
670 S.E.2d 68 (2008)
MORELAND et al.
v.
AUSTIN et al.
No. S08G0498.
Supreme Court of Georgia.
November 3, 2008.
Reconsideration Denied December 15, 2008.
*69 Don C. Keenan, Allan L. Galbraith, Charles H. Allen, for appellants.
Green & Sapp, Henry D. Green Jr., Atlanta, for appellees.
O'Neal, Brown & Sizemore, Jarome E. Gautreaux, Macon, Lee T. Wallace, Arnall, Golden & Gregory, Atlanta, Tracy M. Field, Ashley S. Kelly, Robert T. Strang III, Atlanta, amici curiae.
THOMPSON, Justice.
We granted a writ of certiorari to the Court of Appeals in Austin v. Moreland, 288 Ga.App. 270, 653 S.E.2d 347 (2007), to determine whether, in a medical malpractice case, the Privacy Rule of the Health Insurance Portability and Accountability Act ("HIPAA") precludes defendant's attorneys from informally interviewing plaintiff's prior treating physicians. The short answer is "yes."
Following the death of her husband, Jimmy Lee Moreland, plaintiff Amanda Moreland brought this malpractice action against Dr. Michael Austin in the State Court of Bibb County. Plaintiff produced her husband's medical records, including documents pertaining to his treatment by Dr. Jose Rodriguez, Dr. Juan Esnard, and Dr. Edward Young. Each of these physicians treated Mr. Moreland before defendant treated him. Thereafter, defense counsel contacted each of the physicians and asked them to assess Mr. Moreland's "cardiovascular status and his prognosis." Plaintiff objected to these "ex parte" contacts, asserting they violated HIPAA. When the trial court disagreed, plaintiff dismissed her complaint and refiled in the Superior Court of Bibb County. In that forum, in addition to her medical malpractice claims, plaintiff sought injunctive relief *70 to prevent defendant from "inducing any healthcare provider to divulge protected health information concerning [Mr.] Moreland" except in compliance with HIPAA. The trial court granted injunctive relief, ruling that defendant could interview Mr. Moreland's prior treating physicians, but only after giving plaintiff notice to enable her attorneys to be present during the interviews. Defendant appealed and the Court of Appeals reversed and remanded, holding that as long as a physician discloses protected health information in compliance with HIPAA and Georgia law, defense counsel can continue to communicate with the physician in an ex parte fashion. Austin v. Moreland, supra at 275, 653 S.E.2d 347. The Court of Appeals remanded to the superior court, however, to determine whether plaintiff consented to the disclosure of Mr. Moreland's protected health information prior to April 14, 2003 (the effective date of the HIPAA privacy provisions), in which case the physicians can be contacted and interviewed by defendant without restriction; or whether the physicians possess any protected health information that has not been disclosed already, in which case "the trial court may issue an order restricting the ability of the prior treating physicians to disclose such information to [defendant] except in accordance with the HIPAA privacy rule and the Georgia Civil Practice Act." Id. at 275-276, 653 S.E.2d 347.

HIPAA
With the advent of digital technology and digital record keeping came the fear that electronically maintained medical records could be disseminated without the consent of patients. Congress responded to that fear by enacting HIPAA. The act authorized the Secretary of the Department of Health and Human Services to promulgate rules and regulations which would ensure the privacy of patients' medical information. 42 USCA § 1320d-2 (d)(2)(A). The Secretary used his authority to prohibit healthcare providers from disclosing protected health information, whether "oral or recorded in any form or medium,"[1] unless the providers comply with the Secretary's rules and regulations.
One of the regulations authorizing disclosure provides that a "covered entity may disclose protected health information in the course of any judicial ... proceeding" either in response to an order of a court or in response to a subpoena, a request for discovery, "or other lawful process."[2] Of course, the information can be disclosed without a court order, if the patient signs a valid authorization.[3] In the absence of a patient's consent, a healthcare provider cannot disclose protected health information unless it receives "satisfactory assurance ... that reasonable efforts have been made [either] (A)... to ensure that the individual who is the subject of the [requested] protected health information ... has been given notice of the request" and an opportunity to object or "(B)... to secure a qualified protective order" prohibiting the litigants from disclosing the information outside of the proceeding and requiring the destruction or return of the information following the termination of the proceeding.[4] Once these steps are taken, a healthcare provider can choose[5] to disclose the protected health information; but it must take reasonable steps to ensure that it only discloses the "minimum necessary" to accomplish *71 the intended purpose of the disclosure.[6]

