The Honorable Tracey Bright Ector County Attorney Ector County Courthouse Room 201 Odessa, Texas 79761
Re: Whether individual county commissioners are entitled to access medical insurance coverage information regarding a former commissioner and his wife (RQ-0077-GA)
Dear Ms. Bright:
You ask whether individual county commissioners are entitled to access medical insurance coverage information regarding a former commissioner and his wife.1
I. Facts Ector County provides its employees with health care coverage under a self-insured plan. See Request Letter, supra note 1, at 1.2 The plan pays benefits directly, although the county has "stop loss" coverage for larger claims. Id. The plan provides benefits with the assistance of a third-party claims administrator, the county insurance department, and the commissioners court insurance committee. See Caddel Letter, supra note 2, at 1-2.
At a special meeting, the Ector County Commissioners Court authorized an investigation concerning the payment of claims for health services rendered to a former commissioner's spouse. See id.3 The county commissioners had learned that the former commissioner had not made monthly premium payments for retiree dependent health coverage for 22 months. See Request Letter, supra note 1, at 1. The investigation concerned reports that the former commissioner and the head of the Ector County insurance department agreed to a payment schedule to make up the arrearage.See id. The investigation also concerned reports that one or more commissioners had attempted to obtain health plan information about county employees from the third-party claims administrator and from the county insurance department. See Caddel Letter,supra note 2, at 1. The county judge has taken the position that authority granted to access certain health insurance information is granted "to the Court acting as a body and not to the individual members." Id. at 2.
II. The Questions In light of these circumstances, you ask:
1) Are the individual County Commissioners allowed to access and review all of the records of the ex-commissioner's insurance status including his and his wife's signup documents, claims, and premiums payment histories? In this regard, would there be any documents that the County Commissioners could not access and review?
2) Are the individual County Commissioners allowed to access and review the records in question, in spite of an ongoing criminal investigation, if appropriate measures are taken to protect the integrity and security of the records?
Request Letter, supra note 1, at 2. You clarify that the "individual County Commissioners are not requesting the records in question be made public, only that they be allowed to review them to fulfill their elective duties, e.g.[,] determining [the] cause and extent of the problem, discipline of the employee who made the mistake, protection of the County finances, etc." Id.
III. Authority of Individual Commissioners Your questions concern the authority that an individual commissioner holds independent of the county commissioners court's corporate powers. Texas counties are divided into four commissioners precincts and each precinct elects a commissioner.See Tex. Const. art. V, § 18(b). The four commissioners, with the county judge as presiding officer, make up the county commissioners court. See id.; Tex. Loc. Gov't Code Ann. § 81.001 (Vernon 1999). Although commissioners are elected by precinct, the "`court is manifestly a unit, and is the agency of the whole county. The respective members of the commissioners court are therefore primarily representatives of the whole county, and not merely representatives of their respective precincts. The duty of the commissioners court is to transact the business, protect the interests, and promote the welfare of the county as a whole.'"Canales v. Laughlin, 214 S.W.2d 451, 454 (Tex. 1948) (quotingStovall v. Shivers, 103 S.W.2d 363, 366 (Tex. 1937)). An individual commissioner acting alone does not have the authority to bind the county by agreement or conduct. See Hill Farm, Inc.v. Hill County, 436 S.W.2d 320, 324 (Tex. 1969); Canales,214 S.W.2d at 455. Consequently, county authority is generally vested in the commissioners court as a governmental body and not in individual commissioners.
You suggest that individual commissioners are entitled to access county employee health records as "custodian[s]" under the Public Information Act ("PIA"). Under the PIA, "[e]ach elected county officer is the officer for public information and the custodian, as defined by Section 201.003, Local Government Code, of the information created or received by that county officer's office."See Tex. Gov't Code Ann. § 552.201(b) (Vernon Supp. 2004). While a county commissioner is an elected official, Government Code section 552.201(b) does not specify whether, when the official is a member of a board or commission, authority must be exercised collectively. See, e.g., Tex. Educ. Code Ann. § 51.903(a) (Vernon 1996) (referring to a "commissioners court of any county" as a "custodian of public records"). Moreover, assuming that individual commissioners are custodians of commissioners court records, it is not clear that they would be the custodian of records created or received by, for example, the county's insurance department or the employee health plan. See Tex. Loc. Gov't Code Ann. § 201.003(2) (Vernon 1999) (defining "custodian" as "the appointed or elected public officer who by the state constitution, state law, ordinance, or administrative policy isin charge of an office that creates or receives local government records"). We need not decide these issues here, however, because a commissioner possesses authority to access records involving county business independent of any rights under The PIA.
