Summary
holding that HIPAA does not preempt Michigan law because Michigan law is more stringent than HIPAA in prohibiting disclosure of private medical information
Summary of this case from Thomas v. 1156729 Ontario Inc.Opinion
Submitted Nov. 4, 2010, at Lansing.
Wood, Kull, Herschfus, Obee & Kull, P.C., Farmington Hills (by Brian H. Herschfus and Nicole J. LaVake), for plaintiff.
Giarmarco, Mullins & Horton, P.C., Troy (by William H. Horton and Elizabeth A. Favaro), for defendant.
Before: SAWYER, P.J., and FITZGERALD and SAAD, JJ.
SAAD, J.
[292 Mich.App. 266] This Court granted plaintiff's application for leave to appeal a trial court order that denied plaintiff's motion to compel discovery. For the reasons set forth below, we affirm.
I. NATURE OF THE CASE
Plaintiff, Isidore Steiner, D.P.M., P.C., claims that [292 Mich.App. 267] defendant, Dr. Marc Bonanni, a former employee of the corporation, breached his employment contract with plaintiff and misappropriated property of the corporation. Plaintiff maintains that defendant stole its patients in violation of a clause in the employment agreement that prohibited defendant from soliciting or servicing any patients of the corporation after he left its employment. After defendant left the employment of plaintiff, plaintiff sued defendant and sought disclosure of defendant's patient list to prove its case and damages. Defendant objected to disclosure pursuant to the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq., and state law regarding physician-patient privilege. This discovery dispute requires us to decide whether federal or state law controls and whether disclosure would violate the nonparty patients' privacy rights.
By its language, HIPAA asserts supremacy in this area, but allows for the application of state law regarding physician-patient privilege if the state law is more protective of patients' privacy rights. In the context of litigation that, as here, involves nonparty patients' privacy, HIPAA requires only notice to the patient to effectuate disclosure whereas Michigan law grants the added protection of requiring patient consent before disclosure of patient information. Because Michigan law is more protective of patients' privacy interests in the context of this litigation, Michigan law applies to plaintiff's attempted discovery of defendant's patient information. And, because Michigan law protects the very fact of the physician-patient relationship from disclosure, absent patient consent, the trial court properly rejected plaintiff's efforts to obtain this confidential information, and we affirm the trial court's ruling.
[292 Mich.App. 268] II. FACTS AND PROCEEDINGS
On July 6, 1999, plaintiff and defendant entered into an employment agreement that contained a noncompetition and nonsolicitation clause. Among other things, the clause in issue prohibited defendant from inducing, soliciting, diverting, servicing, or taking away patients from plaintiff for a three-year period following the termination of the employment agreement. Defendant resigned from plaintiff in July 2007. Thereafter, plaintiff filed a lawsuit against defendant for breach of contract, conversion, fraud, and misrepresentation, and seeking an accounting. An essential component of plaintiff's claim for damages is that, after he left the practice, defendant treated plaintiff's patients in violation of the employment agreement.
During discovery, plaintiff sent defendant a set of interrogatories, one of which requested the names, addresses, and telephone numbers for every patient treated by defendant since he resigned. Plaintiff claims that it cannot protect its contractual rights to its patients without discovery of which of its former patients are now patients of defendant. Defendant objected to the interrogatory on the ground that such disclosure would violate HIPAA and Michigan's physician-patient privilege, and the trial court issued a qualified protective order in which the parties agreed to conduct their litigation in compliance with HIPAA and agreed to maintain all privileges. Because defendant failed to fully respond to plaintiff's interrogatories, plaintiff filed a motion to compel. In response, defendant argued that the information requested is protected by Michigan's statutory physician-patient privilege, which, he argued, contains more stringent requirements than HIPAA. The trial court denied plaintiff's motion to compel production of the patients' names, [292 Mich.App. 269] and ruled that the names of the nonparty patients are privileged under Michigan law.
III. ANALYSIS
A. STANDARDS OF REVIEW
We review de novo a trial court's decision about the application of the physician-patient privilege. Baker v. Oakwood Hosp. Corp., 239 Mich.App. 461, 468, 608 N.W.2d 823 (2000). If the privilege does apply, we review for an abuse of direction a trial court's order regarding disclosure. Id. An abuse of discretion occurs when a trial court chooses a result that falls outside the range of reasonable and principled outcomes. Maldonado v. Ford Motor Co., 476 Mich. 372, 388, 719 N.W.2d 809 (2006). Whether HIPAA preempts Michigan law is a question of law, which is reviewed de novo. Hines v. Volkswagen of America, Inc., 265 Mich.App. 432, 438, 695 N.W.2d 84 (2005).
