November 3, 1993

Ms. Krista Bradford
405 East 63rd Street
Apt. 10J
New York, NY 10021

The staff of the Committee on Open Government is authorized to
issue advisory opinions. The ensuing staff advisory opinion is
based solely upon the facts presented in your correspondence.

Dear Ms. Bradford:

As you are aware, I have received your letter of September 27
and a variety of related correspondence concerning your effort to
obtain information from the State Department of Health ("the
Department").

You have sought an advisory opinion pertaining to rights of
access to the Statewide Planning and Research Cooperative System,
commonly known as "SPARCS". According to the regulations
promulgated by the Department of Health, 10 NYCRR §400.18(a)(1),
"SPARCS" shall mean:

"...a statewide centralized health care system
which incorporates data obtained from, among
other sources, the uniform bill and uniform
discharge abstract submitted to the department
by hospitals pursuant to subdivision (b) and
(c) of this section, the patient review
instrument data submitted by residential
health care facilities pursuant to section 86-2.30 of this Title, and ambulatory surgery
data submitted by hospital-based and
freestanding centers pursuant to subdivision
(d) of this section and section 755.11 of this
Title."

"SPARCS" is also defined in §400.18(a)(7) to mean a unit of the
Department whose functions and responsibilities involve the
acceptance of requests for SPARCS data, and the review of those
requests in accordance with criteria described in §400.18(e)(3).
Section 400.18(e)(3)(h) states that:

"After completing its review, SPARCS shall
forward all requests for deniable aggregated
data, facility stay data, deniable individual
stay data, deniable PRI data and deniable
ASDAP data together with recommendations, the
results of its review and all supporting data
to the Data Protection Review Board" (the
"DPRB").

The DPRB conducts a second review and prepares recommendations
concerning access for the Commissioner, who makes a final
determination.

Several of the phrases appearing in subdivision (e)(3)(h) are
defined in subdivision (a), as follows:

"(2) Deniable individual stay data, except as
provided in paragraph (3) of this subdivision,
shall mean data pertaining to a particular
individual's facility stay that contain one or
more of the following deniable data elements,
which, if disclosed, would constitute an
unwarranted invasion of personal privacy:
medical record number, admit number, admit
date, discharge date, date(s) of surgery,
third-party payor identification numbers,
address, birthdate, physician identification,
accident date, facility identification and
patient review instrument data elements
referred to in paragraph (11) of this
subdivision.

(3) Individual stay data shall mean data
pertaining to six or more facility patients
which do not include any of the deniable data
elements referred to in paragraph (2) of this
subdivision. The following shall not
constitute deniable data elements: month and
year of admission, month and year of
discharge, length of stay, number of
preoperative days, number of postoperative
days, class of payor, census tract location of
patient, age of patient at one-year intervals
for patients one-year old or older, age of
patient at one-week intervals for patients
less than one-year old, physician speciality,
number of attending physicians, presence or
absence of an accident, and facility
reimbursement peer group. Any data pertaining
to fewer than six facility patients shall be
deemed to constitute deniable individual stay
data.

(4) Facility stay data shall mean individual
stay data and, in addition, the deniable data
element of facility identification.

(5) Aggregated data shall mean a statistical
tabulation of facility patient records, with
no single grouping or tabulation to be based
upon fewer than six facility patient records.
Where groupings are based upon fewer than six
records, such groupings will be eliminated or
combined with other groupings.

(6) Deniable aggregated data shall mean
aggregated data which include one or more of
the deniable data elements referred to in
paragraph (2) of this subdivision...

(11) Deniable individual PRI data shall mean
data pertaining to a particular individual
that contain one or more of the following
deniable data elements which, if disclosed,
would constitute an unwarranted invasion of
personal privacy: operating certificate
number, social security number, official
facility name, patient name, medical record
number, room number, unit number, date of
birth, date of initial admission, Medicaid
number, and Medicare number.

(12) Aggregated PRI data shall mean a
statistical tabulation of residential health
care facility patient records, with no single
grouping or tabulation to be based on fewer
than six residential health care facility
patient records; however, it shall be noted by
SPARCS on the requested data, if approved,
where the tabulation would result in fewer
than six residential health care facility
patient records.

(13) Deniable aggregated PRI data shall mean
aggregated data which include one or more of
the deniable data elements referred to in
paragraph (11) of this subdivision.

