776,

5
14776 (March 27, 2002). HIPAA authorized the U.S. Department of Health and Human Services

(“HHS”) to issue safeguards to protect the confidentiality and security of health information. Id.;

42 U.S.C.A. §§ 1320d-1(d), 1320d-2 (West 2003). HIPAA mandated that it was a federal offense

to disclose “individually identifiable health information,” see id. §§ 1320d-5, 1320d-6 (West 2003),

and authorized HHS to adopt standards for the electronic exchange of this type of information and

for the security and confidentiality of those exchanges, see id. § 1320d-2. HIPAA defines

“individually identifiable health information” as follows:

(6) Individually identifiable health information. The term “individually identifiable
health information” means any information, including demographic information
collected from an individual, that—

(A) is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and

(B) relates to the past, present, or future physical or mental health or condition
of an individual, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an individual,
and—

(i) identifies the individual; or

(ii) with respect to which there is a reasonable basis to believe that the
information can be used to identify the individual.

Id. § 1320d(6) (West 2003).

HHS, under the authority of HIPAA, promulgated the Privacy Rule under title 45 of

the Code of Federal Regulations. The commentary accompanying the Privacy Rule described the

rule as a “mandatory floor” for consumer protection that other government entities may exceed if

they choose. 65 Fed. Reg. 82462, 82471 (Dec. 28, 2000). The Privacy Rule prohibits a “covered

6
entity” from disclosing “protected health information” except as specifically permitted by the Rule.

45 C.F.R. § 164.502; see also id. §§ 164.506 (covered entities may disclose health information to

carry out treatment, payment, or health care operations or with individual’s consent), 164.508

(covered entity may not disclose protected health information without authorization). A “covered

entity” includes, among others, health care providers who transmit health information electronically

and health plans that either provide or pay for medical care. Id. § 160.103; see also 42 U.S.C.A.

§ 1320d(3), (5) (West 2003) (defining “health provider” and “health plan”). “Protected health

information” is defined as “individually identifiable health information . . . that is (i) transmitted by

electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other

form or media.” 45 C.F.R. § 160.103.

The Privacy Rule lists certain exceptions to the general rule that a covered entity may

not disclose protected health information. See id. § 164.502. One such exception allows a covered

entity to disclose health information if the information is “de-identified” before it is released. See

id. § 164.502(d); see also id. § 164.514(a) ( “[h]ealth information that does not identify an individual

and with respect to which there is no reasonable basis to believe that the information can be used to

identify an individual is not individually identifiable health information”). In an attempt to prevent

health information from being linked with individuals, HHS established standards for de-identifying

health information. See id. § 164.514; see also 67 Fed. Reg. at 14798-99. Section 164.514 specifies

that a covered entity may determine that health information is not individually identifiable and may

be disclosed if (1) a statistician determines that the risk is very slight that the information could be

used to identify an individual or (2) several specific identifiers, including geographic identifiers like

7
street addresses and zip codes, are removed from the information prior to disclosure. 45 C.F.R.

§ 164.514.

Another exception allows covered entities to “disclose protected health information

to the extent that such use or disclosure is required by law and the use or disclosure complies with

and is limited to the relevant requirements of such law.” Id. § 164.512(a)(1).3 The phrase “required

by law” is defined as “a mandate contained in law that compels an entity to make a use or disclosure

of protected health information and that is enforceable in a court of law” and includes “statutes or

regulations that require the production of information.” Id. § 164.103.

STANDARD OF REVIEW

Both parties filed cross-motions for summary judgment. Because the parties agreed

that the relevant facts in question are not in dispute, summary judgment was proper in this case. See

3
Subsection 164.512(a)(1) reads, in relevant part, as follows:

A covered entity may use or disclose protected health information without
the written authorization of the individual, as described in § 164.508, or the
opportunity for the individual to agree or object as described in § 164.510, in the
situations covered by this section, subject to the applicable requirements of this
section. When the covered entity is required by this section to inform the
individual of, or when the individual may agree to, a use or disclosure permitted
by this section, the covered entity's information and the individual’s agreement
may be given orally.

(a) Standard: Uses and disclosures required by law. (1) A covered entity may
use or disclose protected health information to the extent that such use or
disclosure is required by law and the use or disclosure complies with and is
limited to the relevant requirements of such law.

