
307 F.Supp.2d 705 (2004)
Rosalynn LAW, Plaintiff,
v.
David J. ZUCKERMAN, M.D., Defendant.
No. CIV.A. CBD-01-1429.
United States District Court, D. Maryland, Southern Division.
February 27, 2004.
*706 Allen T. Eaton, III, LaVern D. Wiley, Eaton and McClellan, Washington, DC, Theresa M. Blanco, Eaton and McClellan, Philadelphia, PA, for Plaintiff.
Benjamin S. Vaughan, Karen A. Ferretti, Armstrong, Donohue, Ceppos and Vaughan Chtd, Rockville, MD, for Defendant.

MEMORANDUM OPINION DENYING PLAINTIFF'S ORAL MOTION TO PRECLUDE DEFENSE COUNSEL FROM CONDUCTING EX PARTE INTERVIEWS WITH PLAINTIFF'S TREATING PHYSICIAN
DAY, United States Magistrate Judge.
The Court is faced with an apparent issue of first impression in the Fourth Circuit in this medical malpractice action. The question presented is whether adverse counsel's ex parte discussions with a treating physician regarding the scope of the physician's care violate the Health Insurance and Portability Accountability Act of *707 1996, 42 U.S.C. 1320d et seq. ("HIPAA"). The Court finds that in the absence of strict compliance with HIPAA such discussions are prohibited.
Plaintiff Rosalynn Law ("Plaintiff"), brought this medical malpractice action against Defendant David J. Zuckerman, M.D., ("Defendant"). Jurisdiction is based on diversity of citizenship, and therefore Maryland substantive law must be applied where it does not conflict with controlling federal law. This Court heard arguments on January 7, 2004 and January 8, 2004 pursuant to Plaintiff's oral motion to prohibit defense counsel from conducting ex parte interviews with Plaintiff's treating physician. ("Plaintiff's Motion"). After review of the relevant statutes and case law, the Court denied Plaintiff's Motion. The Court now supplements and further articulates its opinion.
There are two questions before the Court raised by Plaintiff's Motion. The first was whether Defendant's ex parte pre-trial contacts with Plaintiff's treating physician, Dr. Thomas Pinckert, were a violation of HIPAA. Second, if those contacts were a violation of HIPAA, whether the remedy was to preclude Defendant from having other ex parte communications with Dr. Pinckert. This Court finds that a violation of HIPAA did occur but the remedy requested is not appropriate.
A jury trial commenced in this case on January 6, 2004. Plaintiff alleged that the surgical treatment she received from Defendant rendered her cervix incompetent. Defendant performed a laser ablation procedure to remove dysplasia, or abnormal cells, from Plaintiff's cervix. Plaintiff's claim of malpractice is that during the procedure Defendant used laser power settings which caused collateral damage to her cervical tissue. Thereafter, Plaintiff became pregnant and increasingly concerned about her ability to carry a child. Plaintiff sought medical advice as to how best to carry the child to term. One treatment alternative available to Plaintiff was the placement of a cervical cerclage. Simply stated, the cerclage is a method of placing sutures on the cervical tissue so as to minimize the dilation of the cervical opening during the course of pregnancy. Among Plaintiff's alleged damages were the costs and injuries associated with the placement of a permanent cerclage by Dr. Pinckert.
At the end of the second day of trial, Plaintiff raised an objection to ex parte communications that may have occurred between Dr. Thomas Pinckert and Defendant's counsel. Dr. Pinckert had long before been identified as one of Defendant's fact witnesses in the Pre-trial Statement prepared by the parties and approved by the Court. Dr. Pinckert was called to testify as Defendant's first fact witness and to explain that Plaintiff's alleged damages due to the placement of the cerclage were the result of an elective surgical procedure and not a procedure compelled by the alleged negligent care of Defendant. Defendant's counsel met with Dr. Pinckert after Plaintiff provided her medical records to Defendant as part of discovery. Plaintiff was never notified in advance that Defendant's counsel would pursue ex parte communications with her treating physician. Plaintiff asserts that any attempt by the defense to have such communications is a violation of HIPAA.
