Opinion
Opinion By: Gregory D. Stumbo, Attorney General; Robert S. Jones, Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the Covington Police Department properly relied on KRS 61.878(1)(a) and the Health Insurance Portability and Accountability Act of 1996 in partially denying The Kentucky Enquirer's requests for specifically identified accident and incident reports generated by that public agency. For the reasons that follow, we find that the department's partial denial of these requests was procedurally deficient and substantively incorrect.
By letter dated April 20, 2004, Kentucky Enquirer Reporter Jim Hannah requested a copy of the accident report "of the overturned CSI garbage truck taken at 9:30 a.m. Tuesday [April 20, 2004] at Madison and Hands Pike." In a response dated April 26, 2004, Lt. Col. Michael Kraft provided Mr. Hannah with a copy of the report after the following information was redacted:
3. The name and address of an "involved person" who apparently died on April 22, 2004.
Lt. Col. Kraft cited no exception authorizing these redactions and offered no explanation for the Department's partial denial of the request.
On May 11, 2004, Mr. Hannah submitted a written request for copies of:
1. The incident report for a May 6, 2004, shooting on East 13th Street in Covington;
2. The accident report for a May 1, 2004, auto accident on Hands Pike at Edwin Drive; and
3. A letter dated May 2003, signed by Dan Miles, outlining the Department's policy on the release of reports, which had at one time been posted at the Covington Police Department.
On May 14, 2004, Lt. Col. Kraft responded to this request by agreeing to release copies of the requested records upon prepayment of reasonable copying fees. Following payment for, and receipt of, the copies, The Enquirer determined that the Department had again redacted, without statutory citation, or accompanying explanation, the name, address, date of birth, social security number, race, and gender of persons identified in the records, as well as vehicle ID and registration numbers. Shortly thereafter, The Kentucky Enquirer initiated this appeal, challenging both the procedural and substantive irregularities in the Department's disposition of these requests.
In supplemental correspondence directed to this office following commencement of The Enquirer's appeal, Assistant City Solicitor Farrah D. Vaughn indicated that "the name, address, and date of birth of persons involved in [these] accidents who had received medical treatment from the City's emergency medical service [were] redacted, consistent with the policy outlined in City Solicitor John Jay Fossett's July 31, 2003 letter to [ Enquirer reporter] Shelley Whitehead . . . ." In support, she attached a copy of Mr. Fossett's letter and expressed the belief that the Department's "policy regarding release of information contained in accident and incident reports is consistent with the requirements of the Kentucky Open Records Act and the Health Insurance Portability and Accountability Act (HIPAA)."
In the referenced letter, Mr. Fossett explained:
In light of recently enacted HIPAA requirements, I have advised the City Police and Fire personnel to not release any information that would identify a person who has been treated by the City's emergency medical personnel. To do so, in my opinion, would be a violation of HIPAA and would subject the City to monetary and criminal liability.
Continuing, Mr. Fossett observed:
KRS 61.878 specifically states that "all records or information, the disclosure of which is prohibited by federal law or regulation" are excluded from application of the Kentucky Open Records Act and are subject to inspection only upon court order. Furthermore, KRS 61.878(1)(a) exempts personal information contained in ambulance or police reports from disclosure under the Act. In Kentucky Attorney General Opinion OAG 92-75, the Attorney General recognized that a public agency may adopt a policy of confidentiality under KRS 61.878(1)(a) to prohibit the disclosure of personal information when a person is treated for injuries. In OAG 83-344, the Attorney General held that this exception's protection extends to the name, address, and age of the person being transported by an ambulance service, where the person was picked up, where the person was taken, and the nature of the run. We believe that police reports, which can provide the same information, are also subject to this exemption. The Attorney General has also recognized that "the disclosure and publication of the identity of an individual transported to a hospital or treatment facility renders that individual vulnerable to 'certain predatory types such as thieves and con artists.'" OAG 76-568 at page 2.
In closing, Mr. Fossett expressed the view that "the personal information [sought] . . . is exempt under the Kentucky Open Records Act and disclosing it would be a violation of HIPAA." While we are cognizant of the need to proceed with caution in analyzing records access issues implicating HIPAA and the personal privacy exception to the Open Records Act, we cannot agree that the cited provisions operate as a statutory bar to inspection of those portions of the records withheld.