The PIA concerns the public's right of access to governmental records. See Tex. Gov't Code Ann. §§ 552.001 (Vernon 1994) (stating the purpose of PIA); 552.021 (Vernon Supp. 2004) (providing that public information is available to the public). A member of a governing body has a right to access the documents of that body, not merely as a member of the public, or as a custodian under The PIA, but because of the member's inherent powers of office. While there do not appear to be Texas court decisions directly concerning the issue, on several occasions this office has observed that a member of a governing body has an inherent right of access to the records of that body when requested in the member's official capacity and for the member's performance of official duties. See Tex. Att'y Gen. Op. Nos.JC-0283 (2000) at 3-4, JC-0120 (1999) at 3-5, JM-119 (1983) at 3; Tex. Att'y Gen. LO-93-069, at 1-2.
In JM-119, we determined that because the board of trustees of a college district was responsible for the governance and control of the district, individual trustees were entitled to access audit records concerning the district. See Tex. Att'y Gen. Op. No. JM-119 (1983) at 3. Further, because the member had asked in the member's official capacity and not as a member of the general public, the custodian of records could not deny access under The PIA. See id. In JC-0283, this office determined that the chief executive and members of a governing body of a municipality were entitled to access individual fire fighter and police officer personnel files as a necessary power incident to the governing body's responsibility to oversee the police chief and fire chief.See Tex. Att'y Gen. Op. No. JC-0283 (2000) at 3-4.
In LO-93-069, this office determined that members of the Texas State Board of Medical Examiners were entitled to examine personnel files of its employees, including confidential material such as medical health history. See Tex. Att'y Gen. LO-93-069, at 2.4 Also, in JC-0120, this office determined that a city council member was entitled to review a confidential and privileged tape recording of an executive session of the council. See Tex. Att'y Gen. Op. No. JC-0120 (1999) at 3-4. In light of the confidential nature of the tape, however, this office advised that it was proper for the council to adopt procedures to preserve the tape's confidentiality, but the council could not absolutely prohibit a member from reviewing the records. See id. at 5.
From these principles, we conclude that the authority of an individual commissioner to review records involving the county is largely coextensive with that of the commissioners court as a governmental body. When there are competing confidentiality or security concerns, it may be proper for the court to establish reasonable procedures to preserve confidentiality, but the commissioners court may not absolutely prohibit an individual commissioner from viewing records involving county business that are otherwise properly available to the court as a governmental body. We next consider the commissioners court's authority as a governmental body to access plan records.
IV. Authority of Commissioners Court The county commissioners court's primary duty is to administer the county's business affairs. See City of San Antonio v. City ofBoerne, 111 S.W.3d 22, 27 (Tex. 2003). Although its authority must ultimately be grounded in the constitution and statutes, it has broad supervisory responsibility over the expenditure of county funds as the "general business and contracting agency of the county." Anderson v. Wood, 152 S.W.2d 1084, 1085 (Tex. 1941). The employment benefits Ector County provides its employees are, of course, county business. On behalf of the county, the commissioners court has entered into a contractual arrangement with its employees to pay certain health benefits under a self-insured plan.5 As you state, the responsibility of managing Ector County's self-insured employee health plan "falls on the commissioners court."6 The Plan Document charges Ector County, as plan sponsor and plan administrator, with certain authority and responsibilities concerning plan oversight and maintenance of plan documents and records. See Plan Document, supra note 5. Accordingly, the authority and responsibility of the county with respect to plan records appears to be governed at a contractual level by the terms of the Plan Document. See id.
