     *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


                                                                Electronically Filed
                                                                Supreme Court
                                                                SCPW-13-0000092
                                                                27-FEB-2014
                                                                10:48 AM




             IN THE SUPREME COURT OF THE STATE OF HAWAI#I

                                  ---o0o---


                        RICHARD COHAN, Petitioner,

                                      vs.

   THE HONORABLE BERT I. AYABE, JUDGE OF THE CIRCUIT COURT OF THE
            FIRST CIRCUIT, STATE OF HAWAI#I, Respondent,

                                      and

  MARRIOTT HOTEL SERVICES, INC. DBA MARRIOTT’S KO OLINA BEACH CLUB
   and MARRIOTT OWNERSHIP RESORTS, INC. DBA MARRIOTT VACATION CLUB
        INTERNATIONAL, Respondents, Real Parties in Interest.


                              SCPW-13-0000092

                            ORIGINAL PROCEEDING
                           (CIV. NO. 11-1-2192)

                             FEBRUARY 27, 2014

ACOBA, McKENNA, AND POLLACK, JJ., WITH RECKTENWALD, C.J., CONCURRING,
                    WITH WHOM NAKAYAMA, J., JOINS

                  OPINION OF THE COURT BY POLLACK, J.

            Petitioner Richard Cohan (Cohan) filed a Petition for

  Writ of Mandamus (Petition) requesting this court to compel the
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


respondent judge to: (1) vacate his order affirming an

arbitration decision that compelled Petitioner to sign

authorizations for release of medical records, and (2) order that

the qualified protective order proposed by Petitioner be utilized

instead.

           We hold that the privacy provision of the Hawai#i

Constitution, article I, section 6, protects Cohan’s health

information against disclosure outside the underlying litigation.

Therefore we grant the Petition, and the respondent judge is

directed to: (1) vacate the order affirming the arbitration

decision, and (2) order that the qualified protective order and

the authorizations for release of medical records be revised

consistent with this opinion.

                                    I.

           In September 2009, Cohan and his wife visited Hawai#i

from California.    While dining at Chuck’s Steak & Seafood at

Marriott’s Ko Olina Beach Club, Cohan fell into a koi pond and

was injured.

           Cohan and his wife sued Marriott Hotel Services, Inc.

dba Marriott’s Ko Olina Beach Club and Marriott Ownership

Resorts, Inc. dba Marriott Vacation Club International

(collectively, “Marriott”) and RRB Restaurants, LLC dba Chuck’s

Steak and Seafood (Restaurant) for damages.          The case was placed




                                    -2-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


in the Court Annexed Arbitration Program (CAAP).           Courtney Naso,

Esq., was appointed the arbitrator.

          On April 30, 2012, Marriott sent Cohan thirteen

authorizations to obtain medical records and two authorizations

for release of employment records, and asked him to sign the

forms.   The medical records authorizations included the following

provisions:

          Unless otherwise revoked, this authorization will expire on
          the following date or event: the final conclusion of the
          proceeding, for which this authorization is being signed.
          If a date or event is not specified, this authorization will
          expire one year from my date of signature below.
          . . . .
          I understand that the health information released under this
          authorization may be re-disclosed by the recipient, in
          relation to the case/matter for which this authorization is
          provided, and may no longer be protected under the federal
          privacy regulations.
          . . . .
          I release the above-named health care provider and
          recipient(s) from all liability and claims whatsoever
          pertaining to the disclosure of information as contained in
          the records released pursuant to this authorization.

(Emphases added).    The employment records authorizations, which

include medical records, accident reports, and claims for

benefits made during employment, included the following language:

          I further authorize [Marriott’s counsel] to further disclose
          this authorization and all information obtained by its use,
          regardless of content, to any and all persons involved in
          the lawsuit/claim, . . . including, but not limited to,
          opposing counsel, experts, consultants, court personnel,
          private investigators, copy services, court reporting
          companies, parties, and insurance representatives.
          . . . .
          The undersigned . . . waives any applicable requirements and
          provisions of the Federal Privacy Act (5 U.S.C. Section 525,
          525(a) et seq.), the provisions of 42 U.S.C. Section 4582,
          the provisions of Chapter 334 of the Hawaii Revised
          Statutes, and Chapter 325 of the Hawaii Revised Statutes
          restricting the use and dissemination of the aforesaid
          information . . . including but not limited to information
          (if any) regarding the psychiatric, psychological, social


                                    -3-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


            work, infectious disease, HIV testing records, alcohol and
            other substance abuse treatment.


(Emphases added).      Cohan returned the authorizations unsigned and

informed Marriott that the authorizations did not comply with the

federal Health Insurance Portability and Accountability Act of

1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996).1 Cohan

notified Marriott that he would not consider signing any

authorizations unless Marriott first sought to obtain the records



      1
            45 C.F.R. § 164.512, which sets forth the uses and disclosures
under HIPAA, provides:

            (e) Standard: Disclosures for judicial and administrative
            proceedings.
            (1) Permitted disclosures. A [medical provider] may
            disclose protected health information in the course of any
            judicial or administrative proceeding:
            . . . .
                  (ii) in response to a subpoena, discovery request, or
                  other lawful process, that is not accompanied by an
                  order of a court or administrative tribunal, if:
                  . . . .
                  (iv) . . . .
                         (A) The parties to the dispute giving rise to
                         the request for information have agreed to a
                         qualified protective order and have presented
                         it to the court or administrative tribunal with
                         jurisdiction over the dispute;
                  . . . .
                  (v) For purposes of paragraph (e)(1) of this section,
                  a qualified protective order means, with respect to
                  protected health information requested under
                  paragraph (e)(1)(ii) of this section, an order of a
                  court or of an administrative tribunal or a
                  stipulation by the parties to the litigation or
                  administrative proceeding that:
                         (A) Prohibits the parties from using or
                         disclosing the protected health information for
                         any purpose other than the litigation or
                         proceeding for which such information was
                         requested; and
                         (B) Requires the return to the [medical
                         provider] or destruction of the protected
                         health information (including all copies made)
                         at the end of the litigation or proceeding.

(Emphasis added).

                                     -4-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


pursuant to Hawai#i Rules of Civil Procedure (HRCP) Rule 312 or by

way of a motion to compel.       In the alternative, Cohan proposed

that the parties enter into a stipulated qualified protective

order (SQPO).

            Cohan forwarded a draft order that contained provisions

patterned after HIPAA (i.e. prohibiting use or disclosure of the

information outside the underlying litigation without Cohan’s

consent and requiring Marriott to return the documents or destroy

them at the end of litigation).        Marriott rejected the draft

protective order and proposed that the parties use a form adopted

by the Hawai#i State Bar Association (HSBA).          Cohan rejected the

HSBA-approved form as too expansive and asked Marriott to delete

several provisions:




      2
            HRCP Rule 31 governs depositions upon written questions and
delineates the subpoena procedure for obtaining documents.

