    OFFICE OF THE ATTORNEY GENERAL . STATE OF TEXAS

    JOHN      CORNYN




                                                     May 24,2002



Mr. Jim Loyd                                                  Opinion No. JC-0508
Executive Director
Texas Health Care Information Council                         Re: Whether a hospital is authorized to report
206 East Ninth Street, Suite 19.140                           information required by chapter 108, Health and
Austin, Texas 78701                                           Safety Code, without obtaining the written
                                                              consent of the affected patient (RQ-048 1-JC)


Dear Mr. Loyd:

          On behalf of the Texas Health Care Information Council (the “THCIC” or “council”) you
ask whether chapter 18 1 of the Health and Safety Code, enacted by Senate Bill 11 of the Seventy-
seventh Legislature, requires hospitals to obtain written authorizations from patients prior to sending
statutorily-required confidential identifying information to THCIC. See Act of May 27,2001,77th
Leg., R.S., ch. 15 11, 5 1,200l Tex. Gen. Laws 5080, 5386. We conclude that chapter 181 of the
Health and Safety Code does not require hospitals to obtain written authorizations from patients prior
to sending confidential identifying information to the council.

         The Texas Health Care Information Council is charged with developing a statewide health
care data collection system “to collect health care charges, utilization data, provider quality data, and
outcome data” and disseminating it for the benefit of employers, other health-care consumers, and
health-care providers. See TEX. HEALTH & SAFETYCODEANN. 4 108.006(a)(l), (3), (6) (Vernon
2001). See also Tex. Att’y Gen. Op. No. JC-0469 (2002) at 2-4 (describing council’s work). It is
to report to the Governor, the legislature, and the public. See TEX.HEALTH& SAFETYCODEANN. 8
108.001 (Vernon 2001); see also id. 8 108.013(a) (Vernon Supp. 2002) (datareceived by the council
to be used for the benefit of the public). Hospitals, chemical dependency treatment facilities,
birthing centers, and certain other health-care facilities, see id. 8 108.002 (lo), (15) (Vernon Supp.
2002), must submit to the council the patient data required by chapter 108 of the Health and Safety
Code. See id. 8 108.009(a) (Vernon 2001).’ But see id. 5 108.009(c)-(d) (excepting rural providers,
certain hospitals, and individual physicians).




           ‘The council also must collect data reflecting provider quality from hospitals, other health-care facilities, and
physicians. See TEX. HEALTH& SAFETY CODE ANN. 0 108.010(a) (Vernon 2001); see also id. $ 108.002(10), (15), (16)
(Vernon Supp. 2002) (defining “health care facility,” “provider,” and “provider quality”). See also id. 0 108.0065
(Vernon 2001) (data collection with respect to Medicaid managed care organizations).
Mr. Jim Loyd - Page 2                        (JC-0508)




        Covered hospitals must submit to the council the discharge data described by section
1301.19(e) of title 25, Texas Administrative Code. See also 25 TEX. ADMIN. CODE 8 1301.12(a)
(2002) (hospitals shall submit discharge files on inpatients). This includes the individual patient’s
name, birth date, address, sex, race, ethnicity, social security number, information about admission,
diagnosis, surgical procedures, charges, source of payment, certain accounting information, name
and number of the attending physician and the operating or other physician, and the name and
address of the facility. See id. 8 1301.19(e).

          The council makes certain classes of data available to the public, subject to strict
confidentiality provisions. See TEX. HEALTH& SAFETYCODEANN. 8 8 108.01 O(c), (h), (i) (Vernon
2001) (collection and dissemination of provider quality data); ,011 (dissemination,        subject to
restrictions, of public use data). See also Tex. Att’y Gen. Op. No. JC-0469 (2002) (explaining
dissemination of data). Unless specifically authorized by chapter 108, the council may not release
any data “that could reasonably be expected to reveal the identity of a patient” or “of a physician.”
TEX. HEALTH& SAFETYCODE ANN. 9 108.013(c) (Vernon Supp. 2002). See also id. 5 108.013(d)
(confidentiality provisions and criminal penalties from certain other statutes applicable to data
collected and used by the Department of Health and the council under chapter 108, Health and Safety
Code); (e) (data on patients and compilations of that data that identify patients are not subject to
discovery or subpoena, nor are they admissible in civil, administrative, or criminal proceeding); (f)
(data on physicians and compilations of that data that identify physicians are not discoverable or
admissible); (i) (council and department may not provide information made confidential by Health
and Safety Code section 108.013 to any other agency of this state). Health and Safety Code section
108.014 establishes a civil penalty for “[a] person who knowingly or negligently releases data in
violation of this chapter,” while section 108.0141 establishes a criminal penalty for a person who
knowingly accesses data in violation of this chapter, or a person “who with criminal negligence
releases data in violation of this chapter.” Id. 85 108.014, .0141 (Vernon 2001). Thus, information
identifying patients that hospitals submit to the council is subject to comprehensive confidentiality
provisions under Health and Safety Code chapter 108.

