TEXAS COURT OF APPEALS, THIRD DISTRICT, AT AUSTIN
NO. 03-04-00743-CV
Greg Abbott, Attorney General of the State of Texas, Appellant
v.
Texas Department of Mental Health and Mental Retardation, Appellee
FROM THE DISTRICT COURT OF TRAVIS COUNTY, 261ST JUDICIAL DISTRICT
NO. GV400344, HONORABLE PATRICK KEEL, JUDGE PRESIDING
OPINION
A reporter made a public information request to the Texas Department of Mental
Health and Mental Retardation (the “Department”)1 asking for statistical information regarding
allegations of abuse and subsequent investigations of abuse in state facilities and for the names of
the facilities in which the alleged incidents occurred. The Department believed that the information
could not be released because it was protected health information prohibited from disclosure by the
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and asked the Attorney
General to provide an opinion as to whether the information could be released. See Pub. L. 104-191,
1
Effective September 1, 2004, the services provided by the Department were transferred to
different agencies. The mental health components of the Department were transferred to the
Department of State Health Services. The remaining services were transferred to the Department
of Aging and Disability Services. Act of June 2, 2003, 78th Leg., R.S., ch. 198, § 1.01, 2003 Tex.
Gen. Laws 611, 611. Because the distinction is not relevant in this appeal, we will refer to the
appellee as the Department.
110 Stat. 1936 (HIPAA codified in various sections of 8, 22, 26, 29 and 42 U.S.C.A.). The Attorney
General concluded that the information was subject to disclosure by the Public Information Act,
which requires the disclosure of public information in response to public requests. See Tex. Gov’t
Code Ann. §§ 552.001-.353 (West 2004 & Supp. 2005) (Public Information Act). The Department
contested the Attorney General’s opinion and filed suit in district court. The district court concluded
the information was confidential and not subject to disclosure. The Attorney General appeals the
decision of the district court. We will reverse the judgment of the district court.
BACKGROUND
The Department received a request for information under the Public Information Act
asking for statistics regarding alleged incidents of abuse and sexual assault occurring at facilities
operated by the Department. Specifically, the request asked for the following information
concerning the previous five years: (1) statistics regarding alleged incidents of sexual assault and
patient-client abuse at state hospitals and Department facilities; (2) statistics concerning any
subsequent investigation of the allegations; (3) the names of the facilities in which the incidents
allegedly occurred; (4) the dates the events allegedly occurred; and (5) the disposition of any
investigations. After receiving the request, the Department released a statistical report showing all
abuse allegations and subsequent investigations in Texas for fiscal years 1998 to 2003, but the report
did not provide information regarding individual facilities.
The Department requested that the Attorney General issue an opinion regarding
whether releasing the requested statistical information from individual facilities would violate
HIPAA and the federal rules implementing HIPAA—the Standards for Privacy of Individually
2
Identifiable Health Information (cumulatively, the “Privacy Rule”). See Tex. Gov’t Code Ann.
§ 552.301 (West 2004) (allowing governmental body seeking to withhold information from
disclosure to ask Attorney General whether information is excepted from disclosure); see Pub. L.
104-191, 110 Stat. 1936 (HIPAA); 45 C.F.R. pts. 160 & 164 (2005) (Privacy Rule).2 The
Department contended that, because the information concerns alleged sexual and other types of
abuse at various facilities and because the request asks for the names of the facilities where the
alleged incidents occurred, it is prohibited from disclosing the information because it is “individually
identifiable health information.”
The Attorney General issued a letter ruling stating that the information requested was
not excepted from the requirements of the Public Information Act and must be released. Tex. Att’y
Gen. LA-1451 (2004). The letter further concluded that requests for information made under the
Public Information Act fall under an exception to nondisclosure found in the Privacy Rule that
allows disclosure of health information if it is required by law and if the disclosure complies with
the requirements of the law in question. Id.; see 45 C.F.R. § 164.512(a). The letter also stated that,
although section 552.101 of the Public Information Act prohibits disclosure of information that is
considered confidential, the Privacy Rule does not render the information requested in this case
confidential, and it is, therefore, subject to disclosure. Tex. Att’y Gen. LA-1451; see Tex. Gov’t
Code Ann. § 552.101 (West 2004). In addition, the letter reasoned that, because the Privacy Rule
does not make the requested information confidential, the Department may not withhold the
information unless another exception to disclosure under the Public Information Act applies. Tex.
2
The Privacy Rule prohibits the disclosure of protected health information unless it falls
within an exception described in the Rule. See 45 C.F.R. pts. 160 & 164 (2005).
3
Att’y Gen. LA-1451. This letter ruling relied on a previous opinion released by the Attorney General
reaching similar conclusions. See Tex. Att’y Gen. ORD-681 (2004).
The Department filed suit challenging the opinion of the Attorney General. See Tex.
Gov’t Code Ann. § 552.324 (West 2004) (allowing governmental body to file suit contesting opinion
of Attorney General). The Department and the Attorney General filed cross motions for summary
judgment. In his motion for summary judgment, the Attorney General contended that the
information requested should be released under the Public Information Act. The Department, on the
other hand, argued that HIPAA and the Privacy Rule prohibit the release of the information or,
alternatively, that HIPAA and the Privacy Rule preempt the Public Information Act. The district
court granted the Department’s motion, concluding that the information requested was “confidential”
and, therefore, exempt from disclosure under the Public Information Act. The Attorney General
appeals both the denial of his motion for summary judgment and the granting of the Department’s
motion for summary judgment.
