FOIA, 5 U.S.C. 552, provides for public disclosure, upon the request of any person, of many types of information in the possession of the federal government, subject to nine exemptions and three exclusions. For example, Exemption 6 permits federal agencies to withhold “personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy.” 5 U.S.C. 552(b)(6).
Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.
We offer the following analysis for federal agencies and federal contractors who operate Privacy Act systems of records on behalf of federal agencies and must comply with FOIA and the privacy regulation. If presented with a FOIA request that would result in the disclosure of protected health information, a federal agency must first determine if FOIA requires the disclosure or if an exemption or exclusion would be appropriate. We believe that generally a disclosure of protected health information, when requested under FOIA, would come within FOIA Exemption 6. We recognize, however, that the application of this exemption to information about deceased individuals requires a different analysis than that applicable to living individuals because, as a general rule, under the Privacy Act, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interests of a decedent's survivors under Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: Privacy Considerations. Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.
Comment: One comment asserted that the proposed privacy regulation
conflicts with the Freedom of Information Act ("FOI"). The comment
argued that the proposed restriction on disclosures by agencies would
not come within one of the permissible exemptions to the FOIA. In
addition, the comment noted that only in exceptional circumstances
would the protected health information of deceased individuals come
within an exemption because, for the most part, death extinguishes an
individual's right to privacy.
Response: Section 164.512(a) below permits covered entities to
disclose protected health information when such disclosures are
required by other laws as long as they follow the requirements of those
laws. Therefore, the privacy regulation will not interfere with the
ability of federal agencies to comply with FOIA, when it requires the
disclosure.
We disagree, however, that most protected health information will
not come within Exemption 6 of FOIA. See the discussion above under
"Relationship to Other Federal Laws" for our review of FOIA.
Moreover, we disagree with the comment's assertion that the protected
health information of deceased individuals does not come within
Exemption 6. Courts have recognized that a deceased individual's
surviving relatives may have a privacy interest that federal agencies
may consider when balancing privacy interests against the public
interest in disclosure of the requested information. Federal agencies
will need to consider not only the privacy interests of the subject of
the protected health information in the record requested, but also,
when appropriate, those of a deceased individual's family consistent
with judicial rulings.
If an agency receives a FOIA request for the disclosure of
protected health information of a deceased individual, it will need to
determine whether or not the disclosure comes within Exemption 6. This
evaluation must be consistent with the court's rulings in this area. If
the exemption applies, the federal agency will not have to release the
information. If the federal agency determines that the exemption does
not apply, may release it under Sec. 164.512(a) of this regulation.
Comment: One commenter expressed concern that our proposal to
protect the individually identifiable health information about the
deceased for two years following death would impede public interest
reporting and would be at odds with many state Freedom of Information
laws that make death records and autopsy reports public information.
The commenter suggested permitting medical information to be available
upon the death of an individual or, at the very least, that an appeals
process be permitted so that health information trustees would be
allowed to balance the interests in privacy and in public disclosure
and release or not release the information accordingly.
Response: These rules permit covered entities to make disclosures
that are required by state Freedom of Information Act (FOIA) laws under
Sec. 164.512(a). Thus, if a state FOIA law designates death records and
autopsy reports as public information that must be disclosed, a covered
entity may disclose it without an authorization under the rule. To the
extent that such information is required to be disclosed by FOIA or
other law, such disclosures are permitted under the final rule. In
addition, to the extent that death records and autopsy reports are
obtainable from non-covered entities, such as state legal authorities,
access to this information is not impeded by this rule.
If another law does not require the disclosure of death records and
autopsy reports generated and maintained by a covered entity, which are
protected health information, covered entities are not allowed to
disclose such information except as permitted or required by the final
rule, even if another entity discloses them.
Comment: One comment sought clarification of the relationship
between the Freedom of Information Act, the Privacy Act, and the
privacy rules.
Response: We have provided this analysis in the "Relationship to
Other Federal Laws" section of the preamble in our discussion of the
Freedom of Information Act.
