Opinion
Opinion By: Jack Conway,Attorney General;Michelle D. Harrison,Assistant Attorney General
Open Records Decision
USA TODAY initiated this appeal challenging the disposition by the Cabinet for Health and Family Services ("CHFS") of reporter Alison Young's request for "access to and an electronic copy of data contained in the state's public use dataset of hospital inpatient discharge data for calendar years 2012, 2011 and 2010." Ms. Young sought release of this data without any restriction being imposed on the ability of USA TODAY to "report on the names of hospitals/healthcare providers identified in the database by 'Provider ID.'" 1 USA TODAY requested the data -- and comparable data from other states -- "as part of a major examination of rising rates of maternal morbidity and mortality in the United States." CHFS agreed to comply with Ms. Young's request but conditioned release of the data on her completion of its Agreement for Use of Kentucky Health Claims Data ("Use Agreement"), pursuant to which USA TODAY would be prohibited from using or permitting others to use the data "to learn the identity of any provider that may be represented in the data." 2
Quoting KRS 216.2927(3)(b), 3 CHFS initially advised that said Use Agreement "is a statutory construction pursuant to the first clause of the first sentence." In accordance with KRS 216.2927(3)(b), CHFS "provides guidelines for use and analysis related to provider quality, outcomes, or charges." As part of its Use Agreement, CHFS developed "guidelines for use and analysis related to provider quality, outcomes, or charges" which include "prohibiting the further release of provider names. This does nothing to prevent the initial release to the public. The names simply cannot be re-released." (original emphasis). CHFS maintained that "900 KAR 7:040, Section 4(1) requires signing of the agreement to receive the data. As it stands under Kentucky law a recipient must sign the specific agreement from 2008 that you have seen, and part of the agreement is that the recipient will not release provider names." 4 Following this exchange via e-mail, Ms. Young made her formal written request by letter dated May 9, 2014, in response to which General Counsel Christian Heavrin elaborated upon the agency's position regarding application of KRS 216.2927 and 216.2929.
The question presented is whether CHFS violated the Open Records Act by conditioning release of the data requested on Ms. Young's completion of the Use Agreement. Resolution of this issue turns on whether CHFS exceeded its authority under KRS 216.2927 by imposing a requirement in the Use Agreement, which restricts the release of provider names by recipients of the data. This would exceed its authority if the requirement impermissibly modifies or vitiates the legislative intent of that statute or is not "clearly authorized" by the statute. See KRS 13A.120(2)(i) and (j). We hold that, by incorporating the Use Agreement by reference, 40 KAR 7:040, Section 6, "exceeds statutory authority" and is "repugnant to the statutory scheme." 5 CHFS, accordingly, violated the Open Records Act by deferring to the plain language of the regulation and conditioning release of the data on Ms. Young's completion of the Agreement.
On appeal USA TODAY correctly noted that the "hospital discharge datasets Ms. Young seeks contain 'de-identified' data," as information relating to individuals has been removed in order to protect the privacy of patients, but names of hospitals contained in the datasets "are not personally identifiable data elements." Likewise, USA TODAY noted that even CHFS agrees that said names "are a matter of public record that must be disclosed." USA TODAY argued that, if the agency's interpretation of KRS 216.2927(3)(b) is accepted, "it would have the nonsensical result of allowing any person to access the same public information" requested, while "prohibiting any person from discussing or otherwise publicizing the same information." Relying upon 95-ORD-77, USA TODAY also correctly asserted that such a position directly conflicts with the well-established principle "that nothing 'permits an agency to restrict a person to whom records have been released from reproducing those records or sharing them with others.'" 6 Although specifying the need to protect individual patients' privacy, " USA TODAY concluded, neither the statute nor the regulation seeks to shield hospitals or providers from scrutiny or implies that facilities have any sort of need for privacy.
