Shteynshlyuger v. Centers for Medicare and Medicaid Services

• Court: District Court, District of Columbia
• Decided: September 30, 2023
• Docket: Civil Action No. 2020-2982
• Status: Published

Opinion

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA

ALEX SHTEYNLYUGER,

Plaintiff,

v. Civil Action No. 20-2982 (RDM) CENTERS FOR MEDICARE AND MEDICAID SERVICES, et al.,

Defendants.

MEMORANDUM OPINION AND ORDER

Plaintiff Alex Shteynlyuger, a “licensed physician and a specialist in health economics,”

Dkt. 1 at 2 (Compl. ¶ 2), submitted eight requests for records to the Centers for Medicare and

Medicaid Services (“CMS” or “the agency”) between April 2020 and July 2020. Dkt. 28-3 at 2

(Gilmore Decl. ¶ 5). Unsatisfied with the agency’s responses as of October 16, 2020, Plaintiff

filed this suit under the Freedom of Information Act (“FOIA”), 5 U.S.C. § 552(a)(4)(B).

Now before the Court are the parties’ cross-motions for summary judgment. See Dkt. 28,

31. At issue is the adequacy of the search CMS conducted in response to Plaintiff’s FOIA

requests, and its decisions to withhold certain records pursuant to FOIA Exemptions 4, 5, and 6.

For the reasons that follow, the Court will DENY CMS’s motion for summary judgment and will

GRANT in part and DENY in part Plaintiff’s motion for summary judgment.

I. BACKGROUND

A. Factual Background

Plaintiff submitted eight FOIA requests to CMS in 2020. Dkt. 28-3 at 2 (Gilmore Decl.

¶ 5). CMS is a federal agency within the U.S. Department of Health and Human Services that,

1 among many other duties, is responsible for enforcing the “administrative simplification

standards from the Health Insurance Portability and Accountability Act of 1996” (“HIPAA”).

Id. (Gilmore Decl. ¶ 6). “The Administrative Simplification process aims to save time and

money by streamlining communication around billing and insurance related tasks. All HIPAA

covered entities (which include health care providers that transmit transactions electronically,

health plans, and clearinghouses) must comply with the Administration Simplification process.”

Id. at 6–7 (Gilmore Decl. ¶ 20).

Plaintiff’s FOIA requests seek records “pertaining to the enforcement of HIPAA’s

administrative simplification requirements . . . including [those pertaining to] electronic

transactions, such as . . . [electronic funds transfer (“EFT”)] transactions.” Dkt. 1 at 1 (Compl.

¶ 1). Specifically, the requests seek all records relating to several FAQs discussing EFTs, Dkt.

28-3 at 4 (Gilmore Decl. ¶ 14), complaints involving certain specific HIPAA covered entities, id.

at 26 (Gilmore Decl. ¶ 65), “the CMS investigation of covered entities, including health plans,

clearinghouses, and business associates charging fees to conduct standard transactions,” id. at 35

(Gilmore Decl. ¶ 85), “[c]ommunications to and from the US Congress . . . related to fees to

conduct standard transactions (EFT, ERA), and use of virtual credit cards or payment cards,” id.

at 20 (Gilmore Decl. ¶ 48), “standards for healthcare attachment transactions and electronic

signatures,” id. at 42 (Gilmore Decl. ¶ 108), and finally, “price setting, cost reimbursement, fee

schedule allowable amount setting for Medicare reimbursement, APC code

selection, . . . comparative clinical effectiveness research (CER) or analysis, cost-effective[ne]ss

analysis, effect on cost of care for BPH; [and] . . . determination of maximum lifetime

reimbursement quantity that involve” certain therapies or treatments, id. at 39 (Gilmore Decl.

¶ 97).

2 In response to these requests, CMS conducted eight searches, which the Court

summarizes in some detail due to the nature of the parties’ arguments regarding the adequacy of

those searches.

1. April 13, 2020 FOIA request

On April 13, 2020, Plaintiff submitted his first FOIA request to CMS, seeking “all

records” from January 1, 2015 to April 10, 2020 regarding “CMS EFT FAQ FAQ22297 (FAQ

22297), CMS FAQ22285 (FAQ 22285), CMS FAQ22281 (FAQ 22281), CMS FAQ22297 (FAQ

22297)” (the “April 13 FOIA request”). Dkt. 28-5 at 1. In that request, Plaintiff stated that the

“[O]ffice of the CMS Administrator,” the “Office of Strategic Operations and Regulatory

Affairs” (“OSORA”), and the “Office of Information Technology[’s] Program Management and

National Standards Group [(“PMNSG”)] may have responsive records,” but noted that

“additional offices may have responsive records as well.” Dkt. 28-5 at 1–2. Plaintiff also stated

that certain CMS employees he listed “have intimate knowledge of the responsive documents”

and thus were likely custodians of responsive records. Id. at 2.

After reviewing Plaintiff’s April 13 FOIA request, CMS “sent . . . [the] request to two

different entities:” to OSORA and PMNSG (which due to a reorganization within CMS, became

NSG on June 23, 2020). Dkt. 28-3 at 6–7 (Gilmore Decl. ¶¶ 19, 21). OSORA was tasked with

conducting an automated search for records because “Plaintiff sought EFT

FAQ . . . information . . . as well as correspondence to CMS about these FAQ[s],” and “CMS’s

correspondence unit . . . is under OSORA.” Id. at 9 (Gilmore Decl. ¶ 24). OSORA searched its

Strategic Work Information Folder Transfer System (“SWIFT”) database, which “contains

copies of incoming correspondence to the CMS Administrator and leadership.” Id. (Gilmore

Decl. ¶ 25). The search terms used in OSROA’s search of its SWIFT system were “EFT,”

3 “FAQ,” “22297,” “22285,” and “22281.” Id. OSORA also searched the SWIFT system “using

the names of the CMS Administrator and leadership because Plaintiff’s April 13 FOIA request

provided names of custodians some of whom were in the NSG and OSORA Offices.” Id. at 9–

10 (Gilmore Decl. ¶ 26). Those search terms were “Slavitt,” “Verma,” “Tavenner,” “CIO,” and

“CMS Principal Deputy Administrator.” Id.

The April 13 FOIA request was also sent to NSG “because Plaintiff sought information

on EFT transactions which are covered by the Administrative Simplification process of HIPAA,”

and NSG “is the entity [that] develops regulations and policies to implement and support the

Administrative Simplification process,” including “sub-regulatory guidance about EFT

transactions.” Id. at 6–7 (Gilmore Decl. ¶ 20). CMS contends that “it was logical to believe that

if responsive records existed, the NSG would be the appropriate entity to have records that could

be responsive to Plaintiff’s April 13 FOIA [r]equest.” Id. at 8 (Gilmore Decl. ¶ 22).

NSG “initiated an automated search in the ASETT system with the timeframe [of]

January 1, 2015 through April 10, 2020.” Id. (Gilmore Decl. ¶ 23). The ASETT system, or

Administrative Simplification Enforcement and Testing Tool system, “is a web-based

application which enables individuals or organizations to file a complaint against a HIPAA

covered entity for potential non-compliance” and it “allows all HIPAA related transactions to be

checked consistently for compliance, syntax and business rules.” Id. at 7 (Gilmore Decl. ¶ 21).

NSG’s search of the ASETT system used the keywords “EFT,” “FAQ,” “22297,” “22285,” and

“22281.” Id. at 8 (Gilmore Decl. ¶ 23).

In addition, because NSG was previously a “subsidiary” of the Office of Information

Technology (“OIT”), “OIT also searched records related to its employees, including employees

of NSG” that were mentioned in Plaintiff’s FOIA request. Id. at 10 (Gilmore Decl. ¶ 27). The

4 keywords used were, again, “EFT,” “FAQ,” “22297,” “22285,” and “22281,” as were the names

of the fourteen CMS employees identified in the FOIA request as individuals with “intimate

knowledge of the response records,” Dkt. 28-5 at 2; Dkt. 28-3 at 10 (Gilmore Decl. ¶ 27).

The records identified by these searches consisted of 66 pages, of which 21 pages were

redacted pursuant to Exemption 5 and 15 pages were redacted pursuant to Exemption 6. Id. at 10

(Gilmore Decl. ¶ 28). Subject to these redactions, the materials were released to Plaintiff as part

of the January 14, 2021 production. Id. at 11 (Gilmore Decl. ¶ 28).

2. May 4, 2020 FOIA request

On May 4, 2020, Plaintiff submitted a request to CMS for “all records” from January 1,

2015 to May 1, 2020 regarding: “Nixon Peabody,” “W. Scott O’Connell,” “Parthenon Capital or

‘Parthenon,’” “Bain Capital or ‘Bain’, Bain Capital Ventures,” “Kirkland & Ellis,” “Akin Gump

Strauss Hauer & Feld” and various employees affiliated with that firm, “John Bozeman &

Associates,” “GeorgiaLink Public Affairs Group” and various employees affiliated with that

firm, “Matthew N. Greller Esq LLC,” and “Lewis, Ron E. of Ron Lewis & Associates” (the

“May 4 FOIA request”). Dkt. 28-7 at 1 (capitalization altered). Plaintiff included in his May 4

request “additional search keywords” that included, among other terms, “W. Scott O’Connell,”

“O’Connell,” “Oconnell,” “soconnell@nixopeabody.com,” “Nixon Peabody,” and

“nixonpeadbody.com.” Id. at 2. And, like the April 13 FOIA request, the May 4 FOIA request

suggested that CMS search, among other possible offices, the Office of the CMS Administrator,

OSORA, and PMNSG and provided a non-exhaustive list of potential custodians for those

records. Id. at 2–3.

5 Shortly after receiving Plaintiff’s FOIA request, CMS contacted Plaintiff to clarify the

subject matter of the records Plaintiff sought. Dkt. 28-9 at 1. Plaintiff responded that he was

interested in all records relating to the identified individuals or entities concerning:

(1) HIPAA administrative simplification requirements including but not limited to 45 CFR Parts 160, 162, and 164; (2) fees and costs of electronic transactions including but not limited to ERA (electronic remittance advice), EFT (electronic funds transfer), credit cards, virtual payment cards, prepaid cards and debit cards, checks, (3) electronic transactions including but not limited to ERA, EFT, electronic attachments, 835 transactions, 270/271 eligibility and benefit verification transactions, claim submissions, [and] (4) [a]ny aspects of HIPAA administrative simplification requirements including but not limited standard transactions, fees for standard transactions, enforcement of CMS regulations, guidance, payment methods, telecommunication fees.

Dkt. 28-10 at 1.

Once again, CMS referred Plaintiff’s May 4 FOIA request to OSORA and NSG

(formerly PMNSG). Dkt. 28-3 at 13 (Gilmore Decl. ¶ 35). NSG was thought to have responsive

records because “Plaintiff’s May 4 FOIA request sought [records regarding] fees for electronic

health transactions, HIPAA requirements and standard fees for electronic transactions, which are

all matters that the NSG handles.” Id. at 13–14 (Gilmore Decl. ¶ 36). And the May 4 FOIA

request was sent to OSORA “because Plaintiff sought records from exterior entities

and . . . OSORA handles exterior correspondence to the CMS Administrator.” Id. at 15 (Gilmore

Decl. ¶ 38). NSG searched the ASETT system, and OSORA searched the SWIFT

correspondence database. Id. at 14–15 (Gilmore Decl. ¶¶ 37, 39). CMS explains that it “limited

its search to these two record systems because there were no other records systems that were

likely to turn up the information that Plaintiff requested.” Id. at 13 (Gilmore Decl. ¶ 35). NSG’s

search of the ASETT system used the keywords “EFT,” “ERA,” “835,” “270/271,” “fees and/or

costs,” and “any of the associated persons or entities in Plaintiff’s May 4 FOIA [r]equest.” Id. at

6 14 (Gilmore Decl. ¶ 37). OSORA’s search of the SWIFT correspondence database used the

same keywords as NSG’s search. Id. at 15–16 (Gilmore Decl. ¶ 39).

These searches resulted in the identification of 28 pages of responsive records. On

August 17, 2020, CMS provided its response, “releasing 28 pages, and withholding nine pages

pursuant to Exemptions 5 and 6,” id. at 16 (Gilmore Decl. ¶ 40), for a total of 37 pages. CMS

does not explain how 28 pages became 37.

3. May 6, 2020 FOIA request

Plaintiff submitted his third FOIA request on May 6, 2020. That request sought “all

records” from January 1, 2015 to May 5, 2020 regarding “[c]ommunications to and from the US

Congress (US Senate and US House of Representatives) and its members related to fees to

conduct standard transactions (EFT, ERA), and use of virtual credit cards or payment cards.”

Dkt. 28-12 at 1. Plaintiff also provided additional search terms “that may help identify

responsive materials,” including: “EFT Fee, ERA fee, transaction fee, virtual credit card,

payment card, prepaid card,” and the names of numerous health care businesses. Id. Like his

previous requests, Plaintiff stated that the Office of the CMS Administrator, OSORA, and

PMNSG (which at the time of the request was a subsidiary of OIT, Dkt. 28-3 at 10 (Gilmore

Decl. ¶ 27)) might have responsive records and provided a list of CMS employees who Plaintiff

believed were custodians of responsive records. Dkt. 28-12 at 1–2.

CMS asked three offices to search for records responsive to this request: the Office of

Legislative Affairs, OSORA, and the Office of the CMS Administrator. CMS concluded that the

Office of Legislative Affairs might have responsive records because it is the office that “handles

correspondence with Congress.” Dkt. 28-3 at 21 (Gilmore Decl. ¶ 51). That office searched its

“Legislative correspondence tracker” for “incoming correspondence from Congressional

7 members” using the following search terms: “EFT Fee,” “ERA fee,” “transaction fee,” “virtual

credit card,” “payment card,” “prepaid card,” “and the names of any member of the U.S.

Congress whose name(s) could aid the search, based on general search terms that could be used

across all members of Congress.” Id. at 21–22 (Gilmore Decl. ¶ 52). The Office of Legislative

Affairs also used those terms in its search of its “Outlook emails.” Id. at 23 (Gilmore Decl.

¶ 55).

OSORA conducted its own search of incoming correspondence for potentially responsive

records using its SWIFT database. Id. at 22–23 (Gilmore Decl. ¶ 54). CMS thought it “logical

to believe that if [responsive records] existed, OSORA might have [them],” because “this office

has a correspondence group that handles and tracks exterior correspondence for the CMS

Administrator in the SWIFT database” and because “incoming correspondence to the CMS

Administrator . . . is disseminated by OSORA staff to subject matter experts in CMS to

formulate responses.” Id. Finally, the Office of the Administrator was also tasked with

searching for responsive records because that office might “have been involved with such

Congressional correspondence.” Id. at 22 (Gilmore Decl. ¶ 53). It too searched the SWIFT

incoming correspondence database for documents. Id. Both OSORA and the Office of the CMS

Administrator used the same keywords in their searches of the SWIFT system: “EFT fee,” “ERA

fee,” “transaction fee,” “virtual credit card,” “payment card,” and “prepaid card.” Id. at 23

(Gilmore Decl. ¶ 55).

None of these searches identified any responsive records. CMS notified Plaintiff of this

on June 24, 2020. Id. (Gilmore Decl. ¶ 56).

8 4. May 7, 2020 FOIA request

Plaintiff’s fourth FOIA request was submitted to CMS on May 7, 2020. This request

sought “all records” from January 1, 2015 to May 5, 2020 regarding “Zelis or Zelis Healthcare,”

“[a]ll communication involving or referring to” several specific Zelis employees, and “[a] log of

phone calls between any number at CMS to and from (678) 350-3810, (908) 389-8966, and (908)

268-2229” (the “May 7 FOIA request”). Dkt. 28-15 at 1. Plaintiff again stated that the Office of

the CMS Administrator, OSORA, and PMNSG might have responsive records and provided a

list of CMS employees who Plaintiff believed were custodians of responsive records. Id. at 1–2.

NSG was tasked with conducting a search for records responsive to this request because

“Plaintiff sought communications between Zelis and . . . CMS, and . . . NSG handles Zelis[’s]

participation in the Administrative Simplification process.” Dkt. 28-3 at 24–25 (Gilmore Decl.

¶ 61). NSG limited its search to the ASETT record system “because there w[ere] no other

records systems that w[ere] likely to turn up the information that Plaintiff requested.” Id. at 25

(Gilmore Decl. ¶ 61). NSG searched for records between January 16, 2015 to May 5, 2020,

using the terms “Zelis,” “Albright,” “Fargis,” “Drysdale,” and “Klinger.” Id. (Gilmore Decl.

¶ 62). The records identified by this search were incorporated into CMS’s January 14, 2021

production. Id.

