Judge: James C. Chalfant, Case: 21STCP03800, Date: 2022-08-04 Tentative Ruling

Case Number: 21STCP03800    Hearing Date: August 4, 2022    Dept: 85

Aaron Cantu v. California Correctional Health Care Services Agency, 21STCP03800

Tentative decision on petition for writ of mandate:  granted




Petitioner Aaron Cantu (“Cantu”) seeks a writ of mandate directing Respondent California Correctional Health Care Services Agency (“Agency”) to release public records responsive to his requests under the California Public Records Act (“CPRA”). 

            The court has read and considered the moving papers, opposition, and reply,[1] and renders the following tentative decision.


            A. Statement of the Case

            1. Petition

            Petitioner Cantu filed the Petition on November 16, 2021.  The operative pleading is the Second Amended Petition (“SAP”) alleging causes of action for mandamus and declaratory relief for violation of the CPRA in pertinent part as follows.

            News outlets often report a high rate of COVID-19 cases and deaths among inmates.  The Agency has been under court receivership due to unconstitutionally substandard medical care since 2005.  As recently as October 2020, some have called for the removal of Receiver J. Clark Kelso (“Kelso”) for his mismanagement of the pandemic.

            In September 2021 and March 2022, freelance journalist Cantu submitted written CPRA requests to the Agency for medical records of all prisoners who died from 2019 to present day as part of his report on how and why the prison system continues to provide substandard care.  In denying the requests, the Agency cited privacy protections under both the Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule and the CPRA exception of Government Code section 6254(c).  The Agency offered heavily redacted records as samples of what it could produce which were insufficient because they lack the cause of death, symptoms, and treatment for each patient.

            HIPAA case law clearly holds that health information that does not identify an individual and for which there is no reasonable basis to believe that it can be used to identify an individual is not prohibited form disclosure.

            Cantu seeks (1) a peremptory writ of mandate compelling the Agency to disclose the withheld records or to show cause why it should not, (2) declaratory judgment that the requested records are disclosable under the CPRA, (3) hearings to resolve this issue as soon as possible, and (4) attorney’s fees and costs.


            2. Course of Proceedings

            On November 23, 2021, Petitioner Cantu served Defendant Agency with the Petition and Summons.

            On February 24, 2022, during a trial setting conference, the court ordered counsel for both parties to meet and confer as to whether Petitioner could amend the Petition.  Petitioner received leave to amend and filed his First Amended Petition (“FAP”) on April 8, 2022.

            On May 18, 2022, the parties stipulated that Cantu would have leave to file the SAP with an agreement that some of the allegations and exhibits for the FAP were inadmissible.[2] 

            The SAP was filed on May 32, 022.  On June 8, 2022, Agency filed a Response.


            B. Standard of Review

            A party may seek to set aside an agency decision by petitioning for either a writ of administrative mandamus (CCP §1094.5) or of traditional mandamus.  CCP §1085.  A petition for traditional mandamus is appropriate in all actions “to compel the performance of an act which the law specially enjoins as a duty resulting from an office, trust, or station....”  CCP §1085. 

            A traditional writ of mandate under CCP section 1085 is the method of compelling the performance of a legal, ministerial duty.  Pomona Police Officers’ Assn. v. City of Pomona, (1997) 58 Cal.App.4th 578, 583-84.  Generally, mandamus will lie when (1) there is no plain, speedy, and adequate alternative remedy, (2) the respondent has a duty to perform, and (3) the petitioner has a clear and beneficial right to performance.  Id. at 584 (internal citations omitted).  Whether a statute imposes a ministerial duty for which mandamus is available, or a mere obligation to perform a discretionary function, is a question of statutory interpretation.  AIDS Healthcare Foundation v. Los Angeles County Dept. of Public Health, (2011) 197 Cal.App.4th 693, 701.

            Where a duty is not ministerial and the agency has discretion, mandamus relief is unavailable unless the petitioner can demonstrate an abuse of that discretion.  Mandamus will not lie to compel the exercise of a public agency’s discretion in a particular manner.  American Federation of State, County and Municipal Employees v. Metropolitan Water District of Southern California, (2005) 126 Cal.App.4th 247, 261.  It is available to compel an agency to exercise discretion where it has not done so (Los Angeles County Employees Assn. v. County of Los Angeles, (1973) 33 Cal.App.3d 1, 8), and to correct an abuse of discretion actually exercised.  Manjares v. Newton, (1966) 64 Cal.2d 365, 370-71.  In making this determination, the court may not substitute its judgment for that of the agency, whose decision must be upheld if reasonable minds may disagree as to its wisdom.  Id. at 371.  An agency decision is an abuse of discretion only if it is “arbitrary, capricious, entirely lacking in evidentiary support, unlawful, or procedurally unfair.”  Kahn v. Los Angeles City Employees’ Retirement System, (2010) 187 Cal.App.4th 98, 106.  A writ will lie where the agency’s discretion can be exercised only in one way.  Hurtado v. Superior Court, (1974) 11 Cal.3d 574, 579.

            No administrative record is required for traditional mandamus to compel performance of a ministerial duty or as an abuse of discretion.