Plaintiff's sole request is for the issuance of an order precluding Dr. Pinckert from discussing Plaintiff's treatment and care with defense counsel or, in the alternative, to order Defendant to disclose all communications held with Dr. Pinckert and the details of Dr. Pinckert's expected testimony at trial. Transcript of Motions Hearing ("Transcript") January 7, 2004, at 4-5. Defendant's counsel stated that ex parte communications outside the four corners *708 of Dr. Pinckert's medical records regarding Plaintiff had not taken place, and that it was not the intention of the defense to do so at any time. Transcript, January 7, 2004, at 4-5; Transcript, January 8, 2004, at 6-7.
The Court initially disagreed with Plaintiff as to the application of HIPAA. The Court then issued an order permitting both sides to have ex parte communications with Dr. Pinckert regarding his care and treatment for purposes of the present case before he testified as a fact witness. Upon further reflection, the Court believes Plaintiff correctly discerned the applicability of HIPAA, but the remedy remains unchanged.

Discussion

A. The ex parte contacts between Defendant and Dr. Pinckert are governed by HIPAA not Maryland law.
Maryland law does not prohibit ex parte communications "between a lawyer and the treating physician of an adverse party who has placed her medical condition at issue." Butler-Tulio v. Scroggins, 139 Md.App. 122, 150, 774 A.2d 1209 (2001). Nor does HIPAA prohibit all ex parte communications with a treating physician for an adverse party. Mere contact between Plaintiff's physician and Defendant's counsel is not regulated by HIPAA. Such contact could include discussion of many benign topics, including but not limited to, the best methods for service of a subpoena, determining convenient dates to provide trial testimony, or the most convenient location for the anticipated deposition of the physician. However, HIPAA clearly regulates the methods by which a physician may release a patient's health information, including "oral" medical records. "The HIPAA regulations permit discovery of protected health information so long as a court order or agreement of the parties prohibits disclosure of the information outside the litigation and requires the return of the information once the proceedings are concluded." Helping Hand, LLC v. Baltimore County, 295 F.Supp.2d 585 (D.Md.2003).
HIPAA and the standards promulgated by the Secretary of Health and Human Services ("Secretary") in the Code of Federal Regulations set forth the baseline for the release of health information. A patient's health information may be disclosed pursuant to 45 C.F.R. § 164.512(e)(1)(i), which states that disclosure is permitted "in response to an order of a court ... provided that the covered entity discloses only the protected health information expressly authorized by such order." Health information includes
any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider ...; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.
45 C.F.R. § 160.103. A trial or deposition subpoena is appropriately treated differently from an order of the Court. When medical information is to be released in response to a subpoena or discovery request, the health care provider must receive satisfactory assurance that: (1) there have been good faith attempts to notify the subject of the protected health information in writing of the request and that subject has been given the opportunity to object; or (2) reasonable efforts have been made by the requesting party to obtain a qualified protective order. 45 C.F.R. § 164.512(e)(1)(ii)(A) and (B).
HIPAA and the related provisions established in the Code of Federal Regulations expressly supersede any contrary *709 provisions of state law except as provided in 42 U.S.C. § 1320d-7(a)(2). Under the relevant exception, HIPAA and its standards do not preempt state law if the state law relates to the privacy of individually identifiable health information and is "more stringent" than HIPAA's requirements. 42 U.S.C. § 1320d-7(a)(2)(B) (referring back to the Historical and Statutory notes to 42 U.S.C. § 1320d-2); 45 C.F.R. § 160.203.
Defendant's counsel has argued that the Maryland Confidentiality of Medical Records Act, Md. Code Ann. Health-Gen. I § 4-306(b)(3), ("MCMRA"), governs this case and not HIPAA because MCMRA's rule governing disclosure is mandatory and therefore more restrictive than HIPAA's permissive rule governing disclosure. Transcript, January 7, 2004, at 2-3. Section 4-306(b)(3) states
(b) Permitted disclosures.  A health care provider shall disclose a medical record without the authorization of a person in interest:
.   .   .   .   .
