Shteynlyuger v. Centers for Medicare & Medicaid Servs.

698 F.Supp.3d 82

Alex SHTEYNLYUGER, Plaintiff, v. CENTERS FOR MEDICARE AND MEDICAID SERVICES, et al., Defendants.

Civil Action No. 20-2982 (RDM)

United States District Court, District of Columbia

Signed September 30, 2023

Joshua Loevy, Merrick Jason Wayne, Stephen Stich Match, Matthew Topic, Loevy & Loevy, Chicago, IL, for Plaintiff.

Christina O'Tousa, Thomas Anthony Quinn, DOJ-USAO, Civil Division, Washington, DC, for Defendants.

MEMORANDUM OPINION AND ORDER

RANDOLPH D. MOSS, United States District Judge.

Plaintiff Alex Shteynlyuger, a "licensed physician and a specialist in health economics," Dkt. 1 at 2 (Compl. ¶ 2), submitted eight requests for records to the Centers for Medicare and Medicaid Services ("CMS" or "the agency") between April 2020 and July 2020. Dkt. 28-3 at 2 (Gilmore Decl. ¶ 5). Unsatisfied with the agency's responses as of October 16, 2020, Plaintiff filed this suit under the Freedom of Information Act ("FOIA"), 5 U.S.C. § 552(a)(4)(B).

Now before the Court are the parties' cross-motions for summary judgment. See Dkt. 28, 31. At issue is the adequacy of the search CMS conducted in response to Plaintiff's FOIA requests, and its decisions to withhold certain records pursuant to FOIA Exemptions 4, 5, and 6. For the reasons that follow, the Court will DENY CMS's motion for summary judgment and will GRANT in part and DENY in part Plaintiff's motion for summary judgment.

I. BACKGROUND

A. Factual Background

Plaintiff submitted eight FOIA requests to CMS in 2020. Dkt. 28-3 at 2 (Gilmore Decl. ¶ 5). CMS is a federal agency within the U.S. Department of Health and Human Services that, among many other duties, is responsible for enforcing the "administrative simplification standards from the Health Insurance Portability and Accountability Act of 1996" ("HIPAA"). Id. (Gilmore Decl. ¶ 6). "The Administrative Simplification process aims to save time and money by streamlining communication around billing and insurance related tasks. All HIPAA covered entities (which include health care providers that transmit transactions electronically, health plans, and clearinghouses) must comply with the Administration Simplification process." Id. at 6-7 (Gilmore Decl. ¶ 20).

Plaintiff's FOIA requests seek records "pertaining to the enforcement of HIPAA's administrative simplification requirements... including [those pertaining to] electronic transactions, such as ... [electronic funds transfer ("EFT")] transactions." Dkt. 1 at 1 (Compl. ¶ 1). Specifically, the requests seek all records relating to several FAQs discussing EFTs, Dkt. 28-3 at 4 (Gilmore Decl. ¶ 14), complaints involving certain specific HIPAA covered entities, id. at 26 (Gilmore Decl. ¶ 65), "the CMS investigation of covered entities, including health plans, clearinghouses, and business associates charging fees to conduct standard transactions," id. at 35 (Gilmore Decl. ¶ 85), "[c]ommunications to and from the US Congress ... related to fees to conduct standard transactions (EFT, ERA), and use of virtual credit cards or payment cards," id. at 20 (Gilmore Decl. ¶ 48), "standards for healthcare attachment transactions and electronic signatures," id. at 42 (Gilmore Decl. ¶ 108), and finally, "price setting, cost reimbursement, fee schedule allowable amount setting for Medicare reimbursement, APC code selection,... comparative clinical effectiveness research (CER) or analysis, cost-effective[ne]ss analysis, effect on cost of care for BPH; [and] ... determination of maximum lifetime reimbursement quantity that involve" certain therapies or treatments, id. at 39 (Gilmore Decl. ¶ 97).

In response to these requests, CMS conducted eight searches, which the Court summarizes in some detail due to the nature of the parties' arguments regarding the adequacy of those searches.

1. April 13, 2020 FOIA request

On April 13, 2020, Plaintiff submitted his first FOIA request to CMS, seeking "all records" from January 1, 2015 to April 10, 2020 regarding "CMS EFT FAQ FAQ22297 (FAQ 22297), CMS FAQ22285 (FAQ 22285), CMS FAQ22281 (FAQ 22281), CMS FAQ22297 (FAQ 22297)" (the "April 13 FOIA request"). Dkt. 28-5 at 1. In that request, Plaintiff stated that the "[O]ffice of the CMS Administrator," the "Office of Strategic Operations and Regulatory Affairs" ("OSORA"), and the "Office of Information Technology['s] Program Management and National Standards Group [("PMNSG")] may have responsive records," but noted that "additional offices may have responsive records as well." Dkt. 28-5 at 1-2. Plaintiff also stated that certain CMS employees he listed "have intimate knowledge of the responsive documents" and thus were likely custodians of responsive records. Id. at 2.

