  -* OFFICE OF THE ATTORNEY GEKERAL . STATE OF TEXAS

    JOHN      CORNYN




                                                September 20,200l




The Honorable Jose R. Rodriguez                             Opinion No. JC-0411
County Attorney, El Paso County
County Courthouse                                           Re: Whether the Board of Trustees of the Risk
500 East San Antonio, Room 203                              Pool for the El Paso County Health Benefits
El Paso, Texas 79901                                        Program may meet in executive session to
                                                            consider a complaint against the third party
                                                            administrator for the program (RQ-0369-JC)



Dear Mr. Rodriguez:

         You ask whether the Board of Trustees of the Risk Pool for the El Paso County Health
Benefits Program (the “Board”) may consider a complaint against the third party administrator of
the Benefits Program in an executive session. The Texas Open Meetings Act does not permit the
Board to consider a complaint about its third party administrator in an executive session. You also
ask whether the Federal Standards for Privacy of Individually Identifiable Health Information
promulgated under the Health Insurance Portability and Accountability Act of 1996 (the “HIPAA”)
authorizes the Board to hear a complaint against its third party administrator in closed session. See
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-l 91, 110 Stat. 2024
(codified as amended in scattered sections of 42 U.S.C.). These regulations are not applicable until
April 14,2003, and the United States Department of Health and Human Services provides assistance
to covered entities to help them comply with the regulations.      We advise the Board to direct its
question to that federal agency.

       The Commissioners   Court of El Paso County has acted under chapter 172 of the Local
Government Code to provide health and accident coverage for county officers, employees, retirees,
and their dependents.   See TEX. Lot. GOV’T CODE ANN. 8 172.004 (Vernon 1999).’ The


         ‘Chapter 172 of the Local Government Code was amended during the last legislative session by House Bill
1254 to authorize coverage of an “affiliated service contractor,” defined as a non-profit organization “that provides
governmental or quasi-governmental   services on behalf of a political subdivision and derives more than 50 percent of
                                                                                                         (continued.. .)
The Honorable Jose R. Rodriguez           - Page 2      (JC-04   11)




contributions paid by county officials, employees, and retirees are deposited into a risk pool
administered by a board of trustees appointed by the commissioners court. See id. @ 172.004-.009
(Vernon 1999 & Supp. 2001). The Board is a governmental body within the meaning of the Open
Meetings Act, which defines “governmental body” to include:

                  a deliberative body that has rulemaking or quasi-judicial power and
                  that is classified as a department, agency, or political subdivision of
                  a county or municipality.

TEX. GOV’T CODE ANN. 0 551.001(3)(D)       (V emon Supp. 2001). The Board exercises governmental
authority as an agent of the county. See TEX.LOC. GOV’T CODE ANN. $8 172.006(a) (Vernon Supp.
2001) (board of trustees supervises operation of risk pool); .009(a) (Vernon 1999) (trustees of risk
pool shall invest pool’s money); .Ol 1 (trustees shall declare pool insolvent if they determine that it
is unable to pay valid claims within specified time period). Accordingly, the Board must comply
with the Open Meetings Act.

         You inform us that the Board has contracted with a third party administrator to administer
the Risk Pool. See id. 8 172.006 (Vernon Supp. 2001) (board may contract with third party
administrator). You state that at times a person covered by the County Health Benefits Program will
complain to the Board about some action by the third party administrator, such as denial of a claim?
In reviewing the administrator’s handling of such claims, the Board may consider information
presented orally by the complainant, including details of medical history, diagnosis, and treatment,
as well as medical records and other documentation provided by the complainant. You ask whether
the Board may meet in an executive session under section 551.074 of the Government Code to
review the third party administrator’s actions in these cases.

        Pursuant to section 55 1.074 of the Government            Code, a governmental      body is not required
to conduct an open meeting:

                          (1) to deliberate the appointment, employment, evaluation,
                  reassignment, duties, discipline, or dismissal of a public officer or
                  employee; or




           ‘(...continued)
its gross revenues from grants or funding from the political subdivision.” See Act of May 17,2001,     77th Leg., R.S.,
ch. 491, 2001 Tex. Sess. Law Serv. WL TX LEGIS 491 (2001) (effective Sept. 1,200l).

         2Letter from Honorable   Jose R. Rodriguez, El Paso County Attorney,    to Honorable   John   Cornyn,   Texas
Attorney General (Mar. 21,200l)    (on file with Opinion Committee).
The Honorable     Jose R. Rodriguez    - Page 3      (JC-04   11)




                        (2) to hear a complaint         or charge   against   an officer   or
                 employee.

TEX. GOV’T CODE ANN. $ 55 1.074(a) (Vernon 1994). This provision            does not apply if the officer
or employee    who is the subject of the deliberation    or hearing requests a public hearing. See id. 8
55 1.074(b).