(14) Ambulatory Surgery Data Abstract Project
(ASDAP) shall mean the data format used by
hospital based and free-standing ambulatory
surgery centers to report to the Department of
Health pursuant to subdivision (d) of this
section and section 755.11 of this Title.

(15) ASDAP data shall mean the data submitted
by hospital-based and free-standing ambulatory
surgery centers."

Subdivision (d)(1) states that:

"All hospitals certified by the department to
provide hospital-based ambulatory surgery
services shall submit to the department for
each patient surgical visit the following
information:

(i) SPARCS hospital identification
number;

(ii) an identity-shielded patient
record number;

(iii) the patient's birth date, sex
and ZIP code;

(iv) the date of the visit;

(v) the hour of admission and
discharge for the visit;

(vi) operating room time used;

(vii) principal diagnosis code;

(viii) principal procedure code;

(ix) other procedure code;

(x) primary reimbursement code;

(xi) county of the patient's
residence;

(xii) the disposition of the
patient on discharge from the
service;

(xiii) physician's or dentist's
license number; and

(xiv) method of anesthesia used."

With the background of the regulations in mind, on July 1, you
wrote to the Executive Secretary of the DPRB, Gene D. Therriault,
and, under the Freedom of Information Law, sought various elements
of SPARCS data. You expressed support for the general policy of
protecting data identifiable to patients and specified that some of
the information sought is "deniable" according to the regulations.
You also described your role as a journalist and indicated
that your initial project would "examine the rate of Caesarean
sections and other child birth intervention", and you contended
that "it is in the public's (and the consumer's) best interest not
only to know the c-section rate of the hospitals, as is currently
state law, but of the very doctors delivering these babies". In an
acknowledgement of the receipt of the request on July 7, the
Executive Secretary sought clarification of portions of the request
and expressed a need to know whether the request was meant to be
made under the Freedom of Information Law or the regulations, in
which case an application form would have to be completed. He also
indicated that the "process for responding to your request will be
substantially different, depending upon how you perceive your
request." Finally, Mr. Therriault wrote that if you wanted to seek
the data under the Freedom of Information Law, he would forward
your request to Donald Macdonald, the Department's records access
officer; on the other hand, if you wanted to request the data under
the SPARCS regulations, you were asked to complete an application
form. On July 20, you asked that your request be considered under
the Freedom of Information Law and that it be forwarded to the
records access officer. You also expressed the view that it is not
your role to suggest how the Department should process the request,
"for [your] only interest is obtaining information [you] believe to
be legally due [you]." Notwithstanding the foregoing, on August 2,
Mr. Therriault wrote to you and advised that SPARCS data must be
requested on a SPARCS application form. You transmitted the
application form with a cover letter on August 12. On September
15, Mr. Therriault denied the application for a number of reasons,
most of which involve your failure to provide information sought by
means of the form. In a draft of an appeal that was not made due
to the pendency of a request for an advisory opinion from this
office, you referred to the denial letter from the DPRB's Executive
Secretary and wrote that:

"In his letter, Therriault maintained [you
were] requesting 'patient information' would
be, upon release, an unwarranted invasion of
personal privacy. [You] maintain that
releasing the names of the doctors, the
facility, the insurers (3rd party payors) and
the medical record numbers by no means invades
the personal privacy of the patients. [You]
have stated [you] have no intent to identify
individual patients and would be unable to
identify them, as no identifying information
would be contained in [your] copy of SPARCS
(name, date of birth, social security number,
address, etc.) However, [you] will not
promise to keep public information,
information due [you] through FOIL, private as
the SPARCS regulations seem to insist."

In this regard, I offer the following comments.

First, the Freedom of Information Law pertains to existing
records. Section 89(3) of that statute states in part that an
agency need not create a record in response to a request. It is
emphasized, however, that §86(4) defines the term "record"
expansively to include:

"any information kept, held, filed, produced,
reproduced by, with or for an agency or the
state legislature, in any physical form
whatsoever including, but not limited to,
reports, statements, examinations, memoranda,
opinions, folders, files, books, manuals,
pamphlets, forms, papers, designs, drawings,
maps, photos, letters, microfilms, computer
tapes or discs, rules, regulations or codes."