In response to Courtney French's May 19, 2014, appeal on behalf of USA TODAY , CHFS observed that, prior to 2008 "there was no restriction on the dissemination of information regarding providers. However, KRS 216.2927 was amended to include subsection (3)(b) . . . . That change has been interpreted as a restriction, among other things, on the release of provider-specific information contained in the dataset. " CHFS also noted that KRS 216.2929(2) was passed, "which seems to restrict the utilization of quality and outcome measures for providers to certain nationally recognized quality indicators and to release those measures only through specific websites." To comply with said amendments, CHFS advised, it created the Agreement that Ms. Young was asked to sign and incorporated that Agreement into its regulation. However, as a result of Ms. Young's May 9 request, CHFS " would like to change the regulation and allow any requestor to have the data set without placing restrictions on its use, if it is allowed to do so under the applicable statutes ." 7 (emphasis added). CHFS included a copy of its May 21 request for an advisory opinion from the Attorney General, 8 in which Ms. Heavrin acknowledged that "[a]rguably," the prohibition against the "'sale or further release of data'" found at KRS 216.2927(3)(b), "was a restriction for the purpose of ensuring that [CHFS] was the only entity to release and/or sell the dataset itself, not a restriction on the release of analysis of the data, including data that may include the names of providers. " This reading of the statutory language, CHFS observed, supports the agency's desire "to promote transparency in healthcare, particularly the ability of the public to base perceptions of quality and outcomes on data rather than less reliable indicia such as word of mouth." According to Ms. Heavrin, "the picture is complicated by KRS 216.2929," which was amended in the same 2008 bill to add specific guidelines applicable to the CHFS for the public release of charge data (KRS 216.2929(1)(a)-(c)) and the public release of quality and outcome data (KRS 216.2929(2)(a)-(c)). The CHFS " has no objection to revising the Agreement " in order to allow USA TODAY to publish the provider specific information but is concerned the 2008 statutory amendments require it to "strictly limit the public release of provider-specific quality and outcome data." (emphasis added).
However, the CHFS acknowledged that an alternative reading of KRS 216.2929(2), which is "more supportive of transparency," would be that the requirements of the data use agreement were purposely more general in order to allow CHFS "more flexibility to determine appropriate guidelines for use of the data for non-governmental entities such as researchers, media, nonprofit organizations, healthcare providers, and other interested parties." Indeed, Ms. Heavrin observed, "if KRS 216.2927 intended to apply parallel restrictions on non-governmental use of the data to those contained in KRS 216.2929, a cross-reference so indicating would be a clear way to achieve that end." The text of KRS 216.2927, she concluded, "does not necessarily compel the reading that release of public use data set analysis that identifies providers by name is prohibited unless the analysis references national quality indicators as required by KRS 216.2929."
USA TODAY succinctly argued on appeal that KRS 216.2929(2) governs how CHFS must use and analyze the data it collects from healthcare providers, but that "has no bearing on how members of the public may analyze, report, or disseminate public portions of the data," and therefore does not give CHFS authority to restrict use of providers' names. This office agrees. It is undisputed that the privacy of individual patients must be protected; however, KRS 216.2927 and 900 KAR 7:040 are not concerned with shielding providers or hospitals from public scrutiny. KRS 216.2929 requires, "[d]ata on health-care services charges and quality and outcome measures to be publicly available on [the] cabinet's web site" and governs the issuance of reports by CHFS that are publicly accessible. KRS 216.2927, however, limits the "[t]ypes of data not to be published, released, or subject to inspection -- Public-use data agreements and privacy rules - Confidentiality of raw data," and is, therefore, concerned with protecting individual patient information. Accordingly, the concerns of CHFS regarding the perceived implications of KRS 216.2929 do not justify the impermissible restrictions and further discussion or analysis of KRS 216.2929 is unwarranted.
