I
{¶ 1} The physician-patient privilege generally protects medical records from disclosure, subject to certain limited exceptions. This case asks us to determine whether the privilege prevents discovery of medical records by an insurance company in a civil fraud action against a physician when the patients have given broad consent to release their records to their insurer. We hold that a patient’s consent to the release of medical information is valid, and waives the physician-patient privilege, if the release is voluntary, express, and reasonably specific in identifying to whom the information is to be delivered.
II
{¶ 2} Defendant-appellee, Dr. William Schlotterer, is a practicing physician. Plaintiff-appellant, Medical Mutual of Ohio, provides insurance coverage to many of Schlotterer’s patients. In 1990, Schlotterer and Blue Cross Blue Shield of Ohio, Medical Mutual’s predecessor in interest, executed a participation agreement, which provides coverage for policyholders who receive treatment from Schlotterer. To document the services Schlotterer provides his patients, Schlot*182terer submits reports to Medical Mutual detailing the services rendered, and he is accordingly reimbursed by the insurance company.
{¶ 3} Medical Mutual’s complaint in this action explains that as part of the reports Schlotterer provides to Medical Mutual, he assigns AMA-developed common-procedural-technology codes to each patient visit, based on Schlotterer’s assessment of the patient’s condition, including the extent of the examination, the comprehensiveness of the medical history taken, and the complexity of the diagnosis and treatment. Those codes are detailed in the provider manual, which is incorporated into the participation agreement. Schlotterer is correspondingly compensated by Medical Mutual based on the codes he assigns. Medical Mutual notes that the code warranting the highest reimbursement, to be used “rarely” and “only where the provider faces significant and complex medical decisions,” is 99215.
{¶ 4} Medical Mutual’s review of Schlotterer’s billing reports in 2004 revealed a high percentage of 99215 code submissions. Medical Mutual then requested medical records for ten families, which Schlotterer provided. The insurer reviewed the records and determined that the 99215 billing code was not warranted in those cases. A subsequent investigation into Schlotterer’s coding practices allegedly revealed that Schlotterer had been overpaid by $269,576 for 99215 code submissions.
{¶ 5} Medical Mutual filed this action against Schlotterer for fraud, breach of contract, and a demand for an accounting of the doctor’s liabilities to it. Schlotterer denied the allegations in the complaint and filed a counterclaim, alleging that Medical Mutual had refused to honor any submissions for reimbursement since February 2005. To determine the extent of the alleged fraud, Medical Mutual filed a motion “for a Qualified Protective Order and order [directing Schlotterer] to respond to discovery” of patient records. These records were to have obscured the information that identified the patients. Medical Mutual argued that the records were discoverable according to Ohio law, the participation agreement, and the certificates of coverage issued to insureds. Schlotterer opposed the motion based on the physician-patient privilege.
{¶ 6} The certificates of coverage issued to each of Schlotterer’s patients insured by Medical Mutual include the following language in the Claim Review section:
{¶ 7} “Consent to Release Medical Information — Denial of Coverage
{¶ 8} ‘You consent to the release of medical information to Medical Mutual when you enroll and/or sign an Application.
{¶ 9} “When you present your identification card for Covered Services, you are also giving your consent to release medical information to Medical Mutual. *183Medical Mutual has the right to refuse to reimburse for Covered Services if you refuse to consent to the release of any medical information.”
{¶ 10} The participation agreement signed by Schlotterer similarly contains the following provision in the Record Review section:
{¶ 11} “Provider agrees to furnish, upon request, to [Medical Mutual] or its agents all requested Records relating to claims filed with [Medical Mutual], as defined in [Medical Mutual’s] Professional Provider Manual.”
{¶ 12} The trial court granted Medical Mutual’s motion, ordering Schlotterer to respond to the discovery requests subject to the protective order. Schlotterer appealed pursuant to R.C. 2505.02(A)(3) and (B)(4), and the court of appeals vacated and remanded the trial court’s decision. Med. Mut. of Ohio v. Schlotterer, Cuyahoga App. No. 89388, 2008-Ohio-49, 2008 WL 94508. The court of appeals held that the order to comply with the discovery requests for the medical records violated the physician-patient privilege, as codified in R.C. 2317.02(B)(1). Id. at ¶ 36. We accepted Medical Mutual’s discretionary appeal. Med. Mut. of Ohio v. Schlotterer, 118 Ohio St.3d 1505, 2008-Ohio-3369, 889 N.E.2d 1024.