The Opinion of the Court of Appeals
The Court of Appeals ruled that "HIPAA does not preclude ex parte communications between defense counsel and a plaintiff's prior treating physicians." Austin v. Moreland, supra at 275, 653 S.E.2d 347. It reasoned that "in the context of a judicial proceeding, the Georgia Civil Practice Act places more stringent requirements than HIPAA does on requests for documents from a third-party health care provider" and that, therefore, "OCGA § 9-11-34(c) is not preempted by HIPAA." Id. at 274, 653 S.E.2d 347. This analysis misses the mark. We are not concerned here with the disclosure of protected health information pursuant to a request for production of documents. Rather, the question centers on whether, after Mr. Moreland's medical records were requested and produced pursuant to discovery, defense counsel could then engage in ex parte communications with Mr. Moreland's treating physicians. That is because the proper focus of this case is on the methods used to discover evidence of plaintiff's medical condition; it is not on the "discoverability" of that evidence.

Waiver of Right to Privacy in Medical Records Under Georgia Law
Georgia law is clear that a plaintiff waives his right to privacy with regard to medical records that are relevant to a medical condition the plaintiff placed in issue in a civil or criminal proceeding. OCGA § 24-9-40(a); Orr v. Sievert, 162 Ga.App. 677, 292 S.E.2d 548 (1982). Therefore, under Georgia law, once a plaintiff puts his medical condition in issue, defendant can seek plaintiff's protected health information by formal discovery, or informally, by communicating orally with a plaintiff's physicians.[7] The question then is whether ex parte communications between defense counsel and plaintiff's physicians violate the HIPAA privacy rule. They do if HIPAA preempts state law in this area.

HIPAA Preempts Georgia Law
This Court recently held:
HIPAA and the related provisions established in the Code of Federal Regulations expressly supercede any contrary provisions of State law except as provided in 42 U.S.C. § 1320d-7 (a)(2). Under the relevant exception, HIPAA and its standards do not preempt state law if the state law relates to the privacy of individually identifiable health information and is "more stringent" than HIPAA's requirements. "More stringent" means laws that afford patients more control over their medical records.
(Citations, punctuation and emphasis omitted.) Allen v. Wright, supra at 12, 644 S.E.2d 814.
After reviewing HIPAA, Georgia law, and the case law of other jurisdictions, we find that HIPAA preempts Georgia law with regard to ex parte communications between defense counsel and plaintiff's prior treating physicians because HIPAA affords patients more control over their medical records when it comes to informal contacts between litigants and physicians. Under Georgia law, once a patient files suit and puts his medical condition in issue, his treating physicians can then disclose his medical records and defendant's lawyer can informally contact those physicians and orally communicate with them about plaintiff's medical condition. HIPAA, on the other hand, prevents a medical provider from disseminating a patient's medical information in litigation, whether orally or in writing, without obtaining a court order or the patient's express consent, or fulfilling certain other procedural requirements designed to safeguard against improper use of the information. See 45 CFR § 164.512(e). In other words, HIPAA requires a physician to protect a patient's health information, unless the patient is given reasonable notice and an opportunity to object. Georgia law stands in sharp contrast: it facilitates and *72 streamlines the litigation process; it was not designed to protect a patient's private health information in the course of oral communications between the patient's physicians and defense counsel. It follows that HIPAA is more stringent and that it governs ex parte communications between defense counsel and healthcare providers. Allen v. Wright, supra.
This is not to say that all oral communications between defense counsel and a plaintiff's prior treating physicians are forbidden. Certainly, counsel can contact a physician and make inquiries which are not intended to elicit protected health information.
Such contact could include discussion of many benign topics, including but not limited to, the best methods for service of a subpoena, determining convenient dates to provide trial testimony, or the most convenient location for the anticipated deposition of the physician. However, HIPAA clearly regulates the methods by which a physician may release a patient's health information, including "oral" medical records.
Law v. Zuckerman, 307 F.Supp.2d 705, 708 (D.Md.2004). See also Bayne v. Provost, 359 F.Supp.2d 234 (N.D.N.Y.2005) (ex parte contacts with medical provider are permissible if HIPAA requirements are satisfied).
These methods include a subpoena, discovery request or other lawful process with assurances pertaining to notification or a protective order. 45 CFR § 164.512(e)(1). See Arons, supra at 415, 850 N.Y.S.2d 345, 880 N.E.2d 831 (privacy rule does not prohibit informal discovery, "it merely superimposes procedural prerequisites"). See also McCloud v. Bd. of Directors of Geary Community Hosp., Case No. 06-1002-MLB, 2006 WL 2375614 (D.Kan.2006) (defendants complied with HIPAA by seeking court order permitting production of medical records and ex parte contact with treating physicians); Holmes v. Nightingale, 158 P.3d 1039 (Okla. 2007) (ex parte communication with physician may be sought pursuant to a court order issued in compliance with HIPAA). Thus, in order for defense counsel to informally interview plaintiff's treating physicians, they must first obtain a valid authorization, or court order or otherwise comply with the provisions of 45 CFR § 164.512(e). See Crenshaw v. MONY Life Ins. Co., 318 F.Supp.2d 1015, 1029 (S.D.Cal.2004) ("HIPAA does not authorize ex parte contacts with healthcare providers"). In this case, service of a request for production of documents is insufficient because, although it gave plaintiff notice and an opportunity to object to the production of written documents, it did not give plaintiff an opportunity to object to the ex parte oral contact and the discovery of the physicians' recollections and mental impressions.