45 C.F.R. § 164.512(a)(1) (2005).

8
City of Garland v. Dallas Morning News, 22 S.W.3d 351, 356 (Tex. 2000). When a district court

grants one motion and denies the other, an appellate court should determine all questions presented

and render the judgment the district court should have rendered. Id. at 356.

In a Public Information Act case, courts must determine if the requested information

is subject to an exception to disclosure. Thomas v. Cornyn, 71 S.W.3d 473, 482 (Tex. App.—Austin

2002, no pet.). An agency has the burden of proving that an exception to disclosure under the Public

Information Act applies before it may withhold the requested information. Id. at 488. In making this

determination, we must construe HIPAA, the Privacy Rule, and the Public Information Act and

determine the interaction between these laws. Matters of statutory construction present legal

questions. City of Garland, 22 S.W.3d at 357. In construing statutes, our goal is to give effect to

the legislature’s intent. Texas Dep’t of Protective & Regulatory Servs. v. Mega Child Care, Inc., 145

S.W.3d 170, 176 (Tex. 2004). This determination begins with the wording of the statutes involved.

In re Bay Area Citizens Against Lawsuit Abuse, 982 S.W.2d 371, 380 (Tex. 1998). We must

interpret the statute as written. See In re Doe, 19 S.W.3d 346, 351 (Tex. 2000). Every word in a

statute is presumed to have been used for a purpose and every word excluded is presumed to have

been excluded for a purpose. Laidlaw Waste Sys., Inc. v. City of Wilmer, 904 S.W.2d 656, 659 (Tex.

1995).

DISCUSSION

Protected Health Information

Before addressing the claims made by the parties in this case, we first note that the

information requested in this case does not seem to fall into the definitions of “protected health

9
information” given in either HIPAA or the Privacy Rule. The request asked for allegations and

investigations of abuse at various governmental facilities. Statistical information regarding

allegations of abuse and subsequent investigations does not seem to relate to issues regarding

health or condition in general and certainly does not relate to the health or condition of an individual,

“the provision of health care to an individual, or the past, present, or future payment for the provision

of health care to an individual.” See 42 U.S.C.A. § 1320d(6) (emphasis added); 45 C.F.R.

§ 160.103.

This interpretation of the phrase “protected health information” is supported by the

decisions of other courts that have concluded that specific types of information could be disclosed

because they did not constitute protected health information under HIPAA or the Privacy Rule. In

State ex. rel. Cincinnati Enquirer v. Daniels, the Ohio Supreme Court determined that certain

information requested by the Cincinnati Enquirer did not constitute protected health information.

811 N.E.2d 1181, 1183, 1186 (Ohio 2006). The Enquirer asked the Cincinnati Health Department

to release copies of lead-contamination notices it had sent to the residences of children whose blood

tests had indicated elevated levels of lead. The Ohio Supreme Court concluded that the information

was subject to disclosure under the Ohio Public Records Act. The court further concluded that the

notices did not contain protected health information, noting that they did not provide the name, age,

birth date, social security number, telephone number, family information, or any other identifier

other than address and did not contain any specific details regarding any medical examination,

assessment, diagnosis, or treatment. Id. at 1185.

10
 A similar result was reached in Foley v. Samaritan Hospital, in which a New York

court concluded that the information sought through a discovery request did not constitute protected

health information. 11 Misc. 3d 1055A, *4 (Rensselaer County Feb. 3, 2006). The plaintiff in Foley

contended that the hospital’s negligent conduct resulted in the death of a patient. The plaintiff

wanted the hospital to release the names and addresses of the two other patients that were in the

same room as the deceased in order to obtain information from them. Id. at *2. The hospital refused

to disclose the information and argued that releasing the information would be a violation of HIPAA.

Id. The court concluded that disclosing the names and addresses in response to a discovery request

would not violate HIPAA because the disclosure would not reveal “individually identifiable health

information.” Id. at *4.

Although the information at issue in this case does not seem to be the type of

information that would constitute “protected health information,” neither party sufficiently addresses

this point in their briefs. Even though the Attorney General briefly mentions that he disagrees with

the Department’s characterization of the information as protected health information, he does not

cite to any authority for this proposition. Rather, the whole thrust of the Attorney General’s original

letter opinion, his motion for summary judgment, and his briefs seems to assume that the information

is protected health information that is subject to disclosure via an exception in the Privacy Rule.