            B. Governing Law

            1. The CPRA

            The CPRA was enacted in 1968 to safeguard the accountability of government to the public.  San Gabriel Tribune v. Superior Court, (1983) 143 Cal.App. 762, 771-72.  Govt. Code[3] section 6250 declares that “access to information concerning the conduct of the people’s business is a fundamental and necessary right of every person in this state.”  The CPRA’s purpose is to increase freedom of information by giving the public access to information in possession of public agencies. CBS. Inc. v. Block, (1986) 42 Cal. 3d 646, 651.  The CPRA was intended to safeguard the accountability of government to the public, and it makes public access to governmental records a fundamental right of citizenship.  Wilson v. Superior Court, (1996) 51 Cal.App.4th 1136, 1141.  This requires maximum disclosure of the conduct of government operations.  California State University Fresno Assn., Inc. v. Superior Court, (“California State University”) (2001) 90 Cal.App.4th 810, 823.  In 2004, the voters endorsed the CPRA by approving Prop 59, which amended the state Constitution to declare that “the writings of public agencies…shall be open to public scrutiny.”  Cal. Const. Art. I, §3(b).

            The CPRA makes clear that “every person” has a right to inspect any public record.  §6253(a).  The term “public record” is broadly defined to include “any writing containing information relating to the conduct of the people’s business prepared, owned, used or retained by any state or local agency regardless of physical form or characteristics. §6252(e).  The inspection may be for any purpose; the requester’s motivation is irrelevant. §6257.5.

Upon receiving a request for a copy of public records, an agency has to determine within ten days whether the request seeks public records in the possession of the agency that are subject to disclosure, but that deadline may be extended up to 14 days for unusual circumstances.  §6253(c).  Nothing in the CPRA “shall be construed to permit an agency to delay or obstruct the inspection or copying of public records.”  §6253(d). 

Even significant expense to the agency will not excuse an agency from conducting a thorough search for responsive records unless it constitutes an undue burden.  See, e.g., CBS Broadcasting Inc. v. Superior Ct., (2001) 91 Cal. App. 4th 892, 909 ($43,000 cost to agency to compile responsive public records was not valid reason to deny CPRA request).  “Reasonable efforts do not require that agencies undertake extraordinarily extensive or intrusive searches, however.  In general, the scope of an agency’s search for public records ‘need only be reasonably calculated to locate responsive documents.’” City of San Jose v. Superior Court, (2017) 2 Cal.5th 608, 627 (citation omitted). The “CPRA does not prescribe specific methods of searching for those documents and agencies may develop their own internal policies for conducting searches.  Some general principles have emerged, however. Once an agency receives a CPRA request, it must “‘communicate the scope of the information requested to the custodians of its records,’ although it need not use the precise language of the request...” Ibid. (citation omitted).

The right to inspect is subject to certain exemptions, which are narrowly construed.  California State University, 90 Cal.App.4th at 831.  The exemptions are found in sections 6254 and 6255.  In pertinent part, public records exempt from disclosure include (1) personnel, medical, or similar files, the discovery of which would constitute an unwarranted invasion of personal privacy (§6254(c)), and (2) records for which disclosure “is exempted or prohibited pursuant to federal or state law, including, but not limited to, provisions of the Evidence Code relating to privilege” (§6254(k)).  The burden of demonstrating that exemptions apply lies with the governmental entity.  §6255.

If the agency determines that the requested records are subject to disclosure, it must state in the determination “the estimated date and time when the records will be made available.”  Ibid. There is no deadline expressed in number of days for producing the records. Rather, the agency “shall make the records promptly available.” §6253(b).

If the agency determines that the requested records are not subject to disclosure, the agency promptly must notify the person making the request and provide the reasons for its determination. Ibid.  The agency must justify withholding a responsive record by demonstrating it is exempt or that on the facts of the case the public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record.  §6255(a).  The determination that the request is denied must be made in writing.  §6255(b).

A CPRA claim to compel compliance with a public records request may proceed through either mandamus or declaratory relief.  §§6258, 6259. A petition for traditional mandamus is appropriate in actions “to compel the performance of an act which the law specially enjoins as a duty resulting from an office, trust, or station.” CCP §1085.  Because the petitioner may proceed through either mandamus or declaratory relief, the trial court independently decides whether disclosure is required.  See City of San Jose v. Superior Court, (“City of San Jose”) (1999) 74 Cal.App.4th 1008, 1018 (appellate court independently reviews trial court CPRA decision).  No administrative record is required, and the parties must submit admissible evidence.

Section 6259(d) provides for reasonable attorney’s fees should the plaintiff prevail in a CPRA case.  An award of attorney fees pursuant to this subdivision is mandatory if the plaintiff prevails.  Filarsky v. Superior Court, (2002) 28 Cal.4th 419, 427.  To be deemed the prevailing party, a plaintiff must show that the CPRA lawsuit was the motivating factor behind the production of documents.  Motorola Communication & Electronics, Inc. v. Agency of General Services, (1997) 55 Cal.App.4th 1340, 1345. 

The attorney’s fees provision of the CPRA should be interpreted in light of the overall remedial purpose of the CPRA to broaden access to public records.  CYAC, supra, 220 Cal.App.4th at 1447.  To this end, the purpose of the attorney’s fees provision is to provide protections and incentives for members of the public to seek judicial enforcement of the right to inspect public records subject to disclosure.  National Conference of Black Mayors v. Chico Community Publishing, Inc., (2018) 25 Cal.App.5th 570, 581.


