Summary
concluding that public record subject to disclosure under Ohio Public Records Law was not protected by HIPAA, "even if ... [it] did contain ‘protected health information’ as defined by HIPAA, and even if the [public agency] operated as a ‘covered entity’ pursuant to HIPAA"
Summary of this case from Comm'r of Mental Health & Addiction Servs. v. Freedom of Info. Comm'nOpinion
No. 2005-0068.
Submitted October 11, 2005.
Decided March 17, 2006.
APPEAL from the Court of Appeals for Hamilton County, No. C-040064, 2004-Ohio-7130.
Graydon, Head Ritchey, L.L.P., John C. Greiner, John A. Flanagan, and Katherine M. Lasher, for appellant.
Julia L. McNeil and Terrance A. Nestor, Office of the Cincinnati City Solicitor, for appellees.
{¶ 1} We focus our attention in this appeal on the question of whether the Cincinnati Enquirer, a division of Gannett Satellite Information Network, Inc., may, pursuant to R.C. 149.43, Ohio's Public Records Act, obtain copies of the Cincinnati Health Department's lead-contamination notices issued to property owners of units reported to be the residences of children whose blood tests indicated elevated lead levels. Relying on the Standards for Privacy of Individually Identifiable Health Information contained in the federal Health Insurance Portability and Accountability Act ("HIPAA"), 110 Stat. 1938, the city of Cincinnati and the Health Commissioner and Assistant Health Commissioner of the Cincinnati Health Department declined to release copies of the requested citations.
{¶ 2} Upon careful review of the record and the Ohio Public Records Act and the privacy provisions of HIPAA, we conclude, first, that the requested lead citations and lead-assessment reports do not contain protected health information as defined by federal law, HIPAA, and are, therefore, subject to disclosure; second, that even if we did determine that those lead citations and risk-assessment reports contained protected health information and even if we determined that the Cincinnati Health Department operated as a covered entity as defined by HIPAA, the requested lead-assessment reports would still be subject to disclosure under the "required by law" exception to the HIPAA privacy rule because the Ohio Public Records Law, R.C. 149.43, requires disclosure of these reports, and federal law, HIPAA, does not supersede state disclosure requirements.
{¶ 3} Accordingly, for the following reasons, we grant the requested writ of mandamus in favor of the Cincinnati Enquirer and order the release of the requested citations related to lead-contaminated properties in Cincinnati.
{¶ 4} The history of this case reflects that on January 16, 2004, Cincinnati Enquirer reporter Sharon Coolidge requested that the Assistant Health Commissioner of the Cincinnati Health Department, Walter Handy, provide "copies of the 343 lead citations and any others that were issued between 1994 and the present."
{¶ 5} The Cincinnati Health Department, citing Section 1320d et seq., Title 42, U.S. Code, the HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule, Part 160, subparts A and B and Part 164, Title 45, C.F.R.) expressed its inability to accommodate the Enquirer's request.
{¶ 6} Thereafter, on February 11, 2004, the Enquirer filed a mandamus action in the Hamilton County Court of Appeals seeking to compel the health commissioner and assistant health commissioner to make the requested records available for inspection and copying in accordance with R.C. 149.43, the Ohio Public Records Act. On December 30, 2004, the court of appeals denied the writ, reasoning that although "the lead-investigation reports are public records generated as a result of the health department's mission in the community," appellees had established "an exception to disclosure because of the reference to blood test results for children currently residing at particular addresses." State ex rel. Cincinnati Enquirer v. Adcock, Hamilton App. No. C-040064, 2004-Ohio-7130, 2004 WL 3015324, at ¶ 9.
{¶ 7} This cause is now before the court upon the Enquirer's appeal as of right. Before our consideration of the matter, however, we referred this case to mediation. Thereafter, the health department released 170 of the lead citations that had been issued to property owners of other than single-family residences. In reliance on HIPAA, however, the health department still maintains its inability to provide access to unredacted copies of the remaining 173 lead citations issued to owners of single-family residential property.
