From Casetext: Smarter Legal Research

Gandhi v. Ctrs. for Medicare & Medicaid Servs.

United States District Court, District of Columbia
Mar 30, 2023
665 F. Supp. 3d 49 (D.D.C. 2023)

Opinion

Case No. 21-cv-2628 (CRC)

2023-03-30

Ashvin Dhiren GANDHI, et al., Plaintiffs, v. CENTERS FOR MEDICARE AND MEDICAID SERVICES, Defendant.

Remi Jaffre, Pro Hac Vice, Tali R. Leinwand, Pro Hac Vice, Jenner & Block LLP, New York, NY, Ishan Kharshedji Bhabha, Jenner and Block, LLP, Washington, DC, for Plaintiffs. Dedra Seibel Curteman, U.S. Attorney's Office, Civil Division, Washington, DC, for Defendant.


Remi Jaffre, Pro Hac Vice, Tali R. Leinwand, Pro Hac Vice, Jenner & Block LLP, New York, NY, Ishan Kharshedji Bhabha, Jenner and Block, LLP, Washington, DC, for Plaintiffs. Dedra Seibel Curteman, U.S. Attorney's Office, Civil Division, Washington, DC, for Defendant. MEMORANDUM OPINION CHRISTOPHER R. COOPER, United States District Judge

The central question in this case is whether the employer-identification numbers of health care organizations and their parent companies are confidential records that may be properly withheld from a Freedom of Information Act response. Answering no, and finding that release of the records at issue will not risk inadvertent disclosure of more sensitive personal information like social security numbers, the Court will grant summary judgment for Plaintiffs and against the responding agency, the Centers for Medicare and Medicaid Services.

I. Background

Health care providers covered under the Health Insurance Portability and Accountability Act ("HIPAA") must obtain a unique identification number known as a National Provider Identifier ("NPI"). Pls.' Cross-Mot. Summ. J. & Opp'n to Def.'s Mot. ("Pls.' Mot."), Ex. 2 at 3, 5 ("NPI Explainer"). To receive an NPI, all providers—ranging from individual physicians to organizations like hospitals and labs—must complete an application form and submit it to the Centers for Medicare and Medicaid Services ("CMS"). Id. at 5, 7; Def.'s Mot. Summ. J. ("Def.'s Mot."), Ex. 6 ¶ 8 ("Gilmore Decl."). The form contains numbered boxes calling for the applicant's name, address, and other identifying information. Pls.' Mot., Ex. 10 ("NPI Application"). Individual providers, including sole proprietorships, are prompted to provide their social security number or, in the case of an applicant who does not qualify for a social security number, an Individual Tax Identification Number ("ITIN"). Id. at 1-3. Organizational providers are asked to supply their Employer Identification Number ("EIN"), a type of tax-identification number assigned to businesses by the Internal Revenue Service. Id. at 2-3. The application form clearly instructs organizational applicants, in bold: "Do not report an SSN in the EIN field." Id. at 3. Organizational applicants, but not individuals, are also required to indicate the tax-identification number of any " 'parent' organization health care provider" ("Parent TIN"). Id. (Not to be confused with an ITIN, the Parent TIN called for in the application is, to be more precise, the EIN of the parent organization. An EIN, like a social security number or an ITIN, is a specific type of tax-identification number issued by the IRS.) The form further indicates that "information submitted on this application (except for Social Security Number, IRS Individual Tax Identification Number, and Date of Birth) may be made available on the internet." Id.

CMS maintains NPIs, along with associated names and tax identifiers, in a database of registered health care providers called the National Plan and Provider Enumeration System ("NPPES"). Gilmore Decl. ¶¶ 8, 13. CMS periodically extracts fields from the NPPES database showing basic identifying information for registered providers and makes them available to the public in a downloadable spreadsheet file, id. ¶ 13, which Plaintiffs refer to as the "full replacement monthly NPI File." Pls.' Mot., Ex. 12 ¶ 3 ("Gandhi Decl."). CMS excludes tax information, including the EIN, ITIN, and Parent TIN database fields, from the publicly released file. Gandhi Decl. ¶ 3.