V. Statutory Limits on Access You identify two possible statutory limitations on commissioners' access to medical records, the Texas Medical Practice Act ("MPA"), see Tex. Occ. Code Ann. §§ 159.001-.009 (Vernon 2004), and the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), Pub.L. No. 104-191, 110 Stat. 1936 (codified in scattered sections of volumes 18, 26, 29 and 42 of the United States Code). See Request Brief, supra note 6, at 1-2.
1. Medical Practice Act The MPA, codified in chapter 159 of the Occupations Code, concerns physician-patient communications. See Tex. Occ. Code Ann. §§ 159.001-.009 (Vernon 2004). Under section 159.002, certain physician-patient communications and records created or maintained by a physician are privileged and confidential:
(a) A communication between a physician and a patient, relative to or in connection with any professional services as a physician to the patient, is confidential and privileged and may not be disclosed except as provided by this chapter.
(b) A record of the identity, diagnosis, evaluation, or treatment of a patient by a physician that is created or maintained by a physician is confidential and privileged and may not be disclosed except as provided by this chapter.
Id. § 159.002(a)-(b). Additionally, subsection (c) provides:
(c) A person who receives information from a confidential communication or record as described by this chapter, other than a person listed in Section 159.004 who is acting on the patient's behalf, may not disclose the information except to the extent that disclosure is consistent with the authorized purposes for which the information was first obtained.
Id. § 159.002(c). A person aggrieved by an unauthorized release of confidential and privileged communications may bring a private cause of action. See id. § 159.009.
The MPA contains exceptions that allow disclosure of otherwise confidential and privileged communications and records. A patient may consent to disclosure under section 159.005. See id. § 159.005. Also, there is an exception for certain disclosures in connection with a court or administrative proceeding. See id. § 159.003. Finally, section 159.004 provides the only exceptions to the privilege of confidentiality, other than in administrative or judicial proceedings, which permit a physician to disclose confidential information. Id. § 159.004.7 For example, section 159.004 permits a physician to disclose confidential information "with respect to . . . a person, corporation, or governmental agency involved in the payment or collection of fees for medical services provided by a physician." Id. § 159.004(6).
Whether a particular record concerning the former commissioner's spouse is confidential and privileged under the MPA depends, in the first instance, on whether information in the record derives from a physician-patient communication under section 159.002(a) or a record created or maintained by a physician containing a patient's identity, diagnosis, evaluation, or treatment under section 159.002(b). See id. § 159.002(a)-(b). If so, then such a record or communication may not be disclosed unless it meets one of the exceptions under the MPA. Id. Moreover, if the MPA authorizes a disclosure for a particular purpose, then the MPA permits redisclosure only to the extent it is consistent with that purpose. See id. § 159.002(c). Consequently, whether the MPA would allow disclosure of a particular document depends on the document's or record's content, the circumstances of its creation and maintenance, and the purposes of the disclosure. See id. §§ 159.002-.005. However, even if the MPA does not preclude a particular disclosure, the disclosure may still be subject to privacy provisions under HIPAA, as discussed next.
2. HIPAA Your primary concern is whether access to certain employee health records would be permitted under HIPAA. HIPAA provides civil and criminal penalties for its violation. See 42 U.S.C. § 1320d-5,1320d-6 (2000). Pursuant to HIPAA, the U.S. Department of Health and Human Services ("HHS") has promulgated extensive regulations, known as the Privacy Rule, to establish a national standard to protect certain health information. See HIPAA, Pub.L. No.104-191, § 264(b), (c)(1), 110 Stat. 2033 (directing HHS to promulgate privacy regulations should Congress not enact governing legislation); 45 C.F.R. pts. 160, 164 (2003) (the "Privacy Rule").
The Privacy Rule limits disclosure of health information based on myriad factors such as the content of the record, the purpose of the disclosure, authorization by the individual affected, the nature, role, and structure of the various entities involved, the degree that the entity or entities are HIPAA-compliant, and numerous other factors. See generally HHS, Office for Civil Rights Privacy Brief, Summary of the HIPAA Privacy Rule ("OCR Summary").8 Consequently, an opinion from this office concerning commissioners' access to specific documents cannot take the place of advice from counsel with intimate knowledge of the county's current plan, the county's delegation of responsibilities under the plan, the contents of the documents sought, and the requirements of HIPAA and the Privacy Rule. Moreover, within HHS, the Office for Civil Rights has responsibility for implementing the Privacy Rule and provides resources for addressing HIPAA concerns. See id.9 Nonetheless, we will make some general observations that may or may not be applicable to your present circumstances.
