X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.

Cross-appeals from a judgment of the Supreme Court (Richard B. Meyer, J.), entered September 27, 2021 in Essex County, which partially granted petitioner’s application, in a proceeding pursuant to CPLR article 78, to annul a determination of respondent denying petitioner’s Freedom of Information Law request. EDDIE MCSHAN, JUDGE Petitioner is a domestic not-for-profit corporation that operates in the Village of Saranac Lake, Franklin County and publishes a magazine alongside digital offerings that report on various issues that affect the Adirondack region. Respondent is a public authority (see Public Authorities Law §2608) that was created to manage and operate the Olympic facilities used during the 1980 Winter Olympic Games in the Village of Lake Placid, Essex County. One of the facilities that respondent operates is Mt. Van Hoevenberg, a sport training and recreation venue for the sports of bobsled, skeleton, luge, Nordic skiing and biathlon. In July 2020, petitioner made a Freedom of Information Law (see Public Officers Law art 6 [hereinafter FOIL]) request to respondent for copies of injury reports from January 2015 through July 2020, and also from calendar year 2004, for sporting and athletic events and competitions that took place at Mt. Van Hoevenberg. In response, respondent provided injury reports with certain information either redacted or withheld. Respondent claimed that the redacted and withheld information would constitute an unwarranted invasion of privacy or was exempt from disclosure under the Health Insurance Portability and Accountability Act of 1996 (42 USC §1320d et seq. [hereinafter HIPAA]). Specifically, the documents, which consisted of respondent’s medical incident reports, general incident reports, a modified standardized assessment of a concussion and injury registration documents, redacted all health-related information, leaving in place certain information pertaining to the event or venue, incident location, the date and time of accident, an incident number, if any existed, references to a participant’s team or country and the applicable sliding sport discipline, depending on the form. Petitioner administratively appealed and respondent’s FOIL appeals officer thereafter denied the appeal, finding that the information sought was exempt under both the invasion of privacy exemption and under HIPAA. Petitioner then commenced the instant CPLR article 78 proceeding, seeking an order to compel respondent to comply with its obligations under FOIL and produce the injury reports from sporting and athletic events and competitions, including the nature of injuries and treatment provided to any individual participants without any personally identifying information, as well as an award of counsel fees. Following an in camera review of the documents, Supreme Court found that the lack of disclosure by respondent was affected by an error of law and ordered a more complete disclosure, subject to the deidentification methodology provided in the HIPAA Privacy Rule (45 CFR parts 160, 164), promulgated by the US Department of Health and Human Services (hereinafter HHS). However, given the unique nature of the records, the court denied petitioner’s request for counsel fees, having determined that there was a reasonable basis for respondent to withhold the information. Respondent appeals and petitioner cross-appeals. It is well settled that “FOIL imposes a broad duty of disclosure on government agencies and all agency records are presumptively available for public inspection and copying unless one of the statutory exemptions applies, permitting the agency to withhold the records” (Matter of Hepps v. New York State Dept. of Health, 183 AD3d 283, 287 [3d Dept 2020] [internal quotation marks, brackets and citations omitted], lv dismissed & denied 37 NY3d 1001 [2021]; see Public Officers Law §§84, 87 [2]; Matter of Suhr v. New York State Dept. of Civ. Serv., 193 AD3d 129, 135 [3d Dept 2021], lv denied 37 NY3d 907 [2021]). “Those exemptions are to be narrowly construed, with the burden resting on the agency to demonstrate that the requested material indeed qualifies for exemption” (Matter of Hanig v. State of N.Y. Dept. of Motor Vehs., 79 NY2d 106, 109 [1992] [citation omitted]; see Matter of Tatko v. Village of Granville, 207 AD3d 975, 977 [3d Dept 2022]; Matter of Hepps v. New York State Dept. of Health, 183 AD3d at 287). Respondent contends that it satisfied its burden for nondisclosure by establishing that the records at issue are exempted pursuant to Public Officers Law §87 (2) as medical records or histories of the individuals who were the subject of the relevant documents. Specifically, respondent points to Public Officers Law §87 (2) (b), which allows an agency to deny the disclosure of records where “disclos[ure] would constitute an unwarranted invasion of personal privacy.” Respondent also relies upon Public Officers Law §87 (2) (a), which permits an agency to deny access to certain records if the records “are specifically exempted from disclosure by state or federal statute”; specifically, respondents contend that the requested records are exempt from disclosure pursuant to HIPAA. In this regard, the HIPAA Privacy Rule provides that “a covered entity may not use or disclose protected health information without an authorization that is valid under this section,” subject to certain exceptions (45 CFR 164.508 [a] [1]). The records at issue consist of a variety of injury reports maintained by respondent in the course of operating Mt. Van Hoevenberg. Specifically, respondent provided its own medical incident reports, which constituted a majority of the relevant documents, alongside International Bobsleigh and Skeleton Federation (hereinafter IBSF) injury