Opinion
Opinion By: Gregory D. Stumbo,Attorney General;Michelle D. Harrison,Assistant Attorney General
Open Records Decision
At issue in these consolidated appeals is whether the Office of the Inspector General and Adult Protective Services Branch of the Cabinet for Health and Family Services violated the Kentucky Open Records Act in denying identical requests submitted by attorney Michael F. Sutton on behalf of Kindred Hospital for copies of "any and all complaints made by Stephanie Lee Grace or others related to the treatment of Eva Lee Grace while admitted at Kindred Hospital" in Louisville, Kentucky. With the exception of a procedural violation, the Cabinet, a hybrid entity under the Health Insurance Portability and Accountability Act of 1996, has fully complied with governing state and federal law in responding to the requests submitted by Mr. Sutton. Accordingly, this office affirms the OIG's denial of Mr. Sutton's request on the basis of 45 CFR § 164.512(c) in conjunction with KRS 61.878(1)(a) , (k) and (l), and KRS 194A.060(1). In addition, this office affirms the decision of APS to condition release of the requested APS records upon completion of the Cabinet's HIPAA compliant form or receipt of a court order in accordance with 45 CFR § 164.512(c) and § 164.508(6)(c)(1).
Factual Background
In letters dated December 27, 2004, Mr. Sutton submitted the subject requests to the OIG and APS. 1 Citing KRS 61.878(1)(a) 2 as authority, Jennifer Mitchell, Director, Division of Health Care Facilities and Services, denied Mr. Sutton's request on behalf of the OIG in a letter dated January 3, 2005, because his request "relates specifically to an identified individual who purportedly received treatment for a medical condition at Kindred Hospital." As observed by Ms. Mitchell:
Release of records compiled or created by the [CHFS] for a specific patient is subject to release only upon order of a court of competent jurisdiction. It is not possible to fill this request without releasing confidential medical information that is protected from disclosure by state and federal law. 3 If you desire general information concerning this facility, you should tailor your request in a manner that avoids identification of a specific patient or patients of the healthcare facility.
On January 7, 2005, Carrie Hall, Records Management Section, Division of Protection and Permanency, responded to Mr. Sutton's request on behalf of APS, advising Mr. Sutton that her office would "review [his] request and respond [in accordance with state and federal laws governing the privacy of records] within thirty (30) days." 4 According to Ms. Hall: "State and federal law requires this office to protect the privacy and confidentiality of any individuals who may be mentioned" in its records. Therefore, personal information 5 about other people "may be redacted" from the responsive records provided.
By letter dated January 17, 2005, Mr. Sutton, of Frost Brown Todd LLC (counsel for Kindred), initiated these appeals from the Cabinet's disposition of his requests. According to Mr. Sutton, Kindred made the subject requests "to assist it in preparing its defense to a complaint filed in Jefferson County Circuit Court by the Estate of Eva Lee Grace." Attached to Mr. Sutton's letter of appeal is a copy of the "cover" of this complaint for verification. In Kindred's estimation, KRS 61.878(1)(a) does not apply to the records requested as claimed by the OIG. To the contrary:
By initiating a civil action against Kindred, the Estate of Eva Lee Grace clearly has a reduced expectancy of confidentiality concerning Grace's records. In fact, the specific records Kindred seeks are complaints that Grace and her family filed against Kindred. It would be disingenuous to claim that Grace's family has a privacy interest in the fact that Grace was a resident of Kindred Hospital when the party seeking access to these records is Kindred itself.
These records would be used only for the purposes of preparing Kindred's defense and would not be disclosed to any persons or entities not involved in the planning and preparation for the case. As such, there is no threat of an invasion of personal privacy. Therefore, under the circumstances, the disclosure of these records is appropriate and Kindred should be allowed access to the requested information.
Citing KRS 61.880(1), Kindred further contends that APS is "long overdue in its determination of whether to comply." Accordingly, Kindred asks this office to issue a decision granting Kindred the right "to access any records in the possession of the [OIG or APS] that pertain to complaints filed by or on behalf of Eva Lee Grace in relation to her medical treatment" while a patient at Kindred.
