Request By:
John Wilson
Anne E. Burnham
Sadiqa N. Reynolds
Opinion
Opinion By: Jack Conway, Attorney General; Amye L. Bensenhaver, Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the Cabinet for Health and Family Services' Office of Inspector General violated the Open Records Act in partially denying John Wilson's June 9, 2008, request for copies of "all completed investigations of Bluegrass/Oakwood Communities . . . for the year of 2008." For the reasons that follow, we find that the OIG's partial denial of Mr. Wilson's request constituted both a procedural and substantive violation of the Act.
In a response dated June 24, 2008, and post-marked June 27, 2008, Inspector General Sadiqa N. Reynolds notified Mr. Wilson that the records he requested "ha[d] been gathered and the copy and postage fee . . . determined." She advised him that "[u]pon receipt of payment, the information will be reviewed to comply with the confidentiality requirements of KRS 61.870 et seq .," noting that "[a]dditional time may be required for this process as well." On July 2, 2008, 1 the OIG mailed the requested records to Mr. Wilson, but explained that "[c]onfidential information ha[d] been redacted in compliance with KRS 61.878(1)(a), which provides that 'Public records containing information of a personal nature where the public disclosure thereof would constitute a clearly unwarranted invasion of personal privacy' be withheld." 2
Shortly thereafter, Mr. Wilson initiated this appeal asserting that the records disclosed to him "were so heavily redacted that they are useless." He provided this office with copies of records released to him in response to an earlier open records request, and the same records released to him after the request that gave rise to this appeal. Mr. Wilson explained that the instant appeal was prompted by:
the requested information not being provided due to the redacting of information that was not consistent with earlier redactions and not required by law.
He acknowledged the OIG's duty to redact "the name of the victim, social security number, date of birth, or other clearly personal identifying information about the victim," but requested that "the proper information . . . be provided without the improper redacting. "
In supplemental correspondence directed to this office following commencement of Mr. Wilson's appeal, Assistant Counsel Anne E. Burnham expanded on the bases for the OIG's partial denial of his request, advising that "there were additional grounds for the redaction of information from the records in question." She observed:
Specifically, the records were redacted in accordance with the Health Insurance Portability and Accountability Act codified at 45 C.F.R. Part 164. Under the so called "HIPAA Privacy Rule, absent a valid authorization or a HIPAA compliant subpoena or court order, information relative to a patient's diagnosis, medical treatment, etc. cannot be disclosed. Furthermore, the Cabinet is bound by KRS 194A.060 to keep confidential any records that "directly or indirectly identify a client or patient or former client or patient of the cabinet" . The information that was redacted from the records provided to Mr. Wilson included individual patient's diagnoses, medical treatment information, and was redacted to protect the privacy of the individual patient therein.
Continuing, Ms. Burnham described a May 19, 2008, OIG policy change relating to disclosure of OIG investigation records:
[A]fter careful review of the records in question, generally speaking, and a review of the statutes applicable to the Cabinet, it was decided that the Cabinet was not fulfilling its duty to its clients by not redacting medical information from these records.
Noting that this change in policy accounted for the heavier redactions in the records released to Mr. Wilson in July 2008, than the same records released to him in May 2008, she concluded that "medical information relative to patients identified in complaint investigations [would thenceforward] be redacted unless a valid HIPAA compliant release or subpoena was provided . . . ." It was the OIG's position that a review of the complaint investigation records provided to Mr. Wilson after the policy change confirmed that "the essence and nature of the complaint was not redacted . . . ." Respectfully, we disagree.
Although Kentucky's courts have not yet addressed the issue of the intersection between HIPAA and the state's open records law, at least two jurisdictions have. We find their analysis highly persuasive and adopt it as our own. In State ex rel. Cincinnati Enquirer v. Daniels, 108 Ohio St.3d 518, 844 N.E.2d 1181 (Ohio 2006), the Ohio Supreme Court declared that lead risk assessment reports maintained by a city health department, and lead citation notices issued to property owners, did not contain "protected health information" (PHI) as defined in HIPAA at 42 U.S.C.A. § 1320d et seq . and 45 CFR § 164.502(a), and that even if they did contain PHI, and the health department operated as a "covered entity" for HIPAA purposes, those assessment reports and citation notices would be subject to disclosure under the "required by law" exception to the HIPAA Privacy Rule. Because Ohio's Public Records Law required disclosure of the reports and notices, and HIPAA did not supercede state disclosure requirements, the court concluded that the health department had "a clear legal duty to make the [records] available . . . ." to the requester. Id . at 2188.
