Opinion
534345
03-16-2023
Letitia James, Attorney General, Albany (Kevin C. Hu of counsel), for appellant-respondent. Law Office of Jeffrey P. Mans, Albany (Jeffrey P. Mans of counsel), for respondent-appellant.
Letitia James, Attorney General, Albany (Kevin C. Hu of counsel), for appellant-respondent.
Law Office of Jeffrey P. Mans, Albany (Jeffrey P. Mans of counsel), for respondent-appellant.
Before: Clark, J.P., Pritzker, Reynolds Fitzgerald, Ceresia and McShan, JJ.
MEMORANDUM AND ORDER
McShan, J. Cross-appeals from a judgment of the Supreme Court (Richard B. Meyer, J.), entered September 27, 2021 in Essex County, which partially granted petitioner's application, in a proceeding pursuant to CPLR article 78, to annul a determination of respondent denying petitioner's Freedom of Information Law request.
Petitioner is a domestic not-for-profit corporation that operates in the Village of Saranac Lake, Franklin County and publishes a magazine alongside digital offerings that report on various issues that affect the Adirondack region. Respondent is a public authority (see Public Authorities Law § 2608 ) that was created to manage and operate the Olympic facilities used during the 1980 Winter Olympic Games in the Village of Lake Placid, Essex County. One of the facilities that respondent operates is Mt. Van Hoevenberg, a sport training and recreation venue for the sports of bobsled, skeleton, luge, Nordic skiing and biathlon. In July 2020, petitioner made a Freedom of Information Law (see Public Officers Law art 6 [hereinafter FOIL]) request to respondent for copies of injury reports from January 2015 through July 2020, and also from calendar year 2004, for sporting and athletic events and competitions that took place at Mt. Van Hoevenberg.
In response, respondent provided injury reports with certain information either redacted or withheld. Respondent claimed that the redacted and withheld information would constitute an unwarranted invasion of privacy or was exempt from disclosure under the Health Insurance Portability and Accountability Act of 1996 ( 42 USC § 1320d et seq. [hereinafter HIPAA]). Specifically, the documents, which consisted of respondent's medical incident reports, general incident reports, a modified standardized assessment of a concussion and injury registration documents, redacted all health-related information, leaving in place certain information pertaining to the event or venue, incident location, the date and time of accident, an incident number, if any existed, references to a participant's team or country and the applicable sliding sport discipline, depending on the form. Petitioner administratively appealed and respondent's FOIL appeals officer thereafter denied the appeal, finding that the information sought was exempt under both the invasion of privacy exemption and under HIPAA.
Petitioner then commenced the instant CPLR article 78 proceeding, seeking an order to compel respondent to comply with its obligations under FOIL and produce the injury reports from sporting and athletic events and competitions, including the nature of injuries and treatment provided to any individual participants without any personally identifying information, as well as an award of counsel fees. Following an in camera review of the documents, Supreme Court found that the lack of disclosure by respondent was affected by an error of law and ordered a more complete disclosure, subject to the deidentification methodology provided in the HIPAA Privacy Rule (45 CFR parts 160, 164), promulgated by the U.S. Department of Health and Human Services (hereinafter HHS). However, given the unique nature of the records, the court denied petitioner's request for counsel fees, having determined that there was a reasonable basis for respondent to withhold the information. Respondent appeals and petitioner cross-appeals.
It is well settled that "FOIL imposes a broad duty of disclosure on government agencies and all agency records are presumptively available for public inspection and copying unless one of the statutory exemptions applies, permitting the agency to withhold the records" ( Matter of Hepps v. New York State Dept. of Health, 183 A.D.3d 283, 287, 122 N.Y.S.3d 446 [3d Dept. 2020] [internal quotation marks, brackets and citations omitted], lv dismissed & denied 37 N.Y.3d 1001, 152 N.Y.S.3d 668, 174 N.E.3d 693 [2021] ; see Public Officers Law §§ 84, 87[2] ; Matter of Suhr v. New York State Dept. of Civ. Serv., 193 A.D.3d 129, 135, 142 N.Y.S.3d 616 [3d Dept. 2021], lv denied 37 N.Y.3d 907, 2021 WL 4099023 [2021] ). "Those exemptions are to be narrowly construed, with the burden resting on the agency to demonstrate that the requested material indeed qualifies for exemption" ( Matter of Hanig v. State of N.Y. Dept. of Motor Vehs., 79 N.Y.2d 106, 109, 580 N.Y.S.2d 715, 588 N.E.2d 750 [1992] [citation omitted]; see Matter of Tatko v. Village of Granville, 207 A.D.3d 975, 977, 172 N.Y.S.3d 233 [3d Dept. 2022] ; Matter of Hepps v. New York State Dept. of Health, 183 A.D.3d at 287, 122 N.Y.S.3d 446 ).
