Eye on Ohio v. Ohio Dept. of Health , 2020 Ohio 5278 ( 2020 )

[Cite as Eye on Ohio v. Ohio Dept. of Health, 

.]
EYE ON OHIO, OHIO CENTER FOR                          Case No. 2020-00279PQ
INVESTIGATIVE JOURNALISM
Special Master Jeff Clark
Requester
REPORT AND RECOMMENDATION
v.
OHIO DEPARTMENT OF HEALTH
Respondent
{¶1} The Ohio Public Records Act requires that copies of public records be made
available to any person upon request, within a reasonable period of time. R.C.
149.43(B)(1). The state policy underlying the Act is that open government serves the
public interest and our democratic system. To that end, the public records statute must
be construed liberally in favor of broad access, with any doubt resolved in favor of
disclosure of public records. State ex rel. Rogers v. Dept. of Rehab. & Corr., 

, 

, 

, ¶ 6. A requester alleging violation of the
Act must establish entitlement to relief by clear and convincing evidence. Hurt v. Liberty
Twp., 

, 

, ¶ 27-30 (5th Dist.).
{¶2} In this case, Eye on Ohio, Ohio Center for Investigative Journalism, requests
the records of daily hospital bed capacity, medical supplies, and staffing levels compiled
by the Ohio Department of Health in its Surgenet data system. Eye on Ohio intends to
report this data to the public as “the people’s records” documenting the day-to-day
availability of hospital services during the ongoing Covid-19 pandemic.1 (Complaint at 8-
12, 15.)
1 “The rule in Ohio is that public records are the people’s records, and that the officials in whose
custody they happen to be are merely trustees for the people; therefore anyone may inspect such records
at any time, subject only to the limitation that such inspection does not endanger the safety of the record,
or unreasonably interfere with the discharge of the duties of the officer having custody of the same.”
(Citation omitted.) State ex rel. Patterson v. Ayers, 

, 371, 

 (1960).
Case No. 2020-00279PQ                       -2-    REPORT AND RECOMMENDATION
{¶3} Courts recognize that the news media enable an informed public by
gathering and reporting information about government operations.
“(I)n a society in which each individual has but limited time and resources
with which to observe at first hand the operations of his government, he
relies necessarily upon the press to bring to him in convenient form the
facts of those operations. Great responsibility is accordingly placed upon
the news media to report fully and accurately the proceedings of
government, and official records and documents open to the public are the
basic data of governmental operations.”
Kallstrom v. City of Columbus, 

, 697 (S.D.Ohio 2001), quoting Cox
Broad. Corp. v. Cohn, 

, 492, 

, 

 (1975). “Thus,
the Supreme Court has concluded, ‘an untrammeled press [is] a vital source of public
information’, and an informed public the essence of working democracy.” (Citations
omitted.) Id. at 698. The Public Records Act facilitates ready access to government
information for public review. “One of the salutary purposes of the Public Records Law
is to ensure accountability of government to those being governed.” State ex rel.
Strothers v. Wertheim, 

, 158, 

 (1997).
Request for Hospital Reporting Data
{¶4} On March 27, 2020, Eye on Ohio, Ohio Center for Investigative Journalism,
made a public records request to respondent Ohio Department of Health (ODH) as
follows:
This is a request on behalf of the Ohio Center for Investigative
Journalism to inspect the following records:
1. The most recent communication from the Ohio Hospital Association
to the Ohio Department of Health relaying data from the OHA
Resource Tracker.
2. The most recent Surgenet data available, broken down by facility,
on capacity and availability for:
A. Adult medical/surgical beds
B. Pediatric medical/surgical beds
C. Adult critical care beds
Case No. 2020-00279PQ                               -3-       REPORT AND RECOMMENDATION
D. Pediatric critical care beds
E. Adult airborne isolation beds
F. Pediatric airborne isolation beds
G. Ventilators
H. ECMO machines
3. The most recent Surgenet data, broken down by facility, on the
availability of:
A. N95 respirators
B. Face/surgical masks
C. Gloves
D. Face shields
E. Gowns
F. Physician staffing
G. Nurse staffing
H. Ancillary staffing
4. The Ohio Department of Health record-retention schedule.
(Complaint at 2-4.) On April 16, 2020, counsel for ODH responded:
Upon review of your records request dated March 27, 2020, the Ohio
Department of Health has determined that the records you are seeking are
“security records,” as that term is defined in R.C. 149.433(A). Because
security records are not public records, pursuant to RC 149.433(B)(1),
they also are not subject to the mandatory release and disclosure
requirements found in R.C. 149.43(B)(1).
Given the sensitive nature of the records you have requested, the
Department has decided to deny your records request.
(Id. at 5.) ODH does not dispute that it gathers, maintains, and can produce the
requested records.2
A requester is entitled to any electronically compiled record that a public office’s data software is
2
programmed to produce (“Database Rule”). State ex rel. Scanlon v. Deters, 

