Haage v. Zavala , 2020 IL App (2d) 190499 ( 2020 )


Menu:
  •                                                                         Digitally signed by
    Reporter of
    Decisions
    Reason: I attest to
    Illinois Official Reports                        the accuracy and
    integrity of this
    document
    Appellate Court                         Date: 2020.12.29
    15:39:19 -06'00'
    Haage v. Zavala, 
    2020 IL App (2d) 190499
    Appellate Court     ROSEMARIE HAAGE, Plaintiff-Appellee, v. ALFONSO MONTIEL
    Caption             ZAVALA,      PATRICIA      SANTIAGO,     JOSE    PACHECO-
    VILLANUEVO, OKAN ESMEZ, and ROSALINA ESMEZ,
    Defendants (State Farm Mutual Automobile Insurance Company,
    Intervenor-Appellant).–AGNIESZKA SURLOCK and EDWARD
    SURLOCK, Plaintiffs-Appellees, v. DRAGOSLAV STARCEVIC,
    Defendant (State Farm Mutual Automobile Insurance Company,
    Intervenor-Appellant).
    District & No.      Second District
    Nos. 2-19-0499, 2-19-0500 cons.
    Filed               March 13, 2020
    Rehearing denied    April 2, 2020
    Decision Under      Appeal from the Circuit Court of Lake County, Nos. 17-L-897, 18-L-
    Review              39; the Hon. Mitchell L. Hoffman and the Hon. Diane E. Winter,
    Judges, presiding.
    Judgment            Affirmed.
    Counsel on          Glen E. Amundsen and Michael Resis, of SmithAmundsen LLC, of
    Appeal              Chicago, for appellant.
    Robert D. Fink and Kenneth A. Koppelman, of Collison Law Offices,
    of Chicago, for appellees.
    Panel                     JUSTICE HUDSON delivered the judgment of the court, with
    opinion.
    Presiding Justice Birkett and Justice Zenoff concurred in the judgment
    and opinion.
    OPINION
    ¶1                                          I. INTRODUCTION
    ¶2         This consolidated appeal concerns the scope of protective orders involving the disclosure
    of protected health information (PHI) to a property and casualty insurer. In each of the two
    underlying cases, plaintiffs sued to recover damages occasioned by the alleged negligence of
    defendants in driving their automobiles. Plaintiffs subsequently moved for the entry of
    qualified protective orders pursuant to the Health Insurance Portability and Accountability Act
    of 1996 (HIPAA) (Pub. L. No. 104-191, 
    110 Stat. 1936
     (1996) (codified as amended in
    scattered sections of Titles 18, 26, 29, and 42 of the United States Code)) (HIPAA qualified
    protective orders). Among other things, the protective orders proposed by plaintiffs would have
    (1) prohibited the parties and any other persons or entities from using or disclosing PHI for
    any purpose other than the litigation for which it was requested and (2) required the return or
    destruction of the PHI within 60 days after the conclusion of the litigation. See 
    45 C.F.R. § 164.512
    (e)(1)(v)(A), (B) (2018) (setting forth requirements for a qualified protective order
    under HIPAA). State Farm Mutual Automobile Insurance Company (State Farm), the liability
    insurer for at least one of the named defendants in each case, petitioned to intervene. After the
    circuit court of Lake County granted the petition in each case, State Farm filed objections to
    the HIPAA qualified protective orders. State Farm argued, inter alia, that the HIPAA qualified
    protective orders (1) sought to bind State Farm to the requirements of HIPAA although State
    Farm is expressly exempt from the statute’s application and (2) directly conflicted with State
    Farm’s obligations and rights under the Illinois Insurance Code (215 ILCS 5/1 et seq. (West
    2018)) and the administrative regulations governing its business operations. State Farm
    requested that the trial court deny the HIPAA qualified protective orders and enter, pursuant
    to Illinois Supreme Court Rule 201(c)(1) (eff. May 29, 2014), protective orders similar to one
    used in the law division of the circuit court of Cook County (Cook County protective orders).
    The Cook County protective orders would permit insurance companies to “disclose, maintain,
    use, and dispose of PHI or what would otherwise be considered PHI to comply and conform
    with current and future applicable federal and state statutes, rules, and regulations” for certain
    designated purposes and exempt insurers from any “return or destroy” provisions.
    ¶3         Following a combined hearing and additional briefing, the trial court in each case granted
    plaintiffs’ motions for the HIPAA qualified protective orders and denied State Farm’s request
    for the Cook County protective orders. The trial courts determined, among other things, that
    (1) to the extent that State Farm’s obligations and rights under Illinois law conflict with HIPAA
    requirements, the federal statute and its regulations preempt state law and (2) any individual
    or entity receiving PHI in response to a HIPAA qualified protective order is bound to follow
    the terms of the order. State Farm filed an interlocutory appeal in each case, pursuant to Illinois
    Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017). On appeal, State Farm contends that the
    trial courts erred in granting plaintiffs’ motions for the HIPAA qualified protective orders. We
    -2-
    affirm.
    ¶4                                     II. BACKGROUND
    ¶5      To provide context to the parties’ arguments, we briefly review the relevant provisions of
    HIPAA before discussing the facts underlying this appeal.
