Gandhi v. Centers for Medicare and Medicaid Services (2023)


    UNITED STATES DISTRICT COURT
    FOR THE DISTRICT OF COLUMBIA
    ASHVIN DHIREN GANDHI, et al.,
    Plaintiffs,
    v.                         Case No. 21-cv-2628 (CRC)
    CENTERS FOR MEDICARE AND
    MEDICAID SERVICES,
    Defendant.
    MEMORANDUM OPINION
    The central question in this case is whether the employer-identification numbers of health
    care organizations and their parent companies are confidential records that may be properly
    withheld from a Freedom of Information Act response. Answering no, and finding that release
    of the records at issue will not risk inadvertent disclosure of more sensitive personal information
    like social security numbers, the Court will grant summary judgment for Plaintiffs and against
    the responding agency, the Centers for Medicare and Medicaid Services.
    I.    Background
    Health care providers covered under the Health Insurance Portability and Accountability
    Act (“HIPAA”) must obtain a unique identification number known as a National Provider
    Identifier (“NPI”). Pls.’ Cross-Mot. Summ. J. & Opp’n to Def.’s Mot. (“Pls.’ Mot.”), Ex. 2 at 3,
    5 (“NPI Explainer”). To receive an NPI, all providers—ranging from individual physicians to
    organizations like hospitals and labs—must complete an application form and submit it to the
    Centers for Medicare and Medicaid Services (“CMS”). Id. at 5, 7; Def.’s Mot. Summ. J. (“Def.’s
    Mot.”), Ex. 6 ¶ 8 (“Gilmore Decl.”). The form contains numbered boxes calling for the
    applicant’s name, address, and other identifying information. Pls.’ Mot., Ex. 10 (“NPI
    Application”). Individual providers, including sole proprietorships, are prompted to provide
    their social security number or, in the case of an applicant who does not qualify for a social
    security number, an Individual Tax Identification Number (“ITIN”). Id. at 1–3. Organizational
    providers are asked to supply their Employer Identification Number (“EIN”), a type of tax-
    identification number assigned to businesses by the Internal Revenue Service. Id. at 2–3. The
    application form clearly instructs organizational applicants, in bold: “Do not report an SSN in
    the EIN field.” Id. at 3. Organizational applicants, but not individuals, are also required to
    indicate the tax-identification number of any “‘parent’ organization health care provider”
    (“Parent TIN”). Id. (Not to be confused with an ITIN, the Parent TIN called for in the
    application is, to be more precise, the EIN of the parent organization. An EIN, like a social
    security number or an ITIN, is a specific type of tax-identification number issued by the IRS.)
    The form further indicates that “information submitted on this application (except for Social
    Security Number, IRS Individual Tax Identification Number, and Date of Birth) may be made
    available on the internet.” Id.
    CMS maintains NPIs, along with associated names and tax identifiers, in a database of
    registered health care providers called the National Plan and Provider Enumeration System
    (“NPPES”). Gilmore Decl. ¶¶ 8, 13. CMS periodically extracts fields from the NPPES
    database showing basic identifying information for registered providers and makes them
    available to the public in a downloadable spreadsheet file, id. ¶ 13, which Plaintiffs refer to as the
    “full replacement monthly NPI File.” Pls.’ Mot., Ex. 12 ¶ 3 (“Gandhi Decl.”). CMS excludes
    tax information, including the EIN, ITIN, and Parent TIN database fields, from the publicly
    released file. Gandhi Decl. ¶ 3.
    Plaintiffs Ashvin Gandhi and Samuel Antill are university professors researching
    “whether the Department of Health and Human Services and CMS collect accurate data on the
    ownership structures of health care providers.” Pls.’ Mot. at 15–16. In aid of that endeavor,
    Plaintiffs filed a Freedom of Information Act (“FOIA”) request with CMS for “the unredacted
    Employer Identification Number (EIN) and Parent organization Taxpayer Identification Number
    (TIN) corresponding to all records in the full replacement monthly NPI File.” Pls.’ Mot., Ex. 1
    at 1. Plaintiffs’ request did not seek social security numbers or any data pertaining to individual
    health care providers or sole proprietorships.