Upon receiving notification of Mr. Sutton's appeals from this office, John H. Walker, Assistant General Counsel, CHFS, responded on behalf of both the OIG and APS. As explained by Mr. Walker:
[APS and the OIG] received complaints from the family of the late Eva Lee Grace relating to issues on the quality of care provided [to] Ms. Grace while a patient at Kindred Hospital - Louisville. Both [APS and the OIG] investigated the allegations and found them unsubstantiated. There are reports of each review of the matter containing a narrative of the investigative process, including [PHI] pertaining to Ms. Grace. Frost Brown Todd asserts that it represents Kindred Healthcare in its letter of appeal. However, its request for records does not indicate who it represents or for what purpose the records are sought. 6
Both state and federal law limit access to [PHI] of private citizens. [HIPAA] even extends this protection to deceased individuals. Title 45 Code of Federal Regulations (C.F.R.) 164.502 (f) states: "A covered entity [i.e. the Cabinet] must comply with the requirements of this subpart with respect to the protected health information of a deceased individual." [APS], Records Management, and the [OIG] are unable under federal law to release data containing [PHI] to anyone who asks for it. In this situation and in situations similar to this, what is required by the [OIG] to release information of this nature is the written permission or authority of the individual appointed by the court to act as administrator or executor of the estate. In accordance with KRS 209.140, [APS] requires a written authorization from either: the person suspected of abuse or neglect or exploitation, or a medical agency with a legitimate interest in the case. KRS 209.140(1) and (3). 7
In conclusion, Mr. Walker reiterates that it is with "an abundance of caution that [APS], Records Management, and the [OIG] review requests for access to records containing [PHI]." While the Cabinet does not contend that its records are not public records, "it does argue that the sensitive nature of the content of those records as recognized by HIPAA and KRS 209.140," would constitute an unwarranted invasion of personal privacy pursuant to KRS 61.878(1)(a), (k) and (l), 8 "absent agreement or approval by the Administrator or Executor of the estate or an order from the Circuit Court in which an action is pending to release those records."
By letter dated January 28, 2005, Mr. Sutton challenges the Cabinet's position. According to Mr. Sutton, the right of privacy codified at KRS 61.878(1)(a) does not extend to deceased persons, as repeatedly recognized by the Attorney General in decisions such as OAG 92-24 and OAG 88-2, both of which were issued prior to the enactment of HIPAA. Although the Cabinet claims that it is a "covered entity" under HIPAA, Mr. Sutton emphasizes that it fails to explain why the entire Cabinet is a "covered entity" as that term is defined at 45 CFR 160.103. 9 If the Cabinet is not a covered entity, "it is not required to comply with the HIPAA Privacy Rule. " 10 As further argued by Mr. Sutton:
Moreover, even if the Cabinet is a covered entity, the HIPAA Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Kentucky law states that "[a]ll public records shall be open for inspection by any person, except as otherwise provided by KRS 61.870 to 61.884." KRS 61.872 (emphasis added). Since state law mandates the disclosure of the records and, as noted above, the Office of the Attorney General has clearly stated that the right to privacy does not extend beyond the death of an individual, the Cabinet should make the disclosure.
Citing MacHacek v. Harris, 106 Misc[.]2d 388, 389, 431 N.Y.S.2d 927, 928 (1980), Kindred further contends that "courts of other states have also found that complainants cannot expect privacy to be maintained when they make complaints to public agencies in similar contexts."
Upon receiving Kindred's supplemental correspondence, the undersigned forwarded a copy to the Cabinet for response. In a letter dated February 15, 2005, Mr. Walker elaborates upon the Cabinet's position as follows:
Frost Brown Todd is incorrect in its application of the HIPAA law to the [CHFS]. The Cabinet is a hybrid entity under the federal act. It is required to protect [PHI] in the absence of written consent to release. The federally imposed obligation is found at 45 CFR 164.502(f). 11 In the absence of a waiver from the individual involved or the executor or other representative of the estate of the individual, PHI may not be released, even on a dead person.
In 1981, the [Office of the Attorney General] upheld an appeal by the Kentucky Post from a decision of the Registrar of Vital Statistics not to allow access to death certificates in Campbell County. At that time, the Office of the Attorney General specifically ruled that dead people have no privacy rights under the open records law. [If that was] the only basis for denial of access to the records of the [OIG] containing [PHI], it would carry the day. However, as an entity covered by [HIPAA], the [CHFS] is obligated to protect records containing [PHI] on deceased persons from general access by the public. See 45 CFR 164.502(f). The open records law recognizes an exception to the general rule of disclosure of records [or] access to records otherwise made confidential by federal law or regulation. See KRS 61.878(1)(k).
