NC AG Advisory Opinion (1996-07-03)

Is information about individual State Health Plan members (eligibility, claims, medical history) a public record in North Carolina, and which outsiders can the Plan share it with?

Short answer: No. Patient-level data held by the State Health Plan, its Board of Trustees, Executive Administrator, or Claims Processor is confidential under N.C. Gen. Stat. § 135-37 and is expressly carved out of the Public Records Law in Chapter 132. The Plan may release confidential information only to the State Auditor, the Attorney General, persons designated under § 135-39.3, or to persons and organizations approved by the Executive Administrator and Board of Trustees, and the recipient must keep the same confidentiality. The mental-health case manager is treated as a Claims Processor and bound by the same confidentiality.
Currency note: this opinion is from 1996. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: This is an official North Carolina Attorney General advisory opinion. AG opinions are persuasive authority but not binding precedent like a court ruling. This summary is for informational purposes only and is not legal advice. Consult a licensed North Carolina attorney for advice on your specific situation.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official AG opinion. The original opinion (linked at the bottom of this page) is the authoritative source for any reliance.

Plain-English summary

Evelyn Terry, General Counsel of the Teachers' and State Employees' Comprehensive Major Medical Plan, gave the AG a list of forty-two outside individuals and entities that might request information from the Plan. She asked whether and how confidentiality requirements applied across that list.

Senior Deputy AG Reginald Watkins and Assistant AG V. Lori Fuller answered without resolving each of the forty-two specific cases (the request had no factual background for each one). The opinion instead lays out the general framework.

The confidentiality rule. § 135-37 puts a confidentiality blanket over any information the Plan, Executive Administrator, Board of Trustees, or Claims Processor possesses about individual participants. The covered information includes coverage status (whether the person is covered or not, whether a claim has been filed, whether a claim has been paid), medical information, and "any other information or materials concerning a Plan participant." This category is what the opinion calls "patient-level data."

The statute explicitly says this information is "exempt from the provisions of Chapter 132 of the General Statutes or any other provision requiring information and records held by State agencies to be made public or accessible to the public." So the General Public Records Law (§ 132-1 et seq.) does not reach this material.

The decisional test. When a request comes in, the Plan asks: is this information patient-level data within § 135-37? If yes, it is confidential and not releasable under the Public Records Law. If no (for example, aggregate plan financial data, vendor contracts not naming individuals, governance documents), it falls back to whatever other release rules apply.

Limited releases permitted. § 135-37 itself authorizes release to:

  • The State Auditor (for audit purposes)
  • The Attorney General (for legal duties)
  • Persons designated under § 135-39.3 (which sets up specific designees for Plan purposes)
  • Such persons or organizations as may be designated and approved by the Executive Administrator and Board of Trustees acting jointly

A critical feature: the confidentiality obligation "attaches to and follows the released information." Any recipient must maintain the same level of confidentiality as the Plan itself. The opinion advises the Plan to routinely notify recipients of this continuing duty. Unauthorized re-release by a recipient would be unlawful.

Mental-health case manager. Terry also asked what information the Executive Administrator could require the mental-health case manager to produce. The opinion's answer: the case manager is a "party contracting with the State to administer the Plan benefits," so the Claims Processor definition in § 135-40 reaches them. Their information is governed by the same confidentiality rules. The Executive Administrator may require the case manager to produce any documents that could be required of the Claims Processor, including documents relating to the contractual obligations between the case manager and the Plan. § 135-30.4A(f) is the operative section: the case manager is "assisting the Executive Administrator in the performance of his duties and responsibilities."

Practical contracting recommendation. The opinion suggests the Plan include the confidentiality provisions explicitly in its contracts with third-party administrators. That gives the Plan a contractual remedy alongside the statutory protection.

Currency note

This opinion was issued in 1996. HIPAA (which took effect in 1996 itself, with privacy-rule compliance dates in 2003-2004) and the HITECH Act fundamentally reshaped state health plan confidentiality. The Genetic Information Nondiscrimination Act, the Affordable Care Act, and subsequent CMS guidance also affect this area. The current statutory text of § 135-37 has been amended multiple times, and the Plan operates under both state and federal privacy frameworks. Anyone facing a current request for State Health Plan member information should consult HIPAA, the current text of Chapter 135, and any superseding federal rules.