Plaintiffs Ashvin Gandhi and Samuel Antill are university professors researching "whether the Department of Health and Human Services and CMS collect accurate data on the ownership structures of health care providers." Pls.' Mot. at 15-16. In aid of that endeavor, Plaintiffs filed a Freedom of Information Act ("FOIA") request with CMS for "the unredacted Employer Identification Number (EIN) and Parent organization Taxpayer Identification Number (TIN) corresponding to all records in the full replacement monthly NPI File." Pls.' Mot., Ex. 1 at 1. Plaintiffs' request did not seek social security numbers or any data pertaining to individual health care providers or sole proprietorships.

After several searches, CMS identified responsive fields from the NPPES database for some 1.6 million registered providers, but invoked FOIA Exemptions 4 and 6 to withhold all of the records. Def.'s Reply & Opp'n to Pls.' Mot. Summ. J., Ex. 3 ¶¶ 9-11 ("Gilmore Supp. Decl."). Further, CMS asserted that it could not release the requested EINs and Parent TINs even if Exemptions 4 and 6 did not apply because some individual providers "may have" mistakenly provided their social security numbers (or ITINs) in the parts of the NPI application calling for organizational EINs or Parent TINs, and CMS has no way of removing those personal identifiers from the database fields Plaintiffs seek. Gilmore Decl. ¶¶ 29-38.

The parties have filed cross-motions for summary judgment along with supporting declarations. The Court heard oral argument on March 14, 2023.

II. Standard of Review

Summary judgment may be granted when the moving party establishes that there is no genuine issue of material fact and that it is entitled to judgment as a matter of law. Fed. R. Civ. P. 56(a). Summary judgment is the typical mechanism to determine whether an agency has met its FOIA obligations. See, e.g., Judicial Watch, Inc. v. CFPB, 60 F. Supp. 3d 1, 6 (D.D.C. 2014).

Under FOIA, an agency is first required to make an adequate search for any responsive records. See Rodriguez v. U.S. Dep't of Def., 236 F. Supp. 3d 26, 34 (D.D.C. 2017). In addition to demonstrating that it conducted an adequate search, the agency must also justify any withholdings it has made pursuant to a FOIA exemption. See, e.g., Larson v. Dep't of State, 565 F.3d 857, 862 (D.C. Cir. 2009). Justification can be provided through sufficiently detailed agency affidavits, see, e.g., id., which are "accorded a presumption of good faith." SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C. Cir. 1991). Because the primary purpose of FOIA is disclosure, exemptions are construed narrowly. See, e.g., DiBacco v. U.S. Army, 795 F.3d 178, 183 (D.C. Cir. 2015).

Plaintiffs contested the adequacy of the initial search, which only produced around 275,000 lines of data, because public records indicated that considerably more health care providers have registered for NPIs. Pls.' Mot. at 5-7. After receiving Plaintiffs' cross-motion, CMS acknowledged that the initial search was unduly limited in several respects. Def.'s Reply at 4; Gilmore Supp. Decl. ¶¶ 8, 33. A supplemental search produced around 1.6 million lines of data, Def.'s Reply at 4, causing Plaintiffs to withdraw their adequacy objection, see Pls.' Reply at 2 ("[Plaintiffs] no longer have any reason to believe that CMS's search (as supplemented by the additional search it conducted after reviewing Plaintiffs' cross-motion) was inadequate[.]").

FOIA also requires "[a]ny reasonably segregable portion of a record [to] be provided to any person requesting such record after deletion of the portions which are exempt . . . ." 5 U.S.C. § 552(b). Thus, "non-exempt portions of a document must be disclosed unless they are inextricably intertwined with exempt portions." Mead Data Cent., Inc. v. Dep't of Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977). Agencies must provide "the reasons behind their conclusions" that non-exempt material is not reasonably segregable. Id. at 261. "Nevertheless, '[a]gencies are entitled to a presumption that they complied with the obligation to disclose reasonably segregable material,' which must be overcome by some 'quantum of evidence' by the requester." Henderson v. ODNI, 151 F. Supp. 3d 170, 179 (D.D.C. 2016) (quoting Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007)).

