2004 FOI update: Federal legislation

Tuesday, March 16, 2004

The past year proved to be a relatively quiet year on Capitol Hill as far as the Freedom of Information Act was concerned. While the number of access-related bills introduced was not significantly smaller than in recent years, there was virtually no activity surrounding any of those introduced. In fact, only one FOIA bill was enacted into law in 2003 — and that was just a small section of a broader appropriations bill. Generally, this inactivity would be cause for celebration for access advocates, except that, as compared to 2002, there were more bills introduced that actually would have broadened FOIA; however; none received even minimal attention from its committee of reference.

A proposed fix to the damage done by the Homeland Security Act of 2002’s FOIA protections for critical infrastructure information went nowhere. The same fate fell to two separate proposals that would have put cameras in federal courtrooms and would have increased access to protective orders and sealed federal civil case dockets.

Further, for the fourth successive Congress, it appears that legislation designed to grant public access to taxpayer-funded research documents created by the Congressional Research Service is doomed as well.

Not all the news from Congress was bad. Legislation intended to seal nongovernment reports on hospital abuses and malfeasance has stalled after early indications led many to believe that it was headed for certain passage.

Restoration of the Freedom of Information Act

Two versions of legislation to ameliorate the FOIA exemption in the Homeland Security Act were introduced in Congress. On March 12, 2003, five senators (Patrick Leahy, D-Vt.; Carl Levin, D-Mich.; Robert Byrd, D-W.Va.; Joseph Lieberman, D-Conn.; and Jim Jeffords, I-Vt.) who were later joined by Sen. Bob Graham, D-Fla., introduced S. 609. On the House side, Rep. Barney Frank, D-Mass., introduced H.R. 2526 on June 19, 2003.

Both bills seek the same result: repeal of that section of the Homeland Security Act known as the Critical Infrastructure Information Act of 2002. That law allows private entities to submit information related to protection of the nation’s critical infrastructure (mainly in the area of cybersecurity as it affect our nation’s banking, water, oil, transportation, energy, telecommunications, and other important industries) in exchange for a promise that the information will not be accessible to the public through a FOIA request and will not be used as evidence of liability in a civil lawsuit.

Though the Restore FOIA Act would not repeal those sections of the Homeland Security Act, it would greatly limit the scope of the bill and the protections offered to private industry by reinstating language originally slated to be enacted as part of the Homeland Security Act but then discarded when the Republicans retook the Senate in the November 2002 elections.

The Restore FOIA Act would:

  • Remove the antitrust exemption provided to private companies which seek to share vulnerability information with each other and the government.
  • Remove the “civil immunity” provision which prevents any information shared with the government from being used as evidence in a civil trial, though information can still be used in criminal, regulatory, and congressional proceedings.
  • Still provide an exemption from FOIA for any records voluntarily submitted to the Department of Homeland Security by a private company if they pertain to the vulnerability of and threats to the critical infrastructure, but this exemption would be much more narrow than the law as enacted, which carries a much broader exemption covering any “information” voluntarily submitted to that agency.
  • Reinstate redaction provisions to make access as comprehensive as possible, allowing any reasonably segregable portion of a record to be provided to any person.
  • Remove potential penalties for whistleblowers who release protected information that is in the public interest.

The bill has stalled in the Senate largely because it is still viewed as partisan legislation. The original co-sponsors seek a Republican ally. It has not gotten any momentum whatsoever in the House.

One other bill was introduced that seeks to modify the FOIA provisions enacted as part of the Homeland Security Act. On Jan. 7, 2003, Sen. Thomas Daschle, D-S.D., introduced the Comprehensive Homeland Security Act of 2003 (S. 6). This bill seeks a rollback in the Critical Infrastructure Information Act of 2002 similar to the Restore FOIA bill. But it has not attracted anything near the minimal prospects afforded the legislation introduced by Sen. Leahy and other top FOI champions and has received no attention from the Senate Committee on the Judiciary.

Patient Safety and Quality Improvement Act

There was considerable publicity during the past year surrounding congressional legislation that purportedly would further restrict access to medical records and information — even beyond the controversial Health Insurance Portability and Accountability Act regulations.

S. 720 was introduced by Senator Jim Jeffords, I-Vt., with co-sponsors Bill Frist, R-Tenn., John Breaux, D-La., and Judd Gregg, R-N.H., on March 26, 2003. The bill passed the Senate Committee on Health, Education, Labor and Pensions on July 23, 2003, and could reach the Senate floor at any time for a full vote, though no floor vote has been scheduled.