The [CHFS] cannot release records containing PHI without at least one of the following: (1) an order from the court directing release of those records, or (2) a written waiver from the authorized representative of the estate. The Cabinet notes that Frost Brown Todd represents Kindred Hospital in litigation filed by the estate in Jefferson Circuit Court. If the defense firm were to obtain an order from the circuit court directing the [OIG] to release the information as a part of the discovery process[, the OIG could honor its request].
Although Frost Brown Todd cites 45 CFR 164.512(a) as authority for the proposition that the Cabinet must comply with the Open Records Act notwithstanding the specific language of 164.502(f) regarding protection of PHI on deceased persons, a careful review of § 164.512 reveals that "the general statement of compliance with other laws is limited by section[s] (c), (e) and (f). See 45 CFR 164.512(a)(2)." 12 Under § 164.512(c), "the Cabinet must give information on abuse and neglect as authorized by law." See 45 CFR 164.512(c)(1)(i). 13 As previously suggested, "a written confirmation of authority to provide records to Frost Brown Todd would assist the agency in responding" to the request for APS records as the Cabinet must provide access to health information pursuant to court orders upon receiving assurance that the other party has been provided with satisfactory notice. See 45 CFR 164.512(e)(1). In addition, the Cabinet must provide records for law enforcement purposes pursuant to 45 CFR § 164.512(e) . With respect to the APS records requested, KRS 209.140(1) authorizes release of reports on completed investigations to the suspected abuser (Kindred). "If Frost Brown Todd supplies the agency with a statement by [Kindred] authorizing release of records to Frost Brown Todd on its behalf," the Cabinet will release those records. As correctly observed by Mr. Walker, this would be consistent with 45 CFR § 164.512(c).
By letter dated February 23, 2005, Mr. Sutton replies to the arguments of CHFS on behalf of Kindred. Attached to Mr. Sutton's reply is a copy of an undated letter directed to Mr. Walker by Matthew B. Steinberg, Director and Counsel Liability Claims, Kindred Healthcare, Inc., authorizing Frost Brown Todd to "directly receive" the requested APS reports. Also enclosed is a copy of the Cabinet's response dated February 22, 2005, in which Ms. Hall advises Kindred that the Cabinet is "subject to state and federal laws" governing the privacy of the requested records. In addition, Ms. Hall notifies Kindred that her office will review its request "and respond accordingly within thirty (30) days" without further explanation. Accompanying Ms. Hall's response is a "CHFS-305, Authorization for Disclosure of Protected Health Information," which Kindred must complete before the Cabinet can release the records. In Mr. Sutton's view, "the Cabinet is not doing what it said it would do."
With respect to the OIG records at issue, Kindred challenges the Cabinet's position that Kindred is not entitled to access because the records contain Ms. Grace's PHI since "Kindred already has Ms. Grace's health information" and Ms. Grace, "being deceased, has no privacy rights under state law. " As observed by Mr. Sutton:
Although the Cabinet concedes that Kentucky law requires the disclosure of the records in this context, the Cabinet argues that HIPAA prevents it from disclosing the records. The Cabinet assumes, without attempting to explain how, it is a covered entity under HIPAA. The Cabinet merely states that it is a "hybrid entity" and does not indicate which, if any of its functions in question, are covered by HIPAA.
Regardless of whether the Cabinet is indeed a covered entity or not, the Cabinet's position that HIPAA requires the nondisclosure of the records in this context is not a correct statement of the law. In fact, the HIPAA Privacy Rule clearly permits a covered entity to disclose protected information as required by other law, including state law. 45 CFR 164.512(a).
The Cabinet's only response to this clear mandate of disclosure is that 45 CFR 164.512(a) is limited by subsections (c), (e) and (f). However, once again the Cabinet's argument misses the mark as none of those subsections add any requirements that would prevent the Cabinet from releasing the records in this context.
In conclusion, Mr. Sutton argues that KSR 61.878(1)(a) "lends no support to the Cabinet's position." To the contrary, the applicable federal law, 45 CFR 164.512(a), does not prohibit the disclosure, "deferring instead to state law, which the Cabinet concedes 'would carry the day.'"
