Texas Appeals Court: Public Records Law Trumps HIPAA
 
August 8, 2006
 

A Texas appellate court is the latest authority to hold that a state’s public records act does not take a back seat to a federal statute that requires entities such as health care providers and insurance companies to keep health records private.

The Texas Court of Appeals in Austin held that the Texas Department of Mental Health and Mental Retardation must provide specific statistical information related to allegations of abuse in state facilities. The court held that a reporter from KDFW TV was entitled to the information under the Texas Public Information Act (Texas PIA) and that the federal Health Insurance Portability and Accountability Act (HIPAA) did not relieve the state of its obligations under the Texas law.

According to the Texas PIA, “each person is entitled, unless otherwise expressly provided by law, at all times to complete information about the affairs of government.” The broad Texas PIA provides that information “considered to be confidential by law, either constitutional, statutory, or by judicial decision” is excepted from disclosure requirements. The Texas PIA also provides that disclosure may be made unless it is “expressly prohibited by law or the information is confidential under law.”

Under HIPAA, it is a federal offense for an entity covered by the law to disclose “individually identifiable health information.” The regulations promulgated under HIPAA include the Privacy Rule, which provides that a “covered entity” may not disclose “protected health information” except as specifically permitted by the Rule. “Protected health information” is “individually identifiable health information … that is (i) transmitted by electronic media; (ii) maintained in electronic media; or (iii) transmitted or maintained in any other form or media.” There are exceptions to the Rule, including that covered entities may “disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.”

The request in Abbott v. Texas Department of Mental Health and Mental Retardation sought statistics regarding alleged incidents of sexual assault and patient-client abuse at state facilities, the names of the facilities and the dispositions of any investigations. In response to the request, the state released a statistical report addressing all abuse investigations and subsequent investigations, but it did not release information regarding specific facilities. In response to a request for his opinion, the Texas Attorney General issued a letter ruling stating that the information requested had to be released under the Texas PIA. The department successfully challenged the letter in District Court, which held the information was confidential and not subject to disclosure. The Attorney General appealed that decision.

The court of appeals in its June 16, 2006, decision noted that the information requested – statistical information regarding allegations of abuse and subsequent investigations – did not seem to be “protected health information” under HIPAA, but for purposes of the appeal the court assumed that it was. Nonetheless, the court held that the Texas PIA is a statute requiring the release of protected health information that qualifies as an exception to the federal Privacy Rule and, therefore, the disclosure would not violate HIPAA. The court also held that the information did not fall under the “confidential” exception to disclosure in the Texas PIA. The appeals court held the department must produce the specific statistical information requested.

The decision was consistent with an open records decision that the Attorney General of Texas issued in 2004, finding that a state entity has to evaluate its options under the Texas PIA when presented with a written request for health information otherwise protected under HIPAA. Tex. Att’y Gen. ORD 681 (2004). That same open records decision also found that a police department is not even covered under the federal law. The Kentucky Attorney General also has found that, a police department was not a covered entity under HIPAA and, under Kentucky’s Open Records Act, was required to produce certain accident and incident reports without redacting identities. Ky. Att’y Gen. Open Records Decision 04-ORD-143 (2004).

In the wake of Congress’ passage of HIPAA in 1996, some journalists have found it harder to obtain basic information about public health and safety issues. The Texas decision should make it more difficult for the government to withhold this information.

For more information, e-mail Charles Tobin at charles.tobin@hklaw.com or call toll free, 1-888-688-8500.