Background and statutory framework

The Teachers' and State Employees' Comprehensive Major Medical Plan (later renamed the State Health Plan for Teachers and State Employees) covers North Carolina state employees, teachers, retirees, and their dependents. It is the second-largest employer-sponsored health plan in the southeastern United States, covering hundreds of thousands of lives. Article 3 of Chapter 135 is its enabling legislation.

Because the Plan is a state government program, the default rule under the Public Records Law (§ 132-1 et seq.) would be that records held by the Plan are public. § 135-37 is the specific statutory exemption that carves patient-level data out of that default. The legislature recognized in 1986 (the operative year of the statute the opinion quotes) that medical information cannot be made publicly accessible if the Plan is to function. That carve-out aligns the Plan's confidentiality posture with commercial group health plans and with the broader legal expectation that medical information is private.

The 1996 opinion does not address HIPAA (which had been signed into law on August 21, 1996, six weeks after this opinion). The opinion's framework is purely state-law: § 135-37 read against Chapter 132's public-records default. HIPAA's privacy rule, once it took effect, added a federal floor of protection that runs alongside the state confidentiality regime.

The "Claims Processor" concept matters because in the 1990s the Plan, like most large group health plans, contracted with third-party administrators (Blue Cross Blue Shield of North Carolina at various times, plus mental-health and pharmacy-benefit subcontractors). § 135-40 defined "Claims Processor" broadly enough to reach those contractors, and § 135-30.4A(f) extended the Executive Administrator's authority over them. The opinion's treatment of the mental-health case manager as a Claims Processor closed a potential gap.

The "forty-two entities" framing of the request is itself instructive. The Plan was being asked for information by a wide range of outsiders, including legislators, agencies, researchers, contractors, accreditation bodies, federal agencies, and the like. The AG opinion's case-by-case approach reflects the reality that some of those entities might fall within the § 135-37 enumerated recipients (Auditor, AG, designees), some might need joint Board/Administrator approval, and some might be asking for non-patient-level data that doesn't trigger the confidentiality rule at all.

Common questions

Could a journalist file a public records request for State Health Plan claims data?

For patient-level data, no. § 135-37 carved that out of Chapter 132. For aggregate or de-identified data not tied to individuals, the request could potentially be granted under the public records framework, since the confidentiality statute only covers individual-level information.

What about a legislative committee?

If the committee includes persons designated under § 135-39.3, yes (subject to confidentiality). If it is a general legislative inquiry without § 135-39.3 designation, the Plan would need joint Board/Administrator approval. Legislative bodies do not have an automatic right to patient-level data under § 135-37.

Could a Plan member's spouse get the member's claims information?

The opinion does not directly address this. The general rule under § 135-37 is that release is only to enumerated categories. A spouse would not be on the list of enumerated recipients unless the spouse fell within Board/Administrator approval (which would be unusual for a single individual). HIPAA and Plan-specific authorization forms now govern this in practice.

What if a recipient (like the State Auditor) wanted to share Plan data with an outside contractor?

The opinion's framework would require the outside contractor to maintain the same confidentiality. The Auditor's authority to receive the data does not allow it to be re-released to someone outside the § 135-37 enumeration. The Auditor's contractor would need to be brought within the confidentiality envelope, either by Board/Administrator designation or by Auditor-side confidentiality controls.

Did this opinion address HIPAA?

No. HIPAA was signed into law six weeks after this opinion. The 1996 opinion is purely state-law and predates the federal medical-privacy framework that now governs the Plan alongside state law.

What information about the Plan itself is publicly available?

Plan financial reports, governance records, vendor contracts, premium structures, plan documents (subject to redaction of individual data), and aggregated utilization data generally fall outside the § 135-37 patient-level exemption and would be available under the Public Records Law to the extent no other exemption applies.

Source

Citations

  • N.C. Gen. Stat. § 135-37
  • N.C. Gen. Stat. § 135-30.4A
  • N.C. Gen. Stat. § 135-39.3
  • N.C. Gen. Stat. § 135-40
  • N.C. Gen. Stat. § 132-1

Original opinion text

July 3, 1996

Evelyn Terry, General Counsel
State of North Carolina Teachers' and State Employees' Comprehensive Major Medical Plan
4509 Creedmoor Road, Suite 102
Raleigh, NC 27612

RE: Advisory Opinion; Confidentiality Requirements for State Health Plan Member Information

Dear Ms. Terry:

In a memorandum dated May 1, 1996, you requested our opinion as to the confidentiality requirements for State Health Plan member information as related to forty-two individuals or entities who may request information from the State Health Plan. You gave no factual background as to what information, if any, had been requested by each of the forty-two listed entities nor in what context such requests had arisen.