Therefore, for the purposes of this case, we will assume that the information is protected health

information. See Mathis, 377 F. Supp. 2d at 645 (concluding that requested information was not

protected health information and that, even if it was protected health information, it was still subject

to disclosure); Daniels, 811 N.E.2d at 1186 (same).

11
Issues on Appeal

On appeal, the Attorney General contends that the Department is required to release

the information requested under the Public Information Act. The Attorney General does not contest

that HIPAA generally applies or the Department’s assertion that the Department is a “covered entity”

subject to the requirements of HIPAA and the Privacy Rule. However, he argues that the “required

by law” exception to nondisclosure in section 164.512(a) of the Privacy Rule applies in this case and

authorizes disclosure of the information requested. See 45 C.F.R. § 164.512(a). Specifically, he

asserts that the Public Information Act qualifies under section 164.512(a) as a law requiring the

disclosure of protected health information. In addition, he contends that nothing in the Public

Information Act prohibits the release of the requested information and that the disclosure would

comply with all the requirements listed in the Act. Therefore, he argues the information must be

disclosed. Finally, he avers that, contrary to the assertions of the Department, HIPAA and the

Privacy Rule do not preempt the Public Information Act and that a covered entity may satisfy all the

requirements of both sets of statutes.

The Department, on the other hand, argues that the Public Information Act is not a

statute requiring the disclosure of protected health information, and, therefore, subsection 164.512(a)

does not authorize the release of the information requested. Rather, the Department asserts that the

Act is a general statute dealing with public information, not protected health information.

Alternatively, the Department contends that, even if the Public Information Act qualifies under the

terms of section 164.512(a), the information was still not subject to disclosure because the Act does

not authorize the release of information deemed confidential by law. Specifically, the Department

12
argues that, because HIPAA and the Privacy Rule prohibit the disclosure of protected health

information, protected health information is confidential. Finally, the Department insists that if the

Act requires the disclosure of the information requested in this case, it is preempted by the Privacy

Rule. We will address these arguments in the order described.

The Public Information Act Compels Disclosure of the Information Requested

The Public Information Act Qualifies Under Section 164.512(a)

In support of its assertion that the Public Information Act does not qualify under

section 164.512(a) of the Privacy Rule, the Department notes that health information is not

mentioned in the definition of “public information” provided in the Act. See Tex. Gov’t Code Ann.

§ 552.002 (“‘public information’ means information that is collected, assembled, or maintained

under a law or ordinance or in connection with the transaction of official business: (1) by a

governmental body; or (2) for a governmental body and the governmental body owns the information

or has a right of access to it”). In addition, the Department refers to a portion of the commentary

accompanying the Privacy Rule discussing the inclusion of section 164.512(a) in the Privacy Rule.

See 65 Fed. Reg. at 82666-67. The commentary states that subsection 164.512(a) was a necessary

addition to the Privacy Rule to “harmonize the rule with existing state and federal laws mandating

uses and disclosures of protected health information” and lists various types of laws that might

require disclosure, including national security, public health, and law enforcement. The Department

notes that public information statutes were not specifically mentioned.

Further, the Department contends that the Public Information Act does not sufficiently

limit the individuals to whom information may be released, the manner in which the information may

13
be released, and the purpose for which the information may be released to qualify it as a statute

requiring the disclosure of protected health information. In support of this contention, the

Department refers to another section of the commentary to the Privacy Rule describing federal laws

requiring release of protected health information, which states “[m]any federal laws require covered

entities to provide specific information to specific entities in specific circumstances” and lists several

laws requiring disclosure. Id. at 82485. Further, the Department refers to statutes that it argues are

sufficiently specific to authorize the release of information under section 164.512(a).4

In further support of this assertion, the Department refers to the other exceptions to

non-disclosure listed in section 164.512, which generally deal with law enforcement and public

health concerns, and insists that these required-by-law disclosures are limited by the purpose for

which disclosures may be made, the entity to whom information may be disclosed, and by the

4
For example, the Department refers to the Developmental Disabilities Assistance and Bill
of Rights Act and the Protection and Advocacy for Mentally Ill Individuals Act as examples of
statutes that sufficiently limit the purpose for which disclosure may occur and limits the entities to
which the information may be released. See 42 U.S.C.A. §§ 10801-10851 (West 2005); id.
§§ 15001-15115 (West 2005). Both statutes require states to protect individuals with developmental
disabilities or mental illness by developing agencies that have the authority to investigate incidents
of abuse and neglect of individuals. Id. §§ 10803(2), 15043(a)(1), (a)(2)(B). As part of their
investigative powers, these agencies have the authority to access individuals’ records. Id.
§§ 10805(a)(4), 15043(a)(2)(I), (J).

