SAAD, J.
This Court granted plaintiff's application for leave to appeal a trial court order that denied plaintiff's motion to compel discovery. For the reasons set forth below, we affirm.
I. NATURE OF THE CASE
Plaintiff, Isidore Steiner, D.P.M., P.C., claims that defendant, Dr. Marc Bonanni, a former employee of the corporation, breached his employment contract with plaintiff and misappropriated property of the corporation. Plaintiff maintains that defendant stole its patients in violation of a clause in the employment agreement that prohibited defendant from soliciting or servicing any patients of the corporation after he left its employment. After defendant left the employment of plaintiff, plaintiff sued defendant and sought disclosure of defendant's patient list to prove its case and damages. Defendant objected to disclosure pursuant to the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq., and state law regarding physician-patient privilege. This discovery dispute requires us to decide whether federal or state law controls and whether disclosure would violate the nonparty patients' privacy rights.
By its language, HIPAA asserts supremacy in this area, but allows for the application of state law regarding physician-patient privilege if the state law is more protective of patients' privacy rights. In the context of litigation that, as here, involves nonparty patients' privacy, HIPAA requires only notice to the patient to effectuate disclosure whereas Michigan law grants the added protection of requiring patient consent before disclosure of patient information. Because Michigan law is more protective of patients' privacy interests in the context of this litigation, Michigan law applies to plaintiff's attempted discovery of defendant's patient information. And, because Michigan law protects the very fact of the physician-patient relationship from disclosure, absent patient consent, the trial court properly rejected plaintiff's efforts to obtain this confidential information, and we affirm the trial court's ruling.
II. FACTS AND PROCEEDINGS
On July 6, 1999, plaintiff and defendant entered into an employment agreement that contained a noncompetition and nonsolicitation clause. Among other things, the clause in issue prohibited defendant from inducing, soliciting, diverting, servicing, or taking away patients from plaintiff for a three-year period following the termination of the employment agreement. Defendant resigned from plaintiff in July 2007. Thereafter, plaintiff filed a lawsuit against defendant for breach of contract, conversion, fraud, and misrepresentation, and seeking an accounting. An essential component of plaintiff's claim for damages is that, after he left the practice, defendant treated plaintiff's patients in violation of the employment agreement.
During discovery, plaintiff sent defendant a set of interrogatories, one of which requested the names, addresses, and telephone numbers for every patient treated by defendant since he resigned. Plaintiff claims that it cannot protect its contractual rights to its patients without discovery of which of its former patients are now patients of defendant. Defendant objected to the interrogatory on the ground that such disclosure would violate HIPAA and Michigan's physician-patient privilege, and the trial court issued a qualified protective order in which the parties agreed to conduct their litigation in compliance with HIPAA and agreed to maintain all privileges. Because defendant failed to fully respond to plaintiff's interrogatories, plaintiff filed a motion to compel. In response, defendant argued that the information requested is protected by Michigan's statutory physician-patient privilege, which, he argued, contains more stringent requirements than HIPAA. The trial court denied plaintiff's motion to compel production of the patients' names, and ruled that the names of the nonparty patients are privileged under Michigan law.
III. ANALYSIS
A. STANDARDS OF REVIEW
We review de novo a trial court's decision about the application of the physician-patient privilege. Baker v. Oakwood Hosp. Corp., 239 Mich.App. 461, 468, 608 N.W.2d 823 (2000). If the privilege does apply, we review for an abuse of direction a trial court's order regarding disclosure. Id. An abuse of discretion occurs when a trial court chooses a result that falls outside the range of reasonable and principled outcomes. Maldonado v. Ford Motor Co., 476 Mich. 372, 388, 719 N.W.2d 809 (2006). Whether HIPAA preempts Michigan law is a question of law, which is reviewed de novo. Hines v. Volkswagen of America, Inc., 265 Mich.App. 432, 438, 695 N.W.2d 84 (2005).
B. DISCUSSION
Plaintiff argues that the trial court erred by holding that the names, addresses, and telephone numbers of the nonparty patients that defendant allegedly wrongfully took from plaintiff are privileged and protected from disclosure by Michigan law, under MCL 600.2157 and Baker, 239 Mich.App. 461, 608 N.W.2d 823, because HIPAA applies and permits disclosure.
