Opinion No. (2001)

Dear Director Regier,

¶ 0 This office has received your request for an official Attorney General Opinion in which you ask, in effect, the following question:

Does the Oklahoma Open Records Act, 51 O.S. 1991 Supp.2000, §§ 24A.124A.26, require public disclosure ofresidential addresses, dates of birth, social security numbers,or other information of a personal nature submitted by anapplicant and/or licensee to the Oklahoma State Department ofHealth under requirements of the certified nursing aide andnursing aide trainee registry, 63 O.S. Supp. 2000, §1-1951(D)?

I. Introduction ¶ 1 In 1996 the Oklahoma Legislature enacted Section 1-1951 of Title 63 as an addition to the Nursing Home Care Act. See 1996 Okla. Sess. Laws ch. 336, § 8. This legislation, in response to federal law, requires that the Department of Health certify nursing aides; and as a part of that certification procedure, maintain a registry accessible by employers which "provides a process for notification and investigation of alleged abuse, exploitation or neglect of residents of a facility or home or clients of an agency or center." 63 O.S. Supp. 2000, §1-1951[63-1-1951](D)(1)(b); see also id. § 1-1951(D)(1)(a). As will be discussed in more detail below, one federal law dealing with the registry1 has a confidentiality requirement prohibiting the general release of certain personal information; however, Oklahoma's Section 1-1951 contains no such confidentiality requirement. Your question focuses on this difference, and asks whether this lack of a confidentiality requirement in the State statute allows certain personal information to be accessible under the State's Open Records Act.

II. The State Registry ¶ 2 Your question centers around 63 O.S. Supp. 2000, §1-1951[63-1-1951](D). It reads as follows:

D. 1. The State Department of Health shall establish and maintain a certified nursing aide and nursing aide trainee registry that:

a. is sufficiently accessible to promptly meet the needs of the public and employers, and

b. provides a process for notification and investigation of alleged abuse, exploitation or neglect of residents of a facility or home or clients of an agency or center.

2. The registry shall contain information as to whether a nursing aide has:

a. successfully completed a certified nursing aide training and competency examination,

b. met all the requirements for certification, or

c. received a waiver from the Board.

3. a. The registry shall include, but not be limited to, the following information on each certified nursing aide or nursing aide trainee:

(1) the individual's full name,

(2) information necessary to identify each individual,

(3) the date the individual became eligible for placement in the registry,

(4) information on any finding of the Department of abuse, neglect or exploitation by the certified nursing aide or nursing aide trainee. . . .

3 Id. The statute requires that each facility check the nursing aide registry before hiring a person to work as a nursing aide. "If the registry indicates that an individual has been found, as a result of a hearing, to be personally responsible for abuse, neglect or exploitation, that individual shall not be hired by the facility." 63 O.S. Supp. 2000, § 1-1951[63-1-1951](D)(8). The statute further provides that upon request, the Department of Health "shall [subject to confidentiality of the names of residents and clients] disclose all of the information relating to the confirmed determination of abuse, exploitation and neglect by the certified nursing aide or nursing aide trainee to the person requesting such information." Id. § 1-1951(D)(11). The Department of Health may disclose additional information it determines is necessary. See id. There is nothing in this statute or the rest of the Nursing Home Care Act (63 O.S. 1991 Supp. 2000, §§ 1-1901 — 1-1951) specifically dealing with the availability of these records for public inspection.2

¶ 4 Therefore, unless there exists an exception in the Open Records Act, the records in question are subject to that Act.3

III. Open Records Act ¶ 5 The Legislature has expressed the intent and scope of the Oklahoma Open Records Act ("the Act") as follows:

