The opinion of the court was delivered by: RICHARD CASEY, District Judge.
Now before the Court is Defendant's motion to enforce a subpoena
against the New York and Presbyterian Hospital pursuant to Federal Rule
of Civil Procedure 45(c)(2)(B). For the reasons stated below, the motion
Plaintiffs, a group of physicians and medical providers, filed this
action on November 4, 2003, to challenge the constitutionality of the
Partial-Birth Abortion Ban Act of 2003 ("the Act"), 18 U.S.C. § 1531,
which imposes criminal and civil sanctions on physicians who perform
certain abortion procedures. This Court temporarily enjoined enforcement
of the Act on November 6,2003, and set the matter for trial to commence
March 29, 2004. Plaintiffs assert that the Act is unconstitutional, among
other reasons, because it lacks an exception to protect a woman's health
as required under the Supreme Court's decision in Stenberg v. Carhart,
530 U.S. 914 (2000).
During the discovery process, the Attorney General of the United States
subpoenas to a number of hospitals throughout the country seeking medical
records of women on whom the plaintiff physicians performed certain
abortion procedures. One of those hospitals is the New York and
Presbyterian Hospital ("the Hospital").
On December 18, 2003, this Court issued an order that authorized, but
did not require, the Hospital to produce the records. On December 22,
Defendant served a subpoena on the Hospital, accompanied by the Court
order, demanding production of "all medical records associated with those
medical record numbers to be identified by plaintiffs Carolyn Westhoff,
M.D. and Stephen Chasen, M.D. in response to the discovery demands served
upon them in" this case. Drs. Westhoff and Chasen, both plaintiffs in this
suit, are employed on the faculties of Columbia and Cornell medical
schools, which are both affiliated with the Hospital. According to the
Hospital, both are attending physicians at, but not employees of, the
Hospital. (Memorandum of Law of Non-Party the New York and Presbyterian
Hospital in Opposition to Defendant's Motion to Enforce Subpoena, at 2.)
Defendant also issued similar subpoenas to other hospitals. One such
institution, Northwestern University Hospital in Illinois, moved to quash
the subpoena in the United States District Court for the Northern
District of Illinois. Chief Judge Charles P. Kocoras granted
Northwestern's motion on February 4,2004. See Nat'l Abortion Fed'n v.
Ashcroft, No. 04 C 55, 2004 WL 292079 (N.D. Ill. Feb. 4, 2004). In a
parallel case challenging the Act, Judge Phyllis Hamilton of the Northern
District of California denied Defendant's motion to compel discovery
seeking similar medical records from health care providers in California
and elsewhere. See Planned Parenthood Fed'n of Am. Inc. v. Ashcroft, No.
C 03-4872, 2004 WL 432222 (N.D. Cal. Mar. 5, 2004). Defendant has
appealed Judge Kocoras's decision to the Seventh Circuit Court of
The Court is unaware whether Defendant has also appealed Judge Hamilton's
order to the Ninth Circuit.
In this case, Defendant brought a motion to enforce the subpoena and
compel production of the documents. By stipulation of the parties in this
case, the Court issued a protective order on January 23, 2004, that
requires redaction of individual identification material prior to
disclosure. The Hospital argues that the protective order is insufficient
under the Health Insurance Portability and Accountability Act of 1996
("HIPAA"), Pub.L. No. 104-191, §§ 261-264, 110 Stat. 1936 (Aug. 21,
1996), because HIPAA incorporates New York State law requiring patient
consent before disclosure. Defendant responds that disclosure is required
because the protective order complies with administrative regulations
promulgated pursuant to HIPAA. See 45 C.F.R. § 164.512(e) (providing
conditions for disclosure of protected health information in judicial
This issue brings into conflict two profoundly important interests:
respect for the sanctity of the physician-patient relationship, and the
search for truth at the heart of the litigation process. Resolution of
the issue requires careful attention to HIPAA and the regulatory
framework promulgated to implement it.
A. The Statutory and Regulatory Framework
HIPAA is a complex piece of legislation that addresses the exchange of
health-related information. Title II of HIPAA includes provisions
entitled "Administrative Simplification." See 110 Stat. 1936, 2021-2034
(codified at 42 U.S.C. § 1320d-1320d-8). In one of the Administrative
Simplification provisions, Congress delegated to the Secretary of Health
and Human Services ("HHS") the authority to make final regulations
concerning the privacy of individually identifiable
health information.*fn2 See HIPAA, § 264(b), (c)(1), 110 Stat.
1936,2033. Those regulations were to address, among other things, the
rights of individuals with regard to their health information, the
procedures by which individuals may exercise their rights, and the uses
and disclosures of health information that may be authorized or
required. Id. § 264(b).
In accordance with this rulemaking authority, in February 2001, HHS
promulgated regulations to protect the privacy of protected health
information. See 45 C.F.R. § 164.500-.534; South Carolina Medical
Ass'n v. Thompson, 327 F.3d 346, 349 (4th Cir. 2003). Protected health
information means individually identifiable health information
transmitted or maintained in any form or medium. 45 C.F.R. § 160.103.
HHS explicitly addressed disclosure of protected health information
during judicial or administrative proceedings. See id. § 164.512(e).
That provision permits health care providers and other covered entities
to disclose protected health information without patient consent: (1) in
response to a court order, provided only the information specified in the
court order is disclosed; or (2) in response to a subpoena or discovery
request if the health care provider receives adequate assurance that the
individual whose records are requested has been given sufficient notice
of the request, or if reasonable efforts have been made to secure a
protective order. Id. § 164.512(e)(1)(i), (ii). Protective orders must
(1) prohibit use of the protected health
information outside the litigation process; and (2) require the return or
destruction of the records, including all copies made, at the conclusion
of the litigation. Id. § 164.512(e)(1)(v).
The regulations also provide that health records are not considered
individually identifiable, and thus not "protected health information,"
if certain information is redacted. HHS determined that "[h]ealth
information that does not identify an individual and with respect to
which there is no reasonable basis to believe that information can be
used to identify an individual is not individually identifiable health
information." Id. § 164.514(a). The following identifiers must be
removed to render medical records not individually identifiable: names;
geographic subdivisions smaller than a state (including addresses and
full zip codes); all dates except years; telephone and fax numbers; email
addresses; social security numbers; medical record numbers; health plan
beneficiary numbers; account numbers; license numbers; vehicle
identifiers; device identifiers; internet addresses; biometric
identifiers such as finger and voice prints; photographs of ...