
    322 P.3d 948
    Richard COHAN, Petitioner, v. The Honorable Bert I. AYABE, Judge of the Circuit Court of the First Circuit, State of Hawai'i, Respondent, and Marriott Hotel Services, Inc. DBA Marriott’s Ko Olina Beach Club and Marriott Ownership Resorts, Inc. DBA Marriott Vacation Club International, Respondents, Real Parties in Interest.
    No. SCPW-13-0000092.
    Supreme Court of Hawai'i.
    Feb. 27, 2014.
    
      James Krueger, Cynthia K. Wong, and Loren K. Tilley, Wailuku, for petitioner.
    Sidney K. Ayabe and Ryan I. Inouye, Honolulu, for respondents.
    ACOBA, McKENNA, and POLLACK, JJ., with RECKTENWALD, C.J., Concurring, with whom NAKAYAMA, J., Joins.
   Opinion of the Court by

POLLACK, J.

Petitioner Richard Cohan (Cohan) filed a Petition for Writ of Mandamus (Petition) requesting this court to compel the respondent judge to: (1) vacate his order affirming an arbitration decision that compelled Petitioner to sign authorizations for release of medical records, and (2) order that the qualified protective order proposed by Petitioner be utilized instead.

We hold that the privacy provision of the Hawai'i Constitution, article I, section 6, protects Cohan’s health information against disclosure outside the underlying litigation. Therefore we grant the Petition, and the respondent judge is directed to: (1) vacate the order affirming the arbitration decision, and (2) order that the qualified protective order and the authorizations for release of medical records be revised consistent with this opinion.

I.

In September 2009, Cohan and his wife visited Hawai'i from California. While dining at Chuck’s Steak & Seafood at Marriott’s Ko Olina Beach Club, Cohan fell into a koi pond and was injured.

Cohan and his wife sued Marriott Hotel Services, Inc. dba Marriott’s Ko Olina Beach Club and Marriott Ownership Resorts, Inc. dba Marriott Vacation Club International (collectively, “Marriott”) and RRB Restaurants, LLC dba Chuck’s Steak and Seafood (Restaurant) for damages. The case was placed in the Court Annexed Arbitration Program (CAAP). Courtney Naso, Esq., was appointed the arbitrator.

On April 30, 2012, Marriott sent Cohan thirteen authorizations to obtain medical records and two authorizations for release of employment records, and asked him to sign the forms. The medical records authorizations included the following provisions:

Unless otherwise revoked, this authorization will expire on the following date or event: the final conclusion of the proceeding, for which this authorization is being signed. If a date or event is not specified, this authorization will expire one year from my date of signature below.
I understand that the health information released under this authorization may be re-disclosed by the recipient, in relation to the case/matter for which this authorization is provided, and may no longer be protected under the federal privacy regulations.
I release the above-named health care provider and recipient(s) from all liability and claims whatsoever pertaining to the disclosure of information as contained in the records released pursuant to this authorization.

(Emphases added). The employment records authorizations, which include medical records, accident reports, and claims for benefits made during employment, included the following language:

I further authorize [Marriott’s counsel] to further disclose this authorization and all information obtained by its use, regardless of content, to any and all persons involved in the lawsuit/claim, ... including, but not limited to, opposing counsel, experts, consultants, court personnel, private investigators, copy services, court reporting companies, parties, and insurance representatives.
The undersigned ... waives any applicable requirements and provisions of the Federal Privacy Act (5 U.S.C. Section 525, 525(a) et seq.), the provisions of 42 U.S.C. Section 4582, the provisions of Chapter 334 of the Hawai'i Revised Statutes, and Chapter 325 of the Hawai'i Revised Statutes restricting the use and dissemination of the aforesaid information ... including but not limited to information (if any) regarding the psychiatric, psychological, social work, infectious disease, HIV testing records, alcohol and other substance abuse treatment.

(Emphases added). Cohan returned the authorizations unsigned and informed Marriott that the authorizations did not comply with the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.L. No. 104-191, 110 Stat. 1936 (1996). Cohan notified Marriott that he would not consider signing any authorizations unless Marriott first sought to obtain the records pursuant to Hawai'i Rules of Civil Procedure (HRCP) Rule 31 or by way of a motion to compel. In the alternative, Cohan proposed that the parties enter into a stipulated qualified protective order (SQPO).

Cohan forwarded a draft order that contained provisions patterned after HIPAA (i.e. prohibiting use or disclosure of the information outside the underlying litigation without Cohan’s consent and requiring Marriott to return the documents or destroy them at the end of litigation). Marriott rejected the draft protective order and proposed that the parties use a form adopted by the Hawai'i State Bar Association (HSBA). Cohan rejected the HSBA-approved form as too expansive and asked Marriott to delete several provisions:

Introductory language of the HSBA-approved form (offered by Marriott):

1. Non-Disclosure Requirement: Except as provided herein, none of Plaintiffs/Claimant’s Health Information obtained from any source shall be disclosed or used by anyone or by any entity for any purpose, without Plaintiffs/Claimant’s explicit written consent.

(b) Specifically Allowable Uses, Disclosures, and Maintenance: It is specifically understood and agreed that Plaintiffs/Claimant’s Health Information may be used, and/or disclosed, and/or maintained, without Plaintiffs/Claimant’s consent as may be required to comply with state or federal laws, rules, and court, arbitrator, or administrative orders (including subpoenas duces tecum), and in relation to any claim, litigation, and/or proceeding arising out of the accident/incident of-(“Subject Accident”), including the following:

Paragraph 1.(b)(2)

The HSBA-approved language (offered by Marriott): for Defendants’ and/or insurer’s internal review and/or auditing, including the handling and disposition of any claim or matter related to the Subject Occurrence, communication between Defendants and their insurers/underwriters/agents; relating to the review and/or audit of claims for the purpose of setting premiums, calculating reserves, calculating loss experience, and/or procuring additional coverage, it being understood and agreed that information will not be used for any record compilation or database of Plaintiff’s claim history;

Cohan’s proposed changes (marked in the original with strikethrough): for Defendants’ and/or their insurer’s internal review and/or auditing, including the handling and disposition of any claim or matter related to the Subject Occurrence, communication between Defendants and their insurers/underwriters/agents; relating to the review and/or audit of claims for the purpose of setting premiums, calculating reserves, calculating loss experience, and/or procuring additional coverage, it being understood and agreed that information will not be used for any record compilation or database of Plaintiff’s claim history;

Paragraph 1.(b)(3)

The HSBA-approved language (offered by Marriott): for external review and/or auditing, such as by reinsurers, the Insurance Commissioner, or external auditors;

Cohan’s proposed changes: Delete entire provision

Paragraph 1.(b)(6)

The HSBA-approved language (offered by Marriott): for any legally required reporting to governmental health or medical insurance organizations or their private contractors for Plaintiff’s health care and expenses related to the Subject Occurrence;

Cohan’s proposed changes: Delete entire provision

Paragraph 1.(b)(7)

The HSBA-approved language (offered by Marriott): for statistical or analytical purposes, provided that Plaintiff’s personal identification information (e.g., name, specific street address, specific birth date, Social Security number, driver’s license number) is not included in such review or use of Health Information; and

Cohan’s proposed changes: Delete entire provision

Paragraph 1.(b)(8)

The HSBA-approved language (offered by Marriott): for any record keeping requirements or obligations relating to any of the foregoing, and pertaining to the Subject Occurrence.

