2005-109

At its December 8, 2005 public meeting, the Government Records Council (“Council”) considered the December 2, 2005 Findings and Recommendations of the Executive Director and all related documentation submitted by the parties. The Council voted unanimously to adopt the entirety of said findings and recommendations. The Council, therefore, finds that pursuant to N.J.S.A. 47:1A-9.a and Health Insurance Portability Accountability Act of 1966 (HIPAA), and further supported by the decision of the Superior Court of NJ in Michelson v. Wyatt and City of Plainfield, the Custodian lawfully denied access to the requested cost of healthcare benefits supplied to each individual Council member.

This is the final administrative determination in this matter. Any further review should be pursued in the Appellate Division of the Superior Court of New Jersey within forty-five (45) days. Information about the appeals process can be obtained from the Appellate Division Clerk’s Office, Hughes Justice Complex, 25 W. Market St., PO Box 006, Trenton, NJ 08625-0006.

Final Decision Rendered by the
Government Records Council
On The 8^th Day of December, 2005

Diane Schonyers, Vice-Chair
Government Records Council

I attest the foregoing is a true and accurate record of the Government Records Council.

DeAnna Minus-Vincent, Secretary
Government Records Council

Findings and Recommendations of Executive Director

Custodian: Judith Silver
Request Made: April 19, 2005
Response Made: April 25, 2005
GRC Complaint filed: May 25, 2005

Complainant’s written Open Public Records Act (OPRA) request, “Re: OPRA Request.” The Complainant is requesting 5 items regarding the construction of the Police Headquarters, health care costs, employee salaries and lists of contracts.

E-mail from the Custodian to the Complainant, “Info requested.” The Custodian indicates the cost for healthcare for both Council members and Part time employees but states that “per our attorney, we cannot provide details by employee.”

E-mail from the Complainant to the Custodian, “Re: Info requested.” The Complainant poses questions to the Custodian regarding the information that was released. The Complainant is asking if the numbers include all Council members, if there is co-pay and if so how much.

E-mail from the Custodian to the Complainant, “Re: Info requested.” The Custodian responded to the questions posed by the Complainant in the previous e-mail and indicates that the names of the individuals currently covered cannot be released.

The Custodian asserts, through a letter brief submitted by the Township’s counsel on her behalf, that the Township responded to the Complainant by providing all the documents requested on April 19, 2005 “except that which the Township deemed to be confidential.” The Custodian states that the requestor was provided with a lump sum amount that is spent on insurance coverage for the Council. The Custodian feels that a breakdown of the individual costs for healthcare cannot be disclosed and therefore feels that the Township’s response to the request was complete and nothing further can be provided in response to the request.

The Custodian asserts that the Township offers health care coverage and directly pays the prescription and dental care minus co-pay for those Council members who choose to participate. The Custodian asserts that the documents requested are exempt from access under Executive Order 26(4(b)1) (EO26) which prohibits the release of information pertaining to a “person’s medical, psychiatric, or psychological history, diagnosis, treatment or evaluation” and goes on to add that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), 45 CFR § 160.103, according to the Custodian, states, “personal health information (PHI) includes past, present or future payment for the provision of health care to an individual.”

The Custodian contends that because the Township of a self-insured entity for prescription drug and dental coverage they must comply with HIPAA and providing a breakdown of individual health insurance costs would require them to disclose the exact cost of medications purchased by those individuals, contrary to HIPAA. The Custodian states, “a violation of HIPAA in this instance would be a violation of EO26 because if would lead to the disclosure of a person’s medical treatment.” Based on this information the Custodian feels that access to the requested cost for health benefits on each Council member was appropriately denied.