                                     -5-
*** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



     The HSBA-approved language               Cohan’s proposed changes
        (offered by Marriott)

 1. Non-Disclosure Requirement:
 Except as provided herein, none of
 Plaintiff’s/Claimant’s Health
 Information obtained from any source
 shall be disclosed or used by anyone
 or by any entity for any purpose,
 without Plaintiff’s/Claimant’s
 explicit written consent.
 (b) Specifically Allowable Uses,
 Disclosures, and Maintenance: It is
 specifically understood and agreed
 that Plaintiff’s/Claimant’s Health
 Information may be used, and/or
 disclosed, and/or maintained, without
 Plaintiff’s/Claimant’s consent as may
 be required to comply with state or
 federal laws, rules, and court,
 arbitrator, or administrative orders
 (including subpoenas duces tecum),
 and in relation to any claim,
 litigation, and/or proceeding arising
 out of the accident/incident of
 ______ (“Subject Accident”),
 including the following:

 1.(b)(2) for Defendants’ and/or         1.(b)(2) for Defendants’ and/or their
 insurer’s internal review and/or        insurer’s internal review and/or
 auditing, including the handling and    auditing, including the handling and
 disposition of any claim or matter      disposition of any claim or matter
 related to the Subject Occurrence,      related to the Subject Occurrence,
 communication between Defendants and    communication between Defendants and
 their insurers/underwriters/agents;     their insurers/underwriters/ agents;
 relating to the review and/or audit     relating to the review and/or audit
 of claims for the purpose of setting    of claims for the purpose of setting
 premiums, calculating reserves,         premiums, calculating reserves,
 calculating loss experience, and/or     calculating loss experience, and/or
 procuring additional coverage, it       procuring additional coverage, it
 being understood and agreed that        being understood and agreed that
 information will not be used for any    information will not be used for any
 record compilation or database of       record compilation or database of
 Plaintiff’s claim history;              Plaintiff’s claim history;


 1.(b)(3) for external review and/or
 auditing, such as by reinsurers, the           Delete entire provision
 Insurance Commissioner, or external
 auditors;


 1.(b)(6) for any legally required
 reporting to governmental health or
 medical insurance organizations or             Delete entire provision
 their private contractors for
 Plaintiff’s health care and expenses
 related to the Subject Occurrence;




                                    -6-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



        The HSBA-approved language                Cohan’s proposed changes
           (offered by Marriott)

    1.(b)(7) for statistical or
    analytical purposes, provided that
    Plaintiff’s personal identification
    information (e.g., name, specific              Delete entire provision
    street address, specific birth date,
    Social Security number, driver’s
    license number) is not included in
    such review or use of Health
    Information; and


    1.(b)(8) for any record keeping
    requirements or obligations relating           Delete entire provision
    to any of the foregoing, and
    pertaining to the Subject Occurrence.

    The above-noted permissible uses,       The above-noted permissible uses,
    disclosures, and maintenance            disclosures, and maintenance
    provisions are not intended to          provisions are not intended to
    unreasonably limit a party’s or their   unreasonably limit a party’s or their
    counsel’s or insurer’s record-keeping   counsel’s or insurer’s record-keeping
    obligations or requirements.            obligations or requirements.
    Defendants or their agents,             Defendants or their agents,
    attorneys, or insurers may request      attorneys, or insurers may request
    that additional permissible             that additional permissible
    categories of uses, disclosures, or     categories of uses, disclosures, or
    maintenance be added. Plaintiff         maintenance be added. Plaintiff
    shall not unreasonably withhold         shall not unreasonably withhold
    consent, provided that the additional   consent, provided that the additional
    categories requested are consistent     categories requested are consistent
    with the intent of this Order.          with the intent of this Order.




           Cohan indicated that if Marriott modified its version

of the protective order to delete the stricken language, or used

the form he proposed, Cohan would agree to the SQPO, which could

then be attached to subpoenas for the sought-after records.

           At the June 26, 2012 pre-hearing CAAP conference, the

parties discussed the different versions of the protective order.

By letter dated July 3, 2012, the arbitrator informed the parties

of her decision that they use the form that appears on the HSBA



                                       -7-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


website under “Stipulated Qualified Protective Order (for

litigation use)”:

          During the second CAAP pre-hearing conference held on June
          26, 2012, we discussed the form of the Stipulated Qualified
          Protective Order as [the Cohans] were requesting certain
          deletions from the form proposed by [Marriott]. After
          hearing from all counsel and discussing each counsel’s
          position, it was decided the form to be used shall be the
          Stipulated Qualified Protective Order (for litigation use)
          that appears on the Hawaii State Bar Association (HSBA)
          website under Health Care Information Privacy Protection
          Forms.

          [The Cohans’] counsel shall inform [Marriott’s] counsel, in
          writing, no later than Friday, July 6, 2012, whether they
          intend to adhere to the Arbitrator’s above-stated decision.
          In the event one or more parties decides not to adhere to
          the above-stated decision the parties shall file the
          appropriate motions in court to further resolve this issue.


(Underlining in place of italics in the original).           By e-mail

dated July 6, 2012, Cohan informed Marriott that the HSBA form

was unacceptable:

           The HSBA stipulated qualified protective order has no
           mention in Hawaii Rules of Civil Procedure noting that it
           is legally required. It is no more than some form of an
           agreeable agreement, perhaps, but it is a tempest in a tea
           pot as Rule 31, HRCP is available. Rule 31 is a better
           avenue as defense would have to obtain the records, again,
           to be admissible in evidence. Therefore, we cannot agree.


          Marriott thereafter moved for an order compelling Cohan

to sign the fifteen authorizations so that it could obtain the

medical and employment records via subpoena.          By order entered on

September 7, 2012, the arbitrator granted the request and ordered

Cohan to sign the authorizations, as well as the form protective

order from the HSBA website.

          Eleven days later, by letter dated September 18, 2012,

Cohan appealed the arbitrator’s September 7, 2012 decision to the


                                    -8-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


CAAP Administrator.     Cohan argued that Marriott was not entitled

to the relief requested because it did not utilize the discovery

methods authorized by the HRCP and had proposed a protective

order that was too broad.      He further argued that the court

lacked jurisdiction to compel him to sign a document not mandated

by state law, rule, regulation, or decision.          The CAAP

Administrator affirmed the arbitrator’s decision.

          Cohan appealed the CAAP Administrator’s decision to the

Honorable Bert I. Ayabe, the Arbitration Judge.           Again, Cohan

argued that there was no law requiring a party to sign

authorizations or a qualified protective order, and he has a

right to the privacy of his health information.           Judge Ayabe

affirmed the CAAP Administrator’s decision by order entered on

November 13, 2012.

                                   II.

          On February 14, 2013, Cohan filed the Petition and a

Memorandum in Support of Petition (Petition Memorandum).            Cohan

argued that Judge Ayabe abused his discretion by affirming the

arbitrator’s order on the grounds that: (1) the order violates

Cohan’s right of privacy under HIPAA, article I, section 6 of the

Hawai#i Constitution, and Hawai#i case law; (2) the version of the

protective order proposed by Marriott wrongfully allows Cohan’s

health information to be used for purposes beyond the litigation;

(3) the authorizations fail to limit disclosure of Cohan’s


                                    -9-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


private health information; and (4) no statute, law, or rule

requires Cohan to sign the authorizations or the protective

order.   Cohan asked the court to:

           •    Order Judge Ayabe to vacate his order;

           •    Enter a protective order requiring Marriott to

                pursue HRCP Rule 31, using HIPAA-compliant

                language, prior to the use of any SQPO;

           •    Order that no law requires Cohan to sign the

                authorizations for the medical and employment

                information; and

           •    Enter a qualified protective order consistent with

                Cohan’s proposed version or with the version

                proposed by Marriott with Cohan’s proposed

                modifications.

