Office of the Attorney General — State of Texas John Cornyn Mr. Jim Loyd Executive Director Texas Health Care Information Council 206 East Ninth Street, Suite 19.140 Austin, Texas 78701

Re: Whether a hospital is authorized to report information required by chapter 108, Health and Safety Code, without obtaining the written consent of the affected patient (RQ-0481-JC)

Dear Mr. Loyd:

On behalf of the Texas Health Care Information Council (the "THCIC" or "council") you ask whether chapter 181 of the Health and Safety Code, enacted by Senate Bill 11 of the Seventy-seventh Legislature, requires hospitals to obtain written authorizations from patients prior to sending statutorily-required confidential identifying information to THCIC. See Act of May 27, 2001, 77th Leg., R.S., ch. 1511, § 1, 2001 Tex. Gen. Laws 5080, 5386. We conclude that chapter 181 of the Health and Safety Code does not require hospitals to obtain written authorizations from patients prior to sending confidential identifying information to the council.

The Texas Health Care Information Council is charged with developing a statewide health care data collection system "to collect health care charges, utilization data, provider quality data, and outcome data" and disseminating it for the benefit of employers, other health-care consumers, and health-care providers. See Tex. Health Safety Code Ann. § 108.006(a)(1), (3), (6) (Vernon 2001). See also Tex. Att'y Gen. Op. No. JC-0469 (2002) at 2-4 (describing council's work). It is to report to the Governor, the legislature, and the public. See Tex. Health Safety Code Ann. § 108.001 (Vernon 2001); see also id. § 108.013(a) (Vernon Supp. 2002) (data received by the council to be used for the benefit of the public). Hospitals, chemical dependency treatment facilities, birthing centers, and certain other health-care facilities,see id. § 108.002(10), (15) (Vernon Supp. 2002), must submit to the council the patient data required by chapter 108 of the Health and Safety Code. See id. § 108.009(a) (Vernon 2001).¹ But see id. § 108.009(c)-(d) (excepting rural providers, certain hospitals, and individual physicians).

Covered hospitals must submit to the council the discharge data described by section 1301.19(e) of title 25, Texas Administrative Code. See also 25 Tex. Admin. Code § 1301.12(a) (2002) (hospitals shall submit discharge files on inpatients). This includes the individual patient's name, birth date, address, sex, race, ethnicity, social security number, information about admission, diagnosis, surgical procedures, charges, source of payment, certain accounting information, name and number of the attending physician and the operating or other physician, and the name and address of the facility. See id. § 1301.19(e).

The council makes certain classes of data available to the public, subject to strict confidentiality provisions. See Tex. Health Safety Code Ann. §§ 108.010(c), (h), (i) (Vernon 2001) (collection and dissemination of provider quality data); .011 (dissemination, subject to restrictions, of public use data). See also Tex. Att'y Gen. Op. No.JC-0469 (2002) (explaining dissemination of data). Unless specifically authorized by chapter 108, the council may not release any data "that could reasonably be expected to reveal the identity of a patient" or "of a physician." Tex. Health Safety Code Ann. § 108.013(c) (Vernon Supp. 2002). See also id. § 108.013(d) (confidentiality provisions and criminal penalties from certain other statutes applicable to data collected and used by the Department of Health and the council under chapter 108, Health and Safety Code); (e) (data on patients and compilations of that data that identify patients are not subject to discovery or subpoena, nor are they admissible in civil, administrative, or criminal proceeding); (f) (data on physicians and compilations of that data that identify physicians are not discoverable or admissible); (i) (council and department may not provide information made confidential by Health and Safety Code section 108.013 to any other agency of this state). Health and Safety Code section 108.014 establishes a civil penalty for "[a] person who knowingly or negligently releases data in violation of this chapter," while section 108.0141 establishes a criminal penalty for a person who knowingly accesses data in violation of this chapter, or a person "who with criminal negligence releases data in violation of this chapter." Id. §§ 108.014, .0141 (Vernon 2001). Thus, information identifying patients that hospitals submit to the council is subject to comprehensive confidentiality provisions under Health and Safety Code chapter 108.