         You inquire only about chapter 18 1 of the Health and Safety Code, and your question is
answered by the provisions of this statute. However, because chapter 181 refers to the federal
privacy standards adopted under the Federal Health Insurance Portability and Accountability Act of
 1996 (,‘HIPAA”), see TEX. HEALTH& SAFETYCODEANN. $0 181.001, .lOl (Vernon Supp. 2002),
we will briefly describe the federal law. See Health Insurance Portability and Accountability Act
of 1996, Pub. L. No. 104-191, 110 Stat. 2024 (codified as amended in scattered sections of 42
U.S.C.). See also Tex. Att’y Gen. Op. No. JC-0411 (2001) at 1,4-5 (discussing privacy standards
under HIPAA). In the HIPAA, Congress directed the Secretary of Health and Human Services to
promulgate regulations setting privacy standards for medical records, and these have been issued as
the Federal Standards for Privacy of Individually Identifiable Health Information.        See Health
Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-l 91, 8 264, 110 Stat. 2024
(codified at 42 U.S.C. 8 1320d-2 (Supp. IV 1998) (historical & statutory note)); Standards for
Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462,82829 (Dec. 28,200O)
(to be codified at 45 C.F.R. pts. 160,164). With certain exceptions, they preempt contrary state law.
Mr. Jim Loyd - Page 3                                 (JC-0508)




See 42 U.S.C. 0 1320d-7 (Supp. IV 1998). The rules became effective April 14,2001, but they will
not apply until April 14,2003, or April 14,2004, in the case of small health plans. See 65 Fed. Reg.
82462,82829; 66 Fed. Reg. 12434 (Feb. 26,200l) (to be codified at 45 C.F.R. 8 164.534). They
require an individual’s written authorization for disclosure of certain health information. See 65 Fed.
Reg. 82462,828ll     (Dec. 28,200O) (to be codified as 45 C.F.R. 5 164.508); see also Tex. Att’y Gen.
Op. No. JC-0411 (2001) at 4. The Secretary of Health and Human Services has proposed
modifications to the rules, but the answer to your question regarding Health and Safety Code chapter
181 is not affected by these. See 67 Fed. Reg. 14776 (2002) (proposed modification in rule entitled
“Standards for Privacy of Individually Identifiable Health Information”).*

         A “covered entity” within Health and Safety Code chapter 18 1 must comply with the privacy
standards adopted under HIPAA, including the standards relating to “uses and disclosures of
protected health information” and the applicable consent requirements. See TEX. HEALTH & SAFETY
CODE ANN. 5 181.101(3) (V emon Supp. 2002). Section 181.001(b)(l) of the Health and Safety
Code defines “covered entity” to mean any person who:

                           (A) for commercial, financial, or professional gain, monetary fees, or
                  dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or
                  in part, and with real or constructive knowledge, in the practice of
                  assembling, collecting, analyzing, using, evaluating, storing, or transmitting
                  protected health information. The term includes a business associate, health
                  care payer, governmental unit, information or computer management entity,
                  school, health researcher, health care facility, clinic, health care provider, or
                  person who maintains an Internet site;

                            (B) comes into possession of protected health information;

                          (C) obtains or stores protected health information              under this
                  chapter; or

                           (D) is an employee, agent, or contractor of a person described
                  by Paragraph     (A), (W, or (C) insofar as the employee, agent, or
                  contractor creates, receives, obtains, maintains, uses, or transmits
                  protected health information.

Id. $j 181.001(b)(l).




           *The Department of Health and Human Services provides assistance to help covered entities comply with the
regulations.   See 65 Fed. Reg. 82462, 82801 (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l)         (to be codified at
45 C.F.R. 5 160.304); see also Department of Health and Human Services, Office for Civil Rights, Internet site on
HIPAA privacy standards, available at <http://www.hhs.novlocrlhipa~>       (accessed Apr. 16,2002). The Texas Health
and Human Services Commission also provides information about HIPAA through the National Data Interchange
Standards Task Force. See <http://www.hhsc.state.tx.us/NDISTaskForce.htlm>          (accessed Apr. 16,2002).
Mr. Jim Loyd    - Page 4                       (JC-0508)