, 379, 

 (1989); Naymik v. Northeast Ohio Areawide Coordinating Agency, Ct. of Cl. No. 2017-
Case No. 2020-00279PQ                               -4-       REPORT AND RECOMMENDATION
{¶5} On April 29, 2020, Eye on Ohio filed a complaint pursuant to R.C. 2743.75
alleging denial of access to public records in violation of R.C. 149.43(B). Following
unsuccessful mediation, ODH filed respondent’s reply (Response) on July 6, 2020. On
July 28, 2020, Eye on Ohio filed a reply. On October 6, 2020, ODH filed a sur-reply
along with copies of a Surgenet user guide, training materials, and screen shots,
restricted from public access.
Surgenet
{¶6} Surgenet was first developed by the Greater Dayton Area Health Information
Network (GDAHIN). The software was subsequently enhanced to its present “all
hazards” function as “a tool to be utilized during an emergency involving the public’s
health which could severely impact hospital services.” (Sur-reply, Webber Aff. at ¶ 4.)
“SurgeNet’s function is to provide the current status of participating hospitals to respond
to crisis events such as bioterrorism attack or pandemic.” (Id. at ¶ 5.) “SurgeNet is being
updated daily at the request of the Regional Healthcare Coordinators (RHC). The
primarily [sic] purpose is to have a regional view of the current bed availability as well as
to be prepared for any mass casualty event that may occur.” (Id. at ¶ 7.)
Exception Claimed
{¶7} ODH does not dispute that the data outputs of Surgenet are, absent an
applicable exception,3 public records kept by a public office. However, ODH claims that
the requested Surgenet hospital data is exempt from disclosure as a “security record
* * * assembled, prepared, or maintained by a public office * * * to prevent, mitigate, or
respond to acts of terrorism.” R.C. 149.433(A)(2).
{¶8} The burden to establish the applicability of this exception rests on ODH.
State ex rel. Cincinnati Enquirer v. Pike Cty. Coroner’s Office, 

, 2017-
00919PQ, 

, ¶ 31-33, and cases cited therein. Even if ODH were not currently accessing
the precise data output requested (see Webber Aff. at ¶ 6), it is still considered to be an existing record.
3 A public records exception is a law prohibiting or excusing disclosure of records that would
otherwise be public.
Case No. 2020-00279PQ                                -5-       REPORT AND RECOMMENDATION
Ohio-8988, 

, ¶ 15. Exceptions to disclosure are strictly construed
against the public-records custodian. State ex rel. Rogers v. Dept. of Rehab. & Corr.,

, 

, 

, ¶ 7. A custodian does not meet
this burden if it has not proven that the requested records fall squarely within the
exception. State ex rel. Cincinnati Enquirer v. Jones-Kelley, 

, 2008-
Ohio-1770, 

, paragraph two of the syllabus. Any doubt should be
resolved in favor of disclosure of public records. State ex rel. James v. Ohio State Univ.,