The Department also refers to section 261.402 of the family code, which authorizes state
agencies to (1) notify law enforcement agencies of reports concerning abuse, neglect, and
exploitation of children in state-operated facilities and (2) compile and make available statistics on
incidences of abuse, neglect, and exploitation of children in state-run facilities. See Tex. Fam. Code
Ann. § 261.402 (West 2002). The Department contends that there is no comparable statute
mandating an agency to disclose information regarding abuse allegations of adults living in state-run
facilities, especially to non-law-enforcement entities, and insists that this supports its contention that
the type of information requested in this case is not subject to disclosure.

14
circumstances under which disclosures may be made. See 45 C.F.R. § 164.512(b)-(l).5 The

Department contends that the exception listed in subsection (a) should be interpreted in a similarly

narrow fashion: it should allow disclosure of “protected health information” only if another law

specifically requires the disclosure of this type of information.

Because the information requested involves allegations of abuse and neglect, the

Department also asserts that a determination of whether the information can be released must be

construed in light of section 164.512(c) of the Privacy Rule. Section 164.512(c) allows a covered

entity to disclose to governmental authorities information concerning an individual the covered entity

believes to be the victim of abuse and neglect. 45 C.F.R. § 164.512(c). The Department contends

that release of the information requested to a reporter would be a violation of this subsection.

We disagree with the Department’s assertion that the Public Information Act does not

qualify under section 164.512(a). Nothing in the definition of “public information” expressly

exempts health information. See Tex. Gov’t Code Ann. § 552.002. Further, due to the Act’s

emphasis on providing information on governmental activities to citizens, public information

requests made to agencies providing health care services may in certain cases involve the disclosure

5
The remaining exceptions cited by the Department allow the release of protected health
information (1) to public health authorities authorized to receive that type of information; (2) to law
enforcement authorities authorized to receive reports of abuse, neglect, or domestic violence; (3) to
health oversight agencies; (4) to courts or administrative agencies in response to an order or
subpoena; (5) to law enforcement agencies if a law requires the reporting of certain types of injuries,
if a court or administrative agency orders it, or if used for identifying or locating a suspect; (6) to
coroners and medical examiners to identify deceased individuals; (7) to organ procurement
organizations for the purpose of facilitating transplants; (8) for research purposes; (9) to avert serious
health threats to individuals or the public; and (10) to military authorities if they deem it necessary
to assure the execution of a military mission. 45 C.F.R. § 164.512(b)-(l) (2005).

15
of health information. See id. § 552.001. Although the Act allows for disclosure of information to

a greater number of individuals and for less specific reasons than the statutes referred to by the

Department, this does not necessarily remove public information statutes from consideration under

section 164.512 of the Privacy Rule. There is nothing in the language of the Privacy Rule or HIPAA

that limits the application of subsection 164.512(a) to statutes authorizing the disclosure of

specifically enumerated types of health information.

Although the Privacy Rule’s commentary listing types of statutes that might require

disclosure of protected health information does not specifically include public information statutes,

there is no indication that the list is exhaustive. See 65 Fed. Reg. at 82666-67. Rather, the language

specifies that the types of federal and state statutes requiring disclosure by law occur in a myriad of

contexts. The commentary merely provides a range of possible areas of the law that might require

disclosure.

Further, in a separate section, the commentary describes the interaction between the

Privacy Rule and the federal counterpart to the Public Information Act—the Freedom of Information

Act. This section indicates that public information statutes are statutes that might result in the

disclosure of protected health information and provides that disclosures under the Freedom of

Information Act fall under section 164.512(a) of the Privacy Rule if the disclosures meet the relevant

requirements of the Act. Id. at 82482. The commentary further states that if an agency receives a

request for protected health information, the agency must first determine whether the Act requires

the disclosure or if an exemption applies, in which case the agency may redact the protected

information. Id. The commentary makes it clear that when determining whether to release protected

16
health information in response to a Freedom of Information Act request, an agency must look to the

limits and exemptions in the Act, not to the Privacy Rule.