(3) To a health care provider or the provider's insurer or legal counsel, all information in a medical record relating to a patient or recipient's health, health care, or treatment which forms the basis for the issues of a claim in a civil action initiated by the patient, recipient, or person in interest.
MCMRA is applicable to cases where the patient has sued her health care provider alleging medical malpractice. MCMRA states that in such an instance, a health care provider shall disclose patient records without authorization from the patient. Conversely, HIPAA states that a health care provider may disclose patient records after using certain procedures. For the reasons set forth below, the Court does not agree that MCMRA is "more stringent" than HIPAA's requirements. Accordingly, HIPAA preempts MCMRA and is controlling on the issue of ex parte communications. This Court expressly refrains from opining upon the validity of MCMRA as it relates to the initial disclosure of medical records under § 4-306(b)(3).
Under 45 C.F.R. § 160.203, a state law that is contrary to "a standard, requirement, or implementation specification adopted under this subchapter" is preempted unless it meets one of a small list of exceptions. The only exception relevant here is found in 45 C.F.R. § 160.203(b) which states that a state law is not preempted if it is "more stringent" than a standard, requirement or implementation specification adopted under HIPAA. "More stringent," as defined in 45 C.F.R. § 160.202, means, that the state law meets any one of six criteria. The criteria applicable to this case are the fourth and the sixth listed under the "more stringent" definition.
(4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, provides requirements that narrow the scope of duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable.
.   .   .   .   .
(6) With respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.
Id. In light of the criteria listed above, the Court views "more stringent" to mean laws that afford patients more control over their medical records. This Court's analysis is confirmed by a review of the case law from other jurisdictions.
*710 Most recently, this issue was addressed in National Abortion Fed'n v. Ashcroft, 2004 WL 292079 (N.D.Ill.2004), in the context of a motion to quash a subpoena brought by Northwestern Memorial Hospital (the "Hospital"). In granting the Hospital's motion to quash the Court addressed the question of whether the Illinois medical information privacy laws are more stringent than HIPAA's requirements. Id. at 2004 WL 292079 *2. The Illinois law prohibits the disclosure by a health care provider of "any information he or she may have acquired in attending any patient in a professional character, necessary to enable him or her professionally to serve the patient," without patient consent, even in response to a subpoena. The Illinois courts have held that the protections of this law apply even if the patients' names and identification numbers are deleted or redacted from their medical records. Id. at 2004 WL 292079 *3. Conversely, HIPAA would allow such disclosures with the suggested redactions. Juxtaposing the two statutes, the Court found that "Illinois law concerning when nonparty patient medical records may be disclosed by hospitals" without patient consent is "more stringent" than HIPAA and thus, state law was not preempted. Id.
In United States v. Louisiana Clinic, 2002 WL 31819130 (E.D.La.2002), defendants argued that Louisiana law concerning unauthorized disclosure of confidential medical information should apply because it was "more stringent" than HIPAA. Louisiana law requires either that a patient give his or her consent to the disclosure, or in the absence of consent, that "a court shall issue an order for the production and disclosure of a patient's records ... only: after a contradictory hearing with the patient ... and after a finding by the court that the release of the requested information is proper." Id. at 2002 WL 31819130 *5 (citing La. Rev. Stat. Ann. § 13:3715.1(B)(5)). However, the Court noted that the Louisiana law did not address "the form, substance or the need for express legal permission from an individual," which is "required by 45 C.F.R. § 160.202 for the exception to apply." The Court stated that instead of increasing the restrictions on express legal permission "the Louisiana statute provides a way of negating the need for such permission." Id. The Court found that the Louisiana law was not "more stringent" than the HIPAA regulations and it was therefore preempted by federal law.
