Opinion
Opinion By: Jack Conway, Attorney General; James M. Herrick, Assistant Attorney General
Open Records Decision
The question presented in this appeal is whether the Department for Public Health violated the Open Records Act in its disposition of attorney Dustyn Jones' February 3, 2014, request to inspect records relating to certain practices followed by local health departments. For the reasons that follow, we find no substantive violation of the Act by the Department.
In her February 3 request, Ms. Jones, on behalf of her client, the Kentucky Spirit Health Plan ("Kentucky Spirit"), requested copies of the following:
1. All documents relating to any "changes in the coding method, starting October 2013, used by Local Health Departments (LHDs) for billing medical services provided in school settings," as referred to in the January Meeting Minutes for the January 21, 2014 Medical Director Meeting, Kentucky Medicaid Managed Care Plans, attached hereto and hereinafter referred to as Exhibit A, including but not limited to any documents discussing the role of "the Secretary" in these changes, the nature of the changes and the reasons for the changes.
2. All documents relating to any "request of the MCOs to encourage 'right billing, '" as referred to in Exhibit A, including but not limited to any such request, any discussion or analysis of the request by the Cabinet for Health and Family Services ("CHFS") or Department for Medicaid Services ("DMS"), any communications with the LHDs regarding billing practices, and any response to the MCOs.
3. All documents relating to the "significant reduction in reimbursements" to LHDs, as referred to in Exhibit A.
4. All documents relating to any actions by LHDs to "eliminat[e] their school nurses" or to "reduc[e] services to offer a school nurse only one or two days a week," as referred to in Exhibit A.
5. All documents relating to the Department of Education "providing funds to LHD's to help offset these expenses," as referred to in Exhibit A.
6. All documents relating to the claim that LHDs "were already operating at a deficit in their school health programs," as referred to in Exhibit A.
7. All documents relating to the claim that LHDs "will be forced to eliminate services," as referred to in Exhibit A.
8. All documents relating to any analysis of the anticipated effect of any such elimination of services on "overall health, office visits, urgent treatment visits, and ED/hospitalization for many of our children; potentially leading to increased expenses for the MCOs," as referred to in Exhibit A.
9. All documents relating to any discussion of modifying rules, regulations, practices, and/or MCO capitation rates to allow MCOs to continue to reimburse "medical services provided in school settings," as referred to in Exhibit A.
On February 6, 2014, Staff Assistant David Spenard responded that approximately 426 pages of responsive records had been found, advised Ms. Jones of the cost, and inquired whether a compact disc or paper copies were desired. All but one of the records were sent to Ms. Jones on February 11, but by agreement the Department was allowed more time "to research an issue relating to redactions" as to the final document.
On February 14, 2014, the Department provided Ms. Jones with a redacted copy of a lengthy database-generated printout. The record is not clear as to exactly what this document represents. Ms. Jones, in her appeal, describes the document as "records entitled 'LHD Preventive Medicaid Receipts; All Provider Type Services Reimbursement FY 2012' and what appears to be internal billing records held by each local health department." Mr. Spenard explained the redactions:
KRS 61.878(1)(k) provides an exemption for "all public records or information the disclosure of which is prohibited by federal law or regulation. " DPH asserts this exemption in compliance with HIPAA [the Health Insurance Portability and Accountability Act]. Pursuant to KRS 61.878(4), DPH provides the material which is not exempt under HIPAA. DPH, therefore provides a report with redactions of the HIPAA-protected information exempt under KRS 61.878(1)(k).
DPH asserts that the redacted information is exempt under HIPAA as it describes and relates to the provision of health care to individuals. There is a reasonable basis to believe that in its non-redacted form, information from the report could be used in combination with other information to identify an individual (and thereby disclose protected health information). In order to comply with HIPAA, DPH has conducted a de-identification of the report using the Safe Harbor method of 45 CFR Section 164.514(b)(2).
Through the Safe Harbor method, DPH removes the geographic information (that is present in the report on a smaller than state basis). De-identification through this type of redaction is allowed under and consistent with 45 CFR 164.514(b)(1)(i)(B) [ sic ]. 1 DPH acknowledges that de-identification can be achieved through an alternative method, 45 CFR 164.514(b)(1), the Expert Determination method. DPH did not utilize this alternative for three (3) separate, independent reasons.