The bill notes that “research on patient safety unequivocally calls for a learning environment, rather than a punitive environment, in order to improve patient safety.” Increased voluntary data gathering, but not increased mandatory data gathering, from within the health care field is apparently necessary to achieve this goal of a learning environment. Organizations supporting this increased voluntary data gathering also support legal rules that will allow them to review this protected information in order to “collaborate in the development and implementation of patient safety improvement strategies.”

The bill contemplates the creation of “patient safety organizations” which will receive “patient safety data” voluntarily provided by health-care providers. These “patient safety organizations” are public or private entities that:

  • Conduct efforts to improve patient safety and quality of health care delivery.
  • Collect and analyze patient safety data voluntarily submitted by a provider.
  • Develop and disseminate information to providers regarding patient safety, including recommendations, protocols or information on best practices.
  • Utilize patient safety data to encourage safety and minimize patient risk.

“Patient safety data” is defined as any data, reports, records, memoranda, analyses, deliberative work, statements, or quality improvement process that are:

  • Collected or developed by a provider for the purpose of reporting to a patient safety organization.
  • Reported to a patient safety organization for patient safety or quality improvement purposes;
  • Requested by a patient safety organization.
  • Reported to a provider by a patient safety organization.
  • Collected or developed by a patient safety organization.
  • Reported among patient safety organizations.

This definition does not specifically include individual medical records, nor is it information that contains personally identifiable information. Rather, patient safety data most likely will consist of aggregated statistics reflecting trends in a given organization or office, such as the number of people who died during surgery in the past year or the number of patients who died from post-operative infection. It may also include individual reports — minus personally identifying information — of medical or administrative errors which are reported to the patient safety organization in order to receive feedback regarding the ability to avoid similar mistakes in the future.

A health-care provider submitting this information can be any person or entity furnishing medical or health care services, including, but not limited to, physicians, pharmacists, renal dialysis facilities, ambulatory surgical centers, long-term care facilities, behavioral health residential treatment facilities and clinical laboratories.

The bill’s controversial provisions grant confidentiality to this patient safety data. The legislation states that all patient safety data shall remain privileged and confidential, preventing its release even in the face of a subpoena or discovery request (or its use as evidence) in any civil, criminal or administrative proceeding, or its disclosure pursuant to FOIA. Disclosure of this information can only occur if:

  • A health-care provider makes the disclosure as part of a separate request for information that contains this information (such as a proper request for a patient’s file when that file contains a reference to patient safety data or the data itself).
  • A health care provider or patient safety organization releases the information as part of a disciplinary proceeding or criminal proceeding if the information is material to the proceeding, within the public interest and unavailable from any other source.

Any person who discloses patient safety data without permission can be fined if found to be in violation of this statute.

The House version of this bill is H.R. 663. Introduced on Feb. 11, 2003, by Rep. Michael Bilirakis, R-Fla., and 20 co-sponsors, it has passed the House of Representatives and has also been referred to the Senate Committee on Health, Education, Labor and Pensions, which has taken no action on the bill.

This bill is similar to S. 720, with the following distinctions:

  • Instead of defining “patient safety data,” it defines “patient safety work product” in virtually the same way.
  • It prevents the use of this information in civil or administrative proceedings, as well as its disclosure via FOIA; it still allows the use of patient safety work product in criminal proceedings.
  • It purports to preserve state laws allowing access to information that is not “patient safety work product.”
  • It creates a civil penalty of $20,000 per violation for any unauthorized disclosure.
  • It specifically allows voluntary disclosure of non-identifiable information if authorized by the provider for purposes of improving patient safety or health-care quality.

Both S. 720 and S. 663 appear to trump existing state laws, such as a recently passed Illinois law that requires the reporting of hospital-acquired infections. This concern stems from the very broad definition of “patient safety data.” By including “any data, reports, records, memoranda, analyses, or statements that could result in improved patient safety or health care outcomes that are (1.) collected or developed by a provider for reporting to a patient safety organization, (2.) requested by a patient safety organization, or (3.) collected from a provider,” in the definition of “patient safety data,” the bills would allow health care providers or patient safety organizations to bring records, information, or other evidence of improper care through the back door into the safe haven of protection from disclosure.

Another bill related to medical privacy was introduced on May 7, 2003, by Rep. Marion Berry, R-Ala. The Health Care Practitioner Protection Act (H.R. 2003) seeks to make it clear that some manner of criminal intent be present prior to prosecution of a wrongful disclosure of individual identifiable health information that is protected by HIPAA, the Social Security Act or any other law protecting personal privacy of medical records. The bill was referred to three committees, the House Energy and Commerce Committee, the House Judiciary Committee and the House Ways and Means Committee, but none have acted.