           This court, by order entered on March 14, 2013, ordered

Marriott and the Restaurant to answer the Petition.           In their

joint Response, filed on April 3, 2013, Marriott and the

Restaurant argued that Cohan waived his right to challenge the

form of the SQPO because he failed to appeal the CAAP

arbitrator’s July 3, 2012 letter.         They also argued that their

form of the HSBA-approved SQPO effectively protects any privacy

concerns Cohan may have regarding his health information.

           On July 26, 2013, we issued an order instructing each

party to file a supplemental brief addressing whether the SQPO


                                   -10-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


and medical authorizations required to be signed by the CAAP

Administrator complied with federal and state law.

            On August 9, 2013, Cohan submitted a Supplemental

Memorandum in Support of Petition for Writ of Mandamus.             Cohan

reiterates challenges to Marriott’s SQPO and medical

authorizations set forth in his Petition Memorandum.             Cohan

maintains that the SQPO does not meet the minimum federal

requirements for a protective order as required by HIPAA, much

less the more stringent privacy requirements of the Hawai#i

Constitution.3    Cohan additionally argues that the medical

authorizations negate the protective safeguards required by HIPAA

and the Hawai#i Constitution because the authorizations expressly

allow for re-disclosure of protected information without

referencing the existence of any limitations imposed by the SQPO.

            On August 9, 2013, Marriott submitted its Supplemental

Answering Brief to Petitioner Cohan’s Petition for Writ of

Mandamus.    Marriott argues that:      (1) the medical authorizations

comply with federal and Hawai#i state law, (2) Marriott’s SQPO

complies with federal and Hawai#i state law, and (3) the

employment authorizations comply with federal and Hawai#i state

law.



       3
            Cohan argues that the Hawai#i Constitution requires more than the
minimum protections provided by HIPAA, as article I, section 6 recognizes that
“[t]he right of the people to privacy . . . shall not be infringed without the
showing of a compelling state interest . . . .[and] [t]he legislature shall
take affirmative steps to implement this right.”

                                    -11-
      *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


                                     III.

             A writ of mandamus is an extraordinary remedy that will

not issue unless the petitioner demonstrates a clear and

indisputable right to relief and a lack of alternative means

adequate to redress the alleged wrong or to obtain the requested

action.     Kema v. Gaddis, 91 Hawai#i 200, 204, 982 P.2d 334, 338

(1999).     Where a court has discretion to act, mandamus will not

lie to interfere with or control the exercise of that discretion,

even when the judge has acted erroneously, unless the judge has

exceeded his or her jurisdiction, has committed a flagrant and

manifest abuse of discretion, or has refused to act on a subject

properly before the court under circumstances in which it is

subject to a legal duty to act.          Id. at 204-05, 982 P.2d at 338-

39.    This court has held that “‘[m]andamus is the

appropriate remedy where [a] court issues an order releasing

confidential files . . . and the order is not immediately

appealable.’”      Brende v. Hara, 113 Hawai#i 424, 429, 153 P.3d

1109, 1114 (2007) (per curium) (quoting Kema, 91 Hawai#i at 205,

982 P.2d at 339).4


      4
            Marriott urges the court to find Cohan’s challenge to the July 3,
2012 letter regarding the use of the HSBA-approved stipulated qualified
protective order as untimely. See Haw. Arb. R. 11(B) (a party is required to
challenge an arbitrator’s decision within ten days from the date of the
challenged act). Cohan, however, was not required to appeal from the July 3,
2012 letter. Instead, he appealed from the arbitrator’s September 7, 2012
order, which he was authorized to do. Although the letter of appeal is dated
September 18, 2012, both the CAAP Administrator and Judge Ayabe declined to
rely upon a purported rule violation, and ruled on the merits of the issue in
affirming the arbitrator’s decision. Under Haw. Arb. R. 11(B), “The
                                                                (continued...)

                                      -12-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


                                     IV.

                                     A.

            HIPAA is “a complex piece of legislation that addresses

the exchange of health-related information,” Nat’l Abortion Fed’n

v. Ashcroft, No. 03 Civ. 8695(RCC), 2004 WL 555701, at *2

(S.D.N.Y. Mar. 19, 2004)), one that has “radically changed the

landscape of how litigators can conduct informal discovery in

cases involving medical treatment.”          Law v. Zuckerman, 307 F.

Supp. 2d 705, 711 (D. Md. 2004).          The HIPAA regulations permit

discovery of protected health information5 “so long as a court

order or agreement of the parties prohibits disclosure of the

information outside the litigation and requires the return of the

information once the proceedings are concluded.” Id. at 708

(quoting A Helping Hand, LLC v. Baltimore Cnty., 295 F. Supp. 2d

585, 592 (D. Md. 2003)).




      4
       (...continued)
Arbitration Judge shall have the non-reviewable power to uphold, overturn or
modify the decision of the Arbitration Administrator, including the power to
stay any proceeding.” The decision by the Arbitration Judge to review the
merits of Petitioner’s appeal has not been challenged by Marriott as a
flagrant abuse of discretion in an original proceeding or in this case. In
any event, under the circumstances, it clearly was not a flagrant abuse of
discretion for the Arbitration Judge to review the Administrator’s order
involving an issue of constitutional magnitude.

      5
            Health information includes any information, whether oral or
recorded in any form or medium, that: (1) is created or received by a health
care provider, health plan, public health authority, employer, life insurer,
school or university or health care clearinghouse; and (2) relates to the
past, present or future physical or mental health or condition of an
individual; the provision of health care to an individual; or the past,
present or future payment for the provision of health care to an individual.
45 C.F.R. § 160.103.

                                    -13-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


          HIPAA provides the “federal floor of privacy

protections that does not disturb more protective rules or

practices . . . .    The protections are a mandatory floor, which

other governments and any [Department of Health and Human

Services regulated] entities may exceed.”         Brende, 113 Hawai#i at

429, 153 P.3d at 1114 (quoting 65 Fed. Reg. 82,462 (Dec. 28,

2000)).

          Section 264 of HIPAA directs the Secretary of Health

and Human Services to promulgate regulations to protect the

privacy of medical records, but provides in subsection (c)(2)

that such a regulation “shall not supersede a contrary provision

of State law, if the provision of State law imposes requirements,

standards, or implementation specifications that are more

stringent than the requirements, standards, or implementation

specifications imposed under the regulation.”          HIPAA, Pub. L. No.

104-191, § 264, 110 Stat. 1936 (1996); see also 45 C.F.R. §

160.203(b).   A state standard is “more stringent” if it “provides

greater privacy protection for the individual who is the subject

of the individually identifiable health information.”            45 C.F.R.

§ 160.202(6); see also Nw. Mem’l Hosp. v. Ashcroft, 362 F.3d 923,

924 (7th Cir. 2004).