As evidenced by the record, the Cabinet acknowledged receipt of Mr. Sutton's letter dated February 17th, which Mr. Walker immediately forwarded to the Records Management Branch where APS records are prepared for distribution. In response, Records Management sent the attached Form 305 which, according to the regulations concerning "disclosure of protection and permanency records," namely, 922 KAR 1:050, a copy of which is attached to the Cabinet's response, "must be completed by Kindred before the records can be released." Although Mr. Walker inquired as to whether the written authorization from Mr. Steinberg would suffice for this purpose, he was advised that the Form 305 is "HIPAA compliant," and the Cabinet must have the form in the event of an audit by the federal oversight agencies which monitor compliance with HIPAA.
Given the scarcity of authority on the issues presented, the Attorney General asked the Cabinet to provide this office with additional information pursuant to KRS 61.880(2)(c), in a letter directed to Mr. Walker by the undersigned on March 16, 2005. More specifically, this office asked Mr. Walker to elaborate upon his assertion that the Cabinet is a "hybrid entity" under HIPAA, specifically identifying which functions are covered, in order to assist us in resolving this threshold issue. In response, Mr. Walker explained:
[HIPAA] protects the confidentiality of [PHI]. The Cabinet, as the primary provider of health services in the executive branch, obtains and transmits PHI from covered entities throughout the nation. As such, the agency is a covered entity under 45 CFR 160.103(2) and (3). The agency would be characterized as a "hybrid" entity in that it contains both covered and non-covered components with some of its functions [] not routinely involved in the collection and transmission of PHI as a function of its activity. However, to the extent that any component of the Cabinet receives or transmits PHI, the HIPAA law applies. The federal act applies not only because the Cabinet has received or obtained PHI, but also because the entities from which PHI was transmitted [] or obtained by the Cabinet were covered entities in their own right and the obligation upon those organizations to protect PHI continues to the Cabinet. According to the federal Office of Civil Rights it may very well be a HIPAA violation to wrongfully release PHI even if the recipient of the information shared is a non-covered entity.
The [CHFS'] primary PHI entities include the Department for Mental Health and Mental Retardation Services, the Department for Public Health, the Department for Medicaid Services, Adult Protective Services, Child Protective Services, the Guardianship Program, Family Services, and the Adoptions Program. To the extent that other organizational units of the Cabinet obtain or receive PHI, the HIPAA obligation attaches and it is the responsibility of the Cabinet to protect that record. For instance, the [OIG] in its activities surrounding investigations of complaints against health care providers often reviews and obtains medical records and other data containing PHI. It may not release those records except as allowed by HIPAA and other state and federal laws, regulations and agreements, e.g. the state/federal Medicare-Medicaid agreement. The APS program often receives PHI in conjunction with its investigation of abuse, neglect and exploitation. Access to those records is governed by KRS 209.140 and 45 CFR 164.512(c). See above.
Legal Analysis - APS Records
Because the Privacy Rule only applies to covered entities, a public agency to which a request for public records is submitted must initially determine whether it qualifies as a health plan, a health care clearinghouse, or a health care provider which transmits health information electronically in connection with a transaction covered by the Rule before addressing the issue of whether the requested records contain PHI. 14 No credible argument can be made that the Cabinet does not qualify as both a health care clearinghouse and a health care provider under the definitions of each codified at 45 CFR § 160.103. More specifically, the Cabinet is properly characterized as a "hybrid entity" pursuant to 45 CFR § 164.504(a), which provides: " Hybrid entity means a single legal entity: "
(1) That is a covered entity;
(2) Whose business activities include both covered and non-covered functions; and
(3) That designates health care components in accordance with paragraph (c)(3)(iii) of this section.
In our view, the Cabinet has now satisfied its statutory burden of proof relative to this threshold issue. 15
Because the OIG and APS are among those entities within the Cabinet which perform "covered" functions, both must comply with the provisions of HIPAA, including 45 § 164.502(f), which expressly provides that a covered entity must afford the protections of Part 164, Security and Privacy, Subpart E, Privacy of Individually Identifiable Health Information, to the PHI of deceased individuals such as Eva Lee Grace. 45 § 164.502(f) is incorporated into the Open Records Act by operation of KRS 61.878(1)(k). Contrary to Kindred's assertion, 164.502(f), the more specific of the relevant provisions, applies here, as opposed to prior decisions of this office holding that a deceased person has no personal privacy rights, which would otherwise dictate the outcome. In light of this determination, the questions become whether the Cabinet properly denied Mr. Sutton's request as to the OIG records on the basis of 45 CFR § 164.512(c), in conjunction with KRS 61.878(1)(k) and KRS 61.878(1)(a), and whether the Cabinet properly conditioned release of the requested APS records upon receipt of either a completed Form 305 or a court order. Having reviewed the relevant provisions of both HIPAA and the Open Records Act, and considered the arguments of both parties, this office agrees with the Cabinet's interpretation in all respects.