5. May 12, 2020 FOIA request

Plaintiff’s fifth FOIA request, sent to CMS on May 12, 2020, was focused on records

relating to Echo Health. Specifically, this request sought “all records” from January 1, 2020 to

May 10, 2020 regarding three specific “CMS Complaint[s] . . . involving Echo Health,” “two

specific “CMS complaints . . . involving Vpay,” and “[a]ny other CMS complaints involving

Echo Health” or “involving Vpay” and “related documents and communications” (the “May 12

9 FOIA request”). Dkt. 27-17 at 1. Plaintiff proposed the following non-exhaustive list of search

terms in his FOIA request: “Echo Health Inc; Echo Health,” “MSroka@ EchoHealthInc.com,”

“@EchoHealthInc.com,” “richmans@pepperlaw.com, vpay.com, vpayusa.com, [and] Vpay.” Id.

And, as was typical of Plaintiff’s requests, he noted that responsive records were likely to be

found with specific CMS employees, the Office of the CMS Administrator, OSORA, and

PMNSG. Id. at 2. He also stated that “the materials responsive to this complaint reside at the

national CMS office” and “NOT . . . the regional New York office.” Id. at 2.

CMS sent the May 12 FOIA request to OSORA, the NSG, CMS Regional Office 2, CMS

Regional Office 5, the Centers for Clinical Standards and Quality (“CCSQ”), and the Center for

Consumer Information and Insurance Oversight (“CCIIO”). Dkt. 28-3 at 26–27 (Gilmore Decl.

¶ 67). All six of these offices used the same keywords in their searches, which included the

specific complaint numbers referenced in the FOIA request and the terms “Echo Health,”

“involving ‘Vpay,’” “MSroka@EchoHealthInc.com,” “@EchoHealthInc.com,”

“richmans@pepperlaw.com,” “vpay.com,” “vpayusa.com,” and “Vpay.” Id. at 27–30 (Gilmore

Decl. ¶¶ 68–70).

OSORA again searched the SWIFT correspondence database for responsive records

because “Plaintiff sought all records, . . . includ[ing] correspondence to agency officials,” which

OSORA “handles.” Id. at 27 (Gilmore Decl. ¶ 68). And NSG again searched the ASETT system

for records because “NSG handles complaints with the specific identifiers mentioned by

Plaintiff” in his FOIA request. Id. at 29 (Gilmore Decl. ¶ 71).

The CMS Regional Offices were tasked with searching for records responsive to this

request because “Plaintiff sought information about companies or law firms” CMS understood to

be “located in [those] region[s],” although the agency later learned that Plaintiff did not actually

10 seek information on any entity located in Region 5. Id. at 27–28 (Gilmore Decl. ¶¶ 69, 70).

Both Regional Offices searched the Automated Survey Processing Environment Network

(“ASPEN”), “which contains information on survey and certifications of Medicare providers.”

Id. at 28 (Gilmore Decl. ¶ 69).

CCSQ also received Plaintiff’s May 12 request “because Plaintiff sought information

about specific companies and given that CCSQ handles laboratories, nursing homes, and other

facilities, it was logical to believe that . . . CCSQ might have records that could be responsive.”

Id. at 29–30 (Gilmore Decl. ¶ 72). CCSQ also searched the ASPEN database for responsive

records. Id. at 30 (Gilmore Decl. ¶ 72). Finally, CCIIO received the FOIA request because the

companies on which Plaintiff sought information “may have been insurance carriers” and CCIIO

“handles insurance claims.” Id. (Gilmore Decl. ¶ 73). It searched its “Consumer Support

Division.” Id.

None of Regional Office 2, Regional Office 5, CCSQ, or CCIIO’s searches identified any

responsive records because the entities that Plaintiff sought information about were not entities

that these offices regulated. Id. at 31 (Gilmore Decl. ¶ 74). The NSG, however, located 46

pages of responsive records, which were incorporated into CMS’s January 14, 2021 production.

Id. (Gilmore Decl. ¶¶ 75–76).

6. May 15, 2020 FOIA request

Plaintiff submitted his sixth FOIA request on May 15, 2020. That request sought “all

records from [from January 1, 2015 to May 15, 2020] regarding the CMS investigation of

covered entities, including health plans, clearinghouses, and business associates charging fees to

conduct standard transactions” (the “May 15 FOIA request”). Dkt. 28-19 at 1. The request

explained that “[t]hese investigations are often the results of HIPAA administrative

11 simplification requirements complaints . . . also known as ASETT . . . complaints.” Id. Plaintiff

also provided a non-exhaustive list of search terms for this request, including “EFT Fee, ERA

fee, standard transaction fee, virtual credit card, payment card, prepaid card,” and the names of

numerous health care businesses. Id. And he stated that he believed responsive records might be

found in the Office of the CMS Administrator, OSORA, and PMNSG, or in the possession of

certain CMS employees. Id. at 1–2.

Like Plaintiff’s previous request, his May 15 FOIA request was sent to NSG “because

Plaintiff sought records on investigations [of] covered entities charging fees on standard

transactions,” and “NSG handles enforcement of the Administrative Simplification process.”

Dkt. 28-3 at 35 (Gilmore Decl. ¶ 87). For the reasons previously described, NSG searched its

ASETT system using the search terms “EFT Fee,” “ERA fee,” “standard transaction fee,”

“virtual credit card,” “payment card,” “prepaid card,” “Zelis,” “Echo Health,” “PaySpan Health,”

“Vpay,” “Consolidated Health Plan,” “Allied Healthcare,” “Paramount,” “Stirling Benefits,”

“Magnacare,” “Meritain,” “Delta Health Systems,” “Excellus Health Plan,” “POMCO,” “UMR,”

“United Healthcare,” “Paramount,” “HealthFirst,” “Total Health Plan,” “GlobalExcel,”

“Magnacare,” “Create Health Plan,” “Olympus,” “GHI, Fidelis,” “Ama Insurance,” and

“Healthsmarte.” Id. at 35–36 (Gilmore Decl. ¶ 88).

This search identified 3,335 pages of responsive records, of which 1,971 pages were

released in full, 133 pages in part, and 1,231 pages were withheld entirely. Id. at 36 (Gilmore

Decl. ¶ 89). CMS released the responsive, non-exempt records to Plaintiff on January 26, 2021.

Id.

12 7. July 22, 2020 FOIA request

Plaintiff’s seventh and penultimate FOIA request was submitted on July 22, 2020. That

request sought “all records” from January 1, 2015 to July 1, 2020 “regarding (1) price setting,

cost, reimbursement, fee schedule allowable amount setting for Medicare reimbursement, APC

code selection[;] (2) comparative clinical effectiveness research (CER) or analysis, cost-

effectiveness analysis, effect on cost of care for BPH[;] [and] (3) determination of maximum

lifetime reimbursement quantity that involve” “Urolift (prostatic urethral lift, transprostatic

implant, prostatic urethral stent),” “Rezum (transurethral water vapor thermal therapy for benign

prostatic hyperplasia),” and “AquaBeam Robotic System and Aquablation therapy.” Dkt. 28-22

at 1 (capitalization altered). Plaintiff suggested that responsive records might be found with the

Office of the CMS Administrator, OSORA, and the Centers for Medicare. Id. at 2.

CMS referred the request to both the CCSQ and the Centers for Medicare. Dkt. 28-3 at

39 (Gilmore Decl. ¶ 99). CCSQ was thought to have responsive records because “Plaintiff’s

July 22 FOIA [r]equest sought costs, reimbursements and fees for certain medical equipment

and . . . [CCSQ] handle[s] medical equipment data coding and billing.” Id. at 39–40 (Gilmore

Decl. ¶ 100). CCSQ searched its ASPEN system, id. at 40 (Gilmore Decl. ¶ 100), “which

contains information on survey and certifications of Medicare providers,” id. at 28 (Gilmore

Decl. ¶ 69). The Centers for Medicare was also tasked with searching for responsive records

because “these Centers handle Fee for Service billing” and “Plaintiff sought fee schedules.” Id.

(Gilmore Decl. ¶ 101). It “initiated an automated search of the[] ‘Fee For Service Division

Recovery Audit Program.’” Id. Both CCSQ and the Centers for Medicare used the same

keywords in their searches. Those keywords were “durable medical equipment reimbursement,”

13 “Urolift,” “Rezum,” and “Aquabeam.” Id. at 39–41 (Gilmore Decl. ¶¶ 100–101, 104). Neither

search identified any responsive records. Id. at 42 (Gilmore Decl. ¶ 106).

Plaintiff’s July 22 request was also sent to the Office of Enterprise Data and Analytics

(“OEDA”) because that office “handles” all of the topics that Plaintiff listed in this request. Id.

at 40–41 (Gilmore Decl. ¶ 102). CMS does not provide much detail, however, regarding this

search. Instead, CMS merely notes that on November 12, 2020, OEDA “responded that the

records in Plaintiff’s July 22 FOIA [r]equest were in public Use Files on the CMS website.” Id.

at 41 (Gilmore Decl. ¶ 103). CMS let Plaintiff know that the information he sought was publicly

available on September 8, 2021. Id. at 42 (Gilmore Decl. ¶ 105).

8. July 27, 2020 FOIA request

Plaintiff submitted the final FOIA request at issue in this suit to CMS on July 27, 2020.

It sought “all records” from January 1, 2015 to July 20, 2020 “regarding standards for healthcare

attachment transactions and electronic signatures, including but not limited to (1) adoption of

these standards, (2) delays with adoption, (3) adoption of 275 transaction, 277 transaction, HL7

Da Vinci project with its leveraging of FHIR API standards for healthcare attachment

transactions.” Dkt. 28-25 at 1. Plaintiff added that “[t]hese standards were mandated in 1996

(HIPAA) and ‘re’ mandated in section 1104 of the ACA (2010),” and Plaintiff provided a non-

exhaustive list of suggested search terms, including “healthcare attachment transaction,

attachment, electronic attachment, electronic signature, healthcare attachment, standard 275

transaction, 277 transaction, HL7 Da Vinci project, FHIR API standards, CAQH Core,

X12, . . . WEDI.” Id. The FOIA request also stated that Plaintiff thought responsive records

might be found in the Office of the CMS Administrator, OSORA, PMNSG, and the Office of

Burden Reduction and Healthcare Informatics. Id. at 1–2.

14 Plaintiff’s July 29 FOIA request was forwarded to NSG to search for responsive records

in its ASETT system because “Plaintiff’s FOIA [r]equest sought records that were related to

standards for healthcare attachment transactions and electronic signatures and . . . ASETT

handles electronic healthcare transactions.” Dkt. 28-3 at 43 (Gilmore Decl. ¶¶ 110–111). The

keywords used in this search were “FHIR API standards,” “HL7 Da Vinci project,” and

“standards for healthcare attachment transactions and electronic signatures,” although CMS also

states that it “used and did not omit any of the keywords provided by Plaintiff,” some of which

returned “hits” and others of which did not. Id. at 44 (Gilmore Decl. ¶¶ 111, 113). The search

identified 92 pages of responsive records, which CMS released to Plaintiff as part of the January

14, 2021 production. Id. (Gilmore Decl. ¶ 113).

B. Procedural Background

Plaintiff filed this suit on October 16, 2020. Dkt. 1. By that time, CMS had provided

responses to two of his eight requests, his May 4 and May 6 requests. Plaintiff administratively

appealed both responses, Dkt. 28-3 at 17 (Gilmore Decl. ¶ 41); Dkt. 31-2 at 14, but CMS did not

resolve either appeal by the time Plaintiff filed this suit. After Plaintiff filed suit, CMS

responded to the remaining six outstanding FOIA requests, releasing responsive materials in two

tranches, one on January 14, 2021 and one on January 26, 2021.

Ultimately, CMS identified at least 3,838 pages of records responsive to Plaintiff’s eight

FOIA requests. Of those records, CMS released 2,396 pages, in full or in part, and withheld

1,380 pages entirely. Dkt. 28-3 at 16, 36, 45 (Gilmore Decl. ¶¶ 40, 89, 116). The parties now

dispute whether CMS has satisfied its obligations under the FOIA to conduct an adequate search

for the records Plaintiff requested and whether it permissibly withheld certain records in whole

15 or in part. CMS moved for summary judgment on December 16, 2022, Dkt. 28, and Plaintiff

cross-moved for summary judgment on February 10, 2023, Dkt. 31.

II. LEGAL STANDARD

FOIA is “designed ‘to pierce the veil of administrative secrecy and to open agency action

to the light of public scrutiny.’” U.S. Dep’t of State v. Ray, 502 U.S. 164 (1991) (quoting Dep’t

of Air Force v. Rose, 425 U.S. 352, 361 (1976)). The Act accordingly “requires federal agencies

to disclose records to the public on request unless a record is protected by one of nine statutory

exemptions.” Citizens for Resp. & Ethics in Wash. v. U.S. Dep’t of Justice, 58 F.4th 1255, 1261–

62 (D.C. Cir. 2023) (citing 5 U.S.C. § 552(b)). While FOIA’s exemptions are “as much a part of

[the Act]’s purposes and policies as the statute’s disclosure requirement,” Food Mktg. Inst. v.

Argus Leader Media, 139 S. Ct. 2356, 2366 (2019) (quoting Encino Motorcars, LLC v. Navarro,

138 S. Ct. 1134, 1142 (2018)), FOIA’s exemptions must nevertheless be “narrowly construed,”

Milner v. Dep’t of Navy, 562 U.S. 562, 565 (2011) (quoting FBI v. Abramson, 456 U.S. 615, 630

(1982)), and the burden is on the agency to justify any withholdings, 5 U.S.C. § 552(a)(4)(B).

“FOIA cases are typically resolved on motions for summary judgment under Federal

Rule of Civil Procedure 56.” Akel v. U.S. Dep't of Justice, 578 F. Supp. 3d 88, 94–95 (D.D.C.

2021). To prevail on a summary judgment motion, the moving party must demonstrate that there

are no genuine issues of material fact and that he is entitled to judgment as a matter of law. See

Celotex Corp. v. Catrett, 477 U.S. 317, 322–23 (1986). In a FOIA case, an agency can satisfy

this burden by submitting “relatively detailed and non-conclusory” affidavits or declarations,

SafeCard Servs., Inc. v. SEC, 926 F.2d 1197, 1200 (D.C. Cir. 1991), and an index of the

information withheld, Vaughn v. Rosen, 484 F.2d 820, 827–28 (D.C. Cir. 1973).

16 When a party challenges the agency’s decision to withhold a record pursuant a FOIA

exemption, the agency must demonstrate “that each document that falls within the class

requested either has been produced . . . or is wholly exempt from [FOIA’s] inspection

requirements.” Students Against Genocide v. U.S. Dep’t of State, 257 F.3d 828, 833 (D.C. Cir.

2001) (quoting Goland v. CIA, 607 F.2d 339, 352 (D.C. Cir. 1978)). Pursuant to the FOIA

Improvement Act, an agency may withhold a record “only if [it] reasonably foresees that

disclosure would harm an interest protected by [the] exemption . . . or if disclosure is prohibited

by law.” 5 U.S.C. § 552(a)(8)(A).

An agency confronted with a challenge to the adequacy of its search has the burden of

showing that “it made a good faith effort to conduct a search for the requested records, using

methods which can be reasonably expected to produce the information requested.” Oglesby v.

Dep’t of the Army, 920 F.2d 57, 68 (D.C. Cir. 1990). To satisfy this burden, the agency must

submit affidavits or declarations that “explain in reasonable detail the scope and method of the

search [it] conducted,” Morley v. CIA, 508 F.3d 1108, 1121 (D.C. Cir. 2007), in order to permit

“a court to determine if the search was adequate,” Nation Magazine v. U.S. Customs Serv., 71

F.3d 885, 890 (D.C. Cir. 1995). Although an agency need not “search every record system,” it

must search those systems “that are likely to turn up the information requested.” Oglesby, 920

F.2d at 68. “Summary judgment must be denied ‘if a review of the record raises substantial

doubt’” regarding the adequacy of the search. DiBacco v. U.S. Army, 795 F.3d 178, 188 (D.C.

Cir. 2015) (quoting Valencia-Lucena v. U.S. Coast Guard, 180 F.3d 321, 326 (D.C. Cir. 1999)).

17 III. ANALYSIS

A. Exhaustion

Before filing suit under the FOIA, “[e]xhaustion of administrative remedies is generally

required . . . so that the agency has an opportunity to exercise its discretion and expertise on the

matter and to make a factual record to support its decision.” Oglesby, 920 F.2d at 61. Here,

CMS contends that Plaintiff has failed to exhaust his administrative remedies with respect to the

FOIA request he submitted on May 15, 2020. See Dkt. 28-1 at 3 n.2. CMS asks the Court, as a

result, to dismiss his claim that pertains to that request. Id.; see also Hidalgo v. FBI, 344 F.3d

1256, 1260 (D.C. Cir. 2003) (vacating a grant of summary judgment and remanding to the

District Court with directions to dismiss the FOIA claims against the agency because the plaintiff

there had failed to exhaust his administrative remedies).