STATUTORY FRAMEWORK
Before addressing the merits of the parties’ arguments, a review of the statutory
framework governing this appeal is helpful. The first set of statutes at issue in this appeal is the
Public Information Act. See id. §§ 552.001-.353. The Act specifies that it is “the policy of this state
that each person is entitled, unless otherwise expressly provided by law, at all times to complete
information about the affairs of government.” Id. § 552.001(a) (West 2004). Further, the Act
provides that it “shall be liberally construed in favor of granting a request for information.” Id.
§ 552.001(b) (West 2004). Under the Act, “[p]ublic information is available to the public at a
4
minimum during the normal business hours of the governmental body.” Id. § 552.021 (West 2004).
In addition, the Act states:
This chapter does not authorize the withholding of public information or limit the
availability of public information to the public, except as expressly provided by this
chapter.
Id. § 552.006 (West 2004); see also id. §§ 552.002(a) (West 2004) (defining “public information”
as information collected, assembled, or maintained by governmental body), 552.003(1)(A) (West
2004) (defining “governmental body” to include department created by executive or legislative
branch), 552.101-.142 (providing exceptions to disclosure).
One exception to the general rule requiring disclosure provides that information
considered “to be confidential by law, either constitutional, statutory, or by judicial decision” is
excepted from disclosure. Id. § 552.101; see also id. § 552.352 (West 2004) (person who distributes
information considered confidential under Public Information Act is guilty of criminal offense).
Similarly, section 552.006 provides that nothing in the Act prohibits an agency from voluntarily
making its information available to the public unless the disclosure is “expressly prohibited by law
or the information is confidential under law.” Id. § 552.006.
The second area of law at issue in this appeal involves HIPAA and the Privacy Rule.
See Pub. L. 104-191, 110 Stat. 1936; 45 C.F.R. pts. 160 & 164. In 1996, Congress enacted HIPAA,
in part, to “improve the efficiency and effectiveness of the health care system by facilitating the
electronic exchange of information with respect to financial and administrative transactions carried
out by health plans, health care clearinghouses, and health care providers.” 67 Fed. Reg. 14776,
5
14776 (March 27, 2002). HIPAA authorized the U.S. Department of Health and Human Services
(“HHS”) to issue safeguards to protect the confidentiality and security of health information. Id.;
42 U.S.C.A. §§ 1320d-1(d), 1320d-2 (West 2003). HIPAA mandated that it was a federal offense
to disclose “individually identifiable health information,” see id. §§ 1320d-5, 1320d-6 (West 2003),
and authorized HHS to adopt standards for the electronic exchange of this type of information and
for the security and confidentiality of those exchanges, see id. § 1320d-2. HIPAA defines
“individually identifiable health information” as follows:
(6) Individually identifiable health information. The term “individually identifiable
health information” means any information, including demographic information
collected from an individual, that—
(A) is created or received by a health care provider, health plan, employer, or
health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition
of an individual, the provision of health care to an individual, or the past,
present, or future payment for the provision of health care to an individual,
and—
(i) identifies the individual; or
(ii) with respect to which there is a reasonable basis to believe that the
information can be used to identify the individual.
Id. § 1320d(6) (West 2003).
HHS, under the authority of HIPAA, promulgated the Privacy Rule under title 45 of
the Code of Federal Regulations. The commentary accompanying the Privacy Rule described the
rule as a “mandatory floor” for consumer protection that other government entities may exceed if
they choose. 65 Fed. Reg. 82462, 82471 (Dec. 28, 2000). The Privacy Rule prohibits a “covered
6
entity” from disclosing “protected health information” except as specifically permitted by the Rule.
45 C.F.R. § 164.502; see also id. §§ 164.506 (covered entities may disclose health information to
carry out treatment, payment, or health care operations or with individual’s consent), 164.508
(covered entity may not disclose protected health information without authorization). A “covered
entity” includes, among others, health care providers who transmit health information electronically
and health plans that either provide or pay for medical care. Id. § 160.103; see also 42 U.S.C.A.
§ 1320d(3), (5) (West 2003) (defining “health provider” and “health plan”). “Protected health
information” is defined as “individually identifiable health information . . . that is (i) transmitted by
electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other
form or media.” 45 C.F.R. § 160.103.
The Privacy Rule lists certain exceptions to the general rule that a covered entity may
not disclose protected health information. See id. § 164.502. One such exception allows a covered
entity to disclose health information if the information is “de-identified” before it is released. See
id. § 164.502(d); see also id. § 164.514(a) ( “[h]ealth information that does not identify an individual
and with respect to which there is no reasonable basis to believe that the information can be used to
identify an individual is not individually identifiable health information”). In an attempt to prevent
health information from being linked with individuals, HHS established standards for de-identifying
health information. See id. § 164.514; see also 67 Fed. Reg. at 14798-99. Section 164.514 specifies
that a covered entity may determine that health information is not individually identifiable and may
be disclosed if (1) a statistician determines that the risk is very slight that the information could be
used to identify an individual or (2) several specific identifiers, including geographic identifiers like
7
street addresses and zip codes, are removed from the information prior to disclosure. 45 C.F.R.