                                   -14-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


            Hawai#i is one of ten states that expressly recognize a

right to privacy in their constitutions.6          Article I, section 6

of the Hawai#i Constitution provides in relevant part that “[t]he

right of the people to privacy is recognized and shall not be

infringed without the showing of a compelling state interest.”

In promulgating this privacy provision, the 1978 Constitutional

Convention intended “that privacy [be] treated as a fundamental

right for purposes of constitutional analysis.”            Comm. Whole Rep.

No. 15, in 1 Proceedings of the Constitutional Convention of

Hawai#i of 1978 (Proceedings), at 1024.         This express right of

privacy is “a recognition that the dissemination of private and

personal matters, be it true, embarrassing or not, can cause

mental pain and distress far greater than bodily injury. . . .

In short, this right of privacy includes the right of an

individual to tell the world to ‘mind your own business.’”

Stand. Comm. Rep. No. 69, in 1 Proceedings at 674.

            In Brende, this court held that article I, section 6 of

the Hawai#i Constitution protects private health information from

disclosure outside of the underlying litigation.            113 Hawai#i at

426, 153 P.3d at 1111.      In that case, in which the underlying

      6
            Catherine Louisa Glenn, Protecting Health Information Privacy:
The Case for Self-Regulation of Electronically Held Medical Records, 53 Vand.
L. Rev. 1605, 1609 n.25 (2000) (identifying the constitutions of Alaska,
Arizona, California, Florida, Hawai#i, Illinois, Louisiana, Montana, South
Carolina, and Washington as protecting health information privacy). See also
Christopher R. Smith, Somebody’s Watching Me: Protecting Patient Privacy in
Prescription Health Information, 36 Vt. L. Rev. 931, 945 n.90 (2012) (citing
several state court cases recognizing a state constitutional right to
privacy).

                                    -15-
      *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


litigation arose out of a motor vehicle tort, the plaintiffs

petitioned this court for a writ of mandamus directing the

respondent judge “to revise a medical information protective

order to prohibit any person or entity from disclosing, for

purposes outside the underlying litigation and without [the

plaintiffs’] consent, [plaintiffs’] health information produced

in discovery.”       Id.

             The plaintiffs proposed a stipulated order patterned

after HIPAA and Hawai#i law, including article I, section 6 of

the Hawai#i Constitution.        Id. at 426-47, 153 P.3d at 1111-12.

The proposed order prohibited the defendant from using the

plaintiffs’ health information obtained in discovery from a

health plan, health care provider, or any other source outside

the underlying litigation and without the plaintiffs’ consent.

Id.    The order further required the health information to be

returned to the health care entities, if applicable, or otherwise

be destroyed at the end of the litigation.            Id.    The defendant

argued that the proposed order was not necessary and refused to

stipulate to the provision prohibiting the use or disclosure of

information obtained from sources other than health care

providers.      Id. at 427, 153 P.3d at 1112.

             In granting the petition, the Brende court first noted

that HIPAA applies only to “health information obtained in

discovery directly from health care entities.”              Id. at 429, 153


                                      -16-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


P.3d at 1114.     Because HIPAA regulations establish a “federal

floor of privacy protections,” in Hawai#i “a medical information

protective order issued in a judicial proceeding must, at a

minimum, provide the protections of the HIPAA.”            Id. (emphasis

added).   The court further held that article I, section 6 of the

Hawai#i Constitution, establishing the right of privacy, applies

to “informational privacy” and protects “the right to keep

confidential information which is highly personal and intimate.”

Id. at 430, 153 P.3d at 1115 (quotation marks and brackets

omitted).    Because health information is “highly personal and

intimate,” it is protected by the informational prong of article

I, section 6.7    Id.

            Thus, we held that the “constitutional provision

protects the disclosure outside of the underlying litigation of

petitioners’ health information produced in discovery.”8             Id.

      7
            The Brende court noted that the “privacy of health information was
previously codified in Hawai#i Revised Statutes chapter 323C (Supp. 1999)
(Privacy of Health Care Information), which prohibited anyone from disclosing,
outside of a civil action, health information discovered in the proceedings.”
Brende, 113 Hawai #i at 430 n.5, 153 P.3d at 1115 n.5. The law was enacted in
1999, but was subsequently repealed in 2001 upon the legislature’s finding of
“‘little support for a Hawaii Medical Privacy Law in light of the adoption of
[HIPAA],’ ‘no evidence of widespread abuse [of medical records privacy] in
Hawaii,’ and a need for ‘a clear understanding of what, if any, problems
Hawaii faces in protecting medical privacy.’” Id. (quoting 2001 Haw. Sess. L.
Act 244).

      8
            Finally, the Brende court held that the plaintiffs had also
demonstrated “good cause” for a protective order that provided disclosure
protections in excess of what was required by HIPAA, and thus directed the
trial judge to issue an order prohibiting the defendant from using or
disclosing health information obtained from any source. Id. at 431-32, 153
P.3d at 1116-17 (citing HRCP Rule 26(c)). The court reasoned that
“determining whether good cause exists . . . requires a balancing of
respondent’s need, outside of the underlying litigation, for petitioners’
                                                                (continued...)

                                    -17-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


(emphasis added).     The court noted, “once the information is

disclosed, the potential harm cannot be undone.”            Id.

Accordingly, the court held that the plaintiffs were entitled to

mandamus relief.     Id. at 431-32, 153 P.3d at 1116-17.

                                     B.

            Hawai#i’s protection of a person’s health information

is based on an overarching constitutional principle of

informational privacy that prohibits the disclosure of health

information outside the underlying litigation without a showing

of a compelling state interest.        In contrast, the HIPAA

regulations are “dense, complex, confusing, and lengthy.”              Smith,

supra, note 6, at 978.9

            This complexity is exemplified by HIPAA’s treatment of

“de-identified” health information.10        Marriott’s SQPO includes a



      8
       (...continued)
health information produced in discovery against the injury that might result
from the disclosure of that health information outside of the litigation.”
Id. at 431, 153 P.3d at 1116. The court found no legitimate need, outside of
the underlying litigation, for the plaintiffs’ health information produced in
discovery. Id.

      9
            The complete text, including amendments, of 45 C.F.R. parts 160
and 164, which specifically set out the privacy and security standards, “now
consist of fifty-five pages of dense regulatory language.” Nicholas P. Terry,
What’s Wrong with Health Privacy, 5 J. Health & Biomedical L. 1, 31 (2009).
See also Laura Parker, Medical-privacy law creates wide confusion, USA Today
(Oct. 16, 2003, 11:01 PM), http://usatoday30.usatoday.com/news/nation/2003-10-
16-cover-medical-privacy_x.htm (last updated Oct. 17, 2003, 9:47 AM)(noting
that though the privacy provisions in the original HIPAA began as a 337-word
guideline, the final regulations swelled to 101,000 words).

      10
            Robert Gellman, The Deidentification Dilemma: A Legislative and
Contractual Proposal, 21 Fordham Intell. Prop. Media & Ent. L.J. 33, 37-38
(2010) (noting that HIPAA “provides an example of the difficulty of achieving
– or even defining – deidentification”).

