ORIGINAL PROCEEDING (CIV. NO. 11-1-2192)
James Krueger, Cynthia K. Wong, and Loren K. Tilley for petitioner
Sidney K. Ayabe and Ryan I. Inouye for respondents
ACOBA, McKENNA, AND POLLACK, JJ., WITH RECKTENWALD, C.J., CONCURRING, WITH WHOM NAKAYAMA, J., JOINS
Petitioner Richard Cohan (Cohan) filed a Petition for Writ of Mandamus (Petition) requesting this court to compel the respondent judge to: (1) vacate his order affirming an arbitration decision that compelled Petitioner to sign authorizations for release of medical records, and (2) order that the qualified protective order proposed by Petitioner be utilized instead.
We hold that the privacy provision of the Hawai'i Constitution, article I, section 6, protects Cohan's health information against disclosure outside the underlying litigation. Therefore we grant the Petition, and the respondent judge is directed to: (1) vacate the order affirming the arbitration decision, and (2) order that the qualified protective order and the authorizations for release of medical records be revised consistent with this opinion.
In September 2009, Cohan and his wife visited Hawai'i from California. While dining at Chuck's Steak & Seafood at Marriott's Ko Olina Beach Club, Cohan fell into a koi pond and was injured.
Cohan and his wife sued Marriott Hotel Services, Inc. dba Marriott's Ko Olina Beach Club and Marriott Ownership Resorts, Inc. dba Marriott Vacation Club International (collectively, "Marriott") and RRB Restaurants, LLC dba Chuck's Steak and Seafood (Restaurant) for damages. The case was placed in the Court Annexed Arbitration Program (CAAP). Courtney Naso, Esq., was appointed the arbitrator.
On April 30, 2012, Marriott sent Cohan thirteen authorizations to obtain medical records and two authorizations for release of employment records, and asked him to sign the forms. The medical records authorizations included the following provisions:
Unless otherwise revoked, this authorization will expire on the following date or event: the final conclusion of the proceeding, for which this authorization is being signed. If a date or event is not specified, this authorization will expire one year from my date of signature below.
I understand that the health information released under this authorization may be re-disclosed by the recipient, in relation to the case/matter for which this authorization is provided, and may no longer be protected under the federal privacy regulations.
I release the above-named health care provider and recipient(s) from all liability and claims whatsoever pertaining to the disclosure of information as contained in the records released pursuant to this authorization.
(Emphases added). The employment records authorizations, which include medical records, accident reports, and claims for benefits made during employment, included the following language:
I further authorize [Marriott's counsel] to further disclose this authorization and all information obtained by its use, regardless of content, to any and all persons involved in the lawsuit/claim, . . . including, but not limited to, opposing counsel, experts, consultants, court personnel, private investigators, copy services, court reporting companies, parties, and insurance representatives.
The undersigned . . . waives any applicable requirements and provisions of the Federal Privacy Act (5 U.S.C. Section 525, 525(a) et seq.), the provisions of 42 U.S.C. Section 4582, the provisions of Chapter 334 of the Hawaii Revised Statutes, and Chapter 325 of the Hawaii Revised Statutes restricting the use and dissemination of the aforesaid information . . . including but not limited to information (if any) regarding the psychiatric, psychological, social work, infectious disease, HIV testing records, alcohol and other substance abuse treatment.
(Emphases added). Cohan returned the authorizations unsigned and informed Marriott that the authorizations did not comply with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (1996). Cohan notified Marriott that he would not consider signing any authorizations unless Marriott first sought to obtain the records pursuant to Hawai'i Rules of Civil Procedure (HRCP) Rule 31 or by way of a motion to compel. In the alternative, Cohan proposed that the parties enter into a stipulated qualified protective order (SQPO).
Cohan forwarded a draft order that contained provisions patterned after HIPAA (i.e. prohibiting use or disclosure of the information outside the underlying litigation without Cohan's consent and requiring Marriott to return the documents or destroy them at the end of litigation). Marriott rejected the draft protective order and proposed that the parties use a form adopted by the Hawai'i State Bar Association (HSBA) . Cohan rejected the HSBA-approved form as too expansive and asked Marriott to delete several provisions:
The HSBA-approved language (offered by Marriott)
Cohan's proposed changes
1. Non-Disclosure Requirement:
Except as provided herein, none of Plaintiff's/Claimant's Health Information obtained from any source shall be disclosed or used by anyone or by any entity for any purpose, without Plaintiff's/Claimant's explicit written consent.
(b) Specifically Allowable Uses, Disclosures, and Maintenance: It is specifically understood and agreed that Plaintiff's/Claimant's Health Information may be used, and/or disclosed, and/or maintained, without Plaintiff's/Claimant's consent as may be required to comply with state or federal laws, rules, and court, arbitrator, or administrative orders (including subpoenas duces tecum), and in relation to any claim, litigation, and/or proceeding arising out of the accident/incident of_______("Subject Accident"), including the following:
1. (b)(2) for Defendants' and/or insurer's internal review and/or auditing, including the handling and disposition of any claim or matter related to the Subject Occurrence, communication between Defendants and their insurers/underwriters/agents; relating to the review and/or audit of claims for the purpose of setting premiums, calculating reserves, calculating loss experience, and/or procuring additional coverage, it being understood and agreed that information will not be used for any record compilation or database of Plaintiff s claim history;
1. (b) (2) for Defendants' and/or their insurer's internal review and/or auditing, including the handling and disposition of any claim or matter related to the Subject Occurrence, communication between Defendants and their insurers/underwriters/ agents;
relating to the review and/or audit of claims for the purpose of setting premiums, calculating reserves, calculating loss experience, and/or procuring additional coverage, it being understood and agreed that information will not be used for any record compilation or database of Plaintiff’s claim history;
1. (b) (3) for external review and/or auditing, such as by reinsurers, the Insurance Commissioner, or external auditors;
Delete entire provision
1. (b)(6) for any legally required reporting to governmental health or medical insurance organizations or their private contractors for Plaintiff s health care and expenses related to the Subject Occurrence;
Delete entire provision
1. (b) (7) for statistical or analytical purposes, provided that Plaintiff s personal identification information (e.g., name, specific street address, specific birth date, Social Security number, driver's license number) is not included in such review or use of Health Information; and
Delete entire provision
1. (b) (8) for any record keeping requirements or obligations relating to any of the foregoing, and pertaining to the Subject Occurrence.