Cohan’s proposed changes: Delete entire provision

Closing paragraph

The HSBA-approved language (offered by Marriott): The above-noted permissible uses, disclosures, and maintenance provisions are not intended to unreasonably limit a party’s or their counsel’s or insurer’s record-keeping obligations or requirements. Defendants or their agents, attorneys, or insurers may request that additional permissible categories of uses, disclosures, or maintenance be added. Plaintiff shall not unreasonably withhold consent, provided that the additional categories requested are consistent with the intent of this Order.

Cohan’s proposed changes (marked in the original with strikethrough): The above-noted permissible uses, disclosures, and maintenance provisions are not intended to unreasonably limit a party’s or their counsel’s or insurer’s record-keeping obligations or requirements. Defendants or their agents, attorneys, or insurers may request that additional permissible categories of uses, disclosures, or maintenance be added. Plaintiff shall not unreasonably withhold consent, provided that the additional categories requested are consistent with the intent of this Order.

Cohan indicated that if Marriott modified its version of the protective order to delete the stricken language, or used the form he proposed, Cohan would agree to the SQPO, which could then be attached to subpoenas for the sought-after records.

At the June 26, 2012 pre-hearing CAAP conference, the parties discussed the different versions of the protective order. By letter dated July 3, 2012, the arbitrator informed the parties of her decision that they use the form that appears on the HSBA website under “Stipulated Qualified Protective Order (for litigation use)”:

During the second CAAP pre-hearing conference held on June 26, 2012, we discussed the form of the Stipulated Qualified Protective Order as [the Cohans] were requesting certain deletions from the form proposed by [Marriott]. After hearing from all counsel and discussing each counsel’s position, it was decided the form to be used shall be the Stipulated Qualified Protective Order (for litigation use) that appears on the Hawai'i State Bar Association (HSBA) website under Health Care Information Privacy Protection Forms.
[The Cohans’] counsel shall inform [Marriott’s] counsel, in writing, no later than Friday, July 6, 2012, whether they intend to adhere to the Arbitrator’s above-stated decision. In the event one or more parties decides not to adhere to the above-stated decision the parties shall file the appropriate motions in court to further resolve this issue.

(Underlining in place of italics in the original). By e-mail dated July 6, 2012, Cohan informed Marriott that the HSBA form was unacceptable:

The HSBA stipulated qualified protective order has no mention in Hawai'i Rules of Civil Procedure noting that it is legally required. It is no more than some form of an agreeable agreement, perhaps, but it is a tempest in a tea pot as Rule 31, HRCP is available. Rule 31 is a better avenue as defense would have to obtain the records, again, to be admissible in evidence. Therefore, we cannot agree.

Marriott thereafter moved for an order compelling Cohan to sign the fifteen authorizations so that it could obtain the medical and employment records via subpoena. By order entered on September 7, 2012, the arbitrator granted the request and ordered Cohan to sign the authorizations, as well as the form protective order from the HSBA website.

Eleven days later, by letter dated September 18, 2012, Cohan appealed the arbitrator’s September 7, 2012 decision to the CAAP Administrator. Cohan argued that Marriott was not entitled to the relief requested because it did not utilize the discovery methods authorized by the HRCP and had proposed a protective order that was too broad. He further argued that the court lacked jurisdiction to compel him to sign a document not mandated by state law, rule, regulation, or decision. The CAAP Administrator affirmed the arbitrator’s decision.

Cohan appealed the CAAP Administrator’s decision to the Honorable Bert I. Ayabe, the Arbitration Judge. Again, Cohan argued that there was no law requiring a party to sign authorizations or a qualified protective order, and he has a right to the privacy of his health information. Judge Ayabe affirmed the CAAP Administrator’s decision by order entered on November 13, 2012.

II.

On February 14, 2013, Cohan filed the Petition and a Memorandum in Support of Petition (Petition Memorandum). Cohan argued that Judge Ayabe abused his discretion by affirming the arbitrator’s order on the grounds that: (1) the order violates Cohan’s right of privacy under HIPAA, article I, section 6 of the Hawai'i Constitution, and Hawai'i case law; (2) the version of the protective order proposed by Marriott wrongfully allows Cohan’s health information to be used for purposes beyond the litigation; (3) the authorizations fail to limit disclosure of Cohan’s private health information; and (4) no statute, law, or rule requires Cohan to sign the authorizations or the protective order. Cohan asked the court to:

• Order Judge Ayabe to vacate his order;
• Enter a protective order requiring Marriott to pursue HRCP Rule 31, using HIPAA-compliant language, prior to the use of any SQPO;
• Order that no law requires Cohan to sign the authorizations for the medical and employment information; and
• Enter a qualified protective order consistent with Cohan’s proposed version or with the version proposed by Marriott with Cohan’s proposed modifications.

This court, by order entered on March 14, 2013, ordered Marriott and the Restaurant to answer the Petition. In their joint Response, filed on April 3, 2013, Marriott and the Restaurant argued that Cohan waived his right to challenge the form of the SQPO because he failed to appeal the CAAP arbitrator’s July 3, 2012 letter. They also argued that their form of the HSBA-approved SQPO effectively protects any privacy concerns Cohan may have regarding his health information.

On July 26, 2013, we issued an order instructing each party to file a supplemental brief addressing whether the SQPO and medical authorizations required to be signed by the CAAP Administrator complied with federal and state law.

On August 9, 2013, Cohan submitted a Supplemental Memorandum in Support of Petition for Writ of Mandamus. Cohan reiterates challenges to Marriott’s SQPO and medical authorizations set forth in his Petition Memorandum. Cohan maintains that the SQPO does not meet the minimum federal requirements for a protective order as required by HIPAA, much less the more stringent privacy requirements of the Hawai'i Constitution. Cohan additionally argues that the medical authorizations negate the protective safeguards required by HIPAA and the Hawai'i Constitution because the authorizations expressly allow for re-disclosure of protected information without referencing the existence of any limitations imposed by the SQPO.

On August 9, 2013, Marriott submitted its Supplemental Answering Brief to Petitioner Cohan’s Petition for Writ of Mandamus. Marriott argues that: (1) the medical authorizations comply with federal and Hawai'i state law, (2) Marriott’s SQPO complies with federal and Hawai'i state law, and (3) the employment authorizations comply with federal and Hawai'i state law.

III.

A writ of mandamus is an extraordinary remedy that will not issue unless the petitioner demonstrates a clear and indisputable right to relief and a lack of alternative means adequate to redress the alleged wrong or to obtain the requested action. Kema v. Gaddis, 91 Hawai'i 200, 204, 982 P.2d 334, 338 (1999). Where a court has discretion to act, mandamus will not lie to interfere with or control the exercise of that discretion, even when the judge has acted erroneously, unless the judge has exceeded his or her jurisdiction, has committed a flagrant and manifest abuse of discretion, or has refused to act on a subject properly before the court under circumstances in which it is subject to a legal duty to act. Id. at 204-05, 982 P.2d at 338-39. This court has held that “ ‘[m]andamus is the appropriate remedy where [a] court issues an order releasing confidential files ... and the order is not immediately appealable.’” Brende v. Hara, 113 Hawai'i 424, 429, 153 P.3d 1109, 1114 (2007) (per curiam) (quoting Kema, 91 Hawai'i at 205, 982 P.2d at 339).