            2. HIPAA

Congress enacted HIPAA to, among other things, protect the integrity and confidentiality of personal medical records, and to prevent the unauthorized use or disclosures of such records.  42 U.S.C. §1320d-2(d)(2); see also South Carolina Medical Assn. v. Thompson, (4th Cir. 2003) 327 F.3d 346, 348.  HIPAA applies to covered entities, which are health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with applicable transactions.  42 U.S.C. § 1320d-1. 

The term “individually identifiable health information” means any information, including demographic information collected from an individual, that (A) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (B) relates to the physical or mental condition of an individual, provision of health care to that individual, or payment for provision of health care at any point in time – provided that said information (a) identifies the individual or (b) on a reasonable basis can be used to identify the individual.  42 U.S.C. § 1320d(6)(A)-(6)(B).

The HIPAA privacy rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards to (1) ensure the integrity and confidentiality of health information; (2) protect against any reasonably anticipated threats or hazards to the security or integrity of health information, as well as unauthorized uses or disclosures; and (3) ensure compliance with HIPAA by officers and employees.  42 U.S.C. §1320d-2(d)(2).

Congress charged the Agency of Health and Human Services (“HHS”) to create and adopt federal regulations to implement HIPAA.  Brown v. Mortensen, (2011) 51 Cal.4th 1052, 1066.  These regulations limit the circumstances and to what extent individually protected personal health information can be disclosed by covered entities.  Id. at 1066. 

If state law requires disclosure that is not permitted under HIPAA, HIPAA precludes health care providers from complying with the state requirements.  45 C.F.R. §160.203.   

HIPAA precludes public disclosure of any private inmate medical information and documentation for at least 50 years following an individual’s death.   45 C.F.R. §160.113(2)(IV). 


            D. Statement of Facts[4]

            1. The Inmate Mortality Review

            In a 2001 class-action lawsuit in federal court alleging that the quality of CDCR’s inmate medical care violated the Eighth Amendment of the Constitution, the state settled the suit and agreed to remedies that would rectify the problems.  RJN Ex. 2.  When it failed to implement them, in June 2005 the court established a receivership for prison medical care.  RJN Ex. 2. 

The federal receiver’s supervision of CDCR’s medical care system is carried out by the Agency.  The federal receiver requires the Agency to review, investigate, and prepare reports for all inmate deaths. RJN Ex. 1, pp. 2-3.  The receiver is responsible for (1) delivering medical care at adult prison institutions, (2) obtaining specialty care services in the community for patients at those institutions, (3) overseeing the 12,219 medical care positions providing such care, and (4) obtaining temporary relief staff resources to cover staffing vacancies and long-term absences.  RJN Ex. 2. 

            In 2018, the Agency restructured its death assessment process.  RJN Ex. 1.  Any inmate death prompts the prison to generate an initial death report that then goes to the central headquarters’ mortality review unit staff.  RJN Ex. 1.  Within five business days, the prison generates a local death summary submitted to central headquarters that includes significant clinical events, emergency medical response, and any identified lapses in care or systemic issues contributing to the patient’s death.  RJN Ex. 1. 

            A physician and nurse reviewer then conduct a review of the patient’s clinical record dating at least six months prior to death, with discretion to review older incidents if considered antecedent to the terminal event.  RJN Ex. 1.  Relevant factors include the quality of triage and evaluation, timeliness of access to care, the quality of care for any chronic medical condition, adherence to published evidence-based care guides and nationally recognized standards of care, responses to all abnormal laboratory and imaging studies, and the timing and quality of emergency response.  RJN Ex. 1.  Potential suicides receive additional review by the Suicide Prevention and Response Focused Improvement Team.  RJN Ex. 1.

            Central headquarters’ Mortality Review Committee (“MRC”) reviews the results and determines whether the death was (1) expected or unexpected, and (2) with or without findings for opportunities for improvement.  RJN Ex. 1.  It also identifies any Potential Quality Issues (“PQI”), which refers to incidents with potential quality implications that occur outside the prison system with one of the Healthcare Provider Networks that contract with the state to provide hospital or specialist care.  RJN Ex. 1. 

Both the prison where the death occurred and regional health care leadership receive a copy of this Final Mortality Report, which is also entered into the Electronic Health Care Incident Reporting (“eHCIR”) system.  RJN Ex. 1.


            3. The 2021 Request

            On September 14, 2021, Cantu submitted a CPRA request to the Agency, requesting copies of all medical records for individual inmates who died while housed in one of the California Agency of Corrections and Rehabilitation (“CDCR”) facilities since January 1, 2019.  SAP Ex. A.[5] 

            On September 17, 2021, the Agency replied, without denying such information existed, that the requested information was exempt under HIPAA.  SAP Ex. B.  It was also exempt under section 6254(c) as medical files the disclosure of which would constitute an unwarranted invasion of personal privacy.  SAP Ex. B.  The email advised Cantu that he may find the information he needed on the Agency website where the 2019 death report was published and the 2020 report was expected to be published later.  SAP Ex. B.


            4. The 2022 Request

            On March 9, 2022, after filing the Petition, Cantu submitted a second CPRA request for the period 2019-2021 for (1) the Initial Death Report for each deceased inmate generated by the prison where the death occurred (“Req. No. 1”); (2) the Local Death Summary for each deceased inmate submitted by each prison to Central Headquarters (“Req. No. 2”); (3) separate case reviews by the Suicide Prevention and Response Focused Improvement Team for each inmate who committed suicide (“Req. No. 3”); (4) six months of clinic records for each deceased inmate that was reviewed for the Final Mortality Report (“Req. No. 4”); and (5) the Final Mortality Report for each inmate death that was presented to the Headquarters MEC (“Req. No. 5”).  SAP Ex. C. 

