Judge: James C. Chalfant, Case: 21STCP03800, Date: 2022-08-04 Tentative Ruling
Case Number: 21STCP03800 Hearing Date: August 4, 2022 Dept: 85
Aaron Cantu v.
California Correctional Health Care Services Agency, 21STCP03800
Tentative decision on
petition for writ of mandate: granted
Petitioner Aaron Cantu (“Cantu”) seeks a writ of mandate directing
Respondent California Correctional Health Care Services Agency (“Agency”) to
release public records responsive to his requests under the California Public
Records Act (“CPRA”).
The
court has read and considered the moving papers, opposition, and reply,[1] and
renders the following tentative decision.
A.
Statement of the Case
1.
Petition
Petitioner
Cantu filed the Petition on November 16, 2021.
The operative pleading is the Second Amended Petition (“SAP”) alleging
causes of action for mandamus and declaratory relief for violation of the CPRA
in pertinent part as follows.
News
outlets often report a high rate of COVID-19 cases and deaths among
inmates. The Agency has been under court
receivership due to unconstitutionally substandard medical care since 2005. As recently as October 2020, some have called
for the removal of Receiver J. Clark Kelso (“Kelso”) for his mismanagement of
the pandemic.
In
September 2021 and March 2022, freelance journalist Cantu submitted written
CPRA requests to the Agency for medical records of all prisoners who died from
2019 to present day as part of his report on how and why the prison system
continues to provide substandard care. In
denying the requests, the Agency cited privacy protections under both the
Health Insurance Portability and Accountability Act’s (“HIPAA”) Privacy Rule
and the CPRA exception of Government Code section 6254(c). The Agency offered heavily redacted records as
samples of what it could produce which were insufficient because they lack the
cause of death, symptoms, and treatment for each patient.
HIPAA
case law clearly holds that health information that does not identify an
individual and for which there is no reasonable basis to believe that it can be
used to identify an individual is not prohibited form disclosure.
Cantu
seeks (1) a peremptory writ of mandate compelling the Agency to disclose the
withheld records or to show cause why it should not, (2) declaratory judgment
that the requested records are disclosable under the CPRA, (3) hearings to
resolve this issue as soon as possible, and (4) attorney’s fees and costs.
2.
Course of Proceedings
On
November 23, 2021, Petitioner Cantu served Defendant Agency with the Petition and
Summons.
On
February 24, 2022, during a trial setting conference, the court ordered counsel
for both parties to meet and confer as to whether Petitioner could amend the Petition. Petitioner received leave to amend and filed
his First Amended Petition (“FAP”) on April 8, 2022.
On
May 18, 2022, the parties stipulated that Cantu would have leave to file the
SAP with an agreement that some of the allegations and exhibits for the FAP
were inadmissible.[2]
The
SAP was filed on May 32, 022. On June 8,
2022, Agency filed a Response.
B.
Standard of Review
A
party may seek to set aside an agency decision by petitioning for either a writ
of administrative mandamus (CCP §1094.5) or of traditional mandamus. CCP §1085.
A petition for traditional mandamus is appropriate in all actions “to
compel the performance of an act which the law specially enjoins as a duty
resulting from an office, trust, or station....” CCP §1085.
A
traditional writ of mandate under CCP section 1085 is the method of compelling
the performance of a legal, ministerial duty.
Pomona Police Officers’ Assn. v. City of Pomona, (1997) 58
Cal.App.4th 578, 583-84. Generally,
mandamus will lie when (1) there is no plain, speedy, and adequate alternative
remedy, (2) the respondent has a duty to perform, and (3) the petitioner has a
clear and beneficial right to performance.
Id. at 584 (internal citations omitted). Whether a statute imposes a ministerial duty
for which mandamus is available, or a mere obligation to perform a
discretionary function, is a question of statutory interpretation. AIDS Healthcare Foundation v. Los Angeles
County Dept. of Public Health, (2011) 197 Cal.App.4th 693, 701.
Where
a duty is not ministerial and the agency has discretion, mandamus relief is
unavailable unless the petitioner can demonstrate an abuse of that discretion. Mandamus will not lie to compel the exercise
of a public agency’s discretion in a particular manner. American Federation of State, County and
Municipal Employees v. Metropolitan Water District of Southern California,
(2005) 126 Cal.App.4th 247, 261. It is
available to compel an agency to exercise discretion where it has not done so (Los
Angeles County Employees Assn. v. County of Los Angeles, (1973) 33
Cal.App.3d 1, 8), and to correct an abuse of discretion actually
exercised. Manjares v. Newton,
(1966) 64 Cal.2d 365, 370-71. In making
this determination, the court may not substitute its judgment for that of the
agency, whose decision must be upheld if reasonable minds may disagree as to
its wisdom. Id. at 371. An agency decision is an abuse of discretion
only if it is “arbitrary, capricious, entirely lacking in evidentiary support,
unlawful, or procedurally unfair.” Kahn
v. Los Angeles City Employees’ Retirement System, (2010) 187 Cal.App.4th
98, 106. A writ will lie where the
agency’s discretion can be exercised only in one way. Hurtado v. Superior Court, (1974) 11
Cal.3d 574, 579.
No
administrative record is required for traditional mandamus to compel
performance of a ministerial duty or as an abuse of discretion.
B.
Governing Law
1. The CPRA
The
CPRA was enacted in 1968 to safeguard the accountability of government to the
public. San Gabriel Tribune v.