§ 164.514.
Another exception allows covered entities to “disclose protected health information
to the extent that such use or disclosure is required by law and the use or disclosure complies with
and is limited to the relevant requirements of such law.” Id. § 164.512(a)(1).3 The phrase “required
by law” is defined as “a mandate contained in law that compels an entity to make a use or disclosure
of protected health information and that is enforceable in a court of law” and includes “statutes or
regulations that require the production of information.” Id. § 164.103.
STANDARD OF REVIEW
Both parties filed cross-motions for summary judgment. Because the parties agreed
that the relevant facts in question are not in dispute, summary judgment was proper in this case. See
3
Subsection 164.512(a)(1) reads, in relevant part, as follows:
A covered entity may use or disclose protected health information without
the written authorization of the individual, as described in § 164.508, or the
opportunity for the individual to agree or object as described in § 164.510, in the
situations covered by this section, subject to the applicable requirements of this
section. When the covered entity is required by this section to inform the
individual of, or when the individual may agree to, a use or disclosure permitted
by this section, the covered entity's information and the individual’s agreement
may be given orally.
(a) Standard: Uses and disclosures required by law. (1) A covered entity may
use or disclose protected health information to the extent that such use or
disclosure is required by law and the use or disclosure complies with and is
limited to the relevant requirements of such law.
45 C.F.R. § 164.512(a)(1) (2005).
8
City of Garland v. Dallas Morning News, 22 S.W.3d 351, 356 (Tex. 2000). When a district court
grants one motion and denies the other, an appellate court should determine all questions presented
and render the judgment the district court should have rendered. Id. at 356.
In a Public Information Act case, courts must determine if the requested information
is subject to an exception to disclosure. Thomas v. Cornyn, 71 S.W.3d 473, 482 (Tex. App.—Austin
2002, no pet.). An agency has the burden of proving that an exception to disclosure under the Public
Information Act applies before it may withhold the requested information. Id. at 488. In making this
determination, we must construe HIPAA, the Privacy Rule, and the Public Information Act and
determine the interaction between these laws. Matters of statutory construction present legal
questions. City of Garland, 22 S.W.3d at 357. In construing statutes, our goal is to give effect to
the legislature’s intent. Texas Dep’t of Protective & Regulatory Servs. v. Mega Child Care, Inc., 145
S.W.3d 170, 176 (Tex. 2004). This determination begins with the wording of the statutes involved.
In re Bay Area Citizens Against Lawsuit Abuse, 982 S.W.2d 371, 380 (Tex. 1998). We must
interpret the statute as written. See In re Doe, 19 S.W.3d 346, 351 (Tex. 2000). Every word in a
statute is presumed to have been used for a purpose and every word excluded is presumed to have
been excluded for a purpose. Laidlaw Waste Sys., Inc. v. City of Wilmer, 904 S.W.2d 656, 659 (Tex.
1995).
DISCUSSION
Protected Health Information
Before addressing the claims made by the parties in this case, we first note that the
information requested in this case does not seem to fall into the definitions of “protected health
9
information” given in either HIPAA or the Privacy Rule. The request asked for allegations and
investigations of abuse at various governmental facilities. Statistical information regarding
allegations of abuse and subsequent investigations does not seem to relate to issues regarding
health or condition in general and certainly does not relate to the health or condition of an individual,
“the provision of health care to an individual, or the past, present, or future payment for the provision
of health care to an individual.” See 42 U.S.C.A. § 1320d(6) (emphasis added); 45 C.F.R.
§ 160.103.
This interpretation of the phrase “protected health information” is supported by the
decisions of other courts that have concluded that specific types of information could be disclosed
because they did not constitute protected health information under HIPAA or the Privacy Rule. In
State ex. rel. Cincinnati Enquirer v. Daniels, the Ohio Supreme Court determined that certain
information requested by the Cincinnati Enquirer did not constitute protected health information.
811 N.E.2d 1181, 1183, 1186 (Ohio 2006). The Enquirer asked the Cincinnati Health Department
to release copies of lead-contamination notices it had sent to the residences of children whose blood
tests had indicated elevated levels of lead. The Ohio Supreme Court concluded that the information
was subject to disclosure under the Ohio Public Records Act. The court further concluded that the
notices did not contain protected health information, noting that they did not provide the name, age,
birth date, social security number, telephone number, family information, or any other identifier
other than address and did not contain any specific details regarding any medical examination,
assessment, diagnosis, or treatment. Id. at 1185.
10
A similar result was reached in Foley v. Samaritan Hospital, in which a New York
court concluded that the information sought through a discovery request did not constitute protected
health information. 11 Misc. 3d 1055A, *4 (Rensselaer County Feb. 3, 2006). The plaintiff in Foley
contended that the hospital’s negligent conduct resulted in the death of a patient. The plaintiff
wanted the hospital to release the names and addresses of the two other patients that were in the
same room as the deceased in order to obtain information from them. Id. at *2. The hospital refused
to disclose the information and argued that releasing the information would be a violation of HIPAA.