Cantu limited the timeframe of each request to the reports prepared for the 2019-2021 Analyses of CCHCH Inmate Mortality Reviews.  SAP Ex. C.  The request also asked that the Agency not respond by telling Cantu to refer to those reports because he was interested in the underlying records of each death.  SAP Ex. C.  To the extent that redactions were necessary, Cantu invoked his right under section 6253(a) to have a reasonably segregable portion of a record post-redaction available for review.  SAP Ex. C.

            On March 18, 2022, the Agency replied that information responsive to all five requests was not disclosable under HIPAA, sections 6254(c) and 6254(k), and 45 C.F.R. sections 164.502(f) and 164.502(g).  SAP Ex. D.  In the case of Req. No. 3, a protective order issued in July 29, 1992 also required that the information remain confidential.  SAP Ex. D.  To comply with these laws and regulations, the Agency asserted that it had to redact (1) any dates related to the time of death; (2) location of the death; (3) cause of death; (4) physical description; (5) past and current health conditions; (6) medications; (7) family history; and (8) patient movement.  SAP Ex. D. 

            Cantu received redacted samples of documents responsive to Request Nos. 1-3 and 5, which were of little use to him.  SAP Ex. E-H.  The only information not redacted from the Final Mortality Report was the time of death, the date the review closed, and the date that the medical and nurse executives accepted the report.  Ex. E.  The only portion of the Local Death Summary that remained unredacted was whether the physician discovered major system issues that contributed to the patient’s death and whether expedited review was necessary.  SAP Ex. H.


            E. Analysis

Petitioner Cantu seeks mandamus compelling the Agency to produce redacted medical reports and records.[6]  It is undisputed that the records sought by Cantu are public records under the CPRA and that the Agency has them. 


1. HIPAA’s Requirements

            Cantu notes (Pet. Op. Br. at 11) that HIPAA is a federal law that generally prohibits covered entities from disclosing a patient’s medical records containing personally identifiable information about the patient to anyone other than a patient and the patient’s authorized representatives.  However, “[h]ealth information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” 45 CFR §164.514(a). In other words, “de-identified records” are not governed by HIPAA and may be disclosed without violating the statute.

            Pursuant to 45 CFR section 164.514(b)(2)’s safe harbor, a covered entity may determine that health information is not individually identifiable health information only if:

“(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names;

(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.”  (emphasis added).  Pet. Op. Br. at 11-13.


HIPAA permits disclosure of patient medical records where the information has been redacted under the safe harbor de-identification provision.  “Once medical records have been appropriately redacted and de-identified, patient privacy concerns dissipate and HIPAA poses no obstacle to the production of the redacted records.”  Roth v. Sunrise Senior Living Management, Inc., (E.D. Pa.) 2012 WL 748401 at *2 (disclosure of medical records of other party to incident at assisted living facility); Miller v. Allstate Fire & Cas. Ins. Co., (W.D. Pa. Mar. 17, 2009) 2009 WL 700142, at *4  (submission of redacted patient documents “would obviate any of the patient privacy interests potentially at stake”). 

The HHS “Guidance Regarding Methods for De-Identification of Protected Health Information in Accordance with the HIPAA Privacy Rule”[7] states that “actual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is subject of the information.”  §3.6.  The Guidance gives some examples of a redacted record that could lead to re-identification of an individual patient, such as record that lists the patient as the “former president of the State University.” Id., Example 1.  In that example, HHS recommends redacting the “occupation” field from the record to avoid re-identification – and then releasing the record.  Id.  The Guidance also instructs that a covered entity may not claim “actual knowledge” of re-identification by citing studies about re-identification, nor may it redact “all personal names, such as physician names,” unless it can meet the “actual knowledge specification.”  §§ 3.7-3.8. 

HIPAA generally preempts state laws regarding privacy.  “A standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law[.]”  45 CFR §160.203.  “[T]he States' [doctor-patient] privilege laws pose no obstacle to the discovery of the medical records, provided the records are de-identified”.  In re Zyprexa Products Liability Litigation, (E.D.N.Y. 2008) 254 F.R.D. 50, 52.  “Even assuming that state privilege laws afford greater protection” to patient records, “de-identified health information is not protected under HIPAA, and...to the extent state privilege laws offer protection to de-identified medical records, HIPAA preempts those laws.”  Id. at 54.  

HIPAA’s supersession clause means that the Agency is not permitted to withhold de-identified records compliant with HIPAA when they are sought under the CPRA based on the privacy protections of the California Constitution, section 6254(c) and (k), or Civil Code sections 1798.3(a) and 1798.24.  The Agency is required to disclose redacted, de-identified copies of prisoner medical records for individual deceased prisoners and related individual prisoner death reports as permitted by 45 CFR section 64.514(b)(2), and such a disclosure does not violate HIPAA or state privacy laws. 