registration documents, which were occasionally accompanied by a “[f]it to [s]lide” document that was also prepared by IBSF. Beyond providing space to input basic demographic information, the medical incident reports contained, among other things, various prompts pertaining to the medical care received by a participant, including a subjective and objective physical assessment of any injuries suffered, treatment provided and the manner of discharge. The forms also contained spaces to input the event and incident location, as well as the date and time of the incident and an incident number. The IBSF reports were used to record the date and time of the incident and whether the athlete was cleared for continued participation. Further, those reports identified the track, the sliding sport discipline, the official event or race type, the anatomical location and type of injury, the symptoms and the treatment received. In each instance, the information on the report was generated by an on-site health care provider. We initially find that the health-related information contained in the reports at issue is subject to the protections of both HIPAA and Public Officers Law §87 (2) (b). Specifically, the HIPAA Privacy Rule, among other things, addresses the use and disclosure of “individually identifiable health information,” which is defined as “any information, including demographic information collected from an individual, that…is created or received by a health care provider,…relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and…identifies the individual…or[,] with respect to which[,] there is a reasonable basis to believe that the information can be used to identify the individual” (42 USC §1320d [6]). Further, as relevant here, Public Officers Law §89 (2) (b) (i) expressly provides for the protection of medical history, which refers to “information that one would reasonably expect to be included as a relevant and material part of a proper medical history” (Matter of Hanig v. State of N.Y. Dept. of Motor Vehs, 79 NY2d at 111-112 [internal quotation marks omitted]; see Matter of Berger v. New York City Dept. of Health & Mental Hygiene, 137 AD3d 904, 907 [2d Dept 2016], lv denied 27 NY3d 910 [2016]; Matter of Beyah v. Goord, 309 AD2d 1049, 1050 [3d Dept 2003]). Upon our review, we conclude that the information provided on the subject forms falls within these protections, as it directly pertains to the relevant individual’s present health condition and would reasonably be included as part of his or her medical history. Accordingly, as the information is subject to a specific exemption to disclosure, “the court need not engage in a balancing of the privacy interests at stake against the public interest in disclosure of the information” (Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 AD3d 1434, 1437 [3d Dept 2018] [internal quotation marks, brackets and citations omitted]; see Matter of Abdur-Rashid v. New York City Police Dept., 31 NY3d 217, 225 [2018]). Nevertheless, our review does not end there, as both relevant exemptions to disclosure provide a mechanism to disclose such information by way of deidentification. As to the protection of health information under HIPAA, the HIPAA Privacy Rule provides that “[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information” (45 CFR 164.514 [a]), and sets forth the standard for deidentification of that information (see 45 CFR 164.514 [b]). As is relevant to this proceeding, the safe harbor method for deidentification, which is intended “to provide a means to produce some de[ ]identified information that could be used for many purposes with a very small risk of privacy violation” (65 Fed Reg 82462-01, 82543 [2000]), sets forth an exhaustive list of information that must be removed in order to deidentify individually identifiable health information (see 45 CFR 165.514 [b] [2] [i]) and further requires that “[t]he covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information” (45 CFR 165.514 [b] [2] [ii]).1 The relevant HHS guidance elaborates that “actual knowledge means clear and direct knowledge” (US Department of Health and Human Services, Guidance on De-identification of Protected Health Information §3.6 at 27 [Nov. 26, 2012], available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf [last accessed Feb. 23, 2023] [emphasis added] [hereinafter Guidance on Deidentification]).2 Similarly, Public Officers Law §89 (2) (c) (i) adds that, “[u]nless otherwise provided…, disclosure shall not be construed to constitute an unwarranted invasion of personal privacy…when identifying details are deleted.” While FOIL contains no guidance as to the extent of deletion necessary to satisfy this requirement, we find that the stringent deidentification procedure provided in the HIPAA Privacy Rule is sufficient to meet the analogous requirement in Public Officers Law §89 (2) (c) (i) (see generally Matter of Miguel M. [Barron], 17 NY3d 37, 42 [2011]). Accordingly, the question on this appeal distills to whether the information contained in the reports could be properly deidentified in accordance with the requirements of the HIPAA Privacy Rule in order to permit disclosure (see generally Matter of Data Tree, LLC v. Romaine, 9 NY3d 454, 464 [2007]; Matter of Scott, Sardano & Pomeranz v. Records Access Officer of City of Syracuse, 65 NY2d 294, 298 [1985]). In this regard, respondent contends that it possesses actual knowledge that the medical information contained on any given form, after deidentification, could be used alone or in combination with other information to identify the specific individual to whom the form pertains. Respondent specifically posits that, since the records largely concerned Olympic athletes and the sliding sports in question consisted of a limited number of highly