Ill
{¶ 13} We apply a de novo standard of review in this case. In general, discovery orders are reviewed under an abuse-of-discretion standard. State ex rel. Sawyer v. Cuyahoga Cty. Dept. of Children & Family Servs., 110 Ohio St.3d 343, 2006-Ohio-4574, 853 N.E.2d 657, ¶ 9. But whether the information sought is confidential and privileged from disclosure is a question of law that is reviewed de novo. Castlebrook, Ltd. v. Dayton Properties Ltd. Partnership (1992), 78 Ohio App.3d 340, 346, 604 N.E.2d 808. When a court’s judgment is based on an erroneous interpretation of the law, an abuse-of-discretion standard is not appropriate. See Swartzentruber v. Orrville Grace Brethren Church, 163 Ohio App.3d 96, 2005-Ohio-4264, 836 N.E.2d 619, ¶ 6; Huntsman v. Aultman Hosp., 5th Dist. No. 2006 CA 00331, 2008-Ohio-2554, 2008 WL 2572598, ¶ 50.
{¶ 14} Medical records are generally privileged from disclosure under R.C. 2317.02(B)(1). See Hageman v. Southwest Gen. Health Ctr., 119 Ohio St.3d 185, 2008-Ohio-3343, 893 N.E.2d 153, ¶ 9 (“Numerous state and federal laws recognize and protect an individual’s interest in ensuring that his or her medical information remains” confidential — R.C. 2317.02(B)(1), the physician-patient privilege; R.C. 149.43(A)(1)(a), which exempts medical records from the Public Records Act; and the federal Health Information Portability and Accountability Act of 1996). Civ.R. 26(B) accordingly states, “Parties may obtain discovery regarding any matter, not privileged, which is relevant to the subject matter involved in the pending action * * The physician-patient privilege does not apply, however, *184where the patient has given express consent to disclosure. R.C. 2317.02(B)(l)(a)(i).
{¶ 15} The physician-patient privilege is designed to “ ‘promote health by encouraging a patient to fully and freely disclose all relevant information which may assist the physician in treating the patient.’ ” State Med. Bd. of Ohio v. Miller (1989), 44 Ohio St.3d 136, 140, 541 N.E.2d 602, quoting Huzjak v. United States (N.D.Ohio 1987), 118 F.R.D. 61, 63, citing Floyd v. Copas (C.P.1977), 9 O.O.3d 298, 299-300.
{¶ 16} A consent to the release of medical information is valid, and waives the physician-patient privilege, if it is voluntary, express, and reasonably specific in identifying to whom the information is to be delivered. Generally “[pjersons may either expressly or impliedly waive statutory provisions intended for their own benefit.” State ex rel. Wallace v. State Med. Bd. of Ohio (2000), 89 Ohio St.3d 431, 435, 732 N.E.2d 960. But the physician-patient-privilege statute specifically requires a patient’s express consent. R.C. 2317.02(B)(l)(a)(i). See State ex rel. Lambdin v. Brenton (1970), 21 Ohio St.2d 21, 24, 50 O.O.2d 44, 254 N.E.2d 681.
{¶ 17} In Biddle v. Warren Gen. Hosp. (1999), 86 Ohio St.3d 395, 407, 715 N.E.2d 518, we further recognized the importance of specificity in a release of medical records. The hospital in Biddle released medical records to a law firm it had hired to screen patients for Supplemental Security Disability Income eligibility to help those patients pay their past-due medical bills. Id. at 396, 715 N.E.2d 518. The hospital argued that its general-authorization-for-release-of-information form provided the patients’ consent. Id. at 406, 715 N.E.2d 518. We noted, “By its express terms, this form authorizes the hospital to release medical information only ‘to [one’s] insurance company and/or third party payor,’ and then only ‘as may be necessary for the completion of [one’s] hospitalization claims.’ ” Id. We held that the form was insufficient to authorize release of the records because it authorized only the release of information to the patient’s insurance company or third-party payor and not to the hospital’s lawyers. Id. at 406-407, 715 N.E.2d 518. The requirement of specificity allows the patients to know exactly who will have access to their medical records in order for them to make a properly informed decision regarding waiver of the physician-patient privilege. It is important to note that this requirement also prohibits a party receiving the records from sharing the information with others who are not within the scope of the patient’s release. Id. at 407, 715 N.E.2d 518. The limited nature of the consent would otherwise be defeated.