A plaintiff has “two ways . . . to exhaust administrative remedies [under the FOIA]:

actual exhaustion and constructive exhaustion.’” Nat’l Sec. Counselors v. CIA, 931 F. Supp. 2d

77, 95 (D.D.C. 2013). “Actual exhaustion, or an administrative ‘appeal to the head of the

agency,’ is required when an agency responds to a request.” Hull v. U.S. Att’y, 279 F. Supp. 3d

10, 12 (D.D.C. 2017) (quoting 5 U.S.C. § 552(a)(6)(A)). By contrast, constructive exhaustion

“occurs ‘[w]hen an agency fails to respond to a request within twenty working days.’” Id.

(quoting Nat’l Sec. Counselors, 931 F.Supp.2d at 95). In that case, “a requester ‘shall be deemed

to have exhausted his administrative remedies’ and may seek judicial review” of the agency’s

failure to fulfil its obligations under the FOIA. Id. (quoting 5 U.S.C. § 552(a)(6)(C)(i)).

Constructive exhaustion, however, is a viable way to exhaust only if the agency has not “cure[d]

its failure to respond within the statutory period by responding to the FOIA request before suit is

filed.” Oglesby, 920 F.2d at 63.

18 Plaintiff contends that he constructively exhausted his May 15 claims. He states that

when he filed suit on October 16, 2020, CMS had not yet responded to his May 15 request. Dkt.

31-1 at 31–32. And, because October 16, 2020 is more than twenty “working days” after May

15, 2020, he concludes that he exhausted his administrative remedies with respect to that request.

Id. In advancing this argument, Plaintiff recognizes that on May 22, 2020, CMS “acknowledged

its receipt [of his May 15 FOIA request].” Id. at 32 (citing Dkt. 28-3 at 34 (Gilmore Decl. ¶ 86).

But he argues that “[t]he acknowledgement did not make a determination on the request” and, to

the contrary, “indicated that CMS had not yet completed its ‘initial analysis.’” Id. (quoting Dkt.

28-20 at 1). The May 22 letter, Plaintiff argues, is therefore insufficient because the agency is

required to issue a determination—rather than a mere acknowledgement of receipt—within

twenty working days under the FOIA. Id. (citing Citizens for Resp. & Ethics in Wash. v. Fed.

Election Comm’n, 711 F.3d 180, 182 (D.C. Cir. 2013)).

Plaintiff is right that an agency must do more than merely acknowledge receipt of a FOIA

request to satisfy its statutory obligation to respond to each request within twenty working days

(barring “unusual circumstances”). FOIA instructs agencies to “[d]etermine within 20 days

(excepting Saturdays, Sundays, and legal public holidays) after the receipt of any such request

whether to comply with such request.” 5 U.S.C. § 552(a)(6)(A)(i). As the D.C. Circuit has

explained, this means that, after receiving a FOIA request, the agency “must at least indicate

within the relevant time period the scope of the documents it will produce and the exemptions it

will claim with respect to any withheld documents.” Citizens for Resp. & Ethics in Wash., 711

F.3d at 182–83. CMS does not suggest that its May 22 letter to Plaintiff satisfied those

requirements.

19 CMS describes in May 22 letter as a “formal acknowledgement letter” that “confirmed

the agency’s receipt of the request, advised that a search for documents had been initiated, and

explained the unusual and exceptional circumstances that would impact the agency’s response

time, informed Plaintiff of the control number, the alternatives if voluminous records are located,

and fees which may be incurred.” Dkt. 28-3 at 35 (Gilmore Decl. ¶ 86). In other words, the

letter explained to Plaintiff how the agency’s process for responding to his request would

proceed. See Dkt. 28-20. It did not provide Plaintiff with a determination of any kind; it did not,

for example, inform him whether the agency would produce the documents he sought or whether

it withhold any documents pursuant to certain exemptions. See Citizens for Res. & Ethics in

Wash., 711 F.3d at 186 (“The statute requires that, within the relevant time period, an agency

must determine whether to comply with a request—that is, whether a requester will receive all

the documents the requester seeks. It is not enough that, within the relevant time period, the

agency simply decide to later decide.”). The Court thus concludes that Plaintiff did not receive a

“determination” of any kind from CMS with respect to his May 15 FOIA request within 20

workings days, and thus he constructively exhausted that request before he filed suit on October

16, 2020.

CMS does make one final attempt to argue that Plaintiff has not exhausted his May 15

claims. It argues that even if Plaintiff constructively exhausted those claims when he filed suit,

the agency remedied its failure to respond to his May 15 FOIA request when it “released 1,971

pages in full, 133 pages in part, and withheld 1,231 pages entirely pursuant to exemptions 4, 5,

and 6 of the FOIA” on January 26, 2021, and Plaintiff never appealed that response. Dkt. 28-3 at

36 (Gilmore Decl. ¶ 89). But this argument misunderstands the principle that an agency can

“cure” its failure to timely respond to a FOIA request by responding, and thereby foreclose a

20 requester’s ability to constructively exhaust their claim. To be sure, the D.C. Circuit has held

that, “if an agency responds to the request after the deadline, but before the requester has filed

suit, the requesting party must exhaust administrative remedies before seeking judicial review.”

In Def. of Animals v. Nat’l Institutes of Health, 543 F. Supp. 2d 83, 96 (D.D.C. 2008) (emphasis

added) (citing Oglesby, 920 F.2d at 63). But the D.C. Circuit has not extended this principle to

permit an agency to cure its failure to respond after the requester has filed suit, thereby “un-

exhausting” a claim that was exhausted at the time the FOIA requester filed suit. An agency’s

decision to respond to a plaintiff’s FOIA request after the plaintiff has filed suit may deprive a

plaintiff of standing if the remedy sought has been provided. But that is not an issue of

exhaustion, see Williams & Connolly v. S.E.C., 662 F.3d 1240, 1243–44 (D.C. Cir. 2011) (“Once

the documents are released to the requesting party, there no longer is any case or controversy,

[rendering the case] . . . moot with respect to those documents.”), and, in any event, the parties

continue dispute the adequacy of CMS’s response to the May 15 FOIA request.

The Court, accordingly, concludes that Plaintiff has exhausted his administrative

remedies with respect to his May 15 FOIA request and, thus, rejects CMS’s exhaustion defense.

B. Adequacy of the Search

The parties dispute whether the search CMS conducted in response to Plaintiff’s eight

FOIA requests was sufficient. CMS contends that it “made a good faith effort to perform search

using methods [that] can be reasonably expected to produce the information requested,” Dkt. 28-

1 at 11, and submits two declarations from Hugh Gilmore, the Director of the Freedom of

Information/Privacy Acts Division of CMS, in an effort to satisfy its burden, Dkt 28-3; Dkt. 41-

1. Plaintiff disagrees on multiple grounds.

21 The adequacy of a search “is generally determined not by [its] fruits . . . , but by the

appropriateness of the methods used to carry [it] out.” Iturralde v. Comptroller of Currency, 315

F.3d 311, 315 (D.C. Cir. 2003). Ultimately, the adequacy of the search is “dependent upon the

circumstances of the case” and measured by a “standard of reasonableness.” Flete-Garcia v.

U.S. Marshals Serv., 613 F. Supp. 3d 425, 432–33 (D.D.C. 2020) (quoting Weisberg v. U.S.

Dep’t of Justice, 705 F.2d 1344, 1351 (D.C. Cir. 1983)). An agency “‘cannot limit its search to

only one record system if there are others that are likely to turn up the information requested,’

but, at the same time, it need not ‘search every record system.’” SAI v. Transportation Sec.

Admin., 315 F. Supp. 3d 218, 241 (D.D.C. 2018) (quoting Oglesby, 920 F.2d at 68). “Similarly,

the agency need not deploy every conceivable search term or permit the FOIA requester to

dictate the search terms in the course of litigation, but it must use terms reasonably calculated to

locate responsive records.” Id.

“[T]o obtain summary judgment[,] the agency must show that it made a good faith effort

to conduct a search for the requested records, using methods which can be reasonably expected

to produce the information requested.” Oglesby, 920 F.2d at 68 (citations omitted). To meet this

burden, “the agency must submit affidavits (or declarations) that ‘denote which files were

searched, [and] by whom those files were searched, and [that] reflect a ‘systematic approach to

document location.’” SAI, 315 F. Supp. 3d at 241 (quoting Liberation Newspaper v. U.S. Dep’t

of State, 80 F. Supp. 3d 137, 144 (D.D.C. 2015)).

Once the agency has proffered “‘relatively detailed and nonconclusory’ declarations

describing its search, the burden shifts to the FOIA requester to ‘produce countervailing

evidence’ sufficient to establish a genuine dispute of material fact as to the adequacy of the

search.” Flete-Garcia, 613 F. Supp. 3d 425, 432–33 (D.D.C. 2020) (quoting Morley, 508 F.3d at

22 1116). That countervailing evidence might include “problems with . . . the specific search terms

used or the inadequacy of the particular locations searched.” Heartland Alliance for Human

Needs & Human Rights v. U.S. Immigration & Customs Enf’t, 406 F. Supp. 3d 90, 117 (D.D.C.

2019). But because the agency’s affidavits or declarations “are accorded a presumption of good

faith, [they] cannot be rebutted by ‘purely speculative claims about the existence and

discoverability of other documents.’” SafeCard Servs., 926 F.2d at 1200 (quoting Ground

Saucer Watch, Inc. v. CIA, 692 F.2d 770, 771 (D.C. Cir. 1981)). If “a review of the record raises

substantial doubt, particularly in view of ‘well defined requests and positive indications of

overlooked materials,’ summary judgment is inappropriate.” Valencia-Lucena, 180 F.3d at 326

(citation omitted).

Plaintiff identifies several reasons why “[s]uch doubt exists” on the present record. He

contends (1) that “CMS failed to follow up on obvious leads;” (2) that “CMS’s search

declaration fails to account for several thousand responsive pages;” (3) and, finally, that CMS

did not use “methods which can be reasonably expected to produce the information requested,”

Oglesby, 920 F.2d at 68, because “CMS employed deficient search terms” and because “CMS

arbitrarily refused to search locations and custodians that would reasonably possess responsive

records.” Dkt. 31-1 at 23–24. The Court will consider each argument in turn.

1. Obvious leads

Plaintiff first argues that CMS’s search was inadequate because the agency failed to

follow obvious leads that were revealed by the results of its earlier searches. See Campbell v.

U.S. Dep’t of Justice, 164 F.3d 20, 28 (D.C. Cir. 1998) (“An agency . . . must revise its

assessment of what is [a] ‘reasonable’ [search] in a particular case to account for leads that

emerge during its inquiry.”). “To be sure, . . . an agency in certain circumstances must conduct

23 an additional search of its records based on the results of its initial search. That obligation exists

in the ‘rare case . . . in which an agency record contains a lead so apparent’—i.e., ‘a lead that is

both clear and certain’—that the agency ‘cannot in good faith fail to pursue it.’” Watkins L. &

Advoc., PLLC v. U.S. Dep’t of Justice, No. 21-5108, 2023 WL 5313522, at *9 (D.C. Cir. Aug.

18, 2023) (quoting Kowalczyk v. Dep’t of Justice, 73 F.3d 386, 389 (D.C. Cir. 1996)). Here,

Plaintiff contends that CMS failed to follow such leads when it did not search its employees’ text

messages after one email released to him referenced a “future text message conversation;” when

CMS failed to produce certain attachments or other documents referenced in records that were

produced; and when CMS failed to search for specific records referenced in the bodies of emails

released to Plaintiff. Dkt. 31-1 at 28–29.

Plaintiff is correct that, in certain circumstances, an agency may be obligated to search a

particular employee’s text messages in response to a FOIA request. Agencies can be required to

search text messages when it is “reasonably likely” that an employee conducted agency business

on a pertinent topic via text. See, e.g., Judicial Watch, Inc. v. U.S. Dep’t of Justice, 373 F. Supp.

3d 120, 127 (D.D.C. 2019) (concluding that an Inspector General report documenting the use of

text messages by a particular government employee to conduct government business made it

sufficiently likely that a search of that’s employee’s text messages would product responsive

records). There is no reason to believe that is the case here, however. The single email Plaintiff

cites in support of his contention that employees were engaged in conversation over text relevant

to his request consists of a discussion in which an “EFT FAQ” is circulated “IN CASE there is

any movement on the FAQs.” Dkt. 31-2 at 51 (capitalization in original). One participant in the

email exchange provides her phone number because she would not be “easily reachable” the

following day, when the “movement on the FAQs” might occur. Id. A natural reading of this

24 email exchange permits the inference that the sender provided her phone number not as an

invitation to continue the discussion about the EFT FAQs via text message but, instead, as a

mere request that someone contact the sender via that number if “movement” on the EFT FAQ

were to occur. 1 Accordingly, this exchange does not constitute “a lead that is both clear and

certain” regarding the existence of potentially response text messages.

Turning, then, to the attachments Plaintiff contends are “missing,” see Dkt. 31-1 at 28–29

(citing Dkt. 31-2 at 53–55), CMS acknowledges that it did not provide Plaintiff with all

attachments or other documents referenced in the materials it did produce. CMS explains that

“Plaintiff is correct that some email attachments . . . were withheld because they were drafts or

duplicates of the same drafts,” Dkt. 28-3 at 11 (Gilmore Decl. ¶ 28), or, in other cases, CMS

contends that “[a]ny attachments that may have existed were . . . non-responsive, id. at 16

(Gilmore Decl. ¶ 40). In other words, there is no basis to find the CMS failed to search for

attachments, thereby rendering its searches inadequate. Plaintiff was, of course, free to challenge

the agency’s decision to withhold attachments “because they were drafts or duplicates of the

same drafts,” Dkt. 28-3 at 11 (Gilmore Decl. ¶ 28), or because they were ‘non-responsive,” id. at

16 (Gilmore Decl. ¶ 40); see also Brady Center for the Prevention of Gun Violence v. U.S. Dep’t

of Justice, 410 F. Supp. 3d 225, 236 (D.D.C. 2019)—but such a challenge goes to the

reasonableness of the withholding or the scope of the FOIA request and is distinct from the

agency’s obligation to conduct an adequate search. This argument therefore also fails.

1 That same email refers to “[t]he text I was going to use for Brittney and Brittany,” but, in context, it appears the author is using the word “text” to refer to the written word and not a mode of communication. Plaintiff, moreover, seems to agree and relied solely on the reference in the email to “a future text message conversation.” Dkt. 31-1 at 28.

25 In a similar vein, Plaintiff also points to several records that he says “refer to” and discuss

“written correspondence” and “complaints filed” that “would have been responsive” to his

requests but were not disclosed to him. Dkt. 31-1 at 28–29 (citing Dkt. 31-2 at 44–50, 56–68).

For example, Plaintiff attests that “CMS produced emails referencing complaints 19TRA01238

and 19TRA01239 involving Allegiance, Cerner, and Zelis but no records related to these

complaints[,] which would be responsive to [the May 15 FOIA] request and [the May 7 FOIA]

request[,] were released.” Dkt. 31-2 at 4 (Shteynshlyuger Decl. ¶ 22a); see Dkt. 31-2 at 46

(“[W]e filed a CMS complaint for Allegiance (19TRA01238) and Cerner (19TRA01239) in

August and November of 2019” regarding “HIPAA 835/EFT/ACH free model.”). Plaintiff

suggests that it was both “clear and certain” that the documents referenced in these records

would have been responsive to his requests and therefore the agency should have searched for

them.

The problem the Court encounters in considering this argument, though, is that on the

present record it cannot discern which of CMS’s searches revealed these records, and without

that information, the Court cannot resolve this aspect of the parties’ dispute. If the search that

identified the email referring to these two specific complaints was not a search CMS conducted

to respond to Plaintiff’s May 7 or May 15 FOIA requests, for example, the Court could not

conclude that it was “clear and certain” that the complaints referenced in the emails would have

been responsive to Plaintiff’s FOIA request. After all, an agency, when responding to a FOIA

request, is obligated only to follow clear or certain leads that are responsive to the request at

issue—not other requests that the same requester may have submitted. Here, Plaintiff has failed

to tie the records that contain the leads the he claims CMS failed to pursue to the FOIA requests

to which those records were arguably responsive.