We begin by noting that the Covington Police Department's responses to each of Mr. Hannah's requests were procedurally deficient. KRS 61.880(1) mandates that if inspection of all or any portion of a requested record is denied, the agency's official custodian of records must cite the specific exception authorizing nondisclosure of the record, or portion thereof, and briefly explain how the exception applies to the record withheld. Because the Department failed to cite the statutory exception(s) upon which it relied in partially denying Mr. Hannah's requests, and explain the application of the cited exception(s) to those portions of the requested records withheld, its response violated KRS 61.880(1). The fact that the Department had previously notified an Enquirer reporter that, in its view, HIPAA precluded access to personal information appearing on accident and/or incident reports did not relieve the Department of its duties under KRS 61.880(1) relative to Mr. Hannah's requests. We urge the Covington Police Department to bear in mind, in responding to open records requests, that:
The language of the statute directing agency action is exact. It requires the custodian of records to provide particular and detailed information in response to a request for documents.
Edmondson v. Alig, Ky. App., 926 S.W.2d 856, 858 (1996). A "limited and perfunctory response" does not "amount[] to substantial compliance." Id.
Turning to the substantive issue in this appeal, we find that because the Covington Police Department is not a "covered entity, " for purposes of HIPAA analysis, records generated by police officers do not contain "protected health information," and such records are therefore not governed by HIPAA's Privacy Rule. Resolution of the question presented in this appeal, to wit, whether the Department properly redacted personally identifiable information appearing in accident and incident reports, therefore turns on the application of the open records exception upon which it relies to the information withheld. 1
The goal of HIPAA, as we understand it, is "to improve the efficiency and effectiveness of the nation's health care system" and to insure the security and confidentiality of health information. 42 U.S.C. §§ 1320(d)-1320d-8. In enacting HIPAA, Congress directed the United States Department of Health and Human Services to promulgate regulations establishing national privacy standards for health information. HHS did so in the Standards for Privacy of Individually Identifiable Health Information, also known as the "Privacy Rule. " See id. § 1320d-2; 45 C.F.R. pts. 160, 164. In general, the Privacy Rule prohibits the use or disclosure of protected health care information by a covered entity except as otherwise permitted or required by the Rule. See id. § 164.502(a); § 164.103. The Privacy Rule applies to: (1) a health plan; (2) a health care clearinghouse; and (3) a health care provider who transmits any health information in electronic form in connection with transactions governed by subchapter C, subtitle A of Title 45 of the Code of Federal Regulations. See 42 U.S.C. § 1320d-1(a); 45 C.F.R. § 160.102 . These, then, are the "covered entities, " defined at 45 C.F.R. § 160.103, to which the Privacy Rule applies. Because the Privacy Rule only applies to covered entities, a public agency to which a records request has been submitted must first determine whether it qualifies as a health plan, a health care clearinghouse, or a health care provider which transmits any health information in electronic form in connection with a transaction covered by the Rule. Only if the agency resolves this issue affirmatively must it proceed to a determination of whether the requested records contain protected health information 2 that is subject to the Privacy Rule. 45 C.F.R. § 164.502(a).
The Covington Police Department is neither a health plan, a health clearinghouse, nor a health care provider that transmits health information in electronic form in connection with a transaction that is subject to the Privacy Rule. As noted by the Texas Attorney General in the only existing legal analysis of these issues:
[A police department] is not a covered health care provider because it is not a provider of services as defined in the two pertinent federal provisions referenced in the definition of health care provider, or an entity that furnishes, bills, or is paid for health care in the normal course of business. See [45 C.F.R. § 160.103]. The Assistant Secretary for Planning and Education at [Health and Human Services], in commenting on the Privacy Rule, stated that: "this rule regulates the ability of health care clearinghouses, health plans, and covered providers to use and disclose information. It does not regulate the behavior of law enforcement officials . . . or prevent states from regulating law enforcement officers."
Tex. Att'y Gen. ORD-681 (2004), p. 9, citing 65 Fed. Reg. 82462, 82680 (2000). Records generated by police officers do not contain protected health information, even if those records reflect the officer's observations of an individual's medical condition, and such records are not governed by the Privacy Rule. The incidental delivery of emergency aid by a police officer does not transform the police officer into a health care provider since his primary function is the protection of public safety. Simply stated, HIPAA has no application to records generated by a police department in discharging its duty to protect public safety. Our decision therefore turns on the application of the Open Records Act, and the exception cited, to those portions of the records withheld.