The government must also demonstrate at summary judgment that it has satisfied the standards imposed by the FOIA Improvement Act of 2016, which allow an agency to withhold information only if it "reasonably foresees that disclosure would harm an interest protected by an exemption" to FOIA or "disclosure is prohibited by law." 5 U.S.C. § 552(a)(8)(A)(i). The statute's "distinct foreseeable harm requirement . . . foreclose[s] the withholding of material unless the agency can articulate both the nature of the harm [from release] and the link between the specified harm and specific information contained in the material withheld." Reps. Comm. for Freedom of the Press v. FBI, 3 F.4th 350, 369 (D.C. Cir. 2021) (second alteration in original) (internal quotation marks omitted); see also Ctr. for Investigative Reporting v. U.S. Customs & Border Prot., 436 F. Supp 3d 90, 113 (D.D.C. 2019) ("The foreseeable-harm requirement, as applied to Exemption 4, enhances the useful 'tool' of FOIA.").

III. Analysis

CMS withheld all responsive records by relying on both Exemption 4, 5 U.S.C. § 552(b)(4), which shields confidential commercial or financial information from disclosure, and Exemption 6, 5 U.S.C. § 552(b)(6), which protects personnel records "the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." CMS further asserts that even if the exemptions do not apply, it still cannot produce any data because it cannot segregate the EINs and Parent TINs from social security numbers that may have been inadvertently captured in the NPPES database due to errors made by individual providers in filing out the NPI application. Plaintiffs contest each of these claims.

A. Exemption 4

FOIA Exemption 4 permits an agency to withhold "trade secrets and commercial or financial information from a person [that are] privileged or confidential." 5 U.S.C. § 552(b)(4). To qualify for Exemption 4, the withheld information must be (1) "commercial or financial"; (2) "obtained from a person"; and (3) "privileged or confidential." Citizens for Responsibility and Ethics in Wash. v. Dep't of Justice, 58 F. 4th 1255, 1262 (D.C. Cir. 2023) ("CREW") (quoting Pub. Citizen Health Rsch. Grp. v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983)).

The Court will begin (and end) its analysis with the confidentiality requirement, which is the primary focus of the parties' briefing. For purposes of Exemption 4, information is considered confidential if it is "customarily kept private, or at least closely held, by the person imparting it." Food Mktg. Inst. v. Argus Leader Media, — U.S. —, 139 S. Ct. 2356, 2363, 204 L.Ed.2d 742 (2019). Information may also be considered confidential "if the party receiving it provides some assurance that it will remain secret." Id. While the first condition is mandatory, the Supreme Court has not definitively said whether the second condition is also required. See id. Nor has the D.C. Circuit. CREW, 58 F.4th at 1269 ("We likewise do not decide whether the second condition must be met[.]") As it stands, then, "[t]he current law of the D.C. Circuit . . . is that information is confidential under Exemption 4 'if it is of a kind that would customarily not be released to the public by the person [or entity] from whom it was obtained.' " Renewable Fuels Ass'n v. EPA, 519 F. Supp. 3d 1, 12 (D.D.C. 2021) (second alteration in original) (quoting Critical Mass Energy Project v. Nuclear Regulatory Comm'n, 975 F.2d 871, 879 (D.C. Cir. 1992)). "The party opposing disclosure bears the burden of proving the information is confidential." Ctr. for Auto Safety v. Nat'l Highway Traffic Safety Admin., 244 F.3d 144, 148 (D.C. Cir. 2001).

In assessing Exemption 4's confidentiality requirement, courts generally "consider how the particular party [providing the records] customarily treats the information, not how the industry as a whole treats the information." Id. That is a challenging task here, however, given that Plaintiffs' FOIA request implicates over 1.6 million health care providers, ranging from large, corporate hospitals to small clinics and physician groups. Still, the burden remains with CMS to show that at least some registered organizational providers keeps their EINs and Parent TINs confidential. Id.