At pages 1186 and 1187 of Daniels , the Ohio Supreme Court pointedly observed:
A review of HIPAA reveals a "required by law" exception to the prohibition against disclosure of protected health information. With respect to this position, Section 164.512(a)(1), Title 45, C.F.R. provides, "A covered entity may * * * disclose protected health information to the extent that such * * * disclosure is required by law * * *" (Emphasis added.) And the Ohio Public Records Act requires disclosure of records unless the disclosure or release is prohibited by federal law. R.C. 149.43(a)(1)(v).
Hence, we are confronted here with a problem of circular reference because the Ohio Public Records Act requires disclosure of information unless prohibited by federal law, while federal law allows disclosure of protected health information if required by state law. (Footnote reciting 45 C.F.R. § 164.512(a) omitted).
Continuing, the court explained the legislative context out of which the Privacy Rule arose:
[A]t the time of implementing these regulations, the Department of Health and Human Services, Office of the Secretary, promulgated Standards for Privacy of Individually Identifiable Health Information (000), 65 F.R. 82462, 82667-82668, stating, "[W]e intend [160.512(a)] to preserve access to information considered important enough by state or federal authorities to require its disclosure by law"; "we do not believe that Congress intended to preempt each such law"; and "[t]he rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations."
Similarly, in reviewing federal Freedom of Information Act ("FOIA") requests, the secretary explains that federal FOIA requests "come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law ." (Emphasis added.) 65 F.R. 82462, 82482.
Daniels at 1187. The court analogized an Ohio Public Records Act request submitted to a public agency like the Cincinnati Health Department to a FOIA request and concluded that the public agency "need determine only whether the requested disclosure is required by Ohio law to avoid violating HIPAA's Privacy Rule. " Id ., citing, Tex. Atty. Gen. Op. 681 (2004) 7, "which reached the same conclusion under Texas law."
Five months after the Ohio court determined that public agencies must look to their state's open records laws to assess the propriety of disclosure of public records in their custody, regardless of whether the agencies are "covered entities" and the requested records contain "protected health information," the Texas Court of Appeals reached the same conclusion. In Abbott v. Texas Department of Mental Health and Mental Retardation, 212 S.W.3d 648 (Tex. App. 2006), the Texas Court of Appeals held that if a public agency receives a request for records containing potentially protected health information under the state's Public Information Act, the agency must determine whether the state act compels disclosure, or authorizes nondisclosure, under the exception to HIPAA's Privacy Rule allowing disclosure of PHI to the extent "required by law." In Abbott , the Texas court analyzed the propriety of the Department of Mental Health and Mental Retardation's denial of a request for statistics relating to allegations of patient abuse and neglect. Like the Ohio court in Daniels , above, the Texas court rejected the "circular logic" advanced by the Department that agencies "contemplating disclosure under the Public Information Act are required to refer back to HIPAA, . . . HIPAA . . . prohibit[s] disclosure of [PHI], health information is considered confidential by law and, therefore, [PHI is] not subject to disclosure under the Act." Abbott at 662. In rejecting the argument, the court reasoned that the Department's:
interpretation would send us back to the start of the analysis and would prevent the disclosure of all protected health information despite the Public Information Act's default favoring disclosure of information.
Id .
The Texas court concluded that its construction of these laws:
properly balances the need for privacy under HIPAA . . . and the need for disclosure under the Public Information Act . . . correctly reconciles these two statutes. . . . [and is supported by] the Commentary to the Privacy Rule. . . .
. . .
Our construction comports with the policy of this state to disclose information regarding abuse and neglect at facilities caring for the mentally ill or mentally retarded [citations omitted]. It also is consistent with the public's interest in having access to information about the operation of these facilities.
Id. at 663 (citing State ex rel. Cincinnati Enquirer v. Daniels , above). As noted, we find the Ohio and Texas courts' analysis highly persuasive.
Kentucky's Open Records Law, which in this context parallels Ohio's Public Records Law and Texas' Public Information Act, and is determinative of the issue of access under the "required by law" exception to HIPAA's privacy rule, declares that "[a]ll public records shall be open for inspection by any person," 3 and "exhibits a general bias favoring disclosure. " 4 In light of the legislative recognition "that free and open examination of public records is in the public interest[,] . . . the exceptions provided for by KRS 61.878 or otherwise provided by law [must] be strictly construed, even though such examination may cause inconvenience or embarrassment to public officials or others." 5 Resolution of the access issue in this appeal turns on the propriety of the OIG's current interpretation of KRS 194.060(1) and whether it is consonant with the policy of strict construction of "the exceptions provided for by KRS 61.878 or otherwise provided by law ," id., (emphasis added), and thus "exhibits a general bias favoring disclosure. " Board of Examiners at 327. Our analysis of the OIG's original invocation of KRS 61.878(1)(a) mirrors our analysis of its invocation of KRS 194.060(1) inasmuch as both exceptions are aimed at protecting "the individual's right to privacy. "
KRS 194.060(1) provides:
(1) The secretary shall develop and promulgate administrative regulations that protect the confidential nature of all records and reports of the cabinet that directly or indirectly identify a client or patient or former client or patient of the cabinet and that insure that these records are not disclosed to or by any person except as, and insofar as:
Although the OIG cites no regulations supporting its policy change or, indeed, any state regulations promulgated under this statute, it asserts the necessity of now redacting its investigative records more heavily to fulfill its duty to its clients.