26 This difficulty does not mean that Plaintiff’s evidence that other, responsive records

might exist carries no weight; to the contrary, it means only that Plaintiff has failed to show that

CMS failed to follow up on “clear and certain” leads in conducting searches in response to

specific FOIA requests. But this distinction merely affects the standard under which the Court

considers this evidence. The evidence is still relevant to Plaintiff’s overarching challenge to the

adequacy of CMS’s searches and, in particular, to the question whether significant omissions in

the results of CMS’s searches casts doubt on the adequacy of those searches. Accordingly, the

Court considers what weight to give CMS’s failure to identify these specific records in its

searches alongside Plaintiff’s similar arguments, which are addressed below. See supra Section

IV.B.3.c; see also DaVita Inc. v. U.S. Dep’t of Health & Hum. Servs., No. CV 20-1798, 2021

WL 980895, at *7 (D.D.C. Mar. 16, 2021) (“When a plaintiff identifies documents not found by

the agency, the agency must ‘explain those holes in the record,’ such that the Court is “able to

ascertain if [the agency] has explained the . . . absence’ of the responsive records from the results

of the search.’” (first quoting Ctr. for Biological Diversity v. Bureau of Land Mgmt., No. CV 17-

1208, 2021 WL 918204, at *8 (D.D.C. Mar. 9, 2021), then quoting Morley, 508 F.3d at 1121))).

2. Pages identified but neither released nor withheld by CMS

Plaintiff fares better in his challenge to the sufficiency of CMS’s description of the

searches it undertook. Plaintiff contends that, at a minimum, the declaration CMS has submitted

is insufficient because it fails to account for approximately 3,272 pages that the agency reports to

have identified as responsive but has neither withheld nor released. Although this is not a

challenge to the sufficiency of the searches, the Court agrees with Plaintiff that the agency’s

declarations raise significant, unanswered concerns about what CMS did—and what it did not

do—in responding to his FOIA requests. The Gilmore declaration states that CMS “reviewed

27 and processed approximately 7,100 pages of records in response to Plaintiff’s FOIA requests,

and made three responses to Plaintiff.” Dkt. 28-3 at 49 (Gilmore Decl. ¶ 122). But CMS’s

description of the records withheld or released in each of those three productions only account

for 3,828 pages of records. Although Plaintiff squarely raises this concern in his cross-motion

for summary judgment, CMS offers no response in its opposition brief.

For the first production, released on April 18, 2020, CMS “identified, and then reviewed

and processed approximately twenty-eight pages of records.” Dkt. 28-3 at 16 (Gilmore Decl.

¶ 40). (Although, as noted above, CMS also states that it “release[ed] 28 pages, and with[eld]

nine pages” in that same production, suggesting that the agency located 37, not 28, pages of

responsive records, id.) For the next production, released on January 14, 2021, “CMS processed

approximately 466 pages.” Id. at 45 (Gilmore Decl. ¶ 116). That production contained 120 new

pages, 52 pages that were duplicates, 144 pages withheld in part and 149 pages withheld in full.

Id. (The Court notes that the pages described total 465 pages, not 466.) The final production,

released on January 26, 2021, contained “1,971 pages in full, 133 pages in part, and withheld

1,231 pages entirely,” which totals 3,335 pages. Id. at 36 (Gilmore Decl. ¶ 89).

These three productions describe 3,828 pages (or 3,838 pages if the April 18 production

identified 37 pages and if the January 14 production identified 466 pages). That is far short of

the 7,100 of pages that the declaration states that CMS “reviewed and processed.” Id. at 49

(Gilmore Decl. ¶ 122). This might simply be an error on CMS’s part or perhaps the declarant

only meant that its initial responsiveness review included 7,100 pages. But, if so, CMS could

easily have defused the issue in its opposition brief. As things stand, the disparity raises

“substantial doubt” as to the completeness of the declaration that CMS provided. Valencia–

Lucena, 180 F.3d at 325.

28 3. Reasonably tailored search

Plaintiff next argues that CMS failed to “ma[k]e a good faith effort,” as it must, “to

conduct a search for the requested records, using methods which can be reasonably expected to

produce the information requested.” Oglesby, 920 F.2d at 68. In support of his contention that

the agency failed to do so, Plaintiff challenges both the search terms used and the locations

searched. See Dkt. 31-1 at 23. Because the Court agrees that there is “substantial doubt” as to

the adequacy of the searches conducted for several of Plaintiff’s requests, Valencia-Lucena, 180

F.3d at 325, the Court denies CMS summary judgment on this issue and will grants summary

judgment in Plaintiff’s favor with respect to the adequacy of the searches.

a. Search terms

The Court first considers the reasonableness of the search terms CMS used. Dkt. 31-1 at

24. “There is no bright-line rule requiring agencies to use the search terms proposed” by a

plaintiff. Physicians for Hum. Rts. v. U.S. Dep’t of Def., 675 F. Supp. 2d 149, 164 (D.D.C.

2009). Nor is an agency required to “deploy every conceivable search term” when responding to

a FOIA request. Canning v. U.S. Dep’t of State, 346 F. Supp. 3d 1, 14 (D.D.C. 2018) (citing

Agility Pub. Warehousing Co. K.S.C. v. NSA, 113 F. Supp. 3d 313, 339 (D.D.C. 2015)).

Agencies “have discretion in crafting a list of search terms that ‘they believe[] to be reasonably

tailored to uncover documents responsive to the FOIA request.’” Liberation Newspaper, 80 F.

Supp. 3d at 146 (alteration in original) (quoting Physicians for Hum. Rts., 675 F. Supp. 2d at

164); see also Johnson v. Exec. Off. for U.S. Att’ys, 310 F.3d 771, 776 (D.C. Cir. 2002) (“FOIA,

requiring as it does both systemic and case-specific exercises of discretion and administrative

judgment and expertise, is hardly an area in which the courts should attempt to micro manage the

executive branch.”).

29 But that discretion has limits—limits that are essential to the faithful implementation of

the FOIA. As Judge Cooper has aptly observed, “FOIA requests are not a game of Battleship:”

“[t]he requester should not have to score a direct hit on the records sought based on the precise

phrasing of his request.” Gov’t Accountability Project v. U.S. Dep’t of Homeland Sec., 335 F.

Supp. 3d 7, 12 (D.D.C. 2018). Rather, agencies are required to use “obvious synonyms” that are

reasonably likely to lead to responsive documents, or at least, to explain why such obvious

synonyms would not be reasonable in that situation. See, e.g., id. at 11–12 (“Searching only for

the word ‘cellphone’ is inadequate; variants that may well be used in correspondence—like the

two-word version ‘cell phone’ or simply ‘phone’—must also be included.”); Bagwell v. U.S.

Dep’t of Justice, 311 F. Supp. 3d 223, 230 (D.D.C. 2018) (“Because it is likely that emails

concerning the investigation would use ‘PSU’ or ‘Penn State’ rather than the full name of the

University, the Department’s search was not reasonably calculated to find all responsive

emails.”).

Here, Plaintiff contends that the search terms CMS used were not reasonably tailored to

identify all responsive records because the agency often searched only for abbreviated terms

pertaining to Plaintiff’s requests (such as “FAQ,” but not “frequently asked question,” and

“EFT,” but not “electronic funds transfer”) and often “mechanical[ly] cop[ied]” phrases from his

requests (such as “Julie E. Nolan of AKIN GUMP STRAUSS HAUER & FELD,” but not “Julie

Nolan” or “Nolan AND Akin”). Dkt. 31-1 at 24–25. Plaintiff argues that, to the extent CMS

merely searched for the exact words or phrases that Plaintiff used in his FOIA requests, without

even considering what words or phrases were, in fact, likely to appear in response records, it

almost certainly failed to identify responsive records. Id.

30 CMS responds that if it had used Plaintiff’s proposed keywords, the searches would have

“yield[ed] . . . [an] overbroad” swath of potentially responsive records that the agency would

have to review. Dkt. 28-3 at 8 (Gilmore Decl. ¶ 23). Taking the “FAQ” search term as an

example, CMS explains that “the search term ‘22281’ rather than ‘FAQ 22281’” “is more

efficiently tailored” “because the search term ‘FAQ 22281’ would include information on not

only all ‘FAQ’ that are related to ‘22281,’ which is what Plaintiff wants, but also all ‘FAQ’ that

are not related to ‘22281.’” Id. (Gilmore Decl. ¶ 23). Extending that logic to the “FAQ”-

abbreviation issue Plaintiff raises, a search of CMS systems using the keyword “frequently asked

questions” would—according to CMS—return all documents relating to the words “frequently,”

“asked,” and “questions.” Such a search, CMS suggests, would again produce too many

potentially responsive records to be useful or reasonable.

The Court, however, is unconvinced that any limitations on CMS’s search function

precluded (or should have precluded) the agency from conducting a more thorough search. A

FOIA request for “all records” relating to “CMS EFT FAQ22297,” should have included a

search for records containing the terms “EFT” or “electronic funds transfer” and “FAQ” or

“frequently asked question,” subject to five-year search limitation. Although CMS suggests that

a search for phrases like “frequently asked question” would generate hits for each of the separate

terms, it seems implausible that CMS is unable to search for phrases; it appears that CMS has the

functionality to search for one term “and” another (i.e., a Boolean search)—within at least its

SWIFT and ASETT databases as it used “fees and/or costs” as a viable search term in response

to Plaintiff’s May 4, FOIA request. See id. at 14–15 (Gilmore Decl. ¶¶ 37, 39). And, to the

extent the agency lacks the ability to search for phrases or conjunctions, that, too, would seem

problematic, given the widespread availability of technology that allows for far more

31 sophisticated searches than this. See id. at 8 (Gilmore Decl. ¶ 23). Nor is the Court is persuaded

that the agency’s use of the number associated with the FAQs at issue—e.g., “2221” or

“22297”—obviated the need to employ other search terms. It seems unlikely that all drafts and

correspondence that preceded the issuance of the final FAQs carried one of these designations. 2

The Court, accordingly, concludes that a search as limited as CMS describes was not reasonably

calculated to locate the entire universe of responsive records. In any event, it was CMS’s burden

to demonstrate that its search was reasonably calculated to do so, see Oglesby, 920 F.2d at 68,

and it has failed to carry that burden.

Moreover, this concern with CMS’s search terms applies to more than just the search the

agency conducted in response to Plaintiff’s April 13 FOIA request for FAQs. The Court has the

same concern with CMS’s reliance on “EFT” as a search term rather than “electronic funds

transfer.” CMS, however, fails to take this issue on in any meaningful way, and, instead, merely

relies on the argument it makes with respect to the search terms it used for the April 13 FOIA

request about “FAQs.” See Dkt. 28-3. But, given the centrality of the phrases “EFT” and

“electronic funds transfer” to Plaintiff’s FOIA requests—his April 13, May 4, May 6, and May

15 FOIA requests all explicitly asked for records about CMS’s regulation of EFTs—CMS must

do more than it has to justify why it failed to the use of the full phrase that “EFT” abbreviates,

“electronic funds transfer” (or even “electronic transfers”), in its searches.

Speculating that the use of this phrase might have resulted in an “overbroad” yield,

without testing that hypothesis or offering a far more detailed explanation for why that is the

case, will not suffice. In short, an agency may not conduct an underinclusive search based on

2 But, if the Court’s assumption is incorrect, it was CMS’s burden to offer competent evidence that such an unusual practice exists at the agency. It has not done so.

32 nothing more than the unexplained and conclusory assertion that a broader searcher might have

been unduly burdensome. To the contrary, initial FOIA searches often locate a large number of

documents, only some of which are ultimately deemed responsive or disclosable. When that

happens, agencies typically work their way through the potentially responsive documents; use

the responses they obtain to generate more precise searches; or engage in discussions with the

FOIA requesters to see if they will agree to refine or narrow their requests in order to obtain the

records they seek more expeditiously. Those efforts are, at times, burdensome. But what an

agency may not do is unilaterally exclude reasonable search terms that are likely to locate

records that might otherwise go undetected simply because a more robust search would take

additional time and effort. See, e.g., Kwoka v. Internal Revenue Serv., No. 17-1157, 2018 WL

4681000, at *5 (D.D.C. Sept. 28, 2018) (“[T]he Court will not allow it to withhold the

documents wholesale simply because it will (potentially) take 2,200 hours to review them for

redactions.”).

The Court, accordingly, concludes that CMS should have utilized the obvious synonyms

for the search terms provided, or at the very least explained why it was unnecessary to do so.

b. Locations searched

Plaintiff also challenges the adequacy of CMS’s search on the ground that the agency

failed to search certain offices that were likely to have possessed responsive materials. See Dkt.

31-1 at 25. He makes three arguments in this regard: Two arguments pertain to the search CMS

conducted for two specific FOIA requests, his May 6 request and his May 7 request. His third

argument is broader and posits that because his requests sought “all records” pertaining to the

topics he identified, including “correspondence,” it was unreasonable for CMS to have failed to

search files in its Outlook email systems. All three arguments are persuasive.

33 Plaintiff first proposes that CMS should have, in response to his May 6 FOIA request for

“[c]ommunications” between CMS and Congress, Dkt. 28-12 at 1, searched OIT, Dkt. 31-1 at

30. In support of this argument, Plaintiff points to records that he received in responses to a

different FOIA request, which discuss inquiries OIT staff received from members of Congress

about the removal of “FAQ #22281” and whether “billing companies [were] not allowed to

charge fees for EFT transmittals.” Dkt. 32-1 at 82. He also points to another email exchange he

received pursuant to a different FOIA request in which OIT staff discuss talking points

“developed on EFT” that can be used to respond to the “external inquiries [that] have been

receiv[ed] from legislators.” Id. at 86.

In response, CMS merely asserts that Plaintiff’s suggestion in his FOIA request that the

agency search OIT records using the list of custodians he provided “did not . . . make sense and

hence was not used” because “the best way to locate responsive records was to search incoming

correspondence from Congressional members which . . . is tracked by the CMS Office of

Legislative Affairs.” Dkt. 28-3 at 22 (Gilmore Decl. ¶ 52). But the question is not whether the

agency searched the most likely places to maintain responsive records; the question is whether

the agency searched all places where records were reasonably likely to be found. See Oglesby,

920 F.2d at 68; see also Am. Immigr. Council v. U.S. Dep’t of Homeland Sec., 21 F. Supp. 3d 60,

71 (D.D.C. 2014) (“[A] search is inadequate if it includes only those records ‘most likely to

contain the information which had been requested’ because an ‘agency cannot limit its search to

only one record system if there are others that are likely to turn up the information requested.’”

(quoting Oglesby, 920 F.2d at 68)).

Next, Plaintiff argues that CMS limited its search to databases “related either to specific

complaints (ASETT) or particular types of correspondence (SWIFT, Outlook, ASPEN),” without

34 searching for the “call logs” he specifically requested in his May 7 FOIA request. Dkt. 31-1 at

28; see also Dkt. 28-15 at 1 (May 7, 2020 request for “a log of phone calls between any number

at CMS to and from (678) 350-3810, (908) 389-8966, and (908) 268-2229”). CMS provides no

explanation for why it did not search for “call logs” or why the ASETT system, which it did

search in response to this request, was likely to have such information. See, e.g., Prop. of the

People, Inc. v. Off. of Mgmt. & Budget, 330 F. Supp. 3d 373, 378 (D.D.C. 2018) (“[The agency]

later informed Plaintiffs that it does not maintain visitor logs or call logs, and thus, it possesses

no records responsive to the first two categories of requested documents.”). Accordingly, the

Court concludes that CMS’s search in response to this request was insufficient.

Finally, Plaintiff challenges CMS’s failure to search its Outlook email system in response

to all but two of his FOIA requests. See Dkt. 28-3 at 14 (Gilmore Decl. ¶ 37) (explaining that in

response to his May 4 request, NSG searched its Outlook system); id. at 23 (Gilmore Decl. ¶ 55)

(explaining that in response to his May 6 request, the Office of Legislative Affairs searched its

Outlook emails); Dkt. 41 at 5 (same). CMS defends this decision by explaining that its SWIFT

system and ASETT system should encompass all external-facing communications responsive to

his requests. The SWIFT “database contains copies of incoming correspondence to the CMS

Administrator and leadership.” Dkt. 41 at 4. And, the ASETT system “used by the NSG to

search for responsive records is covered by HITS,” Dkt. 28-3 at 32 (Gilmore Decl. ¶ 78), which

contains “[i]nformation on complaint allegations, information gathered during the complaint’s

investigation, findings, and results . . . , and correspondence related to the investigation,” Dkt. 41

at 4. But, as Plaintiff emphasizes, his requests were not limited to external communications.

Rather, Plaintiff sought “all records” regarding the topics he identified. As he has shown, a

search of Outlook might well has revealed records responsive to his request. Dkt. 31-1 at 6.

35 CMS offers no meaningful explanation for why internal discussions between its employees over

email would either fall beyond the scope of Plaintiff’s FOIA requests or why those internal

discussions would be replicated in the databases it has identified. See Dkt. 28-3; Dkt. 41.