Id. The court concluded that disclosing the names and addresses in response to a discovery request
would not violate HIPAA because the disclosure would not reveal “individually identifiable health
information.” Id. at *4.
Although the information at issue in this case does not seem to be the type of
information that would constitute “protected health information,” neither party sufficiently addresses
this point in their briefs. Even though the Attorney General briefly mentions that he disagrees with
the Department’s characterization of the information as protected health information, he does not
cite to any authority for this proposition. Rather, the whole thrust of the Attorney General’s original
letter opinion, his motion for summary judgment, and his briefs seems to assume that the information
is protected health information that is subject to disclosure via an exception in the Privacy Rule.
Therefore, for the purposes of this case, we will assume that the information is protected health
information. See Mathis, 377 F. Supp. 2d at 645 (concluding that requested information was not
protected health information and that, even if it was protected health information, it was still subject
to disclosure); Daniels, 811 N.E.2d at 1186 (same).
11
Issues on Appeal
On appeal, the Attorney General contends that the Department is required to release
the information requested under the Public Information Act. The Attorney General does not contest
that HIPAA generally applies or the Department’s assertion that the Department is a “covered entity”
subject to the requirements of HIPAA and the Privacy Rule. However, he argues that the “required
by law” exception to nondisclosure in section 164.512(a) of the Privacy Rule applies in this case and
authorizes disclosure of the information requested. See 45 C.F.R. § 164.512(a). Specifically, he
asserts that the Public Information Act qualifies under section 164.512(a) as a law requiring the
disclosure of protected health information. In addition, he contends that nothing in the Public
Information Act prohibits the release of the requested information and that the disclosure would
comply with all the requirements listed in the Act. Therefore, he argues the information must be
disclosed. Finally, he avers that, contrary to the assertions of the Department, HIPAA and the
Privacy Rule do not preempt the Public Information Act and that a covered entity may satisfy all the
requirements of both sets of statutes.
The Department, on the other hand, argues that the Public Information Act is not a
statute requiring the disclosure of protected health information, and, therefore, subsection 164.512(a)
does not authorize the release of the information requested. Rather, the Department asserts that the
Act is a general statute dealing with public information, not protected health information.
Alternatively, the Department contends that, even if the Public Information Act qualifies under the
terms of section 164.512(a), the information was still not subject to disclosure because the Act does
not authorize the release of information deemed confidential by law. Specifically, the Department
12
argues that, because HIPAA and the Privacy Rule prohibit the disclosure of protected health
information, protected health information is confidential. Finally, the Department insists that if the
Act requires the disclosure of the information requested in this case, it is preempted by the Privacy
Rule. We will address these arguments in the order described.
The Public Information Act Compels Disclosure of the Information Requested
The Public Information Act Qualifies Under Section 164.512(a)
In support of its assertion that the Public Information Act does not qualify under
section 164.512(a) of the Privacy Rule, the Department notes that health information is not
mentioned in the definition of “public information” provided in the Act. See Tex. Gov’t Code Ann.
§ 552.002 (“‘public information’ means information that is collected, assembled, or maintained
under a law or ordinance or in connection with the transaction of official business: (1) by a
governmental body; or (2) for a governmental body and the governmental body owns the information
or has a right of access to it”). In addition, the Department refers to a portion of the commentary
accompanying the Privacy Rule discussing the inclusion of section 164.512(a) in the Privacy Rule.
See 65 Fed. Reg. at 82666-67. The commentary states that subsection 164.512(a) was a necessary
addition to the Privacy Rule to “harmonize the rule with existing state and federal laws mandating
uses and disclosures of protected health information” and lists various types of laws that might
require disclosure, including national security, public health, and law enforcement. The Department
notes that public information statutes were not specifically mentioned.
Further, the Department contends that the Public Information Act does not sufficiently
limit the individuals to whom information may be released, the manner in which the information may
13
be released, and the purpose for which the information may be released to qualify it as a statute
requiring the disclosure of protected health information. In support of this contention, the
Department refers to another section of the commentary to the Privacy Rule describing federal laws
requiring release of protected health information, which states “[m]any federal laws require covered
entities to provide specific information to specific entities in specific circumstances” and lists several
laws requiring disclosure. Id. at 82485. Further, the Department refers to statutes that it argues are
sufficiently specific to authorize the release of information under section 164.512(a).4
In further support of this assertion, the Department refers to the other exceptions to
non-disclosure listed in section 164.512, which generally deal with law enforcement and public
health concerns, and insists that these required-by-law disclosures are limited by the purpose for
which disclosures may be made, the entity to whom information may be disclosed, and by the
4
For example, the Department refers to the Developmental Disabilities Assistance and Bill
of Rights Act and the Protection and Advocacy for Mentally Ill Individuals Act as examples of
statutes that sufficiently limit the purpose for which disclosure may occur and limits the entities to
which the information may be released. See 42 U.S.C.A. §§ 10801-10851 (West 2005); id.
§§ 15001-15115 (West 2005). Both statutes require states to protect individuals with developmental
disabilities or mental illness by developing agencies that have the authority to investigate incidents
of abuse and neglect of individuals. Id. §§ 10803(2), 15043(a)(1), (a)(2)(B). As part of their
investigative powers, these agencies have the authority to access individuals’ records. Id.