                                    -18-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


de-identification provision.        HIPAA defines de-identified health

information as heath information “that does not identify an

individual and with respect to which there is no reasonable basis

to believe that the information can be used to identify an

individual . . . .”      45 C.F.R. § 164.514(a).       Once health

information has been de-identified, it is no longer protected by

HIPAA.     Further, because HIPAA allows “more stringent” state law

to preempt federal law only when it relates to the privacy of

“individually identifiable health information,” 45 C.F.R. §

160.203(b), this leads to the conclusion that state law also does

not protect de-identified information.          Nw. Mem’l Hosp., 362 F.3d

at 926.

            As an initial matter, the de-identifying process itself

is extremely complex and problematic.         Under the rigorous,

comprehensive scheme for de-identification established by 45

C.F.R. § 164.514(b), there are two methods to achieve de-

identification.11    The first, known as the “Expert Opinion”

method, requires a “person with appropriate knowledge of and

experience with generally accepted statistical and scientific

principles and methods for rendering information not individually

identifiable” to apply those methods and then determine that the



      11
            See Guidance Regarding Methods for De-identification of Protected
Health Information in Accordance with the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule, U.S. Dep’t of Health & Human Serv.,
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-
identification/guidance.html (last visited Feb. 26, 2014).

                                    -19-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


recipient of the information could identify the individual.               45

C.F.R. § 164.514(b)(1).       The second, known as the “Safe Harbor”

method, requires the removal of eighteen types of identifiers,

such as account numbers, telephone numbers, license plate

numbers, and e-mail addresses.        Id. § 164.514(b)(2).       Health

information is considered sufficiently de-identified when “[t]he

covered entity does not have actual knowledge that the

information could be used alone or in combination with other

information to identify an individual who is a subject of the

information.”     Id. § 164.514(b)(2)(ii).       But, HIPAA expressly

allows a covered entity to re-identify previously de-identified

information, provided that it adopts certain safety measures.                45

C.F.R. § 164.514(c).      Once re-identified, the information is

subject to the privacy rules.        Id.

            In the event of a discovery dispute, judges would be

required to determine if information has been sufficiently de-

identified so as to escape HIPAA protection and state law

preemption.    If identifiers remain and HIPAA therefore applies,

judges would determine whether health information has been

adequately protected, and in doing so, apply an intricate web of

regulations related to covered entities’ internal operations.12

      12
            For example, covered entities must identify “[t]hose persons or
classes of persons, as appropriate, in its workforce who need access to
protected health information to carry out their duties” and “[f]or each such
person or class of persons, the category or categories of protected health
information to which access is needed and any conditions appropriate to such
access.” 45 C.F.R. § 164.514(d)(2)(i). Further, for those disclosures that a
                                                                (continued...)

                                    -20-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


Because HIPAA also permits a covered entity to disclose protected

health information to a “business associate” to conduct the de-

identification process on its behalf,13 judges would need to

examine the stringent requirements governing that relationship as

well.14    If information is sufficiently de-identified, however, no


      12
       (...continued)
covered entity makes on a routine basis, it must “implement policies and
procedures (which may be standard protocols) that limit the protected health
information disclosed to the amount reasonably necessary to achieve the
purpose of the disclosure.” 45 C.F.R. § 164.514(d)(3)(i). But for all other
disclosures, it must “[d]evelop criteria designed to limit the protected
health information disclosed” and “[r]eview requests for disclosure on an
individual basis in accordance with such criteria.” 45 C.F.R. §
164.514(d)(3)(ii). The Privacy Rule permits incidental uses and disclosures
that occur as a by-product of another permissible or required use or
disclosure, as long as the covered entity has applied reasonable safeguards.
45 C.F.R. § 164.502(a)(1)(iii). There are several other regulations related
to a covered entity’s uses and disclosures of protected health information,
such as requests for health information (45 C.F.R. § 164.514(d)(4)), data use
agreements (45 C.F.R. § 164.514(e)), fundraising communications (45 C.F.R. §
164.514(f)), and insurance underwriting or premium rating (45 C.F.R. §
164.514(g)).

      13
            The applicable HIPAA regulation states, in relevant part, “[a]
covered entity may use protected health information to create information that
is not individually identifiable health information or disclose protected
health information only to a business associate for such purpose, whether or
not the de-identified information is to be used by the covered entity.” 45
C.F.R. § 164.502(d)(1) (emphases added).

      14
            There are several regulations concerning a covered entity’s
relationship with a business associate, defined as one who “creates, receives,
maintains, or transmits protected health information for a function or
activity regulated by this subchapter, including claims processing or
administration, data analysis, processing or administration, utilization
review, quality assurance, patient safety activities listed at 42 CFR 3.20,
billing, benefit management, practice management, and repricing” or
“[p]rovides, other than in the capacity of a member of the workforce of such
covered entity, legal, actuarial, accounting, consulting, data aggregation [],
management, administrative, accreditation, or financial services to or for
such covered entity, or to or for an organized health care arrangement in
which the covered entity participates[.]” 45 C.F.R. § 160.103(1)(ii).
Further, the definition goes on to state that a “covered entity may be a
business associate of another covered entity,” id. at § 160.103(2), and
enumerate which entities may or may not be classified as business associates.
Id. at §§ 160.103(3)-(4).
            See, e.g., 45 C.F.R. § 164.502(a)(3) (providing that a business
associate may use or disclose protected health information only as permitted
or required by its business associate contract or other arrangement); id. at §
                                                                (continued...)

                                    -21-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


such analysis is required, and the covered entity may share the

data without restriction.15

            Apart from these technical considerations, there is the

very complicated issue as to whether a patient has a legitimate

basis for being concerned about what happens to their personal

health information once it is de-identified.16          The Seventh

Circuit has held that “[e]ven if there were no possibility that a

patient’s identity might be learned from a redacted medical

record, there would be an invasion of privacy.”            Nw. Mem’l Hosp.,

362 F.3d at 929.     If citizens feel that their privacy rights in

health care information are not adequately protected, this may


      14
        (...continued)
164.502(e) (providing that a covered entity may disclose protected health
information to a business association and allow the business associate to
“create, receive, maintain, or transmit protected health information on its
behalf” if the covered entity “obtains satisfactory assurance that the
business associate will appropriately safeguard the information”); id. at §
164.504(e) (setting forth requirements for business associate contracts).

      15
            Guidance Regarding Methods for De-identification of Protected
Health Information in Accordance with the Health Insurance Portability and
Accountability Act (HIPAA) Privacy Rule, U.S. Dep’t of Health & Human Serv.,
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-
identification/guidance.html (last visited Feb. 26, 2014). Though the Privacy
Rule does not limit how a covered entity may disclose de-identified
information, a covered entity may require the recipient of such information to
enter into a data use agreement to access files with known disclosure risk.
Id.

