Given libraries are preparing plans to reopen, I am looking for a follow up to the 3/19/2020 question posted to Ask The Lawyer pertaining to being informed that an individual who has been confirmed to have COVID visited one of our libraries. (participated in a program).
With the new tracing protocols (COVID-19) required by Re-Open New York, what, if any, impact will there be on CPLR 4509? Will libraries be required to provide information and if so, to what extent? Currently we require a judicial subpoena in order to provide any information regarding a patron - including identifying if a patron has been in the library.
Your guidance is much appreciated.
The short answer
This answer is being written on May 28th, 2020.
At this time, in addition to Executive Order 202 issued on March 7, 2020 and declaring a state of emergency in New York through September 7th, 2020, there are 30 Executive Orders.
These Executive Orders create temporary modifications to a wide and ever-increasing array of state law and regulations. They have impacted elections, public health practices, landlord tenant relations, and countless operations of the New York State justice system.
However, as of this date, there has been no modification of section 4509 of the state Civil Procedure Law and Rules (“CPLR”), which, with only very limited exceptions, bars third-party access to a user’s library records.
Therefore, at this time, any library receiving a request from a third party for confidential library records, even if in relation to contract tracing efforts, should follow the same procedure they do for all other third-party requests: require a subpoena or judicial order.
The same answer, but with more information and analysis
I am grateful to the member for posing this question, because not only is it important to have clarity on this precise issue, it is important for information management professionals across the state of New York, including some of New York's most trusted information professionals — librarians — to be thinking about the impact and finer points of contact tracing.
So what is “contact tracing”?
The Centers for Disease Control describes contract tracing this way on their current COVID-19 response page:
“In contact tracing, public health staff work with a patient to help them recall everyone with whom they have had close contact during the timeframe while they may have been infectious. Public health staff then warn these exposed individuals (contacts) of their potential exposure as rapidly and sensitively as possible.”
After declaring COVID-19 a “communicable disease” as defined by the state’s Public Health Law, New York began using contact tracing to combat COVID-19. Local health departments led the way, organizing information and coordinating warnings within their jurisdiction, an initiative that inspired the previous question referenced by the member.
With the adoption of “New York Forward,” 30 contact tracers for every 100,000 residents is one of the express metrics being used to establish when one of the state’s ten regions is ready to begin a phased reopening. So, every region will be recruiting and deploying “tracers” to gather information and issue warnings to individuals who testing has confirmed have been exposed to COVID-19.
While emphasizing that such warnings must be issued “rapidly,” the CDC’s guidelines for contact tracing also emphasize privacy:
“To protect patient privacy, contacts are only informed that they may have been exposed to a patient with the infection. They are not told the identity of the patient who may have exposed them.”
The State of New York, however, does not require this level of confidentiality in its laws regarding quarantine, notification of infection, and contact tracing related to most communicable diseases. While the precise regulations governing the use of contact tracing to fight the spread of HIV require the consent of the patient, the regulations applying to COVID-19 do not have similar requirements. Nor is such information regarded as protected health information (“PHI”) under HIPAA.
I am highlighting these considerations not to denigrate contact tracing, which has been documented as effective in combating pandemics. However, as of this writing, as reported by The New York Times, many in authority, or with credibility in the arenas of privacy and data security, have expressed serious concerns regarding the procurement and arrangement of the software and personnel that will be used in this massive public health initiative.
Caution about privacy, even during times of emergency, is a good thing.
With all that, the collaborative, community health-focused approach I outlined on March 19, 2020, in https://www.wnylrc.org/ask-the-lawyer/raqs/122 is one I continue to endorse.
In addition to that approach, here is a suggested reply in the event your library is contacted by a state-employed contact tracer, designed to work with your standard protocol for complying with 4509:
[After verifying credentials]
We know your work is critical to public health. Please send us a written list of what you need, and we will work to obtain consent from our users, as required by CPLR 4509. In the alternative, please ensure what you need is very thoroughly set forth in a duly issued subpoena or judicial order. Our library will work to expedite your request as soon as we know we are authorized to do so.
One final point
After conducting the research set forth in this answer, it is my opinion that CPLR 4509’s assurance of the confidentiality of library records is not at odds with the current emergency measures our state is taking to protect lives and get our world back on track.
First, it is critical to remember that under 4509, a person may give their written consent to disclosure. Many people, upon learning they might pose a danger, will give their express and voluntary consent, if they have the capacity at the time. That is their right, and there is no concern with your library contacting them to ask the question.
Second, if the need for confidential library records is truly critical, local board of health officials—and the tracers who will be helping their localities—can invoke the authority created by the public health law to obtain duly authorized subpoenas.
Unlike many other laws and regulations, CPLR 4509 can remain as written, while New York undertakes an unprecedented, massive effort to conduct contact tracing, and protect public health.
Thank you for an important question.
 Found on May 28, 2020 at https://www.cdc.gov/coronavirus/2019-ncov/php/principles-contact-tracing.html.
 Since reporting new or unusual communicable diseases is also required, cases were probably also reported before March 7.