Accordingly, the Court agrees with Plaintiff that CMS should have searched the relevant Outlook

systems for records responsive to his April 13, May 7, May 12, May 15, July 22, and July 27

FOIA requests.

c. Identification of specific records

The last issue the Court addresses concerning the adequacy of the searches CMS

conducted relates to the agency’s identification of (or failure to identify) certain responsive

records. Before turning to the substance of the parties’ respective arguments, it bears emphasis

that “the adequacy of a FOIA search is generally determined not by the fruits of the search, but

by the appropriateness of the methods used to carry out the search,” Iturralde, 315 F.3d at 315,

although the “discovery of additional documents” might, at least on occasion, raise questions

about the method used, Hodge v. FBI, 703 F.3d 575, 579 (D.C. Cir. 2013) (quoting Goland, 607

F.2d at 370). Here, although not alone sufficient to cast doubt on all the searches CMS

conducted, the Court conclude that the weight of the documents CMS failed to identify bolsters

Plaintiff’s arguments that the search terms used and the places searched were not reasonably

calculated to discover all responsive materials.

With respect to the May 4 FOIA request in particular, CMS emphasizes that it was able

to identify—in the locations it searched using its preferred terms—some records that were

responsive to Plaintiff’s request. See Dkt. 28-3 at 20 (Gilmore Decl. ¶ 46). It argues that this

demonstrates that the searches it conducted were reasonably calculated to find responsive

materials. Id. (Gilmore Decl. ¶ 45). Specifically, CMS notes that the search OSORA conducted

36 of the SWIFT correspondence database in response to Plaintiff’s May 4 FOIA request that used

the search terms “EFT,” “ERA,” “835,” “270/271,” and “fees and/or costs” located “records

[that] contained the words ‘Akin Gump,’” which were records that Plaintiff sought. Id. at 15

(Gilmore Decl. ¶ 39). But, as explained, the results of a search do not dictate whether the search

process was adequate. And, even more to the point, the fact that the terms used and databases

searched found some responsive records does not absolve the agency’s obligation to conduct a

search that was reasonably tailored to reveal all responsive materials. See Oglesby, 920 F.2d at

68. By way of analogy, many works of art can be found in the National Gallery, but that does

not mean that a search of the National Gallery is reasonably calculated to locate all works of art.

Plaintiff, moreover, identifies documents that he contends the agency’s searches missed,

supporting his contention that the agency’s search terms and search locations were incomplete.

Dkt. 31-1 at 30. These include “emails [that] refer to written correspondence that was not

produced,” and “records [that] discuss complaints filed against HIPAA-covered entities” that

were not produced. Dkt. 31-1 at 29; see, e.g., Dkt. 31-2 at 45 (“[W]e filed a CMS complaint for

Allegiance (19TRA01238) and Cerner (19TRA01239) in August and November of 2019”

regarding “HIPAA 835/EFT/ACH free model”); id. at 6 (Shteynshlyuger Decl. ¶ 30) (stating that

Plaintiff “filed a complaint through ASETT against Sterling Benefits involving Vpay” that CMS

did not produce in response to his May 12 FOIA request for records pertaining to Vpay); id. at

77 (containing a letter from the Veterans Administration to Plaintiff responding to a FOIA

request he submitted to that department stated that the VA had “submit[ted] complaint

notifications to [CMS]” about Zelis). Thus, even if results were the measure of the adequacy of

the search, CMS would be on weak footing—footing that is only shakier in light of the other

defects Plaintiff has identified in CMS’s searches. See DaVita Inc., 2021 WL 980895, at *7

37 (“[T]he question is not whether the agency can pinpoint the exact whereabouts of the missing

documents, but whether the agency can show that its search is adequate despite its failure to

retrieve known records.”).

In sum, Plaintiff has done enough—by identifying issues with the search terms used, the

databases searched, and the completeness of the agency’s declarations—to “raise[] substantial

doubt” as to the adequacy of the search. Valencia-Lucena, 180 F.3d at 326. CMS, in response,

has done little to address those issues. The Court, accordingly, concludes that CMS failed to

conduct an adequate search for potentially responsive records for any of Plaintiff’s eight

requests. Each of the searches CMS conducted is flawed for one of the reasons Plaintiff has

identified. Specifically, the Court concludes that the search terms CMS used to respond to

Plaintiff’s April 13, May 4, May 6, and May 15 FOIA requests were not reasonably tailored to

find all responsive materials. It also finds that CMS should have searched (or explained why it

could not search) Outlook for records responsive to Plaintiff’s April 13, May 7, May 12, May 15,

July 22, and July 27 FOIA requests. Finally, the Court concludes that CMS should have

searched OIT for records responsive to Plaintiff’s May 6 FOIA request and that CMS should

have searched for phone logs responsive to Plaintiff’s May 7 FOIA request. The Court will,

accordingly, grant partial summary judgment in Plaintiff’s favor with respect to the adequacy of

the searches.

On a separate note, the Court also finds that CMS has failed to address the whereabouts

of the approximately 3,200 unaccounted for pages. The Court is hardly in a position to grant

summary judgment in favor of CMS in the face of such uncertainty.

38 * * *

The Court now turns from the adequacy of the search CMS conducted to the fruits of that

search. CMS relies on three of FOIA’s exemptions, Exemptions 4, 5, and 6, to withhold several

hundred pages of records from Plaintiff. Plaintiff has challenged CMS’s decision to do so on a

number of grounds. The Court begins with the parties’ arguments regarding Exemption 4 and

CMS’s decision to withhold three sets of records, in whole or in part, pursuant to that exemption.

C. Exemption 4

Exemption 4 permits an agency to withhold “matters that are . . . trade secrets and

commercial or financial information obtained from a person and privileged and confidential.” 5

U.S.C. § 552(a)(4). CMS does not argue that the information it has withheld constitutes trade

secrets, but instead, submits that the information is “(1) commercial or financial, (2) obtained

from a person, and (3) privileged or confidential,” Citizens for Resp. & Ethics in Wash., 58 F.4th

at 1262 (quoting Pub. Citizen Health Rsch. Grp. v. FDA, 704 F.2d 1280, 1290 (D.C. Cir. 1983)),

and that it is, therefore, subject to protection under Exemption 4. In considering these

withholdings, the Court is mindful that “[t]he agency bears the burden to justify nondisclosure

under any exemption it asserts” and that “[s]ummary judgment is warranted on the basis of

agency affidavits [or declarations only] when the affidavits [or declarations] describe the

justifications for nondisclosure with reasonably specific detail, demonstrate that the information

withheld logically falls within the claimed exemption, and are not controverted by either contrary

evidence in the record nor by evidence of agency bad faith.” Id. (first quoting U.S. Dep’t of State

v. Ray, 502 U.S. 164, 173 (1991); then quoting Larson v. Dep’t of State, 565 F.3d 857, 862 (D.C.

Cir. 2009)).

39 In crafting Exemption 4, “Congress sought to shield from public release intrinsically

valuable business information such as ‘business sales statistics, inventories, customer lists, and

manufacturing processes.’” Id. at 1263 (quoting S. Rep. No. 89-813, at 9 (1965)). Accordingly,

for information to be considered “commercial or financial” for purposes of Exemption 4, it

“must be commercial ‘in and of itself’” and must “pertain[] to the exchange of goods or services

or the making of a profit.” Id. (citation omitted). It follows that “not every bit of information

submitted to the government by a commercial entity qualifies for protection under Exemption 4.”

Pub. Citizen Health Rsch. Grp., 704 F.2d at 1290. Rather, “Exemption 4 paradigmatically

applies to records that a business owner customarily keeps private because they ‘actually reveal

basic commercial operations, such as sales statistics, profits and losses, and inventories, or [that]

relate to the income-producing aspects of a business,’” Citizens for Resp. & Ethics in Wash., 58

F.4th at 1262 (alteration in original) (quoting Pub. Citizen Health Rsch. Grp., 704 F.2d at 1290),

or to information in which the submitter has a “commercial interest,” id. (quoting Baker &

Hostetler LLP v. U.S. Dep’t of Commerce, 473 F.3d 312, 319 (D.C. Cir. 2006)).

“Commercial information” must also be “confidential” to qualify for withholding under

Exemption 4. 5 U.S.C. § 552(b)(4). For many years, the D.C. Circuit applied different tests to

determine whether information was “confidential,” depending on whether the information was

voluntarily or involuntarily disclosed to the agency. See AAR Airlift Grp., Inc. v. U.S. Transp.

Command, 161 F. Supp. 3d 37, 42 (D.D.C. 2015) (citing Critical Mass Energy Project v.

Nuclear Regulatory Comm’n, 975 F.2d 871, 879 (D.C. Cir. 1992) (en banc) (voluntary standard)

and Nat’l Parks & Conservation Ass’n v. Morton, 498 F.2d 765, 770 (D.C. Cir. 1974)

(involuntary standard)). But in Food Marketing Institute v. Argus Leader Media, 139 S. Ct. 2356

(2019), the Supreme Court rejected this distinction and embraced one uniform meaning of

40 “confidential” for the purposes of Exemption 4, id. at 2364–65 (“[N]or . . . can we discern a

persuasive reason to afford the same statutory term two such radically different constructions.”

(emphasis omitted)).

In Argus Leader, the Court “considered two conditions that might be required for

information provided to the government to be confidential within the meaning of Exemption 4:

(1) that information is ‘customarily kept private, or at least closely held, by the person imparting

it,’ and (2) that ‘the party receiving [the information] provides some assurance that it will remain

secret.’” Citizens for Resp. & Ethics in Wash., 58 F.4th at 1269 (quoting Argus Leader, 139 S.

Ct. at 2363). “The Court held that at least the first condition must be met, reasoning that ‘it is

hard to see how information could be deemed confidential if its owner shares it freely.’” Id.

(quoting Argus Leader, 139 S. Ct. at 2363). With those instructions, the D.C. Circuit now

recognizes that “[o]rdinarily . . . , to justify Exemption 4 withholding, the government must at

least demonstrate that the withheld information itself is ‘customarily and actually treated as

private by its owner.’” Id. (quoting Argus Leader, 139 S. Ct. at 2363). Neither the Supreme

Court nor the D.C. Circuit, however, has elaborated on what circumstances, if any, might

implicate the second condition. See Gandhi v. Ctrs. for Medicare & Medicaid Servs., No. 21-

2628, 2023 WL 2707879, at *3 (D.D.C. Mar. 30, 2023) (“As it stands, then, ‘[t]he current law of

the D.C. Circuit . . . is that information is confidential under Exemption 4 if it is of a kind that

would customarily not be released to the public by the person [or entity] from whom it was

obtained.’” (quoting Renewable Fuels Ass’n v. EPA, 519 F. Supp. 3d 1, 12 (D.D.C. 2021))).

The analysis does not end there. Once an agency meets its burden of showing that

Exemption 4 applies to the information at hand, it must also satisfy FOIA’s foreseeable-harm

requirement. The foreseeable-harm requirement “impose[s] an independent and meaningful

41 burden on agencies.” Reps. Comm. for Freedom of the Press v. FBI, 3 F.4th 350, 369 (D.C. Cir.

2021) (quoting Ctr. for Investigative Reporting v. U.S. Customs & Border Prot., 436 F. Supp. 3d

90, 106 (D.D.C. 2019))). It forecloses the withholding of material under FOIA unless the agency

can establish that it is “reasonably foresee[able] that disclosure would harm an interest protected

by [the] exemption.” 5 U.S.C. § 552(a)(8)(A)(i)(I).

1. May 12 FOIA request

CMS relied on Exemption 4 (as well as Exemption 6) to withhold seven pages in full

that were responsive to Plaintiff’s May 12 FOIA request. Dkt. 28-3 at 31 (Gilmore Decl. ¶ 77). 3

The May 12 FOIA request sought “all records from January 1, 2015 to May 10, 2020” regarding

complaints “involving Echo Health” and complaints “involving Vpay.” Id. at 26 (Gilmore Decl.

¶ 65). “Echo Health is an EFT payment processor” and both “Echo Health and Vpay participate

in the Administrative Simplification process,” id. at 31 (Gilmore Decl. ¶¶ 74–75), which

“streamlin[es] communication around billing and insurance related tasks, id. at 6–7 (Gilmore

Decl. ¶ 20). 4 A search of ASETT, the CMS system that parties use to respond to complaints

about non-compliance with the Administrative Simplification process, id. at 32 (Gilmore Decl.

¶ 78), located forty-six pages of responsive records, id. at 31 (Gilmore Decl. ¶ 76). CMS

describes the records as “consist[ing] of the complaint,” which “deals with electronic funds

transfer,” “CMS email exchanges with the complainant, the respondent company’s email to CMS

3 CMS’s briefing to the Court indicates that these pages are the ones described in its Vaughn index. Dkt. 28-4 at 17 (Bates No. CMS20391–397). 4 “The Administrative Simplification process aims to save time and money by streamlining communication around billing and insurance related tasks. All HIPAA covered entities (which include health care providers that transmit transactions electronically, health plans, and clearinghouses) must comply with the Administration Simplification process.” Id. at 6-7 (Gilmore Decl. ¶ 20).

42 about the complaint and any proposed resolution by the respondent company to CMS.” Id. at

32–33 (Gilmore Decl. ¶ 79). CMS withheld seven of those forty-six pages in full. Id. at 31

(Gilmore Decl. ¶ 77).

CMS contends that the information it withheld was “commercial or financial because the

complaint dealt with electronic funds transfer[s] which relate to financial transactions.” Dkt. 28-

1 at 17. Plaintiff does not dispute that “this might establish the commercial or financial status of

some of the information,” but he does not agree that this statement is sufficient to “establish that

status for all the information.” Dkt. 31-1 at 13. The Court agrees with Plaintiff.

To the extent information about electronic funds transfers, or “EFTs,” is analogous to

“sales statistics, profits and losses, and inventories, or [other information] related to the income-

producing aspects of a business,” that information would qualify as “business or financial

information” for these purposes. See Citizens for Resp. & Ethics in Wash., 58 F.4th at 1263.

Although CMS has provided the Court with no specific description of what “electronic funds

transfers” are in this context, there is reason to believe (and Plaintiff does not argue otherwise)

that information about EFTs would “relate to the income-producing aspects” of Echo Health’s

business, id. at 1263 (alteration in original) (quoting Pub. Citizen Health Rsch. Grp., 704 F.2d at

1290), because Echo Health is an “EFT payment processor,” Dkt. 28-3 at 31 (Gilmore Decl.

¶ 74). It would thus seem that a “complaint [that] deal[t] with electronic funds transfer[s]” and

that pertains to Echo Health’s business, Dkt. 28-3 at 33 (Gilmore Decl. ¶ 79), would contain

information that is “commercial ‘in and of itself,’” and “pertain[] to the exchange of goods or

services or the making of a profit,” Citizens for Resp. & Ethics in Wash., 58 F.4th at 1263

(quoting Nat’l Ass’n of Home Builders, 309 F.3d at 38). Similarly, other records related to that

complaint might also logically contain some discussion of EFTs that might constitute

43 “commercial or financial information” or information in which the owner has a “commercial

interest.” Id. at 1262–63 (first quoting 5 U.S.C. § 552 (b)(4); then quoting Baker & Hostetler

LLP, 473 F.3d at 319).

But this line of reasoning supports only the conclusion that some portion of the forty-six

pages that CMS identified as responsive to Plaintiff’s May 12 FOIA request likely contained

commercial or financial information. We do not know if those portions containing such

commercial or financial information are what was withheld, because CMS provides no

meaningful description of the seven withheld pages. The declaration CMS provides describes

the contents of the forty-six pages as a whole—explaining that those records “consist of the

complaint,” which “deals with electronic funds transfer,” “CMS email exchanges with the

complainant, the respondent company’s email to CMS about the complaint and any proposed

resolution by the respondent company to CMS,” Dkt. 28-3 at 32–33 (Gilmore Decl. ¶ 79)—but

CMS does not explain which of those records were withheld.

In describing the contents of what it actually withheld, CMS states that it “applied

Exemption 4 of the FOIA to information that was supplied by individuals in complaints they had

filed on behalf of their employer (which are not the Plaintiff) or to information that related to a

respondent company’s exchanges with CMS about that complaint.” Dkt. 28-3 at 32 (Gilmore

Decl. ¶ 79). That statement omits any description of the subject matter of the withheld

information—let alone any indication whether that information related to EFTs, was for some

other reason commercial or financial in nature, or was the type of information in which its owner

had a “commercial interest.” See, e.g., Pub. Citizen Health Rsch. Grp., 704 F.2d at 1290 (finding

that a firm’s data or reports on its commercial service or its product’s favorable or unfavorable

attributes was commercial information).