, 169, 

 (1994).
Security Records
{¶9} The public records exception asserted by ODH is found in R.C. 149.433(A),
which provides:4
(A) As used in this section: * * * “Security record” means any of the
following:
***
(2) Any record assembled, prepared, or maintained by a public office
or public body to prevent, mitigate, or respond to acts of terrorism,
including any of the following:
(a) Those portions of records containing specific and unique
vulnerability assessments or specific and unique response plans
either of which is intended to prevent or mitigate acts of terrorism,
and communication codes or deployment plans of law
enforcement or emergency response personnel;
4 ODH includes the text of another subsection, once, in its pleadings. (Sur-reply at 2.) Even if this
was intentional, ODH offers no argument or evidence that the requested hospital data was being “directly
used for protecting or maintaining the security of a public office against attack, interference, or sabotage.”
R.C. 149.433(A)(1). Eye on Ohio did not request records disclosing the programming or security
configuration of Surgenet. It did not request any password, source code, user guide, or other document
that could compromise or provide direct access to the Surgenet system. ODH alleges that “[t]hese
records are also used to identify vulnerabilities in the Ohio healthcare system that, if made widely known
to the public, could be seized upon by terrorist organizations and others seeking to wreak havoc upon
Ohio’s healthcare system in times of pandemic.” (Sur-reply at 2-3.) However, it provides no explanation or
expert opinion as to how the March 27, 2020 data output could be reverse-engineered or otherwise used
to “wreak havoc upon Ohio’s healthcare system.” Rogers at ¶ 16-21.
Case No. 2020-00279PQ                            -6-      REPORT AND RECOMMENDATION
(b) Specific intelligence information and specific investigative records
shared by federal and international law enforcement agencies with
state and local law enforcement and public safety agencies;
(c) National security records classified under federal executive order
and not subject to public disclosure under federal law that are
shared by federal agencies, and other records related to national
security briefings to assist state and local government with
domestic preparedness for acts of terrorism.
***
(B)(1) A record kept by a public office that is a security record is not a
public record under section 149.43 of the Revised Code and is not subject
to mandatory release or disclosure under that section.
(Emphasis added.)
{¶10} As a threshold matter, ODH complains that Eye on Ohio is “focused on the
specific records sought, while Respondent is looking at the system itself.” (Sur-reply at
2.) However, the Public Records Act is focused solely on records, and not on systems.5
ODH argues that “the security record SurgeNet is not a public record” (Id.), but provides
no legal precedent for the notion that an entire computer system is a “record.” Computer
systems are repositories of records. Computer software is a means of access to
records, without itself meeting the definition of a “record.” State ex rel. Recodat Co. v.
Buchanan, 

, 165, 

 (1989). An office may keep records
about a computer system, such as user guides and training materials, but the Surgenet
system itself is not a single record. ODH must prove that the actual “records” requested
– hospital resource availability data used to respond to the Covid-19 pandemic – were
maintained on that date to mitigate or respond to acts of terrorism.
Requested Hospital Data Was Not Related to Acts of Terrorism
{¶11} ODH admits that, at the time of the request, the Surgenet system was
gathering and generating Eye on Ohio’s requested records in response to a pandemic.
5 “‘Public record’ means records kept by any public office, * * *.” R.C. 149.43(A)(1). See R.C.
149.011(G) for the definition of “records” as used in R.C. Chapter 149.
Case No. 2020-00279PQ                      -7-     REPORT AND RECOMMENDATION
ODH seeks to invoke the terrorism exception only by asserting that Surgenet could be
used if the state is faced with acts of terrorism in the future. Eye on Ohio counters that
ODH is required to prove application of the terrorism exception to the data on the date it
is requested, not how it might apply to future hospital data under different
circumstances.
{¶12} To meet the burden of proof regarding alleged security records, ODH must
offer more than its own conclusory labeling:
The department and other agencies of state government cannot simply
label a criminal or safety record a “security record” and preclude it from
release under the public-records law, without showing that it falls within
the definition in R.C. 149.433.
State ex rel. Plunderbund Media, L.L.C. v. Born, 