The Privacy Rule applies directly to a "covered entity," which is a health plan, health care clearinghouse, and a health care provider who engages in certain transactions.45 C.F.R. § 160.102-.103 (2003). Health plans subject to the Privacy Rule include some private and government employer-sponsored group health plans. See id. § 160.103. Previously, in a related open records proceeding, you indicated that Ector County's plan is a covered entity under the Privacy Rule.10
In general, the Privacy Rule prohibits covered entities from using or disclosing protected health information except as the rule permits. See id. § 164.502(a). See generally South CarolinaMed. Ass'n v. Thompson, 327 F.3d 346 (4th Cir. 2003), cert.denied, 124 S. Ct. 464 (2003). In general, state law that is "contrary" to the Privacy Rule is preempted. 45 C.F.R. § 160.203 (2003). A state statute is contrary if it would be impossible to comply with both the state statute and with HIPAA, or if state law would be an obstacle to "accomplishing the full purposes and objectives of the Administrative Simplification portions of HIPAA." OCR Summary, supra note 8, at 16; 45 C.F.R. § 160.202 (2003). Moreover, the Privacy Rule does not exempt state statutes that are "more stringent." 45 C.F.R. § 160.202-.203 (2003). Generally, a state statute is more stringent than the Privacy Rule if it "provides greater privacy protection for the individual who is the subject of the individually identifiable health information." Id. § 160.202(6); see generally SouthCarolina Med. Ass'n., 327 F.3d at 354-55.
"Protected health information" under the Privacy Rule includes "individually identifiable health information."45 C.F.R. § 160.103 (2003) (defining "protected health information"). "Individually identifiable health information" is "information that is a subset of health information, including demographic information collected from an individual," and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Id. (emphasis added).
Generally, a covered entity using, disclosing, or requesting protected health information "must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request." Id. § 164.502(b)(1).11 The Privacy Rule permits a covered entity to "use or disclose protected health information for its own treatment, payment, or health care operations." Id. § 164.506(c)(1). "Payment" is defined to include:
(1) The activities undertaken by:
(i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or
(ii) A health care provider or health plan to obtain or provide reimbursement for the provision of health care; and
(2) The activities in paragraph (1) of this definition relate to the individual to whom health care is provided and include, but are not limited to:
(i) Determinations of eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance and excess of loss insurance), and related health care data processing;
(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges;
. . . .
Id. § 164.501. Also, an individual may authorize or agree to certain uses or disclosures of protected health information. Id. § 164.506(b)(1).
An employer that is not a health plan, health care clearinghouse, or a health care provider is not a covered entity under the rule. Accordingly, Ector County, in its capacity as an employer, is not a covered entity. Moreover, "[e]mployment records held by a covered entity in its role as employer" are excluded from the definition of protected health information. Id. § 160.103. However, the Plan Document indicates that Ector County, as plan sponsor, is responsible for administering the plan. See Plan Document, supra note 5, at 40. Depending on its function under the plan, Ector County may very well be considered as a "business associate" under the Privacy Rule. See 45 C.F.R. § 160.103 (2003) (defining "business associate" to include one who performs or assists in activities such as claims processing or administration that involve the use or disclosure of individually identifiable information). In that case, the plan must impose certain written safeguards on the county with respect to its use of protected health information. See id. §§ 164.502(e), .504(e), .532.