You inquire only about chapter 181 of the Health and Safety Code, and your question is answered by the provisions of this statute. However, because chapter 181 refers to the federal privacy standards adopted under the Federal Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), see Tex. Health Safety Code Ann. §§ 181.001, .101 (Vernon Supp. 2002), we will briefly describe the federal law. See Health Insurance Portability and Accountability Act of 1996, Pub.L. No.104-191, 110 Stat. 2024 (codified as amended in scattered sections of 42 U.S.C.). See also Tex. Att'y Gen. Op. No. JC-0411 (2001) at 1, 4-5 (discussing privacy standards under HIPAA). In the HIPAA, Congress directed the Secretary of Health and Human Services to promulgate regulations setting privacy standards for medical records, and these have been issued as the Federal Standards for Privacy of Individually Identifiable Health Information. See Health Insurance Portability and Accountability Act of 1996, Pub.L. No. 104-191, § 264, 110 Stat. 2024 (codified at 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical statutory note)); Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82829 (Dec. 28, 2000) (to be codified at 45 C.F.R. pts. 160, 164). With certain exceptions, they preempt contrary state law. See 42 U.S.C. § 1320d-7 (Supp. IV 1998). The rules became effective April 14, 2001, but they will not apply until April 14, 2003, or April 14, 2004, in the case of small health plans. See65 Fed. Reg. 82462, 82829; 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. § 164.534). They require an individual's written authorization for disclosure of certain health information. See65 Fed. Reg. 82462, 82811 (Dec. 28, 2000) (to be codified as45 C.F.R. § 164.508); see also Tex. Att'y Gen. Op. No. JC-0411 (2001) at 4. The Secretary of Health and Human Services has proposed modifications to the rules, but the answer to your question regarding Health and Safety Code chapter 181 is not affected by these. See67 Fed. Reg. 14776 (2002) (proposed modification in rule entitled "Standards for Privacy of Individually Identifiable Health Information").²

A "covered entity" within Health and Safety Code chapter 181 must comply with the privacy standards adopted under HIPAA, including the standards relating to "uses and disclosures of protected health information" and the applicable consent requirements. See Tex. Health Safety Code Ann. § 181.101(3) (Vernon Supp. 2002). Section181.001(b)(1) of the Health and Safety Code defines "covered entity" to mean any person who:

(A) for commercial, financial, or professional gain, monetary fees, or dues, or on a cooperative, nonprofit, or pro bono basis, engages, in whole or in part, and with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information. The term includes a business associate, health care payer, governmental unit, information or computer management entity, school, health researcher, health care facility, clinic, health care provider, or person who maintains an Internet site;

(B) comes into possession of protected health information;

(C) obtains or stores protected health information under this chapter; or

(D) is an employee, agent, or contractor of a person described by Paragraph (A), (B), or (C) insofar as the employee, agent, or contractor creates, receives, obtains, maintains, uses, or transmits protected health information.

Id. § 181.001(b)(1).

A hospital is a covered entity within this definition. It is a person that, on a commercial or nonprofit basis, engages, "with real or constructive knowledge, in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." Id.; see also id. § 108.002(12) (defining "hospital" to include a public, for-profit, or nonprofit institution licensed or owned by the state). Hospitals collect "protected health information," which chapter 181 defines to mean "individually identifiable health information" relating to the physical or mental health or condition of an individual, to the provision of health care to an individual, or to the payment for the provision of health care to an individual, and that identifies the individual. Id. § 181.001(b)(5). See also 25 Tex. Admin. Code § 1301.19(e) (2002).