Superior Court, (1983) 143 Cal.App. 762, 771-72. Govt. Code[3] section
6250 declares that “access to information concerning the conduct of the
people’s business is a fundamental and necessary right of every person in this
state.” The CPRA’s purpose is to
increase freedom of information by giving the public access to information in
possession of public agencies. CBS. Inc. v. Block, (1986) 42 Cal. 3d
646, 651. The CPRA was intended to
safeguard the accountability of government to the public, and it makes public
access to governmental records a fundamental right of citizenship. Wilson v. Superior Court, (1996) 51
Cal.App.4th 1136, 1141. This requires
maximum disclosure of the conduct of government operations. California State University Fresno Assn.,
Inc. v. Superior Court, (“California State University”) (2001) 90 Cal.App.4th
810, 823. In 2004, the voters endorsed
the CPRA by approving Prop 59, which amended the state Constitution to declare
that “the writings of public agencies…shall be open to public scrutiny.” Cal. Const. Art. I, §3(b).
The
CPRA makes clear that “every person” has a right to inspect any public
record. §6253(a). The term “public record” is broadly defined
to include “any writing containing information relating to the conduct of the
people’s business prepared, owned, used or retained by any state or local
agency regardless of physical form or characteristics. §6252(e). The inspection may be for any purpose; the
requester’s motivation is irrelevant. §6257.5.
Upon receiving a request for a copy of public records, an
agency has to determine within ten days whether the request seeks public
records in the possession of the agency that are subject to disclosure, but that
deadline may be extended up to 14 days for unusual circumstances. §6253(c). Nothing in the CPRA “shall be construed to
permit an agency to delay or obstruct the inspection or copying of public
records.” §6253(d).
Even significant expense to the agency will not excuse an
agency from conducting a thorough search for responsive records unless it
constitutes an undue burden. See,
e.g., CBS Broadcasting Inc. v. Superior Ct., (2001) 91 Cal. App. 4th
892, 909 ($43,000 cost to agency to compile responsive public records was not
valid reason to deny CPRA request). “Reasonable
efforts do not require that agencies undertake extraordinarily extensive or
intrusive searches, however. In general,
the scope of an agency’s search for public records ‘need only be reasonably
calculated to locate responsive documents.’” City of San Jose v. Superior
Court, (2017) 2 Cal.5th 608, 627 (citation omitted). The “CPRA does not
prescribe specific methods of searching for those documents and agencies may
develop their own internal policies for conducting searches. Some general principles have emerged, however.
Once an agency receives a CPRA request, it must “‘communicate the scope of the
information requested to the custodians of its records,’ although it need not
use the precise language of the request...” Ibid. (citation omitted).
The right to inspect is subject to certain exemptions, which
are narrowly construed. California
State University, 90 Cal.App.4th at 831.
The exemptions are found in sections 6254 and 6255. In pertinent part, public records exempt from
disclosure include (1) personnel, medical, or similar files, the discovery of
which would constitute an unwarranted invasion of personal privacy (§6254(c)), and
(2) records for which disclosure “is exempted or prohibited pursuant to federal
or state law, including, but not limited to, provisions of the Evidence Code
relating to privilege” (§6254(k)). The
burden of demonstrating that exemptions apply lies with the governmental
entity. §6255.
If the agency determines that the requested records are
subject to disclosure, it must state in the determination “the estimated date
and time when the records will be made available.” Ibid. There is no deadline expressed in
number of days for producing the records. Rather, the agency “shall make the
records promptly available.” §6253(b).
If the agency determines that the requested records are not
subject to disclosure, the agency promptly must notify the person making the
request and provide the reasons for its determination. Ibid. The agency must justify withholding a
responsive record by demonstrating it is exempt or that on the facts of the
case the public interest served by not disclosing the record clearly outweighs
the public interest served by disclosure of the record. §6255(a). The determination that the request is denied
must be made in writing. §6255(b).
A CPRA claim to compel compliance with a public records
request may proceed through either mandamus or declaratory relief. §§6258, 6259. A petition for traditional
mandamus is appropriate in actions “to compel the performance of an act which
the law specially enjoins as a duty resulting from an office, trust, or
station.” CCP §1085. Because the
petitioner may proceed through either mandamus or declaratory relief, the trial
court independently decides whether disclosure is required. See City
of San Jose v. Superior Court, (“City of San Jose”) (1999) 74
Cal.App.4th 1008, 1018 (appellate court independently reviews trial court CPRA
decision). No administrative record is
required, and the parties must submit admissible evidence.
Section 6259(d) provides for reasonable attorney’s fees should
the plaintiff prevail in a CPRA case. An
award of attorney fees pursuant to this subdivision is mandatory if the
plaintiff prevails. Filarsky v.
Superior Court, (2002) 28 Cal.4th 419, 427.
To be deemed the prevailing party, a plaintiff must show that the CPRA
lawsuit was the motivating factor behind the production of documents. Motorola Communication & Electronics,
Inc. v. Agency of General Services, (1997) 55 Cal.App.4th 1340, 1345.
The attorney’s fees provision of the CPRA should be
interpreted in light of the overall remedial purpose of the CPRA to broaden
access to public records. CYAC, supra, 220 Cal.App.4th at 1447. To this end, the purpose of the attorney’s
fees provision is to provide protections and incentives for members of the
public to seek judicial enforcement of the right to inspect public records
subject to disclosure. National
Conference of Black Mayors v. Chico Community Publishing, Inc., (2018)
25 Cal.App.5th 570, 581.
2.
HIPAA
Congress enacted HIPAA
to, among other things, protect the integrity and confidentiality of personal
medical records, and to prevent the unauthorized use or disclosures of such
records. 42
U.S.C. §1320d-2(d)(2); see also South
Carolina Medical Assn. v. Thompson, (4th Cir. 2003) 327 F.3d 346, 348. HIPAA applies to
covered entities, which are health plans, health care clearinghouses, and
health care providers who transmit any health information in electronic form in
connection with applicable transactions.