We disagree with the Department’s contention that releasing information under

subsection 164.512(a) in response to a public information request would violate subsection

164.512(c). See 45 C.F.R. § 164.512(a), (c). These two subsections provide alternative methods in

which protected health information may be disclosed and apply in different contexts. Subsection (c)

authorizes covered entities to release protected health information about an individual the entity

believes is the victim of abuse or neglect to governmental entities that are specifically authorized by

law to receive that type of information, such as protective service agencies. Id. § 164.512(c).

Subsection (a), on the other hand, authorizes the release of protected health information if it is

required by any type of law, not just laws concerning suspected victims of abuse or neglect, and does

not specifically limit disclosure to governmental agencies. Id. § 164.512(a). Further, in this case,

an individual sought the disclosure of aggregate statistical information, not information concerning

a specific victim of abuse. Therefore, subsection (c) is not implicated in this request.

Accordingly, for all these reasons, we conclude that the Public Information Act is a

statute requiring the disclosure of protected health information as described in section 164.512(a)

of the Privacy Rule.

The Confidentiality Exception Does not Apply

The Department contends alternatively that, even if the Public Information Act

qualifies as a statute requiring the release of protected health information, release of the requested

information is improper. Specifically, the Department asserts that, because the Privacy Rule

17
prohibits the disclosure of protected health information, protected health information is confidential

under section 552.101 of the Public Information Act and, therefore, not subject to disclosure. See

Tex. Gov’t Code Ann. § 552.101. Although the Privacy Rule does not explicitly state that protected

health information is “confidential,” the Department argues that the fact that the information is not

subject to disclosure renders it confidential. The Department also notes that the commentary to the

Privacy Rule describes the importance of protecting “confidential” health information. Cf. In re City

of Georgetown, 53 S.W.3d 328, 334 (Tex. 2001) (rules of civil procedure and evidence that prohibit

disclosure of certain information made information “confidential”: “A law does not have to use the

word ‘confidential’ to expressly impose confidentiality. . . . The rules expressly provide that certain

types of work product do not have to be disclosed, which means they are confidential.”); see 65 Fed.

Reg. at 82463-64 (describing need to protect confidential health information); see also Tex. Health

& Safety Code Ann. § 576.005 (West 2003) (“Records of a mental health facility that directly or

indirectly identify a present, former, or proposed patient are confidential unless disclosure is

permitted by other state law.”).

Because the information requested was allegedly confidential, the Department argues

that the manner in which it chose to release the information—namely releasing statewide statistics

of allegations of abuse not broken down by individual facilities—was proper. The Department

asserts that protected health information cannot be released without either (1) having a statistician

determine that release of the information in question will not lead to the identification of individuals

or (2) removing the eighteen identifiers listed in section 164.514(b)(1)(ii)(B) of the Privacy Rule,

including the addresses of the facilities where the individuals were allegedly abused. See 45 C.F.R.

18
§ 164.514(b)(1)(ii)(B). In this case, the Department argues it chose to remove potential identifiers,

including the names of facilities, before releasing the information.

In support of its position, the Department compares the Public Information Act with

the Freedom of Information Act, and refers to commentary in the preamble to the Privacy Rule

specifically addressing the interaction between these two laws. Under subsection 552(a) of the

Freedom of Information Act, governmental agencies are required to release public information. 5

U.S.C.A. § 552(a) (West 1996 & Supp. 2005). Like the Public Information Act, the Freedom of

Information Act also lists exceptions to the general rule of disclosure. See id. § 552(b) (West 1996

& Supp. 2005). The sixth exception exempts from disclosure “personnel and medical files and

similar files[6] the disclosure of which would constitute a clearly unwarranted invasion of personal

privacy.” Id. § 552(b)(6).7

6
Although the Public Information Act contains a similar provision for personnel files, it does
not specifically include “medical files and similar files” in this provision. See Tex. Gov’t Code
552.102 (West 2004).
7
The Department contends that the Freedom of Information Act is similar to the Public
Information Act in its purpose and in the exceptions it applies to prevent disclosures. The
Department refers to several cases in which the Supreme Court determined information was not
subject to disclosure under the Freedom of Information Act as instructive in the determination of
whether information is subject to disclosure under the Public Information Act. See United States
Dep’t of State v. Washington Post Co., 456 U.S. 595 (1982); United States Dep’t of Def. v. Federal
Labor Relations Auth., 510 U.S. 487 (1994); United States Dep’t of Justice v. Reporters Comm. for
Freedom of Press, 489 U.S. 749 (1989).