§§ 10805(a)(4), 15043(a)(2)(I), (J).
The Department also refers to section 261.402 of the family code, which authorizes state
agencies to (1) notify law enforcement agencies of reports concerning abuse, neglect, and
exploitation of children in state-operated facilities and (2) compile and make available statistics on
incidences of abuse, neglect, and exploitation of children in state-run facilities. See Tex. Fam. Code
Ann. § 261.402 (West 2002). The Department contends that there is no comparable statute
mandating an agency to disclose information regarding abuse allegations of adults living in state-run
facilities, especially to non-law-enforcement entities, and insists that this supports its contention that
the type of information requested in this case is not subject to disclosure.
14
circumstances under which disclosures may be made. See 45 C.F.R. § 164.512(b)-(l).5 The
Department contends that the exception listed in subsection (a) should be interpreted in a similarly
narrow fashion: it should allow disclosure of “protected health information” only if another law
specifically requires the disclosure of this type of information.
Because the information requested involves allegations of abuse and neglect, the
Department also asserts that a determination of whether the information can be released must be
construed in light of section 164.512(c) of the Privacy Rule. Section 164.512(c) allows a covered
entity to disclose to governmental authorities information concerning an individual the covered entity
believes to be the victim of abuse and neglect. 45 C.F.R. § 164.512(c). The Department contends
that release of the information requested to a reporter would be a violation of this subsection.
We disagree with the Department’s assertion that the Public Information Act does not
qualify under section 164.512(a). Nothing in the definition of “public information” expressly
exempts health information. See Tex. Gov’t Code Ann. § 552.002. Further, due to the Act’s
emphasis on providing information on governmental activities to citizens, public information
requests made to agencies providing health care services may in certain cases involve the disclosure
5
The remaining exceptions cited by the Department allow the release of protected health
information (1) to public health authorities authorized to receive that type of information; (2) to law
enforcement authorities authorized to receive reports of abuse, neglect, or domestic violence; (3) to
health oversight agencies; (4) to courts or administrative agencies in response to an order or
subpoena; (5) to law enforcement agencies if a law requires the reporting of certain types of injuries,
if a court or administrative agency orders it, or if used for identifying or locating a suspect; (6) to
coroners and medical examiners to identify deceased individuals; (7) to organ procurement
organizations for the purpose of facilitating transplants; (8) for research purposes; (9) to avert serious
health threats to individuals or the public; and (10) to military authorities if they deem it necessary
to assure the execution of a military mission. 45 C.F.R. § 164.512(b)-(l) (2005).
15
of health information. See id. § 552.001. Although the Act allows for disclosure of information to
a greater number of individuals and for less specific reasons than the statutes referred to by the
Department, this does not necessarily remove public information statutes from consideration under
section 164.512 of the Privacy Rule. There is nothing in the language of the Privacy Rule or HIPAA
that limits the application of subsection 164.512(a) to statutes authorizing the disclosure of
specifically enumerated types of health information.
Although the Privacy Rule’s commentary listing types of statutes that might require
disclosure of protected health information does not specifically include public information statutes,
there is no indication that the list is exhaustive. See 65 Fed. Reg. at 82666-67. Rather, the language
specifies that the types of federal and state statutes requiring disclosure by law occur in a myriad of
contexts. The commentary merely provides a range of possible areas of the law that might require
disclosure.
Further, in a separate section, the commentary describes the interaction between the
Privacy Rule and the federal counterpart to the Public Information Act—the Freedom of Information
Act. This section indicates that public information statutes are statutes that might result in the
disclosure of protected health information and provides that disclosures under the Freedom of
Information Act fall under section 164.512(a) of the Privacy Rule if the disclosures meet the relevant
requirements of the Act. Id. at 82482. The commentary further states that if an agency receives a
request for protected health information, the agency must first determine whether the Act requires
the disclosure or if an exemption applies, in which case the agency may redact the protected
information. Id. The commentary makes it clear that when determining whether to release protected
16
health information in response to a Freedom of Information Act request, an agency must look to the
limits and exemptions in the Act, not to the Privacy Rule.
We disagree with the Department’s contention that releasing information under
subsection 164.512(a) in response to a public information request would violate subsection
164.512(c). See 45 C.F.R. § 164.512(a), (c). These two subsections provide alternative methods in
which protected health information may be disclosed and apply in different contexts. Subsection (c)
authorizes covered entities to release protected health information about an individual the entity
believes is the victim of abuse or neglect to governmental entities that are specifically authorized by
law to receive that type of information, such as protective service agencies. Id. § 164.512(c).
Subsection (a), on the other hand, authorizes the release of protected health information if it is
required by any type of law, not just laws concerning suspected victims of abuse or neglect, and does
not specifically limit disclosure to governmental agencies. Id. § 164.512(a). Further, in this case,
an individual sought the disclosure of aggregate statistical information, not information concerning
a specific victim of abuse. Therefore, subsection (c) is not implicated in this request.
Accordingly, for all these reasons, we conclude that the Public Information Act is a
statute requiring the disclosure of protected health information as described in section 164.512(a)
of the Privacy Rule.
