To return to this list after selecting an opinion, click on the "View entire list" link above the opinion title.
March 26, 2004; City of Thief River Falls
3/26/2004 10:14:43 AM
This is an opinion of the Commissioner of Administration issued pursuant to section 13.072 of Minnesota Statutes, Chapter 13 - the Minnesota Government Data Practices Act. It is based on the facts and information available to the Commissioner as described below.
Facts and Procedural History:On February 2, 2004, IPAD received a letter dated January 27, 2004, from Jodie Torkelson, City Administrator for the City of Thief River Falls. In her letter, Ms. Torkelson asked the Commissioner to issue an advisory opinion regarding the classification of certain data that the City maintains. A summary of the facts is as follows. Ms. Torkelson wrote: At a seminar conducted by a private company, the City was told that the dollar value benefit towards an employee's health insurance payment would be considered private health information under HIPAA [Health Insurance Portability and Accountability Act of 1996] law. If the City releases the dollar value benefit provided to an employee for health insurance coverage, that information would reveal the specific coverage plan that an employee has opted for. (For example, an employee receives a benefit from the City of $600.00 per month for family health insurance that provides 100% coverage. An employee receives a benefit from the City of $25 for single health insurance that provides 100% coverage.) These insurance benefits are outlined in the employment contracts, which are public documents. ...The City of Thief River Falls provides employee health insurance coverage through the Northwest Service Cooperative Self Insurance Pool . The pool members consist of several northwest Minnesota counties, cities, and other governmental agencies. The City collects a portion of the health insurance premium from each employee and remits it, along with the City's share, to the Northwest Service Cooperative. Quarterly, the City receives a summary of claims from the Northwest Service Cooperative, which contains no identifiable personal health insurance data. (Data is printed as summary information only). The only personal health information which is collected or received by the City is the employee's health insurance application, which according to an article (updated 04/04/04) from the League of Minnesota Cities, does not alone make the City a covered entity. The Northwest Service Cooperative has a contract with Blue Cross/Blue Shield of Minnesota to provide service for its participant members. Issue:In her request for an opinion, Ms. Torkelson asked the Commissioner to address the following issue:
Discussion:Data on individuals collected because the individual is or was an employee of a government entity are classified pursuant to Minnesota Statutes, section 13.43. Subdivision 2 of section 13.43 lists the types of personnel data that are public. Subdivision 4 of section 13.43 classifies most other types of personnel data as private. Data on individuals is defined as all government data in which any individual is or can be identified as the subject of the data, unless the appearance of the name or other identifying data clearly can be demonstrated to be only incidental to the data. (See section 13.02, subdivision 5.) At issue in this opinion is the classification of the amount the City pays toward an employee's health insurance coverage. Section 13.43, subdivision 2(a)(1), provides that the value and nature of employer paid fringe benefits are public. Therefore, pursuant to state law, the data at issue are public. The remaining question is whether HIPAA treats the data differently, i.e., not public. (The regulations that implement HIPAA are found at 45 C.F.R. Parts 160 and 164. These regulations include standards for privacy of health information, security for protection of electronic health information, and general administrative requirements.) For information to be protected by HIPAA, the entity involved must be a covered entity, which is defined as a health plan, a health plan clearinghouse, or a health care provider who transmits any health care information in electronic form in connection with a transaction covered by this subchapter. (See 45 C.F.R. section 160.103) In addition, the information must be protected health information, which is defined as individually identifiable health information. Individually identified health information is defined as:
...information that is a subset of health information, including demographic information collected from an individual and:
(See 45 C.F.R. section 160.103.) Upon review of HIPAA, the Commissioner is unable to determine, with certainly, whether the City is a covered entity. If it is, under HIPAA the data in question appear to fall within the definition of protected health information. That is because the dollar value (and, in turn, the fact that an employee has single or family coverage) relates to the provision of health care to an individual; or the past, present, or future payment for the provision of heath care to an individual that identifies the individual. Thus, if the City is a covered entity, the data in question are protected. In attempting to determine whether the City is or is not a covered entity, IPAD contacted the United States Department of Health and Human Services (HHS), which has jurisdiction over HIPAA. IPAD submitted a letter to the Office for Civil Rights (OCR) at HHS posing the question raised by Ms. Torkelson. OCR is charged with interpreting and enforcing the HIPAA regulations. IPAD does not know when or if the OCR will respond. IPAD also contacted staff in the HHS General Counsel Office. Staff there pointed IPAD to 45 C.F.R. section 164.512; however, HHS did not take an official position on the issue. The provision cited by HHS General Counsel staff addresses situations in which a covered entity may use and disclose protected health information, without requiring the entity (1) to obtain, from the data subject, an authorization to release or (2) to offer the data subject an opportunity to agree or object. 45 C.F.R. section164.512(a)(1) states:
(a) Standard: uses and disclosures required by law.
This provision seems to allow the City, if it is considered to be a covered entity, to release, upon request, the dollar value of an employee's health insurance benefit. The Legislature, in enacting section 13.43, clearly intended that the value and nature of employer paid fringe benefits be public data. Further, pursuant to section 13.03, the disclosure of public data is required. Thus, if the City is a covered entity, and it receives a data request, pursuant to section 13.03, for the data in question, 45 C.F.R. section 164.512 appears to apply and the City should release the data as required by sections 13.03 and 13.43. If the City is not a covered entity, HIPAA does not apply and the data are public. Opinion:Based on the facts and information provided, my opinion on the issue that Ms. Torkelson raised is as follows:
Signed:
Brian J. Lamb
Dated: March 26, 2004 |
Personnel data
HIPAA (Health Insurance Portability and Accountability Act; 45 C.F.R. Parts 160 and 164)
Fringe benefits