F[ir]st, DPH has the discretion to select between de-identification through the Safe Harbor method or the Expert Determination method. The use of the Expert Determination method requires a study by an expert in statistical and scientific principles and methods. Section 164.514(b)(1). No such study has been conducted for this information to date. DPH has an equally adequate and permissible method available through the Safe Harbor method. DPH does not believe that it is required to fund and conduct such a study (and produce a separate report that does not presently exist). Second, application of the Safe Harbor method to this report takes less time than the Expert Determination method. Finally, application of the Safe Harbor method is through removal (redaction) of specific, known identifiers, as defined by HIPAA, while the Expert Determination method requires a more complex process that is subject to arguments over whether the methods and results of the study are reasonable.
DPH is aware of KRS 61.878(2). The exemptions of the Open Records law do not prohibit disclosure of statistical information not descriptive of any readily identifiable person. Nonetheless, DPH reads KRS 61.878(2) in tandem with KRS 61.878(1)(k) and, in turn, HIPAA. Under HIPAA, geographic subdivision information that is smaller than a state is an identifier; therefore, there is a requirement for DPH to de-identify the identifier information in the report. This comports with both HIPAA and KRS 61.878(1)(k) and KRS 61.878(2).
Ms. Jones appealed to the Attorney General on March 10, 2014.
In her appeal, Ms. Jones alleges that the Department failed to produce responsive records in response to her request, either through failure to conduct a diligent search or through intentional withholding of records. In response to items 1, 3, 4,6, and 8 of her request, she claims that additional records should exist which were not provided. As to items 2, 5, 7, and 9, in response to which no records were provided, she argues that the Department must explain why no records exist. Finally, as to the redactions, she argues that HIPAA does not preempt the Open Records Act and that the redacted information is not "protected health information" because it cannot reasonably be used to identify individuals.
In a letter dated March 18, 2014, Assistant Counsel Catherine York, Cabinet for Health and Family Services, asserts that the Department conducted a diligent search for records and "is unaware of any [other] documents that exist that are responsive to the request. No documents have been destroyed or archived." She explains the absence of any additional records as follows:
Ms. Jones specifically alleges that surely a change in coding practice, characterized in her request # 1, could not be accomplished through a one paragraph note. She is correct. She is wrong, however, in her inference that the one paragraph was all that was used in transitioning to a new coding method and in her statement that a list of codes was referenced in the meeting request. That one paragraph note referenced a training that was conducted so that the local health departments would be aware of the imminent changes in practice which became effective after the training, it made no reference to a list of codes. The training was conducted [o]n July 18, 2013, and the changes in coding method (for which the training was conducted) became effective in October 2013. The Power Point presentation used in conducting the training was provided to Ms. Jones. ? The document, entitled "Coding Criteria for Coordinated School Health" was not attached to the note and was later created as an overview. ? Dr. White was the person involved in the new policy and aware of all aspects of the policy. She could locate no other document responsive to the request, and is unaware of any other documents that exist. DPH provided all documents responsive to Ms. Jones' request and no other documents exist. No documents were withheld.
Ms. Jones does not make any specific allegation with reference to the documents produced for requests numbered 3, 4, 6, and 8. DPH diligently searched its files and produced all responsive documents located. DPH is unaware of the existence of any other documents. No documents were withheld.
Ms. Jones also alleges that records must exist showing the MCO request referenced in her request number 2. This allegation ignores the fact that requests can be and often are made orally and never reduced to writing. Dr. White is [e]minently qualified to draw from oral representations to make a policy change and to formulate an opinion or express facts as she understands them. Mr. Spenard consulted with Dr. White and, despite a good faith effort, no documents responsive to that request could be located. Ms. Jones also claims that some document must exist related to a "presentation" made by Dr. White. Clearly an oral presentation does not require any written documents. Further, the statements made by Dr. White do not require written support. Related to request number 5, the information referenced came through oral representations. Related to request number 7, common sense tells us that if there is a reduction in budget, there will likely be a corresponding reduction in services. Related to request number 9, no "discussion of modifying rules, regulation, practices, and/or MCO capitation rates to allow MCOs to continue to reimburse 'medical services provided in school settings'" is actually referenced in the Exhibit. Despite this, DPH has searched both its electronic and paper files for responsive documents. No responsive documents have been located.
A public agency cannot afford a requester access to a record that it does not have or that does not exist. 99-ORD-98. The agency discharges its duty under the Open Records Act by affirmatively so stating. 99-ORD-150. In general, it is not our duty to investigate in order to locate documents which the public agency states do not exist.