FOIA Exemption for National Security Agency Files

Congress did pass legislation that will allow the National Security Agency to hide all its operational files from public view, even though no specific need for withholding these documents in their entirety has ever been demonstrated. Section 922 of the House version of the National Defense Authorization Act for the Fiscal Year 2004 (H.R. 1588) will grant to the NSA the same statutory exemption from search and review under FOIA that already exists (and was created for) the Central Intelligence Agency Directorates of Operations and Science and Technology, though several hearings were held on that exemption.

By contrast, as the Defense and Intelligence Authorization Act moved forward, legislators did little to question the need for these FOIA exemptions, even though other agencies, such as the National Imagery and Mapping Agency and the National Reconnaissance Offices, have similar FOIA exemptions, though significantly less broad. Nor were hearings held on the specific provisions in this legislation that will affect FOIA.

The offending provisions were enacted into law on Nov. 24, 2003.

People’s Right to Know Act

H.R. 2275 was introduced on May 22, 2003 by Rep. Chris Van Hollen, D-Md. It was a direct response to the actions of fellow legislators which had occurred just before the U.S. Supreme Court was to hear argument in U.S. Department of the Treasury v. City of Chicago.

In that case, the Supreme Court was to decide whether the Bureau of Alcohol, Tobacco and Firearms can withhold federal gun-tracking information which resides in a database which traces the origin and ownership of recovered firearms.

In March 2000, the City of Chicago filed a FOIA request in conjunction with a civil suit it brought against a number of gun dealers and distributors. The city’s lawsuit alleged that certain firearms dealers marketed their weapons to city residents, even though gun possession in the city is strictly limited to rifles and shotguns. These sales impeded the city’s ability to enforce its gun control laws. The ATF provided some information in response to the FOIA request but withheld the serial numbers and manufacturers’ dates of the weapons, as well as personal information related to the gun purchasers.

The city filed suit in United States District Court, which ruled that the ATF must fulfill the request in its entirety. The 7th U.S. Circuit Court of Appeals affirmed. The Supreme Court granted the ATF’s request for certiorari.

However, at the 11th hour, Congress passed, and the president signed, a transportation-appropriations bill containing a section that mooted the court case. The Supreme Court withdrew jurisdiction in the case on Feb. 26, 2003.

Rep. Van Hollen’s legislation seeks to repeal that section of the appropriations bill and restore potential access to the ATF database. The bill has been referred to the Government Reform Committee but has not received any attention.

Cameras in the courtroom, access to court records

Once again, two bills were introduced seeking to permit television cameras in federal courtrooms. In the House of Representatives, H.R 2155 was introduced on May 20, 2003, by Rep. Steve Chabot, R-Ohio. S. 554 was introduced on March 6, 2003, by Sen. Charles Grassley, R-Iowa.

Each bill, if passed, would grant discretion to the presiding judge of any federal district or appellate court to allow photography, electronic recording or videotaping of proceedings within his or her courtroom.

Neither appears to have much chance of passing, though the Senate version did receive a favorable vote from the Judiciary Committee on May 22, 2003. The next step will be the Senate floor; no vote has been scheduled.

However, it is unlikely that even Senate approval of S. 554 would spur action in the House, where the Judiciary Committee chairman, James Sensenbrenner, R-Wis., is ardently opposed to cameras in the courtroom. H.R. 2155 was referred to the Judiciary Committee but has not received any attention from this committee.

Separate legislation in the Senate is an effort to increase access to the documents filed in federal civil proceedings. The Sunshine in Litigation Act (S. 817) was introduced on April 8, 2003, by Sen. Herb Kohl, D-Wis. The bill would restrict federal judges from entering orders that (1.) restrict the disclosure of information obtained by a party through discovery, (2.) approve a settlement agreement that restricts the disclosure of such information, or (3.) restrict access to court records unless the court has found:

  • That such order would not restrict the disclosure of information relevant to the public health or safety.
  • The public interest in the disclosure of potential health or safety hazards is outweighed by a specific and substantial interest in maintaining the confidentiality of the information or records in question and the requested protective order is no broader than necessary to protect the privacy interest asserted.

Any order approved by the court may only remain effective until the entry of final judgment in the case, unless the judge again holds on the record that the conditions listed above continue to exist.

S. 817 has not been acted upon by the Senate Judiciary Committee.

Congressional Research Accountability Act

The Congressional Research Service is considered one of the most authoritative sources for nonpartisan, objective evaluation of legislation-related issues. These materials include issue and legislative briefs, and authorization and appropriation products. Citizens, scholars, journalists, librarians, businesses, and many others have long wanted access to CRS reports via the Internet. Despite the fact that the CRS is a taxpayer-funded service, the results of its research are formally available to the public only if a citizen requests certain information from his or her congressman. (See First Amendment-related CRS reports on this site.)