42 U.S.C. § 1320d-1.
The term “individually
identifiable health information” means any information, including
demographic information collected from an individual, that (A) is created or
received by a health care provider, health plan, employer, or health care
clearinghouse; and (B) relates to the physical or mental condition of an individual,
provision of health care to that individual, or payment for provision of health
care at any point in time – provided that said information (a) identifies the
individual or (b) on a reasonable basis can be used to identify the individual. 42 U.S.C. § 1320d(6)(A)-(6)(B).
The HIPAA privacy rule requires covered entities to maintain
reasonable and appropriate administrative, technical, and physical safeguards
to (1) ensure the integrity and confidentiality of health information; (2)
protect against any reasonably anticipated threats or hazards to the security
or integrity of health information, as well as unauthorized uses or
disclosures; and (3) ensure compliance with HIPAA by officers and
employees. 42 U.S.C. §1320d-2(d)(2).
Congress
charged the Agency of Health and Human Services (“HHS”) to create and adopt
federal regulations to implement HIPAA. Brown
v. Mortensen, (2011) 51 Cal.4th 1052, 1066. These regulations limit the circumstances and to
what extent individually protected personal health information can be disclosed
by covered entities. Id.
at 1066.
If
state law requires disclosure that is not permitted under HIPAA, HIPAA
precludes health care providers from complying with the state
requirements. 45 C.F.R. §160.203.
HIPAA precludes
public disclosure of any private inmate medical information and documentation
for at least 50 years following an individual’s death. 45
C.F.R. §160.113(2)(IV).
D.
Statement of Facts[4]
1.
The Inmate Mortality Review
In
a 2001 class-action lawsuit in federal court alleging that the quality of CDCR’s
inmate medical care violated the Eighth Amendment of the Constitution, the
state settled the suit and agreed to remedies that would rectify the
problems. RJN Ex. 2. When it failed to implement them, in June 2005
the court established a receivership for prison medical care. RJN Ex. 2.
The federal receiver’s supervision of CDCR’s medical care
system is carried out by the Agency. The
federal receiver requires the Agency to review, investigate, and prepare
reports for all inmate deaths. RJN Ex. 1, pp. 2-3. The receiver is responsible for (1)
delivering medical care at adult prison institutions, (2) obtaining specialty
care services in the community for patients at those institutions, (3)
overseeing the 12,219 medical care positions providing such care, and (4) obtaining
temporary relief staff resources to cover staffing vacancies and long-term
absences. RJN Ex. 2.
In
2018, the Agency restructured its death assessment process. RJN Ex. 1.
Any inmate death prompts the prison to generate an initial death report
that then goes to the central headquarters’ mortality review unit staff. RJN Ex. 1.
Within five business days, the prison generates a local death summary submitted
to central headquarters that includes significant clinical events, emergency
medical response, and any identified lapses in care or systemic issues
contributing to the patient’s death. RJN
Ex. 1.
A
physician and nurse reviewer then conduct a review of the patient’s clinical
record dating at least six months prior to death, with discretion to review
older incidents if considered antecedent to the terminal event. RJN Ex. 1. Relevant factors include the
quality of triage and evaluation, timeliness of access to care, the quality of
care for any chronic medical condition, adherence to published evidence-based
care guides and nationally recognized standards of care, responses to all
abnormal laboratory and imaging studies, and the timing and quality of
emergency response. RJN Ex. 1. Potential suicides receive additional review
by the Suicide Prevention and Response Focused Improvement Team. RJN Ex. 1.
Central headquarters’
Mortality Review Committee (“MRC”) reviews the results and determines whether
the death was (1) expected or unexpected, and (2) with or without findings for
opportunities for improvement. RJN Ex.
1. It also identifies any Potential
Quality Issues (“PQI”), which refers to incidents with potential quality
implications that occur outside the prison system with one of the Healthcare
Provider Networks that contract with the state to provide hospital or
specialist care. RJN Ex. 1.
Both the
prison where the death occurred and regional health care leadership receive a
copy of this Final Mortality Report, which is also entered into the Electronic
Health Care Incident Reporting (“eHCIR”) system. RJN Ex. 1.
3.
The 2021 Request
On
September 14, 2021, Cantu submitted a CPRA request to the Agency, requesting copies
of all medical records for individual inmates who died while housed in one of
the California Agency of Corrections and Rehabilitation (“CDCR”) facilities since
January 1, 2019. SAP Ex. A.[5]
On
September 17, 2021, the Agency replied, without denying such information
existed, that the requested information was exempt under HIPAA. SAP Ex. B.
It was also exempt under section 6254(c) as medical files the disclosure
of which would constitute an unwarranted invasion of personal privacy. SAP Ex. B.
The email advised Cantu that he may find the information he needed on
the Agency website where the 2019 death report was published and the 2020
report was expected to be published later.
SAP Ex. B.
4.
The 2022 Request
On
March 9, 2022, after filing the Petition, Cantu submitted a second CPRA request
for the period 2019-2021 for (1) the Initial Death Report for each deceased
inmate generated by the prison where the death occurred (“Req. No. 1”); (2) the
Local Death Summary for each deceased inmate submitted by each prison to Central
Headquarters (“Req. No. 2”); (3) separate case reviews by the Suicide
Prevention and Response Focused Improvement Team for each inmate who committed suicide (“Req. No. 3”); (4) six months of clinic records for
each deceased inmate that was reviewed for the Final Mortality Report (“Req.
No. 4”); and (5) the Final
Mortality Report for each inmate death that was presented to the Headquarters
MEC (“Req. No. 5”). SAP Ex. C.
Cantu limited
the timeframe of each request to the reports prepared for the 2019-2021
Analyses of CCHCH Inmate Mortality Reviews.
SAP Ex. C. The request also asked
that the Agency not respond by telling Cantu to refer to those reports because
he was interested in the underlying records of each death. SAP Ex. C.