IV.

A.

HIPAA is “a complex piece of legislation that addresses the exchange of health-related information,” Nat’l Abortion Fed’n v. Ashcroft, No. 03 Civ. 8695(RCC), 2004 WL 555701, at *2 (S.D.N.Y. Mar. 19, 2004), one that has “radically changed the landscape of how litigators can conduct informal discovery in cases involving medical treatment.” Law v. Zuckerman, 307 F.Supp.2d 705, 711 (D.Md.2004). The HIPAA regulations permit discovery of protected health information “so long as a court order or agreement of the parties prohibits disclosure of the information outside the litigation and requires the return of the information once the proceedings are concluded.” Id. at 708 (quoting A Helping Hand, LLC v. Baltimore Cnty., 295 F.Supp.2d 585, 592 (D.Md.2003)).

HIPAA provides the “federal floor of privacy protections that does not disturb more protective rules or practices.... The protections are a mandatory floor, which other governments and any [Department of Health and Human Services regulated] entities may exceed.” Brende, 113 Hawai'i at 429, 153 P.3d at 1114 (quoting 65 Fed.Reg. 82,462 (Dec. 28, 2000)).

Section 264 of HIPAA directs the Secretary of Health and Human Services to promulgate regulations to protect the privacy of medical records, but provides in subsection (e)(2) that such a regulation “shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” HIPAA, Pub.L. No. 104-191, § 264, 110 Stat. 1936 (1996); see also 45 C.F.R. § 160.203(b). A state standard is “more stringent” if it “provides greater privacy protection for the individual who is the subject of the individually identifiable health information.” 45 C.F.R. § 160.202(6); see also Nw. Mem'l Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir.2004).

Hawai'i is one of ten states that expressly recognize a right to privacy in their constitutions. Article I, section 6 of the Hawai'i Constitution provides in relevant part that “[t]he right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” In promulgating this privacy provision, the 1978 Constitutional Convention intended “that privacy [be] treated as a fundamental right for purposes of constitutional analysis.” Comm. Whole Rep. No. 15, in 1 Proceedings of the Constitutional Convention of Hawai'i of 1978 (Proceedings), at 1024. This express right of privacy is “a recognition that the dissemination of private and personal matters, be it true, embarrassing or not, can cause mental pain and distress far greater than bodily injury.... In short, this right of privacy includes the right of an individual to tell the world to ‘mind your own business.’” Stand. Comm. Rep. No. 69, in 1 Proceedings at 674.

In Brende, this court held that article I, section 6 of the Hawai'i Constitution protects private health information from disclosure outside of the underlying litigation. 113 Hawai'i at 426, 153 P.3d at 1111. In that case, in which the underlying litigation arose out of a motor vehicle tort, the plaintiffs petitioned this court for a writ of mandamus directing the respondent judge “to revise a medical information protective order to prohibit any person or entity from disclosing, for purposes outside the underlying litigation and without [the plaintiffs’] consent, [plaintiffs’] health information produced in discovery.” Id.

The plaintiffs proposed a stipulated order patterned after HIPAA and Hawai'i law, including article I, section 6 of the Hawai'i Constitution. Id. at 426-47, 153 P.3d at 1111-12. The proposed order prohibited the defendant from using the plaintiffs’ health information obtained in discovery from a health plan, health care provider, or any other source outside the underlying litigation and without the plaintiffs’ consent. Id. The order further required the health information to be returned to the health care entities, if applicable, or otherwise be destroyed at the end of the litigation. Id. The defendant argued that the proposed order was not necessary and refused to stipulate to the provision prohibiting the use or disclosure of information obtained from sources other than health care providers. Id. at 427, 153 P.3d at 1112.

In granting the petition, the Brende court first noted that HIPAA applies only to “health information obtained in discovery directly from health care entities.” Id. at 429, 153 P.3d at 1114. Because HIPAA regulations establish a “federal floor of privacy protections,” in Hawai'i “a medical information protective order issued in a judicial proceeding must, at a minimum, provide the protections of the HIPAA.” Id. (emphasis added). The court further held that article I, section 6 of the Hawai'i Constitution, establishing the right of privacy, applies to “informational privacy” and protects “the right to keep confidential information which is highly personal and intimate.” Id. at 430, 153 P.3d at 1115 (quotation marks and brackets omitted). Because health information is “highly personal and intimate,” it is protected by the informational prong of article I, section 6. Id.

Thus, we held that the “constitutional provision protects the disclosure outside of the underlying litigation of petitioners’ health information produced in discovery.” Id. (emphasis added). The court noted, “once the information is disclosed, the potential harm cannot be undone.” Id. Accordingly, the court held that the plaintiffs were entitled to mandamus relief. Id. at 431-32, 153 P.3d at 1116-17.

B.

Hawai'i’s protection of a person’s health information is based on an overarching constitutional principle of informational privacy that prohibits the disclosure of health information outside the underlying litigation without a showing of a compelling state interest. In contrast, the HIPAA regulations are “dense, complex, confusing, and lengthy.” Smith, supra, note 6, at 978.

This complexity is exemplified by HIPAA’s treatment of “de-identified” health information. Marriott’s SQPO includes a de-identification provision. HIPAA defines de-identified health information as health information “that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.... ” 45 C.F.R. § 164.514(a). Once health information has been de-identified, it is no longer protected by HIPAA. Further, because HIPAA allows “more stringent” state law to preempt federal law only when it relates to the privacy of “individually identifiable health information,” 45 C.F.R. § 160.203(b), this leads to the conclusion that state law also does not protect de-identified information. Nw. Mem’l Hosp., 362 F.3d at 926.

As an initial matter, the de-identifying process itself is extremely complex and problematic. Under the rigorous, comprehensive scheme for de-identification established by 45 C.F.R. § 164.514(b), there are two methods to achieve de-identification. The first, known as the “Expert Opinion” method, requires a “person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” to apply those methods and then determine that the recipient of the information could identify the individual. 45 C.F.R. § 164.514(b)(1). The second, known as the “Safe Harbor” method, requires the removal of eighteen types of identifiers, such as account numbers, telephone numbers, license plate numbers, and e-mail addresses. Id. § 164.514(b)(2). Health information is considered sufficiently de-identified when “[t]he covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.” Id. § 164.514(b)(2)(ii). But HIPAA expressly allows a covered entity to re-identify previously de-identified information, provided that it adopts certain safety measures. 45 C.F.R. § 164.514(c). Once re-identified, the information is subject to the privacy rules. Id.

In the event of a discovery dispute, judges would be required to determine if information has been sufficiently de-identified so as to escape HIPAA protection and state law preemption. If identifiers remain and HIPAA therefore applies, judges would determine whether health information has been adequately protected, and in doing so, apply an intricate web of regulations related to covered entities’ internal operations. Because HIPAA also permits a covered entity to disclose protected health information to a “business associate” to conduct the de-identification process on its behalf, judges would need to examine the stringent requirements governing that relationship as well. If information is sufficiently de-identified, however, no such analysis is required, and the covered entity may share the data without restriction.