2. The Agency Must Produce the Redacted Records and Reports

Cantu contends that the Agency is required to produce the records requested in his First and Second CPRA Requests with only those redactions required by the safe harbor of 45 CFR section 64.514(b)(2).  The First CPRA Request sought individual inmate medical records and the Second CPRA Request sought the following reports for the calendars years 2019, 2021, and 2022: (1) Initial Death Reports for deceased inmates generated by the prison where the inmate death occurred; (2) the Local Death Summary for each deceased inmate submitted by the prison to Central Headquarters; (3) the separate case reviews by the Suicide Prevention and Response Focused Improvement Team for each inmate who died by suicide; (4) six months of clinical records for each deceased prisoner reviewed by a review team; and (5) Final Mortality Reports for each inmate death that were presented to the HQ Mortality Review Committee.  Pet. Op. Br. at 13-14.

In performing the redactions, Cantu argues that the Agency should not redact the following information from the medical records and reports: (a) the cause of death for each inmate; (b) the listing of the inmate’s death as falling into one of four categories: expected or unexpected death, with or without findings for opportunity(ies) for improvement (“Opportunities for Improvement(OFI)”); (c) “Potential Quality Issues (PQI)” for each inmate’s death for incidents with potential quality implication that occurred outside the Agency prison system in one of the Healthcare Provider Networks that contract with the state to provide hospital care or specialist care; (d) the first three letters of the zip code where each inmate died if the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; (e) the year of each deceased inmate’s birth, admission to a hospital facility, discharge from the hospital facility, death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older; (f) the pre-existing medical conditions for each deceased inmate; (g) the cause of death of for each deceased inmate; (h) reports assessing any problem or failings by the Agency that may have contributed to each deceased inmate’s death and any general problems or failings by the Agency contributing to inmate deaths; and (i) reports discussing proposed changes to medical care provided to inmates to prevent further deaths.  Pet. Op. Br. at 15.

The Agency notes that Cantu does not dispute that the records and reports he seeks contain private inmate medical information.  HIPAA protects the unlawful disclosure of private medical information (42 U.S.C. § 1320d-2(d)(2)), and expressly precludes the Agency from disclosing inmate medical records, reports, and information for at least 50 years after the inmate’s date of death.  See 45 C.F.R. §160.103(2)(IV).  The Agency contends that it has a mandatory duty to prohibit, not provide, disclosure of the medical records and reports.  The Agency, as the custodian of private inmate medical records, may not waive the privacy rights of inmates and has a duty “to resist attempts at unauthorized disclosure and the person who is the subject of the record is entitled to expect that his right will be thus asserted.”   See Westbrook v. County of Los Angeles, (1994) 27 Cal.App.4th 157, 166 (citation omitted).  Opp. at 9.

The Agency admits that under HIPAA medical records that have been redacted to remove any and all private personally identifying information no longer contain private, protected information and thus may be subject to disclosure.  45 C.F.R. §164.514(a).  But this redaction process (“de-identification”) is not simple.  The regulations require the Agency to engage in a complex discretionary analysis of what information is personally identifiable private medical information, as well as what information could be identifiable information when combined or cross-referenced with other information.  45 C.F.R. §164.514(b)(2); see also 42 U.S.C. §1320d(6)(B) (information protected under HIPAA includes that “which identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual).  Opp. at 11.

The concept of de-identification is so complicated that HHS, which developed and enforces HIPAA regulations, maintains a website about the de-identification of personally identifying information.  As explained by HHS, protected information includes information that “identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.”  Guidance.  Personal identifying information includes “many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.”  Ibid.  Even seemingly de-identified information may become personally identifiable information that is prohibited from disclosure when combined or cross-referenced with other information, including other deidentified information.  Guidance.  Private and confidential information, even if de-identified, cannot be viewed in isolation.  Rather, the health care provider must consider the totality of the information disclosed to determine if it reveals a person’s private medical information and if so, disclosure is prohibited.  Ibid.  Opp. at 12.

The Agency contends that Cantu ignores the complexities of de-identification.  He lists the categories of information that are absolutely protected from disclosure and are subject to de-identification under HIPAA.  Then he lists, without support, information that he contends is not personally identifiable information and must remain unredacted.  But Cantu’s overly simplistic argument fails to consider HIPAA’s goal of protecting personally identifying information and neglects the discretionary analysis the Agency must perform.  Opp. at 12-13.

The Agency argues that Cantu’s contention that it must provide redacted documentation based on criteria established by him and not by law is improper because the Agency’s redaction of its medical records and reports to remove personally identifiable information requires it to exercise its discretion.  Mandate is not proper to control the Agency’s discretion to redact personally identifiable information from inmate medical records.  Mandate does not lie to control how the agent exercises that discretion “unless under the facts, discretion can be exercised in only one way.”  Pacific Bell v. California State & Consumer Services Agency, (1990) 225 Cal.App.3d 107, 118.  Opp. at 5-6, 10-11.

The Agency concludes that it has the professional knowledge, experience, and discretion to decide not only what information is identifiable information, but also the combination of de-identifiable that must be redacted to prevent re-identifying the inmates it is obligated to protect.  The Agency properly exercised its discretion and came to a reasonable conclusion that the private and confidential information cannot be disclosed, even with de-identification.  Although reasonable minds could differ, no showing has been made that the Agency failed to exercise a mandatory duty to disclose unredacted private inmate medical records and reports, or that it abused its discretion in deciding what information must be redacted.  Opp. at 13-14.