To the extent that redactions were necessary, Cantu invoked his right
under section 6253(a) to have a reasonably segregable portion of a record post-redaction
available for review. SAP Ex. C.
On March 18, 2022, the
Agency replied that information responsive to all five requests was not
disclosable under HIPAA, sections 6254(c) and 6254(k), and 45 C.F.R. sections
164.502(f) and 164.502(g). SAP Ex.
D. In the case of Req. No. 3, a
protective order issued in July 29, 1992 also required that the information
remain confidential. SAP Ex. D. To
comply with these laws and regulations, the Agency asserted that it had to
redact (1) any dates related to the time of death; (2) location of the death;
(3) cause of death; (4) physical description; (5) past and current health
conditions; (6) medications; (7) family history; and (8) patient movement. SAP Ex. D.
Cantu
received redacted samples of documents responsive to Request Nos. 1-3 and 5,
which were of little use to him. SAP Ex.
E-H. The only information not redacted
from the Final Mortality Report was the time of death, the date the review
closed, and the date that the medical and nurse executives accepted the
report. Ex. E. The only portion of the Local Death Summary
that remained unredacted was whether the physician discovered major system
issues that contributed to the patient’s death and whether expedited review was
necessary. SAP Ex. H.
E.
Analysis
Petitioner Cantu seeks mandamus compelling the Agency to
produce redacted medical reports and records.[6] It is undisputed that the records sought by
Cantu are public records under the CPRA and that the Agency has them.
1. HIPAA’s Requirements
Cantu notes (Pet. Op.
Br. at 11) that HIPAA is a federal law that generally prohibits covered
entities from disclosing a patient’s medical records containing personally identifiable
information about the patient to anyone other than a patient and the patient’s
authorized representatives. However,
“[h]ealth information that does not identify an individual and with respect to
which there is no reasonable basis to believe that the information can be used
to identify an individual is not individually identifiable health information.”
45 CFR §164.514(a). In other words, “de-identified records” are not governed by
HIPAA and may be disclosed without violating the statute.
Pursuant to 45 CFR section 164.514(b)(2)’s
safe harbor, a covered entity may determine that health information is not
individually identifiable health information only if:
“(i) The following
identifiers of the individual or of relatives, employers, or household members
of the individual, are removed:
(A) Names;
(B) All geographic
subdivisions smaller than a State, including street address, city, county,
precinct, zip code, and their equivalent geocodes, except for the initial three
digits of a zip code if, according to the current publicly available data from
the Bureau of the Census:
(1) The geographic unit formed by
combining all zip codes with the same three initial digits contains more than
20,000 people; and
(2) The initial three digits of a
zip code for all such geographic units containing 20,000 or fewer people is
changed to 000.
(C) All elements of
dates (except year) for dates directly related to an individual, including
birth date, admission date, discharge date, date of death; and all ages over 89
and all elements of dates (including year) indicative of such age, except that
such ages and elements may be aggregated into a single category of age 90 or
older;
(D) Telephone
numbers;
(E) Fax numbers;
(F) Electronic mail
addresses;
(G) Social security
numbers;
(H) Medical record numbers;
(I) Health plan
beneficiary numbers;
(J) Account
numbers;
(K)
Certificate/license numbers;
(L) Vehicle
identifiers and serial numbers, including license plate numbers;
(M) Device
identifiers and serial numbers;
(N) Web Universal
Resource Locators (URLs);
(O) Internet
Protocol (IP) address numbers;
(P) Biometric
identifiers, including finger and voice prints;
(Q) Full face
photographic images and any comparable images; and
(R) Any other
unique identifying number, characteristic, or code, except as permitted by
paragraph (c) of this section; and
(ii) The covered
entity does not have actual knowledge that the information could be used
alone or in combination with other information to identify an individual who is
a subject of the information.” (emphasis
added). Pet. Op. Br. at 11-13.
HIPAA permits disclosure of patient medical records where
the information has been redacted under the safe harbor de-identification
provision. “Once medical records have
been appropriately redacted and de-identified, patient privacy concerns
dissipate and HIPAA poses no obstacle to the production of the redacted records.”
Roth v. Sunrise Senior Living
Management, Inc., (E.D. Pa.) 2012 WL 748401 at *2 (disclosure of medical
records of other party to incident at assisted living facility); Miller v.
Allstate Fire & Cas. Ins. Co., (W.D. Pa. Mar. 17, 2009) 2009 WL 700142,
at *4 (submission of redacted patient documents
“would obviate any of the patient privacy interests potentially at stake”).
The HHS “Guidance Regarding Methods for De-Identification of
Protected Health Information in Accordance with the HIPAA Privacy Rule”[7]
states that “actual knowledge means clear and direct knowledge that the
remaining information could be used, either alone or in combination with other
information, to identify an individual who is subject of the information.” §3.6. The
Guidance gives some examples of a redacted record that could lead to
re-identification of an individual patient, such as record that lists the
patient as the “former president of the State University.” Id., Example
1. In that example, HHS recommends
redacting the “occupation” field from the record to avoid re-identification –
and then releasing the record. Id.
The Guidance also instructs that a
covered entity may not claim “actual knowledge” of re-identification by citing
studies about re-identification, nor may it redact “all personal names, such as
physician names,” unless it can meet the “actual knowledge specification.” §§ 3.7-3.8.
HIPAA generally preempts state laws regarding privacy. “A standard, requirement, or implementation
specification adopted under this subchapter that is contrary to a provision of
State law preempts the provision of State law[.]” 45 CFR §160.203. “[T]he States' [doctor-patient] privilege laws pose no obstacle to the
discovery of the medical records, provided the records are de-identified”. In re Zyprexa Products Liability
Litigation, (E.D.N.Y. 2008) 254 F.R.D. 50, 52. “Even assuming
that state privilege laws afford greater protection” to patient records, “de-identified
health information is not protected under HIPAA, and...to the extent state
privilege laws offer protection to de-identified medical records, HIPAA
preempts those laws.” Id. at 54.