As the Oklahoma Constitution recognizes and guarantees, all political power is inherent in the people. Thus, it is the public policy of the State of Oklahoma that the people are vested with the inherent right to know and be fully informed about their government. The Oklahoma Open Records Act shall not create, directly or indirectly, any rights of privacy or any remedies for violation of any rights of privacy; nor shall the Oklahoma Open Records Act, except as specifically set forth in the Oklahoma Open Records Act, establish any procedures for protecting any person from release of information contained in public records. The purpose of this act is to ensure and facilitate the public's right of access to and review of government records so they may efficiently and intelligently exercise their inherent political power. The privacy interests of individuals are adequately protected in the specific exceptions to the Oklahoma Open Records Act or in the statutes which authorize, create or require the records. Except where specific state or federal statutes create a confidential privilege, persons who submit information to public bodies have no right to keep this information from public access nor reasonable expectation that this information will be kept from public access; provided, the person, agency or political subdivision shall at all times bear the burden of establishing such records are protected by such a confidential privilege.

¶ 6 51 O.S. 1991, § 24A.2[51-24A.2] (footnote omitted). There can be no question the documents requested are "records" as that term is defined in the Act (see 51 O.S. Supp. 2000, 24A.3(1)), nor is there a question the Department of Health is a "public body" as that term is defined. See id. § 24A.3(2). Therefore, unless a public body can rebut the presumption of openness inherent in the language of Section 24A.2, the records in question must be made available.

¶ 7 There are provisions within the Act which create exceptions to the openness requirement. Specifically, one specific provision reads: "Records coming into the possession of a public body from the federal government or records generated or gathered as a result of federal legislation may be kept confidential to the extent required by federal law." 51 O.S. 1991, § 24A.13[51-24A.13]. To determine whether this exception applies, we must examine the federal counterpart to 63 O.S. Supp. 2000, § 1-1951[63-1-1951](D).

IV. Federal Law ¶ 8 Two federal acts pertain to nursing aides and their participation in state-run programs relying in whole or in part on federal dollars. Both acts deal with data collection systems.

a. Registry of Nurse Aides

¶ 9 This registry is based on requirements in statutes regulating nursing facilities4 and skilled nursing facilities.5

¶ 10 In nursing facilities, 42 U.S.C. § 1396r (1998) — a part of the Social Security Act providing grants to states for medical assistance programs — requires nurse aides to be trained and competent. See id. § 1396r(b)(5). Toward that end, a nursing facility cannot employ an individual as a nurse aide unless the facility has inquired of a State registry which must be established. See id. § 1396r(b)(5)(C). The registry must list all individuals who generally have satisfactorily completed a nurse aide training and competency evaluation program, or a nurse aide competency evaluation program. It must also contain any documented findings by a state of resident neglect or abuse or misappropriation of resident property, as well as a brief statement if the individual in question wishes to dispute the findings. See id. § 1396r(e)(2)(A), (B). The statute specifically notes that the state "shall make available to the public information in the registry." Id. § 1396r(e)(2)(B). The same requirements exist in skilled nursing facilities. See id. § 1395i-3(e)(2)(A), (B) (1997).

¶ 11 Pursuant to these statutes, the Secretary of Health and Human Services promulgated certain rules. One rule which applies to your question is 42 C.F.R. § 483.156, mandating a registry for nurse aides. It reads:

(a) Establishment of registry. The State must establish and maintain a registry of nurse aides that meets the requirement of this section. The registry —

(1) Must include as a minimum the information contained in paragraph (c) of this section:

(2) Must be sufficiently accessible to meet the needs of the public and health care providers promptly;

. . . .

(b) Registry operation.

. . . .

(5) The State must provide information on the registry promptly.

(c) Registry Content.

(1) The registry must contain at least the following information on each individual who has successfully completed a nurse aide training and competency evaluation program which meets the requirements of Sec. 483.152 or a competency evaluation which meets the requirements of Sec. 483.154 and has been found by the State to be competent to function as a nurse aide or who may function as a nurse aide because of meeting criteria in Sec. 483.150:

(i) The individual's full name.