CMS does not really attempt to satisfy this burden. Rather, the agency focuses on its perceived obligations to keep EINs and Parent TINs confidential. Specifically, CMS indicates that it consulted with the IRS, which explained that it keeps EINs and TINs confidential and only releases them with consent of the taxpayer. Def.'s Mot. at 10. CMS thus concludes that it "cannot release these EINs and TINs under lower standards than those that the IRS (who has created these EINs) requires." Gilmore Decl. ¶ 21. The only support CMS offers for this position is a provision of the Internal Revenue Code that requires tax return information, including "a taxpayer's identity," to be kept confidential absent the taxpayer's consent. Def.'s Mot. at 10-11; see 26 U.S.C. § 6103 (a), (b)(2)(A), (c). But CMS acknowledges that it does not receive the EINs and Parent TINs from health care providers for tax purposes. Gilmore Decl. ¶ 21. Nor does it seek to withhold the EINs under Exemption 3, which applies to records exempted from release under FOIA by another statute. See 5 U.S.C. § 552(b)(3). As it relates to Exemption 4, the tax code's confidentiality provision does not speak to the central question at hand: whether institutional health care providers treat EINs and Parent TINs as confidential.

Any suggestion that 26 U.S.C. § 6103 prevents CMS from disclosing EINs is also belied by, as discussed below, CMS's own acknowledgement that EINs are disclosable under FOIA and the widespread release of EINs by other agencies outside the tax context.

Plaintiffs, meanwhile, offer substantial evidence that many businesses do not treat their EINs and Parent TINs as private information. For example, they point out that publicly traded companies include their EINs in filings with the Securities and Exchange Commission, which are accessible to the public through the Commission's EDGAR database. See Pls.' Reply at 6; Gandhi Decl. ¶ 9. They also attest that over 800,000 companies with retirement and welfare benefit plans, public and private alike, include their EINs on an IRS form which the Department of Labor makes public each year. Gandhi Decl. ¶ 9. Finally, Plaintiffs note online databases where one can search for companies' EINs for a fee. See, e.g., Pls.' Mot. at 11 & n. 15; Pl.'s Reply at 5.

Plaintiffs also maintain that health care providers are "frequently required to identify [themselves] by [their] EIN and Parent TIN" when filing claims with an insurer. Pls.' Mot. at 8. That may well be so. But giving an insurance carrier an EIN would not, by itself, evidence an expectation on the part of the provider that the insurer would then release the EIN publicly.

CMS does not contest these examples of public disclosure of EINs and acknowledges that they can be obtained through "pay-for-subscription services." Gilmore Supp. Decl. ¶ 56. The agency instead tacks to the second factor that courts consider in assessing the confidentially prong of Exemption 4: whether the party receiving the information in question has provided an assurance of privacy to the provider. CMS argues that it gave registered health care providers such an assurance in a 2013 "Read Me" notice discussing the data that CMS includes in the publicly released file of NPPES providers. Def.'s Mot., Ex. 5 at 5-6 ("Read Me"). The notice advised that some providers had mistakenly provided their SSN or ITIN in parts of the NPI application that called for a business EIN. Id. To ensure that such inadvertently provided personal information was not included in the "FOIA-disclosable fields" of the database, CMS explained that it had previously "t[aken] action to temporarily suppress reported EINs" from the public NPPES file, "even though they are disclosable under FOIA." Id. at 5. The agency further explained that it was continuing the "suppression of the EINs and the suppression of the Subpart Parent Organization TINs of all Organizations in the downloadable file." Id. at 6. CMS went on to indicate, however, that it "expects to lift the suppression of EINs and Parent Organization TINs in the future." Id. It also "urged health care providers to review their NPPES FOIA-disclosable data to ensure that it is correct and to remove any inappropriate or sensitive information[.]" Id. at 5.