HIPAA is the federal regulation that governs the retention, use, and transfer of information obtained during the course of the physician-patient relationship. In re Petition of Attorney General for Investigative Subpoenas, 274 Mich.App. 696, 699, 736 N.W.2d 594 (2007). "Under HIPAA, the general rule pertaining to the disclosure of protected health information is that a covered entity may not use or disclose protected health information without a written authorization from the individual as described in 45 C.F.R. § 164.508, or, alternatively, the opportunity for the individual to agree or object as described in 45 C.F.R. § 164.510." Holman v. Rasak, 486 Mich. 429, 438-439, 785 N.W.2d 98 (2010). However, 45 C.F.R. § 164.512 "enumerates several specific situations in which `[a] covered entity may use or disclose protected health information without the written authorization of the individual, as described in [45 C.F.R.] § 164.508, or the opportunity for the individual to agree or object as described in [45 C.F.R.] § 164.510....'" Holman, 486 Mich. at 439, 785 N.W.2d 98, quoting 45 C.F.R. § 164.512. Included within those situations is disclosure for judicial and administrative proceedings, which allows a provider or other covered entity to disclose the protected information in response to an order or in response to a subpoena or discovery request if the provider receives satisfactory assurance that notice was provided to the patient or that reasonable efforts were made to secure a qualified protective order. 45 C.F.R. § 164.512(e). As our Supreme Court also explained in Holman:
Under HIPAA, "[a] standard, requirement, or implementation specification" of HIPAA "that is contrary to a provision of State law preempts the provision of State law" unless, among other exceptions, "[t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under" HIPAA. 45 C.F.R. § 160.203 (emphasis added). "Contrary" means either that "[a] covered entity would find it impossible to comply with both the State and federal requirements" or that "[t]he provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of" HIPAA. 45 C.F.R. § 160.202. "More stringent," in this context, means "provides greater privacy protection for the individual who is the subject of the individually identifiable health information." 45 C.F.R. § 160.202. [Holman, 486 Mich. at 440-441, 785 N.W.2d 98.]
Plaintiff maintains that Michigan law is less stringent than HIPAA because it can be informally waived and that, therefore, MCL 600.2157 is preempted by HIPAA as a matter of law.
We first observe that, under Michigan law, the privilege belongs to the patient and only the patient may waive it. Baker, 239 Mich.App. at 470, 608 N.W.2d 823. The purpose of the physician-patient privilege is to protect the confidential nature of the physician-patient relationship. Swickard v. Wayne Co. Medical Examiner, 438 Mich. 536, 560, 475 N.W.2d 304 (1991); Gaertner v. Michigan, 385 Mich. 49, 53, 187 N.W.2d 429 (1971). These principles are particularly important in a context, as here, wherein a plaintiff seeks the names, addresses, and telephone numbers of nonparty patients, many of whom are unlikely to know the lawsuit is pending.
MCL 600.2157 provides, in part, that,
[e]xcept as otherwise provided by law, a person duly authorized to practice medicine or surgery shall not disclose any information that the person has acquired in attending a patient in a professional character, if the information was necessary to enable the person to prescribe for the patient as a physician, or to do any act for the patient as a surgeon.
When interpreting a statute, this Court must give effect to the Legislature's intent as expressed in the language of the statute by analyzing the words, phrases, and clauses according to their plain meaning. Bukowski v. Detroit, 478 Mich. 268, 273-274, 732 N.W.2d 75 (2007). The language of MCL 600.2157 states that physicians "shall not" disclose information obtained from patients for purposes of medical treatment, except as otherwise provided in the law. The use of the word "shall" denotes mandatory action. Wolverine Power Supply Coop., Inc. v. Dep't of Environmental Quality, 285 Mich.App. 548, 561, 777 N.W.2d 1 (2009). This type of mandatory language is not found in HIPAA. Instead, HIPAA provides that a physician may disclose protected health information in response to a subpoena or discovery request when adequate assurances are given from the requesting party that the patients have been notified and informed of their right to deny the request. 45 C.F.R. § 164.512(e). Thus, the language of HIPAA allows for permissive disclosure, whereas Michigan law generally prohibits disclosure.
There are no exceptions under Michigan law for providing random patient information related to any lawsuit. Unlike HIPAA, MCL 600.2157 does not provide for disclosure in judicial proceedings. Also, HIPAA, unlike Michigan law, makes disclosure exceptions for public-health activities, victims of abuse, neglect, or domestic violence, or for health-oversight activities. 45 C.F.R. § 164.512(b), (c), and (d).1
Plaintiff argues that because the privilege may be waived involuntarily under MCL 600.2157, it is less stringent than HIPAA. Under MCL 600.2157, the privilege may be waived if a patient pursues a medical-malpractice claim and calls his or her physician as a witness, if the heirs of a patient contest the patient's will, or if the beneficiaries of a life insurance policy of a deceased patient provide the necessary documents to the life insurer when the insurer is examining a claim for benefits. Relying on Law v. Zuckerman, 307 F.Supp.2d 705, 711 (D.Md., 2004), plaintiff contends that HIPAA should apply here because these waiver possibilities "can force disclosure without a court order, or the patient's consent." In Law, the United States District Court for the District of Maryland held, "If state law can force disclosure without a court order, or the patient's consent, it is not `more stringent' than the HIPAA regulations." Id. The Law court ruled, in a case of first impression, that HIPAA preempted Maryland state law and governed all ex parte communications between defense counsel and the patient's treating physician. Id. at 709. However, the key component in analyzing HIPAA's so-called "more stringent" requirement is the ability of the patient to withhold permission and to effectively block disclosure. Id. at 711. Under MCL 600.2157, a patient or his representative can withhold permission by not engaging in acts that waive the privilege. In this way, the patient may indeed block disclosure. Moreover, HIPAA also covers instances in which the patient's consent is not necessary in order to warrant disclosure. A patient's protected health information may be disclosed without the patient's written consent or authorization in a judicial or administrative proceeding in response to a court order, or in response to a subpoena or discovery request without a court order, if the party seeking the information has given the patient notice and an opportunity to object. 45 C.F.R. § 164.512(e)(1)(ii)(A) and (B). Thus, disclosure under HIPAA may be made without judicial order, much like some disclosures under MCL 600.2157. Additionally, unlike HIPAA, MCL 600.2157 does not authorize disclosure under a qualified protective order. For these reasons, we do not find persuasive the argument that automatic waiver of the privilege under some circumstances makes Michigan law less stringent than HIPAA.
