
    In the Matter of The Plastic Surgery Group, P.C., Respondent, v Comptroller of the State of New York, Appellant.
    [65 NYS3d 595]
   Mulvey, J.

Appeal from an order of the Supreme Court (Ryba, J.), entered July 11, 2016, in Albany County, which granted petitioner’s application pursuant to CPLR 2304 to quash a subpoena duces tecum and denied respondent’s cross motion to compel compliance.

In February 2016, respondent commenced an audit of health insurance claims paid to petitioner by United Health Care to determine if United had overpaid petitioner for claims submitted between 2011 and 2015. Petitioner failed to respond to or comply with respondent’s requests to review a random sample of its records related to such claims. Thereafter, respondent served petitioner with a subpoena duces tecum requesting certain specified documents pertaining to its patients between 2011 and 2015 who were members of the Empire Plan, the primary health insurance plan for the New York State Health Insurance Program (hereinafter NYSHIP). Petitioner is a nonparticipating health care provider with respect to the Empire Plan that submitted millions of dollars in medical claims to United for patients enrolled in the Empire Plan. United is the private insurance company that contracts with the state to process and pay medical claims for state employees and retirees, among others, who are members of the Empire Plan. United pays the claims and related expenses using funds provided by the state, that is, “the [s]tate funds the Empire Plan as a self-insurer [and] United merely passes state money to the proper payees” (Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d 239, 243 [2014]).

Petitioner did not comply with the subpoena for its records and, instead, commenced this proceeding to quash the subpoena or, alternatively, for a protective order if disclosure were required (see CPLR 2304, 3103). Respondent answered and cross-moved to compel petitioner’s compliance pursuant to CPLR 2308. Supreme Court granted the petition, quashed the subpoena and denied respondent’s cross motion, holding that respondent lacked authority to issue the subpoena because it was not accompanied by the patients’ written authorizations pursuant to CPLR 3122 (a). Respondent appeals.

We reverse. We find that, contrary to petitioner’s claims and the holding of Supreme Court, the subpoena was validly issued in furtherance of respondent’s constitutional and statutory authority and obligation to audit payments made by the state for medical services provided under the Empire Plan (see NY Const, art V, § 1; Civil Service Law § 167 [7]; Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d at 242-243, 247). In Matter of Martin H. Handler, M.D., P.C. v DiNapoli (23 NY3d at 242-243, 245-248), decided well before the subject subpoena was issued, the Court of Appeals outlined the relationship between NYSHIP, United and the Empire Plan, the obligations of participating and nonparticipating health care providers with regard to billing patients, and respondent’s independent authority and obligation to audit the state’s payments to both categories of providers. As the Court of Appeals outlined, respondent is constitutionally obligated to audit state payments to health insurance vendors (id. at 245-246, citing NY Const, art V, § 1) and, further, “the Legislature authorized [respondent] to audit payments to the [s]tate’s health insurance vendors” (Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d at 247, citing Civil Service Law § 167 [7]). Importantly, while subpoenas were not in issue in Handler in that the providers permitted access to their records, the Court recognized that “the Legislature has granted [respondent] broad subpoena powers in furtherance of [its] investigatory functions under State Finance Law § 9” (Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d at 247). To that end, State Finance Law § 9 authorizes respondent to issue a subpoena or subpoenas “in reference to any matter within the scope of the inquiry or investigation being conducted by [respondent]” (see id.). The Court made clear that respondent is mandated to ensure proper billing and payments for the Empire Plan, and to prevent unauthorized payments and overpayments, and must audit the records of participating and nonparticipating providers alike as part of its responsibility to audit payments to medical providers (see id. at 247-248). Thus, the subpoena of petitioner’s records here was well within respondent’s constitutional and statutory authority and consistent with its legal obligations, and represented a valid exercise of its subpoena power (see NY Const, art V, § 1; Civil Service Law § 167 [7]; Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d at 245-248).

Supreme Court’s reliance upon CPLR 3122 (a) (2) as a limitation on respondent’s audit and subpoena authority is misplaced. CPLR 3122 (a) (2), which requires, among other things, that a patient’s written authorization accompany any subpoena duces tecum issued to a medical provider for that patient’s medical records, only applies, by its terms, to subpoenas issued by a party to litigation seeking discovery under CPLR 3120 or 3121, after an action or proceeding is commenced. The plain language of CPLR 3122 (a) (1) and (2), read together, makes clear that the provisions apply to subpoenas issued during the discovery phase of litigation, and are not applicable to the subpoena issued by respondent here pursuant to its authority under State Finance Law § 9 (see Matter of DeVera v Elia, 152 AD3d 13, 19 [2017]). Indeed, the conclusion urged by petitioner would lead to the untenable result that, unless health care providers voluntarily cooperate with respondent’s requests for access to patient records for audit purposes, respondent would be unable to fulfill its statutory and constitutional obligations to audit payments to providers for health insurance claims unless it obtained prior written authorization from all patients whose records were requested. Since respondent’s subpoenas are issued in accordance with its constitutional and statutory audit authority, and have no connection with discovery in an action or proceeding, the cited provisions of CPLR 3122 are not applicable.