(ii) Information necessary to identify each individual;

(iii) The date the individual became eligible for placement in the registry through successfully completing a nurse aide training and competency evaluation program or competency evaluation program or by meeting the requirements of Sec. 483.150; and

(iv) The following information on any finding by the State survey agency of abuse, neglect, or misappropriation of property by the individual:

(A) Documentation of the State's investigation, including the nature of the allegation and the evidence that led the State to conclude that the allegation was valid;

(B) The date of the hearing, if the individual chose to have one, and its outcome; and

(C) A statement by the individual disputing the allegation, if he or she chooses to make one; and

(D) This information must be included in the registry within 10 working days of the finding and must remain in the registry permanently, unless the finding was made in error, the individual was found not guilty in a court of law, or the State is notified of the individual's death.

(2) The registry must remove entries for individuals who have performed no nursing or nursing-related services for a period of 24 consecutive months, unless the individual's registry entry includes documented findings of abuse, neglect, or misappropriation of property.

(d) Disclosure of information. The State must —

(1) Disclose all of the information in Sec. 483.156(c)(1) (iii) and (iv) [the date the individual completed the nurse aide program and any finding of abuse, neglect or misappropriation of property] to all requesters and may disclose additional information it deems necessary; and

(2) Promptly provide individuals with all information contained in the registry on them when adverse findings are placed on the registry and upon request. Individuals on the registry must have sufficient opportunity to correct any misstatements or inaccuracies contained in the registry.

42 C.F.R. § 483.156 (1999) (emphasis added). This regulation was enacted in 1991. See 56 Fed. Reg. 48,919 (Sept. 26, 1991);56 Fed. Reg. 59,331 (Nov. 25, 1991).

¶ 12 From this, we can see that the agency must make available to anyone who requests it, the date the individual became eligible as a nurse aide for placement in the registry; and information dealing with abuse, neglect or misappropriation of property. See 42 C.F.R. § 483.156(d)(1) (1999). However, the regulation does not require the agency to disclose the individual's full name or "[i]nformation necessary to identify each individual" (id. § 483.156(c)(ii)), but it "may disclose additional information it deems necessary." Id. § 483.156(d)(1).

¶ 13 The regulation does not specify what "other information it deems necessary" may be. However, the Secretary of Health and Human Services subsequently has enacted another set of regulations covering nursing aides which directly speaks toward confidentiality. These regulations establish the Healthcare Integrity and Protection Data Bank.

b. Healthcare Integrity and Protection Data Bank

¶ 14 In an effort to curb abuse of certain classes of individuals by individuals or entities receiving federal money under the Social Security Act, as added by the Health Insurance Portability and Accountability Act of 1996, Congress has declared that certain persons must be excluded from participation in the federal program. Those who must be excluded from participation in "any Federal health care program" include any person who has been convicted of a criminal offense related to the delivery of an item or service under laws dealing with health insurance for the elderly and disabled or under any State health care program; or any person who has been convicted under Federal or State law of a crime involving neglect or abuse of patients in connection with the delivery of a health care item or service. See42 U.S.C. § 1320a-7(a) (1997).

¶ 15 Toward this end, Congress directed the Secretary of Health and Human Services to establish a health care fraud and abuse data collection program.6 See 42 U.S.C. § 1320a-7e (1997). The purpose of this data collection program is to assure that certain persons are excluded from participating in state health care programs which receive federal monies. This statute sets forth the information which must be reported. Generally, each governmental agency and health plan must report to the Secretary "any final adverse action (not including settlements in which no findings of liability have been made) taken against a health care provider, supplier, or practitioner." Id. § 1320a-7e(b)(1). Information to be reported includes "[t]he name and . . . [social security number] of any health care provider, supplier, or practitioner who is the subject of a final adverse action." Id. § 1320a-7e(b)(2)(A). The statute states that this information "shall be available to Federal and State government agencies and health plans pursuant to procedures that the Secretary shall provide by regulation." Id. § 1320a-7e(d)(1).