Additionally, a group health plan subject to the Privacy Rule must satisfy certain organizational requirements in order to disclose protected health information to a plan sponsor. See id. § 164.504(f); see also id. § 164.502(e)(1)(ii)(B) (providing that business associate disclosure standards do not apply to a group health plan's disclosures to the plan sponsor "to the extent that the requirements of § 164.504(f) apply and are met"). The Privacy Rule requires amendment of the plan documents to establish adequate separation between a group plan and the plan's sponsor.See id. § 164.504(f)(2)(iii). The plan documents must describe the employees or classes of employees who will be given access to protected health information, restrict their use of the information to that necessary for the administration of the group plan, and provide an effective mechanism to deal with noncompliance. See id. § 164.504(f)(2)(iii)(A)-(C). The plan documents must establish the permitted and required uses of information by the plan sponsor, which must be consistent with the Privacy Rule. See id. § 165.504(f)(1)(i). The plan must also contain, among other things, the plan sponsor's agreement (1) not to use or further disclose information other than as permitted by the plan documents or as required by law; (2) not to use or disclose health information for employment-related actions and decisions, or in connection with any other benefit or employee benefit plan of the plan sponsor; (3) to ensure that all agents and "business associates" agree to the same limitations; (4) to report any privacy violation to the group plan; (5) to make available information to provide an accounting of disclosures as required; and (6) if feasible, to return, destroy or limit further uses of the protected health information it has received.Id. § 165.504(f)(1), (2)(ii); see also id. § 164.314(b)(1), (2).See generally 65 Fed. Reg. 82462, 82507-08 (Dec. 28, 2000) (discussing special considerations concerning group health plans and plan sponsors; stating that the Privacy Rule does "not attempt to directly regulate employers or other plan sponsors, but . . . place[s] restrictions on the flow of information from covered entities to non-covered entities").
These are but some of the provisions of the Privacy Rule that may impact the disclosure of protected health information by the plan. The health insurance "signup documents, claims, and premiums payment histories," see Request Letter, supra note 1, at 2, of the former commissioner and his spouse would almost certainly contain individually identifiable health information subject to the Privacy Rule. Whether the Privacy Rule permits disclosure of particular documents cannot be answered definitively without full investigation and resolution of fact questions beyond the scope of the opinion process. See Tex. Att'y Gen. Op. No. GA-0003 (2002) at 1.
VI. Criminal Investigation One aspect of your second question is whether individual commissioners may access and review documents "in spite of an ongoing criminal investigation." See Request Letter, supra note 1, at 2. You confirm that the criminal investigation initiated at the request of the Commissioners Court has terminated, but clarify that for future reference you wish to know whether an ongoing criminal investigation may limit a commissioner's right to access or use otherwise accessible documents that are potentially subject to the investigation.12 We are unaware of any statute or case law that, per se, precludes an individual commissioner from using documents the commissioner is otherwise entitled to use because of an ongoing criminal investigation. The PIA excepts from public disclosure certain matters relating to detection, investigation, or prosecution of crime. See Tex. Gov't Code Ann. § 552.108 (Vernon Supp. 2004); Hobson v. Moore,734 S.W.2d 340, 340-41 (Tex. 1987). See generally Holmes v. Morales,924 S.W.2d 920 (Tex. 1996). However, as discussed previously, a commissioner's right to access county documents rests on a different basis than a member of the public seeking disclosure under the PIA. Of course, a person with knowledge that a criminal investigation is pending may not alter, destroy, or conceal a record or document, or thing "with intent to impair its verity, legibility, or availability as evidence in the investigation." Tex. Pen. Code Ann. § 37.09(a)(1) (Vernon 2003); Pannell v.State, 7 S.W.3d 222, 223 (Tex.App.-Dallas 1999, pet. ref'd). Also, in a given case, a warrant, subpoena, injunction, or other process could issue that restricts use of or denies access to documents or records involved in the investigation. But without reference to specific circumstances, we cannot speculate how an ongoing criminal investigation might impact the commissioners' access to county records.
SUMMARY An individual county commissioner is entitled to access employee insurance records as necessary to effectively perform the commissioner's official duties as a member of the court, subject to privacy constraints imposed by state or federal law. The Medical Practice Act ("MPA") makes confidential patient-physician communications and records, and limits their disclosure and subsequent redisclosure. Under the MPA, any redisclosure of confidential information must be consistent with the authorized purposes for which the information was first obtained. Whether the Privacy Rule under the Federal Health Insurance Portability and Accountability Act of 1996 permits disclosure of medical insurance coverage information regarding a former commissioner and his wife cannot be answered without a full investigation and resolution of fact questions, which is beyond the scope of the opinion process. The exception in the Public Information Act relating to criminal investigations does not preclude county commissioners from accessing county records that they are otherwise entitled review.