Custodian’s counsel’s letter, “Re: John M. Fox v. Township of Parsippany Dkt No.: 2005-109.” The Custodian’s counsel asserts that in a recently published Appellate Division case Michelson v. Wyatt and City of Plainfield, N.J.Super. 611, 880 A.2d 458 (August 2, 2005)[2] it was determined that “medical health information, including the type of coverage received by an employee (e.g., single, married, etc.) was not disclosable” because information exchanged between a public entity and its insurance carrier is confidential and should not be disclosed pursuant to the OPRA. The Custodian’s counsel states that the court held that under the common law this information may be disclosed if the requestor shown sufficient need for the information outweighing the privacy interest of the information however the Custodian’s counsel states that the Complainant did not request this information under the common law and so only the OPRA applies. As such, the Custodian’s counsel asserts that the requested information should not be disclosed pursuant to the OPRA because the Complainant is requesting specific information regarding the coverage, or cost thereof, that each Council member receives.

Government Records Council (GRC) staff e-mail to the Custodian. The GRC staff requests a more specific citation from HIPAA exempting the requested documents from disclosure.

Custodian’s counsel’s letter to the GRC staff. The custodian’s counsel states that the Township is a self-insured entity and therefore required to comply with HIPAA regulations, 45 C.F.R. § 160.103. The Custodian’s counsel cites 45 C.F.R. § 160.502 which precludes personal health information (PHI) from disclosure. There are certain exceptions to this rule such as when a person provides a signed release for the information 45 C.F.R. § 160.512, 514, and some “public health activities, health oversight activities, judicial and administrative proceedings and for law enforcement purposes, Id. The Custodian’s counsel asserts that HIPAA was designed to prevent medical information from being released in the event of a general inquiry. The Custodian’s counsel states, “PHI cannot be disclosed by a HIPAA covered entity to people making general inquiries regarding private health information. 45 C.F.R. § 160.103.” The custodian’s counsel contends that the requested information falls within HIPAA’s definition of PHI and none of the exceptions to non-disclosure as stated above apply to allow the records to be released.

GRC staff e-mail to the Custodian’s counsel. The GRC staff asks for a certification regarding the number of individuals covered by the Township for prescription drug and dental coverage.

Robert Strechay, Business Administrator’s certification in response to the November 28, 2005 GRC staff e-mail to the Custodian’s counsel. The Business Administrator certifies that there are 517 individuals covered by the Township’s dental benefits plan and 510 individuals covered by the Township’s prescription drug plan.

WHETHER the Custodian lawfully denied access to the requested cost of healthcare benefits supplied to each individual Council member pursuant to EO26, HIPAA and OPRA?

“…government records shall be readily accessible for inspection, copying, or examination by the citizens of this State, with certain exceptions…” N.J.S.A. 47:1A-1.

“…any paper, written or printed book, document, drawing, map, plan, photograph, microfilm, data processed or image processed document, information stored or maintained electronically or by sound-recording or in a similar device, or any copy thereof, that has been made, maintained or kept on file… or that has been received in the course of his or its official business…” N.J.S.A. 47:1A-1.1.

The OPRA places the onus on the Custodian to prove that a denial of access is lawful. Specifically, OPRA states:

“…The public agency shall have the burden of proving that the denial of access is authorized by law…” N.J.S.A. 47:1A-6.

"The provisions of [OPRA] shall not abrogate any exemption of a public record or government record from public access heretofore made pursuant to [OPRA]; any other statute; resolution of either or both Houses of the Legislature; regulation promulgated under the authority of any statute or Executive Order of the Governor; Executive Order of the Governor; Rules of Court; any federal law; federal regulation; or federal order…"

The Complainant asserts that a lump sum amount was provided to him but he was denied the breakdown of cost for individual Council members’ health benefit coverage. The Complainant does not agree that “details by employee” cannot be given out. The Complainant contends that the release of this information does not violate any HIPPA regulation since he is not asking to look at personal records. The Custodian contends that because the Township is a self-insured entity for prescription drug and dental coverage, they must comply with HIPAA and providing a breakdown of individual health insurance costs would require them to disclose the exact cost of medications purchased by those individuals, contrary to HIPAA, 45 C.F.R. § 160.103. The Business Administrator certifies that there are 517 individuals covered by the Township’s dental benefit plan and 510 individuals covered by the Township’s prescription drug plan. The Custodian states, “a violation of HIPAA in this instance would be a violation of EO26 because if would lead to the disclosure of a person’s medical treatment.” Based on this information the Custodian feels that access to the requested cost for health benefits on each Council member was appropriately denied.