However, none of the cases cited by the Department concern the type of information
requested in this case: statistical information about alleged abuse that does not contain the names of
any particular individual. See Washington Post Co., 456 U.S. at 596 (requesting documents
regarding whether two Iranian nationals living in Iran were American citizens); Federal Labor
Relations, 510 U.S. at 489 (requesting disclosure of names and home addresses of federal civil
service employees from agencies employees worked for); Reporters Comm., 489 U.S. at 751 (third
party requesting criminal identification records for individual from Federal Bureau of Investigation).

19
 The Privacy Rule’s commentary states that if a request seeks documents that include

protected health information, the agency, when appropriate, must refuse the release of medical files

or otherwise redact identifying details before disclosing the remaining information. 65 Fed. Reg.

82462, 82482; see also 5 U.S.C.A. § 552(b)(6). Finally, the commentary specifies, “We believe that

generally a disclosure of protected health information, when requested under [the Freedom of

Information Act], would come within . . . Exemption 6.” 65 Fed. Reg. at 82482. The Department

contends that, like agencies receiving a request under the Freedom of Information Act, Texas

agencies must first determine if the information requested is confidential by law under the Privacy

Rule and then redact any confidential information.

The Department also asserts that the Attorney General’s interpretation of the

interaction between the Privacy Rule and the Public Information Act would lead to unreasonable

results. See C&H Nationwide, Inc. v. Thompson, 903 S.W.2d 315, 322 n.5 (Tex. 1994) (statutes

should not be construed in manner that leads to absurd conclusions). It asserts that, under the

Attorney General’s interpretation, anyone may request confidential health information from covered

entities if they file a request under the Public Information Act, which would render meaningless the

remaining exceptions allowing disclosure under section 164.512. Further, it urges that protected

health information disclosed by a non-governmental covered entity to a governmental agency would

be subject to disclosure under the Public Information Act despite the fact that the non-governmental

entity would be prohibited from disclosing the information. In essence, the Department suggests that

Further, the type of information requested in this case reveals information concerning agency
conduct and does not amount to the release of an individual’s record.

20
protected health information would lose the protection afforded by the Privacy Rule once it was

disclosed to a governmental agency.

We disagree with the Department’s interpretation of the interaction among HIPAA,

the Privacy Rule, and the Public Information Act. The confusion in this case arises due to the cross

references to other statutes found in both the Privacy Rule and the Public Information Act. Under

the Department’s interpretation, governmental bodies contemplating disclosure under the Public

Information Act are required to refer back to HIPAA and the Privacy Rule; it argues that, because

HIPAA and the Privacy Rule prohibit the disclosure of protected health information, health

information is considered confidential by law and, therefore, not subject to disclosure under the Act.

However, we cannot adopt this circular logic. The Department’s interpretation would send us back

to the start of the analysis and would prevent the disclosure of all protected health information

despite the Public Information Act’s default favoring disclosure of information.

We conclude that covered entities faced with a request for disclosure involving

potentially protected health information must examine the information in light of HIPAA and the

Privacy Rule to determine if the information is protected health information that is generally not

subject to disclosure. 42 U.S.C.A. § 1320d(6); 45 C.F.R. § 160.103. If the request does not involve

protected health information, then HIPAA and the Privacy Rule do not prohibit disclosure of the

information. If the request asks for information that is protected health information, then the agency

must ascertain if any exception to non-disclosure in the Privacy Rule applies. If no exception

applies, the agency may release the information if potential identifiers are redacted or if a statistician

determines that release of the information cannot be used to identify any individual. 45 C.F.R.

§ 164.514. If an exception to non-disclosure does apply, the agency must release the information.

21
For example, if the request is made under the authority of a statute that requires disclosure, then the

exception found in section 164.512(a) applies, and the agency must disclose the information as long

as the disclosure complies with all relevant requirements of the statute compelling disclosure. Id.