specialized international athletes, the remaining information would allow for those containing “insider knowledge” to identify the subjects of respondent’s reports. We disagree, as respondent’s submissions fail to establish that it possessed such knowledge or that a blanket redaction of the information contained in the records was necessary to prevent identification (see Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 AD3d at 1436). In support of its position, respondent relies upon the affidavits of its general manager and the chief medical officer of IBSF, who both opine, in sum and substance, that members of the sliding sports community possess unique knowledge that would allow them to identify the subjects of the medical reports by utilizing the information pertaining to, among other things, the individual athlete’s treatment and the location of the accident, which was previously redacted, alongside the information on the incident reports that was previously disclosed. However, accepting that certain individuals may possess the ability to make such a connection utilizing information concerning a particular injury suffered alongside other general information contained in the disclosed reports, we find that such information could have been properly redacted in the first instance in accordance with the mandates of the HIPAA Privacy Rule. Specifically, the HIPAA Privacy Rule requires that a covered entity remove, among other things, “[a]ll elements of dates (except year) for dates that are directly related to an individual” (45 CFR 164.514 [b] [2] [i] [C]). While respondent suggests that the limited information provided — such as the time, place and event during which the injury took place — would allow insiders to discover the identity of the subject of the report, it was improper to provide specific date information connected with the individual in the first instance. Further, the redacted records improperly disclosed unique characteristics of the individuals that inherently limited the pool of persons that could be the subject of the reports (see Guidance on De-identification §3.8 at 28). The failure to redact the particular sliding sport discipline of the individual, alongside the individual’s team affiliation, was an improper disclosure of an identifiable characteristic that distinguished that individual and, coupled with certain information pertaining to the medical treatment provided, could allow for identification (see 45 CFR 164.514 [b] [2] [i] [R]).3 All told, our review of the submissions reveals that the risk of identification relied upon by respondent is only implicated by virtue of its own failure to properly deidentify the necessary information in accordance with the HIPAA Privacy Rule (see 45 CFR 165.514 [b] [2]). Thus, had respondent removed the aforementioned information at the outset, there would be no reasonable basis to believe that identification of the individuals in the reports was likely. However, we are mindful that the previously released documents that were not properly redacted could be compared with the newly unredacted documents and additional information about the subject individuals may therefore be discerned. We nevertheless find that this risk is adequately mitigated by employing the proper deidentification methodology provided in the HIPAA Privacy Rule, including the use of additional redactions authorized by that rule beyond what might otherwise have been originally required (see generally Matter of Police Benevolent Assn. of N.Y. State, Inc. v. State of New York, 165 AD3d at 1436).4 Accordingly, it is our view that Supreme Court appropriately ordered disclosure of the records in accordance with the requirements for deidentification of individually identifiable health information provided in the HIPAA Privacy Rule.5 Turning to petitioner’s cross-appeal, “[p]ursuant to Public Officers Law §89 (4) (c) (i), reasonable counsel fees and other litigation costs may be awarded where a petitioner has substantially prevailed in a FOIL proceeding and the court finds that the agency lacked a reasonable basis for denying access to the requested records” (Matter of Vertucci v. New York State Dept. of Transp., 195 AD3d 1209, 1210 [3d Dept 2021], lv denied 37 NY3d 917 [2022]). “Where, as here, the statutory prerequisites are satisfied, the decision whether to award counsel fees rests in the discretion of the court and will not be overturned in the absence of an abuse of such discretion” (Matter of Competitive Enter. Inst. v. Attorney Gen. of N.Y., 161 AD3d 1283, 1287 [3d Dept 2018] [internal quotation marks and citation omitted]; see Matter of New York State Defenders Assn. v. New York State Police, 87 AD3d 193, 195 [3d Dept 2011]). Upon our review, we agree with Supreme Court’s determination that respondent did not act unreasonably in justifying its claimed exemptions pursuant to Public Officers Law §87 (2). Even though respondent did not properly redact its records as required under the HIPAA Privacy Rule, that fact alone does not render its actions unreasonable, and we find that respondent’s desire to protect the sensitive medical information of others and to avoid the significant penalties for violating HIPAA provided adequate justification for its position. Accordingly, we find that respondent had a reasonable basis for claiming the proferred exemptions and do not believe that Supreme Court abused its discretion in declining to award counsel fees (see Matter of Jewish Press, Inc. v. Kingsborough Community Coll., 201 AD3d 547, 549 [1st Dept 2022]; Matter of Norton v. Town of Islip, 17 AD3d 468, 470 [2d Dept 2005], lv denied 6 NY3d 709 [2006]). Clark, J.P., Pritzker, Reynolds Fitzgerald and Ceresia, JJ., concur. ORDERED that the judgement is affirmed, without costs. Dated: March 9, 2023