A writ of traditional mandate is used to compel the performance of a legal, ministerial duty.  Pomona Police Officers’ Assn. v. City of Pomona, (1997) 58 Cal.App.4th 578, 583-84.  An act is ministerial if a public officer is required to perform it in a prescribed manner in obedience to legal authority and without regard to the officer’s own judgment or opinion concerning the propriety of the act.  “Discretion” is the power conferred on public officials to act according to the dictates of their own judgment.  Lockyer v. City & County of San Francisco, (2004) 33 Cal.4th 1055, 1082 (local official had ministerial duty to follow state marriage statute and could not refuse to do so based on opinion the statute is unconstitutional).  Even if an agency has discretion, it can be compelled to exercise it.  Los Angeles County Employees Assn. v. County of Los Angeles, supra, 33 Cal.App.3d 1, 8; California Ass’n of Sanitation Agencies v. State Water Resources Control Board, (2012) 208 Cal.App.4th 1438, 1462-63 (water board could be compelled to initiate changes to basin plan that was manifestly inaccurate).

            The Agency has a mandatory duty to disclose public records.  The Agency has no discretion to decide whether to redact the records to remove information protected by HIPAA.  The CPRA requires disclosure of public records with redactions when necessary.  §6253(a).  The CPRA does not permit a government agency to exercise its discretion to decide whether to release a public record.  “[A]ll public records are subject to disclosure unless the Legislature has expressly provided to the contrary.”  Williams v. Superior Court, (1993) 5 Cal.4th 337, 346; American Civil Liberties Union Foundation v. Superior Court, (“ACLU”) (2017) 3 Cal.5th 1032, 1038-39. 

            The Agency also has a mandatory duty to produce redacted records where redaction is necessary.  When a portion of a document is exempt from disclosure under the CPRA, section 6253(a) requires the government agency to redact that portion and disclose the rest: “Any reasonably segregable portion of a record shall be available for inspection by any person requesting the record after deletion of the portions that are exempted by law.”  §6253(a) (emphasis added).  “[A] public agency remains … obligated to redact exempt information from a nonexempt record when the exempt and nonexempt materials are not inextricably intertwined’ and are ‘otherwise reasonably segregable.’” Becerra v. Superior Court, (2020) 44 Cal. App. 5th 897, 918, 929 (citing ACLU, supra, 32 Cal.3d at 453 n. 13).  Redaction or “segregation is required to serve the objective of the [Act] to make public records available for public inspection and copying unless a particular statute makes them exempt” in their entirety.  Id. at 453, n. 13 (emphasis added). 

Thus, the Agency has a mandatory, ministerial duty to produce redacted inmate medical records and reports requested by Cantu and has no discretion not to do so.  HIPAA and its federal regulations do not bar disclosure when disclosure is required by other laws, including the CPRA, if patient records are redacted to de-identify individual patients. The CPRA requires the Agency to disclose the records and HIPAA requires the Agency to de-identify those records before disclosure.  

The Agency’s ministerial duty to provide the redacted inmate medical records is little different than an agency’s duty to redact privacy or other privileged information in other CPRA cases.  The Agency may have to make a decision about what information to redact, but the ministerial duty to produce redacted records remains.  The Agency does not have any discretion on the issue.  If the Agency fails to do so properly, either Cantu or some representative of the deceased inmate’s estate theoretically could compel the correct redaction.  The Agency cites no statute or case indicating that it has discretion to ignore the CPRA’s mandatory disclosure of non-exempt records.  

The Agency’s argument that it has applied its professional knowledge, experience, and discretion to reasonably conclude that the private and confidential information cannot be disclosed, even with de-identification, is a blanket position unsupported by any evidence or rationale.  Apparently, the Agency is relying on (a) its September 17, 2021 reply to Cantu’s First CPRA Request for inmate medical records that the records simply are exempt, and (b) its March 18, 2022 reply to Cantu’s Second CPRA Request for reports on inmate deaths by providing a sample Final Mortality Report in which everything was redacted except the time of death, the date the review closed, and the date that the medical and nurse executives accepted the report (Ex. E) and a sample Local Death Summary in which everything was redacted except whether the physician discovered major system issues that contributed to the patient’s death and whether expedited review was necessary.  (Ex. H).

The Agency cannot take a blanket position that it cannot redact inmate medical records and medical reports based on speculation that some deceased prisoners might be re-identified; it must produce redacted records and reports for each inmate unless it has actual knowledge that the inmate could be identified.  See 45 CFR §64.514(b)(2)(ii).  That would require the Agency’s review of each inmate medical record or report and a conclusion that it has actual knowledge that the inmate can be identified no matter what the redaction is made.  The same concept is true for medical reports.

This is where the safe harbor of 45 CFR §64.514(b)(2) comes into play.  The Agency is not obligated to follow the safe harbor of 45 CFR section 64.514(b)(2), but it can do so without fear of being second guessed.  Under the plain terms of section 45 CFR section 64.514(b)(2)(ii), the Agency cannot rely on the listed information as the sole redactions if it has actual knowledge that the information could be used alone or in combination with other information to identify the inmate.  But this does not mean some hypothetical possibility that someone could piece together other publicly available prison records to identify a deceased inmate.  The term “actual knowledge” is not defined in 45 CFR section 64.514(b)(2)(ii), but there must be a realistic prospect that the information can be used to identify the inmate.  It seems very unlikely that this could occur if the safe harbor is followed.