44 CMS’s further statement that it “conducted a line-by-line review of the forty-six pages of

records . . . and determined that some non-exempt, factual information within them could be

segregated for release” does not change the Court’s conclusion. Dkt. 28-3 at 33 (Gilmore Decl.

¶ 80). Although it indicates that the agency conducted the required segregability analysis, the

description offers no further description of the seven withheld pages. The Court is left to guess

at the contents of the seven pages the agency chose to withhold, only knowing that the seven

pages were part of the forty-six pages the agency identified that relate to a complaint that “deal[t]

with” EFTs. Id. (Gilmore Decl. ¶ 79). The Court, accordingly, concludes that CMS has failed to

satisfy its burden of showing that the information it withheld was commercial or financial in

nature, such that Exemption 4 could apply.

CMS fares no better with respect to the confidentiality prong of Exemption 4. “To justify

Exemption 4 withholding, the government must at least demonstrate that the withheld

information itself is ‘customarily and actually treated as private by its owner.’” Citizens for

Resp. & Ethics in Wash., 58 F.4th at 1269 (emphasis added) (quoting Argus Leader, 139 S. Ct. at

2366). CMS, however, says almost nothing about the owners of the information and, instead,

attempts to satisfy its burden by showing that it—that is, the government—treats the information

as private. That will not do. See, e.g., Occupational Safety & Health L. Project, PLLC v. U.S.

Dep’t of Labor, No. 21-2028, 2022 WL 3444935, at *8 (D.D.C. Aug. 17, 2022) (“But the test

here is not about general custom in the industry, nor by the government. Rather, the issue is how

[the owner of the commercial information] customarily treats the information, not how its peers

do.”).

It may be the case that “when CMS receives a complaint regarding an electronic transfer

of transactions, CMS places information that is provided in the complaint in a CMS Privacy Act

45 System of Records named the Health Insurance Portability and Accountability Act System

(HITS) Privacy Act System of Records” and that “during the investigative process of the

complaint, the information is not disclosable pursuant to Section (k)(2) of the Privacy Act.” Dkt.

28-3 at 31–32 (Gilmore Decl. ¶ 78). It may also be the case that to submit a complaint or to

respond to one, an entity uses the ASETT system, id. at 7 (Gilmore Decl. ¶ 21), and is “provided

a PIN” to do so, id. at 32 (Gilmore Decl. ¶ 78), indicating that the web tool is “secure,” Dkt. 28-1

at 17. And, finally, it may be the case that the “complainant’s information” is “not customarily

released to any individual or entity other than the complainant.” Dkt. 28-3 at 32 (Gilmore Decl.

¶ 78). But those facts principally go to whether CMS treated the information submitted as

confidential (and perhaps whether CMS provided assurances to the owner of the information that

it would remain confidential)—not whether the owner of the information “customarily and

actually” treated the information as private. Argus Leader, 139 S. Ct. at 2366. At most, one

might speculate that at least some owners of information who submit it to a secure site using a

PIN hope to maintain the confidentiality of the information. But such speculation, without more,

will not suffice. Indeed, it is equally plausible that the owner of the information contained in any

specific complaint would support broad disclosure and used the secure site and PIN only because

that is how CMS has designed the process.

More generally, the Court can only guess at how the owners of the withheld information

might have treated it because CMS says so little about the owners (or types of owners) of the

information, about whether the assertedly confidential information was submitted by an owner or

by a third-party, about whether any such third-party owed a duty of confidentiality to the owner,

and, most significantly, about the precise nature of the specific information that was withheld.

46 CMS, in short, has also failed to carry its burden of showing that the information it withheld was

“confidential,” as required under Exemption 4.

2. May 15 FOIA request

CMS also invokes Exemption 4 to withhold records responsive to Plaintiff’s May 15

FOIA request. See Dkt. 28-3 at 36 (Gilmore Decl. ¶ 89). That request sought records relating to

CMS’s “investigation of covered entities, including health plans, clearinghouses, and business

associates charging fees to conduct standard transactions,” and, again, identified numerous

“search keywords that” might assist CMS in its search, including “EFT Fee, ERA fee, standard

transaction fee, virtual credit card, payment care, [and] prepaid card.” Dkt. 28-19 at 1. In

response to this request, CMS “released 1,971 pages in full, 133 pages in part, and withheld

1,231 pages entirely pursuant to Exemptions 4, 5, and 6.” Dkt. 28-3 at 36 (Gilmore Decl. ¶ 89).

CMS’s summary judgment briefing fails to address the application of Exemptions 4 to these

withholdings, see Dkt. 28-1 at 15–17; Dkt. 41 at 6–7, relying instead on the argument (which the

Court has rejected) that Plaintiff failed to exhaust his administrative remedies with respect to this

request. Nor does CMS’s Vaughn index describe these records. See Dkt. 28-4. Although

Plaintiff points to this omission in its motion, CMS offers no response in its briefs. See Dkt. 41

at 6–7. As result, the Court treats the issue as conceded with respect to the factual predicate for

the withholding. See Winston & Strawn, LLP v. McLean, 843 F.3d 503, 506–08 (D.C. Cir.

2016). But even relying on the one paragraph in the Gilmore declaration that makes passing

reference to the issue, see Dkt. 28-3 at 36–37 (Gilmore Decl. ¶ 90), the Court concludes that

CMS has failed to carry its burden.

That single paragraph explains that Exemption 4 was applied “only . . . to information

that related to records which had been supplied by complainants or respondents in conjunction

47 with complaints that were stored in the ASETT information system and were not Plaintiff’s

complaints.” Id. at 36 (Gilmore Decl. ¶ 90). The declaration then explains that the records at

issue “consisted of email exchanges with CMS and respondents, which was investigatory in

nature, as well as of proposals[,] if any, that had been made by the business involved in the

investigatory complaint to resolve that complaint.” Id. (Gilmore Decl. ¶ 90). Finally, it explains:

The information was commercial or financial because given that it related to information that business entities supply in filing or responding to complaints in the ASETT system, and contains information on financial [e]lectronic funds transfers or proposed corrective actions by the respondent to CMS, it is an investigatory process for which confidentiality is provided to both complainant and respondent. During the complaint process, the respondent is given a PIN access code to enter into the ASETT database to review and supply comments, rebuttal, replies, corrective actions. All of this is under the confidential, investigation process in the ASETT database. The information was obtained from a business entity because it was provided by entities like electronic funds transfer clearinghouses, who are generally known to be business entities. The information was privileged or confidential because during the complaint investigation, all information is exempt from disclosure even to the complainant pursuant to exemption (k)(2) of the Privacy Act. The information was also customarily and actually treated as private by its owners because the business reply is sent to CMS in a PIN protected secure ASETT system which is a Privacy Act System of Records.

Id. (Gilmore Decl. ¶ 90). But this barren (and less than pellucid) description of as many as 1,264

pages of records is insufficient to show that the withheld information was truly commercial or

financial in nature or that the owners treated the information as confidential.

The fact that some of the information in the ASETT database “relates to information that

business entities supply” tells the Court little about the subject matter of the withheld information

or the extent to which some or all of it contains commercial or financial information. Nor has

CMS done enough to show that the withheld material was confidential. The agency once again

simply relies on its practices of keeping the information stored in the ASETT database

confidential, rather than addressing whether the source of the information treated it as

48 confidential. For reasons discussed above, neither the fact that respondents were given PINs and

that CMS treats the ASETT system as secure nor systems status under the Privacy Act, without

more, is sufficient to show that the information was “customarily and actually” treated as

confidential by its owner. Argus Leader, 139 S. Ct. at 2366.

Accordingly, even giving CMS the benefit of the doubt and considering this issue on the

merits, it has failed to justify its withholding of these records under Exemption 4 as well.

3. January 14 production

Finally, CMS also invokes Exemption 4 to withhold 142 pages that were responsive to

Plaintiff’s April 13, May 7, and July 29 FOIA requests. 5 Dkt. 28-3 at 45 (Gilmore Decl. ¶ 116).

CMS explains that “Exemption 4 was applied [to these records] because businesses’ complaints

or responses contained in the ASETT system are afforded business confidentiality” by CMS, the

information withheld “concerns electronic fund transfers and is financial,” and “[t]he information

was obtained from . . . entities like electronic fund clearing houses, who are generally known to

be business entities.” 6 Id. at 45–46 (Gilmore Decl. ¶ 117).

For the reasons explained above, this description of the information CMS withheld is

insufficient. At no point does the agency describe in reasonable detail the nature or contents of

the records it withheld. Some or all of that material might constitute commercial or financial

information. Some or all of it might have reflected actual electronic fund transfers. (All that

5 This production also included the seven pages responsive to Plaintiff’s May 12 request that were withheld in their entirety and discussed separately above. 6 CMS provides a limited Vaughn index, which appears to describe 12 of the 142 pages the agency withheld. Dkt. 28-4 at 17–18 (Bates Nos. CMS20401, CMS20427–36). The description the Vaughn index provides is also perfunctory and provides no more information than the declaration does. See e.g., id. (describing CMS20401 and CMS20427-36 as follows: “[T]he subject of the complaint is a business entity to which responses are submitted regarding the complaint” and “[s]uch responses are considered business confidential by the submitter”).

49 CMS says is that the information “concern[ed]” electronic fund transfers, id. (Gilmore Decl.

¶ 117), but that can be said of almost all of Plaintiff’s requests.) The owner or owners might

have treated some or all of it as confidential. But the Court has no way to know. Accordingly,

the Court must, once again, conclude that CMS has failed to satisfy its burden.

4. Foreseeable harm

As explained above, CMS has failed to make the required showings with respect to the

applicability of Exemption 4 to any of the records it withheld on that ground. But even if it had

cleared that hurdle, CMS’s arguments would still fail, because the agency wholly ignores the

foreseeable-harm requirement of the FOIA. See 5 U.S.C. § 552(a)(8)(A)(i)(I); Reps. Comm. for

Freedom of the Press, 3 F.4th at 369. CMS fails to devote a single sentence in its briefing or

declarations to the anticipated consequences of disclosing the information it seeks to keep private

pursuant to Exemption 4, see Dkt. 28-1 at 15–17; Dkt. 41 at 6–7—not even after Plaintiff

identified that omission, see Dkt. 31-1 at 17, and not even in the supplemental declaration that

CMS submitted addressing other omissions, including its failure to address foreseeable harm

with respect to the agency’s Exemption 5 withholdings, see Dkt. 40-1.

The Court recognizes that few courts have considered what burden the foreseeable-harm

requirement imposes on agencies that seek to withhold records pursuant to Exemption 4. See

Seife v. U.S. Food & Drug Admin., 43 F.4th 231, 235 (2d Cir. 2022) (“Neither the Supreme

Court nor . . . any of our sister circuits has had occasion to consider the burden imposed by the

[foreseeable-harm requirement] in an Exemption 4 case.”). And relatedly, there is an open

question as to the scope of the interest Exemption 4 seeks to protect. Compare

Ctr. for Investigative Reporting, 436 F. Supp. 3d at 113 (concluding that, for the purposes of

Exemption 4, those interests include avoiding causing “’genuine harm to [the submitter’s]

50 economic or business interests’ and thereby dissuading others from submitting similar

information to the government”) (quoting Argus Leader, 139 S. Ct. at 2369), with Am. Small

Bus. League v. U.S. Dep’t of Defense, 411 F. Supp. 3d 824, 836 (N.D. Cal. 2019) (“[T]he plain

and ordinary meaning of Exemption 4 indicates that the relevant protected interest is that of the

information’s confidentiality—that is, its private nature. Disclosure would necessarily destroy

the private nature of the information, no matter the circumstance.” (emphasis omitted)). The

Second Circuit’s decision in Seife v. U.S. Food & Drug Administration, 43 F.4th 231 (2d Cir.

2022), however, offers helpful guidance.

As the Seife decision persuasively explains, application of the foreseeable-harm standard

to Exemption 4 requires a showing of “foreseeable commercial or financial harm to the submitter

upon release of the contested information.” Id. at 242. To hold otherwise—and to require an

agency merely to show that disclosure would be at odds with confidentiality—would render the

foreseeable-harm requirement a nullity in all Exemption 4 cases, a result that cannot be squared

with the congressional decision to exempt other FOIA exemptions from the requirement, but not

Exemption 4. Id. at 239–40; see also Reps. Comm. for Freedom of the Press, 3 F.4th at 369

(“[T]he foreseeable harm requirement impose[s] an independent and meaningful burden on

agencies.” (quotation omitted) (second alteration in original)); cf. Reps. Comm. for Freedom of

the Press v. U.S. Customs & Border Prot., 567 F. Supp. 3d 97, 124 (D.D.C. 2021) (“True, . . .

establishing the attorney-client privilege will go a long way to show the risk of foreseeable harm.

But an agency must still provide a non-generalized explanation on the foreseeable harm that

51 would result from disclosure of attorney-client communications. [The agency] has barely

provided any explanation at all.”). 7

Here, however, CMS makes no argument whatsoever that it has satisfied the foreseeable-

harm requirement. Unless the foreseeable-harm requirement is a nullity as applied to Exemption

4, and as noted above, that contention cannot be squared with the statutory text, that omission is

fatal to CMS’s position.

D. Exemption 5

CMS also relies on FOIA’s Exemption 5 to withhold records from its three productions.

Exemption 5 permits an agency to withhold or redact “inter-agency or intra-agency

memorandums or letters that would not be available by law to a party other than an agency in

litigation with the agency,” 5 U.S.C. § 552(b)(5), which courts have interpreted to encompass

“the privileges available to [g]overnment [agencies] in civil litigation,” U.S. Fish & Wildlife

Serv. v. Sierra Club, Inc., 141 S. Ct. 777, 783 (2021). Those privileges include the attorney-

client privilege and the deliberative process privilege, both of which CMS invokes here,

although, as explained below, the deliberative process privilege is the agency’s focus. See

Coastal States Gas Corp. v. Dept. of Energy, 617 F.2d 854 (D.C. Cir. 1980) (citations omitted).

7 CMS might (generously) be understood to rely on the “very context and purpose of those communications” to meet its burden. Reps. Comm. for Freedom of the Press, 3 F.4th at 372 (“With respect to the [withheld] emails, the record establishes the unique sensitivity of discussions among Director Comey and high-ranking FBI officials about how to respond to an ongoing crisis that threatened existing covert Bureau operational tactics. The very context and purpose of those communications bearing on sensitive undercover operations in the midst of a policy crisis make the foreseeability of harm manifest.”). But even if the Court were to consider the argument, which the agency does not press, CMS would still fail to establish foreseeable harm. To rely on the “context and purpose” of the records to make a finding of harm, the Court would need to know what those communications contain; yet, as explained above, the present record lacks any such description.

52 The deliberative process privilege applies to “documents reflecting advisory opinions,

recommendations and deliberations comprising part of a process by which governmental

decisions and policies are formulated.” Dep’t of Interior v. Klamath Water Users Protective

Ass’n, 532 U.S. 1, 8 (2001) (quoting N.L.R.B. v. Sears, Roebuck & Co., 421 U.S. 132, 150

(1975)) (internal quotation marks omitted). In order for the deliberative process privilege to

apply, the record at issue must be both predecisional and deliberative. “Documents are

‘predecisional’ if they are ‘generated before the adoption of an agency policy,’ and ‘deliberative’

if they ‘reflect[ ] the give-and-take of the consultative process.’” Judicial Watch, Inc. v. U.S.

Dep’t of Def., 847 F.3d 735, 739 (D.C. Cir. 2017) (alteration in original) (Public Citizen, Inc. v.

Off. of Mgmt. & Budget, 598 F.3d 865, 874 (D.C. Cir. 2010)).

To invoke the privilege, an “agency must establish what deliberative process is involved,

and the role played by the documents in issue in the course of that process.” 100Reporters v.

U.S. Dep’t of State, 602 F. Supp. 3d 41, 60 (quoting Senate of P.R. ex rel. Judiciary Comm. v.

U.S. Dep’t of Justice., 823 F.2d 574, 585–86 (D.C. Cir. 1987)). The agency must also explain

“the nature of the decision[-]making authority vested in the office or person issuing the disputed

document(s), and the positions in the chain of command of the parties to the documents.” Arthur

Andersen & Co. v. IRS, 679 F.2d 254, 258 (D.C. Cir. 1982) (quoting Taxation with

Representation Fund v. IRS, 646 F.2d 666, 679, 681 (D.C. Cir. 1981)). In other words, to

determine if the agency has met its burden to show that it properly invoked the privilege, a court

“asks whether the agency has offered evidence sufficient to establish the ‘who,’ i.e., the roles of

the document drafters and recipients and their places in the chain of command; the ‘what,’ i.e.,

the nature of the withheld content; the ‘where,’ i.e., the stage within the broader deliberative

process in which the withheld material operates; and the ‘how,’ i.e., the way in which the

53 withheld material facilitated agency deliberation.” Judicial Watch, Inc. v. Dep’t of Justice, 20

F.4th 49, 56 (D.C. Cir. 2021).