When asked to explain the distinction, if any, between records in the custody of the OIG and those in the custody of APS, the Cabinet provided the following guidance:
The distinction between the records of the [OIG] and [APS] can be found in the comparison of the scope of authority for each organizational unit. [APS] investigates allegations of abuse, neglect and exploitation of adults pursuant to KRS Chapter 209. It may substantiate or fail to substantiate the allegation based upon its findings. Information routinely obtained by APS in its investigation of allegations may include medical records or other [PHI].
The [OIG] investigates allegations of patient rights [being violated] or abuse under authority of KRS 194A.030(5), 16 together with compliance with Medicare standards pursuant to an agreement with the federal government. Its investigations and inspections delve directly into medical facility and provider records to ascertain the condition of an individual and the care provided to him or her. What is in either file may differ depending upon the nature of the allegation.
Having established that HIPAA applies, the outcome of this appeal hinges on the application of 45 CFR § 164.512, the provisions of which are incorporated into the Open Records Act by operation of KRS 61.878(1)(k), as acknowledged by both parties. 45 CFR § 164.512, "Uses and Disclosures for which an authorization or opportunity to agree or object is not required," initially provides:
A covered entity may use or disclose protected health information without the written authorization of the individual, as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the situations covered by this section, subject to the applicable requirements of this section.
Pursuant to (a)(1) of this provision: "A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law." Of particular relevance here, this general language is limited by (2), which provides that a covered entity must meet the requirements of (c), (e) or (f) of this section for uses or disclosures required by law. Subsection (c), which contains the standard for disclosures about victims of abuse, neglect or domestic violence, clearly applies on the facts presented. More specifically, 164.512(c)(1)(i) and (iii) permit the Cabinet to disclose PHI regarding victims of abuse and neglect to the extent the disclosure is "required by law and the disclosure complies with and is limited to the relevant requirements of such law," or is "expressly authorized by statute or regulation, " respectively. 17 It is beyond dispute that KRS 209.140 is the applicable state law/ statute relative to the APS records. 18 Chapter 209 governs the "Protection of Adults." KRS 209.140 , Confidentiality of Information, incorporated into the Open Records Act by operation of KRS 61.878(1)(l), provides:
All information obtained by the department staff or its delegated representative, as a result of an investigation made pursuant to this chapter, shall not be divulged to anyone except:
Because the Cabinet concedes that Frost Brown Todd, acting on behalf of Kindred, qualifies as a party to which the records may be released pursuant to both KRS 209.140(1) and (3), further elaboration as to this issue is unnecessary. At this point, the narrow question remaining with regard to the APS records is whether the Cabinet properly conditioned release of the requested reports upon completion of the Form 305, a copy of which the Cabinet provided to Mr. Sutton. Based on the following, our answer is an unqualified "yes."
Even assuming that § 164.512 does not implicitly authorize the Cabinet to require completion of such a form, 922 KAR 1:510, Authorization for Disclosure of Protection and Permanency Records, explicitly requires the Cabinet to take such measures. 19 Pursuant to Section 3(1), Authorization for Disclosure of Protection and Permanency Records, if a person submits a request for disclosure of protection and permanency records which include health information or PHI, 20 the official custodian shall require the person to authorize such a disclosure:
(a) By completing and signing a "DPP-010, Open Records Request" in accordance with KRS 61.872(2), if the written request is insufficient to locate and retrieve the records requested [which is not the case here];
(b) In accordance with 45 CFR 164.508(c), by completing and signing a:
In addition, Section 5(b) incorporates the Form 305 by reference. Copies of both the Form 305 and 922 KAR 1:510 are attached to Mr. Walker's correspondence of March 2, 2005. A review of 45 CFR § 164.508 further validates the Cabinet's position. Pursuant to 164.508(6), Documentation: "A covered entity must document and retain any signed authorization under this section as required by § 164.530(j)." Subsection (c), Core Elements, provides that a valid authorization must contain at least six named elements, most of which are lacking from the written authorization which Kindred argues should suffice. 21 In our view, neither the relevant HIPAA provisions nor the related administrative regulations can be so interpreted. Accordingly, the Cabinet did not violate the Open Records Act in requiring Kindred to complete the Form 305 before releasing the requested investigatory records absent a court order, but must honor Mr. Sutton's request upon receipt of the completed form as agreed.