      16
            Despite the identification provisions’ intricacy, the risk of re-
identification remains, as there is “no national, uniform standard governing
the level of identifier-stripping necessary to guarantee that de-identified
data cannot be re-identified.” Smith, supra, at 935. Along with concerns
related to the security of this information once distributed, some patients
have subjective privacy concerns. Id. at 936 (arguing that the issue is one
of “dehumanization [in] having one’s most intimate information circulated by
an indifferent and faceless infrastructure without any control over the
process or content”) (quoting Will Thomas DeVries, Protecting Privacy in the
Digital Age, 18 Berkeley Tech. L.J. 283, 298 (2003)). It is noted that this
invasion of privacy occurs only because of the alleged wrongful conduct of a
defendant in the first instance.

                                    -22-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


lead to various negative outcomes for patients, including “social

and psychological harm through embarrassment, economic harm

through job discrimination and job loss, patient difficulty in

obtaining health insurance, health care fraud, and patient

reluctance to share sensitive information with their doctors or

pharmacists.”    Smith, supra, at 943 (citing Juliana Bell, Privacy

at Risk: Patients Use New Web Products to Store and Share

Personal Health Records, 38 U. Balt. L. Rev. 485, 489 (2009)).

            This anxiety is exacerbated by the “realities of the

modern health information domain,” which have overwhelmed the

traditional legal protection of patient data achieved principally

through the patient-physician relationship.          Nicholas P. Terry,

What’s Wrong with Health Privacy, 5 J. Health & Biomedical L. 1,

23 (2009).    “The patient data contained in modern longitudinal

systems is comprehensive, portable, and manipulatable.”            Id.

Thus, the “potential for abuse is immense” – “there are many

parties . . . that crave access to this data.”          Id. (footnote

omitted).

            In sum, this scheme requires judges and arbitrators,

when examining the validity of medical authorizations, to not

only interpret and apply an intricate law subject to change by

regulation, but also to keep pace with rapidly evolving

technology shaping the disclosure of information.




                                   -23-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


          In contrast, Hawai#i’s Constitution, by precluding the

disclosure of private health information outside of the

underlying litigation, obviates application of an inordinately

complex law that may result in expensive discovery disputes,

appeals, and litigation delays to resolve such disagreements.

The very purpose of disclosing Cohan’s health information in

discovery is to resolve the underlying dispute.           To allow this

information to be used outside the litigation, regardless of

whether it is de-identified or not, would reach beyond what the

Hawai#i Constitution permits in the absence of a showing of a

compelling state interest.




                                   -24-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***


                                     V.

                                     A.

            The parties dispute six provisions that are included in

Marriott’s SQPO.17    Each provision, and its compliance with the

Hawai#i Constitution, will be discussed in turn.

    1. SQPO paragraph 1(b)(2) — Review and Audit of Claims for
                   Internal Businesses Purposes

            SQPO paragraph 1(b)(2) provides that Cohan’s health

information may be used, disclosed or maintained, without Cohan’s

consent, for purposes of Marriott’s internal reviews or “audit of

claims for the purpose of setting premiums, calculating reserves,

calculating loss experience, and/or procuring additional

coverage[.]”




      17
            Cohan, in his Supplemental Memorandum, contended that the SQPO’s
paragraph 1(b) allows disclosure in relation to “any claim, litigation, and/or
proceeding arising out of the . . . subject accident” whereas the Hawai#i
Constitution permits disclosure only as to the “underlying litigation.”
(Emphasis added). During oral argument, Cohan’s counsel acknowledged that the
originally contested provision matched his own proposed SQPO language at the
trial court level. Consequently, we do not consider this provision in
determining the merits of the Petition.
            Similarly, Cohan waived his argument as to Marriott’s SQPO
paragraph 1(b)(6), which provides that Cohan’s health information may be used
“for any legally required reporting to governmental health or medical
insurance organizations or their private contractors for [Cohan’s] health care
and expenses related to the Subject Accident.” (Emphasis added). Cohan’s
proposed SQPO provides that “[i]t is specifically understood and agreed that
plaintiff’s health information may be used, and/or disclosed, and/or
maintained, without plaintiff’s consent as may be required to comply with
state or federal laws/rules[.]” (Emphasis added). Because this language is
also used in Marriott’s SQPO paragraph 1(b) and Cohan did not directly address
this provision in his Supplemental Memorandum, we do not consider this
provision in deciding whether the Arbitration Judge abused his discretion. In
light of Cohan’s waiver of his argument to this provision, we also need not
determine whether Marriott demonstrated a compelling state interest for
disclosure of health information in order to satisfy a legally required
reporting mandate.

                                    -25-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



          Cohan argues that the “language, if retained, would

improperly put at risk Cohan’s medical information for matters

far beyond the scope of his underlying personal injury tort

litigation, such that forcing him to sign it without the . . .

modifications would violate the privacy protections afforded him

by both state and federal law.”

          Marriott contends that Cohan cannot show harm resulting

from the language he seeks to strike from paragraph 1(b)(2)

because the paragraph already provides that it is “understood and

agreed that information will not be used for any record

compilation or database of Plaintiff’s claim history.”

          Regardless of whether Cohan can show harm, the

“internal review” provision allows Cohan’s health information to

be used to audit claims to set premiums and to calculate reserves

and “loss experience,” purposes that are outside the underlying




                                   -26-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



litigation.18   Accordingly, the language of SQPO paragraph 1(b)(2)

exceeds the scope allowed by the State Constitution.

2. SQPO paragraph 1(b)(3) — External Review of Health Information

            SQPO paragraph 1(b)(3) provides that Cohan’s health

information may be used for “external review and/or auditing,




      18
            An analysis under HIPAA arguably may lead to a different result.
SQPO paragraph 1(b)(2) provides that Cohan’s health information may be used,
disclosed or maintained, without his consent, for purposes of Marriott’s
internal reviews or audits. The applicable HIPAA regulation states that a
“covered entity,” which is defined as a 1) a health plan; (2) a health care
clearinghouse; or (3) a health care provider who transmits any health
information in electronic form in connection with a transaction covered by
this subchapter (45 C.F.R. § 160.103), “may use or disclose protected health
information for its own treatment, payment, or health care operations.” 45
C.F.R. § 164.506(c)(1). “Health care operations” is defined to include the
following activities of the covered entity (to the extent the activities are
related to covered functions):

            (5) Business planning and development, such as conducting
            cost-management and planning-related analyses related to
            managing and operating the entity, including formulary
            development and administration, development or improvement
            of methods of payment or coverage policies; and
            (6) Business management and general administrative
            activities of the entity, including, but not limited to:

            . . . .
                  (ii) Customer service, including the provision of
                  data analyses for policy holders, plan sponsors, or
                  other customers, provided that protected health
                  information is not disclosed to such policy holder,
                  plan sponsor, or customer;

45 C.F.R. § 164.501. Marriott asserts that the language of SQPO paragraph
1(b)(2) is consistent with 45 C.F.R. § 164.506(c) given that § 164.506(c)(1)
provides that insurance companies “may use or disclose protected health
information for its own treatment, payment, or health care operations.”
Further, Marriott notes that “health care operations” includes “business
management and general administrative activities.”
            While Marriott relies upon § 164.501(6), it would appear that §
164.501(5) provides a better rationale for the SQPO language, as it relates to
internal review functions such as “[b]usiness planning and development, such
as conducting cost-management and planning-related analyses related to
managing and operating the entity[.]” 45 C.F.R. § 164.501(5). Thus, the
language of paragraph 1(b)(2) may satisfy the HIPAA requirement, but
apparently not under the provision that Marriott references.