The Confidentiality Exception Does not Apply
The Department contends alternatively that, even if the Public Information Act
qualifies as a statute requiring the release of protected health information, release of the requested
information is improper. Specifically, the Department asserts that, because the Privacy Rule
17
prohibits the disclosure of protected health information, protected health information is confidential
under section 552.101 of the Public Information Act and, therefore, not subject to disclosure. See
Tex. Gov’t Code Ann. § 552.101. Although the Privacy Rule does not explicitly state that protected
health information is “confidential,” the Department argues that the fact that the information is not
subject to disclosure renders it confidential. The Department also notes that the commentary to the
Privacy Rule describes the importance of protecting “confidential” health information. Cf. In re City
of Georgetown, 53 S.W.3d 328, 334 (Tex. 2001) (rules of civil procedure and evidence that prohibit
disclosure of certain information made information “confidential”: “A law does not have to use the
word ‘confidential’ to expressly impose confidentiality. . . . The rules expressly provide that certain
types of work product do not have to be disclosed, which means they are confidential.”); see 65 Fed.
Reg. at 82463-64 (describing need to protect confidential health information); see also Tex. Health
& Safety Code Ann. § 576.005 (West 2003) (“Records of a mental health facility that directly or
indirectly identify a present, former, or proposed patient are confidential unless disclosure is
permitted by other state law.”).
Because the information requested was allegedly confidential, the Department argues
that the manner in which it chose to release the information—namely releasing statewide statistics
of allegations of abuse not broken down by individual facilities—was proper. The Department
asserts that protected health information cannot be released without either (1) having a statistician
determine that release of the information in question will not lead to the identification of individuals
or (2) removing the eighteen identifiers listed in section 164.514(b)(1)(ii)(B) of the Privacy Rule,
including the addresses of the facilities where the individuals were allegedly abused. See 45 C.F.R.
18
§ 164.514(b)(1)(ii)(B). In this case, the Department argues it chose to remove potential identifiers,
including the names of facilities, before releasing the information.
In support of its position, the Department compares the Public Information Act with
the Freedom of Information Act, and refers to commentary in the preamble to the Privacy Rule
specifically addressing the interaction between these two laws. Under subsection 552(a) of the
Freedom of Information Act, governmental agencies are required to release public information. 5
U.S.C.A. § 552(a) (West 1996 & Supp. 2005). Like the Public Information Act, the Freedom of
Information Act also lists exceptions to the general rule of disclosure. See id. § 552(b) (West 1996
& Supp. 2005). The sixth exception exempts from disclosure “personnel and medical files and
similar files[6] the disclosure of which would constitute a clearly unwarranted invasion of personal
privacy.” Id. § 552(b)(6).7
6
Although the Public Information Act contains a similar provision for personnel files, it does
not specifically include “medical files and similar files” in this provision. See Tex. Gov’t Code
552.102 (West 2004).
7
The Department contends that the Freedom of Information Act is similar to the Public
Information Act in its purpose and in the exceptions it applies to prevent disclosures. The
Department refers to several cases in which the Supreme Court determined information was not
subject to disclosure under the Freedom of Information Act as instructive in the determination of
whether information is subject to disclosure under the Public Information Act. See United States
Dep’t of State v. Washington Post Co., 456 U.S. 595 (1982); United States Dep’t of Def. v. Federal
Labor Relations Auth., 510 U.S. 487 (1994); United States Dep’t of Justice v. Reporters Comm. for
Freedom of Press, 489 U.S. 749 (1989).
However, none of the cases cited by the Department concern the type of information
requested in this case: statistical information about alleged abuse that does not contain the names of
any particular individual. See Washington Post Co., 456 U.S. at 596 (requesting documents
regarding whether two Iranian nationals living in Iran were American citizens); Federal Labor
Relations, 510 U.S. at 489 (requesting disclosure of names and home addresses of federal civil
service employees from agencies employees worked for); Reporters Comm., 489 U.S. at 751 (third
party requesting criminal identification records for individual from Federal Bureau of Investigation).
19
The Privacy Rule’s commentary states that if a request seeks documents that include
protected health information, the agency, when appropriate, must refuse the release of medical files
or otherwise redact identifying details before disclosing the remaining information. 65 Fed. Reg.
82462, 82482; see also 5 U.S.C.A. § 552(b)(6). Finally, the commentary specifies, “We believe that
generally a disclosure of protected health information, when requested under [the Freedom of
Information Act], would come within . . . Exemption 6.” 65 Fed. Reg. at 82482. The Department
contends that, like agencies receiving a request under the Freedom of Information Act, Texas
agencies must first determine if the information requested is confidential by law under the Privacy
Rule and then redact any confidential information.
The Department also asserts that the Attorney General’s interpretation of the
interaction between the Privacy Rule and the Public Information Act would lead to unreasonable
results. See C&H Nationwide, Inc. v. Thompson, 903 S.W.2d 315, 322 n.5 (Tex. 1994) (statutes
should not be construed in manner that leads to absurd conclusions). It asserts that, under the
Attorney General’s interpretation, anyone may request confidential health information from covered
entities if they file a request under the Public Information Act, which would render meaningless the
remaining exceptions allowing disclosure under section 164.512. Further, it urges that protected
health information disclosed by a non-governmental covered entity to a governmental agency would
be subject to disclosure under the Public Information Act despite the fact that the non-governmental
entity would be prohibited from disclosing the information. In essence, the Department suggests that
Further, the type of information requested in this case reveals information concerning agency
conduct and does not amount to the release of an individual’s record.
