Office of the Attorney General — State of Texas John Cornyn The Honorable José R. Rodriguez County Attorney, El Paso County County Courthouse 500 East San Antonio, Room 203 El Paso, Texas 79901

Re: Whether the Board of Trustees of the Risk Pool for the El Paso County Health Benefits Program may meet in executive session to consider a complaint against the third party administrator for the program (RQ-0369-JC)

Dear Mr. Rodriguez:

You ask whether the Board of Trustees of the Risk Pool for the El Paso County Health Benefits Program (the "Board") may consider a complaint against the third party administrator of the Benefits Program in an executive session. The Texas Open Meetings Act does not permit the Board to consider a complaint about its third party administrator in an executive session. You also ask whether the Federal Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act of 1996 (the "HIPAA") authorizes the Board to hear a complaint against its third party administrator in closed session. See Health Insurance Portability and Accountability Act of 1996, Pub.L. No. 104-191,110 Stat. 2024 (codified as amended in scattered sections of 42 U.S.C.). These regulations are not applicable until April 14, 2003, and the United States Department of Health and Human Services provides assistance to covered entities to help them comply with the regulations. We advise the Board to direct its question to that federal agency.

The Commissioners Court of El Paso County has acted under chapter 172 of the Local Government Code to provide health and accident coverage for county officers, employees, retirees, and their dependents. See Tex. Loc. Gov't Code Ann. § 172.004 (Vernon 1999).¹ The contributions paid by county officials, employees, and retirees are deposited into a risk pool administered by a board of trustees appointed by the commissioners court. See id. §§ 172.004-.009 (Vernon 1999 Supp. 2001). The Board is a governmental body within the meaning of the Open Meetings Act, which defines "governmental body" to include:

a deliberative body that has rulemaking or quasi-judicial power and that is classified as a department, agency, or political subdivision of a county or municipality.

Tex. Gov't Code Ann. § 551.001(3)(D) (Vernon Supp. 2001). The Board exercises governmental authority as an agent of the county. See Tex. Loc. Gov't Code Ann. §§ 172.006(a) (Vernon Supp. 2001) (board of trustees supervises operation of risk pool); .009(a) (Vernon 1999) (trustees of risk pool shall invest pool's money); .011 (trustees shall declare pool insolvent if they determine that it is unable to pay valid claims within specified time period). Accordingly, the Board must comply with the Open Meetings Act.

You inform us that the Board has contracted with a third party administrator to administer the Risk Pool. See id. § 172.006 (Vernon Supp. 2001) (board may contract with third party administrator). You state that at times a person covered by the County Health Benefits Program will complain to the Board about some action by the third party administrator, such as denial of a claim.²

In reviewing the administrator's handling of such claims, the Board may consider information presented orally by the complainant, including details of medical history, diagnosis, and treatment, as well as medical records and other documentation provided by the complainant. You ask whether the Board may meet in an executive session under section 551.074 of the Government Code to review the third party administrator's actions in these cases.

Pursuant to section 551.074 of the Government Code, a governmental body is not required to conduct an open meeting:

(1) to deliberate the appointment, employment, evaluation, reassignment, duties, discipline, or dismissal of a public officer or employee; or

(2) to hear a complaint or charge against an officer or employee.

Tex. Gov't Code Ann. § 551.074(a) (Vernon 1994). This provision does not apply if the officer or employee who is the subject of the deliberation or hearing requests a public hearing. See id. § 551.074(b).

Section 551.074 authorizes a governmental body to meet in executive session to deliberate about a public officer or employee, but it does not authorize closed deliberations about other agents of a governmental body, such as an independent contractor. See Bd. of Trs. v. Cox Enters., Inc., 679 S.W.2d 86,90-91 (Tex.App.-Texarkana 1984), rev'd in part on other grounds,706 S.W.2d 956 (Tex. 1986); Tex. Att'y Gen. Op. No. MW-129 (1980) at 2. See also Tex. Att'y Gen. Op. No. DM-149 (1992) (members of advisory committees appointed by Texas Commission on Fire Protection are neither officers nor employees, and commission may not meet in executive session to discuss qualifications of persons under consideration for appointment). The third party administrator is neither an officer nor an employee of the Risk Pool.