HIPAA’s supersession clause means that the Agency is not
permitted to withhold de-identified records compliant with HIPAA when they are sought
under the CPRA based on the privacy protections of the California Constitution,
section 6254(c) and (k), or Civil Code sections 1798.3(a) and 1798.24. The Agency is required to disclose redacted,
de-identified copies of prisoner medical records for individual deceased
prisoners and related individual prisoner death reports as permitted by 45 CFR section
64.514(b)(2), and such a disclosure does not violate HIPAA or state privacy
laws.
2. The Agency Must Produce the Redacted Records and
Reports
Cantu contends that the Agency is required to produce the
records requested in his First and Second CPRA Requests with only those
redactions required by the safe harbor of 45 CFR section 64.514(b)(2). The First CPRA Request sought individual
inmate medical records and the Second CPRA Request sought the following reports
for the calendars years 2019, 2021, and 2022: (1) Initial Death
Reports for deceased inmates generated by the prison where the inmate death
occurred; (2) the Local Death Summary for each deceased inmate submitted by the
prison to Central Headquarters; (3) the separate case reviews by the Suicide
Prevention and Response Focused Improvement Team for each inmate who died by
suicide; (4) six months of clinical records for each deceased prisoner reviewed
by a review team; and (5) Final Mortality Reports for each inmate death that
were presented to the HQ Mortality Review Committee. Pet. Op. Br. at 13-14.
In performing the redactions, Cantu argues that the Agency
should not redact the following information from the medical records and
reports: (a) the cause of death for each inmate; (b) the listing of the
inmate’s death as falling into one of four categories: expected or unexpected
death, with or without findings for opportunity(ies) for improvement
(“Opportunities for Improvement(OFI)”); (c) “Potential Quality Issues (PQI)”
for each inmate’s death for incidents with potential quality implication that
occurred outside the Agency prison system in one of the Healthcare Provider
Networks that contract with the state to provide hospital care or specialist
care; (d) the first three letters of the zip code where each inmate died if the
geographic unit formed by combining all zip codes with the same three initial
digits contains more than 20,000 people; (e) the year of each deceased inmate’s
birth, admission to a hospital facility, discharge from the hospital facility,
death; and all ages over 89 and all elements of dates (including year)
indicative of such age, except that such ages and elements may be aggregated
into a single category of age 90 or older; (f) the pre-existing medical
conditions for each deceased inmate; (g) the cause of death of for each
deceased inmate; (h) reports assessing any problem or failings by the Agency
that may have contributed to each deceased inmate’s death and any general
problems or failings by the Agency contributing to inmate deaths; and (i) reports
discussing proposed changes to medical care provided to inmates to prevent
further deaths. Pet. Op. Br. at 15.
The Agency notes that Cantu does not dispute that the records and reports he
seeks contain private inmate medical information. HIPAA
protects the unlawful disclosure of private medical information (42
U.S.C. § 1320d-2(d)(2)), and expressly precludes
the Agency from disclosing inmate medical records, reports, and information for
at least 50 years after the inmate’s date of death. See
45 C.F.R. §160.103(2)(IV). The
Agency contends that it has a mandatory duty to prohibit, not provide,
disclosure of the medical records and reports. The Agency, as the custodian of private inmate
medical records, may not waive the privacy rights of inmates and has a duty “to
resist attempts at unauthorized disclosure and the person who is the subject of
the record is entitled to expect that his right will be thus asserted.” See
Westbrook v. County of Los Angeles, (1994) 27 Cal.App.4th 157, 166 (citation omitted). Opp. at 9.
The Agency admits that under HIPAA medical records that have
been redacted to remove any and all private personally identifying information
no longer contain private, protected information and thus may be subject to
disclosure. 45 C.F.R. §164.514(a). But this redaction process (“de-identification”)
is not simple. The regulations require
the Agency to engage in a complex discretionary analysis of what information is
personally identifiable private medical information, as well as what
information could be identifiable information when combined or cross-referenced
with other information. 45
C.F.R. §164.514(b)(2); see also 42
U.S.C. §1320d(6)(B) (information
protected under HIPAA includes that “which identifies the individual or with
respect to which there is a reasonable basis to believe that the information
can be used to identify the individual).
Opp. at 11.
The concept of de-identification is so complicated that HHS,
which developed and enforces HIPAA regulations, maintains a website about the de-identification
of personally identifying information.
As explained by HHS, protected information includes information that “identifies the individual or for which there
is a reasonable basis to believe can be used to identify the individual.” Guidance.
Personal identifying information includes “many common identifiers (e.g.,
name, address, birth date, Social Security Number) when they can be associated
with the health information listed above.”
Ibid. Even seemingly de-identified information may
become personally identifiable information that is prohibited from disclosure
when combined or cross-referenced with other information, including other
deidentified information. Guidance. Private and confidential information, even if
de-identified, cannot be viewed in isolation.
Rather, the health care provider must consider the totality of the
information disclosed to determine if it reveals a person’s private medical
information and if so, disclosure is prohibited. Ibid. Opp. at 12.
The Agency contends that Cantu ignores the complexities of
de-identification. He lists the
categories of information that are absolutely protected from disclosure and are
subject to de-identification under HIPAA.
Then he lists, without support, information that he contends is not
personally identifiable information and must remain unredacted. But Cantu’s overly simplistic
argument fails to consider HIPAA’s goal of protecting personally
identifying information and neglects the discretionary analysis the Agency must
perform. Opp. at 12-13.