§ 164.512(a)(1).

If a request for protected health information is made under the Public Information

Act, then the exception to non-disclosure found in section 164.512(a) of the Privacy Rule applies,

and the agency must determine whether the Act compels the disclosure or whether the information

is excepted from disclosure under the Act. For example, if the information is considered confidential

by judicial decision, statute, or the constitution, then the information is not subject to disclosure

under the “confidential” exception to disclosure found in the Public Information Act. See Tex. Gov’t

Code Ann. § 552.101; see also Tex. Occ. Code Ann. § 159.002 (West 2004) (patient records and

communications between patient and physician confidential).

Our construction of the statutes properly balances the need for privacy under HIPAA

and the Privacy Rule and the need for disclosure under the Public Information Act and correctly

reconciles these two statutes. First, the overall purpose behind the Public Information Act is that

information is presumed to be subject to disclosure unless an exception applies. See generally Tex.

Gov’t Code Ann. § 552.001-.353. Second, the commentary to the Privacy Rule also supports this

construction. The commentary specifies that

if a conflict appears to exist because a previous statute or regulation requires a
specific use or disclosure of protected health information that the rules below
appear to prohibit, the use or disclosure pursuant to that statute or regulation
would not be a violation of the privacy regulation because § 164.512(a) permits
covered entities to use or disclose protected health information as required by
law.

22
65 Fed. Reg. at 82482 (emphasis added). In discussing the interaction between the Privacy Rule and

other laws, the commentary further states that “if a covered entity is required to disclose protected

health information pursuant to a specific statutory or regulatory scheme, the covered entity generally

will be permitted under § 614.512(a) to make these disclosures without a consent or authorization

. . . .” Id. at 82591. In addition, in addressing concerns that were raised by the inclusion of section

164.512(a), the commentary provides that subsection (a) is intended “to preserve access to

information considered important enough by state or federal authorities to require its disclosure by

law” and that it is not appropriate for HHS “to reassess the legitimacy of or the need for each of these

mandates . . . .” Id. at 82667. Finally, the commentary states that, given the variety of laws that

might require disclosure of health information and the context in which they might arise, “we do not

believe that Congress intended to preempt each such law unless HHS specifically recognized the law

or purpose in the regulation.” Id.

Our construction comports with the policy of this State to disclose information

regarding abuse and neglect at facilities caring for the mentally ill or mentally retarded. Cf. Tex.

Health & Safety Code Ann. §§ 242.121-.135 (West 2001 & Supp. 2005); Capital Senior Mgmt. 1,

Inc. v. Texas Dep’t of Human Servs., 132 S.W.3d 71, 79 (Tex. App.—Austin 2003, pet. filed);. It

also is consistent with the public’s interest in having access to information about the operation of

these facilities. See Capital Senior Mgmt. 1, 132 S.W.3d at 79.

Additionally, our construction is supported by the decision reached by the Ohio

Supreme Court in Daniels and by information posted on HHS’s website under its frequently asked

questions section by the Office for Civil Rights, which is charged with enforcing the Privacy Rule.

See 811 N.E.2d at 1187-88; 65 Fed. Reg. at 82472. In Daniels, the Ohio Supreme Court determined

23
that a health department’s lead-contamination notices were subject to disclosure under section

164.512(a) of the Privacy Rule because the Ohio Public Records Act compels the disclosure of the

information. 811 N.E.2d at 1186-88. The Ohio Supreme Court was faced with similar circular

references: the Public Records Act requires disclosure unless disclosure is prohibited by federal law,

and the Privacy Rule allows disclosure if it is required by other law, including state law. Id. at 1186-

87.8 Under the frequently asked questions section of the website, the Office of Civil Rights posted

an answer describing the interaction between state public information laws and the Privacy Rule.

The answer stated that if a state agency is a covered entity, the Privacy Rule applies to disclosures

of protected health information. However, the answer also stated that the Privacy Rule permits a

covered entity to disclose protected health information if mandated by law, provided that the

disclosure complies with the requirements of the public information law.

8
The Department contends that this portion of the Ohio decision is inapplicable for several
reasons. First, the Department contends this portion of the opinion is dicta because the Ohio
Supreme Court had previously concluded that the information requested was not protected health
information. See State ex. rel. Cincinnati Enquirer v. Daniels, 811 N.E.2d 1181, 1186 (Ohio 2006).
However, even if we were to conclude that the alternative holding in this case is in fact dicta, we find
the analysis provided in the opinion persuasive.

