The Fort Bend County Attorney’s office is recommending that Commissioners Court members hire a Dallas law firm to conduct a detailed analysis of whether county government operations comply with the federal Health Insurance Portability and Accountability Act.
The recommendation comes on the heels of a HIPAA audit of county operations by Sugar Land’s HIPAA Solutions LC, which mushroomed into a political dispute.
Fort Bend County Clerk Dianne Wilson and other county officials were critical of the audit. Wilson maintained Precinct 3 Commissioner Andy Meyers orchestrated its release just before the March 7 primary election because voters could perceive it to be critical of her record-keeping policies.
County Attorney Mary Reveles refused to release the report to FortBendNow or other news publications last month, despite requests under the Texas Public Information Act.
Texas Assistant Attorney General James Coggeshall ruled last week that the county acted improperly in withholding the audit report.
Among other things, the audit suggests as the result of answers they provided to a series of questions, Wilson and other county officials should review HIPAA regulations and consider whether their offices are in compliance with the federal law. Among other things, HIPAA regulates how government and business entities treat citizens’ personal information, such as medical reports.
Last month, Wilson expressed surprise that HIPAA Solutions consultant Peter MacKoul suggested records in her custody must comply with HIPAA regulations.
“I have never had anyone in this county or in this state or elsewhere tell me that,” Wilson said in an email to Reveles, which she released to the public. “Even the one-hour required Open Records/Open Meeting training by the (Texas Attorney General’s Office) in College Station last month did not mention that my records fell under HIPAA.”
County Judge Bob Hebert said the Ohio Supreme Court recently ruled that HIPAA regulations do not apply to county government operations as they relate to public records maintained by county clerks.
Hebert said officials understand that the county’s risk management, emergency services, jail operations and indigent health care services generate personally identifiable information protected under HIPAA.
“The issue here seems to be, do you bring the county clerks and district clerks under HIPAA?,” Hebert said. “We don’t believe there’s anything in state law that allows for redacting of any public information.”
Assistant County Attorney Glen Dunbar said any attorney would agree that HIPAA, as federal law, preempts state law.
However, he said he believes the county is “complying with the heart of HIPAA,” and has designated a privacy officer at the Department of Emergency Medical Service, for example. Dunbar also said other county entities are operating in what HIPAA terms a “business associate” relationship with county offices that collect medical information.
But to assure the county meets its obligations under HIPAA, Dunbar said, his office has recommended hiring Dallas law firm Gardere Wynne Sewell LLP to conduct an in-depth analysis.
Meyers said Monday Gardere is a “third-party administrator legal advisory firm.” He said the county has hired such a firm before, but he doesn’t believe its advice left the county protected legally.
“My preference would be to go to a national law firm that has specific HIPAA expertise as it applies to local governments,” Meyers said. He identified Foley & Lardner LLP as such a firm.
Meyers said the controversy over the audit has been blown out of proportion, adding “all it was intended to do was tell us whether we needed to take additional steps” in complying with HIPAA.
Hebert agreed, but added, “There still seems to be a question over whether we’re doing everything we need to be doing under federal and state law.
“The real question is, are you doing the right thing under the law as you understand it, and are you doing everything you need to do to understand the law?”
Hebert said if the county attorney’s office believes Gardere is the best law firm to assist the county in assessing its ability to comply with HIPAA, then he will support hiring that firm.
Meanwhile, despite the attorney general’s ruling, the county attorney’s office still will not release copies of the HIPAA Solutions’ report, although it may be viewed in the office.
Because of concerns the company had over copyright issues, Dunbar said, his office would not release copies of the document without written permission from the Sugar Land company.
Dunbar’s office crafted a release form and sent it to HIPAA Solutions. However, principal Brian Gaston said his company’s attorneys found a clause in the release document too broad. He declined further comment.
“HIPAA Solutions LC hereby releases Fort Bend County, its officers and administrators and employees from all legal responsibility or liability resulting from the release of such information, and waives on behalf of HSLC, its heirs and assigns and any persons who may have interests in the matter, all provisions of law relating to disclosure of such information,” the county release statement says in part.
On Friday, HIPAA Solutions modified that statement to say: “HIPAA Solutions LC hereby releases Fort Bend County, its officers and administrators and employees from all legal responsibility or liability resulting from the release of such information.”
The county attorney’s office has not agreed to release copies of the document under that conditional statement.
The recommendation comes on the heels of a HIPAA audit of county operations by Sugar Land’s HIPAA Solutions LC, which mushroomed into a political dispute.
Fort Bend County Clerk Dianne Wilson and other county officials were critical of the audit. Wilson maintained Precinct 3 Commissioner Andy Meyers orchestrated its release just before the March 7 primary election because voters could perceive it to be critical of her record-keeping policies.