Respondent contends that it satisfied its burden for nondisclosure by establishing that the records at issue are exempted pursuant to Public Officers Law § 87(2) as medical records or histories of the individuals who were the subject of the relevant documents. Specifically, respondent points to Public Officers Law § 87(2)(b), which allows an agency to deny the disclosure of records where "disclos[ure] would constitute an unwarranted invasion of personal privacy." Respondent also relies upon Public Officers Law § 87(2)(a), which permits an agency to deny access to certain records if the records "are specifically exempted from disclosure by state or federal statute"; specifically, respondents contend that the requested records are exempt from disclosure pursuant to HIPAA. In this regard, the HIPAA Privacy Rule provides that "a covered entity may not use or disclose protected health information without an authorization that is valid under this section," subject to certain exceptions ( 45 CFR 164.508 [a][1]).
The records at issue consist of a variety of injury reports maintained by respondent in the course of operating Mt. Van Hoevenberg. Specifically, respondent provided its own medical incident reports, which constituted a majority of the relevant documents, alongside International Bobsleigh and Skeleton Federation (hereinafter IBSF) injury registration documents, which were occasionally accompanied by a "[f]it to [s]lide" document that was also prepared by IBSF. Beyond providing space to input basic demographic information, the medical incident reports contained, among other things, various prompts pertaining to the medical care received by a participant, including a subjective and objective physical assessment of any injuries suffered, treatment provided and the manner of discharge. The forms also contained spaces to input the event and incident location, as well as the date and time of the incident and an incident number. The IBSF reports were used to record the date and time of the incident and whether the athlete was cleared for continued participation. Further, those reports identified the track, the sliding sport discipline, the official event or race type, the anatomical location and type of injury, the symptoms and the treatment received. In each instance, the information on the report was generated by an on-site health care provider.
We initially find that the health-related information contained in the reports at issue is subject to the protections of both HIPAA and Public Officers Law § 87(2)(b). Specifically, the HIPAA Privacy Rule, among other things, addresses the use and disclosure of "individually identifiable health information," which is defined as "any information, including demographic information collected from an individual, that ... is created or received by a health care provider, ... relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and ... identifies the individual ... or[,] with respect to which[,] there is a reasonable basis to believe that the information can be used to identify the individual" ( 42 USC § 1320d [6]). Further, as relevant here, Public Officers Law § 89(2)(b)(i) expressly provides for the protection of medical history, which refers to "information that one would reasonably expect to be included as a relevant and material part of a proper medical history" ( Matter of Hanig v. State of N.Y. Dept. of Motor Vehs, 79 N.Y.2d at 111–112, 580 N.Y.S.2d 715, 588 N.E.2d 750 [internal quotation marks omitted]; see Matter of Berger v. New York City Dept. of Health & Mental Hygiene, 137 A.D.3d 904, 907, 27 N.Y.S.3d 588 [2d Dept. 2016], lv denied 27 N.Y.3d 910, 2016 WL 3524313 [2016] ; Matter of Beyah v. Goord, 309 A.D.2d 1049, 1050, 766 N.Y.S.2d 222 [3d Dept. 2003] ). Upon our review, we conclude that the information provided on the subject forms falls within these protections, as it directly pertains to the relevant individual's present health condition and would reasonably be included as part of his or her medical history. Accordingly, as the information is subject to a specific exemption to disclosure, "the court need not engage in a balancing of the privacy interests at stake against the public interest in disclosure of the information" ( Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 A.D.3d 1434, 1437, 86 N.Y.S.3d 246 [3d Dept. 2018] [internal quotation marks, brackets and citations omitted]; see Matter of Abdur–Rashid v. New York City Police Dept., 31 N.Y.3d 217, 225, 76 N.Y.S.3d 460, 100 N.E.3d 799 [2018] ).