    After several searches, CMS identified responsive fields from the NPPES database for
    some 1.6 million registered providers, but invoked FOIA Exemptions 4 and 6 to withhold all of
    the records. Def.’s Reply & Opp’n to Pls.’ Mot. Summ. J., Ex. 3 ¶¶ 9–11 (“Gilmore Supp.
    Decl.”). Further, CMS asserted that it could not release the requested EINs and Parent TINs
    even if Exemptions 4 and 6 did not apply because some individual providers “may have”
    mistakenly provided their social security numbers (or ITINs) in the parts of the NPI application
    calling for organizational EINs or Parent TINs, and CMS has no way of removing those personal
    identifiers from the database fields Plaintiffs seek. Gilmore Decl. ¶¶ 29–38.
    The parties have filed cross-motions for summary judgment along with supporting
    declarations. The Court heard oral argument on March 14, 2023.
    II.   Standard of Review
    Summary judgment may be granted when the moving party establishes that there is no
    genuine issue of material fact and that it is entitled to judgment as a matter of law. Fed. R. Civ.
    P. 56(a). Summary judgment is the typical mechanism to determine whether an agency has met
    its FOIA obligations. See, e.g., Judicial Watch, Inc. v. CFPB, 60 F. Supp. 3d 1, 6 (D.D.C. 2014).
    Under FOIA, an agency is first required to make an adequate search for any responsive
    records. [1] See Rodriguez v. U.S. Dep’t of Def., 236 F. Supp. 3d 26, 34 (D.D.C. 2017). In
    addition to demonstrating that it conducted an adequate search, the agency must also justify any
    withholdings it has made pursuant to a FOIA exemption. See, e.g., Larson v. Dep’t of State,
    565 F.3d 857, 862 (D.C. Cir. 2009). Justification can be provided through sufficiently detailed
    agency affidavits, see, e.g., id., which are “accorded a presumption of good faith.” SafeCard
    Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C. Cir. 1991). Because the primary purpose of
    FOIA is disclosure, exemptions are construed narrowly. See, e.g., DiBacco v. U.S. Army,
    795 F.3d 178, 183 (D.C. Cir. 2015).
    FOIA also requires “[a]ny reasonably segregable portion of a record [to] be provided to
    any person requesting such record after deletion of the portions which are exempt . . . .”
    5 U.S.C. § 552(b). Thus, “non-exempt portions of a document must be disclosed unless they are
    inextricably intertwined with exempt portions.” Mead Data Cent., Inc. v. Dep't of Air Force,
    566 F.2d 242, 260 (D.C. Cir. 1977). Agencies must provide “the reasons behind their conclusions”
    that non-exempt material is not reasonably segregable. Id. at 261. “Nevertheless, ‘[a]gencies are
    entitled to a presumption that they complied with the obligation to disclose reasonably
    segregable material,’ which must be overcome by some ‘quantum of evidence’ by the requester.”
    Henderson v. ODNI, 151 F. Supp. 3d 170, 179 (D.D.C. 2016) (quoting Sussman v. U.S.
    Marshals Serv., 494 F.3d 1106, 1117 (D.C. Cir. 2007)).
    [1] Plaintiffs contested the adequacy of the initial search, which only produced around
    275,000 lines of data, because public records indicated that considerably more health care
    providers have registered for NPIs. Pls.’ Mot. at 5–7. After receiving Plaintiffs’ cross-motion,
    CMS acknowledged that the initial search was unduly limited in several respects. Def.’s Reply
    at 4; Gilmore Supp. Decl. ¶¶ 8, 33. A supplemental search produced around 1.6 million lines of
    data, Def.’s Reply at 4, causing Plaintiffs to withdraw their adequacy objection, see Pls.’ Reply
    at 2 (“[Plaintiffs] no longer have any reason to believe that CMS’s search (as supplemented by
    the additional search it conducted after reviewing Plaintiffs’ cross-motion) was inadequate[.]”).