Legal Analysis - OIG Records
Turning to the OIG records at issue, the analysis of 45 CFR § 164.512 is equally applicable. However, KRS Chapter 194 rather than Chapter 209 governs the records generated by the OIG. Pursuant to KRS 194A.060, incorporated into the Open Records Act by operation of KRS 61.878(1)(l):
(1) The secretary shall develop and promulgate administrative regulations that protect the confidential nature of all records and reports of the cabinet that directly or indirectly identify a client or patient or former client or patient of the cabinet and insure that these records are not disclosed to or by any person except as, and insofar as:
In addition, Subsection (2) expressly provides: "In all instances, the individual's right to privacy is to be respected." When viewed in conjunction, as mandated by HIPAA, 45 CFR § 164.512 and KRS 194A.060, remove any doubt as to the confidentiality of the requested OIG records. In other words, HIPAA mandates compliance with state law, which, in turn, precludes access without consent.
In arguing that KRS 61.872, the general mandate of the Open Records Act, requires disclosure, Mr. Sutton fails to recognize the statutory exceptions codified at KRS 61.878(1) , relying instead upon the faulty premise that the right to privacy does not extend to the deceased even assuming that HIPAA applies. To the contrary, HIPAA applies, as previously noted, and the specific language of 45 § 164.502(f) overrides the more general provisions of both HIPAA and state law. As correctly argued by the Cabinet, KRS 61.878(1)(a), (k), and (l) apply here. 22 Because the subject request identifies the patient, Ms. Grace, any information relating to her care would effectively be a release of PHI, which the Cabinet is permitted to disclose only upon receipt of either an authorization from her estate or a court order, both of which are lacking in this case. 23 Authority for this conclusion includes the definition of PHI, codified at 45 CFR § 160.103, and the rules governing de-identification, codified at 45 CFR § 164.514. More specifically, 45 CFR § 164.514(h)(1)(iii)(B) lends further support to the Cabinet's position. 24
When asked by the undersigned to clarify whether completion of the Form 305 would entitle Mr. Sutton to access not only the APS records, but also the OIG records, Mr. Walker offered the following insight:
The OIG records are not covered by KRS 209.140. The completion of the Form 305 would not allow release. With respect to the OIG records, an order from the Jefferson Circuit Court following proper notice to the family would be the preferred approach. That way, any reservations about release of information could be addressed to the court by the family prior to the entry of the order. If we have a HIPAA compliant order (one which limits access to the PHI and which addresses disposition of the PHI upon completion of the case), we can release the information.
As with the APS records, the Cabinet is merely complying with the applicable provisions of both HIPAA and state law, namely, KRS 194A.060(1) and the Open Records Act, in addressing Mr. Sutton's request. Accordingly, this office affirms the Cabinet's denial as to the OIG records.
In sum, APS properly conditioned release of the requested APS records upon completion of the Cabinet's HIPAA compliant form, the "Form 305," or receipt of a court order in accordance with 45 CFR § 164.512(c) and 45 CFR § 164.508(6)(c)(1). Likewise, the OIG properly denied the subject request on the basis of 45 CFR § 164.512(c) in conjunction with KRS 61.878(1)(a), (k) and (l).
A party aggrieved by this decision may appeal it by initiating an action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Michael F. SuttonFrost Brown Todd LLC400 West Market Street, 32nd FloorLouisville, KY 40202-3363
Robert J. Benvenuti IIIInspector GeneralOffice of Inspector GeneralCabinet for Health and Family Services275 East Main Street, 5E-AFrankfort, KY 40621-0001
Jennifer MitchellDirectorDivision of Health Care Facilities and ServicesOffice of the Inspector GeneralCabinet for Health and Family Services275 East Main Street, 5 EastFrankfort, KY 40621-0001
Carrie HallRecords Management SectionDivision of Protection and Permanency Cabinet for Health and Family Services275 East Main Street, 3E-GFrankfort, KY 40621-0001
David FleenorGeneral CounselCabinet for Health and Family Services275 East Main Street, 4W-BFrankfort, KY 40621-0001 John H. WalkerAssistant General CounselOffice of Legal ServicesCabinet for Health and Family Services275 East Main Street, 5W-BFrankfort, KY 40621-0001
Footnotes
Footnotes
1 Although this office has historically criticized "open-ended-any-and-all-records-that-relate-type requests," holding that such a request is not properly framed and generally need not be honored, neither the OIG nor APS have raised this argument. Given our resolution of the substantive issues presented, further elaboration is therefore unwarranted. See 05-ORD-014, pp. 5-7, for the analysis normally employed by this office in reviewing such requests.