, 

,

, ¶ 29. Even records produced by a designated security system or law
enforcement security protection operation must individually meet the statutory definition.
State ex rel. Rogers v. Dept. of Rehab. & Corr., 

, 

,

, ¶ 21 (video from a security camera system did not meet the
definition); State ex rel. Miller v. Pinkney, 

, 

, 

, ¶ 1-4 (dated, innocuous, and unfounded reports of threats against official
were “not security records.” See Appendix.); Shaffer v. Budish, Ct. of Cl. No. 2017-
00690PQ, 

, ¶ 21-24 (video from jail’s internal security camera). “As we
made clear in Plunderbund, every record claimed under the security-record exception to
disclosure must be considered separately.” Rogers at ¶ 21. “And when a public office
claims an exception based on risks that are not apparent within the records themselves,
the office must provide more than conclusory statements in affidavits to support its
claim. See State ex rel. Besser v. Ohio State Univ., 

, 400-401, 2000-
Ohio-207, 

 (2000).” Rogers at ¶ 15.
{¶13} The standard of proof is strictly applied against the public records
custodian. Rogers at ¶ 7. Even where a document has previously qualified as a security
Case No. 2020-00279PQ                      -8-     REPORT AND RECOMMENDATION
record, that status ceases if the threat to which it responded has abated. State ex rel.
Ohio Republican Party v. FitzGerald, 

, 

, 

, ¶ 6-8, 24; Rogers at ¶ 20-21; Gannett GP Media, Inc. v. Ohio Dept. of Pub. Safety,
Ct. of Cl. No. 2017-00051PQ, 

, ¶ 32. Proof that information is a security
record is often provided through affidavits and expert testimony establishing that the
records meet the statutory elements. In Plunderbund, respondent provided the detailed
testimony of several law-enforcement and telecommunications experts connecting the
disclosure of the requested information to future risks. Plunderbund at ¶ 22-31. The
evidence offered by ODH falls short of this standard, more closely resembling the
evidence found to be insufficient in Rogers:
First, the evidence it offers to support the applicability of the claimed
exception pales in comparison to the evidence we considered in
Plunderbund. Here, DRC has provided only two affidavits, one of which
merely concludes that “it is [DRC] policy that security videos within
correction institutions are not public records, and are therefore not
disclosed in response to public records requests.” The Bobby affidavit
contains more information regarding the applicability of the exception, yet
even his testimony is general and insufficient to meet DRC’s burden in this
case. Beyond these bare allegations, DRC has not attempted to explain
how the video recording at issue * * * was “assembled, prepared, or
maintained by a public office * * * to prevent, mitigate, or respond to acts
of terrorism.” R.C. 149.433(A)(1) and (2).
Rogers at ¶ 19. The single affidavit submitted by ODH does not attempt to connect the
March 27, 2020 hospital data requested by Eye on Ohio with prevention, mitigation, or
response to any pending or anticipated act of terrorism.
{¶14} The additional, unsworn assertions in ODH’s pleadings also fail to establish
the elements of the exception. First, ODH relates that
On March 26, 2020, ODH and local health partners received a verbal
warning from Special Agent Bryan Seamour of the Federal Bureau of
Investigation of credible threats from foreign terrorist organization [sic]
directing followers to attack healthcare infrastructure within the United
States.
Case No. 2020-00279PQ                        -9-     REPORT AND RECOMMENDATION
(Sur-reply at 1.) A general warning that a terrorist organization is directing followers to
attack unnamed healthcare infrastructure anywhere within the United States is not the
type of specific, credible, current threat required to prove any exception based on risk.
See Gannett at ¶ 28-33, Narciso v. Powell Police Dept., Ct. of Cl. 2018-01195PQ, 2018-
Ohio-4590, ¶ 35-38, State ex rel. Quolke v. Strongsville City Sch. Dist. Bd. of Educ., 