A third party administrator is "a person who collects premiums or contributions from or who adjusts or settles claims in connection with life, health, and accident benefits . . . for residents of this state." Tex. Ins. Code Ann. art. 21.07-6, § 1(1) (Vernon Supp. 2001); 28 Tex. Admin. Code § 7.1601 (2001) (provisions regulating third party administrators). A county risk pool "may be administered by a staff employed by the pool, an entity created by the political subdivision . . . or a third party administrator." Tex. Loc. Gov't Code Ann. § 172.006(b) (Vernon Supp. 2001). The statute distinguishes between a third party administrator and staff employed to administer the pool, thus recognizing that a third party administrator is not an employee. A board of trustees and other governmental bodies contract for the services of a third party administrator. See id. § 172.006(c);see also Tex. Att'y Gen. Op. Nos. DM-418 (1996) at 9-13, JM-1038 (1989) (considering whether contract for services of third party administrator is exempt from competitive bidding law as contract for professional services). An employee, in contrast, would be employed by a board of trustees to work for salary or wages. See V Oxford English Dictionary 191 (2d ed. 1989); Black's Law Dictionary 543 (7th ed. 1999). The Board does not have an employer-employee relationship with the third party administrator.

Nor is the third party administrator an officer of the Risk Pool. A public officer generally has a fixed term and may be removed only in accordance with law. Aldine Indep. Sch. Dist. v.Standley, 280 S.W.2d 578, 581 (Tex. 1955). Moreover, a public officer is an individual in whom a sovereign function of the government is conferred to be exercised for the benefit of the public, largely independent of the control of others. Id. at 583. A third party administrator is subject to contractual and regulatory controls and does not exercise any sovereign function of the government largely independent of the control of others. The Board may not deliberate in executive session under section551.074 of the Government Code about complaints made against the third party administrator.

You also ask whether the Federal Standards for Privacy of Individually Identifiable Health Information, 45 C.F.R. parts 160 and 164, permit closed-meeting deliberations about complaints concerning administration of a county health benefits program when individually identifiable health information is involved, and whether these regulations prohibit open-meeting deliberation about such complaints. See 45 C.F.R. pt. 160 (2000);65 Fed. Reg. 82462, 82802-829 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. pt. 164).

As part of the HIPAA, Congress directed the Secretary of Health and Human Services to promulgate regulations setting privacy standards for medical records. See Health Insurance Portability and Accountability Act of 1996, Pub.L. No. 104-191, § 264,110 Stat. 2024 (codified at 42 U.S.C. § 1320d-2 (Supp. IV 1998) (historical statutory note). Pursuant to this directive, the Secretary has issued Standards for Privacy of Individually Identifiable Health Information, codified at 45 C.F.R. parts 160 and 164. The standards were effective April 14, 2001, but they will not apply until April 14, 2003, or April 14, 2004, in the case of small health plans. See 65 Fed. Reg. 82462, 82829 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at45 C.F.R. § 164.534). With certain exceptions, the privacy regulations preempt contrary state law. See 42 U.S.C. § 1320d-7 (Supp. IV 1998); 65 Fed. Reg. 82462, 82800 (Dec. 28, 2000);66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at45 C.F.R. § 160.201-.205).

Your question requires us to determine whether the El Paso County Health Benefits Program is a "covered entity" subject to the standards set out in 45 C.F.R. parts 160 and 164. See45 C.F.R. § 160.102(a), .103 (2000) (defining "covered entity"). A covered entity may not use or disclose protected health information, except as permitted or required by 45 C.F.R. part 160, subpart C, or part 164. See 65 Fed. Reg. 82462, 82805 (Dec. 28, 2000);66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at45 C.F.R. § 164.502(a)). We would thus have to consider whether the Board would disclose protected health information in violation of the regulations if it were to deliberate in open session about medical information and medical records provided at the meeting by a beneficiary of the program. The privacy regulations do not expressly state whether or not deliberations about medical information at public meetings would be an unauthorized disclosure of protected health information. See65 Fed. Reg. 82462, 82803 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. § 164.501) (disclosure defined to include divulging in any manner of information outside the entity holding the information).