                                    -27-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



such as by reinsurers, the Insurance Commissioner, or external

auditors.”

            Cohan argues that the use of his health care

information for purposes of an external review by undisclosed

external auditors does not pertain to the underlying litigation.

Marriott argues that HIPAA allows use of health care information

for external review.

            This provision clearly allows for the use of Cohan’s

health information outside of the present litigation and does not

limit re-disclosure by such entities.         Accordingly, the provision

violates Cohan’s right to privacy under the State Constitution.19




      19
            Cohan argues that “external review and/or auditing” does not
qualify under HIPAA as a use of the information in “the litigation or
proceeding for which such information was requested.” Marriott argues that
Cohan cannot show that he is harmed by the language of paragraph 1(b)(3)
because the use of health care information for external review and/or auditing
by reinsurers, the Insurance Commissioner, or external auditors is allowed by
45 C.F.R. § 164.501(4), which states that insurance companies may conduct or
arrange “medical review, legal services, and auditing functions” as part of
their health care operations. The applicable HIPAA regulation states that “a
covered entity may use or disclose protected health information for its own
treatment, payment, or health care operations.” 45 C.F.R. § 164.506(c)(1).
The applicable definition of “health care operations” provides: “Conducting or
arranging for medical review, legal services, and auditing functions,
including fraud and abuse detection and compliance programs[.]” 45 C.F.R. §
164.501(4) (emphasis added). However, paragraph 1(b)(3) would allow Cohan’s
information to be disclosed to business associates of Marriott. Under HIPAA,
the covered entity and its business associates must comply with strict
requirements. See 45 C.F.R. § 164.502(a)(3) (business associate may use or
disclose protected health information only as permitted or required by its
business associate contract or other arrangement); 45 C.F.R. § 164.504(e)
(setting forth requirements for business associate contracts). Because these
comprehensive requirements are not set forth in the SQPO, this provision
appears to violate HIPAA.

                                    -28-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



      3. SQPO paragraph 1(b)(7) — Disclosure of De-Identified
                            Information

            SQPO paragraph 1(b)(7) provides that Cohan’s health

information may be used “for statistical or analytical purposes,

provided that [Cohan’s] personal identification information

(e.g., name, specific street address, specific birth date, Social

Security number, driver’s license number) is not included in such

review or use of Health Information.”

            Cohan contends that the entire provision should be

excised from the protective order because the language “put[s] at

risk Cohan’s medical information for use for matters far beyond

the scope of his underlying personal injury tort litigation[.]”

Marriott argues that Cohan cannot show that he is harmed by the

provision.

            This provision does not explain what type of analysis

will be conducted, who will compile the statistics, and whether

the results will be made available to entities outside the

litigation.    Presumably, there is no need to strip the health

information of identifiers if it remains inside the litigation.

Because de-identified information is for use outside of the

present litigation, the provision is not in accord with the

Hawai#i constitutional protection for health information.20


      20
            As discussed in the earlier section, the HIPAA regulations related
to de-identified information are inordinately complex. The applicable HIPAA
regulation states, in relevant part, “[a] covered entity may use protected
                                                                (continued...)

                                    -29-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



4. SQPO paragraph 1(b)(8) — Disclosure of Health Information for
                   Record Keeping Requirements

            SQPO paragraph 1(b)(8) provides that Cohan’s health

information may be used “for any record keeping requirements or

obligations relating to any of the foregoing, and pertaining to

the Subject Accident.”

            Cohan proposes to strike the provision from the

protective order and argues that “[t]he stricken language, if

retained, would improperly put at risk Cohan’s medical

information for use for matters far beyond the scope of the

underlying personal injury tort litigation.”           Marriott counters

that Cohan cannot show he is harmed by the provision.

            The requirement of disclosure of health information

“for any record keeping requirements or obligations relating to

any of the foregoing, and pertaining to the Subject Accident,”

provides no ostensible limitation to allowing use of Cohan’s




      20
        (...continued)
health information to create information that is not individually identifiable
health information or disclose protected health information only to a business
associate for such purpose, whether or not the de-identified information is to
be used by the covered entity.” 45 C.F.R. § 164.502(d)(1) (emphasis added).
Marriott contends that HIPAA does not protect de-identified information
because, pursuant to 45 C.F.R. §§ 164.502(d)(1)-(2), “[c]overed entities,
i.e., insurance companies, may use protected health information to create
information that is not individually identifiable health information, and such
‘de-identified’ information is not subject to the requirements of [45 C.F.R. §
164.502].” This argument rests on whether the information is fully de-
identified. However, Marriott’s de-identification provision in SQPO paragraph
1(b)(7) does not comply with the minimal requirements of 45 C.F.R. §§
164.502(d)(1)-(2), which codifies a comprehensive set of regulations for the
de-identification of health care information, set forth in 45 C.F.R. §§
164.514(a)-(b).

                                    -30-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



information outside the subject litigation, and therefore

violates the Hawai#i Constitution.21

 5. SQPO paragraph 1(b)(8) — Unreasonably Withholding Consent to
                 Disclosure of Health Information

            SQPO paragraph 1(b)(8) also provides that Marriott or

its “agents, attorneys, or insurers may request that additional

permissible categories of uses, disclosures, or maintenance be

added” to the SQPO, and Cohan “shall not unreasonably withhold

consent [to disclosure of health information], provided that the

additional categories requested are consistent with the intent of

this Order/Agreement.”22

            Cohan contends that the language, if retained, would

improperly risk disclosure of Cohan’s medical information for

matters beyond the scope of the underlying litigation and violate

the private protections afforded him by state and federal law.

Marriott argues that the provision, which “relate[s] to

[Marriott’s] reservation to request additional permissible uses,”



      21
            Although Marriott cites to 45 C.F.R. §§ 164.502(d)(1)-(2)
(relating to uses and disclosures of de-identified information) as a statutory
basis for SQPO paragraph 1(b)(8), the cited regulations are not related to the
subject of paragraph 1(b)(8). Furthermore, SQPO paragraph 1(b)(8), which
provides that Cohan’s health information may be used “for any record keeping
requirements or obligations relating to any of the foregoing, and pertaining
to the Subject Accident” (emphasis added), does not identify the entities that
may use Cohan’s health information or require them to conform to HIPAA
requirements.

      22
            There is no HIPAA regulation addressing the subject of this
provision, which provides that Cohan “shall not unreasonably withhold consent
[to disclosure of health information], provided that the additional categories
requested are consistent with the intent of this Order/Agreement.”

                                    -31-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



is “not harmful because it does not impose unilaterally any

additional uses without the consent of [Cohan].”

          However, the provision does not limit the use or

disclosure of Cohan’s health information to the underlying

litigation.   Further, the provision does not limit Marriott and

its agents in requesting additional categories of uses and

disclosures for Cohan’s health information, but at the same time

limits Cohan’s power to withhold consent provided that the

additional categories are consistent with the intent of the SQPO.

Therefore, requiring Cohan to comply with SQPO paragraph 1(b)(8)

would not comport with the protections provided for health

information under the Hawai#i Constitution.