Apart from these technical considerations, there is the very complicated issue as to whether a patient has a legitimate basis for being concerned about what happens to their personal health information once it is de-identified. The Seventh Circuit has held that “[e]ven if there were no possibility that a patient’s identity might be learned from a redacted medical record, there would be an invasion of privacy.” Nw. Mem’l Hosp., 362 F.3d at 929. If citizens feel that their privacy rights in health care information are not adequately protected, this may lead to various negative outcomes for patients, including “social and psychological harm through embarrassment, economic harm through job discrimination and job loss, patient difficulty in obtaining health insurance, health care fraud, and patient reluctance to share sensitive information with their doctors or pharmacists.” Smith, supra, at 943 (citing Juliana Bell, Privacy at Risk: Patients Use New Web Products to Store and Share Personal Health Records, 38 U. Balt. L. Rev. 485, 489 (2009)).

This anxiety is exacerbated by the “realities of the modern health information domain,” which have overwhelmed the traditional legal protection of patient data achieved principally through the patient-physician relationship. Nicholas P. Terry, What’s Wrong with Health Privacy, 5 J. Health & Biomedical L. 1, 23 (2009). “The patient data contained in modern longitudinal systems is comprehensive, portable, and manipulatable.” Id. Thus, the “potential for abuse is immense”—“there are many parties ... that crave access to this data.” Id. (footnote omitted).

In sum, this scheme requires judges and arbitrators, when examining the validity of medical authorizations, to not only interpret and apply an intricate law subject to change by regulation, but also to keep pace with rapidly evolving technology shaping the disclosure of information.

In contrast, Hawai'i’s Constitution, by precluding the disclosure of private health information outside of the underlying litigation, obviates application of an inordinately complex law that may result in expensive discovery disputes, appeals, and litigation delays to resolve such disagreements. The very purpose of disclosing Cohan’s health information in discovery is to resolve the underlying dispute. To allow this information to be used outside the litigation, regardless of whether it is de-identified or not, would reach beyond what the Hawai'i Constitution permits in the absence of a showing of a compelling state interest.

V.

A.

The parties dispute six provisions that are included in Marriott’s SQPO. Each provision, and its compliance with the Hawai'i Constitution, will be discussed in turn.

1. SQPO paragraph 1(b)(2)—Review and Audit of Claims for Internal Businesses Purposes

SQPO paragraph 1(b)(2) provides that Cohan’s health information may be used, disclosed or maintained, without Cohan’s consent, for purposes of Marriott’s internal reviews or “audit of claims for the purpose of setting premiums, calculating reserves, calculating loss experience, and/or procuring additional coverage[.]”

Cohan argues that the “language, if retained, would improperly put at risk Cohan’s medical information for matters far beyond the scope of his underlying personal injury tort litigation, such that forcing him to sign it without the ... modifications would violate the privacy protections afforded him by both state and federal law.”

Marriott contends that Cohan cannot show harm resulting from the language he seeks to strike from paragraph 1(b)(2) because the paragraph already provides that it is “understood and agreed that information will not be used for any record compilation or database of Plaintiff’s claim history.”

Regardless of whether Cohan can show harm, the “internal review” provision allows Cohan’s health information to be used to audit claims to set premiums and to calculate reserves and “loss experience,” purposes that are outside the underlying litigation. Accordingly, the language of SQPO paragraph 1(b)(2) exceeds the scope allowed by the State Constitution.

2. SQPO paragraph 1(b)(3)—External Review of Health Information

SQPO paragraph 1(b)(3) provides that Cohan’s health information may be used for “external review and/or auditing, such as by reinsurers, the Insurance Commissioner, or external auditors.”

Cohan argues that the use of his health care information for purposes of an external review by undisclosed external auditors does not pertain to the underlying litigation. Marriott argues that HIPAA allows use of health care information for external review.

This provision clearly allows for the use of Cohan’s health information outside of the present litigation and does not limit re-disclosure by such entities. Accordingly, the provision violates Cohan’s right to privacy under the State Constitution.

3. SQPO paragraph 1(b)(7)—Disclosure of De-Identified Information

SQPO paragraph 1(b)(7) provides that Cohan’s health information may be used “for statistical or analytical purposes, provided that [Cohan’s] personal identification information (e.g., name, specific street address, specific birth date, Social Security number, driver’s license number) is not included in such review or use of Health Information.”

Cohan contends that the entire provision should be excised from the protective order because the language “put[s] at risk Cohan’s medical information for use for matters far beyond the scope of his underlying personal injury tort litigation[.]” Marriott argues that Cohan cannot show that he is harmed by the provision.

This provision does not explain what type of analysis will be conducted, who will compile the statistics, and whether the results will be made available to entities outside the litigation. Presumably, there is no need to strip the health information of identifiers if it remains inside the litigation. Because de-identified information is for use outside of the present litigation, the provision is not in accord with the Hawai'i constitutional protection for health information.

4. SQPO paragraph 1(b)(8)—Disclosure of Health Information for Record Keeping Requirements

SQPO paragraph 1(b)(8) provides that Cohan’s health information may be used “for any record keeping requirements or obligations relating to any of the foregoing, and pertaining to the Subject Accident.”

Cohan proposes to strike the provision from the protective order and argues that “[t]he stricken language, if retained, would improperly put at risk Cohan’s medical information for use for matters far beyond the scope of the underlying personal injury tort litigation.” Marriott counters that Cohan cannot show he is harmed by the provision.

The requirement of disclosure of health information “for any record keeping requirements or obligations relating to any of the foregoing, and pertaining to the Subject Accident,” provides no ostensible limitation to allowing use of Cohan’s information outside the subject litigation, and therefore violates the Hawai'i Constitution.

5. SQPO paragraph 1(b)(8)—Unreasonably Withholding Consent to Disclosure of Health Information

SQPO paragraph 1(b)(8) also provides that Marriott or its “agents, attorneys, or insurers may request that additional permissible categories of uses, disclosures, or maintenance be added” to the SQPO, and Cohan “shall not unreasonably withhold consent [to disclosure of health information], provided that the additional categories requested are consistent with the intent of this Order/Agreement.”

Cohan contends that the language, if retained, would improperly risk disclosure of Cohan’s medical information for matters beyond the scope of the underlying litigation and violate the private protections afforded him by state and federal law. Marriott argues that the provision, which “relate[s] to [Marriott’s] reservation to request additional permissible uses,” is “not harmful because it does not impose unilaterally any additional uses without the consent of [Cohan].”

However, the provision does not limit the use or disclosure of Cohan’s health information to the underlying litigation. Further, the provision does not limit Marriott and its agents in requesting additional categories of uses and disclosures for Cohan’s health information, but at the same time limits Cohan’s power to withhold consent provided that the additional categories are consistent with the intent of the SQPO. Therefore, requiring Cohan to comply with SQPO paragraph 1(b)(8) would not comport with the protections provided for health information under the Hawai'i Constitution.