This decade-old notice hardly offered providers an assurance of confidentiality. Not only does it explicitly inform providers (contrary to the agency's position in this case) that EINs "are disclosable under FOIA," it warns them that withholding of EINs from the public domain was only a temporary fix to enable physicians to correct any errors in their own listings. What's more, the NPI application form itself tells providers that, except for their SSNs, ITINs, and dates of birth, all of the information submitted in the application, which includes EINs and Parent ITINs, "may be made available on the internet." NPI Application at 3. Based on all this, CMS has not established that it assured providers that it would keep their EINs and Parent TINs private.

Similarly, CMS has not established that a foreseeable harm would occur if the EINs were released. Even though many businesses' EINs are already in the public domain, the government sounds an alarm that releasing NPPES providers' EINs and Parent TINs would increase the risk of corporate identity theft for those entities whose EINs may not be accessible currently. Def.'s Mot. at 10. The Court echoed this concern at oral argument, particularly for small medical practices that may not have the resources to detect or prevent a bad actor from misusing its EIN. Mot. Hr'g at 32-35. The Court wondered aloud whether someone could use a small business's EIN to fraudulently obtain, say, a line of credit or government relief funds. Id.

Yet, CMS offers no competent evidence of a risk of corporate identity theft, or any other harm for that matter, stemming from the release of the EINs and Parent TINs at issue in this case. Government counsel conceded at oral argument that there is no such evidence in the record. Id. at 20-21. Moreover, the Small Business Association acknowledged in a recent FOIA case in this district (again, contrary to the government's litigating position in this case) that EINs are not subject to FOIA withholding generally. See WP Company LLC v. U.S. Small Business Administration, No. 20-1240 (JEB), 2021 WL 2982173 at *2 (D.D.C. July 15, 2021) ("SBA admitted that EINS are not themselves exempt from disclosure[.]"). That acknowledgment, particularly by an agency that routinely handles sensitive information received from small businesses, suggests the risks of harm are low.

CMS does cite to two short blog posts discussing the potential dangers of corporate identity theft. Gilmore Supp. Decl. ¶ 23. But the posts are not sourced or authenticated.

The EINs in WP Company were ultimately held not to be subject to release due to segregability concerns different from those raised by CMS here. WP Company LLC v. U.S. Small Business Administration (V), 575 F. Supp. 3d 114, 120-21 (D.D.C. 2021).

Accordingly, CMS has failed to provide sufficient evidence that health care providers treat EINs and Parent TINs as confidential. Plaintiffs are therefore entitled to summary judgment as to CMS's reliance on Exemption 4.

B. Exemption 6

CMS's reliance on Exemption 6 fares no better. Under Exemption 6, an agency may withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. § 552(b)(6). But Exemption 6 is designed to protect "personal privacy," not the privacy interests of business entities. See Sims v. CIA, 642 F.2d 562, 572 n.47 (D.C. Cir. 1980) ("Exemption 6 is applicable only to individuals."); Nat. Parks and Conservation Ass'n v. Kleppe, 547 F.2d 673, 685 n.44 (D.C. Cir. 1976) ("The sixth exemption has not been extended to protect the privacy interests of businesses or corporations.") Plaintiffs stress in their cross-motion that they do not request SSNs, ITINs, or any other information pertaining to individuals, Pls.' Mot. at 15, which is consistent with their FOIA request. The agency is silent on this issue in its Reply, effectively waiving its reliance on Exemption 6. See Monroe-Evans v. Berryhill, No. 16-1081, 2017 WL 4075158, at *4 (D.D.C. September 13, 2017) (arguments not responded to in briefing are conceded).

Accordingly, the Court will also grant summary judgment for Plaintiffs as to CMS's invocation of Exemption 6.

C. Segregability

Lastly, CMS maintains that, even if the requested EINs and Parent TINs are not protected by any FOIA exemptions, the agency still must withhold them because it cannot separate the responsive data from exempt SSNs and ITINs in the NPPES database. Def.'s Mot. at 12-14. CMS asserts that individuals "may have provided SSNs" in parts of the NPI applications, but the agency "does not have any electronic means within NPPES data fields to segregate data like SSNs or ITINs that is related to sole proprietors from data like EINs that is related to businesses, partnerships, or corporations." Gilmore Decl. ¶¶ 33-35. CMS also asserts that the EIN fields themselves "may actually contain SSNs instead of EINs" due to "error in input by the submitter, or from a sole proprietor entering their SSN information in the field." Id. ¶ 36.