{¶ 8} We begin our review by examining the law with respect to disclosure of public records. The state of Ohio has a long-standing public policy committed to open public records, as expressed in R.C. 149.43, and the Supreme Court of Ohio has consistently enforced that policy in its decisions in connection with requests pursuant to that statute. In State ex rel. Miami Student v. Miami Univ. (1997), 79 Ohio St.3d 168, 170, 680 N.E.2d 956, we stated, "The Ohio Public Records Act is intended to be liberally construed `to ensure that governmental records be open and made available to the public * * * subject to only a few very limited and narrow exceptions.' State ex rel. Williams v. Cleveland (1992), 64 Ohio St.3d 544, 549, 597 N.E.2d 147, 151. R.C. 149.43 therefore provides for full access to all public records upon request unless the requested records fall within one of the specific exceptions listed in the Act."
{¶ 9} The Cincinnati Enquirer asserts its entitlement to the lead citations pursuant to R.C. 149.43 on the basis that they constitute public records, not exempt from disclosure, and that HIPAA's privacy rule does not apply to the citations issued by the Cincinnati Health Department.
{¶ 10} Contrariwise, respondents contend that HIPAA's privacy rule permits the health department to withhold the citations from public release because it is a covered entity subject to HIPAA and therefore cannot release records that contain individually identifiable health information.
Public Records v. HIPAA
{¶ 11} For the first time, we address the conflict-of-laws poser where a state public-records law, here R.C. 149.43, requires disclosure of a public record, while federal law, HIPAA and its privacy rule, specifically prohibits disclosure of protected health information.
{¶ 12} We begin by reviewing R.C. 149.43(B)(1), which specifies: "[A]ll public records shall be promptly prepared and made available for inspection to any person at all reasonable times during regular business hours."
{¶ 13} In accordance with this mandate, the Enquirer seeks to obtain copies of the lead citations at issue on this appeal.
{¶ 14} Accordingly, our first concern is to define the scope of the information the Enquirer seeks from the Cincinnati Health Department. The record here contains Exhibit C, consisting of the notices and a copy of a multipage form utilized by the department to notify property owners of the results of the lead-assessment investigations conducted at various dwelling units throughout the city of Cincinnati. Only one sentence in the 14-page narrative has any reference to medical information or medical conditions. That one sentence contained in the notice to the property owner states in its entirety: "This unit has been reported to our department as the residence of a child whose blood test indicates an elevated lead level."
{¶ 15} Section 160.103, Title 45, C.F.R. defines "health information" to include information created by a public health authority that relates to the past, present, or future physical condition of an individual.
{¶ 16} Further, the lead-citation notices issued by the health department reveal that they are intended to advise the owners of real estate about results of department investigations and to apprise them of violations relating to lead hazards; the report identifies existing and potential lead hazards on the exterior and interior of the property, details the tests performed on the property and the results of those tests, explains the abatement measures required, provides advice about options to correct the problem, and mandates reporting of abatement measures, including the name of the abatement contractor, the abatement method, and the date of expected abatement completion. Nothing contained in these reports identifies by name, age, birth date, social security number, telephone number, family information, photograph, or other identifier any specific individual or details any specific medical examination, assessment, diagnosis, or treatment of any medical condition. There is a mere nondescript reference to "a" child with "an" elevated lead level.
{¶ 17} Thus, the facts here are in sharp contrast with those in our decision in State ex rel. McCleary v. Roberts (2000), 88 Ohio St.3d 365, 725 N.E.2d 1144, for example, where the city database at issue contained specific identifiable information, including names, addresses, phone numbers, family information, photographs, and medical information of children, that we determined was exempt from public disclosure; we held there that the information did not constitute a public record because it did not document the operation of an office. Here, while we concern ourselves with the question of whether the lead citations contain "protected health information," and therefore face a different issue from that confronted in McCleary, we nonetheless recognize that none of the specific identifiable information referred to in McCleary is part of the information contained in the lead-citation notices or risk-assessment reports prepared by the health department and requested by the Enquirer in this case.
{¶ 18} The prohibition against disclosure contained in the HIPAA privacy rule refers to the release of otherwise protected health information. It provides: "A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter." Section 164.502(a), Title 45, C.F.R. After careful review of the record, we have concluded that the lead-risk-assessment reports and the lead citations do not contain protected health information and therefore are subject to release, as they are not protected by the HIPAA privacy rule.