         A hospital is a covered entity within this definition. It is a person that, on a commercial or
nonprofit basis, engages, “with real or constructive knowledge, in the practice of assembling,
collecting, analyzing, using, evaluating, storing, or transmitting protected health information.” Id.;
see also id. 8 108.002( 12) (defining “hospital” to include a public, for-profit, or nonprofit institution
licensed or owned by the state). Hospitals collect “protected health information,” which chapter 18 1
defines to mean “individually identifiable health information” relating to the physical or mental
health or condition of an individual, to the provision of health care to an individual, or to the
payment for the provision of health care to an individual, and that identifies the individual. Id.
9 181.001(b)(5). S ee also 25 TEX. ADMIN. CODE 0 1301.19(e) (2002).

        Even though a hospital is a covered entity within Health and Safety Code chapter 18 1, it need
not obtain written authorizations from patients prior to sending confidential identifying information
to THCIC as required by the HIPAA privacy regulations. It is exempted from securing written
authorizations by section 18 1.103 of the Health and Safety Code, which provides as follows:

                        A covered entity may use or disclose protected health
                information    without the express written authorization      of the
                individual for public health activities or to comply with the
                requirements of any federal or state health benefit program or any
                federal or state law. A covered entity may disclose protected health
                information:

                              (1) to a public health authority that is authorized by law
                to collect or receive such information for the purpose of preventing
                or controlling disease, injury, or disability, including the reporting of
                disease, injury, vital events such as birth or death, and the conduct of
                public health surveillance, public health investigations, and public
                interventions;

                            (2) to a public health authority or other appropriate
                government authority authorized by law to receive reports of child or
                adult abuse, neglect, or exploitation; and

                             (3) to any state agency in conjunction    with a federal or
                state health benefit program.

TEX.HEALTH& SAFETYCODEAN-N.5 18 1.103 (Vernon Supp. 2002). There are two branches to this
exception. The first one permits a covered entity to “use or disclose protected health information
without the express written authorization of the individual” for public health activities, to comply
with the requirements of a federal or state health benefit program, or to comply with federal or state
law. Because a hospital is required by state law, specifically chapter 108 of the Health and Safety
Code, to disclose protected health information to THCIC, it may do so pursuant to this branch of
section 18 1.103 without the individual’s express written authorization.
Mr. Jim Loyd - Page 5                         (JC-0508)




         The second branch of section 18 1.103 permits a covered entity to “disclose protected health
information” (1) to a public health authority that is authorized by law to collect or receive such
information for various public health purposes; (2) to a public health authority or other government
authority authorized by law to receive reports of child or adult abuse, neglect, or exploitation; and
(3) to any state agency in conjunction with a federal or state health benefit program. This branch
covers specific instances where the legislature made it very clear that covered entities could disclose
certain protected health information to health authorities or governmental entities. See generaZZy
HOUSERESEARCH       ORGANIZATION,  BILL ANALYSIS,Tex. Comm. Sub. S.B. 11,77th Leg., R.S. (2001)
at 3-4; SENATEBUSINESS& COMMERCE        COMM.,BILLANALYSIS,Tex. S.B. 11,77th Leg., R.S. (2001)
(summaries of section 18 1.103 reflect the two branches of this provision). A hospital’s disclosure
of protected health information to THCIC is excepted by the first branch of section 108.103 and does
not need to fall within the second branch of this provision as well. We conclude that a hospital may
submit to the THCIC the data required by chapter 108 of the Health and Safety Code without
obtaining the written consent of the affected patients.
Mr. Jim Loyd - Page 6                        (JC-0508)




                                        SUMMARY

                        Chapter 181 of the Health and Safety Code does not require
               hospitals to obtain written authorizations from patients prior to
               sending confidential identifying information to the Texas Health Care
               Information Council pursuant to chapter 108 of the Health and Safety
               Code. Section 18 1.103 of the Health and Safety Code expressly
               provides that a covered entity may use or disclose protected health
               information     without the express written authorization        of the
               individual to comply with the requirements of any state law. Because
               hospitals are required by chapter 108 of the Health and Safety Code
               to disclose protected health information to the council, they are within
               this exemption.       Information regarding patient identity that is
               submitted by hospitals to the council is protected by strict
               confidentiality provisions included in Health and Safety Code chapter
               108.




                                               Attorney General of Texas



HOWARD G. BALDWIN, JR.
First Assistant Attorney General

NANCY FULLER
Deputy Attorney General - General Counsel

SUSAN DENMON GUSKY
Chair, Opinion Committee

Susan L. Garrison
Assistant Attorney General, Opinion Committee