We further note that the policy behind the Law standard on stringency supports the application of Michigan law. The Law court opined that the main concern regarding the disclosure of patient medical information is that the patient is in a position to authorize the disclosure. Law, 307 F.Supp.2d at 711. This policy has also been repeatedly expressed by this Court and the Michigan Supreme Court. See Baker, 239 Mich.App. at 470, 608 N.W.2d 823; Gaertner, 385 Mich. at 53, 187 N.W.2d 429; Swickard, 438 Mich. at 560-561, 475 N.W.2d 304. Here, protecting the interests of the nonparty patients is of utmost importance. The nonparty patients who defendant allegedly treated confided in defendant with personal information, including the fact that they were treated at all, which should not be disclosed without their consent. Moreover, these patients are not in a position to waive their rights. Nothing in the record shows that they are aware of this case or were given the right to decide the issue. Thus, the public policy underlying both HIPAA and Michigan's physician-patient privilege supports applying Michigan law, specifically because there are only limited exceptions to Michigan's general nondisclosure requirement and there is no Michigan rule for nonconsensual disclosure of nonparty patients in judicial proceedings as in HIPAA. Therefore, on this issue, Michigan law is more stringent than HIPAA and HIPAA does not preempt MCL 600.2157.2
Applying MCL 600.2157, we affirm the trial court's holding that the names, addresses, and telephone numbers are privileged. In Schechet v. Kesten, 372 Mich. 346, 350-351, 126 N.W.2d 718 (1964), our Supreme Court held that the physician-patient privilege protects the names of patients who were not parties to the case. The Court ruled that the physician-patient privilege
imposes an absolute bar. It protects, "within the veil of privilege," whatever. . . "was disclosed to any of his senses, and which in any way was brought to his knowledge for that purpose." Such veil of privilege is the patient's right. It prohibits the physician from disclosing, in the course of any action wherein his patient or patients are not involved and do not consent, even the names of such noninvolved patients. [Id. at 351, 126 N.W.2d 718 (citation omitted).]
In Dorris v. Detroit Osteopathic Hosp. Corp., 220 Mich.App. 248, 249, 559 N.W.2d 76 (1996), the plaintiff sued a hospital and alleged that she refused a particular drug that was subsequently administered to her. After she received the drug, the plaintiff's blood pressure dropped. Id. The plaintiff requested the name of her roommate in the hospital because she claimed that the roommate was present when she refused the drug. Relying on Schechet, this Court held the name of the nonparty roommate was protected by the physician-patient privilege. Id. at 251-252, 559 N.W.2d 76.
Similarly, in Popp v. Crittenton Hosp., 181 Mich.App. 662, 449 N.W.2d 678 (1989), this Court relied on Schechet and held that the plaintiff was not entitled to the name and medical records of a nonparty patient. In Dierickx v. Cottage Hosp. Corp., 152 Mich.App. 162, 164-165, 393 N.W.2d 564 (1986), the plaintiffs brought a medical-malpractice action claiming that their first-born daughter suffered central-nervous-system damage because of the defendants' negligence. The defendants requested the medical records of the plaintiffs' two youngest children, one of whom appeared to have a disorder similar to that of the eldest daughter, to determine if the central-nervous-system damage could have been genetic. Id. at 165, 393 N.W.2d 564. This Court held that the two younger children had not placed any disorder in controversy, and therefore did not waive the privilege. Id. at 167, 393 N.W.2d 564. This Court in Baker, 239 Mich.App. at 463, 608 N.W.2d 823, with the support of the above-cited cases, held that "the physician-patient privilege is an absolute bar that prohibits the unauthorized disclosure of patient medical records, including when the patients are not parties to the action."
Thus, Schechet and its progeny fully support our holding that the names, addresses, and telephone numbers requested by plaintiff are privileged under Michigan law.3 These cases clearly state that non-party names and other related medical information is "within the veil of privilege." Schechet, 372 Mich. at 351, 126 N.W.2d 718 (quotation marks and citation omitted). The nonparty patients in this case have not waived the privilege by putting their medical condition in controversy. Dierickx, 152 Mich.App. at 167, 393 N.W.2d 564. Additionally, much like the nonparty patient in Dorris, the patients in this matter likely are not aware of the pending lawsuit. Because we hold that HIPAA does not preempt Michigan law on this issue and that, under MCL 600.2157, plaintiff is not entitled to the requested nonparty-patient information, we hold that the trial court did not abuse its discretion when it denied plaintiff's motion to compel discovery.4
Affirmed.
SAWYER, P.J., and FITZGERALD, J., concurred with SAAD, J.