{¶ 19} However, even if the records did contain protected health information, they would still be subject to release in accordance with the "required by law" exception to HIPAA.
{¶ 20} HIPAA contains definitions with respect to classification of entities as either performing operations that are covered by its provisions or performing hybrid operations, some of which may not be covered by its provisions.
{¶ 21} The Cincinnati Health Department urges in this regard that pursuant to Section 160.103, Title 45, C.F.R., it is a covered entity as defined by HIPAA and as such may not use or disclose protected health information except as provided for in HIPAA. The Enquirer claims, on the other hand, that the Cincinnati Health Department is a "hybrid entity" as that term is defined in Section 164.103, Title 45, C.F.R., i.e., an entity whose business actions include both covered and noncovered functions as defined by HIPAA. Section 164.502(a) refers to a "covered entity" and provides that it "may not use or disclose protected health information," except as permitted or required by law.
{¶ 22} This analysis, however, becomes relevant only if we conclude that the health department is a hybrid entity performing a noncovered action. Assuming for the sake of argument that the health department is a covered entity as it claims, the next part of our analysis requires us to review the claim of the director of health that the information contained in the lead-citation notices constitutes "protected health information."
{¶ 23} Specifically, Section 164.514(a), Title 45, C.F.R. provides: "Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information."
{¶ 24} The department contends that the single sentence contained in its notice of citation regarding the residence of a child with an elevated blood lead level constitutes a "reasonable basis to believe that the information can be used to identify an individual" and therefore that the citations are not subject to disclosure. We disagree.
{¶ 25} A review of HIPAA reveals a "required by law" exception to the prohibition against disclosure of protected health information. With respect to this position, Section 164.512(a)(1), Title 45, C.F.R. provides, "A covered entity may * * * disclose protected health information to the extent that such * * * disclosure is required by law * * *." (Emphasis added.) And the Ohio Public Records Act requires disclosure of records unless the disclosure or release is prohibited by federal law. R.C. 149.43(a)(1)(v).
{¶ 26} Hence, we are confronted here with a problem of circular reference because the Ohio Public Records Act requires disclosure of information unless prohibited by federal law, while federal law allows disclosure of protected health information if required by state law.
{¶ a} Section 164.512(a), Title 45, C.F.R. provides:
{¶ b} "Standard: Uses and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
{¶ c} "(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law."
{¶ 27} Our research reveals that at the time of implementing these regulations, the Department of Health and Human Services, Office of the Secretary, promulgated Standards for Privacy of Individually Identifiable Health Information (2000), 65 F.R. 82462, 82667-82668, stating, "[W]e intend [160.512(a)] to preserve access to information considered important enough by state or federal authorities to require its disclosure by law"; "we do not believe that Congress intended to preempt each such law"; and "[t]he rule's approach is simply intended to avoid any obstruction to the health plan or covered health care provider's ability to comply with its existing legal obligations."
{¶ 28} Similarly, in reviewing federal Freedom of Information Act ("FOIA") requests, the secretary explains that federal FOIA requests "come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law." (Emphasis added.) 65 F.R. 82462, 82482. By analogy, an entity like the Cincinnati Health Department, faced with an Ohio Public Records Act request, need determine only whether the requested disclosure is required by Ohio law to avoid violating HIPAA's privacy rule. See, also, Tex.Atty.Gen.Op. 681 (2004) 7, which reached the same conclusion under Texas law; cf. Ohio Legal Rights Serv. v. Buckeye Ranch, Inc. (S.D.Ohio 2005), 365 F.Supp.2d 877, where the court concluded that HIPAA's "required by law" exception allowed the Ohio Legal Rights Service to access documents relating to the treatment of a mentally ill child pursuant to Ohio law (R.C. 5123.60) giving the Service "ready access" to those documents.
Section 552, Title 5, U.S.Code.