    The government must also demonstrate at summary judgment that it has satisfied the
    standards imposed by the FOIA Improvement Act of 2016, which allow an agency to withhold
    information only if it “reasonably foresees that disclosure would harm an interest protected by an
    exemption” to FOIA or “disclosure is prohibited by law.” 5 U.S.C. § 552(a)(8)(A)(i). The
    statute's “distinct foreseeable harm requirement . . . foreclose[s] the withholding of material
    unless the agency can articulate both the nature of the harm [from release] and the link between
    the specified harm and specific information contained in the material withheld.” Reps. Comm.
    for Freedom of the Press v. FBI, 3 F.4th 350, 369 (D.C. Cir. 2021) (second alteration in original)
    (internal quotation marks omitted); see also Ctr. for Investigative Reporting v. U.S. Customs &
    Border Prot., 436 F. Supp. 3d 90, 113 (D.D.C. 2019) (“The foreseeable-harm requirement, as
    applied to Exemption 4, enhances the useful ‘tool’ of FOIA.”).
    III. Analysis
    CMS withheld all responsive records by relying on both Exemption 4, 5 U.S.C. § 552(b)(4),
    which shields confidential commercial or financial information from disclosure, and
    Exemption 6, 5 U.S.C. § 552(b)(6), which protects personnel records “the disclosure of which
    would constitute a clearly unwarranted invasion of personal privacy.” CMS further asserts that
    even if the exemptions do not apply, it still cannot produce any data because it cannot segregate
    the EINs and Parent TINs from social security numbers that may have been inadvertently
    captured in the NPPES database due to errors made by individual providers in filling out the NPI
    application. Plaintiffs contest each of these claims.
    A. Exemption 4
    FOIA Exemption 4 permits an agency to withhold “trade secrets and commercial or
    financial information from a person [that are] privileged or confidential.” 5 U.S.C. § 552(b)(4).
    To qualify for Exemption 4, the withheld information must be (1) “commercial or financial”; (2)
    “obtained from a person”; and (3) “privileged or confidential.” Citizens for Responsibility and
    Ethics in Wash. v. Dep’t of Justice, 58 F. 4th 1255, 1262 (D.C. Cir. 2023) (“CREW”) (quoting
    Pub. Citizen Health Rsch. Grp. v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983)).
    The Court will begin (and end) its analysis with the confidentiality requirement, which is
    the primary focus of the parties’ briefing. For purposes of Exemption 4, information is
    considered confidential if it is “customarily kept private, or at least closely held, by the person
    imparting it.” Food Mktg. Inst. v. Argus Leader Media, 139 S. Ct. 2356, 2363 (2019).
    Information may also be considered confidential “if the party receiving it provides some
    assurance that it will remain secret.” Id. While the first condition is mandatory, the Supreme
    Court has not definitively said whether the second condition is also required. See id. Nor has
    the D.C. Circuit. CREW, 58 F.4th at 1269 (“We likewise do not decide whether the second
    condition must be met[.]”) As it stands, then, “[t]he current law of the D.C. Circuit . . . is that
    information is confidential under Exemption 4 ‘if it is of a kind that would customarily not be
    released to the public by the person [or entity] from whom it was obtained.’” Renewable Fuels
    Ass’n v. EPA, 519 F. Supp. 3d 1, 12 (D.D.C. 2021) (second alteration in original) (quoting
    Critical Mass Energy Project v. Nuclear Regulatory Comm’n, 975 F.2d 871, 879 (D.C. Cir.
    1992)). “The party opposing disclosure bears the burden of proving the information is
    confidential.” Ctr. for Auto Safety v. Nat’l Highway Traffic Safety Admin., 244 F.3d 144, 148
    (D.C. Cir. 2001).
    In assessing Exemption 4’s confidentiality requirement, courts generally “consider how
    the particular party [providing the records] customarily treats the information, not how the
    industry as a whole treats the information.” Id. That is a challenging task here, however, given
    that Plaintiffs’ FOIA request implicates over 1.6 million health care providers, ranging from
    large, corporate hospitals to small clinics and physician groups. Still, the burden remains with
    CMS to show that at least some registered organizational providers keep their EINs and Parent
    TINs confidential. Id.