Finally, the New Jersey Superior Court addressed this issue in an unpublished opinion decided September 23, 2003. In re PPA Litigation, 2003 WL 22203734 (N.J.Super.L.2003). Under New Jersey case law, ex parte interviews are a legitimate means of informal discovery. Id. at *13. However, because the New Jersey safeguards for disclosure fall below the HIPAA standards for disclosure, HIPAA preempts New Jersey law in that regard. Id. The New Jersey safeguards provide Plaintiff's counsel with notice of the proposed interview, provide the physician with a description of the anticipated scope of the interview, and communicate that the physician's participation in the interview is voluntary. Id. at *2. Under state law, the patient cannot prevent disclosure of the medical information. The New Jersey Superior Court found these safeguards to be insufficient under HIPAA and found that a reasonable notice provision and an opportunity for the patient to object would bring New Jersey into compliance.
Congress enacted HIPAA, in part, to protect the security and privacy of individually identifiable health information. 45 C.F.R. § 164.501 et seq; United States v. Sutherland, 143 F.Supp.2d. 609, 612 (W.D.Va.2001). The rules promulgated by the Secretary define and restrict the ability of health care providers to divulge patient *711 medical records without express consent of the patient or pursuant to a court order. Id. It is clear there is strong federal policy in favor of protecting the privacy of patient medical records.
The key component in analyzing HIPAA's "more stringent" requirement is the ability of the patient to withhold permission and to effectively block disclosure. HIPAA's permissive disclosure requirements give each patient more control over the dissemination of their medical records than MCMRA, while MCMRA sacrifices the patient's control of their private health information in order to expedite malpractice litigation. If state law can force disclosure without a court order, or the patient's consent, it is not "more stringent" than the HIPAA regulations. MCMRA is designed to give adverse counsel access to a patient's medical records without consent.[1] Since Maryland law fails to satisfy the "more stringent" standard, federal law is controlling and all ex parte communications must be conducted in accordance with the procedures set forth in HIPAA.

B. Informal discovery of protected health information is now prohibited unless the patient consents.
The recently enacted HIPAA statute has radically changed the landscape of how litigators can conduct informal discovery in cases involving medical treatment. In times past, given Maryland's reluctance to embrace the physician-patient privilege, ex parte contacts with an adversary's treating physician may have been a valuable tool in the arsenal of savvy counsel. The element of surprise could lead to case altering, if not case dispositive results. Ngo v. Standard Tools & Equipment, Co., Inc., 197 F.R.D. 263 (D.Md.2000)(defendant was free to converse with and use Plaintiff's treating physician as a witness contrary to Plaintiff's wishes). Counsel should now be far more cautious in their contacts with medical fact witnesses when compared to other fact witnesses to ensure that they do not run afoul of HIPAA's regulatory scheme. Wise counsel must now treat medical witnesses similar to the high ranking corporate employee of an adverse party. See Camden v. Maryland, 910 F.Supp. 1115 (D.Md.1996)(holding that counsel may not have ex parte contact with the former employee of an adverse party when the lawyer knows or should know that the former employee has been extensively exposed to confidential client information); Accord Zachair, Ltd. v. Driggs, 965 F.Supp. 741 (D.Md.1997); But see Davidson Supply Co., Inc. v. P.P.E., Inc., 986 F.Supp. 956 (D.Md.1997).
HIPAA outlines the steps to follow in order to obtain protected health information during a judicial proceeding in 45 C.F.R. § 164.512(e). There are three ways. First, counsel may obtain a court order which allows the health care provider to disclose "only the protected health information expressly authorized by such order." 45 C.F.R. § 164.512(e)(1)(i). In the absence of a court order, §§ 164.512(e)(1)(ii)(A) and (B) provide two additional methods available when used in conjunction with more traditional means of discovery.

C. The imposition of sanctions is not appropriate.
To the extent there was a disclosure of individually identifiable health information, Defendant's pretrial contacts with Dr. Pinckert were in violation of HIPAA. However, the remedy sought by Plaintiff precluding Defendant's counsel from speaking further with Dr. Pinckert about *712 Plaintiff's treatment is not appropriate here.