¶ 16 As directed, the Secretary of Health and Human Services established the "Healthcare Integrity and Protection Data Bank" ("HIPDB"). See 45 C.F.R. § 61.1 (2000). The Department of Health, as state licensing agency, is required to report such things as revocation or suspension of license or certification and whether a reprimand, censure or probation has occurred. See45 C.F.R. § 61.7(a)(1) (2000). As identifiers, the department is required to include (among other things) the person's name, social security number, address, sex and date of birth. See45 C.F.R. § 61.7(b) (2000). Prosecutors must also report (using the same identifiers as listed above) any convictions which relate to the delivery of a health care service. See 45 C.F.R. § 61.8(a) (2000). The same applies to civil judgments related to the delivery of a health care service (see 45 C.F.R. § 61.9(a) (2000)) or persons excluded as a result of a settlement where no liability was found or admitted. See 45 C.F.R. § 61.10(a) (2000).

¶ 17 Of concern to you are the sections dealing with disclosure. Information contained in the HIPDB is available upon request to government agencies, health plans, self-queries by individuals in the database, and researchers or others who request statistical information (although these requesters are not entitled to data which would identify any particular individual). See 45 C.F.R. § 61.12(a) (2000).

¶ 18 The restrictive nature of this data is underscored by another rule, which reads:

Information reported to the HIPDB is considered confidential and will not be disclosed outside the Department, except as specified in Secs. 61.12 [discussed above] and 61.15 [dealing with the right of the individual to dispute the accuracy of the data in the HIPDB]. Persons and entities receiving information from the HIPDB, either directly or from another party, must use it solely with respect to the purpose for which it was provided. Nothing in this section will prevent the disclosure of information by a party from its own files used to create such reports where disclosure is otherwise authorized under applicable State or Federal law.

¶ 19 45 C.F.R. § 61.14 (2000). Comments to the rules make it clear that the information is to remain confidential. In64 Fed. Reg. 57,741-42, it is noted that the confidentiality requirements were "clearly specified" in 42 U.S.C. § 1320a-7e(b)(3), (d)(1) and 42 U.S.C. § 1320a-7c(a)(3)(B)(ii). Further,

We proposed that information from this system be confidential and disclosed only for the purpose for which it was provided. We also proposed that appropriate uses of the information would include the prevention of fraud and abuse activities and improving the quality of patient care. This proposed provision did not go beyond the requirements set forth in the Act. The proposed requirements would not prevent an authorized user from sharing information from the HIPDB within the entity that requested it, as long as the information is used solely for the purpose for which it was provided.

¶ 20 64 Fed. Reg. 57,742 (Oct. 26, 1999) (to be codified at45 C.F.R. pt. 61). Further responses to comments reinforce the privacy requirement:

Comment: The majority of the commenters responding to this provision questioned the confidentiality of the reported data bank elements and resulting privacy of the information once a report is submitted to the HIPDB. The confidentiality of individual elements, as well as of the report as a whole, were questioned and several commenters believed the final rule needed to be clarified further. Citing possible violation of the Privacy Act, commenters expressed concern about the "purpose" for which the data are provided and the process of how queriers may distribute and use the information provided in a report.

Response: Similar to the NPDB [National Practitioner Data Bank], the HIPDB requires specific data elements to be reported in order to maximize the accuracy of matching subjects of reports by the querier. . . . Section 552b(3) of the Privacy Act allows disclosure for "routine use," compatible with the purpose for which it was collected. Appropriate uses for the HIPDB information will include credentialing and employment decisions, fraud and abuse investigations, and use as a part of a querying entity's screening process which would indicate more complete details are needed about the subject. This "routine use" does not allow disclosure to the general public.

Comment: Several commenters stated that the wording of this section was confusing, and did not fully explain the ways in which information can be disseminated once it is released to an eligible entity.

Response: With respect to the confidentiality requirements of information obtained from the HIPDB indirectly from another party, as well as information obtained directly from the data bank, an individual or entity that receives information from the HIPDB is permitted to disclose such information further in the course of carrying out the activity for which the information was sought. For example, during the course of a health plan's credentialing process, the plan may request information from the HIPDB on a practitioner's history of final adverse actions. The health plan may share this information with other individuals who are part of the credentialing review and decision making process on the practitioner's application. Nevertheless, the confidentiality limitations of the Act apply both to the health plan staff who initially receive the information and to the specific departmental staff who subsequently review this same information; they may each only use and disclose the information with respect to the credentialing decision.