 These metrics are laid out in a graph found at https://www.governor.ny.gov/programs/new-york-forward.
 That section is 10 NYCRR 2.10, which states: “It shall be the duty of every physician to report to the city, county or district health officer, within whose jurisdiction such patient resides, the full name, age and address of every person with a suspected or confirmed case of a communicable disease, any outbreak of communicable disease, any unusual disease or unusual disease outbreak and as otherwise authorized in section 2.1 of this Part, together with the name of the disease if known, and any additional information requested by the health officer in the course of an investigation pursuant to this Part, within 24 hours from the time the case is first seen by him, and such report shall be by telephone, facsimile transmission or other electronic communication if indicated, and shall also be made in writing, except that the written notice may be omitted with the approval of the State Commissioner of Health.”
 New York Public Health Law, Section 309.
We are seeking guidance as a result of the following:
We have been informed (by the Health Department and via news media) an individual who now has been confirmed to have COVID-19 attended a program at one of our libraries. I have been asked the following questions:
1. To what extent is it the responsibility of the library to notify participants who attended the library program the person now diagnosed with COVID-19 attended?
If the library bears no responsibility, would you recommend the library, as a courtesy, notify attendees? What of others who may have been in the library at the time of the program - in many cases, the names of these individuals are not known...are we placing the library in a liability situation if we notify some, but not others? If you suggest a courtesy call, can you please provide suggested language?
2. CPLR 4509 speaks to the confidentiality of library records. We have always employed that this further applies to the identification of anyone using the library, those participating in programs, etc. -- meaning that NO information can be provided to anyone without a proper subpoena. Given that this is a situation related to the health and well-being of our community should (they have not, but this is a question that has been asked) the Health Department request the names of program participants does CPLR apply? If so, can you recommend a response to such a question.
Thank you for your assistance.
To address this very serious array of questions, we’ll take them one at a time.
To what extent is it the responsibility of the library to notify participants who attended the library program the person now diagnosed with COVID-19 attended?
The library is not obligated to notify individual members of the public regarding possible exposure; the county health department is obligated to notify the New York State Department of Health, and will coordinate the necessary level of response.
If the library bears no responsibility, would you recommend the library, as a courtesy, notify attendees?
In a time of pandemic, information is power. If the library has the capacity to notify attendees in a way that connects them to meaningful next steps, AND the County Health Department agrees that such notification will be helpful, then: yes, that would be a good thing to do.
However, because the slightest bit of mis-information in this step could potentially cause harm, such a courtesy should only be done in collaboration with the County Health Department.
What of others who may have been in the library at the time of the program - in many cases, the names of these individuals are not known...are we placing the library in a liability situation if we notify some, but not others?
An effort to empower people, through information, to take care of themselves and minimize the spread of disease will not expose the library to liability in the event only known attendees can be alerted. As stressed above, the greater risk would be mis-informing the public, which is why coordination with the county health department is key.
If you suggest a courtesy call, can you please provide suggested language?
For reasons of confidentiality and accessibility, the notice should not be a verbal phone call, but rather (and only if confirmed as helpful by the County Health Department), a written notice sent to the library’s user’s email address.
Suggested text for your library to review with the health department is:
Dear Library Member:
As you know, the [INSERT] [County Department of Health] is monitoring the development of COVID-19 in our county.
As you can see at the listing [here], the Department has determined that on DATE, a person with COVID-19 attended the [INSERT PROGRAM NAME] program at our library, which ran from TIME to TIME on DATE.
Because the [NAME] Library values every member, and because we believe knowledge is power, we are working with the county to notify individuals who we know were present at the event. As advised by the County’s guidance [here], encourage you to monitor yourself daily for symptoms of COVID-19.
Further information on what to do in the event of a health concern is on the Health Department’s website at [link].
Your library information is confidential and your participation in the [NAME] event will not be released unless upon your request.
Given that this is a situation related to the health and well-being of our community…[if] the Health Department request the names of program participants does CPLR  apply? If so, can you recommend a response to such a question.
Yes, the confidentiality requirement of CPLR 4509 absolutely still applies. Here is the language of that law:
Library records, which contain names or other personally identifying details regarding the users of public, free association, school, college and university libraries and library systems of this state, including but not limited to records related to the circulation of library materials, computer database searches, interlibrary loan transactions, reference queries, requests for photocopies of library materials, title reserve requests, or the use of audio-visual materials, films or records, shall be confidential and shall not be disclosed except that such records may be disclosed to the extent necessary for the proper operation of such library and shall be disclosed upon request or consent of the user or pursuant to subpoena, court order or where otherwise required by statute.
Because CPLR 4509 is so clear in its protection of patron information, I am not comfortable concluding that disclosure to a County Health Department is allowed for the “proper operation” of the library, or even in the case of a declared emergency. Even during times of trouble, we need to follow the law.
However, if the library has the capacity to do so, upon request of the Health Department, the library can write to the impacted patron, and see if the patron will request the disclosure.
Sample outreach to see if the patron wants their information released is:
As a result of a person who visited the [NAME] library testing positive for COVID-19, the county health department has the name and contact information of other patrons who visited during the [EVENT].