2 Among those records excluded from the application of the Open Records Act by virtue of KRS 61.878 are those described at (1)(a): "Public records containing information of a personal nature where the public disclosure thereof would constitute a clearly unwarranted invasion of personal privacy [.]"
3 In denying Mr. Sutton's request, Ms. Mitchell neglected to cite the specific statutory exception authorizing the withholding of the records as explicitly required by KRS 61.880(1). To this extent, the OIG's initial response is procedurally deficient.
4 Noticeably absent from Ms. Hall's response is a detailed explanation of the cause for the delay. In applying KRS 61.880(1), the Attorney General has consistently recognized that the Open Records Act contemplates production of the requested records on the third business day after receipt of the request, and not simply notification that the agency will comply. On this issue, 04-ORD-253, a copy of which is attached hereto and incorporated by reference, is controlling. Although APS may very well have been justified in delaying production of the records, its failure to either provide Mr. Sutton with copies of any existing records which are responsive to his request within three days or explain in detail the reason for the delay constitutes a procedural violation of the Open Records Act.
5 "Health Information," as defined at42 U.S.C. § 1320d(4) and 45 CFR § 160.103, means any information, whether oral or recorded in any form or medium, that:
(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(2) Relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
"Individually identifiable health information" is a subset of "health information, including demographic information collected from an individual," which either identifies the individual or with respect to which "there is a reasonable basis to believe the information can be used to identify the individual." 42 U.S.C. § 1320d(6); 45 CFR § 160.103. "Protected Health Information," or PHI, is "individually, identifiable health information:"
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained by electronic media; or
(iii) Transmitted or maintained in any other form or medium.
42 U.S.C. § 1320d(6); 45 CFR § 160.103.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
6 Under normal circumstances, neither the identity of the requester nor the purpose for which the records are being sought is relevant in the context of an Open Records appeal. However, the Cabinet must confirm that Frost Brown Todd is authorized to act on behalf of Kindred given the inherently sensitive nature of the information contained in the requested reports in order to comply with HIPAA.
7 As an alternative, Mr. Walker suggests:
In the event the representative of the estate refuses to provide authority to share data in the possession of the [OIG], there is an action pending before the courts against the facility in which she died. Nothing prevents counsel for the facility from filing a motion for an order of production [for] the records sought with the circuit court. In a judicial forum, all parties in the litigation can then come before the court to address issues relating to access, if any. Upon receipt of circuit court orders, and with the exception of routine HIPAA concerns over the form or content of that order which would be addressed in clarifying motions to the court, the [CHFS] will respect the ruling of the circuit court.
Given the complexities and stringent requirements of HIPAA, this is perhaps the most efficient approach on the facts presented.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
8 KRS 61.878(1)(k) excludes from the application of the Open Records Act: "All public records or information the disclosure of which is prohibited or restricted by federal law or regulation [,]" whereas KRS 61.878(1)(l) excludes: "All public records or information the disclosure of which is prohibited or restricted or otherwise made confidential by an enactment of the General Assembly."
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
9 Pursuant to45 CFR § 160.103, "Covered entity" means:
(1) A health plan.
(2) A health clearinghouse.
(3) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
Definitions for each of the above are codified at 42 U.S.C. § 1320d.
10 In short, the goal of HIPAA is "to improve the efficiency and effectiveness of the nation's health care system," and ensure the security and confidentiality of health information. 42 U.S.C. §§ 1320d-1320d-8; 04-ORD-143. Upon enacting HIPAA, Congress directed the United States Department of Health and Human Services to promulgate regulations establishing national privacy standards for the security and privacy of health information. HHS complied with this directive in the Standards for Privacy of Individually Identifiable Health Information, also known as the "Privacy Rule. " Id. at § 1320d-2; 45 CFR §§ 160, 164. In general, the Privacy Rule prohibits the use or disclosure of protected health care information by a covered entity except as expressly permitted or required by the Rule. Id. at § 1320d-2; 45 CFR §§ 160, 164. The Privacy Rule applies only to the "covered entities" defined at 45 CFR § 160.103.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
11 45 CFR 164.502(f) provides:
Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
12 45 CFR § 164.512(a)(2) provides: "A covered entity must meet the requirements described in paragraph (c), (e) or (f) of this section for uses or disclosures required by law."
