Opinion
Opinion By: Jack Conway, Attorney General; James M. Herrick, Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the University of Kentucky violated the Open Records Act in its disposition of Brenna Angel's December 11, 2012, request to inspect records relating to a surgeon at the Kentucky Children's Hospital. For the reasons that follow, we conclude that the University's response was partially in violation of the Act.
In her December 11 request, Ms. Angel, a news reporter for WUKY-FM, requested to inspect or obtain copies of:
1) The number of surgeries performed by Dr. Mark Plunkett in 2010, 2011, and 2012. No patient information is requested.
2) The date of the last surgery performed by Dr. Mark Plunkett. No patient information is requested.
3) Payments received for surgeries performed by Dr. Mark Plunkett in 2010 and 2011.
4) The mortality rate of pediatric cardiothoracic surgery cases in 2010, 2011, and 2012.
5) Documentation related to any evaluations/accreditation of the pediatric cardiothoracic surgery program from 2010-2012.
On December 14, records custodian Bill Swinford responded on behalf of the University. He provided the information requested by items 1 and 3, but denied requests 2, 4, and 5.
In response to request 2, he stated: 1 "We are unable to provide you with the date that Dr. Plunkett performed his last surgery as this is protected by the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). HIPAA precludes the University's disclosure of medical records except as provided by the Privacy Rule."
In response to request 4, he stated:
We are unable to provide you with the mortality rate of pediatric cardiothoracic surgery cases as this is protected by [HIPAA]. Pursuant to the Patient Safety and Quality Improvement Act of 2005, Pub. L. 209-41, 42 U.S.C. 299b-21 -b-26, such information is also considered confidential. Further, this specific knowledge is protected pursuant to KRS Rule 502 as this is attorney-client privileged information. Additionally, this request is also denied pursuant to KRS 311.377 which provides that, "At all times in performing a designated professional review function, the proceedings, records, opinions, conclusions and recommendations of a committee, board, commission, medical staff, professional standards review organization, or other entity ? shall be confidential and privileged and shall not be subject to discovery, subpoena, or introduction into evidence in any civil action in any court or in any administrative proceeding before any board, body, or committee, whether federal, state, county, or city...." 2
We further rely on the Kentucky Supreme Court's decision in Adventist Health Systems/Sunbelt Health Care Corporation v. Trude, 880, S.W.2d 539 ([Ky.] 1994) which reaffirmed the confidentiality of medical peer review records under KRS 311.377 ? and prohibited the discovery of the proceedings, records, opinions, conclusion and recommendations of the hospitals' professional's [ sic ] review entities [.]
Responding to request 5, Mr. Swinford stated:
There is only one review for the pediatric cardiothoracic surgery program and we are unable to provide you with that evaluation/accreditation pursuant to KRS 61.878(1)(i) and (j) as these documents are either preliminary drafts, notes, correspondence with private individuals, other than correspondence which is intended to give notice of a final action of a public agency OR are preliminary recommendations, and preliminary memoranda in which opinions are expressed or policies formulated or recommended and are therefore, exempt.
He additionally cited HIPAA, the Patient Safety and Quality Improvement Act of 2005, KRE 503, and KRS 311.377.
Ms. Angel initiated this appeal on January 9, 2013. She emphasized that her request "was for dates and overall statistics, not individual patient information," and that she "was also not permitted to see documentation/correspondence related to a review of UK's pediatric cardiothoracic surgery program."
On January 18, 2013, University of Kentucky General Counsel William E. Thro responded to the appeal. Concerning the request for the date of Dr. Plunkett's last surgery (request number 2), he states:
[HIPAA] and its implementing regulations preclude the University from disclosing health information that identifies or may reasonably lead to the identification of the individual. See 45 C.F.R. 160.103. ? Because Dr. Plunkett performs relatively few surgeries and because all of his surgeries are highly complex surgeries, it is relatively easy to deduce the identity of his patients. Thus, disclosure of the date of his last surgery may reasonably lead to the identification of the patient. Accordingly, federal law precludes the University from disclosing this information.
This office has repeatedly ruled that HIPAA does not preempt the Kentucky Open Records Act. In 2008, we cited cases from Ohio and Texas for the conclusion that "protected health information" under HIPAA can be disclosed to comply with the Open Records Act under what is known as the "required by law" exception to the HIPAA privacy rule. 08-ORD-166 (copy attached and reasoning adopted as the basis for our decision herein).
45 C.F.R. § 164.512(a)(1) contains this exception, which is formulated as follows:
A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
The Texas case we cited in 08-ORD-166, Abbott v. Texas Dept. of Mental Health and Mental Retardation, 212 S.W.3d 648 (Tex. App. 2006), refers to the HHS commentary to 45 C.F.R. § 164.512, which states in pertinent part:
These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose it without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule.
Thus, we have consistently held that HIPAA defers to the state Open Records Act and is therefore no obstacle to the public's access to public records under the Act. See 08-ORD-188; 09-ORD-166; 10-ORD-161; 11-ORD-096; 12-ORD-039. Accordingly, even if Ms. Angel's request were seeking "protected health information," an assertion which is questionable at best, HIPAA would present no basis for denial of the records. Thus, the University has not sustained its burden to justify withholding records showing the date of Dr. Plunkett's last surgery pursuant to request number 2.
As to Ms. Angel's request for mortality statistics (request number 4), Mr. Thro states:
[HIPAA] precludes the disclosure of information that may reasonably lead to the identification of individual patients. Very few pediatric cardiothoracic operations are performed at the University and the overwhelming majority of those are done by Dr. Plunkett. If the University were to disclose the number of patients and the number of deaths, it would be relatively easy for someone to deduce the identity of the patients. Therefore, the University may not disclose the mortality statistics for pediatric cardiothoracic surgery cases is precluded from disclosing [ sic ].
