Ezel / AG Opinions / DE
DE 19-IB32 2019-06-24

Can a Delaware family member get the public-health investigation file on a disease outbreak at an assisted-living facility?

Short answer: No. Delaware DPH properly withheld the full investigation file on a GI outbreak at Brandywine Assisted Living at Fenwick Island under FOIA's medical-files exemption (29 Del. C. § 10002(l)(1)) and the statutory-prohibition exemption (§ 10002(l)(6)), which incorporated HIPAA and 16 Del. C. § 1210. Because the outbreak's small size made re-identification likely, DPH did not have to create a stripped-down report.
Currency note: this opinion is from 2019
Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: This is an official Delaware Attorney General opinion. AG opinions are persuasive authority but not binding precedent. This summary is for informational purposes only and is not legal advice. Consult a licensed Delaware attorney for advice on your specific situation.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official AG opinion. The original opinion (linked at the bottom of this page, or PDF in the sidebar) is the authoritative source for any reliance.
View original AG opinion (PDF)

Official title

19-IB32 6/24/2019 FOIA Opinion Letter to Dr. Edward Montz re: FOIA Complaint Concerning the Delaware Department of Health and Social Services

Plain-English summary

Edward Montz, whose parents lived at Brandywine Assisted Living at Fenwick Island, asked the Division of Public Health for "any and all" records, notes, emails, lab tests, and environmental tests related to the facility's gastrointestinal disease cluster in spring 2019. DPH refused, citing two exemptions: the medical files privacy exemption at 29 Del. C. § 10002(l)(1), and the statutory-prohibition exemption at § 10002(l)(6), which DPH backed up by reference to HIPAA and Delaware's protected health information statute, 16 Del. C. § 1210.

Montz argued that disease cluster investigations are routinely publicized without compromising privacy, that DPH had previously released a 2017 inspection report on the same facility, and that even with heavy redactions some non-medical content (the name of the bacteria, the source, the cleanup steps) should remain. The AG was unpersuaded. DPH demonstrated that the small size of the outbreak created a "reasonable basis" under 16 Del. C. § 1210 to believe redacted records could still be reconstructed to identify individuals. The 2017 report came from a different DHSS division (Health Care Quality) that is not a HIPAA Covered Entity. FOIA does not require an agency to create a new document, including a sanitized aggregate report. And the AG limits its review to whether the public body provided sufficient reasons for withholding, not to a record-by-record look.

Currency note

This opinion was issued in 2019. Subsequent statutory amendments, court decisions, or later AG opinions may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.

Common questions

What is HIPAA's "Covered Entity" status doing in a state FOIA opinion?

The federal HIPAA Privacy Rule applies to "Covered Entities," which include health plans, health care providers, and certain agencies that perform health-care functions. DPH operates infectious disease epidemiology functions and was treated as a Covered Entity. That status, plus 16 Del. C. § 1210, made disclosure of protected health information unlawful, which in turn fed into FOIA's § 10002(l)(6) statutory-prohibition exemption.

What did 16 Del. C. § 1210 require?

The statute defined protected information broadly enough to include data "about which there is a reasonable basis to believe such information could be utilized (either alone or with other information that is or should reasonably be known to be available to predictable recipients of such information) to reveal the identity of that individual." Small outbreak populations make this reidentification risk concrete: a community member or family caregiver can often combine an outbreak date, a symptom, and a facility location to figure out who someone is.

Why couldn't DPH just publish a redacted summary like the 2017 report?

Two reasons. First, the 2017 report came from a different DHSS division (Division of Health Care Quality), which DPH represented is not a HIPAA Covered Entity. Second, FOIA does not require an agency to create new documents. If a sanitized aggregate report does not already exist in DPH's files, the requester cannot use FOIA to compel DPH to write one.

Does this mean the public is locked out of all infectious-disease cluster information in Delaware?

The opinion is narrower than that. DPH's published surveillance reports, news releases, and aggregate epidemiology summaries are routinely produced and remain available. What FOIA cannot do is reach into the working investigation file when the population is small enough that even redacted data would reasonably re-identify people.

What is the public body's burden of proof in a Delaware FOIA case?

Under § 10005(c), the public body bears the burden of justifying its denial. This Office accepts factual representations from the public body's counsel under the Delaware Rules of Professional Conduct. The AG does not run an independent in-camera review of withheld records, but tests whether the stated reasons would justify withholding if accurate.

Background and statutory framework

The Brandywine Assisted Living facility had a known cluster of gastrointestinal illness traced to spring 2019. DPH operates within the Department of Health and Social Services and includes the Office of Infectious Disease Epidemiology, which DPH represented falls within the HIPAA Covered Entity definition.

Two FOIA exemptions did the work. Section 10002(l)(1) excludes medical files where disclosure "would constitute an invasion of personal privacy." Section 10002(l)(6) sweeps in records made confidential by other statutes, here HIPAA's Privacy Rule and 16 Del. C. § 1210. The "reasonable basis" language in § 1210 is key: the statute does not require certainty of reidentification, only a reasonable basis to believe it could happen with predictably available information.