We further conclude that disclosure of the records sought by respondent is not barred by the Health Insurance Portability and Accountability Act of 1996 (hereinafter HIPAA) (see 42 USC § 1320d et seq.). HIPAA’s “[p]rivacy [r]ule forbids an organization subject to its requirements (a ‘covered entity’) from using or disclosing an individual’s health information (‘protected health information’) except as mandated or permitted by its provisions” (Arons v Jutkowitz, 9 NY3d 393, 412-413 [2007]; see 45 CFR 160.103). However, HIPAA’s privacy regulations provide that “[a] covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; . . . criminal proceedings or actions; or other activities necessary for appropriate oversight of . . . [e]ntities subject to government regulatory programs for which health information is necessary for determining compliance with program standards,” without the written authorization of the patient (45 CFR 164.512 [d] [1] [iii] [emphasis added]). A health oversight agency is defined, in relevant part, as “an agency or authority of . . .a [s]tate . . . that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance” (45 CFR 164.501 [emphases added]). We find that respondent falls squarely within HIPAA’s definition of a health oversight agency (see People v Marcus Garvey Nursing Home, Inc., 57 AD3d 201, 201 [2008, Tom, J.P., concurring]; Matter of Signature Health Ctr. LLC v Hevesi, 13 Misc 3d 1189, 1193 [Sup Ct, Albany County 2006]). To the extent that petitioner argues that its disclosure is only permissive, not mandatory, because the regulation uses the term “may” (45 CFR 164.512 [d] [1] [iii]), we are unpersuaded, particularly given that the Court of Appeals has rejected such an interpretation under a comparable HIPAA exception (see Matter of New York City Health & Hosps. Corp. v New York State Commn. of Correction, 19 NY3d 239, 243, 246 [2012] [interpreting 45 CFR 164.512 (a)]). In view of respondent’s statutory and constitutional responsibility for oversight of NYSHIP and payments to health care providers, we discern no requirement for written authorizations by individual patients under HIPAA, as the regulations promulgated under that statute expressly permit disclosure of protected health information to a “health oversight agency” (45 CFR 164.512 [d] [1] [iii]).

While petitioner argued that portions of the subpoena were overly broad, it failed to satisfy its burden of demonstrating that respondent lacked authority to issue the subpoena, that it was issued without a factual basis or in an exercise of futility, or that the material requested was improper, utterly irrelevant or cumulative (see Matter of Empire Wine & Spirits LLC v Colon, 145 AD3d 1157, 1159 [2016]; Matter of Hogan v Cuomo, 67 AD3d 1144, 1145 [2009]; compare Mokay v Mokay, 124 AD3d 1097, 1099 [2015]). In support of its cross motion to compel compliance, respondent submitted an affidavit of its audit manager that explained, in detail, the importance and necessity to respondent’s audit of the information requested in each paragraph of the subpoena. As respondent has a legal duty and obligation to conduct this type of audit in order to ascertain if there has been an overpayment or unauthorized payment of state funds (see Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d at 242-243, 247), and petitioner failed to establish that the information sought is utterly irrelevant to this proper inquiry, the subpoena should not have been quashed (see CPLR 2304) and respondent’s cross motion to compel compliance with the subpoena should be granted (see CPLR 2308). To the extent that petitioner in its application requested a protective order against respondent, the State Comptroller (see CPLR 3103), we decline to issue such an order. We find that this relief is unnecessary given that, among other factors, respondent is fulfilling its constitutional and statutory duties in acquiring the information that is the subject of the subpoena and in conducting the audit, and petitioner has offered no basis for concern that disclosure should be curtailed to “prevent unreasonable annoyance, expense, embarrassment, disadvantage, or other prejudice to any person” (CPLR 3103 [a]; see Cynthia B. v New Rochelle Hosp. Med. Ctr., 60 NY2d 452, 463 [1983]; Brignola v Pei-Fei Lee, M.D., P.C., 192 AD2d 1008, 1009 [1993]).

Garry, J.P., Egan Jr., Rose and Rumsey, JJ., concur.

Ordered that the order is reversed, on the law, without costs, application to quash the subpoena denied and cross motion to compel compliance granted. 
      
       Nonparticipating providers are providers that have not entered into a fee agreement with United. Before United will reimburse Empire Plan members for nonparticipating providers’ services, the members are required to pay a deductible and are thereafter reimbursed for 80% of the reasonable and customary charge for the provided services. The deductibles and the remaining 20% of the reasonable and customary charge—-known as “coinsurance”—must be collected by the health care provider, or the provider may be liable for insurance fraud (see Matter of Martin H. Handler, M.D., P.C. v DiNapoli, 23 NY3d 239, 243 [2014]).
     