Remedies for HIPAA Violations
The remedies for HIPAA violations are set forth in 42 USCA § 1320d-5. That code section merely authorizes the Secretary to impose a fine not to exceed $100 for each violation. It does not authorize a remedy or penalty in the context of a civil lawsuit. In our view, the appropriate remedy to be fashioned in cases of this kind is best left to the discretion of the trial court. See generally OCGA § 9-11-37. Where, as here, defense counsel contacted plaintiff's prior treating physicians at a time when the applicability of HIPAA to ex parte communications was uncertain, a trial court would be well-advised to avoid an extreme sanction. See Law v. Zuckerman, supra at 713 (court remedied HIPAA violation by ordering that either party could speak to physician before trial and if physician "strayed in his testimony from the medical records and offered any opinions beyond his experience as [p]laintiff's treating physician such testimony would be prohibited"); Crenshaw, supra at 1030 (court remedied HIPAA violation by ordering defendant to produce physician for deposition at its expense and prohibiting further ex parte contacts). The remedy fashioned by the trial court in this case, permitting defense counsel to interview Mr. Moreland's prior treating physicians, but only after giving plaintiff notice and enabling her attorneys to be present when the physicians are interviewed, lies well within a trial court's discretion.

Conclusion
HIPAA protects a patient from the unauthorized disclosure of protected health information and it is applicable to ex parte oral communications between defense counsel and *73 a plaintiff's prior treating physicians. Accordingly, defense counsel cannot contact a plaintiff's prior treating physicians to discuss his or her medical history without complying with HIPAA regulations. Although defense counsel can engage in such discussions if a plaintiff gives his or her consent,[8] it must be clear that the plaintiff consented to ex parte oral communications. We will not presume a plaintiff consented to such communications simply because the plaintiff did not object when defendant sought plaintiff's medical records pursuant to a subpoena or request for production of documents.
Judgment reversed.
All the Justices concur.
NOTES
[1]  45 CFR § 160.103. Health information is protected whether it lies within a physician's memory or a written record. See Arons v. Jutkowitz, 9 N.Y.3d 393, 415, 416, 850 N.Y.S.2d 345, 880 N.E.2d 831 (N.Y.2007) (citing 65 Fed.Reg. 82462, 82620, which explained the "rationale for treating verbal communications the same as paper and electronically based information").
[2]  45 CFR § 164.512(e)(1).
[3]  45 CFR § 164.508(c). See also Allen v. Wright, 282 Ga. 9, 12, 644 S.E.2d 814 (2007).
[4]  45 CFR § 164.512(e)(1)(ii)-(v).
[5]  Healthcare providers are

free to decide whether or not to cooperate with defense counsel. HIPAA-compliant authorizations and HIPAA court orders cannot force a health care professional to communicate with anyone; they merely signal compliance with HIPAA and the Privacy Rule as is required before any use or disclosure of protected health information may take place.
Arons v. Jutkowitz, supra at 416, 850 N.Y.S.2d 345, 880 N.E.2d 831.
[6]  45 CFR § 164.508.
[7]  Courts have encouraged informal contacts as a way to minimize the high costs of medical malpractice litigation. See, e.g., Arons v. Jutkowitz, supra at 406-408, 850 N.Y.S.2d 345, 880 N.E.2d 831; Stempler v. Speidell, 100 N.J. 368, 495 A.2d 857, 859-864 (1985). But see Givens v. Mullikin, 75 S.W.3d 383 (Tenn.2002) (ex parte interviews of patients' physician improper without authorization).
[8]  We agree with the Court of Appeals that if, as defendant claims, plaintiff consented to the disclosure of all protected health information prior to the effective date of the HIPAA privacy rule, and if the authorization "specifically permits [the intended] use or disclosure and there is no agreed-to restriction in accordance with 45 CFR § 164.522(a)," the physicians may continue to disclose the information without violating HIPAA. See 45 CFR § 164.532(a), (b); Austin v. Moreland, supra at 275, 653 S.E.2d 347. This is a matter for the trial court's determination.