6. SQPO paragraph 5—Time Deadline to Return Health Information

SQPO paragraph 5, entitled “Return or Destruction of All Copies,” provides that Marriott must return Cohan’s health information to Cohan’s counsel or destroy the information within ninety days after the “final conclusion of the ... case/claim by fully-executed non-litigation settlement agreement.”

This SQPO provision provides a ninety-day grace period after the end of litigation for Marriott to return or destroy Cohan’s protected health information. Because article I, section 6 of the Hawai'i Constitution prohibits the use of such information outside the present litigation, it would, by inference, require parties to return records immediately after the litigation concludes.

B.

In this case, application of the Hawai'i Constitution establishes that the six contested provisions of the SQPO are not in compliance with state law. The six provisions— paragraph 1(b)(2) (internal review); paragraph 1(b)(3) (external review); paragraph 1(b)(7) (de-identification); paragraph 1(b)(8) (record keeping requirements); paragraph 1(b)(8) (preventing Cohan from unreasonably withholding consent); and paragraph 5 (time deadline for returning health information)— all allow Cohan’s health information to be used for purposes outside the underlying litigation without any showing of a compelling state interest. Therefore, the respondent judge erred in affirming the CAAP Administrator’s order and requiring Cohan to sign the SQPO.

VI.

In addition to requiring the execution of Marriott’s SQPO, the arbitrator’s order mandates that Cohan sign Marriott’s proposed authorizations for medical and employment records. Cohan separately objected to the language contained in these authorizations as overly broad. The medical authorizations submitted to Cohan by Marriott, if signed by Cohan, would grant Marriott’s counsel authorization to disclose Cohan’s health information to any and all persons as follows:

I further authorize [Marriott’s counsel] to further disclose this authorization and all information obtained by its use, regardless of content, to any and all persons involved in the lawsuit/claim, for which this authorization is being signed, including, but not limited to, opposing counsel, experts, consultants, court/administrative agency personnel, government agencies, private investigators, copy services, court reporting companies, parties, and insurance representatives.

(Emphasis added).

Additionally, the medical authorizations would grant Marriott permission to re-disclose Cohan’s health information, “in relation to the [case] for which [the] authorization is provided,” and provide that such information “may no longer be protected under federal privacy regulations”:

“I understand that the health information released under this authorization may be re-disclosed by the recipient in relation to the case/matter for which this authorization is provided, and may no longer be protected under the federal privacy regulations.”

(Emphasis added). The authorizations would also “release [Marriott] from all liability and claims whatsoever pertaining to the disclosure of information as contained in the records released pursuant to [the] authorization.”

Cohan argues that the clause providing for redisclosure of his information “in relation” to the case in a manner that “may no longer be protected under the federal privacy regulations” has the effect of “negat[ing] the protective safeguards” of HIPAA and article I, section 6 of the Hawai'i Constitution. Cohan notes that the authorizations make no reference to the SQPO or the limitations on the disclosure of his health information set forth in the SQPO, thereby allowing for the potential disclosure of his health information “to a wide group of people” with no way of preventing the recipients of the information from re-disclosing it to parties unrelated to the underlying litigation. Consequently, while recipients of Cohan’s health information would be apprised of the protections against disclosure listed in the authorizations, they would lack notice of the more restrictive protections against certain types of disclosure that may be contained in a proper SQPO.

The authorizations require Cohan to sign a release expressly stating that his information may no longer be protected by federal privacy regulations. Additionally, the authorizations do not provide that the recipient of the re-disclosed information is subject to the disclosure restrictions set forth in the SQPO. The authorizations also do not require that Cohan be notified before his health information is re-disclosed, thereby eliminating his ability to know or challenge the dissemination of his protected health information.

While discovery of Cohan’s medical records are relevant to the subject matter of his claims, article I, section 6 of the Hawai'i Constitution protects the disclosure of health information produced in discovery and limits such disclosure to the underlying litigation. This right of the people to privacy “is recognized and shall not be infringed without the showing of a compelling state interest.” Brende, 113 Hawai'i at 430, 153 P.3d at 1115.

Thus, the respondent judge’s order requiring Cohan to sign an authorization that would allow Marriott to “disclose [Cohan’s health information] outside of the underlying litigation” without his consent is a violation of Cohan’s “constitutional right to informational privacy.” Id. at 431, 153 P.3d at 1116. Therefore, the respondent judge erred by requiring Cohan to sign the authorizations.

VII.

Cohan is entitled to mandamus relief because the Arbitration Judge’s order is not appealable and results in the release of confidential health information outside the underlying litigation. See Brende, 113 Hawai'i at 429, 153 P.3d at 1114 (citing Kema, 91 Hawai'i at 205, 982 P.2d at 339).

Therefore we grant the Petition, and the respondent judge is directed to: (1) vacate the order affirming the arbitration decision, and (2) order that the qualified protective order and the authorizations for release of medical records be revised consistent with this opinion.

Concurring Opinion by

RECKTENWALD, C.J.,

in which NAKAYAMA, J., Joins.

I concur in the result reached by the majority and in much of its analysis, but write separately to address several issues. I agree that article I, section 6 of the Hawai'i Constitution protects personal medical information that is produced in discovery from being disclosed outside of the underlying litigation. As the majority notes, this court has previously addressed this issue in Brende v. Hara, 113 Hawai'i 424, 153 P.3d 1109 (2007) (per curiam), which also specifically dealt with whether medical information produced to litigants in an underlying tort case could then be used or disclosed for purposes outside the underlying litigation. Acknowledging the specific circumstances in which the case was decided, we held in Brende that the constitutional right to privacy “protects the disclosure outside of the underlying litigation of petitioners’ health information produced in discovery.” 113 Hawai'i at 430, 153 P.3d at 1115 (footnote omitted).

However, a party may be able to compel the disclosure of personal medical information outside the litigation by the showing of a “compelling state interest,” pursuant to the plain language of article I, section 6, which provides that “[t]he right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest.” Disclosure required by law may be one such compelling state interest. I agree with the majority that paragraph 1(b)(3) of the stipulated qualified protective order in this case was overbroad to the extent that it did not limit re-disclosure of Cohan’s medical information in any way. However, a more precisely drafted provision could be upheld to the extent that it allowed for disclosure that would be required to comply with state or federal law, such as an inquiry from the Insurance Commissioner. See, e.g., HRS § 431:2-208(a) (2006) (“Every person and its officers, employees, and representatives subject to investigation or examination by the commissioner, shall produce and make freely accessible to the commissioner the accounts, records, documents, and files in the person’s possession or control relating to the subject of the investigation or examination, and shall otherwise facilitate the investigation or examination.”). Such a purpose would qualify as a “compelling state interest” in my view.