Regarding the application of KRS 216.2927(3)(b), this office further agrees with USA TODAY that restricting its right to publish the names of the providers contained in these public datasets "directly undercuts the legislature's intent to educate consumers about the quality of healthcare in Kentucky." KRS 216.2927(3)(b) requires data-use agreements only in those instances where CHFS releases patient-specific data. Nothing in that provision allows CHFS to prohibit a requester from re-releasing the names of providers contained in the datasets. Rather, as USA TODAY argued, KRS 216.2927(3)(b) "does not apply to the de-identified data Ms. Young is requesting, which [CHFS] agrees it is legally obligated to provide to the public." The statutory reference to HIPAA further establishes that KRS 216.2927(3)(b) "is aimed at protecting patient privacy, not the privacy of providers. Notably, even HIPAA's Privacy Rule is irrelevant to the [CHFS's] release of the data Ms. Young has requested, since the records do not contain individually identifiable patient information. See 45 C.F.R. 164.514(a)."
Under KRS 216.2921, CHFS "shall collect, pursuant to KRS 216.2925, analyze, and disseminate information in a timely manner on the cost, quality, and outcomes of health services provided by health facilities and health-care providers in the Commonwealth." Further, CHFS "shall make every effort to make health data findings that can serve as a basis to educate consumers and providers for the purpose of improving patient morbidity and mortality outcomes available to the public, . . . through the cost-effective and timely use of the media and the Internet . . . ." KRS 216.2921. As with any decision involving statutory interpretation, our duty "is to ascertain and give effect to the intent of the General Assembly." Beckham v. Board of Educ. of Jefferson County, 873 S.W.2d 575, 577 (Ky. 1994), citing Gateway Construction Co. v. Wallbaum, 356 S.W.2d 247 (Ky. 1962). In so doing, this office must refer to the plain meaning of the statute as enacted rather than surmising the meaning that may have been intended but not articulated. Stogner v. Commonwealth, 35 S.W.3d 831, 835 (Ky. App. 2000). "[I]it is neither the duty nor the prerogative of the judiciary [or this office] to breathe into the statute that which the Legislature has not put there." Commonwealth of Ky. v. Gaitherwright, 70 S.W.3d 411, 413 (Ky. 2002) (citation omitted).
The relevant statutory amendments were intended to strengthen existing provisions governing health data collection and reporting - and to ensure that consumers are provided with sufficient data regarding the costs and quality of healthcare services available to make informed healthcare decisions. To that end, CHFS Office of Health Policy ("OHP") collects and maintains both inpatient hospital discharge and outpatient services data per 900 KAR 7:030. OHP has created public use datasets containing such information, release of which is governed by 900 KAR 7:040, which expressly states that "KRS 216.2923 requires the [CHFS] to publish and make available information relating to the health care delivery and finance system that is in the public interest. KRS 216.2927 mandates that personally identifying data collected by the [CHFS] from health care providers not be released to the general public" or be released for public inspection per KRS 61.870 to 61.884 (the Open Records Act) (emphasis added). 900 KAR 7:040 further "establishes the guidelines for distribution and publication of data collected by the cabinet pursuant to 900 KAR 7:030, while maintaining patient confidentiality and further protecting personally identifying information." (emphasis added). The statutory language codified at KRS 216.2927(3)(b), requiring users of the data to abide by a public-use agreement and by HIPPA privacy rules, and prohibiting the sale or further release of data, must be viewed in this context.