The Agency argues that Cantu’s contention that it must
provide redacted documentation based on criteria established by him and not by
law is improper because the Agency’s redaction of its medical records and
reports to remove personally identifiable information requires it to exercise
its discretion. Mandate is not proper to
control the Agency’s discretion to redact personally identifiable information
from inmate medical records. Mandate does
not lie to control how the agent exercises that discretion “unless under the
facts, discretion can be exercised in only one way.” Pacific Bell v. California State &
Consumer Services Agency, (1990) 225 Cal.App.3d 107, 118. Opp.
at 5-6, 10-11.
The Agency concludes that it has the professional knowledge,
experience, and discretion to decide not only what information is identifiable
information, but also the combination of de-identifiable that must be redacted to
prevent re-identifying the inmates it is obligated to protect. The Agency properly exercised its discretion and
came to a reasonable conclusion that the private and confidential information
cannot be disclosed, even with de-identification. Although reasonable minds could differ, no
showing has been made that the Agency failed to exercise a mandatory duty to
disclose unredacted private inmate medical records and reports, or that it
abused its discretion in deciding what information must be redacted. Opp. at 13-14.
A writ of traditional mandate is used to compel the
performance of a legal, ministerial duty.
Pomona Police Officers’ Assn. v. City of Pomona, (1997) 58
Cal.App.4th 578, 583-84. An
act is ministerial if a public officer is required to perform it in a prescribed
manner in obedience to legal authority and without regard to the officer’s own
judgment or opinion concerning the propriety of the act. “Discretion” is the power conferred on public
officials to act according to the dictates of their own judgment. Lockyer v. City & County of San
Francisco, (2004) 33 Cal.4th 1055, 1082 (local official had
ministerial duty to follow state marriage statute and could not refuse to do so
based on opinion the statute is unconstitutional). Even if an agency has discretion, it can be
compelled to exercise it. Los Angeles
County Employees Assn. v. County of Los Angeles, supra, 33
Cal.App.3d 1, 8; California Ass’n of Sanitation Agencies v. State Water
Resources Control Board, (2012) 208 Cal.App.4th 1438, 1462-63 (water
board could be compelled to initiate changes to basin plan that was manifestly inaccurate).
The Agency has a
mandatory duty to disclose public records.
The Agency has no discretion to decide
whether to redact the records to remove information protected by HIPAA. The CPRA requires disclosure of public
records with redactions when necessary. §6253(a).
The CPRA does not permit a government
agency to exercise its discretion to decide whether to release a public record.
“[A]ll public records are subject to
disclosure unless the Legislature has expressly provided to the contrary.” Williams v. Superior Court, (1993) 5
Cal.4th 337, 346; American Civil Liberties Union Foundation v. Superior
Court, (“ACLU”) (2017) 3 Cal.5th 1032, 1038-39.
The Agency also has a
mandatory duty to produce redacted records where redaction is necessary. When a portion of a document is exempt from disclosure under the CPRA,
section 6253(a) requires the government agency to
redact that portion and disclose the rest: “Any reasonably segregable
portion of a record shall be available for inspection by any person
requesting the record after deletion of the portions that are exempted by
law.” §6253(a) (emphasis
added). “[A] public agency remains …
obligated to redact exempt information from a nonexempt record when the exempt
and nonexempt materials are not inextricably intertwined’ and are ‘otherwise
reasonably segregable.’” Becerra v. Superior Court, (2020) 44 Cal. App.
5th 897, 918, 929 (citing ACLU, supra, 32 Cal.3d at 453 n. 13). Redaction or “segregation is required
to serve the objective of the [Act] to make public records available for public
inspection and copying unless a particular statute makes them exempt” in their
entirety. Id. at 453, n. 13
(emphasis added).
Thus, the Agency has a mandatory, ministerial
duty to produce redacted inmate medical records and reports requested by Cantu
and has no discretion not to do so. HIPAA
and its federal regulations do not bar disclosure when disclosure is required
by other laws, including the CPRA, if patient records are redacted to
de-identify individual patients. The CPRA requires the Agency to disclose the
records and HIPAA requires the Agency to de-identify those records before
disclosure.
The Agency’s ministerial duty to provide the redacted inmate
medical records is little different than an agency’s duty to redact privacy or
other privileged information in other CPRA cases. The Agency may have to make a decision about
what information to redact, but the ministerial duty to produce redacted
records remains. The Agency does not
have any discretion on the issue. If the
Agency fails to do so properly, either Cantu or some representative of the
deceased inmate’s estate theoretically could compel the correct redaction. The Agency cites no statute or case
indicating that it has discretion to ignore the CPRA’s mandatory disclosure of
non-exempt records.
The Agency’s argument that it has applied its professional
knowledge, experience, and discretion to reasonably conclude that the private
and confidential information cannot be disclosed, even with de-identification,
is a blanket position unsupported by any evidence or rationale. Apparently, the Agency is relying on (a) its September
17, 2021 reply to Cantu’s First CPRA Request for inmate medical records that
the records simply are exempt, and (b) its March 18, 2022 reply to Cantu’s
Second CPRA Request for reports on inmate deaths by providing a sample Final
Mortality Report in which everything was redacted except the time of death, the
date the review closed, and the date that the medical and nurse executives
accepted the report (Ex. E) and a sample Local Death Summary in which everything
was redacted except whether the physician discovered major system issues that
contributed to the patient’s death and whether expedited review was
necessary. (Ex. H).
The Agency cannot take a blanket position
that it cannot redact inmate medical records and medical reports based on speculation
that some deceased prisoners might be re-identified; it must produce redacted
records and reports for each inmate unless it has actual knowledge that the
inmate could be identified. See 45
CFR §64.514(b)(2)(ii). That would
require the Agency’s review of each inmate medical record or report and a
conclusion that it has actual knowledge that the inmate can be identified no
matter what the redaction is made. The
same concept is true for medical reports.