         Section 55 1.074 authorizes a governmental body to meet in executive session to deliberate
about a public officer or employee, but it does not authorize closed deliberations about other agents
of a governmental body, such as an independent contractor. See Bd. ufTrs. v. Cox Enters., Inc., 679
S.W.2d 86, 90-91 (Tex. App.-Texarkana        1984), rev’d in part on other grounds, 706 S.W.2d 956
(Tex. 1986); Tex. Att’y Gen. Op. No. MW-129 (1980) at 2. See also Tex. Att’y Gen. Op. No. DM-
149 (1992) (members of advisory committees appointed by Texas Commission on Fire Protection
are neither officers nor employees, and commission may not meet in executive session to discuss
qualifications of persons under consideration for appointment).      The third party administrator is
neither an officer nor an employee of the Risk Pool.

         A third party administrator is “a person who collects premiums or contributions from or who
 adjusts or settles claims in connection with life, health, and accident benefits . . . for residents of this
 state.” TEX. INS. CODE ANN. art. 21.07-6, 8 l(1) (Vernon Supp. 2001); 28 TEX. ADMIN. CODE 8
 7.1601 (2001) (p rovisions regulating third party administrators).       A county risk pool “may be
administered by a staff employed by the pool, an entity created by the political subdivision . . . or
a third party administrator.” TEX. Lot. GOV’T CODEANN. 5 172.006(b) (Vernon Supp. 2001). The
statute distinguishes between a third party administrator and staff employed to administer the pool,
thus recognizing that a third party administrator is not an employee. A board of trustees and other
governmental bodies contract for the services of a third party administrator. See id. 8 172.006(c);
see also Tex. Att’y Gen. Op. Nos. DM-418 (1996) at 9-l 3, JM-1038 (1989) (considering whether
contract for services of third party administrator is exempt from competitive bidding law as contract
for professional services). An employee, in contrast, would be employed by a board of trustees to
work for salary or wages. See V OXFORDENGLISHDICTIONARY191 (2d ed. 1989); BLACK’S LAW
DICTIONARY543 (7th ed. 1999). The Board does not have an employer-employee                relationship with
the third party administrator.

         Nor is the third party administrator an officer of the Risk Pool. A public officer generally
has a fixed term and may be removed only in accordance with law. Aldine Indep. Sch. Dist. v.
Standley, 280 S.W.2d 578, 581 (Tex. 1955). Moreover, a public officer is an individual in whom
a sovereign function of the government is conferred to be exercised for the benefit of the public,
largely independent of the control of others. Id. at 583. A third party administrator is subject to
contractual and regulatory controls and does not exercise any sovereign function of the government
largely independent of the control of others. The Board may not deliberate in executive session
The Honorable   Jose R. Rodriguez    - Page 4    (JC-04 11)




under section 55 1.074 of the Government      Code about complaints     made against the third party
administrator.

        You also ask whether the Federal Standards for Privacy of Individually Identifiable Health
Information, 45 C.F.R. parts 160 and 164, permit closed-meeting deliberations about complaints
concerning administration of a county health benefits program when individually identifiable health
information is involved, and whether these regulations prohibit open-meeting deliberation about such
complaints. See 45 C.F.R. pt. 160 (2000); 65 Fed. Reg. 82462,82802-829 (Dec. 28,200O); 66 Fed.
Reg. 12434 (Feb. 26,200l) (to be codified at 45 C.F.R. pt. 164).

         As part of the HIPAA, Congress directed the Secretary of Health and Human Services to
promulgate regulations setting privacy standards for medical records.         See Health Insurance
Portability and Accountability Act of 1996, Pub. L. No. 104-l 91, 0 264, 110 Stat. 2024 (codified
at 42 U.S.C. 8 1320d-2 (Supp. IV 1998) (historical & statutory note). Pursuant to this directive, the
Secretary has issued Standards for Privacy of Individually Identifiable Health Information, codified
at 45 C.F.R. parts 160 and 164. The standards were effective April 14,2001, but they will not apply
until April 14,2003, or April 14,2004, in the case of small health plans. See 65 Fed. Reg. 82462,
82829 (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l) (to be codified at 45 C.F.R. 8 164.534).
With certain exceptions, the privacy regulations preempt contrary state law. See 42 U.S.C. 9 1320d-
7 (Supp. IV 1998); 65 Fed. Reg. 82462,828OO (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l)
(to be codified at 45 C.F.R. $0 160.201-.205).

         Your question requires us to determine whether the El Paso County Health Benefits Program
is a “covered entity” subject to the standards set out in 45 C.F.R. parts 160 and 164. See 45 C.F.R.
§§ 160.102(a), ,103 (2000) (defining “covered entity”). A covered entity may not use or disclose
protected health information, except as permitted or required by 45 C.F.R. part 160, subpart C, or
part 164. See 65 Fed. Reg. 82462,82805 (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l) (to
be codified at 45 C.F.R. 0 164.502(a)). We would thus have to consider whether the Board would
disclose protected health information in violation of the regulations if it were to deliberate in open
session about medical information and medical records provided at the meeting by a beneficiary of
the program. The privacy regulations do not expressly state whether or not deliberations about
medical information at public meetings would be an unauthorized disclosure of protected health
information. See 65 Fed. Reg. 82462,82803 (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l)
(to be codified at 45 C.F.R. @ 164.501) (disclosure defined to include divulging in any manner of
information outside the entity holding the information).