Mandamus
{¶ 29} The Enquirer seeks the lead citations by way of mandamus. This court, in State ex rel. Beacon Journal Publishing Co. v. Akron, 104 Ohio St.3d 399, 2004-Ohio-6557, 819 N.E.2d 1087, ¶ 23, stated, "Mandamus is the appropriate remedy to seek compliance with R.C. 149.43, Ohio's Public Records Act." This court has also explained, in Gilbert v. Summit Cty., 104 Ohio St.3d 660, 2004-Ohio-7108, 821 N.E.2d 564, ¶ 7, quoting State ex rel. Cincinnati Enquirer v. Hamilton Cty. (1996), 75 Ohio St.3d 374, 376, 662 N.E.2d 334, that the Ohio Public Records Act "`is construed liberally in favor of broad access, and any doubt is resolved in favor of disclosure of public records.'" Finally, in State ex rel. Fenley v. Ohio Historical Soc. (1992), 64 Ohio St.3d 509, 510, 597 N.E.2d 120, we observed that a writ of mandamus will issue in a public-records case where the relator is "entitled to respondents' performance of a clear legal duty."
{¶ 30} Because Ohio's Public Records Act requires that public records be "made available" and because the information contained in the lead-hazard reports does not constitute "health information" as defined in HIPAA, and because we have concluded that even if the reports contained protected health information, they would still be subject to disclosure pursuant to the "required by law" exception to the HIPAA privacy rule, the Cincinnati Health Department and its commissioners have a clear legal duty to make the lead citations available to the Enquirer.
Attorney Fees
{¶ 31} The Enquirer also requests an award of its attorney fees. As the court held in its syllabus in State ex rel. Fox v. Cuyahoga Cty. Hosp. Sys. (1988), 39 Ohio St.3d 108, 529 N.E.2d 443, "The award of attorney fees under R.C. 149.43(C) is not mandatory." We detailed the standard in State ex rel. Wadd v. Cleveland (1998), 81 Ohio St.3d 50, 54, 689 N.E.2d 25: "In granting or denying attorney fees under R.C. 149.43(C), courts consider the reasonableness of the government's failure to comply with the public records request and the degree to which the public will benefit from release of the records in question."
{¶ 32} As the parties agreed during oral argument, this is a case of first impression involving disclosure pursuant to the public-records act of the lead citations held as records of a municipal health department and the privacy rule of HIPAA pursuant to applicable provisions of federal law. The health department here reasonably relied on HIPAA in professing its inability to release the requested records. As we stated in State ex rel. Olander v. French (1997), 79 Ohio St.3d 176, 179, 680 N.E.2d 962, "courts should not be in the practice of punishing parties for taking a rational stance on an unsettled legal issue." See, also, Wadd, 81 Ohio St.3d at 55, 689 N.E.2d 25, in which we also denied a request for attorney fees by a prevailing party in a public-records mandamus action that raised issues of first impression. In accordance with our earlier precedent and our consideration of the issues presented here, we decline to award attorney fees in this case.
Conclusion
{¶ 33} Based on the foregoing, we conclude that lead-risk-assessment reports maintained by the Cincinnati Health Department and lead-citation notices issued to property owners of units reported to be the residence of children whose bloodtest results indicate elevated lead levels do not contain "protected health information" as that term is defined by HIPAA.
{¶ 34} Further, even if the requested lead citations and lead-risk-assessment reports did contain "protected health information" as defined by HIPAA, and even if the Cincinnati Health Department operated as a "covered entity" pursuant to HIPAA, the citation notices and lead-risk-assessment reports would still be subject to release under the "required by law" exception to the HIPAA privacy rule because the Ohio Public Records Law requires disclosure of these reports, and HIPAA does not supersede state disclosure requirements.
{¶ 35} Finally, a request for attorney fees made by a prevailing party in a public-records mandamus action will be denied where the case presents a matter of first impression because courts should not engage in the practice of punishing a party to a lawsuit for taking a rational position on a justiciable, unsettled legal issue.
{¶ 36} Accordingly, the judgment of the appellate court is reversed, the writ of mandamus is granted, the respondents are ordered to release the requested records, and the request for attorney fees is denied.
Judgment accordingly.
MOYER, C.J., GRADY, LUNDBERG STRATTON and LANZINGER, JJ., concur.
PFEIFER and O'CONNOR, JJ., concur in judgment only.
THOMAS J. GRADY, J., of the Second Appellate District, sitting for RESNICK, J.