This is where the safe harbor of 45 CFR §64.514(b)(2) comes
into play. The Agency is not obligated
to follow the safe harbor of 45 CFR section 64.514(b)(2), but it can do so
without fear of being second guessed.
Under the plain terms of section 45 CFR section 64.514(b)(2)(ii), the
Agency cannot rely on the listed information as the sole redactions if it has actual
knowledge that the information could be used alone or in combination with
other information to identify the inmate.
But this does not mean some hypothetical possibility that someone could piece
together other publicly available prison records to identify a deceased inmate. The term “actual knowledge” is not defined in
45 CFR section 64.514(b)(2)(ii), but there must be a realistic prospect that
the information can be used to identify the inmate. It seems very unlikely that this could occur
if the safe harbor is followed.
In sum, it is plain from the evidence that the Agency has
overreacted and lacks actual knowledge that any specific inmate patient will be
re-identified based on the release of de-identified records. The Agency is not required to follow Cantu’s
direction of what must remain for the redaction (Pet. Op. Br. at 15), but it
should follow the safe harbor and then review the records to ascertain if there
is any realistic possibility of identification of the deceased inmate from the
redacted record in combination with other realistically available information.
3.
The Case Law
The Agency relies on Menefield
v. Foreman, (“Menefield”) (2014) 231 Cal.App.4th 211, as
instructive. There, an inmate challenged
CDCR’s decision to cancel an administrative appeal concerning security for and
access to the prison chapel. Id.
at 215. A prison official screened the
appeal, found it to be duplicative of a previous appeal, and cancelled it. Id.
at 216. The court ruled that 15
section 3084.5(b) required CDCR to screen all inmate administrative appeals,
but that it gave a prison appeals coordinator discretion to determine whether an
appeal is duplicative. Id.
at 217-18. Although reasonable
minds could differ whether Menefield’s second appeal was duplicative, CDCR was
entitled to exercise its discretion. Id.
at 219. Despite the factual differences
in the two inmate appeals, CDCR did not abuse its discretion in concluding that
the second appeal was duplicative of the first.
Id.
at 219-20. Opp. at 13.
The Agency argues that Cantu advances the same rationale
rejected in Menefield by contending that the Agency abuses
its discretion in deciding what information needs to be redacted. De-identification under HIPAA contemplates the
Agency’s exercise of discretion when determining the identifiable health
information and the information that needs to be redacted to protect the
individual’s right to privacy. 42
U.S.C. §1320d(6)(B); 45
C.F.R. §164.514(b). This is echoed by HHS’s Guidance, which explains
that information that may be de-identifiable in a vacuum can be
protected personal identification information when combined or cross-referenced
with other information. Like Menefield, while reasonable minds could
differ, no showing has been made that the Agency failed to exercise a mandatory
duty to disclose unredacted private inmate medical records and reports, or that
it abused its discretion in deciding what information must be redacted. Opp. at 13-14.
Menefield is inapposite. There, the court interpretated a regulation
to permit CDCR to exercise its discretion whether to cancel an inmate appeal as
duplicative. Minefield did not involve a statute
that imposed a clear and ministerial mandatory duty to produce redacted
documents, detailed regulations that spell out how de-identification can be
done in a safe harbor and that require the agency to have actual knowledge that
the subject can be identified before concluding that a redaction is unworkable,
and a guidance document providing examples.
As Cantu notes (Reply at 4), other jurisdictions have held
that where a state public records law requires disclosure of the requested
records and HIPAA regulations permit disclosure, the state agency is required
to release health records in compliance with both. See Abbott v. Texas Dept. Of Mental
Health, (“Abbott”) (2006) 212 S.W.3d 648, 650; State ex. rel.
Cincinnati Enquirer v. Daniels, (“Daniels”) (2006) 844 N.E.2d 1181.
In Abbott, a journalist made a request under the
Texas Public Records Act for statistical information about reports of abuse and
investigations in state mental hospitals, including the corresponding name of
the facility where each allegation was made. 212 S.W.3d at 651. The Texas Agency of Mental Health and Mental
Retardation released a statistical report showing abuse allegations and
subsequent investigations but argued that HIPAA barred it from releasing the
names of the facilities because such information was “individually identifiable
health information.” Id. at 652. The Texas Court of Appeals rejected this “circular
logic.” Id. at 662. The court
held that where “a request is made under authority of a statute that requires
disclosure” such as the Texas Public Information Act, “the agency must disclose
the information” because HIPAA and related federal regulations, known
collectively as the Privacy Rule, permit such disclosure. Id. at 662.
The Texas Court of Appeals noted that the Privacy Rule “permits
disclosure of protected health information if required by law, as long as the
disclosure comports with the requirements of that law.” Id. at 664. The Texas Public Information Act requires
disclosure of public information unless an exception applies and none does here. Id.
at 664. If the information is patient information, the state agency
“must release the information if potential identifiers are redacted” pursuant
to 45 C.F.R. section 164.512(a) and 164.514. Id. at 662.
Similarly, in Daniels, the Ohio Supreme Court held
that a city health department was required to disclose its lead-contamination
notices under the state public records act even if the records contained
protected health information under HIPAA. 844 N.E.2d at 1186-88. The court held that the
“requested …. reports [are] subject to disclosure under the ‘required by law’
exception to the HIPAA privacy rule because the Ohio Public Records Law ….
requires disclosure of these reports, and federal law, HIPAA, does not
supersede state disclosure requirements.” Id. at 1188.
As Cantu argues, these cases support the conclusion that the
Agency is required to provide the records to Cantú under the CPRA and the
“required by law” exemption in 45 C.F.R. section 164.512(a), while adhering to
the safe harbor de-identification regulations in 45 C.F.R. section 164.514(a),
(b)(2). Reply at 5.