        Your request raises questions of first impression about the federal regulations. Moreover,
the United States Department of Health and Human Services, the federal agency in charge of
enforcing the regulations, has not yet issued any guidelines or other interpretations of them. See 65
Fed. Reg. 82462,82801-802      (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l) (to be codified
at 45 C.F.R. 89 160.300-.3 12). The regulations are complex, and determining how they affect the
The Honorable          Jose R. Rodriguez     - Page 5      (JC-04   11)




El Paso County Health Benefits Program would require more information about the operation of that
program than is provided by your request letter and chapter 172 of the Local Government Code. We
cannot investigate and resolve fact questions in an attorney general opinion. See, e.g., Tex. Att’y
Gen. Op. Nos. JC-0328 (2000) at 6, JC-0152 (1999) at 12, JC-0020 (1999) at 2, DM-98 (1992) at
3,H-56 (1973) at 3, M-187 (1968) at 3,0-2911 (1940) at 2. TheDepartment           ofHealthandHuman
Services provides assistance to help covered entities comply with the regulations. See 65 Fed. Reg.
82462,828Ol (Dec. 28,200O); 66 Fed. Reg. 12434 (Feb. 26,200l) (to be codified at 45 C.F.R. 8
 160.304); see also Department of Health and Human Services, Office for Civil Rights, intemet site
on HIPAA privacy standards, available at http:l/www.hhs.gov/ocr/hipaaf.3           The El Paso County
Health Benefits Program has at least until April 14, 2003, to decide how the privacy regulations
apply to it, or if it is deemed a small health plan, until April 14,2004. Thus, the Board may request
information on how the federal regulations apply to the Risk Pool from the federal agency in charge
of enforcing them. Under these circumstances, we advise its representatives to seek information and
assistance on its questions from the United States Department of Health and Human Services.

         We note that recently enacted state legislation, Senate Bill 11 of the Seventy-seventh
Legislature, requires a “covered entity” to comply with certain privacy standards adopted under the
Health Insurance Portability and Accountability Act of 1996, including those relating to “uses and
disclosures of protected health information.” Act of May 27,2001,77th       Leg., R.S., ch. 15 11, 5 1,
sec. 181.101(3), 2001 Tex. Sess. Law Serv. WL TX LEGIS 15 11 (2001) (to be codified at TEX.
HEALTH& SAFETY CODE ANN. ch. 18 1). A covered entity includes, among other entities, any person
who “on a cooperative, nonprofit, or pro bono basis, engages . . . in the practice of assembling,
collecting, analyzing, using, evaluating, storing, or transmitting protected health information.” Id.
at 8 1, sec. 181.001(b)(l)(A).     A “covered entity” may include a governmental unit. See id.
However, there is an exemption for an employee benefit plan or a covered entity or other person
acting in connection with an employee benefit plan. See id. at 8 1, sec. 181.055. A covered entity
is required to comply with the requirements of chapter 18 1 of the Health and Safety Code, as added
by Senate Bill 11, “not later than September 1,2003.” Id. at 8 5(b). Thus, assuming the Risk Pool
is a covered entity within Senate Bill 11, it should know what the federal privacy standards require
of it by the time it becomes subject to the provisions of chapter 18 1.




              3The Texas Health and Human Services Commission also provides information about the Health Insurance
Portability     and Accountability Act. See http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html (information about
HIPAA).
The Honorable Jose R. Rodriguez     - Page 6       (JC-04   11)




                                       SUMMARY

                        The Board of Trustees of the Risk Pool for the El Paso
               County Health Benefits Program may not deliberate about complaints
               against its third party administrator in an executive session under the
               personnel exception to the Texas Open Meetings Act. The third party
               administrator is not an officer or employee within that exception.

                        The Standards for Privacy of Individually Identifiable Health
               Information promulgated under the Health Insurance Portability and
               Accountability Act of 1996 (the “HIPAA”), Pub. L. No. 104-l 91,
               preempt contrary state law. The Board of Trustees of the El Paso
               County Health Benefits Program should seek advice from the United
               States Department     of Health and Human Services about the
               application of these standards to the El Paso County Health Benefits
               Program and to public meetings in which the Board of Trustees
               deliberates about complaints against its third party administrator
               involving individually identifiable health information.

                                               Y     rsv      trul )



                                            4JY!f-
                                               JOHN     CORNYN
                                               Attorney General of Texas



HOWARD G. BALDWIN, JR.
First Assistant Attorney General

NANCY FULLER
Deputy Attorney General - General Counsel

SUSAN D. GUSKY
Chair, Opinion Committee

Susan’. Garrison
Assistant Attorney General, Opinion Committee