For purposes of drawing a legal conclusion, we must apply the pertinent laws to specific facts on a case-by-case basis. In the absence of the necessary factual background, we herein provide basic guidelines for your use in evaluating future requests for information from the Plan.

Article 3 of Chapter 135, the enabling legislation for the State Employees' Comprehensive Major Medical Plan (hereinafter the Plan), states that certain information in possession of the Plan is confidential. N.C.G.S. § 135-37 (1986) is cited in pertinent part:

Any information as herein described in this section which is in the possession of the Executive Administrator and the Board of Trustees of the Teachers' and State Employees' Comprehensive Major Medical Plan or its Claims Processor . . . shall be confidential and shall be exempt from the provisions of Chapter 132 of the General Statutes or any other provision requiring information and records held by State agencies to be made public or accessible to the public. This section shall apply to all information concerning individuals including the fact of coverage or noncoverage, whether or not a claim has been filed, medical information, whether or not a claim has been paid, and any other information or materials concerning a Plan participant.

This section specifically applies to the Plan, the Executive Administrator, the Board of Trustees, or the Claims Processor and to the information within their possession or control. Basically, any information about individual plan participants, often referred to as "patient-level data", is protected under this confidentiality provision. This provision expressly carves out an exception to the Public Records Law found in N.C.G.S. § 132-1 et seq.

Whenever the Plan receives an information request, the Plan must first determine whether the requested information is patient-level data as described in the statute. If so, the information is not available pursuant to the Public Records Law or any other provision applicable to information in the possession or control of a public agency. If the information requested does not fall into the above-cited definition, then the data is not considered confidential and may be released to the extent allowed by other applicable statutes.

The confidentiality statute does provide for release of confidential information in limited circumstances. In pertinent part, the statute reads as follows:

Provided, however, such information may be released to the State Auditor, or the Attorney General, or to the persons designated under N.C.G.S. § 135-39.3 in furtherance of their statutory duties and responsibilities, or to such persons or organizations as may be designated and approved by the Executive Administrator and Board of Trustees of the Teachers' and State Employees' Comprehensive Major Medical Plan, but any information so released shall remain confidential as stated above and any party obtaining such information shall assume the same level of responsibility for maintaining such confidentiality as that of the Executive Administrator and Board of Trustees of the Teachers' and State Employees' Comprehensive Major Medical Plan. N.C.G.S. § 135-37 (1986).

Clearly, confidential information may be released by the Plan to the State Auditor, the Attorney General or to persons designated under N.C.G.S. § 135-39.3, or to such persons or organizations as jointly designated by the Executive Administrator and Board of Trustees. It is important to note that the requirement to maintain confidentiality attaches to and follows the released information. Any party obtaining confidential information from the Plan pursuant to N.C.G.S. § 135-37 must maintain the same level of confidentiality as required of the Executive Administrator and Board of Trustees. It would therefore be unlawful for the entity receiving the confidential information to release it to non-authorized persons. The Plan should routinely inform recipients of their continuing duty to maintain such confidentiality.

You also asked what information in possession of the mental health case manager may the Executive Administrator require the case manager to produce. According to N.C.G.S. § 135-40, the term "Claims Processor" is defined as "the administrator, third party administrator or other party contracting with the State to administer the Plan benefits." Therefore, whenever the duties of the Claims Processor are set out by statute, those same duties apply to the mental health case manager as a "party contracting with the State to administer the Plan benefits." The confidentiality requirements set out above are also applicable to the mental health case manager. Further, the mental health case manager as "a party contracting with the State to administer the Plan benefits" is assisting the Executive Administrator "in the performance of his duties and responsibilities under [Article 3 of Chapter 135]." N.C.G.S. § 135-30.4A(f) (1991). The Executive Administrator may require the mental health case manager to produce any documents which could be required of the Claims Processor; that is, documents relating to the contractual obligations between the third party and the Plan.

In practical terms, the Plan should include such provisions in its contracts with third parties who administer the Plan benefits.

We hope you find this information useful. As specific factual circumstances arise relating to these issues, there may be new factors which could require additional analysis. Please do not hesitate to contact us when you deem such analysis is appropriate.

Reginald L. Watkins
Senior Deputy Attorney General

V. Lori Fuller
Assistant Attorney General