4. The District Court’s Protective Order
(i). The Protective Order Has No Bearing on the
Agency’s CPRA Duties
The Agency contends that it cannot disclose the “separate
case reviews by the Suicide Prevention and Response Focused Improvement Team
for each inmate who died by suicide for preparation of … 2019-2021 Reports”
because those records are confidential under a protective order issued by the federal
district court overseeing the receivership of the CDCR in Coleman v. Newsom.
FAP,
¶14, Ex. D, p. 24. Pet.
Op. Br. at 15.
This is incorrect. The federal court’s protective order in Coleman
does not govern the Agency’s duty under the CPRA, or this court’s decision
whether the records must be disclosed. A
person requesting records under the CPRA is not governed by the rules of civil
discovery (Wilder v. Superior Court, (1998) 66 Cal.App.4th 77, 79-80)
and “the Federal Rules of Civil Procedure do not act as an automatic bar of a
litigant’s rights to obtain or seek documents under a [state] public record
access statute.” Mid-Atlantic
Recycling Technologies, Inc. v. City of Vineland, (D. N.J. 2004) 222 F.R.D.
81, 86. Pet. Op. Br. at 15.
(ii). The Filing Pursuant to Protective Order Is Not a
Release to the Public
Cantu
notes that government agencies
are not permitted to release a public record to a member of the public,
business entity, or place it into the public record, and then deny disclosure
to another requester. §6254.5; Black
Panther v. Kehoe, Black Panther Party v. Kehoe, (1974) 42 Cal. App.
3d 645, 656-57 (CPRA does not permit selective disclosure). He argues that, to the extent the Agency has
disclosed any of the requested records about inmate deaths in a public court
record, the Agency is required to provide those reports to him. Pet. Op. Br. at 10; Reply at 7-8.
The
Agency initially responds that Cantu never raised this argument in his Petition
but cites to no requirement that Cantu was required to do so. See Opp. at 14. The Agency also argues that Cantu has the burden
to prove his claim and has not identified any public disclosure it made. Opp. at 14.
This argument carries has more validity.
Cantu makes no showing that the Agency publicly filed any pertinent documents
in Coleman. However, the Agency
admits that it confidentially filed documents in Coleman, stating that
it did so pursuant to a protective order controlling the identification, use,
and dissemination of the records.
Accordingly, these records have not been publicly disclosed. Opp. at 14.
Cantu has
not shown that the Agency waived any privacy rights for medical records and reports
filed pursuant to a protective order in Coleman.
F.
Conclusion
The SAP is granted. A
writ shall issue compelling the Agency to review and redact each medical record
and report sought by Cantu and redact them according to HIPAA. The Agency is not required to follow Cantu’s
direction of what must remain for the redaction, but it should follow the safe
harbor and then review the records to ascertain if there is any realistic
possibility of identification of the deceased inmate from the redacted record or
report in combination with other realistically available information.
Petitioner Cantu’s counsel is ordered to prepare a proposed
judgment and writ of mandate, serve them on the Agency’s counsel for approval
as to form, wait ten days after service for any objections, meet and confer if
there are objections, and then submit the proposed judgment and writ along with
a declaration stating the existence/non-existence of any unresolved
objections. An OSC re: judgment is set
for September 20, 2022 at 1:30 p.m.
[1] The
parties cite various federal statutes, regulations, and case law in their
briefs. For future reference, their
counsel would be wise to provide hard copies of federal authority. See CRC 3.1113(i).
[2] The Agency
contends that the court never signed the stipulated order (Opp. at 8, n. 2),
but the court file shows that it was signed on May 24, 2022.
[4] Petitioner
Cantu requests judicial notice (1) the Analysis of 2020 Agency Inmate Mortality
Reviews (“2020 Inmate Mortality Report”) dated December 12, 2020 and posted on
the Agency website (RJN Ex. 1); (2) Agency Receiver Fact Sheet, last updated
December 2020 (RJN Ex. 2); (3) “Tracking the Coronavirus in California State
Prisons,” an article published in the Los Angeles Times (RJN Ex. 3); (4)
“Incarcerated and Infected: How the Virus Tore Through the U.S. Prison System,”
an article published in the New York Times (RJN Ex. 4); (5) “Legislators Seek Ouster
of Receiver After San Quentin Covid-19 Outbreak” an article from the Los
Angeles Daily Journal (RJN Ex. 5); (6) “Prisons and Jails Have Become a ‘Public
Health Threat’ During the Pandemic, Advocates Say” an article from the
Washington Post (RJN Ex. 6); and (7) “California Prisons Ignored Warning Before
Covid Outbreaks” an article from the Angeles Times (RJN Ex. 7).
The requests are granted for Exs. 1, 2. Evid. Code §452(c). While the existence of the remaining exhibits
(Exs. 3-7) could be judicially noticed, Cantu offers them for the truth of
their contents which is impermissible. A
court may not take judicial notice of the truth of the findings in a court
document. Sosinsky v. Grant,
(1992) 6 Cal.App.4th 1548, 1551 (court may not judicially notice truth of court
document). The requests are denied.
[5] Cantu
relies on his verified SAP as evidence.
The Agency does not dispute his right to do so.
[6] The
Agency contends that Cantu waived his declaratory relief claim because he
failed to address it. Even if not
waived, the declaratory relief claim is “wholly derivative” of the mandate
claim. Ball v. FleetBoston Financial Corp., (2008) 164
Cal.App.4th 794, 800. Opp. at 15-16. Cantu responds that the CPRA (§6258)
expressly authorizes him to seek either mandamus or declaratory relief. Reply at 8.
This is true, but both his claims seek the same relief; there is no
reason to distinguish them.
[7]https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html
(July 22, 2022).