Based upon the language quoted above, if information is maintained
in some physical form, it would in my opinion constitute a "record"
subject to rights of access conferred by the Law. Further, the
definition of "record" includes specific reference to computer
tapes and discs, and it was held more than ten years ago that
"[i]nformation is increasingly being stored in computers and access
to such data should not be restricted merely because it is not in
printed form" [Babigian v. Evans, 427 NYS 2d 688, 691 (1980); aff'd
97 AD 2d 992 (1983); see also, Szikszay v. Buelow, 436 NYS 2d 558
(1981)]. In my view, since SPARCS consists of data that is
maintained in some physical form by the Department, I believe that
the SPARCS database (or databases) would clearly constitute a
"record" subject to rights conferred by the Freedom of Information
Law.

When information is maintained electronically, it has been
advised that if the information sought is available under the
Freedom of Information Law and may be retrieved by means of
existing computer programs, an agency is required to disclose the
information. In that kind of situation, the agency in my view
would merely be retrieving data that it has the capacity to
retrieve. Disclosure may be accomplished either by printing out
the data on paper or perhaps by duplicating the data on another
storage mechanism, such as a computer tape or disk. On the other
hand, if information sought can be retrieved from a computer or
other storage medium only by means of new programming or the
alteration of existing programs, those steps would, in my opinion,
be the equivalent of creating a new record. As stated earlier,
since §89(3) does not require an agency to create a record, I do
not believe that an agency would be required to reprogram or
develop new programs to retrieve information that would otherwise
be available [see Guerrier v. Hernandez-Cuebas, 165 AD 2d 218
(1991)].

Second, as a general matter, the Freedom of Information Law is
based upon a presumption of access. Stated differently, all
records of an agency are available, except to the extent that
records or portions thereof fall within one or more grounds for
denial appearing in §87(2)(a) through (i) of the Law.

While various portions of the Department's regulations cited
earlier refer to "deniable" data, I do not believe that an agency's
regulations may render records deniable or confidential, unless
there is a basis for so doing pursuant to one or more of the
grounds for denial appearing in the Freedom of Information Law.

The first ground for denial, §87(2)(a), refers to records that
may be characterized as confidential and enables an agency to
withhold records that "are specifically exempted from disclosure by
state or federal statute." A statute, based upon judicial
interpretations of the Freedom of Information Law, is an act of the
State Legislature or Congress [see Sheehan v. City of Syracuse, 521
NYS 2d 207 (1987)], and it has been found that agencies'
regulations are not the equivalent of statutes for purposes of
§87(2)(a) of the Freedom of Information Law [see Zuckerman v. NYS
Board of Parole, 385 NYS 2d 811, 53 AD 2d 405 (1976); Morris v.
Martin, Chairman of the State Board of Equalization and Assessment,
440 NYS 2d 365, 82 AD 2d 965, reversed 55 NY 2d 1026 (1982)].
Therefore, insofar as the Department's regulations render records
or portions of records "deniable" in a manner inconsistent with the
Freedom of Information Law or some other statute, those regulations
would, in my opinion, be invalid.

The primary basis for a potential denial of SPARCS data is
referenced in both the Freedom of Information Law and the
Department's regulations. Specifically, §87(2)(b) of the Freedom
of Information Law authorizes an agency to withhold records or
portions thereof which "if disclosed would constitute an
unwarranted invasion of personal privacy under the provisions of
subdivision two of section eighty-nine of this article." Section
89(2)(a) states in part that an agency may delete identifying
details to protect against unwarranted invasions of personal
privacy when it makes records available, and §89(2)(b) includes
examples of unwarranted invasions of personal privacy. The first
includes reference to medical histories; the second pertains to
"disclosure of items involving the medical or personal records of
a client or patient in a medical facility." Based upon those
provisions, it is clear that SPARCS data, insofar as it includes
personally identifiable information concerning patients, is indeed
"deniable". As indicated earlier, in your request of July 1, you
expressed support for protecting the privacy rights of patients,
and you wrote that, irrespective of the nature of the data you
might receive, there would be no effort on your part to identify
patients. In short, it appears that you are not contending in any
way that personally identifiable data must be disclosed or that the
Freedom of Information Law requires the disclosure of such data.