64 Fed. Reg. 57,751 (Oct. 26, 1999) (to be codified at45 C.F.R. pt. 61) (emphasis added).

V. Comparison of State and Federal Law ¶ 21 Under the federal rules establishing the Registry of Nurse Aides, "the State must" disclose the date an individual completed the nurse aide program and any finding of abuse, neglect or misappropriation of property. See 42 C.F.R. § 483.156(d) (1999). This same requirement is reflected in the State statute.63 O.S. Supp. 2000, § 1-1951[63-1-1951](D)(11).

¶ 22 In contrast, the HIPDB requires that "specific data elements" used to identify subjects of the database allows disclosure only for "`routine use,' compatible with the purpose for which it was collected," such as "credentialing and employment decisions, fraud and abuse investigations, and use as a part of a querying entity's screening process which would indicate more complete details are needed about the subject."64 Fed. Reg. 57,751 (Oct. 26, 1999) (to be codified at 45 C.F.R. pt. 61). Comments to the HIPDB specifically state these more detailed "data elements" cannot be disclosed to the general public.

¶ 23 Reconciling these provisions to make them not only consistent and harmonious, but also to give an intelligent effect to each (see Sharp v. Tulsa County Election Bd.,890 P.2d 836, 840 (Okla. 1994)), the Department of Health would be required to release, upon request, the date an individual completed the nurse aide program and any finding of abuse, neglect or misappropriation of property. However, more specific data used to identify and screen subjects such as social security numbers, addresses or dates of birth cannot be disclosed to the general public.

VI. Conclusion ¶ 24 Since 63 O.S. Supp. 2000, § 1-1951[63-1-1951](D) was passed in response to federal law,7 it follows that the Department of Health is authorized under that statute to release the date the individual became eligible for placement in the registry and information on any finding of the Department of abuse, neglect or exploitation by the certified nursing aide or nursing aide trainee — excluding names of victims of that abuse. See 63O.S. Supp. 2000, § 1-1951[63-1-1951](D)(11). Likewise, it follows that other information of a more personal nature used for more accurate identification — such as residential addresses, dates of birth, social security numbers — is not subject to disclosure under the Oklahoma Open Records Act, as the material came into the Health Department's possession as records "generated or gathered as a result of federal legislation," 51 O.S. 1991, §24A.13[51-24A.13], and thus may be kept confidential to the extent required by federal law. See id.8 The Oklahoma statute also permits the release of "additional information the Department determines necessary." 63 O.S. Supp. 2000, § 1-1951[63-1-1951](D)(11). So long as the "additional information" does not contain the specific information set forth above which is required to be kept confidential, that information could be released if the Department of Health deems it necessary. See id. What would constitute such information is a question of fact beyond the scope of an Attorney General Opinion. See 74 O.S. Supp. 2000,§ 18b[74-18b](A)(5).

¶ 25 It is, therefore, the official Opinion of the AttorneyGeneral that: 1. The Oklahoma Open Records Act, 51 O.S. 1991 Supp. 2000,§§ 24A.124A.26, does not require public disclosure ofresidential addresses, dates of birth, social security numbers,or other information of a personal nature submitted by anapplicant and/or licensee to the Oklahoma State Department ofHealth under requirements of the certified nursing aide andnursing aide trainee registry, see 63 O.S. Supp. 2000, §1-1951(D), because that registry was enacted pursuant tofederal law and the information submitted in that registry isrequired to remain confidential under federal law; therefore, itis exempted from disclosure under 51 O.S. 1991, § 24A.13,which allows the information to be kept confidential to theextent required by federal law. 2. The Oklahoma Open Records Act permits the release of thedate the nursing aide became eligible for placement in theregistry and information on any finding of the Department ofHealth of abuse, neglect or exploitation by the certified nursingaide or nursing aide trainee — excluding names of victims of thatabuse. See 63 O.S. Supp. 2000, § 1-1951(D)(11). TheOklahoma statute also permits the release of "additionalinformation the Department determines necessary." 63 O.S. Supp.2000, § 1-1951(D)(11). So long as the "additional information"does not contain the specific information set forth above whichis required to be kept confidential, that information could bereleased. What constitutes such information is a question of factbeyond the scope of an Attorney General Opinion. See 74 O.S.Supp. 2000, § 18b(A)(5).