Over the past few years, legislation has repeatedly been introduced that would required that CRS documents be made available to the public via the House and Senate websites. No proposal has made it very far through the legislative process. Still, Reps. Christopher Shays, R-Conn., and Mark Green, R-Wis., took it upon themselves to effect the same result through other means. They created portals on their Web sites that would allow the public to access CRS documents they had accumulated as part of a self-described “pilot program” which lasted for three years. However, it appears that the pilot program will not become permanent, as they removed their links to this CRS material, without explanation for their actions, in early November.

Very soon afterwards, on Nov. 21, 2003, Rep. Shays introduced H.R. 3630, which requires the Congressional Research Service to make available:

  • Issue briefs.
  • Reports that are available to members of Congress through the Congressional Research Service Web site.
  • Authorization of Appropriations Products.

Any released CRS document must be provided within 30 to 40 days after it is made available to members of Congress through the CRS Web site. The bill was referred to the House Administration Committee but has not received any attention from that committee.

Sen. John McCain, R-Ariz., introduced a Senate Resolution (S. Res. 54) on Feb. 11, 2003, which sought the same result. That resolution was referred to the Committee on Rules and Administration but has received no action.

Human Rights Information Act

Rep. Tom Lantos, D-Calif., continues his quest to declassify government records related to human rights abuses in countries around the world. On June 19, 2003, he introduced H.R. 2534, which is a response to the amendment of FOIA by the Intelligence Authorization Act for Fiscal Year 2003 (enacted in 2002) to prohibit agencies within the intelligence community from making records available to foreign entities or their representatives.

Lantos believes that this change is harmful because “the overwhelming importance to the United States of investigations by foreign authorities of gross human rights violations and the urgency of requests for legal assistance which the United States will continue to receive from foreign entities require a systematic process of expedited declassification and disclosure of documents pertaining to such gross human rights violations.”

H.R. 2534 would require the President or head of any agency charged with the conduct of foreign policy or foreign intelligence to, within 60 days of receiving a request for a human rights record filed by an individual or entity that is carrying out an official mandate to investigate a pattern of gross violations of international human rights, make a determination whether such a request is a bona fide request. A bona fide request is one which is part of a proceeding that:

  • Is a credible examination or investigation conducted in accordance with the mandate of the entity or official.
  • Is carried out in accordance with international law, including laws regarding appropriate jurisdiction of the person or entity carrying out the proceeding.
  • Does not threaten to violate due process or other internationally recognized human rights.

If the request is bona fide, then all human rights records must be identified, reviewed, and organized for the purpose of declassification within 120 days. They must be released within 30 days after the completion of that review. If the request is determined not to be bona fide, that decision must be published in the Federal Register within 90 days, allowing for appeal by the requesting party.

The bill was referred to the Government Reform Committee. It has not received a hearing or vote.

Privacy-related bills

As usual, there were several bills introduced that seek to protect some specific aspect of personal privacy, whether that interest is endangered by the potential release of financial records, medical information, or Social Security numbers. The number of bills falling into this category has decreased over the past few years, but the following qualifiers, none of which received any attention from its committee of reference, still exist:

  • On Jan. 7, 2003, Rep. Rodney Frelinghuysen, R-N.J., introduced the Online Privacy Protection Act (H.R. 69). It would require the Federal Trade Commission to prescribe regulations to protect the privacy of personal information collected on the Internet from and about individuals who are not covered by the Children’s Online Privacy Protection Act of 1998 to provide greater individual control over the collection and use of that information, and for other purposes. It was referred to the Energy and Commerce Committee.
  • Rep. Frelinghuysen also introduced the Social Security Online Privacy Protection Act (H.R. 70) the same day. It would regulate the use by interactive computer service of Social Security account numbers and related personally identifiable information. It was also referred to the Energy and Commerce Committee.
  • On May 1, 2003, Rep. Gerald Kleczka, D-Wis., introduced the Personal Information Privacy Act (H.R. 1931). The bill seeks to protect the privacy of the individual with respect to Social Security numbers and other personal information. It was referred to both the Financial Services Committee and the Ways and Means Committee.
  • On the Senate side, Sen. Dianne Feinstein, D-Calif., introduced the Privacy Act of 2003 (S. 745) on March 31, 2003. The bill, which was referred to the Judiciary Committee, would require the consent of an individual prior to the sale and marketing of such individual’s personally identifiable information.

Kevin M.Goldberg, an associate at the Washington, D.C., law firm of Cohn and Marks, is co-counsel for the American Society of Newspaper Editors.