Delete entire provision
The above-noted permissible uses, disclosures, and maintenance provisions are not intended to unreasonably limit a party's or their counsel's or insurer's record-keeping obligations or requirements. Defendants or their agents, attorneys, or insurers may request that additional permissible categories of uses, disclosures, or maintenance be added. Plaintiff shall not unreasonably withhold consent, provided that the additional categories requested are consistent with the intent of this Order.
The above-noted permissible uses, disclosures, and maintenance provisions are not intended to unreasonably limit a party's or their counsel's or insurer's record-keeping obligations or requirements.
Defendants or their agents, attorneys, or insurers may request that additional permissible categories of uses, disclosures, or maintenance be added. Plaintiff shall not unreasonably withhold consent, provided that the additional categories requested are consistent with the intent of this Order.
Cohan indicated that if Marriott modified its version of the protective order to delete the stricken language, or used the form he proposed, Cohan would agree to the SQPO, which could then be attached to subpoenas for the sought-after records.
At the June 26, 2012 pre-hearing CAAP conference, the parties discussed the different versions of the protective order. By letter dated July 3, 2012, the arbitrator informed the parties of her decision that they use the form that appears on the HSBA website under "Stipulated Qualified Protective Order (for litigation use)":
During the second CAAP pre-hearing conference held on June 26, 2012, we discussed the form of the Stipulated Qualified Protective Order as [the Cohans] were requesting certain deletions from the form proposed by [Marriott]. After hearing from all counsel and discussing each counsel's position, it was decided the form to be used shall be the Stipulated Qualified Protective Order (for litigation use) that appears on the Hawaii State Bar Association (HSBA) website under Health Care Information Privacy Protection Forms.
[The Cohans'] counsel shall inform [Marriott's] counsel, in writing, no later than Friday, July 6, 2012, whether they intend to adhere to the Arbitrator's above-stated decision. In the event one or more parties decides not to adhere to the above-stated decision the parties shall file the appropriate motions in court to further resolve this issue.
(Underlining in place of italics in the original). By e-mail dated July 6, 2012, Cohan informed Marriott that the HSBA form was unacceptable:
The HSBA stipulated qualified protective order has no mention in Hawaii Rules of Civil Procedure noting that it is legally required. It is no more than some form of an agreeable agreement, perhaps, but it is a tempest in a tea pot as Rule 31, HRCP is available. Rule 31 is a better avenue as defense would have to obtain the records, again, to be admissible in evidence. Therefore, we cannot agree.
Marriott thereafter moved for an order compelling Cohan to sign the fifteen authorizations so that it could obtain the medical and employment records via subpoena. By order entered on September 7, 2012, the arbitrator granted the request and ordered Cohan to sign the authorizations, as well as the form protective order from the HSBA website.
Eleven days later, by letter dated September 18, 2012, Cohan appealed the arbitrator's September 7, 2012 decision to the CAAP Administrator. Cohan argued that Marriott was not entitled to the relief requested because it did not utilize the discovery methods authorized by the HRCP and had proposed a protective order that was too broad. He further argued that the court lacked jurisdiction to compel him to sign a document not mandated by state law, rule, regulation, or decision. The CAAP Administrator affirmed the arbitrator's decision.
Cohan appealed the CAAP Administrator's decision to the Honorable Bert I. Ayabe, the Arbitration Judge. Again, Cohan argued that there was no law requiring a party to sign authorizations or a qualified protective order, and he has a right to the privacy of his health information. Judge Ayabe affirmed the CAAP Administrator's decision by order entered on November 13, 2012.
On February 14, 2013, Cohan filed the Petition and a Memorandum in Support of Petition (Petition Memorandum). Cohan argued that Judge Ayabe abused his discretion by affirming the arbitrator's order on the grounds that: (1) the order violates Cohan's right of privacy under HIPAA, article I, section 6 of the Hawai'i Constitution, and Hawai'i case law; (2) the version of the protective order proposed by Marriott wrongfully allows Cohan's health information to be used for purposes beyond the litigation; (3) the authorizations fail to limit disclosure of Cohan's private health information; and (4) no statute, law, or rule requires Cohan to sign the authorizations or the protective order. Cohan asked the court to:
• Order Judge Ayabe to vacate his order;
• Enter a protective order requiring Marriott to pursue HRCP Rule 31, using HIPAA-compliant language, prior to the use of any SQPO;
• Order that no law requires Cohan to sign the authorizations for the medical and employment information; and
• Enter a qualified protective order consistent with Cohan's proposed version or with the version proposed by Marriott ...