{¶ 18} We also held in Biddle that the form provided inadequate consent because it explicitly stated a purpose for releasing the information, namely completion of hospitalization claims, that was inconsistent with the hospital’s disclosure to the law firm to determine Supplemental Security Income eligibility. *185Id. at 406, 715 N.E.2d 518. If a purpose is provided within an express waiver of privilege, then it becomes part of the consent. The patient must be able to rely on any limitations or exclusions if he or she is to be capable of fully understanding the implications of the waiver. If medical information is released for a purpose other than what is agreed to, it is effectively a violation of the express nature of the consent.
IV
{¶ 19} The consent provisions in the certificates of coverage provided to all Medical Mutual insureds that were patients of Schlotterer meet the necessary requirements for disclosure. First, there is no contention that the releases were involuntary. Second, they qualify as express consent, given the sentence: “You consent to the release of medical information to Medical Mutual when you enroll and/or sign an Application.” And third, the provisions are reasonably specific in identifying to whom the release is made: i.e., Medical Mutual.
{¶ 20} Nor would discovery of the medical records at issue be inconsistent with any stated purpose in the consent provisions. The releases here are broader than those in Biddle, 86 Ohio St.3d at 406, 715 N.E.2d 518, where disclosure was limited to the express purpose of completing hospitalization claims. Medical Mutual’s consent statement contains no such express purpose. Schlotterer argues that the release does not authorize Medical Mutual to investigate fraud; instead he asserts that the statement allows for review of the medical records only before the insurer makes a coverage determination. We disagree. The second paragraph in the consent section of the certificates of coverage states that the patient again consents to release of medical information upon presenting an identification card and that Medical Mutual has the right to refuse to reimburse if the patient refuses consent. This language does not limit the release to permission to determine whether services will be reimbursed, but merely explains the consequences should a patient withdraw his or her consent.
{¶ 21} Schlotterer also points to the heading above the consent section in the certificates of coverage, Claim Review. We decline, however, to give significant weight to it. Medical Mutual’s purpose for obtaining these records falls within the category of claim review. The insurer is seeking to review prior coverage claims to investigate whether Schlotterer received proper reimbursement.
{¶22} Schlotterer further contends that disclosing medical records in the context of this litigation would entail releasing the records to Medical Mutual’s attorneys, who fall outside the specific language of the consent. This argument also fails. The disclosure of the medical information to the law firm in Biddle fell outside the release because it authorized the hospital to release records to the patient’s insurance company or a third-party payor only. Id., 86 Ohio St.3d at 406-407, 715 N.E.2d 518. Although we required that the attorneys be specifically *186named in the consent, rather than impliedly included with their client, we do not require this specificity in all circumstances. The release to Medical Mutual in this case also permits disclosure to its attorneys who are seeking disclosure on its behalf. Were we to find otherwise, a party that must turn to the courts to enforce a waiver of privilege would be compelled to do so on a pro se basis. A party is entitled to attorney representation in a court of law. The information will be disclosed to Medical Mutual’s attorneys only because Schlotterer refused to comply with the consent provision and provide the records directly to Medical Mutual. Biddle involved considerably different circumstances: the hospital disclosed the medical records to the law firm on its own terms entirely outside the context of litigation. Id. at 396, 715 N.E.2d 518.
y
{¶ 23} Because Schlotterer’s patients that are insured by Medical Mutual validly consented to release their medical information to Medical Mutual, we hold that the consent exception to the physician-patient privilege in R.C. 2317.02(B)(1) applies. Medical Mutual is therefore entitled to discovery of the medical records in this action. We do stress, however, that Civ.R. 26(C) still applies to discovery that is excepted from privilege protection. Trial courts may use protective orders to prevent confidential information, such as that contained in the medical records at issue, from being unnecessarily revealed. Whether a protective order is necessary remains a determination within the sound discretion of the trial court. See State ex rel. Citizens for Open, Responsive & Accountable Govt. v. Register, 116 Ohio St.3d 88, 2007-Ohio-5542, 876 N.E.2d 913, ¶ 18. Schlotterer has not challenged the trial court’s protective order, but only the decision that the records are not protected by the physician-patient privilege. We therefore reverse the judgment of the court of appeals and remand to the trial court for further proceedings.
Judgment reversed and cause remanded.
Lundberg Stratton, O’Connor, O’Donnell, Lanzinger, and Cupp, JJ., concur. Pfeifer, J., concurs in part and dissents in part.