"Administrative regulations properly adopted and filed have the full effect of law and are required to be enforced." Harrison's Sanitarium, Inc. v. Dep't of Health, 417 S.W.2d 137, 138 (Ky. 1967) (citation omitted); Ky. Ass'n of Chiropractors, Inc. v. Jefferson County Med. Soc'y, 549 S.W.2d 817 (Ky. 1977). However, such regulations "[m]ust be within the authority conferred upon the administrative agency. The power to make regulations is not the power to legislate in the true sense, and under the guise of regulation legislation may not be enacted." Henry v. Parrish, 211 S.W.2d 418, 422 (Ky. 1948). Rather, a statute which is being administered "may not be altered or added to by the exercise of a power to make regulations thereunder. A rule which is broader than the statute empowering the making of rules cannot be sustained." Id . Simply put, regulations must be "consistent with the statutes authorizing them." 97-ORD-136, p. 2 (addressing concerns with a regulation) ; see also 96-ORD-221; but see 13-ORD-127 (affirming the regulation) . If, on the other hand, a regulation "exceeds statutory authority or [is], in some way, . . . repugnant to the statutory scheme," there is a problem. See Joy Tech., Inc., 838 S.W.2d 406; see also Curtis v. Belden Elec. Wire & Cable, 760 S.W.2d 97 (Ky. App. 1988). Likewise, KRS 13A.120(2)(i), provides that, an administrative agency, such as CHFS, "cannot, by its rules and regulations, amend, alter, enlarge, or limit the terms of a legislative enactment." Curtis at 99; 97-ORD-136. By deferring to the plain language of the regulation and prohibiting data recipients from releasing the names of providers contained in the datasets, the agency did exactly that.
Section 2 of 900 KAR 7:040 specifies the "Encounter-Level Data" that shall be released, which includes the data element, "Provider ID." USA TODAY explained that CHFS provides data elements "routinely released" in other states. It, however, releases data fields that identify the hospital/provider IDs only after requiring the requester sign the Use Agreement prohibiting disclosure of any hospital/provider names. The Use Agreement references KRS 216.2920 - 216.2947, under which all of the health claims data is collected. "Patient level health claims data" has been "purged" of "Personal identifiers" to prevent disclosure of individual patient identification, consistent with KRS 216.2927, and the recipient of the data, therefore, must agree that information derived or summarized from patient-level data which could result in the identification of any specific individual will not be released or made public. Identifiers for hospitals, clinics, physicians, and other healthcare providers are "included on patient level records in compliance with the aforementioned statute for the purpose of making cost, quality, and outcome comparisons among providers. " Significantly, providers "shall not be identified directly or by inference in disseminated material," and users of the data "shall not contact providers for the purpose of verifying received data or summaries derived therefrom."
As written, the Use Agreement simultaneously promotes and thwarts the legislative intent of making such data publicly available so that consumers are better equipped to make cost, quality, and outcome comparisons among providers. It does so by emphasizing that "Establishment identifiers" are included for this purpose yet prohibiting recipients of the data from releasing the names of the providers. Neither the statute nor the corresponding regulation prohibits "further release" of provider/ hospital names expressly or by implication. "As a general rule of statutory construction, expressio unius est exclusio alterius provides that an enumeration of a particular thing demonstrates that the omission of another thing is an intentional exclusion." Palmer v. Com., 3 S.W.3d 763, 764 (Ky. App. 1999). Section 4 of 900 KAR 7:040 specifies the conditions governing release of data, 9 but noticeably absent is any mention of prohibiting requesters from identifying providers/ hospitals. To the contrary, Section 3(3) prohibits CHFS from withholding data "based solely on an unfavorable profile of a provider or group of providers, if the data is deemed reliable, accurate, and sufficiently free of error, as determined by the cabinet and pursuant to 900 KAR 7:030."
Any reference to provider names (or KRS 216.2929) is equally lacking from KRS 216.2927. Subsection (1) identifies the data that shall be deemed as relating to " personal privacy and, except by court order, shall not be published or otherwise released" and shall not be subject to disclosure under the Open Records Act, including any data that identifies or could be used to identify "any individual patient or member of the general public" or " any individual employee of a provider, " without express permission. (emphasis added). Data that CHFS considers "incomplete, preliminary, substantially in error, or not representative, the release of which could produce misleading information" must also be withheld. KRS 216.2927(1)(c) . Under subsection(3)(a), CHFS "shall make all aggregate data which does not allow disclosure of the identity of any individual patient, and which was obtained for the annual period covered by the reports, available to the public." In keeping with the legislative intent to ensure that personally identifiable data remains protected, subsection (b) then requires that requesters of the data abide by a public-use data agreement prohibiting the sale or further release of that data.