Nevertheless, our review does not end there, as both relevant exemptions to disclosure provide a mechanism to disclose such information by way of deidentification. As to the protection of health information under HIPAA, the HIPAA Privacy Rule provides that "[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information" ( 45 CFR 164.514 [a]), and sets forth the standard for deidentification of that information (see 45 CFR 164.514 [b]). As is relevant to this proceeding, the safe harbor method for deidentification, which is intended "to provide a means to produce some de[ ]identified information that could be used for many purposes with a very small risk of privacy violation" ( 65 Fed Reg 82462–01, 82543 [2000] ), sets forth an exhaustive list of information that must be removed in order to deidentify individually identifiable health information (see 45 CFR 165.514[b][2][i]) and further requires that "[t]he covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information" (45 CFR 165.514[b][2][ii]). The relevant HHS guidance elaborates that "actual knowledge means clear and direct knowledge" (U.S. Department of Health and Human Services, Guidance on De-identification of Protected Health Information § 3.6 at 27 [Nov. 26, 2012], available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf [last accessed Feb. 23, 2023] [emphasis added] [hereinafter Guidance on De-identification]). Similarly, Public Officers Law § 89(2)(c)(i) adds that, "[u]nless otherwise provided ..., disclosure shall not be construed to constitute an unwarranted invasion of personal privacy ... when identifying details are deleted." While FOIL contains no guidance as to the extent of deletion necessary to satisfy this requirement, we find that the stringent deidentification procedure provided in the HIPAA Privacy Rule is sufficient to meet the analogous requirement in Public Officers Law § 89(2)(c)(i) (see generally Matter of Miguel M. [Barron], 17 N.Y.3d 37, 42, 926 N.Y.S.2d 371, 950 N.E.2d 107 [2011] ). Accordingly, the question on this appeal distills to whether the information contained in the reports could be properly deidentified in accordance with the requirements of the HIPAA Privacy Rule in order to permit disclosure (see generally Matter of Data Tree, LLC v. Romaine, 9 N.Y.3d 454, 464, 849 N.Y.S.2d 489, 880 N.E.2d 10 [2007] ; Matter of Scott, Sardano & Pomeranz v. Records Access Officer of City of Syracuse, 65 N.Y.2d 294, 298, 491 N.Y.S.2d 289, 480 N.E.2d 1071 [1985] ).
The HIPAA Privacy Rule also allows for deidentification through the use of an expert, a method which is not at issue in this matter (see 45 CFR 164.514 [b][1]).
While respondent suggests that it was only necessary to prove the mere possibility that identification of the persons could result, we note that the HIPAA Privacy Rule ultimately adopted the "actual knowledge" standard in response to public comment that the proposed standard, which would have required that the covered entity "have ‘no reason to believe’ that the information remained identifiable after the enumerated identifiers were removed," created too much uncertainty for those entities seeking to comply with the Rule (65 Fed Reg 82462–01 at 82543 ). To this end, HHS has acknowledged that both methods of deidentification, "even when properly applied, yield de[ ]identified data that retains some risk of identification" (Guidance on De-identification § 1.3 at 6; see 65 Fed Reg 82462–01 at 82543 ). Accordingly, the protections of HIPAA, and the effect of deidentification pursuant to the safe harbor method, is not intended to foreclose the risk of identification in an absolute sense.
In this regard, respondent contends that it possesses actual knowledge that the medical information contained on any given form, after deidentification, could be used alone or in combination with other information to identify the specific individual to whom the form pertains. Respondent specifically posits that, since the records largely concerned Olympic athletes and the sliding sports in question consisted of a limited number of highly specialized international athletes, the remaining information would allow for those containing "insider knowledge" to identify the subjects of respondent's reports. We disagree, as respondent's submissions fail to establish that it possessed such knowledge or that a blanket redaction of the information contained in the records was necessary to prevent identification (see Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 A.D.3d at 1436, 86 N.Y.S.3d 246 ). In support of its position, respondent relies upon the affidavits of its general manager and the chief medical officer of IBSF, who both opine, in sum and substance, that members of the sliding sports community possess unique knowledge that would allow them to identify the subjects of the medical reports by utilizing the information pertaining to, among other things, the individual athlete's treatment and the location of the accident, which was previously redacted, alongside the information on the incident reports that was previously disclosed. However, accepting that certain individuals may possess the ability to make such a connection utilizing information concerning a particular injury suffered alongside other general information contained in the disclosed reports, we find that such information could have been properly redacted in the first instance in accordance with the mandates of the HIPAA Privacy Rule. Specifically, the HIPAA Privacy Rule requires that a covered entity remove, among other things, "[a]ll elements of dates (except year) for dates that are directly related to an individual" ( 45 CFR 164.514 [b][2][i][C]). While respondent suggests that the limited information provided – such as the time, place and event during which the injury took place – would allow insiders to discover the identity of the subject of the report, it was improper to provide specific date information connected with the individual in the first instance. Further, the redacted records improperly disclosed unique characteristics of the individuals that inherently limited the pool of persons that could be the subject of the reports (see Guidance on De-identification § 3.8 at 28). The failure to redact the particular sliding sport discipline of the individual, alongside the individual's team affiliation, was an improper disclosure of an identifiable characteristic that distinguished that individual and, coupled with certain information pertaining to the medical treatment provided, could allow for identification (see 45 CFR 164.514 [b][2][i][R]).