Second, the Department contends that, unlike the Public Information Act, the Ohio Public
Records Act does not contain a “confidential by law” exception to disclosure. However, we have
already concluded that the “confidential” exception, without more, does not prevent disclosure of
requested information simply because the Privacy Rule would prohibit disclosure. Finally, the
Department argues that the Ohio Supreme Court made this decision without addressing the
requirement that a covered entity, prior to releasing health information, either employ the services
of a statistician to determine that the risk of identification is small or remove identifiers listed in the
Privacy Rule. See 45 C.F.R. § 164.514(b) (2005). However, this argument ignores the portion of
the Privacy Rule allowing disclosure of protected health information if it is required by law
irrespective of whether a statistician concludes the information may safely be released or whether
certain identifiers are removed. See id. § 164.512(a).

24
 Accordingly, we conclude that the information requested in this case was subject to

disclosure. Section 164.512(a) of the Privacy Rule permits disclosure of protected health

information if required by law, as long as the disclosure comports with the requirements of that law.

45 C.F.R. § 164.512(a). The Public Information Act requires disclosure of public information unless

an exception applies. See generally Tex. Gov’t Code Ann. §§ 552.001-.353. No exception to

disclosure in the Public Information Act applies to the release of statistical information regarding

abuse at individual government facilities. See id. §§ 552.101-.1425. The confidentiality exception

listed in section 552.101 does not apply because no law renders the information confidential, and the

Department has not referred us to any case, and we have found none, holding that aggregate

statistical information of the type requested in this case is confidential.9

Therefore, we conclude that disclosure of the information requested will comply with

all relevant requirements of the Public Information Act, HIPAA, and the Privacy Rule. See 45

C.F.R. § 164.512(a). Accordingly, we sustain the Attorney General’s first issue on appeal.

Preemption

In their motion for summary judgment and on appeal, the Department contends that

if the Public Information Act requires disclosure of the information in question, then the Privacy

Rule preempts the Act. Specifically, it argues that if the Public Information Act mandates the release

of protected health information, then covered entities cannot satisfy the directives of the Privacy Rule

9
Our conclusion that the information requested in this case is not confidential under the
Public Information Act is buttressed by the fact that the reporter was able to obtain the requested
information from another agency, the Texas Department of Protective and Regulatory Services,
which is not a covered entity under HIPAA.

25
and the Act, and, therefore, the Privacy Rule must preempt the Act. In addition, it asserts that the

Act is not specifically exempted from preemption by HIPAA, see 42 U.S.C.A. § 1320d-7(a) (West

2003) (listing types of statutes exempted from preemption and stating that HIPAA shall “supersede

any contrary provision of State law”), nor is it one of the types of laws listed in the commentary to

the Privacy Rule as a non-preempted statute. Further, it contends that no Texas official has

petitioned the Secretary of HHS and requested that the Secretary exempt the Act from preemption.

See 45 C.F.R. § 160.204 (allowing state official to ask Secretary of HHS to exempt portion of statute

from preemption).

With certain exceptions, section 160.203 of the Privacy Rule provides that if the

Privacy Rule requires action contrary to an action mandated by a state law, then the state law is

preempted. 45 C.F.R. § 160.203. Further, the Privacy Rule explains that a state law provision is

“contrary” to the Privacy Rule if “[a] covered entity would find it impossible to comply with both

the State and federal requirements” or “[t]he provision of State law stands as an obstacle to the

accomplishment and execution of the full purposes and objectives of” HIPAA. Id. § 160.202.

However, we have previously concluded that the Privacy Rule allows the disclosure

of the information in question under section 164.512(a). Because the Department can comply with

both the Privacy Rule and with the Public Information Act, the Public Information Act is not

preempted by the Privacy Rule.

CONCLUSION

Having sustained the Attorney General’s first issue on appeal and having concluded

that the Public Information Act is not preempted, we reverse the judgment of the district court and

26
render judgment that the information requested in this case is not confidential and is, therefore,

subject to release under the Public Information Act.

David Puryear, Justice

Before Chief Justice Law, Justices Patterson and Puryear

Reversed and Rendered

Filed: June 16, 2006

27