    CMS does not really attempt to satisfy this burden. Rather, the agency focuses on its
    perceived obligations to keep EINs and Parent TINs confidential. Specifically, CMS indicates
    that it consulted with the IRS, which explained that it keeps EINs and TINs confidential and only
    releases them with consent of the taxpayer. Def.’s Mot. at 10. CMS thus concludes that it
    “cannot release these EINs and TINs under lower standards than those that the IRS (who has
    created these EINs) requires.” Gilmore Decl. ¶ 21. The only support CMS offers for this
    position is a provision of the Internal Revenue Code that requires tax return information,
    including “a taxpayer’s identity,” to be kept confidential absent the taxpayer’s consent. Def.’s
    Mot. at 10–11; see 26 U.S.C. § 6103(a), (b)(2)(A), (c). But CMS acknowledges that it does not
    receive the EINs and Parent TINs from health care providers for tax purposes. Gilmore Decl.
    ¶ 21. Nor does it seek to withhold the EINs under Exemption 3, which applies to records
    exempted from release under FOIA by another statute. See 5 U.S.C. § 552(b)(3). As it relates to
    Exemption 4, the tax code’s confidentiality provision does not speak to the central question at
    hand: whether institutional health care providers treat EINs and Parent TINs as confidential. [2]
    Plaintiffs, meanwhile, offer substantial evidence that many businesses do not treat their
    EINs and Parent TINs as private information. For example, they point out that publicly traded
    companies include their EINs in filings with the Securities and Exchange Commission, which are
    accessible to the public through the Commission’s EDGAR database. See Pls.’ Reply at 6;
    Gandhi Decl. ¶ 9. They also attest that over 800,000 companies with retirement and welfare
    benefit plans, public and private alike, include their EINs on an IRS form which the Department
    of Labor makes public each year. Gandhi Decl. ¶ 9. Finally, Plaintiffs note online databases
    where one can search for companies’ EINs for a fee. See, e.g., Pls.’ Mot. at 11 & n. 15; Pl.’s
    Reply at 5. [3]
    CMS does not contest these examples of public disclosure of EINs and acknowledges
    that they can be obtained through “pay-for-subscription services.” Gilmore Supp. Decl. ¶ 56.
    The agency instead tacks to the second factor that courts consider in assessing the confidentiality
    prong of Exemption 4: whether the party receiving the information in question has provided an
    assurance of privacy to the provider. CMS argues that it gave registered health care providers
    such an assurance in a 2013 “Read Me” notice discussing the data that CMS includes in the
    publicly released file of NPPES providers. Def.’s Mot., Ex. 5 at 5–6 (“Read Me”). The notice
    advised that some providers had mistakenly provided their SSN or ITIN in parts of the NPI
    application that called for a business EIN. Id. To ensure that such inadvertently provided
    personal information was not included in the “FOIA-disclosable fields” of the database, CMS
    explained that it had previously “t[aken] action to temporarily suppress reported EINs” from the
    public NPPES file, “even though they are disclosable under FOIA.” Id. at 5. The agency further
    explained that it was continuing the “suppression of the EINs and the suppression of the Subpart
    Parent Organization TINs of all Organizations in the downloadable file.” Id. at 6. CMS went on
    to indicate, however, that it “expects to lift the suppression of EINs and Parent Organization
    TINs in the future.” Id. It also “urged health care providers to review their NPPES
    FOIA-disclosable data to ensure that it is correct and to remove any inappropriate or sensitive
    information[.]” Id. at 5.
    [2] Any suggestion that 26 U.S.C. § 6103 prevents CMS from disclosing EINs is also
    belied by, as discussed below, CMS’s own acknowledgement that EINs are disclosable under
    FOIA and the widespread release of EINs by other agencies outside the tax context.
    [3] Plaintiffs also maintain that health care providers are “frequently required to identify
    [themselves] by [their] EIN and Parent TIN” when filing claims with an insurer. Pls.’ Mot. at 8.
    That may well be so. But giving an insurance carrier an EIN would not, by itself, evidence an
    expectation on the part of the provider that the insurer would then release the EIN publicly.