In this vein, we would note that, to the extent that the redacted information contained in the records identifies the particular roles of those individuals in their respective sliding sport disciplines, such information would also be subject to redaction (see Guidance on De-identification § 3.5 at 26).
All told, our review of the submissions reveals that the risk of identification relied upon by respondent is only implicated by virtue of its own failure to properly deidentify the necessary information in accordance with the HIPAA Privacy Rule (see 45 CFR 165.514[b][2]). Thus, had respondent removed the aforementioned information at the outset, there would be no reasonable basis to believe that identification of the individuals in the reports was likely. However, we are mindful that the previously released documents that were not properly redacted could be compared with the newly unredacted documents and additional information about the subject individuals may therefore be discerned. We nevertheless find that this risk is adequately mitigated by employing the proper deidentification methodology provided in the HIPAA Privacy Rule, including the use of additional redactions authorized by that rule beyond what might otherwise have been originally required (see generally Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 A.D.3d at 1436, 86 N.Y.S.3d 246 ). Accordingly, it is our view that Supreme Court appropriately ordered disclosure of the records in accordance with the requirements for deidentification of individually identifiable health information provided in the HIPAA Privacy Rule.
For instance, although the HIPAA Privacy Rule does not require redaction of the name of a treating physician in most instances (see Guidance on De-identification § 3.8 at 28–29), such redaction may be appropriate in order to satisfy the actual knowledge standard under the circumstances presented, as respondent must now take steps to limit the ability to compare the two sets of disclosed documents and extrapolate the newly unredacted information alongside the previously redacted information.
It is uncontested that certain records included in the disclosure do not pertain to elite athletes and instead concern members of the general public and employees of the facility. As to these records, we find respondent's contention that the disclosed health information could lead to identification by anyone who knows the subject individual is unpersuasive, as it again relies on the use of information that should have been redacted in the first instance and the risk of such identification can be mitigated in a similar manner.
Turning to petitioner's cross-appeal, "[p]ursuant to Public Officers Law § 89(4)(c)(i), reasonable counsel fees and other litigation costs may be awarded where a petitioner has substantially prevailed in a FOIL proceeding and the court finds that the agency lacked a reasonable basis for denying access to the requested records" ( Matter of Vertucci v. New York State Dept. of Transp., 195 A.D.3d 1209, 1210, 150 N.Y.S.3d 786 [3d Dept. 2021], lv denied 37 N.Y.3d 917, 157 N.Y.S.3d 849, 179 N.E.3d 663 [2022] ). "Where, as here, the statutory prerequisites are satisfied, the decision whether to award counsel fees rests in the discretion of the court and will not be overturned in the absence of an abuse of such discretion" ( Matter of Competitive Enter. Inst. v. Attorney Gen. of N.Y., 161 A.D.3d 1283, 1287, 76 N.Y.S.3d 640 [3d Dept. 2018] [internal quotation marks and citation omitted]; see Matter of New York State Defenders Assn. v. New York State Police, 87 A.D.3d 193, 195, 927 N.Y.S.2d 423 [3d Dept. 2011] ). Upon our review, we agree with Supreme Court's determination that respondent did not act unreasonably in justifying its claimed exemptions pursuant to Public Officers Law § 87(2). Even though respondent did not properly redact its records as required under the HIPAA Privacy Rule, that fact alone does not render its actions unreasonable, and we find that respondent's desire to protect the sensitive medical information of others and to avoid the significant penalties for violating HIPAA provided adequate justification for its position. Accordingly, we find that respondent had a reasonable basis for claiming the proferred exemptions and do not believe that Supreme Court abused its discretion in declining to award counsel fees (see Matter of Jewish Press, Inc. v. Kingsborough Community Coll., 201 A.D.3d 547, 549, 160 N.Y.S.3d 42 [1st Dept. 2022] ; Matter of Norton v. Town of Islip, 17 A.D.3d 468, 470, 793 N.Y.S.2d 133, 793 N.Y.S.2d 133 [2d Dept. 2005], lv denied 6 N.Y.3d 709, 813 N.Y.S.2d 45, 846 N.E.2d 476 [2006] ).
Clark, J.P., Pritzker, Reynolds Fitzgerald and Ceresia, JJ., concur.
ORDERED that the judgement is affirmed, without costs.