The Kentucky Open Records Act was substantially amended in 1994. The General Assembly recognized "an essential relationship between the intent of [the Act] and that of KRS 171.410 to 171.740, dealing with the management of public records. . . ." KRS 61.8715. Given the explanations provided by the Department in light of the mandate of this statute, we find no fault with the representation that no additional responsive records existed. 2 Furthermore, it appears that a diligent search was made. We therefore find no violation of the Open Records Act in regard to the alleged existence of additional records.
Regarding the redactions made to the final document provided to Ms. Jones, Ms. York reiterates Mr. Spenard's reliance on HIPAA, but additionally invokes KRS 61.878(1)(a). She states as follows:
Pursuant to 45 C.F.R. § 164.502(a) which provides the standard for disclosure of protected health information (PHI), "A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter." 45 C.F.R. § 164.502. Neither Ms. Jones, nor her client fall into any category permitted or required to access PHI.
The fields at issue contain PHI because there is a reasonable basis to believe that they could be used to identify an individual and disclose protected health information. DPH used a publication entitled "Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule" that was issued on November 26, 2012. That document ? clearly states that information that would not normally be considered PHI becomes PHI when it is combined with health data and must be redacted. ? By virtue of a contract executed in July 2011, Kentucky Spirit possesses significant health data related to its former members. When that data is viewed alongside the geographic data redacted, the identities of the recipients of services are ascertainable.
? 45 C.F.R. 154.514 sets forth the information that must be redacted when de-identifying documents. This information includes geographical data of less than a statewide scope, the fields withheld. DPH did not randomly or reflexively select the fields to redact, but rather, determined which fields could be used to identify a person when listed with health data by using the federal regulations and the Guidance on de-identification. After review of the Guidance, DPH determined that the Safe Harbor method best met the needs of the information. Those fields, which were geographic in nature were redacted consistent with 45 C.F.R. § 164.514(b)(1)(i)(B)[ sic ]. Such a methodology is not only approved by federal regulation but also by the Kentucky Supreme Court in Kentucky New Era, Inc. v. City of Hopkinsville, 415 S.W.3d 76 (Ky. 2013). In that case, the Supreme Court expressly approved the use of categorical redaction. Id. at 89.
?
The information redacted is also protected under KRS 61.878(a)(1) [ sic ] as the release of that information would constitute an unwarranted invasion of privacy. The New Era case is also significant in that it held that "Kentucky's private citizens retain more than de minim[i]s interest in the confidentiality of the personally identifiable information collected from them by the state." Kentucky New Era at 85. While the private interest might be trumped in some instances if the information could shed significant light on the agency's conduct, the Court concluded that "the Open Records Act is meant to open the state's public agencies to meaningful public oversight, to enable Kentuckians to know 'what their government is up to.' It is not meant to turn the state's agencies into a clearing house of personal information about private citizens readily available to anyone upon request. To insure that that is not its effect, the ORA includes an express exemption for agency records the disclosure of which would amount to a clearly unwarranted invasion of personal privacy. " Id. at 89. The Attorney General has previously held that "[w]ith respect to information that identifies Medicaid recipients, we believe the private/public interest balance tips in favor of non-disclosure." 14-ORD-024[.] As such, the redaction was entirely appropriate.
(Emphasis added.)
As a matter of established precedent, we are unable to affirm the use of HIPAA as a basis for denial of access to public records. This office has repeatedly ruled that HIPAA does not preempt the Kentucky Open Records Act. In 2008, we cited cases from Ohio and Texas for the conclusion that "protected health information" under HIPAA can be disclosed to comply with the Open Records Act under what is known as the "required by law" exception to the HIPAA privacy rule. See 08-ORD-166 (copy attached).
45 C.F.R. § 164.512(a)(1) contains this exception, which is formulated as follows:
A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
The Texas case we cited in 08-ORD-166, Abbott v. Texas Dept. of Mental Health and Mental Retardation, 212 S.W.3d 648 (Tex. App. 2006), refers to the HHS commentary to 45 C.F.R. § 164.512, which states in pertinent part:
These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose it without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule.
Thus, we have consistently held that HIPAA defers to the state Open Records Act and is therefore no obstacle to the public's access to public records under the Act. See 08-ORD-188; 09-ORD-166; 10-ORD-161; 11-ORD-096; 12-ORD-039; 13-ORD-046. Accordingly, HIPAA in and of itself provides no basis for redaction of the records.