20
protected health information would lose the protection afforded by the Privacy Rule once it was
disclosed to a governmental agency.
We disagree with the Department’s interpretation of the interaction among HIPAA,
the Privacy Rule, and the Public Information Act. The confusion in this case arises due to the cross
references to other statutes found in both the Privacy Rule and the Public Information Act. Under
the Department’s interpretation, governmental bodies contemplating disclosure under the Public
Information Act are required to refer back to HIPAA and the Privacy Rule; it argues that, because
HIPAA and the Privacy Rule prohibit the disclosure of protected health information, health
information is considered confidential by law and, therefore, not subject to disclosure under the Act.
However, we cannot adopt this circular logic. The Department’s interpretation would send us back
to the start of the analysis and would prevent the disclosure of all protected health information
despite the Public Information Act’s default favoring disclosure of information.
We conclude that covered entities faced with a request for disclosure involving
potentially protected health information must examine the information in light of HIPAA and the
Privacy Rule to determine if the information is protected health information that is generally not
subject to disclosure. 42 U.S.C.A. § 1320d(6); 45 C.F.R. § 160.103. If the request does not involve
protected health information, then HIPAA and the Privacy Rule do not prohibit disclosure of the
information. If the request asks for information that is protected health information, then the agency
must ascertain if any exception to non-disclosure in the Privacy Rule applies. If no exception
applies, the agency may release the information if potential identifiers are redacted or if a statistician
determines that release of the information cannot be used to identify any individual. 45 C.F.R.
§ 164.514. If an exception to non-disclosure does apply, the agency must release the information.
21
For example, if the request is made under the authority of a statute that requires disclosure, then the
exception found in section 164.512(a) applies, and the agency must disclose the information as long
as the disclosure complies with all relevant requirements of the statute compelling disclosure. Id.
§ 164.512(a)(1).
If a request for protected health information is made under the Public Information
Act, then the exception to non-disclosure found in section 164.512(a) of the Privacy Rule applies,
and the agency must determine whether the Act compels the disclosure or whether the information
is excepted from disclosure under the Act. For example, if the information is considered confidential
by judicial decision, statute, or the constitution, then the information is not subject to disclosure
under the “confidential” exception to disclosure found in the Public Information Act. See Tex. Gov’t
Code Ann. § 552.101; see also Tex. Occ. Code Ann. § 159.002 (West 2004) (patient records and
communications between patient and physician confidential).
Our construction of the statutes properly balances the need for privacy under HIPAA
and the Privacy Rule and the need for disclosure under the Public Information Act and correctly
reconciles these two statutes. First, the overall purpose behind the Public Information Act is that
information is presumed to be subject to disclosure unless an exception applies. See generally Tex.
Gov’t Code Ann. § 552.001-.353. Second, the commentary to the Privacy Rule also supports this
construction. The commentary specifies that
if a conflict appears to exist because a previous statute or regulation requires a
specific use or disclosure of protected health information that the rules below
appear to prohibit, the use or disclosure pursuant to that statute or regulation
would not be a violation of the privacy regulation because § 164.512(a) permits
covered entities to use or disclose protected health information as required by
law.
22
65 Fed. Reg. at 82482 (emphasis added). In discussing the interaction between the Privacy Rule and
other laws, the commentary further states that “if a covered entity is required to disclose protected
health information pursuant to a specific statutory or regulatory scheme, the covered entity generally
will be permitted under § 614.512(a) to make these disclosures without a consent or authorization
. . . .” Id. at 82591. In addition, in addressing concerns that were raised by the inclusion of section
164.512(a), the commentary provides that subsection (a) is intended “to preserve access to
information considered important enough by state or federal authorities to require its disclosure by
law” and that it is not appropriate for HHS “to reassess the legitimacy of or the need for each of these
mandates . . . .” Id. at 82667. Finally, the commentary states that, given the variety of laws that
might require disclosure of health information and the context in which they might arise, “we do not
believe that Congress intended to preempt each such law unless HHS specifically recognized the law
or purpose in the regulation.” Id.
Our construction comports with the policy of this State to disclose information
regarding abuse and neglect at facilities caring for the mentally ill or mentally retarded. Cf. Tex.
Health & Safety Code Ann. §§ 242.121-.135 (West 2001 & Supp. 2005); Capital Senior Mgmt. 1,
Inc. v. Texas Dep’t of Human Servs., 132 S.W.3d 71, 79 (Tex. App.—Austin 2003, pet. filed);. It
also is consistent with the public’s interest in having access to information about the operation of
these facilities. See Capital Senior Mgmt. 1, 132 S.W.3d at 79.
Additionally, our construction is supported by the decision reached by the Ohio
Supreme Court in Daniels and by information posted on HHS’s website under its frequently asked
questions section by the Office for Civil Rights, which is charged with enforcing the Privacy Rule.