Finally, with regard to the disclosure of de-identified information under paragraph 1(b)(7), it is not necessary to apply a state constitutional right to privacy here since the paragraph is in any event invalid under the Health Insurance Portability and Accountability Act (HIPAA). See Rees v. Carlisle, 113 Hawai'i 446, 456, 153 P.3d 1131, 1141 (2007) (citation omitted) (“A fundamental and longstanding principle of judicial restraint requires that courts avoid reaching constitutional questions in advance of the necessity of deciding them.”); Lyng v. Nw. Indian Cemetery Protective Ass’n, 485 U.S. 439, 445, 108 S.Ct. 1319, 99 L.Ed.2d 534 (1988) (same). Paragraph 1(b)(7) states that it would allow Cohan’s health information to be used “for statistical or analytical purposes, provided that [Cohan’s] personal identification information (e.g., name, specific street address, specific birth date, Social Security number, driver’s license number) is not included in such review or use of Health Information[.]” It is evident that this paragraph does not satisfy the minimum requirements under HIPAA’s accompanying regulations to ensure that personal medical information is adequately de-identified. See 45 C.F.R. § 164.514 (2013). For example, regulations issued pursuant to HIPAA require that either a “person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable” apply such principles and methods to determine that the risk of re-identification is very small, 45 C.F.R. § 164.514(b)(1)(i), or, alternatively, that a list of eighteen identifiers be removed, see 45 C.F.R. §§ 164.514(b)(2)(i)(A)-(R). On its face, paragraph 1(b)(7) fails to comply with either method for de-identifying information under these regulations.

In addition, HIPAA could preempt our state constitutional right to privacy to the extent that our constitution is interpreted to prevent the disclosure of deidentified medical information. The majority opinion cites to HIPAA’s “supersession” clause, section 264 of HIPAA, which directs the Secretary of Health and Human Services to promulgate regulations to protect the privacy of medical records, but provides in subsection (c)(2) that such a regulation “shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” Majority opinion at 955 (citing HIPAA, Pub.L. No. 104-191, § 264, 110 Stat. 1936 (1996); 45 C.F.R. § 160.203(b)). A standard is “more stringent” if it “provides greater privacy protection for the individual who is the subject of the individually identifiable health information” than the standard in the regulation. Majority opinion at 957 (citing 45 C.F.R. § 160.202(6); Nw. Mem’l Hosp. v. Ashcroft, 362 F.3d 923, 924 (7th Cir.2004)).

However, as the Northwestern court was careful to note,

the “more stringent” clause applies only to “individually identifiable health information,” § 160.203(b), as opposed to “health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual.” § 164.514(a). Provided that medical records are redacted in accordance with the redaction requirements (themselves quite stringent) of § 164.514(a), they would not contain “individually identifiable health information” and the “more stringent” clause would fall away.

Nw. Mem’l Hosp., 362 F.3d at 926 (emphases added).

Thus, the “supersession” clause that the majority cites to as enabling it to apply a more protective state constitutional right to privacy, could “fall away” when the information at issue is not “individually identifiable health information,” i.e., is de-identified information. In such situations, HIPAA preempts any conflicting state law. To underscore this point, Judge Manion’s concurrence thus stated that, “In passing HIPAA, Congress recognized a privacy interest only in ‘individually identifiable medical records’ and not redacted medical records, and HIPAA preempts state law in this regard.” Id. at 933 (Manion, J., concurring in part and dissenting in part).

Additionally, in In re Zyprexa Products Liability Litigation, 254 F.R.D. 50 (E.D.N.Y. 2008), the magistrate judge presiding over discovery concluded that HIPAA preempts state privilege laws that preclude the disclosure of de-identified medical records. There, several states sought damages stemming from the unlawful marketing of an anti-psychotic drug Zyprexa. Id. at 51. When the defendant company sought the medical records of a sampling of patients who took the medication, the states attempted to prevent disclosure of such records by asserting that their respective physician-patient privilege laws protected against the disclosure of such records. Id. When the issue arose as to whether the records would be discoverable if properly redacted based on HIPAA’s de-identification procedures, the states further contended that “their respective privilege laws are more stringent than HIPAA, and argue[d] that a HIPAA-compliant court order will not suffice to protect the privacy interests of the patients whose medical records [the defendant] seeks.” Id. at 54. However, the magistrate judge rejected this argument, concluding that,

Even assuming that state privilege laws afford greater protection to the records [the defendant] seeks—and it is not entirely clear that they do—HIPAA contains a supersession clause which makes clear that to the extent state privilege laws are more protective of de-identified health information than is HIPAA, those laws are preempted by HIPAA’s regulatory scheme.

Id.

Citing approvingly to Northwestern, the magistrate judge thus held that, “de-identified health information is not protected under HIPAA, and that, to the extent state privilege laws offer protection to de-identified medical records, HIPAA preempts those laws.” Id. Accordingly, the magistrate judge determined that more stringent state privilege laws did not prevent the discovery of de-identified medical records. Id.

Here, in rejecting paragraph 1(b)(7), the majority concludes that “the provision is not in accord with the Hawaii constitutional protection for health information” because the “de-identified information is for use outside of the present litigation.” Majority opinion at 29. In my view, the majority’s reliance on the state constitutional right to privacy to prevent the disclosure of de-identified information could run afoul of and thus be preempted by HIPAA, just as the state privilege laws were preempted by HIPAA in In re Zyprexa.

Accordingly, since paragraph 1(b)(7) clearly violates HIPAA’s protocols for de-identification, I would rely on HIPAA in rejecting that provision rather than relying on the state constitutional right to privacy.
      
      . 45 C.F.R. § 164.512, which sets forth the uses and disclosures under HIPAA, provides:
      (e) Standard: Disclosures for judicial and administrative proceedings.
      (1) Permitted disclosures. A [medical provider] may disclose protected health information in the course of any judicial or administrative proceeding:
      
        
      
      (ii) in response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
      
        
      
      (iv) ....
      (A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute;
      
        
      
      (v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
      (A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
      (B) Requires the return to the [medical provider] or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
      (Emphasis added).
     
      
      . HRCP Rule 31 governs depositions upon written questions and delineates the subpoena procedure for obtaining documents.
     
      
      . Cohan argues that the Hawai'i Constitution requires more than the minimum protections provided by HIPAA, as article I, section 6 recognizes that "[t]he right of the people to privacy ... shall not be infringed without the showing of a compelling state interest ... ,[and][t]he legislature shall take affirmative steps to implement this right.”
     
      
      . Marriott urges the court to find Cohan’s challenge to the July 3, 2012 letter regarding the use of the HSBA-approved stipulated qualified protective order as untimely. See Haw. Arb. R. 11 (B) (a party is required to challenge an arbitrator’s decision within ten days from the date of the challenged act). Cohan, however, was not required to appeal from the July 3, 2012 letter. Instead, he appealed from the arbitrator’s September 7, 2012 order, which he was authorized to do. Although the letter of appeal is dated September 18, 2012, both the CAAP Administrator and Judge Ayabe declined to rely upon a purported rule violation, and ruled on the merits of the issue in affirming the arbitrator’s decision. Under Haw. Arb. R. 11(B), "The Arbitration Judge shall have the non-reviewable power to uphold, overturn or modify the decision of the Arbitration Administrator, including the power to stay any proceeding.” The decision by the Arbitration Judge to review the merits of Petitioner’s appeal has not been challenged by Marriott as a flagrant abuse of discretion in an original proceeding or in this case. In any event, under the circumstances, it clearly was not a flagrant abuse of discretion for the Arbitration Judge to review the Administrator’s order involving an issue of constitutional magnitude.
     