    This decade-old notice hardly offered providers an assurance of confidentiality. Not only
    does it explicitly inform providers (contrary to the agency’s position in this case) that EINs “are
    disclosable under FOIA,” it warns them that withholding of EINs from the public domain was
    only a temporary fix to enable physicians to correct any errors in their own listings. What’s
    more, the NPI application form itself tells providers that, except for their SSNs, ITINs, and dates
    of birth, all of the information submitted in the application, which includes EINs and Parent
    ITINs, “may be made available on the internet.” NPI Application at 3. Based on all this, CMS
    has not established that it assured providers that it would keep their EINs and Parent TINs
    private.
    Similarly, CMS has not established that a foreseeable harm would occur if the EINs were
    released. Even though many businesses’ EINs are already in the public domain, the government
    sounds an alarm that releasing NPPES providers’ EINs and Parent TINs would increase the risk
    of corporate identity theft for those entities whose EINs may not be accessible currently. Def.’s
    Mot. at 10. The Court echoed this concern at oral argument, particularly for small medical
    practices that may not have the resources to detect or prevent a bad actor from misusing its EIN.
    Mot. Hr’g at 32–35. The Court wondered aloud whether someone could use a small business’s
    EIN to fraudulently obtain, say, a line of credit or government relief funds. Id.
    Yet, CMS offers no competent evidence of a risk of corporate identity theft, or any other
    harm for that matter, stemming from the release of the EINs and Parent TINs at issue in this
    case. [4] Government counsel conceded at oral argument that there is no such evidence in the
    record. Id. at 20–21. Moreover, the Small Business Association acknowledged in a recent FOIA
    case in this district (again, contrary to the government’s litigating position in this case) that EINs
    are not subject to FOIA withholding generally. See WP Company LLC v. U.S. Small Business
    Administration, No. 20-1240 (JEB), 2021 WL 2982173 at *2 (D.D.C. July 15, 2021) (“SBA
    admitted that EINS are not themselves exempt from disclosure[.]”). [5] That acknowledgment,
    particularly by an agency that routinely handles sensitive information received from small
    businesses, suggests the risks of harm are low.
    Accordingly, CMS has failed to provide sufficient evidence that health care providers
    treat EINs and Parent TINs as confidential. Plaintiffs are therefore entitled to summary
    judgment as to CMS’s reliance on Exemption 4.
    [4] CMS does cite to two short blog posts discussing the potential dangers of corporate
    identity theft. Gilmore Supp. Decl. ¶ 23. But the posts are not sourced or authenticated.
    [5] The EINs in WP Company were ultimately held not to be subject to release due to
    segregability concerns different from those raised by CMS here. WP Company LLC v. U.S.
    Small Business Administration (V), 575 F. Supp. 3d 114, 120-21 (D.D.C. 2021).
    B. Exemption 6
    CMS’s reliance on Exemption 6 fares no better. Under Exemption 6, an agency may
    withhold “personnel and medical files and similar files the disclosure of which would constitute
    a clearly unwarranted invasion of personal privacy.” 5 U.S.C. § 552(b)(6). But Exemption 6 is
    designed to protect “personal privacy,” not the privacy interests of business entities. See Sims v.
    CIA, 642 F.2d 562, 572 n.47 (D.C. Cir. 1980) (“Exemption 6 is applicable only to individuals.”);
    Nat. Parks and Conservation Ass’n v. Kleppe, 547 F.2d 673, 685 n.44 (D.C. Cir. 1976) (“The
    sixth exemption has not been extended to protect the privacy interests of businesses or
    corporations.”) Plaintiffs stress in their cross-motion that they do not request SSNs, ITINs, or
    any other information pertaining to individuals, Pls.’ Mot. at 15, which is consistent with their
    FOIA request. The agency is silent on this issue in its Reply, effectively waiving its reliance on
    Exemption 6. See Monroe–Evans v. Berryhill, No. 16-1081, 2017 WL 4075158, at *4 (D.D.C.
    September 13, 2017) (arguments not responded to in briefing are conceded).