Your request raises questions of first impression about the federal regulations. Moreover, the United States Department of Health and Human Services, the federal agency in charge of enforcing the regulations, has not yet issued any guidelines or other interpretations of them. See 65 Fed. Reg. 82462, 82801-802 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. § 160.300-.312). The regulations are complex, and determining how they affect the El Paso County Health Benefits Program would require more information about the operation of that program than is provided by your request letter and chapter 172 of the Local Government Code. We cannot investigate and resolve fact questions in an attorney general opinion. See, e.g., Tex. Att'y Gen. Op. Nos. JC-0328 (2000) at 6,JC-0152 (1999) at 12, JC-0020 (1999) at 2, DM-98 (1992) at 3,H-56 (1973) at 3, M-187 (1968) at 3, O-2911 (1940) at 2. The Department of Health and Human Services provides assistance to help covered entities comply with the regulations. See65 Fed. Reg. 82462, 82801 (Dec. 28, 2000); 66 Fed. Reg. 12434 (Feb. 26, 2001) (to be codified at 45 C.F.R. § 160.304); see also Department of Health and Human Services, Office for Civil Rights, internet site on HIPAA privacy standards, available at http://www.hhs.gov/ocr/hipaa/.³ The El Paso County Health Benefits Program has at least until April 14, 2003, to decide how the privacy regulations apply to it, or if it is deemed a small health plan, until April 14, 2004. Thus, the Board may request information on how the federal regulations apply to the Risk Pool from the federal agency in charge of enforcing them. Under these circumstances, we advise its representatives to seek information and assistance on its questions from the United States Department of Health and Human Services.

We note that recently enacted state legislation, Senate Bill 11 of the Seventy-seventh Legislature, requires a "covered entity" to comply with certain privacy standards adopted under the Health Insurance Portability and Accountability Act of 1996, including those relating to "uses and disclosures of protected health information." Act of May 27, 2001, 77th Leg., R.S., ch. 1511, § 1, sec. 181.101(3), 2001 Tex. Sess. Law Serv. WL TX LEGIS 1511 (2001) (to be codified at Tex. Health Safety Code Ann. ch. 181). A covered entity includes, among other entities, any person who "on a cooperative, nonprofit, or pro bono basis, engages . . . in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting protected health information." Id. at § 1, sec. 181.001(b)(1)(A). A "covered entity" may include a governmental unit. See id. However, there is an exemption for an employee benefit plan or a covered entity or other person acting in connection with an employee benefit plan.See id. at § 1, sec. 181.055. A covered entity is required to comply with the requirements of chapter 181 of the Health and Safety Code, as added by Senate Bill 11, "not later than September 1, 2003." Id. at § 5(b). Thus, assuming the Risk Pool is a covered entity within Senate Bill 11, it should know what the federal privacy standards require of it by the time it becomes subject to the provisions of chapter 181.

SUMMARY The Board of Trustees of the Risk Pool for the El Paso County Health Benefits Program may not deliberate about complaints against its third party administrator in an executive session under the personnel exception to the Texas Open Meetings Act. The third party administrator is not an officer or employee within that exception.

The Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act of 1996 (the "HIPAA"), Pub.L. No. 104-191, preempt contrary state law. The Board of Trustees of the El Paso County Health Benefits Program should seek advice from the United States Department of Health and Human Services about the application of these standards to the El Paso County Health Benefits Program and to public meetings in which the Board of Trustees deliberates about complaints against its third party administrator involving individually identifiable health information.

Yours very truly,

JOHN CORNYN Attorney General of Texas

HOWARD G. BALDWIN, JR. First Assistant Attorney General

NANCY FULLER Deputy Attorney General — General Counsel

SUSAN D. GUSKY Chair, Opinion Committee

Susan L. Garrison Assistant Attorney General, Opinion Committee

¹ Chapter 172 of the Local Government Code was amended during the last legislative session by House Bill 1254 to authorize coverage of an "affiliated service contractor," defined as a non-profit organization "that provides governmental or quasi-governmental services on behalf of a political subdivision and derives more than 50 percent of its gross revenues from grants or funding from the political subdivision." See Act of May 17, 2001, 77th Leg., R.S., ch. 491, 2001 Tex. Sess. Law Serv. WL TX LEGIS 491 (2001) (effective Sept. 1, 2001).

² Letter from Honorable José R. Rodréguez, El Paso County Attorney, to Honorable John Cornyn, Texas Attorney General (Mar. 21, 2001) (on file with Opinion Committee).

³ The Texas Health and Human Services Commission also provides information about the Health Insurance Portability and Accountability Act. See http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html (information about HIPAA).