      
      . Health information includes any information, whether oral or recorded in any form or medium, that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual. 45 C.F.R. § 160.103.
     
      
      . Catherine Louisa Glenn, Protecting Health Information Privacy: The Case for Self-Regulation of Electronically Held Medical Records, 53 Vand. L. Rev. 1605, 1609 n. 25 (2000) (identifying the constitutions of Alaska, Arizona, California, Florida, Hawai'i, Illinois, Louisiana, Montana, South Carolina, and Washington as protecting health information privacy). See also Christopher R. Smith, Somebody’s Watching Me: Protecting Patient Privacy in Prescription Health Information, 36 Vt. L. Rev. 931, 945 n. 90 (2012) (citing several state court cases recognizing a state constitutional right to privacy).
     
      
      . The Brende court noted that the "privacy of health information was previously codified in Hawai'i Revised Statutes chapter 323C (Supp. 1999) (Privacy of Health Care Information), which prohibited anyone from disclosing, outside of a civil action, health information discovered in the proceedings.” Brende, 113 Hawai'i at 430 n. 5, 153 P.3d at 1115 n. 5. The law was enacted in 1999, but was subsequently repealed in 2001 upon the legislature's finding of " 'little support for a Hawai'i Medical Privacy Law in light of the adoption of [HIPAA],’ 'no evidence of widespread abuse [of medical records privacy] in Hawai'i,’ and a need for ‘a clear understanding of what, if any, problems Hawai'i faces in protecting medical privacy.' ” Id. (quoting 2001 Haw. Sess. L. Act 244).
     
      
      . Finally, the Brende court held that the plaintiffs had also demonstrated "good cause” for a protective order that provided disclosure protections in excess of what was required by HIPAA, and thus directed the trial judge to issue an order prohibiting the defendant from using or disclosing health information obtained from any source. Id. at 431-32, 153 P.3d at 1116-17 (citing HRCP Rule 26(c)). The court reasoned that "determining whether good cause exists ... requires a balancing of respondent's need, outside of the underlying litigation, for petitioners' health information produced in discovery against the injury that might result from the disclosure of that health information outside of the litigation.” Id. at 431, 153 P.3d at 1116. The court found no legitimate need, outside of the underlying litigation, for the plaintiffs’ health information produced in discovery. Id.
      
     
      
      . The complete text, including amendments, of 45 C.F.R. parts 160 and 164, which specifically set out the privacy and security standards, "now consist of fifty-five pages of dense regulatory language.” Nicholas P. Terry, What's Wrong with Health Privacy, 5 J. Health & Biomedical L. 1, 31 (2009). See also Laura Parker, Medical-privacy law creates wide confusion, USA Today (Oct. 16, 2003, 11:01 PM), http://usatoday30.usatoday.com/news/nation/2003-10-16-cover-medicalprivacy_x.htm (last updated Oct. 17, 2003, 9:47 AM) (noting that though the privacy provisions in the original HIPAA began as a 337-word guideline, the final regulations swelled to 101,000 words).
     
      
      . Robert Gellman, The Deidentification Dilemma: A Legislative and Contractual Proposal, 21 Fordham Intell. Prop. Media & Ent. L.J. 33, 37-38 (2010) (noting that HIPAA “provides an example of the difficulty of achieving—or even defining—deidentification”).
     
      
      . See Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, U.S. Dep’t of Health & Human Serv., http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html (last visited Feb. 26, 2014).
     
      
      . For example, covered entities must identify "[t]hose persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties" and "[f]or each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.” 45 C.F.R. § 164.514(d)(2)(i). Further, for those disclosures that a covered entity makes on a routine basis, it must "implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.” 45 C.F.R. § 164.514(d)(3)(i). But for all other disclosures, it must "[d]evelop criteria designed to limit the protected health information disclosed” and "[r]eview requests for disclosure on an individual basis in accordance with such criteria.” 45 C.F.R. § 164.514(d)(3)(ii). The Privacy Rule permits incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity has applied reasonable safeguards. 45 C.F.R. § 164.502(a)(1)(iii). There are several other regulations related to a covered entity’s uses and disclosures of protected health information, such as requests for health information (45 C.F.R. § 164.514(d)(4)), data use agreements (45 C.F.R. § 164.514(e)), fundraising communications (45 C.F.R. § 164.514(f)), and insurance underwriting or premium rating (45 C.F.R. § 164.514(g)).
     
      
      . The applicable HIPAA regulation states, in relevant part, "[a] covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.” 45 C.F.R. § 164.502(d)(1) (emphases added).
     
      
      . There are several regulations concerning a covered entity's relationship with a business associate, defined as one who "creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing" or "[p]rovides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates[.]” 45 C.F.R. § 160.103(l)(ii). Further, the definition goes on to state that a "covered entity may be a business associate of another covered entity," id. at § 160.103(2), and enumerate which entities may or may not be classified as business associates. Id. at §§ 160.103(3)-(4).
      
        See, e.g., 45 C.F.R. § 164.502(a)(3) (providing that a business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement); id. at § 164.502(e) (providing that a covered entity may disclose protected health information to a business association and allow the business associate to "create, receive, maintain, or transmit protected health information on its behalf" if the covered entity "obtains satisfactory assurance that the business associate will appropriately safeguard the information”); id. at § 164.504(e) (setting forth requirements for business associate contracts).
     
      
      . Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, U.S. Dep’t of Health & Human Serv., http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/De-identification/guidance.html (last visited Feb. 26, 2014). Though the Privacy Rule does not limit how a covered entity may disclose de-identified information, a covered entity may require the recipient of such information to enter into a data use agreement to access files with known disclosure risk. Id.
      
     
      
      . Despite the identification provisions’ intricacy, the risk of re-identification remains, as there is "no national, uniform standard governing the level of identifier-stripping necessary to guarantee that de-identified data cannot be re-identified.” Smith, supra, at 935. Along with concerns related to the security of this information once distributed, some patients have subjective privacy concerns. Id. at 936 (arguing that the issue is one of "dehumanization [in] having one’s most intimate information circulated by an indifferent and faceless infrastructure without any control over the process or content") (quoting Will Thomas DeVries, Protecting Privacy in the Digital Age, 18 Berkeley Tech. L.J. 283, 298 (2003)). It is noted that this invasion of privacy occurs only because of the alleged wrongful conduct of a defendant in the first instance.
     
      
      . Cohan, in his Supplemental Memorandum, contended that the SQPO’s paragraph 1(b) allows disclosure in relation to "any claim, litigation, and/or proceeding arising out of the ... subject accident” whereas the Hawai'i Constitution permits disclosure only as to the "underlying litigation.” (Emphasis added). During oral argument, Cohan’s counsel acknowledged that the originally contested provision matched his own proposed SQPO language at the trial court level. Consequently, we do not consider this provision in determining the merits of the Petition.
      Similarly, Cohan waived his argument as to Marriott's SQPO paragraph 1(b)(6), which provides that Cohan’s health information may be used "for any legally required reporting to governmental health or medical insurance organizations or their private contractors for [Cohan’s] health care and expenses related to the Subject Accident." (Emphasis added). Cohan's proposed SQPO provides that "[i]t is specifically understood and agreed that plaintiff's health information may be used, and/or disclosed, and/or maintained, without plaintiff's consent as may be required to comply with state or federal laws/rules[.]” (Emphasis added). Because this language is also used in Marriott’s SQPO paragraph 1(b) and Cohan did not directly address this provision in his Supplemental Memorandum, we do not consider this provision in deciding whether the Arbitration Judge abused his discretion. In light of Cohan’s waiver of his argument to this provision, we also need not determine whether Marriott demonstrated a compelling state interest for disclosure of health information in order to satisfy a legally required reporting mandate.
     