6. SQPO paragraph 5 — Time Deadline to Return Health Information

          SQPO paragraph 5, entitled “Return or Destruction of

All Copies,” provides that Marriot must return Cohan’s health

information to Cohan’s counsel or destroy the information within

ninety days after the “final conclusion of the . . . case/claim

by fully-executed non-litigation settlement agreement.”

          This SQPO provision provides a ninety-day grace period

after the end of litigation for Marriott to return or destroy

Cohan’s protected health information.        Because article I, section

6 of the Hawai#i Constitution prohibits the use of such

information outside the present litigation, it would, by



                                   -32-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



inference, require parties to return records immediately after

the litigation concludes.23

                                     B.

           In this case, application of the Hawai#i Constitution

establishes that the six contested provisions of the SQPO are not

in compliance with state law.        The six provisions – paragraph

1(b)(2) (internal review); paragraph 1(b)(3) (external review);

paragraph 1(b)(7) (de-identification); paragraph 1(b)(8) (record

keeping requirements); paragraph 1(b)(8) (preventing Cohan from

unreasonably withholding consent); and paragraph 5 (time deadline

for returning health information) – all allow Cohan’s health

information to be used for purposes outside the underlying

litigation without any showing of a compelling state interest.

Therefore, the respondent judge erred in affirming the CAAP

Administrator’s order and requiring Cohan to sign the SQPO.

                                     VI.

           In addition to requiring the execution of Marriott’s

SQPO, the arbitrator’s order mandates that Cohan sign Marriott’s



      23
            The corresponding HIPAA regulation requires, in relevant part,
“the return to the covered entity or destruction of the protected health
information (including all copies made) at the end of the litigation or
proceeding.” 45 C.F.R. § 164.512(e)(1)(v)(B) (emphasis added). In contrast,
SQPO paragraph 5 provides that Marriott must return the information within
ninety days after the “final conclusion of the . . . case/claim by fully-
executed non-litigation settlement agreement.” Marriott argues that the SQPO
provision complies with the HIPAA regulation because Marriott must return
protected health information within ninety days after the conclusion of the
case. But, the ninety-day grace period in the SQPO is more than what HIPAA
allows.

                                    -33-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



proposed authorizations for medical and employment records.24

Cohan separately objected to the language contained in these

authorizations as overly broad.        The medical authorizations

submitted to Cohan by Marriott,25 if signed by Cohan, would grant

Marriott’s counsel authorization to disclose Cohan’s health

information to any and all persons as follows:

            I further authorize [Marriott’s counsel] to further disclose
            this authorization and all information obtained by its use,
            regardless of content, to any and all persons involved in
            the lawsuit/claim, for which this authorization is being
            signed, including, but not limited to, opposing counsel,
            experts, consultants, court/administrative agency personnel,
            government agencies, private investigators, copy services,
            court reporting companies, parties, and insurance
            representatives.


(Emphasis added).

            Additionally, the medical authorizations would grant

Marriott permission to re-disclose Cohan’s health information,

“in relation to the [case] for which [the] authorization is

provided,” and provide that such information “may no longer be

protected under federal privacy regulations”:

            “I understand that the health information released under
            this authorization may be re-disclosed by the recipient in
            relation to the case/matter for which this authorization is
            provided, and may no longer be protected under the federal
            privacy regulations.”




      24
            Cohan argues that Hawai#i Rules of Evidence (HRE) Rule 504,
entitled “Physician-patient privilege,” provides supplementary protection
against the disclosure of his health information. In light of the court’s
determination as to informational protection under the Hawai#i Constitution,
this contention need not be addressed.

      25
            Although Marriott references “employment authorizations” in its
Supplemental Memorandum, all of the authorizations submitted by the parties
appear to be medically related.

                                    -34-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



(Emphasis added).    The authorizations would also “release

[Marriott] from all liability and claims whatsoever pertaining to

the disclosure of information as contained in the records

released pursuant to [the] authorization.”

          Cohan argues that the clause providing for re-

disclosure of his information “in relation” to the case in a

manner that “may no longer be protected under the federal privacy

regulations” has the effect of “negat[ing] the protective

safeguards” of HIPAA and article I, section 6 of the Hawai#i

Constitution.   Cohan notes that the authorizations make no

reference to the SQPO or the limitations on the disclosure of his

health information set forth in the SQPO, thereby allowing for

the potential disclosure of his health information “to a wide

group of people” with no way of preventing the recipients of the

information from re-disclosing it to parties unrelated to the

underlying litigation.     Consequently, while recipients of Cohan’s

health information would be apprised of the protections against

disclosure listed in the authorizations, they would lack notice

of the more restrictive protections against certain types of

disclosure that may be contained in a proper SQPO.

          The authorizations require Cohan to sign a release

expressly stating that his information may no longer be protected




                                   -35-
    *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



by federal privacy regulations.26        Additionally, the

authorizations do not provide that the recipient of the re-

disclosed information is subject to the disclosure restrictions

set forth in the SQPO.       The authorizations also do not require

that Cohan be notified before his health information is re-

disclosed, thereby eliminating his ability to know or challenge

the dissemination of his protected health information.

            While discovery of Cohan’s medical records are relevant

to the subject matter of his claims, article I, section 6 of the

Hawai#i Constitution protects the disclosure of health

information produced in discovery and limits such disclosure to

the underlying litigation.        This right of the people to privacy

“is recognized and shall not be infringed without the showing of

a compelling state interest.”        Brende, 113 Hawai#i at 430, 153

P.3d at 1115.

            Thus, the respondent judge’s order requiring Cohan to

sign an authorization that would allow Marriott to “disclose

[Cohan’s health information] outside of the underlying

litigation” without his consent is a violation of Cohan’s

“constitutional right to informational privacy.”            Id. at 431, 153




      26
            If, pursuant to Brende, any “medical information protective order
issued in a judicial proceeding must, at a minimum, provide the protections of
the HIPAA,” 113 Hawai #i at 429, 153 P.3d at 1114, then it follows that a party
may not be required to sign an authorization form that does not provide the
same minimum protections.

                                     -36-
   *** FOR PUBLICATION IN WEST’S HAWAI#I REPORTS AND PACIFIC REPORTER ***



P.3d at 1116.   Therefore, the respondent judge erred by requiring

Cohan to sign the authorizations.

                                   VII.

          Cohan is entitled to mandamus relief because the

Arbitration Judge’s order is not appealable and results in the

release of confidential health information outside the underlying

litigation.   See Brende, 113 Hawai#i at 429, 153 P.3d at 1114

(citing Kema, 91 Hawai#i at 205, 982 P.2d at 339).

          Therefore we grant the Petition, and the respondent

judge is directed to: (1) vacate the order affirming the

arbitration decision, and (2) order that the qualified protective

order and the authorizations for release of medical records be

revised consistent with this opinion.

James Krueger,                            /s/ Simeon R. Acoba, Jr.
Cynthia K. Wong, and
Loren K. Tilley                           /s/ Sabrina S. McKenna
for petitioner
                                          /s/ Richard W. Pollack
Sidney K. Ayabe and
Ryan I. Inouye
for respondents




                                   -37-