By law, your library information is confidential. Therefore, the [NAME] Library will only disclose your information if you request that we do so.
Please let us know if you would like us to release your name, address, and phone number on file with the library to the [COUNTY] County Health Department.
You may also directly call the County Health Department about this at [NUMBER]; if you do, tell this it is regarding the COVID-19 case as the [NAME] Library.
In the alternative, the County Health Department may obtain the information via a subpoena or court order.
Those are my answers to the member’s questions. Here are some additional thoughts:
Legal compliance and ethics are strong supports during tough times. Thank you to the member for thinking this situation through so thoroughly.
 10 NYCRR 2.16v
My question is: do public libraries have any legal obligation to collect emergency contact information for children (age 17 and under) attending library programs without a parent or caregiver present/on the premises? Our library is located on the campus of a school district, and we have access to the school district's library automation system, in addition to our own, so we could easily and quickly locate contact information for the parents/caregivers of children who attend our programs in the event of a medical or other type of emergency situation. We already have an unattended minor policy as well. Our Library Board wants to make sure that we are in compliance with both Federal and New York State law on this issue. Thank you.
This question is rather like asking an astronautical engineer: When on a spacewalk, are there any safety procedures specifically related to securing my helmet as I exit the airlock?
Such a question could inspire an initial reaction like: Safety concerns? In SPACE??? Blazing comets, the safety concerns start the moment you blast off!
But upon reflecting on the actual question, the calm, composed answer might be: “To ensure integrity of the pressure garment assembly, double-check the neck-dam’s connection to the helmet’s attaching ring.”
Lawyers get this way addressing questions related to children and liability. Our first reaction is to think about everything that can go wrong. But then we calm down and focus on the specific issue at hand.
So, here is my calm, composed answer to the member’s very specific question:
There are two potential instances where a public library offering a program for unaccompanied minors might be obligated by law to collect emergency contact information.
If the program the library is hosting is a camp required by law to have a “Safety Plan,” applicable regulations arguably require that the library gather the child’s emergency medical treatment and contact information.
If the library is paying a child performer as part of an event, the law requires that the library must collect the child performer’s parent/guardian information before the performance.
Other than the above instances, while such a practice may be required by an insurance carrier, a landlord, or event sponsor, there is no state law or regulation that makes collecting emergency contact information a specific requirement of a public library.
I do have two additional considerations, though.
“Emergency contact” information provided by the parents/guardians, in a signed document drafted expressly for your library, is generally the best course of action when welcoming groups of unaccompanied minors for events not covered by your library’s usual policies.
I write this because Murphy’s Law (which is not on the bar exam, but remains a potent force in the world) will ensure the one time there is an incident at your youth program, the district’s automation system will be down.
Which brings us to the….
Libraries and educational institutions sharing automation systems must make sure that such data exchange does not violate either FERPA (which bars educational institutions from sharing certain student information), or CPLR 4509 (which bars libraries from sharing user information).
Emergency contact information maintained by a school is potentially a FERPA-protected education record. If FERPA-protected, it is illegal for any third party—such as a public library—to access it unless there is an agreement in place with certain required language AND the library’s use of the information is in the students’ “legitimate educational interests.” 
Of course, given the right circumstances, meeting these criteria is perfectly possible. In fact, such agreements can be a routine part of a school’s operations. But just like with a space helmet before leaving the airlock, its best to confirm that everything is in place before you take the next step.
Thanks for a thought-provoking question.
 I imagine aeronautical engineers swear like the rest of us, but I like to image they sound like characters Golden Age comic books.
 Thanks, NASA.gov!
 I know this question isn’t really about camps, but libraries do host them. And since the NY State Health Department’s template for a licensed camp’s “Safety Plan” includes eliciting emergency contact/treatment info, I have to include this consideration. For a breakdown of what types of camps requires licenses, visit https://www.health.ny.gov/publications/3603/
 This is a requirement of Title 12 NYCRR § 186-4.4. Since the library would also need said child performer’s license to perform, this requirement would not likely be missed! I also appreciate that this example is on the far side of what this question is actually about.
 Call your carrier to check. They may even have preferred language for your library to use when crafting registration documents.
 The definition of “education records” under FERPA (and its many exceptions) is here: https://www.ecfr.gov/cgi-bin/text-idx?rgn=div5&node=34:184.108.40.206.33#se34.1.99_13. Interestingly, a student’s name, phone number, and address—three critical components of an emergency contact form—are potentially not FERPA-protected “education records” as they may be considered “directory information” if specifically listed in a public notice from the school, as required by FERPA Section 99.37. FERPA violations can turn on these small details!
 What language is that? Under FERPA Section 99.31, an educational agency or institution may disclose such information to another party (like a library on its campus) if that party is: 1) performing a function for which the school would otherwise use employees; 2) the library directly controls the contractor’s use and maintenance of the records; and 3) the contractor is required to not further disclose the records. This formula can also be found in the link in footnote 4.
 Who says that simile can’t make a second appearance?!