B. DISCUSSION
Plaintiff argues that the trial court erred by holding that the names, addresses, and telephone numbers of the nonparty patients that defendant allegedly wrongfully took from plaintiff are privileged and protected from disclosure by Michigan law, under MCL 600.2157 and Baker, 239 Mich.App. 461, 608 N.W.2d 823, because HIPAA applies and permits disclosure.
HIPAA is the federal regulation that governs the retention, use, and transfer of information obtained during the course of the physician-patient relationship. In re Petition of Attorney General for Investigative Subpoenas, 274 Mich.App. 696, 699, 736 N.W.2d 594 (2007). " Under HIPAA, the general rule pertaining to the disclosure of protected health information is that a [292 Mich.App. 270] covered entity may not use or disclose protected health information without a written authorization from the individual as described in 45 C.F.R. § 164.508, or, alternatively, the opportunity for the individual to agree or object as described in 45 C.F.R. § 164.510." Holman v. Rasak, 486 Mich. 429, 438-439, 785 N.W.2d 98 (2010). However, 45 C.F.R. § 164.512 " enumerates several specific situations in which ‘ [a] covered entity may use or disclose protected health information without the written authorization of the individual, as described in [45 C.F.R.] § 164.508, or the opportunity for the individual to agree or object as described in [45 C.F.R.] § 164.510....’ " Holman, 486 Mich. at 439, 785 N.W.2d 98, quoting 45 C.F.R. § 164.512. Included within those situations is disclosure for judicial and administrative proceedings, which allows a provider or other covered entity to disclose the protected information in response to an order or in response to a subpoena or discovery request if the provider receives satisfactory assurance that notice was provided to the patient or that reasonable efforts were made to secure a qualified protective order. 45 C.F.R. § 164.512(e). As our Supreme Court also explained in Holman:
Under HIPAA, " [a] standard, requirement, or implementation specification" of HIPAA " that is contrary to a provision of State law preempts the provision of State law" unless, among other exceptions, " [t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under" HIPAA. 45 C.F.R. § 160.203 (emphasis added). " Contrary" means either that " [a] covered entity would find it impossible to comply with both the State and federal requirements" or that " [t]he provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of" HIPAA. 45 C.F.R. § 160.202. " More stringent," in this context, means " provides greater [292 Mich.App. 271] privacy protection for the individual who is the subject of the individually identifiable health information." 45 C.F.R. § 160.202. [ Holman, 486 Mich. at 440-441, 785 N.W.2d 98.] Plaintiff maintains that Michigan law is less stringent than HIPAA because it can be informally waived and that, therefore, MCL 600.2157 is preempted by HIPAA as a matter of law.
We first observe that, under Michigan law, the privilege belongs to the patient and only the patient may waive it. Baker, 239 Mich.App. at 470, 608 N.W.2d 823. The purpose of the physician-patient privilege is to protect the confidential nature of the physician-patient relationship. Swickard v. Wayne Co. Medical Examiner, 438 Mich. 536, 560, 475 N.W.2d 304 (1991); Gaertner v. Michigan, 385 Mich. 49, 53, 187 N.W.2d 429 (1971). These principles are particularly important in a context, as here, wherein a plaintiff seeks the names, addresses, and telephone numbers of nonparty patients, many of whom are unlikely to know the lawsuit is pending.
MCL 600.2157 provides, in part, that,
[e]xcept as otherwise provided by law, a person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character, if the information was necessary to enable the person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon.
When interpreting a statute, this Court must give effect to the Legislature's intent as expressed in the language of the statute by analyzing the words, phrases, and clauses according to their plain meaning. Bukowski v. Detroit, 478 Mich. 268, 273-274, 732 N.W.2d 75 (2007). The language of MCL 600.2157 states that physicians " shall not" disclose information obtained from patients for purposes of medical treatment, except as otherwise provided in the law. The use of the word " shall" denotes [292 Mich.App. 272] mandatory action. Wolverine Power Supply Coop., Inc. v. Dep't of Environmental Quality, 285 Mich.App. 548, 561, 777 N.W.2d 1 (2009). This type of mandatory language is not found in HIPAA. Instead, HIPAA provides that a physician may disclose protected health information in response to a subpoena or discovery request when adequate assurances are given from the requesting party that the patients have been notified and informed of their right to deny the request. 45 C.F.R. § 164.512(e). Thus, the language of HIPAA allows for permissive disclosure, whereas Michigan law generally prohibits disclosure.
