Gandhi v. Ctrs. for Medicare & Medicaid Servs., No. 21-2628, 2023 WL 2707879 (D.D.C. Mar. 30, 2023) (Cooper, J.)

Gandhi v. Ctrs. for Medicare & Medicaid Servs., No. 21-2628, 2023 WL 2707879 (D.D.C. Mar. 30, 2023) (Cooper, J.)

Re:  Request for “‘the unredacted Employer Identification Number [(“EIN”)] and Parent organization Taxpayer Identification Number [(“TIN”)] corresponding to all records in the full replacement monthly [National Provider Identifier (“NPI”)] File’”

Disposition:  Granting plaintiff’s motion for summary judgment; denying defendant’s motion for summary judgment

• Exemption 4:  The court holds that “CMS has failed to provide sufficient evidence that health care providers treat EINs and Parent TINs as confidential.”  “The Court will begin (and end) its analysis with the confidentiality requirement . . . .”  “CMS does not really attempt to satisfy this burden.”  “Rather, the agency focuses on its perceived obligations to keep EINs and Parent TINs confidential.”  “Specifically, CMS indicates that it consulted with the IRS, which explained that it keeps EINs and TINs confidential and only releases them with consent of the taxpayer.”  “CMS thus concludes that it ‘cannot release these EINs and TINs under lower standards than those that the IRS (who has created these EINs) requires.’”  “The only support CMS offers for this position is a provision of the Internal Revenue Code that requires tax return information, including ‘a taxpayer's identity,’ to be kept confidential absent the taxpayer’s consent.”  “But CMS acknowledges that it does not receive the EINs and Parent TINs from health care providers for tax purposes.”  “Nor does it seek to withhold the EINs under Exemption 3, which applies to records exempted from release under FOIA by another statute.”  “As it relates to Exemption 4, the tax code’s confidentiality provision does not speak to the central question at hand:  whether institutional health care providers treat EINs and Parent TINs as confidential.”  “Plaintiffs, meanwhile, offer substantial evidence that many businesses do not treat their EINs and Parent TINs as private information.”
  
  “The agency instead tacks to the second factor that courts consider in assessing the confidentially prong of Exemption 4:  whether the party receiving the information in question has provided an assurance of privacy to the provider.”  “CMS argues that it gave registered health care providers such an assurance in a 2013 ‘Read Me’ notice discussing the data that CMS includes in the publicly released file of [the National Plan and Provider Enumeration System (“NPPES”)] providers.”  “The notice advised that some providers had mistakenly provided their SSN or ITIN in parts of the NPI application that called for a business EIN.”  “To ensure that such inadvertently provided personal information was not included in the ‘FOIA-disclosable fields’ of the database, CMS explained that it had previously ‘t[aken] action to temporarily suppress reported EINs’ from the public NPPES file, ‘even though they are disclosable under FOIA.’”  “The agency further explained that it was continuing the ‘suppression of the EINs and the suppression of the Subpart Parent Organization TINs of all Organizations in the downloadable file.’”  “CMS went on to indicate, however, that it ‘expects to lift the suppression of EINs and Parent Organization TINs in the future.’”  “It also ‘urged health care providers to review their NPPES FOIA-disclosable data to ensure that it is correct and to remove any inappropriate or sensitive information[.]’”  The court finds that “[t]his decade-old notice hardly offered providers an assurance of confidentiality.”  “Not only does it explicitly inform providers (contrary to the agency’s position in this case) that EINs ‘are disclosable under FOIA,’ it warns them that withholding of EINs from the public domain was only a temporary fix to enable physicians to correct any errors in their own listings.”  “What's more, the NPI application form itself tells providers that, except for their SSNs, ITINs, and dates of birth, all of the information submitted in the application, which includes EINs and Parent ITINs, ‘may be made available on the internet.’”  “Based on all this, CMS has not established that it assured providers that it would keep their EINs and Parent TINs private.”  “Similarly, CMS has not established that a foreseeable harm would occur if the EINs were released.”  “Even though many businesses’ EINs are already in the public domain, the government sounds an alarm that releasing NPPES providers’ EINs and Parent TINs would increase the risk of corporate identity theft for those entities whose EINs may not be accessible currently.”  “Yet, CMS offers no competent evidence of a risk of corporate identity theft, or any other harm for that matter, stemming from the release of the EINs and Parent TINs at issue in this case.”
   
• Exemption 6:  The court holds that “CMS’s reliance on Exemption 6 fares no better.”  “Exemption 6 is designed to protect ‘personal privacy,’ not the privacy interests of business entities.”  “Plaintiffs stress in their cross-motion that they do not request SSNs, ITINs, or any other information pertaining to individuals, . . . which is consistent with their FOIA request.”  “The agency is silent on this issue in its Reply, effectively waiving its reliance on Exemption 6.”
   
• Litigation Considerations, “Reasonably Segregable” Requirements:  “The Court . . . rejects CMS’s argument that disclosing the responsive fields will meaning[ful]ly risk disclosure of more sensitive SSNs and Individual TINs.”  The court relate[s] that “CMS maintains that, even if the requested EINs and Parent TINs are not protected by any FOIA exemptions, the agency still must withhold them because it cannot separate the responsive data from exempt SSNs and ITINs in the NPPES database.”  “CMS asserts that individuals ‘may have provided SSNs’ in parts of the NPI applications, but the agency ‘does not have any electronic means within NPPES data fields to segregate data like SSNs or ITINs that is related to sole proprietors from data like EINs that is related to businesses, partnerships, or corporations.’”  “CMS also asserts that the EIN fields themselves ‘may actually contain SSNs instead of EINs’ due to ‘error in input by the submitter, or from a sole proprietor entering their SSN information in the field.’”  The court finds that “it is irrelevant whether applicants may have entered SSNs or ITINs in response to questions on the NPI application calling for information other than the EINs and Parent EINs Plaintiffs seek.”  “Any such entries would not have wound up in the EIN and Parent TIN fields of the NPPES disclosure, which are the only fields at issue in this case.”  “As for whether isolated SSNs may be erroneously included in the EIN or Parent TIN fields, CMS has not met its burden to support withholding based on segregability.”  “First of all, there is no evidence before the Court that current versions of database contain mistakenly submitted SSNs (or ITINs) in the EIN field.”  “CMS’s segregability argument is further undercut by instructions on the NPI application which repeatedly caution applicants not to provide[] SSNs in the fields calling for business EINs and Parent TINs.”  “The instructions could not be more clear.”  “So, for CMS’s data-error concern to materialize, an individual health care provider or sole proprietor filing out the NPI application must ignore the instruction not to fill out the ‘Organization Section,’ then ignore the instructions to not provide a SSN or ITIN unless specifically requested, then ignore the boxes that specifically request SSNs or ITINs, then ignore the instruction not to provide an SSN in the EIN section specifically, and instead offer one of the most sensitive pieces of personal information in response to a prompt that does not ask for it. CMS simply has not established the likelihood of this scenario.”