With reference to the Covington Police Department's redaction of personally identifiable information from the requested accident reports, we refer the parties to 02-ORD-19. In that decision, the Attorney General held that the Lexington Fayette Urban County Government Division of Police improperly relied on KRS 61.878(1)(a) in partially denying the requesting newsgathering organization access to portions of accident reports containing personal information. We reasoned that because KRS 189.635(6) places no restriction on the information in the accident reports that must be disclosed to newsgathering organizations, limiting only the uses to which the information may be put, these organizations are entitled to unrestricted access to accident reports per KRS 189.635(5). A copy of that decision is attached hereto and incorporated by reference. Because The Kentucky Enquirer is a newsgathering organization whose purpose in obtaining the accident reports is to publish the news, the Covington Police Department must furnish The Enquirer with unredacted copies of the reports.
With reference to the Covington Police Department's redaction of personally identifiable information from the requested incident report, which involved a shooting, we refer the parties to 02-ORD-36. In that decision, the Attorney General held that the City of Louisville Division of Police's policy of blanket redaction of personally identifiable information from police incident reports was not legally supportable.
While the Attorney General has recognized, and continues to recognize, that victims of crime have a privacy interest in records which relate to them which may, in some instances, outweigh the public's interest in disclosure of those records, we have not abandoned extensive interpretation of the Open Records Law as it relates to records which reveal the identities of crime victims. On this basis, the Attorney General has consistently recognized a public agency cannot adopt a policy of blanket nondisclosure relative to records revealing victims identities. 94-ORD-133 (public agency cannot adopt policy under which all entries on 911 dispatch log are withheld) .
The Kentucky Supreme Court held in Kentucky Board of Examiners of Psychologists v. The Courier-Journal and Louisville Times Co., Ky., 826 S.W.2d 324 (1992), application of KRS 61.878(1)(a) requires case specific balancing of policy favoring free and open examination of public records against privacy interests and the possibly unwarranted invasion of privacy. Prior to that decision the Attorney General had similarly held that "in a given case, the privacy interests of the victims could outweigh the public's right to inspect government records." OAG 91-94, p. 5. Against this privacy interest, we must weigh the competing public interest in determining "whether the public servants are indeed serving the public" and public agencies are properly executing their statutory functions. Board of Examiners at 828.
The narrow question presented in this appeal is whether the public's interest in monitoring the manner in which the Covington Police Department discharges its duties outweighs the privacy interests of the victim and other private citizens in information redacted from the incident report. Zink v. Commonwealth, Ky. App., 902 S.W.2d 825(1994). Disclosure of the identities of the victim and "involved persons" provides opportunity for public review of the manner in which the Covington Police carry out the public business of law enforcement and crime investigation. Further, the nature of the offense, homicide, does not implicate a heightened privacy interest inuring to the victim or "involved persons", absent some extenuating circumstance. Compare 02-ORD-36 and 03-ORD-153 (victims of sexual offenses have a fundamental right to privacy due to the inherently private nature of the crime which outweighs the public interest served by disclosure of the victim's identity). Therefore, to the extent identities were redacted the Covington Police Department was in error.
On the other hand, disclosure of personal information beyond the identities of the crime victim or "involved persons", in this instance addresses and dates of birth, only minimally serves the purposes of the Act since disclosure of the identity of the victim and "involved persons" is sufficient to allow public scrutiny of the actions of the police department. Consequently, these personal details which are "generally accepted by society" as carrying an expectation of privacy outweigh the minimal public interest in disclosure. Zink, at 828-829; accord Hines v. Commonwealth, Department of Treasury, Ky.App., 41 S.W.3d 872, 876(2001). In so holding, we are guided by the observations that "information is no less private simply because that information is available someplace." Zink at 828. Moreover, "the policy of disclosure is purposed to subserve the public interest, not to satisfy the public's curiosity." Board of Examiners at 328. We find no violation in the redaction of addresses and dates of birth by the Covington Police Department under the facts of this case.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Footnotes
Footnotes
1 We are indebted to the Office of the Texas Attorney General for the thorough and well-reasoned analysis of the interplay between HIPAA and that state's Public Information Act found at Tex. Att'y Gen. ORD-681 (2004), determining, inter alia, that a police department is not a "covered entity" and its records are not subject to HIPAA's Privacy Rule.
2 "Health information" is defined at 42 U.S.C. § 1320d(4) and 45 C.F.R. § 160.103 as oral or recorded information, in any form or medium, that is created or received by seven named entities and "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual." "Individually identifiable health information" is a subset of "health information" that includes demographic information and identifies an individual or can reasonably be used to identify an individual. 42 U.S.C. § 1320d(6); 45 C.F.R. § 160.103. "Protected Health Information" is "individually, identifiable health information that is transmitted or maintained in electronic media" or transmitted or maintained "in any other form or medium." 42 U.S.C. § 1320d(6); 45 C.F.R. § 160.103.