There are no exceptions under Michigan law for providing random patient information related to any lawsuit. Unlike HIPAA, MCL 600.2157 does not provide for disclosure in judicial proceedings. Also, HIPAA, unlike Michigan law, makes disclosure exceptions for public-health activities, victims of abuse, neglect, or domestic violence, or for health-oversight activities. 45 C.F.R. § 164.512(b), (c), and (d). Plaintiff argues that because the privilege may be waived involuntarily under MCL 600.2157, it is less stringent than HIPAA. Under MCL 600.2157, the privilege [292 Mich.App. 273] may be waived if a patient pursues a medical-malpractice claim and calls his or her physician as a witness, if the heirs of a patient contest the patient's will, or if the beneficiaries of a life insurance policy of a deceased patient provide the necessary documents to the life insurer when the insurer is examining a claim for benefits. Relying on Law v. Zuckerman, 307 F.Supp.2d 705, 711 (D.Md., 2004), plaintiff contends that HIPAA should apply here because these waiver possibilities " can force disclosure without a court order, or the patient's consent." In Law, the United States District Court for the District of Maryland held, " If state law can force disclosure without a court order, or the patient's consent, it is not ‘ more stringent’ than the HIPAA regulations." Id. The Law court ruled, in a case of first impression, that HIPAA preempted Maryland state law and governed all ex parte communications between defense counsel and the patient's treating physician. Id. at 709. However, the key component in analyzing HIPAA's so-called " more stringent" requirement is the ability of the patient to withhold permission and to effectively block disclosure. Id. at 711. Under MCL 600.2157, a patient or his representative can withhold permission by not engaging in acts that waive the privilege. In this way, the patient may indeed block disclosure. Moreover, HIPAA also covers instances in which the patient's consent is not necessary in order to warrant disclosure. A patient's protected health information may be disclosed without the patient's written consent or authorization in a judicial or administrative proceeding in response to a court order, or in response to a subpoena or discovery request without a court order, if the party seeking the information has given the patient notice and an opportunity to object. 45 C.F.R. § 164.512(e)(1)(ii)(A) and (B). Thus, disclosure under HIPAA may be made without judicial order, much like [292 Mich.App. 274] some disclosures under MCL 600.2157. Additionally, unlike HIPAA, MCL 600.2157 does not authorize disclosure under a qualified protective order. For these reasons, we do not find persuasive the argument that automatic waiver of the privilege under some circumstances makes Michigan law less stringent than HIPAA.
However, Michigan law does provide for some exceptions other than the waivers specifically stated in MCL 600.2157. See People v. Keskimaki, 446 Mich. 240, 247, 254-255, 521 N.W.2d 241 (1994) (If after an accident, a sample of a person's blood is withdrawn for the purpose of medical treatment, that sample shall be admissible in a criminal prosecution. An accident is often unexpected and undesired by at least one of the parties involved, but not necessarily all.); People v. Johnson, 111 Mich.App. 383, 390-391, 314 N.W.2d 631 (1981) (Communications between a physician and a patient, however confidential they may be, are held not to be privileged if they have been made in the furtherance of an unlawful or criminal purpose.); Osborn v. Fabatz, 105 Mich.App. 450, 455-456, 306 N.W.2d 319 (1981) (Communication between a person and a physician that is for the purpose of a lawsuit, and not for treatment or advice regarding treatment, is not protected by the physician-patient privilege.).
We further note that the policy behind the Law standard on stringency supports the application of Michigan law. The Law court opined that the main concern regarding the disclosure of patient medical information is that the patient is in a position to authorize the disclosure. Law, 307 F.Supp.2d at 711. This policy has also been repeatedly expressed by this Court and the Michigan Supreme Court. See Baker, 239 Mich.App. at 470, 608 N.W.2d 823; Gaertner, 385 Mich. at 53, 187 N.W.2d 429; Swickard, 438 Mich. at 560-561, 475 N.W.2d 304. Here, protecting the interests of the nonparty patients is of utmost importance. The nonparty patients who defendant allegedly treated confided in defendant with personal information, including the fact that they were treated at all, which should not be disclosed without their consent. Moreover, these patients are not in a position to waive their rights. Nothing in the record shows that they are aware of this case or were given the right to decide the issue. Thus, the public policy underlying both HIPAA and Michigan's physician-patient privilege supports applying Michigan law, specifically because there are only limited exceptions to Michigan's general nondisclosure requirement and there is no Michigan rule for nonconsensual disclosure of nonparty patients in judicial proceedings as in HIPAA. Therefore, on this issue, Michigan law is more stringent than HIPAA and HIPAA does not preempt MCL 600.2157.