In sum, it is plain from the evidence that the Agency has overreacted and lacks actual knowledge that any specific inmate patient will be re-identified based on the release of de-identified records.  The Agency is not required to follow Cantu’s direction of what must remain for the redaction (Pet. Op. Br. at 15), but it should follow the safe harbor and then review the records to ascertain if there is any realistic possibility of identification of the deceased inmate from the redacted record in combination with other realistically available information.


            3. The Case Law

The Agency relies on Menefield v. Foreman, (“Menefield”) (2014) 231 Cal.App.4th 211, as instructive.  There, an inmate challenged CDCR’s decision to cancel an administrative appeal concerning security for and access to the prison chapel.  Id. at 215.  A prison official screened the appeal, found it to be duplicative of a previous appeal, and cancelled it.  Id. at 216.  The court ruled that 15 section 3084.5(b) required CDCR to screen all inmate administrative appeals, but that it gave a prison appeals coordinator discretion to determine whether an appeal is duplicative.  Id. at 217-18.  Although reasonable minds could differ whether Menefield’s second appeal was duplicative, CDCR was entitled to exercise its discretion.  Id. at 219.  Despite the factual differences in the two inmate appeals, CDCR did not abuse its discretion in concluding that the second appeal was duplicative of the first.  Id. at 219-20.  Opp. at 13.

The Agency argues that Cantu advances the same rationale rejected in Menefield by contending that the Agency abuses its discretion in deciding what information needs to be redacted.  De-identification under HIPAA contemplates the Agency’s exercise of discretion when determining the identifiable health information and the information that needs to be redacted to protect the individual’s right to privacy.  42 U.S.C. §1320d(6)(B); 45 C.F.R. §164.514(b).   This is echoed by HHS’s Guidance, which explains that information that may be de-identifiable in a vacuum can be protected personal identification information when combined or cross-referenced with other information.  Like Menefield, while reasonable minds could differ, no showing has been made that the Agency failed to exercise a mandatory duty to disclose unredacted private inmate medical records and reports, or that it abused its discretion in deciding what information must be redacted.  Opp. at 13-14.

Menefield is inapposite.  There, the court interpretated a regulation to permit CDCR to exercise its discretion whether to cancel an inmate appeal as duplicative.   Minefield did not involve a statute that imposed a clear and ministerial mandatory duty to produce redacted documents, detailed regulations that spell out how de-identification can be done in a safe harbor and that require the agency to have actual knowledge that the subject can be identified before concluding that a redaction is unworkable, and a guidance document providing examples. 

As Cantu notes (Reply at 4), other jurisdictions have held that where a state public records law requires disclosure of the requested records and HIPAA regulations permit disclosure, the state agency is required to release health records in compliance with both.  See Abbott v. Texas Dept. Of Mental Health, (“Abbott”) (2006) 212 S.W.3d 648, 650; State ex. rel. Cincinnati Enquirer v. Daniels, (“Daniels”) (2006) 844 N.E.2d 1181. 

In Abbott, a journalist made a request under the Texas Public Records Act for statistical information about reports of abuse and investigations in state mental hospitals, including the corresponding name of the facility where each allegation was made.  212 S.W.3d at 651.  The Texas Agency of Mental Health and Mental Retardation released a statistical report showing abuse allegations and subsequent investigations but argued that HIPAA barred it from releasing the names of the facilities because such information was “individually identifiable health information.”  Id. at 652.  The Texas Court of Appeals rejected this “circular logic.” Id. at 662.  The court held that where “a request is made under authority of a statute that requires disclosure” such as the Texas Public Information Act, “the agency must disclose the information” because HIPAA and related federal regulations, known collectively as the Privacy Rule, permit such disclosure.  Id. at 662.

The Texas Court of Appeals noted that the Privacy Rule “permits disclosure of protected health information if required by law, as long as the disclosure comports with the requirements of that law.”  Id. at 664.  The Texas Public Information Act requires disclosure of public information unless an exception applies and none does here.  Id.  at 664. If the information is patient information, the state agency “must release the information if potential identifiers are redacted” pursuant to 45 C.F.R. section 164.512(a) and 164.514.  Id. at 662. 

Similarly, in Daniels, the Ohio Supreme Court held that a city health department was required to disclose its lead-contamination notices under the state public records act even if the records contained protected health information under HIPAA.  844 N.E.2d at 1186-88. The court held that the “requested …. reports [are] subject to disclosure under the ‘required by law’ exception to the HIPAA privacy rule because the Ohio Public Records Law …. requires disclosure of these reports, and federal law, HIPAA, does not supersede state disclosure requirements.” Id. at 1188.

As Cantu argues, these cases support the conclusion that the Agency is required to provide the records to Cantú under the CPRA and the “required by law” exemption in 45 C.F.R. section 164.512(a), while adhering to the safe harbor de-identification regulations in 45 C.F.R. section 164.514(a), (b)(2).  Reply at 5.


4. The District Court’s Protective Order

(i). The Protective Order Has No Bearing on the Agency’s CPRA Duties

The Agency contends that it cannot disclose the “separate case reviews by the Suicide Prevention and Response Focused Improvement Team for each inmate who died by suicide for preparation of … 2019-2021 Reports” because those records are confidential under a protective order issued by the federal district court overseeing the receivership of the CDCR in Coleman v. Newsom. FAP, ¶14, Ex. D, p. 24. Pet. Op. Br. at 15.