 
Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.

More From ALM

With this subscription you will receive unlimited access to high quality, online, on-demand premium content from well-respected faculty in the legal industry. This is perfect for attorneys licensed in multiple jurisdictions or for attorneys that have fulfilled their CLE requirement but need to access resourceful information for their practice areas.
View Now
Our Team Account subscription service is for legal teams of four or more attorneys. Each attorney is granted unlimited access to high quality, on-demand premium content from well-respected faculty in the legal industry along with administrative access to easily manage CLE for the entire team.
View Now
Gain access to some of the most knowledgeable and experienced attorneys with our 2 bundle options! Our Compliance bundles are curated by CLE Counselors and include current legal topics and challenges within the industry. Our second option allows you to build your bundle and strategically select the content that pertains to your needs. Both options are priced the same.
View Now
November 27, 2024
London

Celebrating achievement, excellence, and innovation in the legal profession in the UK.


Learn More
December 02, 2024 - December 03, 2024
Scottsdale, AZ

Join the industry's top owners, investors, developers, brokers and financiers for the real estate healthcare event of the year!


Learn More
December 11, 2024
Las Vegas, NV

This event shines a spotlight on how individuals and firms are changing the investment advisory industry where it matters most.


Learn More

Role TitleAssociate General Counsel, Global EmploymentGrade F13Reporting ToSenior Legal Counsel, Global EmploymentProgram/Tool/ Department/U...


Apply Now ›

Ryan & Conlon, LLP, is a boutique firm specializing in insurance defense. We are a small eclectic practice with a busy and fast paced en...


Apply Now ›

INTELLECTUAL PROPERTY PROSECUTION PARALEGAL - NEW JERSEY OR NEW YORK OFFICESProminent mid-Atlantic law firm with multiple regional office lo...


Apply Now ›