We have examined the OIG investigative records, both pre- and post-policy change, proffered by Mr. Wilson to support his position that the redactions are too heavy, rendering those records meaningless, and we agree with him. Extracting a single paragraph from those records, we find the following:
Before
The facility failed to protect resident (s) from neglect; i.e., On February 12, 2008 at 2:05 p.m., classroom staff Kelly Russell reported that when classroom staff I brought resident to the resident was lying over in her wheelchair with her head on her lap and her hands handing down the sides of the wheelchair. The resident had blood on her left arm. Medical was notified and noted that the nails were off of the resident's right ring finger and right middle finger. The top of the resident's ring finger was cut and 2-3 lacerations were noted to the ring finger between the 1st and 2nd knuckle. The resident was transferred to the local hospital where x-rays were negative for fractures. Upon review of the video cameras, it was discovered that staff member was transporting the resident in a reckless manner that may have contributed to the resident's injuries.
After
The facility failed to protect resident (s) from neglect; i.e., On February 12, 2008 at 2:05 p.m.,classroom staff reported that whenclassroom staff brought resident the resident was The resident Medical was notified and noted thatresident's The he resident was. Upon review of the video cameras, it was discovered that staff memberwas transporting the resident in a reckless manner that may have contributed to the resident's
We concur with Mr. Wilson in the view that the information redacted from the post-policy change investigative report neither "directly [n]or indirectly identif[ies] a client or patient or former client or patient of the cabinet. " KRS 194.060(1). While it describes the condition of an Oakwood resident that gave rise to an investigation, that resident is not identified by name, age, birth date, social security number, photograph, or any other personal identifier. There is no reasonable basis to believe that the redacted information can be used to identify that individual. We therefore conclude that the information was improperly redacted under KRS 194A.160(1), and that its disclosure would not have constituted a clearly unwarranted invasion of personal privacy under KRS 61.878(1)(a).
Pursuant to KRS 194A.030(1)(c), the Office of the Inspector General is responsible for:
The conduct of audits and investigations for detecting the perpetration of fraud or abuse of any program by any client, or by any vendor of services with whom the cabinet has contracted; and the conduct of special investigations requested by the secretary, commissioners, or office heads of the cabinet into matters related to the cabinet or its programs[.]
We find that the OIG's new policy requiring heavy redaction of its investigative records does not strike the proper balance between the individual's right of privacy and the public's right to know that the OIG discharged its statutory duty. As noted, the Open Records Act recognizes the public's interest in free and open examination of public records and is:
premised upon the public's right to expect its agencies properly to execute their statutory functions. In general, inspection of records may reveal whether the public servants are indeed serving the public, and the policy of disclosure provides impetus for an agency steadfastly to pursue the public good.
Board of Examiners at 328. Under the policy adopted by the OIG on May 19, 2008, the public is effectively foreclosed from monitoring the agency's conduct in discharging its statutory duty to investigate abuse and neglect at this state owned and operated facility for individuals with developmental disabilities. The policy therefore violates the Open Records Act, incorporating KRS 194.060(1), as the controlling law in the resolution of this dispute under the "required by law" exception to the HIPAA Privacy Rule.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Footnotes
Footnotes
1 The OIG's July 2 response was post-marked July 7.
2 The OIG violated KRS 61.880(1) by failing to respond to Mr. Wilson's request within three business days. Although the OIG cited KRS 61.878(1)(a) as the "statement of the exception authorizing the withholding" of portions of the records, the OIG did not provide "a brief explanation of how the exception applies" to those portions of the records withheld. Additionally, we note that nearly one month elapsed between the date of his request and the date on which the redacted records were mailed to him.
3 KRS 61.872(1).
4 Kentucky Board of Examiners of Psychologists v. Courier-Journal and Louisville Times Co., 826 S.W.2d 324, 327 (Ky. 1992)
5 KRS 61.871.