*1 THIS MATTER is before the Court on the Motion to Compel Discovery [41] filed by Plaintiff. Having considered the Motion, the record, and the applicable law, the Court finds that the Motion [41] should be granted as to the alternative relief requested.

Plaintiff in this action is a medical doctor who reviewed chest x-rays for workers who were exposed to asbestos. See Amended Complaint [12] at 3. Defendant Ankura Consulting Group, LLC (“Ankura”) was hired by a third party to conduct an audit of Plaintiff's patient's x-rays and ultimately “failed” him for “misreading or misinterpreting a material number” of those x-rays. Id. at 11. Plaintiff alleges that this was a “bad faith sham audit” and that Ankura intentionally failed Plaintiff in an effort to save its customers money. Id.

The parties filed two stipulated protective orders to protect against the disclosure of confidential information related to the subject matter at issue, i.e. medical records containing protected health information (“PHI”). See [37] [38]. In pertinent part, personal identifying information such as names and account numbers are to be redacted and an agreed upon code substituted in place of that information. See [38] at 2. The parties now disagree as to the scope of the protective orders. On April 12, 2021, the court held a telephonic conference with the parties in an attempt to resolve their dispute. No resolution was reached, and the Court directed the parties to file the appropriate motions. See Minute Entry 04/12/2021.

On April 16, 2021, Plaintiff filed the instant Motion [41], arguing that he is entitled to receive either the unredacted records from Defendant that caused Plaintiff to fail the audit, or in the alternative, a key to the redacted records so that he can adequately review them and provide them to his experts. Ankura responded, arguing that Plaintiff's request exceeds the scope of the agreed protective order, and that his motion should be denied. See [42]. Plaintiff filed his Reply [46], and the matter is now ripe for review.

Plaintiff argues that Ankura is not a “covered entity” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and, therefore, not subject to the disclosure requirements under HIPAA. If Ankura is not a covered entity, then it is not bound by HIPAA's restrictions regarding the dissemination of medical information and is free to produce the requested files without a protective order. See e.g. United States v. Abdallah, No. CRIM.A. H-07-155, 2009 WL 1918401, at *6-7 (S.D. Tex. July 1, 2009) (“The statutory language is clear that HIPAA only applies to” covered entities and no violation occurs where non-covered entities disclose PHI); United States v. Zamora, 408 F. Supp. 2d 295, 297 (S.D. Tex. 2006) (HIPAA's prohibition applies only to “covered entities”) (citing 45 C.F.R. § 164.502.); see also, Beard v. City of Chicago, 2005 WL 66074 at *2 (N.D. Ill. Jan. 10, 2005) (HIPAA did not bar production of documents because defendant fire department was not a “covered entity” under HIPAA and “the restrictions on use or disclosure of health information apply only to a covered entity.”).

*2 HIPAA defines a “covered entity” as either a health plan, a health care clearinghouse, or a healthcare provider who transmits any health information in electronic form. See 45 C.F.R. § 160.103. Nothing in the record before the Court indicates that Ankura fits into one of these categories.

The Court need not determine whether Ankura is a “covered entity” within the meaning of HIPAA, because even assuming that it is, HIPAA permits disclosure in this instance. HIPAA allows for limited exceptions to its use and disclosure limitations. See 45 C.F.R. § 164.512(e). For judicial proceedings like the current action, covered entities are permitted to make disclosures by order of the court or in response to a subpoena or discovery request if it receives satisfactory assurance that reasonable efforts were made to secure a qualified protective order. Id. The qualified protective order must prohibit parties from using or disclosing PHI for any purpose other than the proceeding at hand and that the information be returned at the end of the proceeding. Id. A qualified protective order is in place in the instant action, and the information should be properly and reasonably protected once produced. Therefore, no violation of HIPAA should result by disclosing this information in this limited instance.

Finally, Ankura argues that it is merely complying with the agreed protective orders and that it would substitute an agreed upon code in lieu of personal identifying information. See [42]. Plaintiff agrees with this reading of the Order [38] but argues that he was under the impression that he would receive a copy of the code key. See [41] at 6. Ankura asserts that providing the code key is the “functional equivalent of producing the information in unredacted form” and would undermine the agreed orders. See [42] at 2.

Plaintiff filed this action arguing that Ankura intentionally “failed” him in an audit and now requests the documents that Ankura used in order to form its opinion during the audit. As discussed above, HIPAA authorizes disclosure of PHI during judicial proceedings, and the protective orders in place should protect information disclosed to Plaintiff's counsel. The information at issue (the code key) is both relevant and proportional to the needs of the case, and the Court finds that it should be produced to Plaintiff's counsel so that he may verify the accuracy and integrity of the documents produced. Accordingly, the Motion [41] will be granted as to the alternative relief demanded.

The Court finds that Ankura's nondisclosure of the information compelled was substantially justified in this instance and that a good faith dispute was presented. Accordingly, no award of fees or costs is appropriate. See Fed. R. Civ. P. 37(A)(5)(A)(ii).

IT IS, THEREFORE, ORDERED that the Motion to Compel Discovery [41] filed by Plaintiff is GRANTED as to the alternative relief demanded by the Motion. Defendant shall provide Plaintiff's counsel with the key to the “mutually agreed” code contemplated by ¶6 of the Protective Order [38]. Defendant may designate the code and key as “Confidential” or “Highly Confidential” pursuant to the Agreed Protective Order [37].

SO ORDERED this the 18th day of May, 2021.