Even though a hospital is a covered entity within Health and Safety Code chapter 181, it need not obtain written authorizations from patients prior to sending confidential identifying information to THCIC as required by the HIPAA privacy regulations. It is exempted from securing written authorizations by section 181.103 of the Health and Safety Code, which provides as follows:

A covered entity may use or disclose protected health information without the express written authorization of the individual for public health activities or to comply with the requirements of any federal or state health benefit program or any federal or state law. A covered entity may disclose protected health information:

(1) to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public interventions;

(2) to a public health authority or other appropriate government authority authorized by law to receive reports of child or adult abuse, neglect, or exploitation; and

(3) to any state agency in conjunction with a federal or state health benefit program.

Tex. Health Safety Code Ann. § 181.103 (Vernon Supp. 2002). There are two branches to this exception. The first one permits a covered entity to "use or disclose protected health information without the express written authorization of the individual" for public health activities, to comply with the requirements of a federal or state health benefit program, or to comply with federal or state law. Because a hospital is required by state law, specifically chapter 108 of the Health and Safety Code, to disclose protected health information to THCIC, it may do so pursuant to this branch of section 181.103 without the individual's express written authorization.

The second branch of section 181.103 permits a covered entity to "disclose protected health information" (1) to a public health authority that is authorized by law to collect or receive such information for various public health purposes; (2) to a public health authority or other government authority authorized by law to receive reports of child or adult abuse, neglect, or exploitation; and (3) to any state agency in conjunction with a federal or state health benefit program. This branch covers specific instances where the legislature made it very clear that covered entities could disclose certain protected health information to health authorities or governmental entities. See generally House Research Organization, Bill Analysis, Tex. Comm. Sub. S.B. 11, 77th Leg., R.S. (2001) at 3-4; Senate Business Commerce Comm., Bill Analysis, Tex. S.B. 11, 77th Leg., R.S. (2001) (summaries of section 181.103 reflect the two branches of this provision). A hospital's disclosure of protected health information to THCIC is excepted by the first branch of section 108.103 and does not need to fall within the second branch of this provision as well. We conclude that a hospital may submit to the THCIC the data required by chapter 108 of the Health and Safety Code without obtaining the written consent of the affected patients.

SUMMARY Chapter 181 of the Health and Safety Code does not require hospitals to obtain written authorizations from patients prior to sending confidential identifying information to the Texas Health Care Information Council pursuant to chapter 108 of the Health and Safety Code. Section 181.103 of the Health and Safety Code expressly provides that a covered entity may use or disclose protected health information without the express written authorization of the individual to comply with the requirements of any state law. Because hospitals are required by chapter 108 of the Health and Safety Code to disclose protected health information to the council, they are within this exemption. Information regarding patient identity that is submitted by hospitals to the council is protected by strict confidentiality provisions included in Health and Safety Code chapter 108.

Yours very truly,

JOHN CORNYN Attorney General of Texas

HOWARD G. BALDWIN, JR. First Assistant Attorney General

NANCY FULLER Deputy Attorney General — General Counsel

SUSAN DENMON GUSKY Chair, Opinion Committee

Susan L. Garrison Assistant Attorney General, Opinion Committee

¹ The council also must collect data reflecting provider quality from hospitals, other health-care facilities, and physicians. See Tex. Health Safety Code Ann. § 108.010(a) (Vernon 2001); see also id. § 108.002(10), (15), (16) (Vernon Supp. 2002) (defining "health care facility," "provider," and "provider quality"). See also id. § 108.0065 (Vernon 2001) (data collection with respect to Medicaid managed care organizations).

² The Department of Health and Human Services provides assistance to help covered entities comply with the regulations. See65 Fed. Reg. 82462, 82801 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. § 160.304); see also Department of Health and Human Services, Office for Civil Rights, Internet site on HIPAA privacy standards, available at http://www.hhs.gov/ocr/hipaa/(accessed Apr. 16, 2002). The Texas Health and Human Services Commission also provides information about HIPAA through the National Data Interchange Standards Task Force. See http://www.hhsc.state.tx.us/ndis/NDISTaskForce.html (accessed Apr. 16, 2002).