Nothing in KRS 216.2927 authorizes or requires the agency to condition release of the public use datasets on the user's agreement not to disclose the names of the providers contained therein. CHFS exceeded its authority under the statute by conditioning release of the health claims data on the agreement of those who request and obtain the data "to not attempt to use or permit others to use the data to learn the identity of any provider that may be represented in the data." Accordingly, CHFS violated the Open Records Act in declining to provide USA TODAY with "data contained in the state's public use dataset of hospital inpatient discharge data" for 2010-2012 unless it agreed not to "re-release" the names of providers. In light of this holding, and the possibility that future requests would be impermissibly thwarted due to application of 900 KAR 7:040 as written, CHFS may need to reevaluate this regulation. Either party may appeal this decision by initiating action in the appropriate circuit court under KRS 61.880(5) and KRS 61.882. Pursuant to KRS 61.880(3), the Attorney General should be notified of any action in circuit court, but should not be named as a party in that action or in any subsequent proceeding.
Footnotes
Footnotes
1 Ms. Young also sought "a copy of the database layout and any other related documentation that describes the database, the fields it contains, any definitions and related codes."
2 The definition of healthcare provider or "provider" is codified at KRS 216.2920(5); "Facility" is defined at 216.2920(4) and "Hospital" is defined at 216.2920(6).
3 KRS 216.2927(3)(b) provides:
Persons or organizations requesting use of the data shall agree to abide by a public-use data agreement and by HIPAA privacy rules referenced in 45 C.F.R. Part 164. The public-use data agreement shall include, at a minimum, a prohibition against the sale or further release of data, and guidelines for the use and analysis of the data released to the public related to provider quality, outcomes, or charges.
4 900 KAR 7:040, entitled, "Release of public data sets for health care discharge data," references KRS 194A.050(1), 216.2923(2)(c), and 216.2925(1), and (2) under statutory authority; 900 KAR 7:030, entitled, "Data reporting by health care providers," references KRS 216.2923(3) and 216.2925 under statutory authority.
5 Revenue Cabinet v. Joy Tech., Inc., 838 S.W.2d 406, 409 (Ky. App. 1992)(citations omitted).
6 The only restrictions that may be imposed on secondary use of records obtained under KRS 61.874(1) are codified at KRS 61.874(5), which is inapplicable on the facts presented. 96-ORD-77.
7 CHFS further indicated that "it will waive the ($ 1500.00) fee per year of requested data, provided that the Attorney General opinion allows us to release the data." Discussion of whether this fee is excessive, as USA TODAY also contended, is unwarranted in light of this decision.
8 Ms. Heavrin advised that if the agency's interpretation of the restrictions imposed is not correct "and the Agreement is too restrictive," CHFS intends to revise the Agreement "to allow those who obtain the dataset to release provider specific information." By letter dated June 24, 2014, the Attorney General respectfully declined to render an advisory opinion because this office does not opine regarding questions relative to application of the Open Records Act except in very rare circumstances and not when the question has already been presented in the context of a pending Open Records Appeal filed under KRS 61.880(2)(a).
9 Section 4, Release of Data, provides:
(1) A person or agency shall, as a condition for receiving data from the cabinet, sign an "Agreement for Use of Kentucky Health Claims Data." A person or agency receiving data shall agree to adhere to the confidentiality requirements established in subsection (2) of this section and KRS 216.2927.
(2) To protect patient confidentiality:
(a) A report or summary of data that consists of five (5) or fewer records shall not be released or made public;
(b) A person or agency receiving data shall not redistribute or sell data in the original format;
(c) Distribution of data received by the cabinet shall be approved by the custodial agency prior to receipt of the data;
(d) The data collected pursuant to 900 KAR 7:030 shall be used only for the purpose of health statistical data reporting and analysis or as specified in the user's written request for the data; and
(e) A user shall not attempt to link the public use data set with an individually identifiable record from another data set.