W.A. DREW EDMONDSON ATTORNEY GENERAL OF OKLAHOMA

DAN CONNALLY ASSISTANT ATTORNEY GENERAL

1 There is no doubt 63 O.S. Supp. 2000, § 1-1951[63-1-1951](D) was passed in response to federal requirements that states receiving federal funds must establish the data banks discussed below.See 42 U.S.C. § 1320a_7b (defining "federal health care program" as "(1) any plan or program that provides health benefits, whether directly, through insurance, or otherwise, which is funded directly, in whole or in part, by the United States Government (other than the health insurance program under chapter 89 of Title 5); or (2) any State health care program, as defined in section 1320a_7(h) of this title.)"; Id. § 701(a) (1997) (block grants for maternal and child support services);id. § 1396 (1991) (grants to states for medical assistance programs); id. § 1397a (1996) (block grants to state for social services); id. 1397aa(a) (1997) (state children's health insurance program).

2 There is a provision in the Nursing Home Care Act which requires regulated facilities to "retain for public inspection" certain items, including "[a] record of personnel who are licensed, certified or registered and employed or retained by the facility who are responsible for patient care[.]" 63 O.S. 1991,§ 1-1910[63-1-1910](5). However, by its language, this requirement is directed solely to facilities governed by the Act, and not the State agency. See id. § 1-1910. The Nursing Home Care Act does not define the term "record."

3 In light of the holding reached in this Opinion, we need not address whether the same or a different result would be dictated by the general doctrine of federal preemption.

4 The term "nursing facility" very generally provides the same services as provided by a skilled nursing facility, but also can include "on a regular basis, health_related care and services to individuals who because of their mental or physical condition require care and services (above the level of room and board) which can be made available to them only through institutional facilities. . . ." 42 U.S.C. § 1396r(a)(1)(C) (1998).

5 That term is generally defined as an institution, or a distinct part of one, which is primarily engaged in providing skilled nursing care and related services for residents who require medical or nursing care, or rehabilitation services for the rehabilitation of injured, disabled, or sick persons, but is not primarily for the care and treatment of mental diseases.See 42 U.S.C. § 1395i_3(a) (1997).

6 This data bank requirement applies to your question because Congress included the "Grants to States for Medical Assistance" program, Subchapter XIX of Chapter 7 of Title 42 (the law discussed above requiring the registry), in the definition of "State health care program" in the statutes establishing the requirement of the fraud and abuse data collection program. See42 U.S.C. § 1320a-7(h)(1), (2); id. § 1320a-7e(g)(2) (defining "licensed health care practitioner" and "practitioner" as "an individual who is licensed or otherwise authorized by the State to provide health care services (or any individual who, without authority holds himself or herself out to be so licensed or authorized)"; see also 45 C.F.R. § 61.3(5) (2000) (same definition).

7 Legislative rules duly promulgated in compliance with the procedures set forth in statute or the federal Administrative Procedures Act are binding rules which have the force and effect of law. See Appalachian Power Co. v. EPA, 208 F.3d 1015, 1020 (D.C. Cir. 2000).

8 Of course, any nursing aide could waive the privacy requirements protecting this information by signing a waiver allowing the release of the confidential information to a prospective employer or anyone else the aide would wish to receive it. See Nat'l Treasury Employees Union v. IRS,601 F.Supp. 1268, 1272-73 (D.D.C. 1985) (Waiver signed by former Internal Revenue Service employee allowing the release of certain information barred liability on part of IRS under the federal Privacy Act; acknowledging validity of waiver); Thomas v.Veterans Admin., 467 F.Supp. 458, 462_67 (D. Conn. 1979) (acknowledging that plaintiff signed waiver that allowed access to information which would otherwise be private).