The "no duty to create" line of authority (cited as 18-IB34 here) is now consistent across Delaware AG opinions: the petition mechanism cannot conscript an agency into building reports, charts, or summaries that do not already exist. The "no duty to investigate withholding" rule from 18-IB04 frames the AG's role: the question is whether the agency "provided sufficient reasons for withholding the redacted information to satisfy its burden of proof," not whether the AG itself agrees with each line of the records.

Citations

  • 29 Del. C. § 10002(l)(1) (medical files)
  • 29 Del. C. § 10002(l)(6) (statutory prohibition)
  • 29 Del. C. § 10005(c) (burden of proof)
  • 16 Del. C. § 1210 (protected health information)
  • HIPAA Privacy Rule (federal)
  • Del. Op. Att'y Gen. 18-IB34, 2018 WL 3947262 (July 20, 2018)
  • Del. Op. Att'y Gen. 18-IB04, 2018 WL 1061272 (Jan. 23, 2018)
  • Del. Op. Att'y Gen. 15-IB14, 2015 WL 9701645 (Dec. 29, 2015)

Source

Original opinion text

PRINT VERSION: Attorney General Opinion No. 19-IB32

OFFICE OF THE ATTORNEY GENERAL OF THE STATE OF DELAWARE

Attorney General Opinion No. 19-IB32

June 24, 2019

VIA EMAIL

Edward Montz, Jr., Ph.D.

[email protected]

RE: FOIA Petition Regarding the Delaware Department of Health and Social Services

Dear Dr. Montz:

We write in response to your correspondence alleging that the Delaware Department of Health and Social Services ("DHSS") violated the Delaware Freedom of Information Act, 29 Del. C. §§ 10001-10007 ("FOIA") with regard to your records request. We treat your correspondence as a Petition for a determination pursuant to 29 Del. C. § 10005(e) regarding whether a violation of FOIA has occurred or is about to occur. For the reasons set forth below, it is our determination that DHSS has not violated FOIA as alleged.

BACKGROUND

On April 17, 2019, you submitted a request to the Division of Public Health ("DPH") of DHSS for records pertaining to an outbreak of infectious disease at the assisted living facility, Brandywine Assisted Living at Fenwick Island. DPH is subject to the federal Health Information Portability and Accountability Act ("HIPAA") and is considered a "HIPAA Covered Entity," meaning that DPH must comply with HIPAA regulations for all of its programs, including the Office of Infectious Disease Epidemiology. Your FOIA request sought the following records:

Blanket request for any and all records, notes, documents, phone logs, emails, lab tests, environmental tests and any other materials related to the Brandywine Assisted Living at Fenwick Island GI cluster. Please consider this as a request for any similar materials currently being prepared or planned for future preparation, at such time as these materials are completed. The timeframe of the cluster is early March to the present time. I cannot be more specific in my request because I do not know the extent of the State's involvement in this matter and am relying on the State to fully disclose all requested/related materials. Please consider this a request for information from ALL DHSS departments and personnel involved in this outbreak.

After extending the time for their response on May 9, 2019 and again on May 24, 2019, DPH denied your request, citing two exemptions from the definition of "public record." DPH cited 29 Del. C. § 10002(l)(1), which exempts medical files, the disclosure of which would constitute an invasion of personal privacy, and 29 Del. C. § 10002(l)(6), which exempts information protected from disclosure by statute. In support of the latter exemption, DPH cited the HIPAA and 16 Del. C. § 1210, which defines and prohibits the disclosure of protected health information, except in limited designated circumstances. This Petition followed.

The Petition alleges two overall issues: 1) that "this is not a legitimate denial;" and 2) that "[you] have little confidence that a proper cleanup of the facility was performed so that threats to the residents and the public exist even today." Specifically, you argue that disease cluster investigations can be made public without compromising privacy and that while another DHSS division issued an inspection report on the same facility in 2017, DPH and no other division of DHSS responded to your FOIA request. You also question how DPH can rely on the privacy exemption when it was able to release this 2017 report containing information from medical files. Finally, you submitted a list of questions to clarify your initial request, explaining you never intended to request "personal information," but instead sought "procedures and regulatory actions taken against the facility." Finally, citing to your numerous stakeholder interests, you "request that DHSS be ordered to release the material immediately . . . ."

DHSS's counsel responded to the Petition on DPH's behalf on June 7, 2019 ("Response"). DPH contends that it was the only respondent because no other division in DHSS has responsive records and that as a HIPAA Covered Entity, it must protect extensive identifying data, including patients' residences and dates of an outbreak, and would thus have to redact the documents it has so heavily that they would be "meaningless." DPH further argued that the number of individuals in the outbreak created a "reasonable basis" to believe that the data requested could be used to identify those individuals, and there was no applicable exemption to provide the information under Delaware's privacy law. In response to your assertion that a report was previously published regarding another outbreak, DPH notes that the division publishing that report, the Division of Health Care Quality, is not a HIPAA Covered Entity. DPH argues that its records are exempt from disclosure by 29 Del. C. § 10002(l)(1), which exempts medical files which constitute an invasion of personal privacy. Finally, DPH notes that you have spoken with staff on several occasions about this matter and DPH is willing to speak again about your concerns; additionally, your parents' medical records would be available to you as a power of attorney.