    Accordingly, the Court will also grant summary judgment for Plaintiffs as to CMS’s
    invocation of Exemption 6.
    C. Segregability
    Lastly, CMS maintains that, even if the requested EINs and Parent TINs are not protected
    by any FOIA exemptions, the agency still must withhold them because it cannot separate the
    responsive data from exempt SSNs and ITINs in the NPPES database. Def.’s Mot. at 12–14.
    CMS asserts that individuals “may have provided SSNs” in parts of the NPI applications, but the
    agency “does not have any electronic means within NPPES data fields to segregate data like
    SSNs or ITINs that is related to sole proprietors from data like EINs that is related to businesses,
    partnerships, or corporations.” Gilmore Decl. ¶¶ 33–35. CMS also asserts that the EIN fields
    themselves “may actually contain SSNs instead of EINs” due to “error in input by the submitter,
    or from a sole proprietor entering their SSN information in the field.” Id. ¶ 36.
    As an initial matter, it is irrelevant whether applicants may have entered SSNs or ITINs
    in response to questions on the NPI application calling for information other than the EINs and
    Parent EINs Plaintiffs seek. Any such entries would not have wound up in the EIN and Parent
    TIN fields of the NPPES disclosure, which are the only fields at issue in this case.
    As for whether isolated SSNs may be erroneously included in the EIN or Parent TIN
    fields, CMS has not met its burden to support withholding based on segregability. First of all,
    there is no evidence before the Court that current versions of the database contain mistakenly
    submitted SSNs (or ITINs) in the EIN field. By CMS’s own admission, it cannot tell the
    difference between a nine-digit SSN and a nine-digit EIN, id. ¶ 38, and it only speculates that
    some applicants “may” have submitted an SSN in error. The only supporting evidence CMS
    offers is the 2013 “Read Me” notice discussed above. The notice does indicate that “providers
    reported SSNs in the EIN field.” Read Me at 5–6. As noted previously, however, that document
    was last updated in 2013 and appears to be referencing issues that arose as early as 2008.
    Id. at 1, 6. And the notice was issued to fix the problem by alerting providers to the issue and urging
    them to check their data to ensure that no sensitive information was included. CMS does not say
    whether these data-entry errors persist today.
    CMS’s segregability argument is further undercut by instructions on the NPI application
    which repeatedly caution applicants not to provide SSNs in the fields calling for business EINs
    and Parent TINs. See NPI Application at 1–4. The instructions could not be more clear. For
    example, the first page of the application cautions twice in bold print that “Social Security
    Number (SSN) or IRS Individual Taxpayer Identification Number (ITIN) should only be
    listed in block 18 or 19 of this form. DO NOT report SSN and ITIN information in any
    other section of this form.” Id. at 1. The application also instructs organizational providers in
    large, bold, and italicized letters: “Do not report an SSN in the EIN field.” Id. at 3. This
    instruction appears directly above the box for an EIN. Id. Further to the point, individuals,
    including sole proprietors, are instructed not to answer the prompts for an EIN and Parent TIN,
    which are reserved for organizations. Id. at 1–3.
    So, for CMS’s data-error concern to materialize, an individual health care provider or
    sole proprietor filling out the NPI application must ignore the instruction not to fill out the
    “Organization Section,” then ignore the instructions to not provide a SSN or ITIN unless
    specifically requested, then ignore the boxes that specifically request SSNs or ITINs, then ignore
    the instruction not to provide an SSN in the EIN section specifically, and instead offer one of the
    most sensitive pieces of personal information in response to a prompt that does not ask for it.
    CMS simply has not established the likelihood of this scenario.
    The Court, accordingly, rejects CMS’s argument that disclosing the responsive fields will
    meaningfully risk disclosure of more sensitive SSNs and Individual TINs.
    IV. Conclusion
    For these reasons, the Court will grant Plaintiffs’ Motion for Summary Judgment and
    deny CMS’s Motion for Summary Judgment.
    A separate Order shall accompany this opinion.
    CHRISTOPHER R. COOPER
    United States District Judge
    Date: March 30, 2023