Also relevant in considering issues relating to privacy is the
Personal Privacy Protection Law. Section 96(1) of that statute
precludes a state agency from disclosing personal information about
a "data subject", unless disclosure is permitted pursuant to
exceptions authorizing disclosure that appear in the ensuing
portions of that provision. A "data subject" is "any natural
person about whom personal information has been collected by an
agency" [Personal Privacy Protection Law, §92(3)]. "Personal
information" is defined to mean "any information concerning a data
subject which, because of name, number, symbol, mark or other
identifier, can be used to identify that data subject" [§92(7)].
For purposes of the Personal Privacy Protection Law, the term
"record" is defined to mean "any item, collection or grouping of
personal information about a data subject which is maintained and
is retrievable by use of the name or other identifier of the data
subject" [§92(9)].

Further, §89(2-a) of the Freedom of Information Law states
that:

"Nothing in this article [the Freedom of
Information Law] shall permit disclosure which
constitutes an unwarranted invasion of
personal privacy as defined in subdivision two
of this section if such disclosure is
prohibited under section ninety-six of this
chapter."

As such, when the Freedom of Information Law and the Personal
Privacy Protection Law are read in conjunction with one another, a
state agency cannot release records when disclosure would result in
an unwarranted invasion of personal privacy, unless disclosure is
otherwise permitted by §96.

It is noted that one of the provisions authorizing disclosure,
§96(1)(c), pertains to disclosures made pursuant to "article six of
this chapter." Article six of the Public Officers Law is the
Freedom of Information Law. In other words, personal information
subject to the Personal Privacy Protection Law is available under
the Freedom of Information Law when disclosure would result in a
permissible rather than an unwarranted invasion of personal
privacy.

In reviewing the various items characterized in the
Department's regulations as "deniable", the issue in terms of the
Freedom of Information Law, the Personal Privacy Protection Law and
the validity of those regulations is whether disclosure would
indeed constitute an unwarranted invasion of personal privacy. I
believe that a name of a patient, that person's address, social
security number, Medicaid number or similar identifier would, if
disclosed, in combination with the other items described in the
regulations cited earlier, result in an unwarranted invasion of
personal privacy. However, if those unique personal identifiers
are deleted or removed, it is difficult to envision how disclosure
of several items characterized in the regulations as deniable could
possibly identify a patient or, therefore, result in an unwarranted
invasion of personal privacy. For instance, the name of a
facility, a hospital where treatment was provided, although
designated as deniable individual stay data, must be disclosed in
my opinion to comply with the Freedom of Information Law because
there is nothing "personal" about that data.

From my perspective, the provisions in the Freedom of
Information Law pertaining to privacy are intended to deal with
natural persons, rather than entities, such as corporations,
hospitals, other health care facilities or insurers. The Personal
Privacy Protection Law, when read in conjunction with the Freedom
of Information Law, makes it clear that the protection of privacy as
envisioned by those statutes is intended to pertain to personal
information about natural persons [see Public Officers Law,
§§92(3), 92(7), 96(1) and 89(2-a)]. Therefore, insofar as the
information at issue would identify entities, such as hospitals or
insurance companies rather than natural persons, I do not believe
that the information could be withheld based upon considerations of
privacy. In a decision rendered by the Court of Appeals that
focused upon the privacy provisions, the court referred to the
authority to withhold "certain personal information about private
citizens" [see Matter of Federation of New York State Rifle and
Pistol Clubs, Inc. v. The New York City Police Department, 73 NY 2d
92 (1989)]. In view of that statement, again, I believe that the
authority to withhold the information based upon considerations of
privacy is restricted to those situations in which the information
pertains to natural persons.

Moreover, based upon the judicial interpretation of the
Freedom of Information Law, not every disclosure of an individual's
name or other identifier would constitute an
unwarranted invasion of personal privacy. On the contrary, as
suggested earlier, disclosure in some instances would result in a
permissible invasion of personal privacy. In the case of SPARCS
data, I believe that a primary goal involves the protection of
patient privacy, and it is clear that patients' names, for example,
are indeed deniable. Nevertheless, included as deniable data is
physician identification. Based upon a judicial interpretation of
the Freedom of Information Law that dealt with different records
maintained by the Department, I do not believe that the Department
may restrict the disclosure of SPARCS data that identifies
physicians. In Newsday, Inc. v. New York State Department of
Health (Supreme Court, Albany County, October 15, 1991), the issue
involved access to records that ranked individual surgeons
performing cardiac surgery in hospitals throughout the state.
Although the Department withheld portions of the records
identifiable to physicians on the ground that disclosure would
constitute an unwarranted invasion of personal privacy, it was my
view that the information should be disclosed, for it pertained to
professional activities carried out by persons licensed by the
state. As stated in an advisory opinion prepared on May 14, 1992
at the request of Newsday that was cited in the court's decision:

"...the information sought, although
identifiable to particular physicians,
pertains solely to the performance of their
duties in a profession licensed by the state.
Unlike an individual's social security number
or medical records identifiable to patients,
which would involve unique and personal
details of people's lives, the records in
question are not 'personal', in my opinion;
rather, again, they deal with functions
carried out by individuals in their capacities
as licensed professionals. Further, in terms
of the public interest in the records, the
public is increasingly interested and
concerned regarding a variety of issues
relating to medical treatment, including a
hospital's performance, the necessity of
surgical procedures and alternatives to
surgery, assessment of risks and similar
matters. In short, as suggested in the
decisions cited above, the exception
concerning privacy likely does not extend to
the kind of information at issue, which
relates to persons acting in their business or
professional capacities, and that, in
balancing the interests, disclosure would
constitute a permissible rather than an
unwarranted invasion of personal privacy."

Aside from the two examples of data described in the preceding
paragraphs which could not in my view be validly characterized as
"deniable" (data identifying facilities and physicians), there may
be other aspects of so-called deniable data that could not
justifiably be withheld. In short, the issue in my opinion
involves the extent to which disclosure of the data could identify
patients, thereby resulting in an unwarranted invasion of personal
privacy. Insofar as disclosure would not identify patients, it
would appear to be difficult, if not impossible, for the Department
to justify a denial.

Third, it is emphasized that the courts have consistently
interpreted the Freedom of Information Law in a manner that fosters
maximum access. As stated by the Court of Appeals more than a decade
ago:

"To be sure, the balance is presumptively
struck in favor of disclosure, but in eight
specific, narrowly constructed instances where
the governmental agency convincingly
demonstrates its need, disclosure will not be
ordered (Public Officers Law, section 87, subd
2). Thus, the agency does not have carte
blanche to withhold any information it
pleases. Rather, it is required to articulate
particularized and specific justification and,
if necessary, submit the requested materials
to the courts for in camera inspection, to
exempt its records from disclosure (see Church
of Scientology of N.Y. v. State of New York,
46 NY 2d 906, 908). Only where the material
requested falls squarely within the ambit of
one of these statutory exemptions may
disclosure be withheld" [Fink v. Lefkowitz, 47
NY 2d 567, 571 (1979)].

In another decision rendered by the Court of Appeals, it was held
that:

"Exemptions are to be narrowly construed to
provide maximum access, and the agency seeking
to prevent disclosure carries the burden of
demonstrating that the requested material
falls squarely within a FOIL exemption by
articulating a particularized and specific
justification for denying access" [Capital
Newspapers v. Burns, 67 NY 2d 562, 566 (1986);
see also, Farbman & Sons v. New York City, 62
NY 2d 75, 80 (1984); and Fink v. Lefkowitz, 47
NY 2d 567, 571 (1979)].

Lastly, the use of information that could ordinarily be
withheld under the Freedom of Information Law or the Personal
Privacy Protection Law may be a relevant factor in determining
whether an agency can or should disclose in conjunction with an
exception that permits disclosure. However, in general, the
reasons for which a request is made and an applicant's potential
use of records are irrelevant, and it has been held that when
records are accessible under the Freedom of Information Law, they
should be made equally available to any person, without regard to
status or interest [see e.g., M. Farbman & Sons v. New York City,
62 NY 2d 75 (1984) and Burke v. Yudelson, 368 NYS 2d 779, aff'd 51
AD 2d 673, 378 NYS 2d 165 (1976)]. Moreover, when records
accessible under the Freedom of Information Law are disclosed to
the public, I believe that the recipient of the records may use the
records as he or she sees fit.

I hope that I have been of some assistance. Should any
further questions arise, please feel free to contact me.

Sincerely,

Robert J. Freeman
Executive Director

RJF:jm

cc: Gene Therriault, Executive Secretary
Donald Macdonald, Records Access Officer
Peter Slocum, Appeals Officer