      
      . An analysis under HIPAA arguably may lead to a different result. SQPO paragraph 1(b)(2) provides that Cohan’s health information may be used, disclosed or maintained, without his consent, for purposes of Marriott’s internal reviews or audits. The applicable HIPAA regulation states that a "covered entity,” which is defined as a (1) a health plan; (2) a health care clearinghouse; or (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter (45 C.F.R. § 160.103), "may use or disclose protected health information for its own treatment, payment, or health care operations.” 45 C.F.R. § 164.506(c)(1). "Health care operations” is defined to include the following activities of the covered entity (to the extent the activities are related to covered functions):
      (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and Business management and general administrative activities of the entity, including, but not limited to:
      
        
      
      (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;
      45 C.F.R. § 164.501. Marriott asserts that the language of SQPO paragraph 1(b)(2) is consistent with 45 C.F.R. § 164.506(c) given that § 164.506(c)(1) provides that insurance companies "may use or disclose protected health information for its own treatment, payment, or health care operations." Further, Marriott notes that "health care operations” includes "business management and general administrative activities.”
      While Marriott relies upon § 164.501(6), it would appear that § 164.501(5) provides a better rationale for the SQPO language, as it relates to internal review functions such as "[b]usiness planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity[.]” 45 C.F.R. § 164.501(5). Thus, the language of paragraph 1(b)(2) may satisfy the HIPAA requirement, but apparently not under the provision that Marriott references.
     
      
      . Cohan argues that "external review and/or auditing” does not qualify under HIPAA as a use of the information in "the litigation or proceeding for which such information was requested.” Marriott argues that Cohan cannot show that he is harmed by the language of paragraph 1(b)(3) because the use of health care information for external review and/or auditing by reinsurers, the Insurance Commissioner, or external auditors is allowed by 45 C.F.R. § 164.501(4), which states that insurance companies may conduct or arrange "medical review, legal services, and auditing functions” as part of their health care operations. The applicable HIPAA regulation states that "a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations." 45 C.F.R. § 164.506(c)(1). The applicable definition of “health care operations” provides: "Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs[.]” 45 C.F.R. § 164.501(4) (emphasis added). However, paragraph 1(b)(3) would allow Cohan's information to be disclosed to business associates of Marriott. Under HIPAA, the covered entity and its business associates must comply with strict requirements. See 45 C.F.R. § 164.502(a)(3) (business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement); 45 C.F.R. § 164.504(e) (setting forth requirements for business associate contracts). Because these comprehensive requirements are not set forth in the SQPO, this provision appears to violate HIPAA.
     
      
      . As discussed in the earlier section, the HIPAA regulations related to de-identified information are inordinately complex. The applicable HIPAA regulation states, in relevant part, "[a] covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.” 45 C.F.R. § 164.502(d)(1) (emphasis added). Marriott contends that HIPAA does not protect de-identified information because, pursuant to 45 C.F.R. §§ 164.502(d)(1)-(2), "[c]overed entities, i.e., insurance companies, may use protected health information to create information that is not individually identifiable health information, and such ‘de-identified’ information is not subject to the requirements of [45 C.F.R. § 164.502].” This argument rests on whether the information is fully deidentified. However, Marriott’s de-identification provision in SQPO paragraph 1(b)(7) does not comply with the minimal requirements of 45 C.F.R. §§ 164.502(d)(1)-(2), which codifies a comprehensive set of regulations for the de-identification of health care information, set forth in 45 C.F.R. §§ 164.514(a)-(b).
     
      
      . Although Marriott cites to 45 C.F.R. §§ 164.502(d)(1)-(2) (relating to uses and disclosures of de-identified information) as a statutory basis for SQPO paragraph 1(b)(8), the cited regulations are not related to the subject of paragraph 1(b)(8). Furthermore, SQPO paragraph 1(b)(8), which provides that Cohan's health information may be used "for any record keeping requirements or obligations relating to any of the foregoing, and pertaining to the Subject Accident" (emphasis added), does not identify the entities that may use Cohan’s health information or require them to conform to HIPAA requirements.
     
      
      . There is no HIPAA regulation addressing the subject of this provision, which provides that Cohan "shall not unreasonably withhold consent [to disclosure of health information], provided that the additional categories requested are consistent with the intent of this Order/Agreement.”
     
      
      . The corresponding HIPAA regulation requires, in relevant part, "the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.” 45 C.F.R. § 164.512(e)(1)(v)(B) (emphasis added). In contrast, SQPO paragraph 5 provides that Marriott must return the information within ninety days after the "final conclusion of the ... case/claim by fully-executed non-litigation settlement agreement.” Marriott argues that the SQPO provision complies with the HIPAA regulation because Marriott must return protected health information within ninety days after the conclusion of the case. But, the ninety-day grace period in the SQPO is more than what HIPAA allows.
     
      
      . Cohan argues that Hawai'i Rules of Evidence (HRE) Rule 504, entitled "Physician-patient privilege,” provides supplementary protection against the disclosure of his health information. In light of the court’s determination as to informational protection under the Hawai'i Constitution, this contention need not be addressed.
     
      
      . Although Marriott references "employment authorizations" in its Supplemental Memorandum, all of the authorizations submitted by the parties appear to be medically related.
     
      
      . If, pursuant to Brende, any "medical information protective order issued in a judicial proceeding must, at a minimum, provide the protections of the HIPAA," 113 Hawai'i at 429, 153 P.3d at 1114, then it follows that a party may not be required to sign an authorization form that does not provide the same minimum protections.
     
      
      . Although the majority cites to Northwestern for a passage in which the court stated that, “Even if there were no possibility that a patient's identity might be learned from a redacted medical record, there would be an invasion of privacy[,]” the Northwestern court made this statement within the context of affirming the district court’s quashing of a subpoena based on a balancing of the benefit and burden of complying with the subpoena, under Federal Rules of Civil Procedure Rule 45(c). Id., 362 F.3d at 929-33.
      Notably, the court in Northwestern relied on this balancing analysis in reaching its holding because it rejected the district court’s other grounds for quashing the subpoena, that Illinois’s "more stringent” standard for disclosure trumped the HIPAA regulation by virtue of HIPAA’s supersession provision. Id. at 925-26.
      The majority in Northwestern did state in dictum that "Illinois is free to enforce its more stringent medical-records privilege (there is no comparable federal privilege) in suits in state court to enforce state law and, by virtue of an express provision in Fed.R.Evid. 501, in suits in federal court (mainly diversity suits) as well in which state law supplies the rule of decision.” Id. at 925. However, that statement was not made specifically with regard to de-identified information.
     