, 

, 

, ¶ 30. Nor, even were a specific
terrorism threat identified with high confidence, does ODH explain how the snapshot of
Surgenet hospital data existing on March 27, 2020 was assembled to prevent, mitigate
or respond to that terrorist threat – the essential element of the exception asserted.
Second, ODH asserts a policy preference to not disclose the data:
The strength of SurgeNet depends entirely on how candid participating
healthcare providers are when providing information. Webber Affidavit,
Paragraph 5. Most of the information that could be in SurgeNet
(inventories, bed availability, readiness) are not topics hospitals prefer to
discuss in open forums. See, generally, Webber Affidavit, Exhibit A.
Even assuming, arguendo, that some hospitals would rather not disclose their bed and
resource availability, it is well-settled that public offices may not withhold records merely
because of a policy preference for confidentiality. State ex rel. Consumer News Serv.,
Inc. v. Worthington City Bd. of Edn., 

, 

, 

at ¶ 46, 54. Accord State ex rel. WBNS TV, Inc. v. Dues, 

, 2004-
Ohio-1497, 

, ¶ 37; Snyder-Hill v. Ohio State Univ., Ct. of Cl. No. 2020-
00308PQ, 

, ¶ 8-13.
“[I]n enumerating very narrow, specific exceptions to the public records
statute, the General Assembly has already weighed and balanced the
competing public policy considerations between the public’s right to know
how its state agencies make decisions and the potential harm,
inconvenience or burden imposed on the agency by disclosure.”
James v. OSU, 

, 172, 

 (1994). In the absence of proof
that they meet the statutory definition, a public office’s mere policy of not disclosing
certain documents is insufficient to show they are “security records.” Rogers at ¶ 19.
Case No. 2020-00279PQ                               -10-       REPORT AND RECOMMENDATION
{¶15} Under the Public Records Act, it generally does not matter whether a
record could be used by an office for some purpose, but only whether it is so used.
Narciso v. Powell Police Dept, Ct. of Cl. 2018-01195PQ, 

, ¶ 35-38, and
cases cited therein (the bare assertion that records “could be used to target and
victimize” persons was not supported by the evidence); State ex rel. Beacon Journal
Publ. Co. v. Whitmore, 

, 63, 

 (1998) (an item is not a
record just because the office “could have” used it). In the absence of expert testimony
or other competent evidence that the requested data is being used in the context of acts
of terrorism, the mere assertion of potential nefarious use is not sufficient to prove the
data falls squarely within the security records exception. Rogers at ¶ 16-18. Although
the Surgenet system could be used to mitigate or respond to acts of terrorism at some
future time, and ODH may be able then to justify the security records exception, its daily
hospital bed and resource records were not being so used on the date of this request.
{¶16} I conclude that ODH has failed to meet its burden to prove that on the date
of the request the listed data fell squarely under the exception for records “assembled,
prepared, or maintained * * * to prevent, mitigate, or respond to acts of terrorism.”
Conclusion
{¶17} Accordingly, I recommend the court order respondent to provide requester
with copies of the requested records.6 I recommend the court order that requester is
entitled to recover from respondent the amount of the filing fee of twenty-five dollars and
any other costs associated with the action that it has incurred. I recommend costs be
assessed to respondent.
{¶18} Pursuant to R.C. 2743.75(F)(2), either party may file a written objection
with the clerk of the Court of Claims of Ohio within seven (7) business days after
receiving this report and recommendation. Any objection shall be specific and state with
6 A requester is entitled to copies of electronic public records in any format that the public office’s
equipment is programmed to export. See Parks v. Webb, Ct. of Cl. No. 2018-00995PQ, 

,
¶ 10-17, and cases cited therein. See also R.C. 149.43(B)(6).
Case No. 2020-00279PQ                      -11-     REPORT AND RECOMMENDATION
particularity all grounds for the objection. A party shall not assign as error on appeal the
court’s adoption of any factual findings or legal conclusions in this report and
recommendation unless a timely objection was filed thereto. R.C. 2743.75(G)(1).
JEFF CLARK
Special Master
Filed October 20, 2020
Sent to S.C. Reporter 11/13/20