To be sure, there may be circumstances where revealing mortality statistics would not reasonably lead to the identification of the individual patient. For example, mortality statistics for all types of surgery the [sic] entire University of Kentucky hospital over an extended period likely would not reasonably lead to the identification of individuals. Yet, when, as here, the request is confined to a small number of surgeries over a relatively short time, the mortality statistics may reasonably lead to the identification of individuals.
Moreover, even if HIPAA did not preclude disclosure, both the federal Patient Safety and Quality Improvement Act of 2005, 42 U.S.C. 299b-21-b-26 [ sic ], and KRS 311.377 prohibit disclosure of the mortality statistics. Those statutes effectively establish a privilege for the University's internal discussions regarding improving patient safety. When a patient dies, it is appropriate for the University's physicians, nurses, and attorneys to have candid discussions as to why the patient died. Such discussions are the only way to improve patient safety. Mortality statistics for a particular program are certainly relevant to those discussions and, thus, are privileged. Therefore, the University cannot disclose the mortality statistics.
Mr. Thro does not address the denial of the evaluation/accreditation records (request number 5), but we assume the University stands by the arguments articulated by Mr. Swinford, including the provisions of KRS 311.377. The record is unclear as to the exact nature of the documents withheld from inspection on the basis of this statute. Nowhere does the University identify or describe the "review for the pediatric cardiothoracic surgery program" or "evaluation/accreditation" to which it refers. With so little information, we are unable to determine that the University properly invoked KRS 311.377 as incorporated into the Open Records Act by KRS 61.878(1)(l).
Furthermore, the University has completely refused to comply with this office's request to provide a copy of the records for confidential review pursuant to KRS 61.880(2)(c) . In so refusing, the University relies primarily upon HIPAA, and secondarily upon the Patient Safety and Quality Improvement Act of 2005 ("PSQIA"), 42 U.S.C. § 299b-21 et seq.
We have previously determined that HIPAA does not impede the Open Records Act, and we note the PSQIA's similarity to HIPAA in its protection of "individually identifiable health information," which it explicitly defines by reference to HIPAA confidentiality regulations. 42 U.S.C. § 299b-21(2)(C). Without going into exhaustive detail, we observe that "identifiable patient safety work product, " which is the subject of the PSQIA's confidentiality provisions, also includes data and records which allow the identification of a provider or a reporting individual and which:
(I) are assembled or developed by a provider for reporting to a patient safety organization and are reported to a patient safety organization; or
(II) are developed by a patient safety organization for the conduct of patient safety activities;
and which could result in improved patient safety, health care quality, or health care outcomes; or
...which identify or constitute the deliberations or analysis of, or identify the fact of reporting pursuant to, a patient safety evaluation system.
42 U.S.C. § 299b-21(7)(a). "Nonidentifiable patient safety work product, " which does not allow identification of a provider, patient, or reporting individual, is not confidential. 42 U.S.C. § 299b-22(2)(B). Furthermore, "patient safety work product" as a whole "does not include information that is collected, maintained, or developed separately, or exists separately, from a patient safety evaluation system. Such separate information or a copy thereof reported to a patient safety organization shall not by reason of its reporting be considered patient safety work product. " 42 U.S.C. § 299b-21(7)(B) (emphasis added). Given the complexities of these definitions, it is crucial for us to know the form in which the subject records are maintained, whether the mortality statistic in question "exists separately ? from a patient safety evaluation system," and myriad other details that can only be afforded by an in camera review of the withheld records.
"'It has been, and remains, our practice,' pursuant to KRS 61.880(2)(c), to conduct 'an in camera inspection of the "records involved" to determine if the agency against which the appeal was brought properly denied access to those records.'" 12-ORD-220 (quoting 08-ORD-052). When a public agency refuses to comply with our request to examine the disputed records, we are "severely handicapped in conducting our review." 96-ORD-206. As a rule, we find that an agency making such a refusal has failed to meet its burden of proof, and this case is no exception. ( See 10-ORD-079, copy attached, and authorities cited therein.)
Due to the University's failure to cooperate with our request to conduct a confidential in camera review of the records pursuant to KRS 61.880(2)(c), it is impossible for us to ascertain whether the mortality statistic and/or the unspecified "review for the pediatric cardiothoracic surgery program" falls inside or outside the PSQIA's protection or that of KRS 311.377, or indeed whether any of the material is "preliminary" under the exceptions listed in KRS 61.878(1)(i) and (j). All "exceptions provided for by KRS 61.878 or otherwise provided by law shall be strictly construed," KRS 61.871, and "[t]he burden of proof in sustaining the action shall rest with the agency." KRS 61.880(2)(c). The University has failed to meet its burden of proof to sustain its denial of inspection of the public records identified in the requests numbered 4 and 5. 3
Lastly, as to KRE 503, which the University throws in without citing a specific subsection or explaining its applicability, we likewise find that the University has failed to meet its burden of establishing an exemption in connection with that rule of evidence. "An agency response denying, in whole or in part, inspection of any record shall include a statement of the specific exception authorizing the withholding of the record and a brief explanation of how the exception applies to the record withheld. " KRS 61.880(1). This statutory language requires "particular and detailed information in response to a request for documents." Edmondson v. Alig, 926 S.W.2d 856, 858 (Ky. App. 1996). Since this was not provided, we find that no grounds for an exemption have been established. We therefore must conclude that the University's disposition of Ms. Angel's request failed to comply with the Open Records Act insofar as it denied access to the requested records.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceedings.
Distributed to:
Ms. Brenna AngelBill Swinford, Esq.William E. Thro, Esq.
Footnotes
Footnotes