Very truly yours,
GREG ABBOTT Attorney General of Texas
BARRY McBEE First Assistant Attorney General
DON R. WILLETT Deputy Attorney General for Legal Counsel
NANCY S. FULLER Chair, Opinion Committee
William A. Hill Assistant Attorney General, Opinion Committee
1 See Letter from Honorable Tracey Bright, Ector County Attorney, to Honorable Greg Abbott, Texas Attorney General (July 7, 2003) (on file with Opinion Committee) [hereinafter Request Letter].
2 See also Letter from Honorable Jerry D. Caddel, Ector County Judge, to Nancy S. Fuller, Chair, Opinion Committee, Office of Attorney General (Aug. 27, 2003) (on file with Opinion Committee) [hereinafter Caddel Letter].
3 See also Meeting Minutes from the Ector County Commissioners Court (June 13, 2003), available at http://www.co.ector.tx.us/annex/c_court/Minutes/02/03/M_ 03-06-13.htm.
4 But see discussion at part V.2., infra, concerning the promulgation of federal privacy standards pursuant to the Health Insurance Portability and Accountability Act of 1996, Pub.L. No.104-191, 110 Stat. 1936.
5 See Plan Document and Summary Plan Description, Ector County, Employee Benefit Plan, Effective October 1, 2000 [hereinafter Plan Document] (on file with Opinion Committee) (submitted by Ector County in response to a related public information request, see Tex. Att'y Gen. OR2003-6136 (informal letter ruling)).
6 Brief from Honorable Tracey Bright, at 1 (attached to Request Letter, supra note 1) [hereinafter Request Brief].
7 Section 159.004 provides:
An exception to the privilege of confidentiality in a situation other than a court or administrative proceeding, allowing disclosure of confidential information by a physician, exists only with respect to the following:
(1) a governmental agency, if the disclosure is required or authorized by law;
(2) medical or law enforcement personnel, if the physician determines that there is a probability of:
(A) imminent physical injury to the patient, the physician, or another person; or
(B) immediate mental or emotional injury to the patient;
(3) qualified personnel for research or for a management audit, financial audit, or program evaluation, but the personnel may not directly or indirectly identify a patient in any report of the research, audit, or evaluation or otherwise disclose identity in any manner;(4) those parts of the medical records reflecting specific services provided if necessary in the collection of fees for medical services provided by a physician, professional association, or other entity qualified to provide or arrange for medical services;
(5) a person who has consent, as provided by Section 159.005;
(6) a person, corporation, or governmental agency involved in the payment or collection of fees for medical services provided by a physician;(7) another physician or other personnel acting under the direction of the physician who participate in the diagnosis, evaluation, or treatment of the patient;
(8) an official legislative inquiry regarding state hospitals or state schools, if:
(A) information or a record that identifies a patient or client is not released for any purpose unless proper consent to the release is given by the patient; and
(B) only records created by the state hospital or school or its employees are included; or
(9) health care personnel of a penal or other custodial institution in which the patient is detained if the disclosure is for the sole purpose of providing health care to the patient.
Tex. Occ. Code Ann. § 159.004 (Vernon 2004).
8 Available at http://www.hhs.gov/ocr/privacysummary.rtf (last revised May 2003).
9 See also http://www.hhs.gov/ocr/hipaa.
10 See Tex. Att'y Gen. OR2003-6136, at 1.
11 The minimum-necessary standard does not apply to certain disclosures, uses, or requests such as disclosures or requests by a health care provider for treatment, certain uses or disclosures to the individual, uses or disclosures under a proper authorization, and certain other uses or disclosures. See45 C.F.R. § 164.502(b)(2)(i)-(vi) (2003).
12 Telephone conservation with Honorable Tracey Bright, Ector County Attorney (Nov. 13, 2003).