In your reply submitted on June 12, 2019 ("Reply"), you agree that medical information with personal identifiers should not be released nor should DHSS be required to release information in violation of state or federal law. However, you argue that identifiers in the requested records could be removed and that certain information from the investigation "could, or should" be in DHSS's files that does not include patients' information subject to HIPAA, such as the name of the bacteria causing the outbreak, the source of contamination, and how it was cleaned. You further challenge DHSS's reliance on 16 Del. C. § 1210, asserting that DHSS has only alleged a mere possibility that identities could be revealed using information purged of identifiers and that is not enough to meet the statutory threshold that a "reasonable basis" exists to believe identification would be possible. Also, you allege that DHSS's assessment that the documents, after redacting the information subject to HIPAA, would be rendered meaningless, "is not a valid argument against releasing redacted information." You propose a test to prove that re-identification of patients would be impossible.

In summary, you state that the "point is that information exists (or may exist), which is neither associated with personal medical information and/or may be released, subject to removal of all personal identifiers, without violating either state or federal laws." Further, you reiterate your four requests for action by this Office: 1) "any and all information contained in DHSS investigation files of Brandywine Assisted Living be release[d] immediately, subject to compliance with applicable laws;" 2) you "request all that all DHSS files, modified in any way to comply with privacy laws, be reviewed independently by DOJ, before release, to ensure that no information is unnecessarily redacted due to overreach;" 3) you "reject the offer to have telephone conversations in lieu of written documents" as you will not "bargain down" your FOIA rights; and 4) if your requests are denied in whole or in part, you request for "all information which does not contain medical information" be released.

DISCUSSION

Under FOIA, a public body carries the burden of proof to justify denial of a request for records. Your request seeks medical information about a disease outbreak. DHSS denied access to these medical records pursuant to 29 Del. C. § 10002(l)(1) and 29 Del. C. § 10002(l)(6). You allege that DHSS's response was improper primarily due to three reasons: 1) DPH was the only responding division of DHSS; 2) you believe the disease cluster investigations can publicized without compromising privacy; and 3) you believe that DHSS has information not subject to the state and federal laws that should be released, including any information remaining in the heavily redacted materials.

First, with regard to your allegation that other divisions within DHSS were not required to response, DHSS's counsel has confirmed in its Response that DPH is only division believed to have responsive records. Consistent with this Office's practice, we accept those representations and find that DHSS appropriately supported its designation of DPH as the appropriate location to search for responsive records.

Second, you suggest that DHSS's release of the 2017 report indicates that it is possible for DHSS to create a report without using personal medical information. However, DHSS has not indicated that any such report exists in the fashion you contemplate and FOIA does not require creation of a document. If, in your opinion, other laws outside of FOIA require otherwise, DHSS does not have an obligation under FOIA to create a report.

Third, you allege that DHSS must have certain responsive records that are not precluded from disclosure under state and federal law and should be produced to you, even if heavily redacted. One reason is that you challenge DHSS's application of 16 Del. C. § 1210, arguing that there is no reasonable basis to assert that individuals can be identified using the information which would be produced to you and other reasonably available information. The other reason is that you believe other records without personal medical information must, or should, exist, and the information remaining, even after heavy redactions, should be produced. DHSS represents that it has reviewed the requested records in light of 16 Del. C. § 1210 and determined that due to the size of the outbreak, DHSS believes that there is reasonable basis that releasing the information that you have requested would potentially reveal the identities of individuals. Further, DHSS has reviewed the records and found that the remaining responsive documents would be meaningless after the needed redactions. DHSS also points to 29 Del. C. § 10002(l)(1), noting that the requested records in this case are medical records concerning infectious diseases of individuals at a facility.

This Office accepts the representations of a public body's counsel to determine whether requested records exist. Despite the Petition's assertion that other records might exist or the heavily redacted documents are meaningful, DHSS's counsel responds that DHSS's review of the records reveals that the only remaining information would be meaningless due to the heavy redactions required by state and federal law. In addition, this Office previously determined that FOIA does not require this Office to conduct an investigation or a review of records that a public body has withheld in response to a FOIA request. Rather, "FOIA only requires a determination of whether the City provided sufficient reasons for withholding the redacted information to satisfy its burden of proof." In these circumstances, we are satisfied that DHSS demonstrated that it asserted both FOIA exemptions, 29 Del. C. § 10002(l)(1) and 29 Del. C. § 10002(l)(6) and its underlying state and federal statutes, with a clear understanding of their meanings.

Finally, we note that your Petition includes a list of questions and issues that you expected to be addressed by the documents released to you. FOIA does not require a public body to answer questions, but to the extent you would like to submit more specific FOIA requests to DHSS incorporating the questions you posed to this Office, you may wish to do so.

CONCLUSION

It is our determination that DHSS has not violated FOIA as alleged.

Very truly yours,

/s/ Alexander S. Mackler

Alexander S. Mackler

Chief Deputy Attorney General

cc:

Joanna S. Suder, Deputy Attorney General

Dorey L. Cole, Deputy Attorney General