When considering the proper use or disclosure of patient data, most health care providers look immediately to the Health Insurance Portability and Accountability Act (“HIPAA”) privacy rules. But that may not be enough. As the plaintiff in Isidore Steiner, DPM, PC dba Family Foot Center v. Marc Bonanni learned, state law also must considered. In general, a state law will be applied instead of HIPAA if the state law is more stringent and protective of patients’ protected health information (PHI).

In Bonanni, the Family Foot Center, a HIPAA-covered entity, was seeking to enforce a non-compete agreement with its former employee, a physician. Believing the former employee was soliciting its patients in violation of the agreement, the Center requested its former employee’s patient lists as part of pre-trial discovery. The physician objected on the ground that HIPAA and Michigan law on physician-patient privilege protected information of non-party patients from disclosure without their consent. The Center filed a motion to compel the disclosure.

The trial court denied the motion, reasoning that the names, addresses, and phone numbers of non-party patients were privileged under Michigan law. The Center appealed.

Under HIPAA, a covered entity generally may not use or disclose an individual’s PHI without a written authorization or providing the individual the opportunity to agree or object. However, it may do so for example, when responding to a subpoena or discovery request, upon satisfying certain conditions. 45 CFR 164.512(e). Nevertheless, HIPAA further provides that even this limited exception can be trumped by a more stringent state law that prohibits such use or disclosure of PHI.

The appellate court held that under Michigan’s physician-patient privilege, MCL 600.2157, the right to waive the privilege rests solely with the patient. Further, unlike HIPAA, the privilege did not contain exceptions for disclosing patient information in judicial proceedings. The Court concluded that Michigan’s physician-patient privilege conflicted with HIPAA and provided more stringent protections for the PHI at issue. Therefore, the state’s privilege law trumped HIPAA. The Court affirmed the denial of the Center’s discovery motion. In reaching this result, it rejected the Center’s plea that it could not proceed with its non-compete action without the requested information. The Court stated:

To this, we say that it is not our role to address either the wisdom of a physician’s efforts to restrict with whom a patient may consult or the appropriate business or legal means by which a corporation can effectively protect its practice. Instead, our limited role is to decide whether the names, addresses and telephone numbers of non-party patients are protected from disclosure by law.

Health care providers receive requests for PHI in many different contexts, not just in connection with litigations. This ruling makes clear that when making disclosures of PHI, considering only HIPAA could be risky. Because this analysis is not limited to Michigan (see, for example, recent Ohio decisions, Turk v. Oiler and Grove v. Northeast Ohio Nephrology Associates, Inc.), providers should undertake a detailed analysis of the applicable federal, state and local laws and regulations prior to making any disclosure.