The civil remedies for failure to comply with the requirements and standards of HIPAA are found under 42 U.S.C. § 1320d-5. The Secretary shall fine any person who violates a provision of HIPAA "not more than $100 for each such violation." 42 U.S.C. § 1320d-5(a)(1). However, this penalty may not be imposed if either (1) "the person liable for the penalty did not know, and by exercising reasonable diligence would not have known, that such person violated the provision;" or (2) "the failure to comply was due to reasonable cause and not willful neglect" and "the failure to comply is corrected during the 30-day period beginning on the first date the person is liable for the penalty knew, or by exercising reasonable care would have known, that the failure to comply occurred." 42 U.S.C. § 1320d-5(b)(2) and (3). Since HIPAA does not include any reference to how a court should treat such a violation during discovery or at trial, the type of remedy to be applied is within the discretion of the Court under Fed. R. Civ. P. 37.
In this case, this Court's discretion is guided by the fact that the penalty that could be levied by the Secretary as described above is mild and that in all likelihood the defense would be able to afford itself of the aforementioned statutory defenses. All counsel were knowledgeable and extremely skilled in addressing the issues presented in this less than clear area of the law.[2]
Defendant's counsel believed in good faith that MCMRA fell into the "required by law"[3] exception to HIPAA. Transcript January 7, 2004, 2-3. It does not. The exception is found under 45 C.F.R. § 164.512 and sets forth additional requirements that must be satisfied before the Maryland statute can be accepted under the rubric of "required by law."
Under 45 C.F.R. § 164.512(a)(1), a doctor or other covered entity "may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law." Defendant reasoned that because MCMRA mandates that patient records are discoverable without authorization or notice to the patient, its ex parte communications with Dr. Pinckert fell into this exception. However, a closer reading of the statute reveals that a doctor or other covered entity "must meet the requirements described in paragraph (c), (e), or (f)" of § 164.512 when they are "required by law" to disclose protected health information. 45 C.F.R. § 164.512(a)(2).
Paragraph (e) of § 164.512, "disclosures for judicial and administrative proceedings," applies to medical information disclosed during discovery. This section anticipates that a patient's records can only be disclosed in response to a court order, or, if in the case of a subpoena or discovery request, when accompanied by satisfactory assurance that (1) written notice has been given to the patient allowing an *713 opportunity to object; or (2) a qualified protective order has been sought by the requesting party. 45 C.F.R. § 164.512(e) et seq. It therefore follows that while a physician may disclose a patient's records in accordance with MCMRA's mandate, he or she must do so using the procedures set forth in HIPAA.
Notwithstanding the Court's disagreement with Defendant's counsel's analysis, it is clear that he exercised more than reasonable diligence when determining that his contacts with Dr. Pinckert did not violate HIPAA. On January 8, 2004, the Court did not find at the time that HIPAA applied in the instant case. Transcript, January 8, 2004 at 5-6. However, in the event that Defendant's contact with Dr. Pinckert triggered a HIPAA violation, the Court ordered that either party could speak with Dr. Pinckert before he testified about the issues set forth in Plaintiff's medical records. The Court also stated that if Dr. Pinckert strayed in his testimony from the medical records and offered any opinions beyond his experience as Plaintiff's treating physician such testimony would be prohibited. While the Court finds upon further review that HIPAA was applicable to any pre-trial disclosure of Plaintiff's medical information, it is also apparent that the Court's Order effectively remedied any potential violation.

D. Conclusion
Therefore, for the reasons stated above, Plaintiff's Motion to preclude Dr. Pinckert from discussing the Plaintiff's treatment with defense counsel is denied.
NOTES
[1]  Under MCMRA, it can be plausibly argued that patient consent is inferred by the filing of suit by Plaintiffs. This Court does not believe inferred consent satisfies the intended purpose of HIPAA.
[2]  Parenthetically, counsel for both parties repeatedly demonstrated the high ideal of civility in their dealings with the Court and each other throughout these proceedings. All counsel aggressively represented their clients, while being courteous litigants. See THE CODE OF CIVILITY OF THE BAR ASS'N OF MONTGOMERY COUNTY, MARYLAND (2003); MARYLAND STATE BAR ASS'N CODE OF CIVILITY (1997).
[3]  "Required by law means a mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, ... statutes or regulations that require such information[.]" 45 C.F.R. § 164.103.