As an initial matter, it is irrelevant whether applicants may have entered SSNs or ITINs in response to questions on the NPI application calling for information other than the EINs and Parent EINs Plaintiffs seek. Any such entries would not have wound up in the EIN and Parent TIN fields of the NPPES disclosure, which are the only fields at issue in this case.

As for whether isolated SSNs may be erroneously included in the EIN or Parent TIN fields, CMS has not met its burden to support withholding based on segregability. First of all, there is no evidence before the Court that current versions of database contain mistakenly submitted SSNs (or ITINs) in the EIN field. By CMS's own admission, it cannot tell the difference between a nine-digit SSN and a nine-digit EIN, id. ¶ 38, and it only speculates that some applicants "may" have submitted an SSN in error. The only supporting evidence CMS offers is the 2013 "Read Me" notice discussed above. The notice does indicate that "providers reported SSNs in the EIN field." Read Me at 5-6. As noted previously, however, that document was last updated in 2013 and appears to be referencing issues that arose as early as 2008. Id. at 1, 6. And the notice was issued to fix the problem by alerting providers to the issue and urging them to check their data to ensure that no sensitive information was included. CMS does not say whether these data-entry errors persist today.

CMS's segregability argument is further undercut by instructions on the NPI application which repeatedly caution applicants not to provided SSNs in the fields calling for business EINs and Parent TINs. See NPI Application at 1-4. The instructions could not be more clear. For example, the first page of the application cautions twice in bold print that "Social Security Number (SSN) or IRS Individual Taxpayer Identification Number (ITIN) should only be listed in block 18 or 19 of this form. DO NOT report SSN and ITIN information in any other section of this form." Id. at 1. The application also instructs organizational providers in large, bold, and italicized letters: Do not report an SSN in the EIN field ." Id. at 3. This instruction appears directly above the box for an EIN. Id. Further to the point, individuals, including sole proprietors, are instructed not to answer the prompts for an EIN and Parent TIN, which are reserved for organizations. Id. at 1-3.

So, for CMS's data-error concern to materialize, an individual health care provider or sole proprietor filing out the NPI application must ignore the instruction not to fill out the "Organization Section," then ignore the instructions to not provide a SSN or ITIN unless specifically requested, then ignore the boxes that specifically request SSNs or ITINs, then ignore the instruction not to provide an SSN in the EIN section specifically, and instead offer one of the most sensitive pieces of personal information in response to a prompt that does not ask for it. CMS simply has not established the likelihood of this scenario.

The Court, accordingly, rejects CMS's argument that disclosing the responsive fields will meaningly risk disclosure of more sensitive SSNs and Individual TINs.

IV. Conclusion

For these reasons, the Court will grant Plaintiffs' Motion for Summary Judgment and deny CMS's Motion for Summary Judgment.

A separate Order shall accompany this opinion.


Summaries of

Gandhi v. Ctrs. for Medicare & Medicaid Servs.

United States District Court, District of Columbia
Mar 30, 2023
665 F. Supp. 3d 49 (D.D.C. 2023)
Case details for

Gandhi v. Ctrs. for Medicare & Medicaid Servs.

Case Details

Full title:ASHVIN DHIREN GANDHI, et al., Plaintiffs, v. CENTERS FOR MEDICARE AND…

Court:United States District Court, District of Columbia

Date published: Mar 30, 2023

Citations

665 F. Supp. 3d 49 (D.D.C. 2023)

Citing Cases

Yazdanpanahderav v. U.S. Dep't of State

The Court may treat an argument to which a party fails to respond as conceded. See, e.g., Gandhi v. Ctrs. for…

Vibra Rehab. Hosp. of El Paso v. Illarramendi

The several Highlands Rehabilitation Hospitals are all listed with unique "EIN" numbers, which can be…