We further note that nothing in the protective order supports a conclusion that HIPAA controls.
[292 Mich.App. 275] Applying MCL 600.2157, we affirm the trial court's holding that the names, addresses, and telephone numbers are privileged. In Schechet v. Kesten, 372 Mich. 346, 350-351, 126 N.W.2d 718 (1964), our Supreme Court held that the physician-patient privilege protects the names of patients who were not parties to the case. The Court ruled that the physician-patient privilege
imposes an absolute bar. It protects, " within the veil of privilege," whatever ... " was disclosed to any of his senses, and which in any way was brought to his knowledge for that purpose." Such veil of privilege is the patient's right. It prohibits the physician from disclosing, in the course of any action wherein his patient or patients are not involved and do not consent, even the names of such noninvolved patients. [ Id. at 351, 126 N.W.2d 718 (citation omitted).]
In Dorris v. Detroit Osteopathic Hosp. Corp., 220 Mich.App. 248, 249, 559 N.W.2d 76 (1996), the plaintiff sued a hospital and alleged that she refused a particular drug that was subsequently administered to her. After she received the drug, the plaintiff's blood pressure dropped. Id. The plaintiff requested the name of her roommate in the hospital because she claimed that the roommate was present when she refused the drug. Relying on Schechet, this Court held the name of the nonparty roommate was protected by the physician-patient privilege. Id. at 251-252, 559 N.W.2d 76.
Similarly, in Popp v. Crittenton Hosp., 181 Mich.App. 662, 449 N.W.2d 678 (1989), this Court relied on Schechet and held that the plaintiff was not entitled to the name and medical records of a nonparty patient. In Dierickx v. Cottage Hosp. Corp., 152 Mich.App. 162, 164-165, 393 N.W.2d 564 (1986), the plaintiffs brought a medical-malpractice action claiming that their first-born daughter suffered central-nervous-system damage because of the defendants' negligence. The defendants [292 Mich.App. 276] requested the medical records of the plaintiffs' two youngest children, one of whom appeared to have a disorder similar to that of the eldest daughter, to determine if the central-nervous-system damage could have been genetic. Id. at 165, 393 N.W.2d 564. This Court held that the two younger children had not placed any disorder in controversy, and therefore did not waive the privilege. Id. at 167, 393 N.W.2d 564. This Court in Baker, 239 Mich.App. at 463, 608 N.W.2d 823, with the support of the above-cited cases, held that " the physician-patient privilege is an absolute bar that prohibits the unauthorized disclosure of patient medical records, including when the patients are not parties to the action."
Thus, Schechet and its progeny fully support our holding that the names, addresses, and telephone numbers requested by plaintiff are privileged under Michigan law. These cases clearly state that nonparty names and other related medical information is " within the veil of privilege." Schechet, 372 Mich. at 351, 126 N.W.2d 718 (quotation marks and citation omitted). The nonparty patients in this case have not waived the privilege by putting their medical condition in controversy. Dierickx, 152 Mich.App. at 167, 393 N.W.2d 564. Additionally, much like the nonparty patient in Dorris, the patients in this matter likely are not aware of the pending lawsuit. Because we hold that HIPAA does not preempt Michigan law on this issue [292 Mich.App. 277] and that, under MCL 600.2157, plaintiff is not entitled to the requested nonparty-patient information, we hold that the trial court did not abuse its discretion when it denied plaintiff's motion to compel discovery.
To support its request for defendant's patient list, plaintiff says it cannot press its claim that defendant stole its patients without knowing the identity of defendant's patients and that, unless the courts grant such discovery, it cannot enforce its contractual right to protect its valuable patient list from poaching by any unscrupulous ex-employee, such as plaintiff regards defendant. To this, we say that it is not our role to address either the wisdom of a physician's efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses, and telephone numbers of nonparty patients are protected from disclosure by law.
We also reject plaintiff's assertion that defendant did not timely raise this claim of privilege under MCL 600.2157. MCR 2.310(C)(2) generally requires that a party to whom a request for the production of documents is served must make a written response within 28 days after service of the request. Plaintiff submitted the interrogatories on April 7, 2009, and defendant timely objected to plaintiff's interrogatories on May 5, 2009. Defendant stated that " HIPAA, as well as medical privilege, precludes Defendant from releasing the information sought in this request." Defendant's response clearly stated that he objected to the disclosure of the requested information and gave a sufficient reason for the objection. Therefore, defendant's reply was timely and his objection stated adequate grounds in accordance with MCR 2.310(C)(2).
Affirmed.
SAWYER, P.J., and FITZGERALD, J., concurred with SAAD, J.