Finally, pursuant to the FOIA Improvement Act, the agency must also satisfy the

foreseeable-harm requirement. See 5 U.S.C. § 552(a)(8)(A). This requirement “applies with

special force to deliberative process withholdings under Exemption 5,” because “Congress

viewed [this use of Exemption 5] as posing particular risks of ‘overuse.’” 100Reporters, 602

F. Supp. 3d at 61 (quoting Ctr. for Investigative Reporting, 436 F. Supp. 3d at 106). To satisfy

the foreseeable-harm requirement, an agency must establish that it is reasonably foreseeable that

“disclosure would harm an interest protected by the deliberative-process privilege,” Machado

Amadis v. U.S. Dep’t of State, 971 F.3d 364, 371 (D.C. Cir. 2020)—that is, when Exemption 5 is

invoked, that disclosure would cause “injury to the quality of agency decisions,” Sears, 421 U.S.

at 151.

1. May 4 FOIA request

CMS seeks to withhold nine pages that were responsive to Plaintiff’s May 4 FOIA

request pursuant to Exemptions 5 and 6. Dkt. 28-3 at 16 (Gilmore Decl. ¶ 40). The Gilmore

declaration describes these records as containing “pre-decisional, deliberative communications

from CMS personnel to CMS OSORA executive correspondence staff regarding correspondence

from the American College of Gastroenterology,” and concerning “actions that were under

consideration at CMS which related specifically to hurricane relief.” Id. at 17 (Gilmore Decl.

¶ 42). The declaration also states that the records contain “pre-decisional” “email exchanges

between employees . . . address[ing] how to handle and debate the best route to take regarding

further supporting email from [a law firm,] Akin Gump” and “[a]n additional email and

executive correspondence [that] discussed a meeting with the CMS Administrator from the

54 Otsuka Pharmaceutical Group.” Id. at 18 (Gilmore Decl. ¶ 42). “The purpose of these internal

exchanges was to discuss the concerns that CMS had regarding [the] provi[sion of] hurricane

relief to [the American College of Gastroenterology].” Dkt. 40-1 at 2 (Suppl. Gilmore Decl.

¶ 5).

The agency argues that these records were deliberative because they “consisted of emails

between employees of CMS discussing information that was contained in incoming

correspondence from an exterior source, evaluating how the correspondence should be

handled, . . . which operating division should be tracking this correspondence, whether that

correspondence was a follow-up to a previous correspondence, and whether a single CMS

response was warranted.” Dkt. 28-3 at 17–18 (Gilmore Decl. ¶ 42). And, the agency argues that

the records to be predecisional because the material withheld “relates to CMS’[s] own internal

electronic correspondence regarding the CMS reasons and context” for its decision about

whether to provide the hurricane relief that was requested; rather than “the correspondence that

CMS had with [the American College of Gastroenterology] regarding [its] request [for] the

emergency hurricane relief waiver,” which CMS released to Plaintiff. Dkt. 40-1 at 4 (Suppl.

Gilmore Decl. ¶ 8).

CMS has satisfied its burden of showing that these records are deliberative and

predecisional. Internal agency communications that discuss and debate the best course of action

to take in response to inquiries from the public often fall within the deliberative process

privilege. See e.g., Odland v. FERC, 34 F. Supp. 3d 3, 20 (D.D.C. 2014) (approving of the

agency’s application of the deliberative process privilege to emails containing “deliberations

regarding the appropriate response to public inquiries and public attendance at meetings while

the underlying proceeding was pending”). And here, CMS’s description of the records it

55 withheld shows that they were “deliberative in nature, weighing the pros and cons of agency

adoption of one viewpoint or another.” Coastal States Gas Corp. v. Dep’t of Energy, 617 F.2d

854, 866 (D.C. Cir. 1980). Finally, CMS has done enough to show that the records were pre-

decisional. By explaining that the final communications that CMS had with the American

College of Gastroenterology were released, while those internal communications that preceded it

were not, CMS has satisfied its burden of showing that the records containing the internal

deliberations preceded any final decision. See 100Reporters, 602 F. Supp. 3d at 62 (explaining

that to withhold a record under the deliberative process privilege, an agency need not “trace the

lineage of each draft or evidently deliberative record to ensure that the agency did not, at some

point, adopt the predecisional record,” but instead must “provide the Court with a reasoned and

sound basis for concluding that the record at issue was—and remained—predecisional”).

Having concluded that the deliberative process privilege applies to the materials

responsive to Plaintiff’s May 4 FOIA request that CMS withheld pursuant to Exemption 5, the

Court must consider whether CMS has satisfied the foreseeable-harm requirement. In his

original declaration, Gilmore observed that “[r]elease of this information would cause

foreseeable harm . . . because it would create a chilling effect o[n] future employees’ discussions

and block the free exchange of ideas, including ideas that could improve and streamline the

efficient functioning of CMS.” Dkt. 28-3 at 18 (Gilmore Decl. ¶ 42). Standing alone, that

articulation of foreseeable harm would be too “perfunctory” and would seem to apply to most, if

not all, deliberative exchanges of information, “regardless of category or substance.” Reps.

Comm. for Freedom of the Press, 3 F.4th at 370 (quoting Rosenberg v. Dep’t of Def., 342 F.

Supp. 3d 62, 79 (D.D.C. 2018)). Presumably recognizing as much, CMS submitted a

56 supplemental declaration, further explaining the foreseeable harm that disclosure would entail.

See Dkt. 40-1.

That supplemental declaration poses its own difficulties. To the extent it expresses

concern, for example, that disclosure of the deliberations might expose individual employees to

external pressure, see id. at 6 (Supp. Gilmore Decl. ¶ 11), CMS could simply redact the names of

those employees. The agency comes closer to the mark, however, when it observes that release

of the records would reveal the “internal decisional process” that the agency employs to evaluate

hurricane relief waivers, such as “the criteria CMS uses to determine hardship, how CMS gathers

information on . . . eligible clinicians’ need to benefit from an emergency waiver, . . . [and] how

CMS assesses alternative resolutions to emergency relief.” Id. at 4 (Suppl. Gilmore Decl. ¶ 9).

This would be harmful, CMS explains, because entities would have “a roadmap” to “know

exactly what [they] need[] to do to obtain a hurricane emergency waiver,” which could

undermine the ability of the agency to make the right decision when it comes to whether to grant

relief. Id. at 4–5 (Suppl. Gilmore Decl. ¶ 9). Although the Gilmore declaration does not

explicitly tie this “roadmap” justification to “an interest protected by” Exemption 5, see 5 U.S.C.

§552(a)(8)(A), the Court concludes that the supplemental declaration must be read in light of

Gilmore’s prior assertion that release of the information would create a chilling effect on internal

deliberations by future employees, see Dkt. 28-3 at 18 (Gilmore Decl. ¶ 42). The supplemental

declaration introduces its discussion of foreseeable harm, for example, by noting that it is

providing additional background “[t]o better understand the foreseeable harm” that would result

from the disclosure of these documents. Dkt. 40-1 at 2 (Suppl. Gilmore Decl. ¶6). And, taken

together, Gilmore’s declarations are best, albeit not unambiguously, read to say that providing

the public with “a roadmap” detailing “exactly” how “to obtain a hurricane emergency waiver”

57 would chill employees from committing similar deliberations to written form in the future. See

id. at 5 (Suppl. Gilmore Decl. ¶ 9).

Understood in this light, the agency’s foreseeable harm analysis passes muster. See Reps.

Comm. for Freedom of the Press, 3 F.4th at 370. It is a “focused and concrete demonstration of

why disclosure of the particular type of material at issue,” namely internal discussions about

whether to grant relief to this particular group in light of the hardship it experienced due to a

natural disaster, “will, in the specific context of the agency action at issue, actually impede those

same agency deliberations going forward.” Id. This showing is sufficient to satisfy the agency’s

burden to demonstrate that harm will foreseeably result from the disclosure of these documents.

Accordingly, although a closer question than it should be, the Court is persuaded that CMS has

satisfied its burden to show that its properly withheld portions of these records pursuant to

Exemption 5.

2. May 15 FOIA request and the January 14 production

CMS also invokes the deliberative process privilege to withhold some or all of the 1,508

pages it identified as responsive to Plaintiff’s April 13, May 7, May 12, May 15, and July 29

FOIA requests. Dkt. 28-3 at 36, 45 (Gilmore Decl. ¶¶ 89, 116). These materials “all concern

draft information related to sub-regulatory guidance, EFT/FAQs, a draft memo on EFT revision,

and drafts of responses to Plaintiff.” Dkt. 40-1 at 8 (Suppl. Gilmore Decl. ¶ 13).

Unfortunately, CMS’s description of the contents of the material withheld includes little

detail beyond this vague statement. The agency does describe some of the withheld materials as

including “emails that discussed the past EFT/FAQs, modified the current FAQs, discussed

whether to discontinue the FAQs or a particular FAQs, discussed wording changes, discussed

justifications for the changes, discussed why CMS was not going in a particular direction with

58 the EFT/FAQs, or suggested that something may have been too broadly described, and needed to

be more narrowly described.” Dkt. 40-1 at 9–10 (Suppl. Gilmore Decl. ¶ 15). But it does not

identify which description applies to which documents, or even how many pages it withheld

pursuant to that description. Nor does CMS explain why each of these records was predecisional

and deliberative, beyond the high-level assertion that the withheld materials “consisted of edits

and comments on draft documents,” Dkt. 28-3 at 38 (Gilmore Decl. ¶ 92), and “opinions and

recommendations of CMS staff,” id. at 47 (Gilmore Decl. ¶ 118). That is insufficient.

“An agency must demonstrate that ‘each document that falls within the class requested

either has been produced . . . or is wholly [or partially] exempt from the Act’s inspection

requirements.’” Citizens For Resp. & Ethics in Wash. v. U.S. Dep’t of Lab., 478 F. Supp. 2d 77,

80 (D.D.C. 2007) (alteration in original) (emphasis added) (quoting Goland v. CIA, 607 F.2d

339, 352 (D.C. Cir. 1978)). Although agencies “have never [been] required [to provide]

repetitive, detailed explanations for each piece of withheld information,” and “codes and

categories may be sufficiently particularized to carry the agency’s burden of proof,” when an

agency seeks to take a more categorical approach, it must “tie[] each individual document to one

or more exemptions, and . . . [must provide a] declaration [that] link[s] the substance of each

exemption to the documents’ common elements.” Morley, 508 F.3d at 1122 (quoting Judicial

Watch, Inc. v. Food & Drug Administration, 449 F.3d 141, 146–47 (D.C. Cir. 2006)). CMS’s

submissions fail that test. The Vaughn index it provides is not only perfunctory in its description

of the documents, it also entirely fails to account for hundreds of pages that the agency withheld.

See Dkt. 28-4. And the declarations CMS provides fail to address specific records (or groups of

records) and fail to reference specific entries in the Vaughn index, making it nearly impossible to

59 determine which documents in the Vaughn index are the ones discussed in the agency’s

declarations. See Dkt. 28-3; Dkt. 40-1.

The Court, accordingly, concludes that CMS has failed to carry its burden with respect to

application of Exemption 5 to these records. As a result, the Court need not consider the

separation question of foreseeable harm. For future guidance, however, the Court cautions CMS

that it must focus its foreseeable-harm inquiry on whether disclosure of the information at issue

would result in harm to the agency’s decision-making process; not whether the individual

requester is likely to use the released materials in a way that the agency would rather avoid.

3. Attorney-client privilege

Although not the focus of either party’s briefing, the Court notes that the agency’s

Vaughn index states that CMS seeks to withhold some material on the basis of attorney-client

privilege. See Dkt. 28-4 at 5, 6, 9, 11–12 (Bates Nos. CMS20064–75, CMS20108–111,

CMS20153–154, CMS20170–171, CMS20194–202). To the extent CMS does, in fact, seek to

withhold certain material on this basis, the Court notes that the agency’s explanation of why that

privilege applies is too cursory for the Court to assess that claim. For example, CMS withholds

five pages in full pursuant to Exemption 5, explaining, in part, that “[t]he Office of General

Counsel is supplying comments about the draft, clarification about the draft, and comments and

recommendations which is attorney-client privilege[d].” Id. at 5 (Bates No. CMS20064–75).

This generic description does not allow the Court to determine whether the withheld material

constitutes “confidential communications between an attorney and his client relating to a legal

matter for which the client has sought professional advice.” Protect Democracy Project, Inc. v.

U.S. Dep’t of Health & Hum. Servs., 370 F. Supp. 3d 159, 173 (D.D.C. 2019) (quoting Mead

Data Cent., Inc. v. U.S. Dep’t of Air Force, 566 F.2d 242, 252 (D.C. Cir. 1977)). To take just

60 one example, stylistic suggestions (“don’t split your infinitives”), even if offered by a lawyer, are

not necessarily privileged.

Therefore, to the extent CMS did in fact rely on the attorney-client privilege to withhold

some of the materials at issue, the Court is unpersuaded that the agency has satisfied its burden.

E. Exemption 6

The final FOIA exemption CMS invokes is Exemption 6. “Exemption 6 provides that the

disclosure requirements of the FOIA do not apply to ‘personnel and medical files and similar

files the disclosure of which would constitute a clearly unwarranted invasion of personal

privacy.’” U.S. Dep’t of State v. Wash. Post Co., 456 U.S. 595, 597 n.1 (1982) (quoting 5 U.S.C.

§ 552(b)(6)). CMS invokes this exemption to withhold individuals’ contact information,

including phone numbers and email addresses, Dkt. 28-3 at 18–19 (Gilmore Decl. ¶ 43); see also

id. at 38 , 48 (Gilmore Decl. ¶¶ 93, 119), and also applies the exemption to “records [that] were

located in the ASETT system[,] which is a Privacy Act [s]ystem of records,” id. at 33 (Gilmore

Decl. ¶ 81). Plaintiff does not challenge the agency’s application of the exemption to contact

information. But he does maintain that CMS was wrong to apply Exemption 6 to the second

category of records. See Dkt. 31-1 at 22. 8

The purpose of Exemption 6 is “to protect individuals from the injury and embarrassment

that can result from the unnecessary disclosure of personal information.” Multi Ag Media LLC v.

8 The Gilmore declaration states that its search in response to Plaintiff’s April 13 FOIA request identified “fifteen pages had portions redacted pursuant to Exemption 6 of the FOIA.” Dkt. 28-3 at 10 (Gilmore Decl. ¶ 28). These pages were not immediately released to Plaintiff due to an error on CMS’s part, but were instead released as part of the January 14 production. The Court understands that the description of the records withheld pursuant to Exemption 6 in the January 14 production includes these fifteen pages identified as responsive to Plaintiff’s April 13 request, and that those pages are not challenged by Plaintiff in this litigation because they contained contact information. Id. at 48 (Gilmore Decl. ¶ 119).

61 Dep’t of Agric., 515 F.3d 1224, 1228 (D.C. Cir. 2008) (emphasis omitted) (quoting Wash. Post

Co., 456 U.S. at 599). Accordingly, Exemption 6 is not limited “‘to a narrow class of files

containing only a discrete kind of personal information’ (such as tax or medical records),” but,

rather, it “cover[s] detailed Government records on an individual which can be identified as

applying to that individual.” Scarlett v. Off. of Inspector Gen., No. 21-819, 2023 WL 2682259,

at *9–10 (D.D.C. Mar. 29, 2023) (quoting Wash. Post Co., 456 U.S. at 602).

That said, “the mere fact that an agency file or record contains personal, identifying

information is not enough to invoke Exemption 6—the information must also be ‘of such a

nature that its disclosure would constitute a clearly unwarranted privacy invasion.’” Id. (quoting

Nat’l Ass’n of Home Builders, 309 F.3d at 32). To make that determination, “the Court [must]

employ[ ] a balancing test, weighing ‘the private interest involved (namely the individual's right

of privacy) against the public interest (namely, the basic purpose of [FOIA], which is to open

agency action to the light of public scrutiny).’” People for the Am. Way Found. v. Nat’l Park

Serv., 503 F. Supp. 2d 284, 304 (D.D.C. 2007) (quoting Judicial Watch, Inc., 449 F.3d at 153).

“In undertaking this analysis, the [C]ourt is guided by the instruction that, under Exemption 6,

the presumption in favor of disclosure is as strong as can be found anywhere in [FOIA].” Nat’l

Ass’n of Home Builders, 309 F.3d at 32 (quoting Wash. Post Co. v. U.S. Dep’t of Health & Hum.