This is incorrect. The federal court’s protective order in Coleman does not govern the Agency’s duty under the CPRA, or this court’s decision whether the records must be disclosed.  A person requesting records under the CPRA is not governed by the rules of civil discovery (Wilder v. Superior Court, (1998) 66 Cal.App.4th 77, 79-80) and “the Federal Rules of Civil Procedure do not act as an automatic bar of a litigant’s rights to obtain or seek documents under a [state] public record access statute.”  Mid-Atlantic Recycling Technologies, Inc. v. City of Vineland, (D. N.J. 2004) 222 F.R.D. 81, 86.  Pet. Op. Br. at 15.


(ii). The Filing Pursuant to Protective Order Is Not a Release to the Public

Cantu notes that government agencies are not permitted to release a public record to a member of the public, business entity, or place it into the public record, and then deny disclosure to another requester.  §6254.5; Black Panther v. Kehoe, Black Panther Party v. Kehoe, (1974) 42 Cal. App. 3d 645, 656-57 (CPRA does not permit selective disclosure).  He argues that, to the extent the Agency has disclosed any of the requested records about inmate deaths in a public court record, the Agency is required to provide those reports to him.  Pet. Op. Br. at 10; Reply at 7-8.

The Agency initially responds that Cantu never raised this argument in his Petition but cites to no requirement that Cantu was required to do so.  See Opp. at 14.  The Agency also argues that Cantu has the burden to prove his claim and has not identified any public disclosure it made.  Opp. at 14.  This argument carries has more validity.  Cantu makes no showing that the Agency publicly filed any pertinent documents in Coleman.  However, the Agency admits that it confidentially filed documents in Coleman, stating that it did so pursuant to a protective order controlling the identification, use, and dissemination of the records.  Accordingly, these records have not been publicly disclosed.  Opp. at 14. 

Cantu has not shown that the Agency waived any privacy rights for medical records and reports filed pursuant to a protective order in Coleman.


            F. Conclusion

The SAP is granted.  A writ shall issue compelling the Agency to review and redact each medical record and report sought by Cantu and redact them according to HIPAA.  The Agency is not required to follow Cantu’s direction of what must remain for the redaction, but it should follow the safe harbor and then review the records to ascertain if there is any realistic possibility of identification of the deceased inmate from the redacted record or report in combination with other realistically available information.

Petitioner Cantu’s counsel is ordered to prepare a proposed judgment and writ of mandate, serve them on the Agency’s counsel for approval as to form, wait ten days after service for any objections, meet and confer if there are objections, and then submit the proposed judgment and writ along with a declaration stating the existence/non-existence of any unresolved objections.  An OSC re: judgment is set for September 20, 2022 at 1:30 p.m.




[1] The parties cite various federal statutes, regulations, and case law in their briefs.  For future reference, their counsel would be wise to provide hard copies of federal authority.  See CRC 3.1113(i).

[2] The Agency contends that the court never signed the stipulated order (Opp. at 8, n. 2), but the court file shows that it was signed on May 24, 2022.

            [3]All further statutory references are to the Government Code unless expressly stated otherwise.

            [4] Petitioner Cantu requests judicial notice (1) the Analysis of 2020 Agency Inmate Mortality Reviews (“2020 Inmate Mortality Report”) dated December 12, 2020 and posted on the Agency website (RJN Ex. 1); (2) Agency Receiver Fact Sheet, last updated December 2020 (RJN Ex. 2); (3) “Tracking the Coronavirus in California State Prisons,” an article published in the Los Angeles Times (RJN Ex. 3); (4) “Incarcerated and Infected: How the Virus Tore Through the U.S. Prison System,” an article published in the New York Times (RJN Ex. 4); (5) “Legislators Seek Ouster of Receiver After San Quentin Covid-19 Outbreak” an article from the Los Angeles Daily Journal (RJN Ex. 5); (6) “Prisons and Jails Have Become a ‘Public Health Threat’ During the Pandemic, Advocates Say” an article from the Washington Post (RJN Ex. 6); and (7) “California Prisons Ignored Warning Before Covid Outbreaks” an article from the Angeles Times (RJN Ex. 7). 

The requests are granted for Exs. 1, 2.  Evid. Code §452(c).  While the existence of the remaining exhibits (Exs. 3-7) could be judicially noticed, Cantu offers them for the truth of their contents which is impermissible.  A court may not take judicial notice of the truth of the findings in a court document.  Sosinsky v. Grant, (1992) 6 Cal.App.4th 1548, 1551 (court may not judicially notice truth of court document).  The requests are denied.

[5] Cantu relies on his verified SAP as evidence.  The Agency does not dispute his right to do so.

[6] The Agency contends that Cantu waived his declaratory relief claim because he failed to address it.  Even if not waived, the declaratory relief claim is “wholly derivative” of the mandate claim.  Ball v. FleetBoston Financial Corp., (2008) 164 Cal.App.4th 794, 800.  Opp. at 15-16.  Cantu responds that the CPRA (§6258) expressly authorizes him to seek either mandamus or declaratory relief.  Reply at 8.  This is true, but both his claims seek the same relief; there is no reason to distinguish them.

[7]https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html (July 22, 2022).