Privacy, however, is a different matter. Although belatedly invoked by the agency on appeal, we find the argument under KRS 61.878(1)(a) to be well founded. That subsection authorizes public agencies to withhold:
Public records containing information of a personal nature where the public disclosure thereof would constitute a clearly unwarranted invasion of personal privacy.
In 1992, the Kentucky Supreme Court established a standard by which we judge the propriety of a public agency's reliance on KRS 61.878(1)(a) as a basis for denying access to public records. At pages 327 and 328 of Kentucky Board of Examiners of Psychologists v. Courier-Journal and Louisville Times Co., 826 S.W.2d 324 (Ky. 1992), the Court articulated the following standard:
[G]iven the privacy interest on the one hand and, on the other, the general rule of inspection and its underlying policy of openness for the public good, there is but one available mode of decision, and that is by comparative weighing of the antagonistic interests. Necessarily, the circumstances of a particular case will affect the balance. The statute contemplates a case specific approach by providing for de novo judicial review of agency actions, and by requiring that the agency sustain its action by proof. Moreover, the question of whether an invasion of privacy is "clearly unwarranted" is intrinsically situational, and can only be determined within a specific context.
The Court admonished that "the policy of disclosure is purposed to subserve the public interest, not to satisfy the public's curiosity . . . ." Id.
In a subsequent analysis of the privacy exemption, the Court of Appeals refined this standard. Zink v. Com., Dept. of Workers' Claims, 902 S.W.2d 825 (Ky.App. 1994). At page 828 of that opinion, the court discussed its "mode of decision":
[O]ur analysis begins with a determination of whether the subject information is of a 'personal nature.' If we find that it is, we must then determine whether public disclosure 'would constitute a clearly unwarranted invasion of personal privacy. ' This latter determination entails a 'comparative weighing of antagonistic interests' in which the privacy interest in nondisclosure is balanced against the general rule of inspection and its underlying policy of openness for the public good. [ Board of Examiners ] at 327. As the Supreme Court noted, the circumstances of a given case will affect the balance. Id. at 328.
In 14-ORD-024 (copy attached), as the Department points out, we acknowledged the significant privacy interest in personal identifying information recognized by the Court in Kentucky New Era, supra, particularly in the context of health information. Indeed, the existence of HIPAA itself is a substantial indication of the strong public policy supporting the privacy of personally identifiable health information.
Accordingly, we consider the specifics of 45 C.F.R. § 164.514 as a useful guide for the implementation of this privacy interest. Subsection (b) states in part:
A covered entity may determine that health information is not individually identifiable health information only if:
(Emphasis added.) To implement subsection (b)(1) would require the availability of a statistician, who must make an expert determination that a particular disclosure is unlikely to enable the identification of individuals. Evidently the Department does not employ a statistician with the requisite expertise; furthermore, retaining such a person ad hoc would go far beyond any requirements of the Open Records Act. Cf. 05-ORD-208 ("a public agency is not obligated to compile a list or create a record to satisfy an open records request"). The alternative, subsection (b)(2), is referred to as the "Safe Harbor" method and includes the challenged removal of geographic information.
This office is not privy to exactly what information Kentucky Spirit possesses concerning its former members; however, it is clear that "as a managed care contractor, Kentucky Spirit routinely accessed and shared PHI [protected health information] with the state." 14-ORD-024. It was, therefore, not unreasonable for the Department to believe that without the redactions made, "the information could be used ? in combination with other information to identify an individual." 45 C.F.R. § 164.514(b)(2)(ii). Thus, we cannot conclude that the "Safe Harbor" method of redaction removed any more information than was necessary to protect individual health information.
As in 14-ORD-024, we find that the public purpose served by disclosure of the data in question is outweighed by the substantial interest in personal privacy as to individual health information concerning former Kentucky Spirit members. As the Court noted in Kentucky New Era, supra, "the Open Records Act ? is not meant to turn the state's agencies into a clearing house of personal information about private citizens readily available to anyone upon request." 415 S.W.3d at 89. We therefore affirm the Department's decision to redact the geographic identifiers from the local health department data pursuant to the federal "Safe Harbor" method. Accordingly, the Department for Public Health did not violate the Open Records Act.
A party aggrieved by this decision may appeal it by initiating action in the appropriate circuit court pursuant to KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceedings.
Distributed to:
Dustyn Jones, Esq.Catherine York, Esq.
Footnotes
Footnotes