See 811 N.E.2d at 1187-88; 65 Fed. Reg. at 82472. In Daniels, the Ohio Supreme Court determined
23
that a health department’s lead-contamination notices were subject to disclosure under section
164.512(a) of the Privacy Rule because the Ohio Public Records Act compels the disclosure of the
information. 811 N.E.2d at 1186-88. The Ohio Supreme Court was faced with similar circular
references: the Public Records Act requires disclosure unless disclosure is prohibited by federal law,
and the Privacy Rule allows disclosure if it is required by other law, including state law. Id. at 1186-
87.8 Under the frequently asked questions section of the website, the Office of Civil Rights posted
an answer describing the interaction between state public information laws and the Privacy Rule.
The answer stated that if a state agency is a covered entity, the Privacy Rule applies to disclosures
of protected health information. However, the answer also stated that the Privacy Rule permits a
covered entity to disclose protected health information if mandated by law, provided that the
disclosure complies with the requirements of the public information law.
8
The Department contends that this portion of the Ohio decision is inapplicable for several
reasons. First, the Department contends this portion of the opinion is dicta because the Ohio
Supreme Court had previously concluded that the information requested was not protected health
information. See State ex. rel. Cincinnati Enquirer v. Daniels, 811 N.E.2d 1181, 1186 (Ohio 2006).
However, even if we were to conclude that the alternative holding in this case is in fact dicta, we find
the analysis provided in the opinion persuasive.
Second, the Department contends that, unlike the Public Information Act, the Ohio Public
Records Act does not contain a “confidential by law” exception to disclosure. However, we have
already concluded that the “confidential” exception, without more, does not prevent disclosure of
requested information simply because the Privacy Rule would prohibit disclosure. Finally, the
Department argues that the Ohio Supreme Court made this decision without addressing the
requirement that a covered entity, prior to releasing health information, either employ the services
of a statistician to determine that the risk of identification is small or remove identifiers listed in the
Privacy Rule. See 45 C.F.R. § 164.514(b) (2005). However, this argument ignores the portion of
the Privacy Rule allowing disclosure of protected health information if it is required by law
irrespective of whether a statistician concludes the information may safely be released or whether
certain identifiers are removed. See id. § 164.512(a).
24
Accordingly, we conclude that the information requested in this case was subject to
disclosure. Section 164.512(a) of the Privacy Rule permits disclosure of protected health
information if required by law, as long as the disclosure comports with the requirements of that law.
45 C.F.R. § 164.512(a). The Public Information Act requires disclosure of public information unless
an exception applies. See generally Tex. Gov’t Code Ann. §§ 552.001-.353. No exception to
disclosure in the Public Information Act applies to the release of statistical information regarding
abuse at individual government facilities. See id. §§ 552.101-.1425. The confidentiality exception
listed in section 552.101 does not apply because no law renders the information confidential, and the
Department has not referred us to any case, and we have found none, holding that aggregate
statistical information of the type requested in this case is confidential.9
Therefore, we conclude that disclosure of the information requested will comply with
all relevant requirements of the Public Information Act, HIPAA, and the Privacy Rule. See 45
C.F.R. § 164.512(a). Accordingly, we sustain the Attorney General’s first issue on appeal.
Preemption
In their motion for summary judgment and on appeal, the Department contends that
if the Public Information Act requires disclosure of the information in question, then the Privacy
Rule preempts the Act. Specifically, it argues that if the Public Information Act mandates the release
of protected health information, then covered entities cannot satisfy the directives of the Privacy Rule
9
Our conclusion that the information requested in this case is not confidential under the
Public Information Act is buttressed by the fact that the reporter was able to obtain the requested
information from another agency, the Texas Department of Protective and Regulatory Services,
which is not a covered entity under HIPAA.
25
and the Act, and, therefore, the Privacy Rule must preempt the Act. In addition, it asserts that the
Act is not specifically exempted from preemption by HIPAA, see 42 U.S.C.A. § 1320d-7(a) (West
2003) (listing types of statutes exempted from preemption and stating that HIPAA shall “supersede
any contrary provision of State law”), nor is it one of the types of laws listed in the commentary to
the Privacy Rule as a non-preempted statute. Further, it contends that no Texas official has
petitioned the Secretary of HHS and requested that the Secretary exempt the Act from preemption.
See 45 C.F.R. § 160.204 (allowing state official to ask Secretary of HHS to exempt portion of statute
from preemption).
With certain exceptions, section 160.203 of the Privacy Rule provides that if the
Privacy Rule requires action contrary to an action mandated by a state law, then the state law is
preempted. 45 C.F.R. § 160.203. Further, the Privacy Rule explains that a state law provision is
“contrary” to the Privacy Rule if “[a] covered entity would find it impossible to comply with both
the State and federal requirements” or “[t]he provision of State law stands as an obstacle to the
accomplishment and execution of the full purposes and objectives of” HIPAA. Id. § 160.202.
However, we have previously concluded that the Privacy Rule allows the disclosure
of the information in question under section 164.512(a). Because the Department can comply with
both the Privacy Rule and with the Public Information Act, the Public Information Act is not
preempted by the Privacy Rule.
CONCLUSION
Having sustained the Attorney General’s first issue on appeal and having concluded
that the Public Information Act is not preempted, we reverse the judgment of the district court and
26
render judgment that the information requested in this case is not confidential and is, therefore,
subject to release under the Public Information Act.
David Puryear, Justice
Before Chief Justice Law, Justices Patterson and Puryear
Reversed and Rendered
Filed: June 16, 2006
27