13 45 CFR § 164.512(c)(1), Permitted disclosures, provides that "a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a governmental authority" authorized by law to receive reports of such abuse neglect, or domestic violence, except for reports of child abuse or neglect otherwise permitted:
(i) To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law[.]
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
14 45 CFR § 164.502(a) provides: "A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter."
15 Although the Attorney General has implicitly treated the Cabinet as a covered entity in the past, this appeal presents the first opportunity for this office to conclusively establish its status for purposes of HIPAA analysis. See 04-ORD-047; 03-ORD-194.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
16 In relevant part,KRS 194A.030(5) provides:
The Office of the Inspector General shall be responsible for:
(a) The conduct of audits and investigations for detecting the perpetration of fraud or abuse of any program by any client, or by any vendor of services with whom the cabinet has contracted; and the conduct of special investigations requested by the secretary, commissioners, or office heads of the cabinet into matters related to the cabinet or its programs[.]
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
17 164.512 (c)(1)(ii) permits disclosure if the individual whom the Cabinet reasonably believes to be a victim agrees, which would presumably be problematic given the underlying litigation between Kindred and the Grace estate.
18 When asked to explain in further detail theCabinet's position as to the interplay between the relevant provisions of HIPAA and KRS 209.140, Mr. Walker correctly observed:
[HIPAA] is designed to and focused upon the protection of confidentiality of [PHI]. When read in conjunction with KRS 209.140, the federal act emphasizes the importance of maintenance of confidentiality of [APS] records containing [PHI]. [HIPAA] recognizes that even deceased persons have rights to confidential treatment of health information. See 45 CFR 164.502(f). As [previously explained], any suggestion that HIPAA does not apply is without merit. The provisions of 45 CFR 164.512 when read carefully also emphasize that in order to access state records, one must comply with the requirements of state laws governing confidentiality. A careful review of section 164.512 shows that the general statement of compliance with other laws is limited by section(s) (c), (e) and (f). See 45 CFR 164.512(a)(2). Moreover, under section 164.512(c), the Cabinet must give information on abuse and neglect as authorized by state law and to the extent the disclosure is limited to and complies with the relevant state law. See 45 CFR 164.512(c)(1)(i).
In closing, Mr. Walker also acknowledged that the Cabinet must provide access to health information for law enforcement purposes under 45 CFR 164.512(e) and in judicial or administrative proceedings pursuant to court order in accordance with 45 CFR 164.512(e)(1).
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
19 922 KAR 1:510 expressly "relates to:" KRS 61.870-61.884, 45 CFR 160.103, 164.501, 164.502, 164.508, 164.512, and 164.524. "KRS 61.876 authorizes the cabinet to adopt administrative regulations regarding protection and disclosure of public records in conformity with KRS 61.870 to 61.884 [the Open Records Act] . KRS 194B.060(1) authorizes the secretary to promulgate regulations for the protection and disclosure of confidential records and reports of the cabinet's clients and former clients." Pursuant to 922 KAR 1:510 (5): "'Protection and permanency records' means a public record as defined in KRS 61870(2) and that is prepared, owned, used, in the possession of, or retained by departmental staff providing protection and permanency services."
20 Section 1(2) provides that "Health information" is defined by 45 CFR 160.103, while (4) provides that "Protected Health Information" or "PHI" is defined by 45 CFR 160.103.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
21 Having spoken with both Mr. Sutton and Mr. Walker with regard to this issue, it appears that Kindred is in the process of completing the Form 305. Because the Cabinet has acknowledged that Kindred is entitled to receive copies of the requested records upon completing the form, this office assumes that any issues relative to the APS records have been or soon will be resolved to the satisfaction of both parties.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -
22 See 02-ORD-36 for the fact specific analysis employed by this office in determining whether an agency has properly invoked KRS 61.878(1)(a).
23 Although neither an authorization nor a court order would be required if the requested records could be sufficiently redacted, the level of redacting required to remove all PHI in compliance with KRS 61.878(1)(a) and KRS 61.878(1)(k) would necessarily render the records devoid of useful information.
24 164.514(h)(1)(iii)(B) provides:
If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal it is presumed to constitute legal authority.
- - - - - - - - - - - - - - - - -End Footnotes- - - - - - - - - - - - - - - - -