After reviewing Plaintiff's April 13 FOIA request, CMS "sent ... [the] request to two different entities:" to OSORA and PMNSG (which due to a reorganization within CMS, became NSG on June 23, 2020). Dkt. 28-3 at 6-7 (Gilmore Decl. ¶¶ 19, 21). OSORA was tasked with conducting an automated search for records because "Plaintiff sought EFT FAQ ... information ... as well as correspondence to CMS about these FAQ[s]," and "CMS's correspondence unit ... is under OSORA." Id. at 9 (Gilmore Decl. ¶ 24). OSORA searched its Strategic Work Information Folder Transfer System ("SWIFT") database, which "contains copies of incoming correspondence to the CMS Administrator and leadership." Id. (Gilmore Decl. ¶ 25). The search terms used in OSROA's search of its SWIFT system were "EFT," "FAQ," "22297," "22285," and "22281." Id. OSORA also searched the SWIFT system "using the names of the CMS Administrator and leadership because Plaintiff's April 13 FOIA request provided names of custodians some of whom were in the NSG and OSORA Offices." Id. at 9-10 (Gilmore Decl. ¶ 26). Those search terms were "Slavitt," "Verma," "Tavenner," "CIO," and "CMS Principal Deputy Administrator." Id.

The April 13 FOIA request was also sent to NSG "because Plaintiff sought information on EFT transactions which are covered by the Administrative Simplification process of HIPAA," and NSG "is the entity [that] develops regulations and policies to implement and support the Administrative Simplification process," including "sub-regulatory guidance about EFT transactions." Id. at 6-7 (Gilmore Decl. ¶ 20). CMS contends that "it was logical to believe that if responsive records existed, the NSG would be the appropriate entity to have records that could be responsive to Plaintiff's April 13 FOIA [r]equest." Id. at 8 (Gilmore Decl. ¶ 22).

NSG "initiated an automated search in the ASETT system with the timeframe [of] January 1, 2015 through April 10, 2020." Id. (Gilmore Decl. ¶ 23). The ASETT system, or Administrative Simplification Enforcement and Testing Tool system, "is a web-based application which enables individuals or organizations to file a complaint against a HIPAA covered entity for potential non-compliance" and it "allows all HIPAA related transactions to be checked consistently for compliance, syntax and business rules." Id. at 7 (Gilmore Decl. ¶ 21). NSG's search of the ASETT system used the keywords "EFT," "FAQ," "22297," "22285," and "22281." Id. at 8 (Gilmore Decl. ¶ 23).

In addition, because NSG was previously a "subsidiary" of the Office of Information Technology ("OIT"), "OIT also searched records related to its employees, including employees of NSG" that were mentioned in Plaintiff's FOIA request. Id. at 10 (Gilmore Decl. ¶ 27). The keywords used were, again, "EFT," "FAQ," "22297," "22285," and "22281," as were the names of the fourteen CMS employees identified in the FOIA request as individuals with "intimate knowledge of the response records," Dkt. 28-5 at 2; Dkt. 28-3 at 10 (Gilmore Decl. ¶ 27).

The records identified by these searches consisted of 66 pages, of which 21 pages were redacted pursuant to Exemption 5 and 15 pages were redacted pursuant to Exemption 6. Id. at 10 (Gilmore Decl. ¶ 28). Subject to these redactions, the materials were released to Plaintiff as part of the January 14, 2021 production. Id. at 11 (Gilmore Decl. ¶ 28).

2. May 4, 2020 FOIA request

On May 4, 2020, Plaintiff submitted a request to CMS for "all records" from January 1, 2015 to May 1, 2020 regarding: "Nixon Peabody," "W. Scott O'Connell," "Parthenon Capital or 'Parthenon,'" "Bain Capital or 'Bain', Bain Capital Ventures," "Kirkland & Ellis," "Akin Gump Strauss Hauer & Feld" and various employees affiliated with that firm, "John Bozeman & Associates," "GeorgiaLink Public Affairs Group" and various employees affiliated with that firm, "Matthew N. Greller Esq LLC," and "Lewis, Ron E. of Ron Lewis & Associates" (the "May 4 FOIA request"). Dkt. 28-7 at 1 (capitalization altered). Plaintiff included in his May 4 request "additional search keywords" that included, among other terms, "W. Scott O'Connell," "O'Connell," "Oconnell," "soconnell@nixopeabody.com," "Nixon Peabody," and "nixonpeadbody.com." Id. at 2. And, like the April 13 FOIA request, the May 4 FOIA request suggested that CMS search, among other possible offices, the Office of the CMS Administrator, OSORA, and PMNSG and provided a non-exhaustive list of potential custodians for those records. Id. at 2-3.

Shortly after receiving Plaintiff's FOIA request, CMS contacted Plaintiff to clarify the subject matter of the records Plaintiff sought. Dkt. 28-9 at 1. Plaintiff responded that he was interested in all records relating to the identified individuals or entities concerning:

(1) HIPAA administrative simplification requirements including but not limited to 45 CFR Parts 160, 162, and 164; (2) fees and costs of electronic transactions including but not limited to ERA (electronic remittance advice), EFT (electronic funds transfer), credit cards, virtual payment cards, prepaid cards and debit cards, checks, (3) electronic transactions including but not limited to ERA, EFT, electronic attachments, 835 transactions, 270/271 eligibility and benefit verification transactions, claim submissions, [and] (4) [a]ny aspects of HIPA

...