The definitions of HIPAA provide that health plan means "an individual or group plan that provides, or pays the costs of, medical care ..." 45 CFR Sec. 160.103. Group health plan is defined as "an employee welfare benefit plan ... including insured and self-insured plans, to the extent that the plan provides medical care ..., including items and services paid for as medical care, to employees or their dependents directly or through insurance, reimbursement, or otherwise, that: (1) [h]as 50 or more participants..., or (2) [i]s administered by an entity other than the employer that established and maintains the plan." Id. The Township is therefore a “covered entity” since it is self-insured and provides coverage to more than 50 individuals.

Taking this into consideration, the Township must comply with HIPAA since it a covered entity. Specifically, HIPAA provides that "[a] covered entity must comply with the applicable standards, implementation specifications, and requirements ... with respect to electronic protected health information." 45 CFR Sec. 164.302. HIPAA prohibits the disclosure of "individually identifiable health information" by covered entities to anyone outside the covered entity. 45 CFR Sec. 164.502(a). HIPAA defines individually identifiable health information as "information that is a subset of health information, including demographic information collected from an individual, and: (1) [i]s created by a ... health plan..., and (2) [r]elates to... the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) [t]hat identifies the individual; or (ii) [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual." 45 CFR Sec. 160.103.

Additionally, HIPAA provides that "[c]overed entity may not use or disclose protected health information, except as permitted or required by [HIPAA]." 45 CFR Sec. 164.502(a). Permitted uses and disclosures by covered entities under HIPAA are (1) to the individual to whom the information pertains, (2) for treatment, payment, or health care operations, (3) incident to a use or disclosure otherwise permitted or required, (4) pursuant to and in compliance with a valid authorization, (5) pursuant to an agreement, and (6) as permitted by and in compliance with this section. 45 CFR 164.502 (a)(1)(i)-(vi). Required disclosures by covered entities under HIPAA are (1) to the individual, and (2) when required by the Secretary of the Department of Health and Human Services. 45 CFR Sec. 160.502(a)(2)(i)-(ii).

Since the Complainant's request does not fit within the permitted or required uses and disclosure of protected health information under HIPAA, the Custodian is prohibited from disclosing the "individual" records to the Complainant pursuant to HIPAA and N.J.S.A. 47:1A-9.a.

The Custodian also cites Michelson v. Wyatt and City of Plainfield, 379 N.J.Super. 611, 880 A.2d 458 (August 2, 2005) which was decided after the denial of access occurred. The New Jersey Superior Court, Appellate Division found that a similar records request was lawfully denied by the Custodian, consistent with both State and federal law. The court held that OPRA explicitly states that personnel and pension information other than a person's name, title, position, salary, payroll record, length of service, date of separation, and type and amount of pension is not considered a government record and is, therefore, not subject to disclosure pursuant to N.J.S.A. 47:1A-10. Id. at 621. The court further stated that information gathered by a municipal employer for transmission to its insurance carrier is not a government record and, therefore is not subject to disclosure pursuant to N.J.S.A. 47:1A-1.1. Id. That court also determined that Executive Order 26, Section 4 (b)(1) prohibited the disclosure of the individual health history of municipal employees. Id. at 620. Lastly, the court held that HIPAA prohibits covered entities from using or disclosing personal health information except as permitted by regulation (45 CFR Sec. 164.502(a)). Id. at 622-623.

Pursuant to N.J.S.A. 47:1A-9.a and HIPAA, and further supported by the decision of the Superior Court of NJ in Michelson v. Wyatt and City of Plainfield, the Custodian lawfully denied access to the requested cost of healthcare benefits supplied to each individual Council member.

[1] The Denial of Access Complaint states the request was for “Insurance cost for Council members/which Council members receive health coverage and the cost for each member/total amount paid out for prescriptions for council collectively (not individually) in the year 2004.”
[2] The Custodian’s counsel cites, “Michelson v. Wyatt and City of Plainfield, N.J.Super. 2005 W.L.2043597, *5 (App. Div., August 11, 2005)”