Servs., 690 F.2d 252, 261 (D.C. Cir. 1982)).

CMS contends that because the records at issue “were located in the ASETT system[,]

which is a Privacy Act [s]ystem of records,” the records are “similar” to “personnel and medical

files” and thus fall within the scope of Exemption 6. Dkt. 28-3 at 33–34 (Gilmore Decl. ¶ 81)

(quoting 5 U.S.C. §552(b)(6)). As further context, CMS explains that:

when CMS receives a complaint regarding electronic transfer of transactions, CMS places information that is provided in that complaint in a CMS Privacy

62 Act System of Records named the Health Insurance Portability and Accountability Act System (HITS) Privacy Act System of Records [of which ASETT is a part]. HITS collects and maintains information on complaint allegations, information gathered during the complaint’s investigation, findings, and results of the investigation, and correspondence related to the investigation. The collected information will contain name, address, telephone number, health insurance claim (HIC) number, geographic location, as well as, background information which relate to the Medicare or Medicaid issues of the complainant. HITS represents a single, central, electronic repository of all complaints’ documents and information including related investigative files, correspondence, and administrative records. This information system is known as an exempt system of records because during the investigative process of the complaint, the information is not disclosable pursuant to Section (k)(2) of the Privacy Act.

Id. at 31–32 (Gilmore Decl. ¶ 78). CMS thus seems to argue that because a record is found in

ASETT and because ASETT is a Privacy Act system of records, any information contained in

ASETT that was obtained from a “business submitter” is per se subject to Exemption 6. See id.

at 33 (Gilmore Decl. ¶ 81). That contention is problematic on several fronts.

First, CMS contends that, as a general matter, it would be improper to disclose any

complaint (or associated document) from its ASETT system because doing so “would constitute

an unwarranted invasion of privacy and violate the business confidentiality of the business

submitter, who is the respondent to the complaint.” Id. at 33 (Gilmore Decl. ¶ 81). But

Exemption 6 is not concerned with the confidentiality interests of corporations. See FCC v.

AT&T Inc., 562 U.S. 397, 408–10 (2011) (suggesting that the scope of Exemption 6 and

Exemption 7(C) should be understood to mirror one another, that Exemption 6 “involve[s] an

‘individual’s right of privacy,’” and that it “reject[s] the argument that . . . the phrase ‘personal

privacy’ in Exemption 7(C) reaches corporations as well” (quoting Ray, 502 U.S. at 175). And

CMS does not indicate whether the “business submitter[s]” it seeks to protect are corporations or

individuals. Dkt. 28-3 at 33 (Gilmore Decl. ¶ 81). Indeed, if anything, CMS suggests that the

submitters are corporations by emphasizing that much of the information contained in its ASETT

63 system was “obtained from [] business entit[ies], . . . like electronic fund clearing houses.” Id. at

45–46 (Gilmore Decl. ¶ 117).

Even beyond that dispositive difficulty, in applying Exemption 6, the presumption is in

favor of disclosure, and, here, CMS had not done enough to shift the balance in the opposite

direction. It has failed to identify the privacy interest of the submitters and has failed to explain

how disclosure would “constitute a clearly unwarranted” invasion of that unspecified interest. 5

U.S.C. §552(b)(6).

Accordingly, as the record now stands, CMS has failed to justify its withholdings

pursuant to Exemption 6.

F. Segregability

Although the Court concludes that many of CMS’s withholdings are inadequately

supported, as explained above, it is persuaded that CMS has carried its burden of showing that

the deliberative process privilege applies to a portion of the withheld material and that

foreseeable harm would result from the disclosure of that material. But “[b]efore approving the

application of a FOIA exemption, the district court must make specific findings of segregability

regarding the documents to be withheld.” Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1116

(D.C. Cir. 2007) (first citing Summers v. DOJ, 140 F.3d 1077, 1081 (D.C. Cir. 1998); then citing

Krikorian v. Dep’t of State, 984 F.2d 461, 467 (D.C. Cir. 1993)); see also Muttitt v. Dep’t of

State, 926 F. Supp. 2d 284, 309 (D.D.C. 2013) (“Even when a plaintiff does not challenge the

segregability efforts of an agency, the Court has an affirmative duty to consider the segregability

issue sua sponte.” (quotation omitted)). Specifically, the Court must determine whether “‘[a]ny

reasonably segregable portion of a record shall be provided’ after exempt portions are deleted.”

Sussman, 494 F.3dat 1112 (quoting 5 U.S.C. § 552(b)(1)(9)). Here, that requirement precludes

64 the Court from granting summary judgment in favor of CMS even with respect to that portion of

the withheld material.

To be sure, CMS attests that it “conducted a line-by-line review of the twenty-eight pages

of records returned in the searches [for records responsive to the May 4 FOIA request] and

determined that some non-exempt, factual information within them could be segregated for

release,” Dkt. 28-3 at 18 (Gilmore Decl. ¶ 42). The problem is that “the Court need not [and

ought not] blindly accept an agency’s conclusory assurance that it has taken reasonable steps to

segregate information if the record suggests otherwise or the Vaughn index and declarations are

not sufficiently detailed to permit the Court to meaningfully assess whether further segregability

is possible,” Protect Democracy Project, Inc. v. U.S. Dep’t of Health & Hum. Servs., 569 F.

Supp. 3d 25, 36 (D.D.C. 2021). Here, neither the Vaughn index nor the declarations CMS has

provided are sufficient to show that the agency has met its segregability burden. Most notably,

CMS states that it is withholding “nine pages pursuant to Exemptions 5 and 6” responsive to the

May 4 FOIA request, id. at 16 (Gilmore Decl. ¶ 40), but it does not explain which withholdings

are subject to which exemption or which of the entries in its Vaughn index corresponds to these

records. Without having that basic understanding of what the government has withheld, the

Court cannot determine if the records it withheld can be segregated.

As a result, the Court will defer making a final decision with respect to segregability until

the record is complete and the universe of potentially responsive records is settled. See, e.g.,

Zynovieva v. U.S. Dep’t of State, No. 19-3445, 2021 WL 3472628, at *8 (D.D.C. Aug. 5, 2021).

G. Disposition

For the reasons explained above, the Court agrees with many, although not all, of the

arguments that Plaintiff has raised—both in opposition to CMS’s motion for summary judgment

65 and in support of his cross-motion. Anticipating this result, Plaintiffs asks that the Court to grant

summary judgment in his favor (in whole or in part) and to preclude CMS from engaging in the

type of iterative summary judgment practice that has become all too common in FOIA litigation.

As Plaintiff stresses, Federal Rule of Civil Procedure “56(e) does not require the Court to give

the agency another bite at the apple,” Dkt. 44 at 22, and the purposes of FOIA are ill-served by

permitting an agency to wait for an opposing party or court to point out all the deficiencies in the

agency’s justifications for withholding records and then simply to file a renewed motion with the

benefit of the court’s detailed analysis of what is required to satisfy the agency’s burden.

“FOIA’s mandate,” after all, is “that agencies ‘shall’ make requested records ‘promptly

available.’” Jud. Watch, Inc. v. U.S. Dep’t of Homeland Sec., 895 F.3d 770, 775–76 (D.C. Cir.

2018). Because “[i]nformation is often useful only if it is timely,” the “excessive delay” that

multiple rounds of summary judgment briefing can entail “is often tantamount to denial.”

Edmonds v. FBI, 417 F.3d 1319, 1324 (D.C. Cir. 2005) (quoting H.R. Rep. No. 93-876, at 6

(1974)).

At the same time, however, the D.C. Circuit and this Court have recognized that the

propriety of permitting do-overs must be assessed on a case-by-case basis. The D.C. Circuit

touched on this issue in Citizens for Responsibility & Ethics in Washington v. U.S. Department of

Justice, 45 F.4th 963, 978–79 (D.C. Cir. 2022) (hereinafter “CREW”), where it declined to “fault

the district court for not giving [an agency] another chance” in a FOIA case. In reaching that

conclusion, the court identified a number of considerations, including (1) the fact that the agency

did not timely request another chance; (2) the case did “not involve ‘extraordinary

circumstances’ in which, ‘from pure human error,’ the government ‘will have to release

information compromising national security or sensitive, personal, private information, unless

66 the court allows it to make an untimely . . . claim,’” id. at 979 (quoting Maydak v. DOJ, 218 F.3d

760, 767 (D.C. Cir. 2000)); and (3) the case was not one “in which an agency [had] present[ed] a

viable legal theory for a claimed exemption but provide[d] declarations that c[a]me up short in

tying the requested records to that exemption,” id.. As the court explained with respect to this

last consideration, it may (at least on occasion) “be prudent for a district court to permit

supplemental declarations” further explaining the applicability of an exemption. Id.

Consistent with these considerations, this Court has at times granted agencies do-overs in

FOIA litigation, including by permitting agencies to assert new exemptions after an initial round

of summary judgment proceedings, see, e.g., Shapiro v. U.S. Dep’t of Justice, 177 F. Supp. 3d

467 (D.D.C. 2016); Shapiro v. U.S. Dep’t of Justice, 2016 WL 3023980 (D.D.C. May 25, 2016),

to make new arguments after losing on summary judgment, see, e.g., Brennan Ctr. for Just. at

N.Y.U. Sch. of L. v. U.S. Dep't of Justice, No. 18-1860, 2021 WL 2711765, at * 8 (D.D.C. July 1,

2021), and, most commonly, to refine or further explain their bases for withholding records, see,

e.g., Mountgordon v. U.S. Coast Guard, No. 21-1319, 2023 WL 5607454, at *13 (D.D.C. Aug.

30, 2023). But, in each context, the Court has balanced FOIA’s “statutory goals—efficient,

prompt, and full disclosure of information,” August v. FBI, 328 F.3d 697, 699 (D.C. Cir. 2003)

(emphasis omitted) (quoting Sen. of the Commonwealth of Puerto Rico v. U.S. Dep’t of

Justice, 823 F.2d 574, 580 (D.C. Cir. 1987)), against the adverse consequences of requiring

disclosure of potentially exempt records based on anything ranging from modest lack of clarity

by the agency to a failure by the agency and its counsel to take their responsibilities under FOIA

as seriously as they should. In a recent opinion, for example, the Court observed that the

agency’s “motion for summary judgment [was] poorly supported and lack[ed] essential detail,”

and that the agency had “not taken the time to support its position.” Mountgordon, 2023 WL

67 5607454, at *1. The Court, however, separately considered the proper disposition with respect to

each set of records at issue, granting summary judgment in favor the plaintiff as to some, and

permitting the agency another chance where (1) it seemed likely that the agency’s position could

be sustained with some additional explanation, or (2) “the redactions potentially implicate[d] the

interests of third parties, who cannot be blamed for the [agency’s] omission.” Id. at *7–*13.

Rule 56, moreover, provides the Court with the discretion to balance FOIA’s goal of

prompt disclosure against the harm that an unwarranted disclosure might cause to the agency or

an innocent third party, and, in doing so, to consider the good faith (or lack of diligence) with

which the agency has approached the litigation. In particular, Rule 56(e) provides that, “[i]f a

party fails to properly support an assertion of fact or fails to properly address another party’s

assertion of fact . . . , the court may,” among other things, grant summary judgment against that

party, provide that party with a further “opportunity to support or address the fact,” or “issue any

other appropriate order.” Fed. R. Civ. P. 56(e). The Court may also grant or deny summary

judgment with respect to “part of [a] claim or defense,” Fed. R. Civ. P. 56(a), such as the

adequacy or inadequacy of the agency’s search for responsive records, and “may enter an order

stating any material fact . . . that is not genuinely in dispute and treating the fact as established in

the case,” Fed. R. Civ. P. 56(g).

Applying these principles here, the Court notes that CMS has missed opportunities to

address at least some of the flaws and omissions in its filings. After Plaintiff identified

significant problems with CMS’s initial declaration, the agency submitted a supplemental

declaration that addressed only a few of these problems and that ignored others. To paraphrase

the D.C. Circuit’s recent decision in the CREW case, “[t]hose [two] declarations, coupled with

the [agency’s] two briefs, gave ample opportunity [for CMS] to identify” the basis for the

68 withholdings. CREW, 45 F.4th at 979. Even so, CMS was not able to meet its burden—and with

respect to some withholdings or arguments appeared not even to try. Most notably, despite

Plaintiff pointing out that CMS wholly failed to address foreseeable harm with respect to its

Exemption 4 withholdings, CMS did not respond at all to that argument in its reply brief or in the

supplemental declaration it filed (which did address foreseeable harm with respect to Exemption

5).

On the other side of the scale, however, the interests of third parties are likely implicated

by the most glaring of CMS’s omissions. The agency invoked Exemption 6, which is intended

“to protect individuals from the injury and embarrassment that can result from the unnecessary

disclosure of personal information,” Multi Ag Media LLC, 515 F.3d at 1228 (quoting U.S. Dep’t

of State v. Wash. Post Co., 456 U.S. 595, 599 (1982)), and it invoked Exemption 4, which is

designed to prevent the disclosure of sensitive commercial information and thus also the interests

of third parties. With respect to this latter category of withholdings, Plaintiff argues that “[m]ost

agencies . . . have regulations requiring [them] to notify third party submitters when a requester

has filed a lawsuit implicating the submitter’s information that might fall under Exemption 4”

and that, “[a]bsent contrary evidence,” the Court should assume that CMS provided this notice

and that the purportedly interested third parties declined to intervene to protect their interests.

Dkt. 44 at 23. The Court is skeptical, however, that CMS notified the interested parties of the

litigation, particularly since the agency withheld their information, and, in any event, the Court is

not prepared merely to assume that the interested parties were notified and declined to take steps

to protect their confidential business information.

CMS’s substantive defenses of its Exemption 5 withholdings are on less shaky ground

than its other withholdings, and the Court concludes that it is likely that those withholdings can

69 be sustained, at least in substantial part, with further explication from the agency. Permitting a

second bite at the apple with respect to these withholdings is more in line with the type of

refinement that this Court often permits in FOIA cases. See, e.g., Kolbusz v. FBI, 2021 WL

1845352, at *27 (D.D.C. Feb. 17, 2021) (“[W]here a court has found an agency failed to justify

its claimed FOIA exemptions—courts have denied the defendant’s and plaintiff’s motions for

summary judgment without prejudice and given the agency the choice to ‘disclose those

documents or file supplemental submissions indicating in sufficient detail why withholding is

proper.’” (quoting Shurtleff v. EPA, 991 F. Supp. 2d 1, 20 (D.D.C. 2013))); Muttitt, 926 F. Supp.

2d at 308 (“[T]he Court will deny summary judgment to the [defendant] regarding its Exemption

5 withholding determinations that invoke the deliberative process privilege in the . . . challenged

documents. The defendant may either supplement its declaration demonstrating the applicability

of the deliberative process privilege to the information contained in these . . . documents or

disclose that information to the plaintiff.”); 100Reporters, 248 F. Supp. 3d 115, 165 (D.D.C.

2017) (“[T]he Court must deny summary judgment with regard to DOJ’s withholdings. If

DOJ . . . intend to continue to rely on Exemption 7(C), they will have another opportunity to

present further affidavits justifying the withholdings. Although DOJ is not necessarily

prohibited from relying on categorical arguments, it should, at the least, make a more

particularized showing for defined subgroups.” (quotation omitted)).

For these reasons, the Court will deny summary judgment to both parties with respect to

the relevant withholdings but will do so without prejudice. The Court cautions CMS, however,

that “this is not a process that can continue indefinitely” and that “FOIA does not permit an

agency to make a half-hearted effort with the expectation that, if unconvincing, it can simply ‘do

it over’—again and again, until the Court is satisfied.” Mountgordon, 2023 WL 5607454, at *1.

70 Finally, the Court will grant summary judgment in favor of Plaintiff on the issue of

exhaustion and with respect to the adequacy of the agency’s searches. For the reasons explained

above, Plaintiff did administratively exhaust his May 15 FOIA request before filing suit, and, the

searches that CMS conducted were plainly inadequate. Accordingly, there is no reason to delay

granting Plaintiff summary judgment on either issue. As noted above, Rule 56(a) permits the

Court to enter summary judgment with respect to “the part of [a] claim or defense,” and use of

that discretion is warranted here.

CONCLUSION

For the foregoing reasons, CMS’s motion for summary judgment, Dkt. 28, is hereby

DENIED, and Plaintiff’s motion for summary judgment, Dkt. 31, is GRANTED in part and

DENIED in part. It is hereby ORDERED that the parties shall meet and confer and shall submit

a joint status report on or before October 31, 2023 proposing a schedule for further proceedings

in this case.

SO ORDERED.

/s/ Randolph D. Moss RANDOLPH D. MOSS United States District Judge

Date: September 30, 2023