    ¶6                                             A. HIPAA
    ¶7        In 1996, Congress passed, and President Clinton signed into law, HIPAA (Pub. L. No. 104-
    191, 
    110 Stat. 1936
     (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and
    42 of the United States Code)). Among HIPAA’s purposes were to establish national privacy
    standards and fair information practices regarding individually identifiable health information.
    Brende v. Hara, 
    153 P.3d 1109
    , 1114 (Haw. 2007); see also Wade v. Vabnick-Wener, 
    922 F. Supp. 2d 679
    , 687 (W.D. Tenn. 2010) (“HIPAA embodies Congress’ recognition of ‘the
    importance of protecting the privacy of health information in the midst of the rapid evolution
    of health information systems.’ ” (quoting South Carolina Medical Ass’n v. Thompson, 
    327 F.3d 346
    , 348 (4th Cir. 2003))); Law v. Zuckerman, 
    307 F. Supp. 2d 705
    , 710 (D. Md. 2004)
    (“Congress enacted HIPAA, in part, to protect the security and privacy of individually
    identifiable health information.”); U.S. Dep’t of Health & Human Servs., Office for Civil
    Rights, Summary of the HIPAA Privacy Rule 1 (May 2003), https://www.hhs.gov/sites/
    default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR] (“A major goal of [HIPAA]
    is to assure that individuals’ health information is properly protected while allowing the flow
    of health information needed to provide and promote high quality health care and to protect
    the public’s health and well being.”). To this end, HIPAA authorized the Secretary of the
    Department of Health and Human Services (HHS) to issue regulations governing individually
    identifiable health information if Congress did not enact privacy legislation within three years
    of the passage of the statute. HIPAA, Pub. L. No. 104-191, § 264(c)(1), 
    110 Stat. 1936
    , 2033-
    34 (1996); U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the
    HIPAA Privacy Rule 1-2 (May 2003), https://www.hhs.gov/sites/default/files/privacy
    summary.pdf [https://perma.cc/F66C-T4TR]; Arons v. Jutkowitz, 
    880 N.E.2d 831
    , 840 (N.Y.
    2007). Congress did not meet its self-imposed deadline, so HHS proposed and subsequently
    adopted the “Privacy Rule,” a series of regulations governing permitted uses and disclosures
    of PHI. Standards for Privacy of Individually Identifiable Health Information, 
    65 Fed. Reg. 82,462
     (Dec. 28, 2000); U.S. Dep’t of Health & Human Servs., Office for Civil Rights,
    Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/
    privacysummary.pdf [https://perma.cc/F66C-T4TR]; Arons, 880 N.E.2d at 840. The Privacy
    Rule is codified at parts 160 and 164 of Title 45 of the Code of Federal Regulations (45 C.F.R.
    pt. 160, 164 (2018)). U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary
    of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/privacy
    summary.pdf [https://perma.cc/F66C-T4TR]; Arons, 880 N.E.2d at 840.
    ¶8        The Privacy Rule prohibits the use or disclosure of an individual’s PHI by a “covered
    entity” or “business associate” unless the individual has consented in writing or unless the use
    or disclosure is otherwise specifically permitted or required by the Privacy Rule. 
    45 C.F.R. §§ 164.502
    , 164.506, 164.508, 164.510, 164.512 (2018). With exceptions not relevant here,
    the Privacy Rule defines the term “protected health information” as “individually identifiable
    health information” transmitted by electronic media, maintained in electronic media, or
    -3-
    transmitted or maintained in any other form or medium. 
    45 C.F.R. § 160.103
     (2018). In turn,
    “individually identifiable health information” means information, including demographic data,
    that (1) relates to “the past, present, or future physical or mental health or condition of an
    individual; the provision of health care to an individual; or the past, present, or future payment
    for the provision of health care to an individual” and (2) “identifies the individual” or where
    “there is a reasonable basis to believe the information can be used to identify the individual.”
    
    45 C.F.R. § 160.103
     (2018). A “covered entity” means “[a] health plan,” “[a] health care
    clearinghouse,” or “[a] health care provider who transmits any health information in electronic
    form” as those terms are defined in the regulation. 
    45 C.F.R. § 160.103
     (2018). A “business
    associate” is a person, other than a member of a covered entity’s workforce, who performs
    certain functions or activities on behalf of or provides certain services to a covered entity that
    involve the use or disclosure of PHI. 
    45 C.F.R. § 160.103
     (2018).
    ¶9         Relevant to this dispute, the Privacy Rule permits a “covered entity” to use or disclose PHI,
    in the course of any judicial or administrative proceeding, without the written authorization of
    the individual to whom it belongs. 
    45 C.F.R. § 164.512
    (e) (2018). However, the Privacy Rule
    places certain requirements on both the party providing the information and the party seeking
    it. U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA
    Privacy Rule 6 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf
    [https://perma.cc/F66C-T4TR]. Hence, a covered entity may disclose PHI expressly authorized
    by a court order. 
    45 C.F.R. § 164.512
    (e)(1)(i) (2018). A covered entity may also disclose PHI
    “[i]n response to a subpoena, discovery request, or other lawful process, not accompanied by
    an order of a court,” if the covered entity “receives satisfactory assurance *** from the party
    seeking the information” that the party has made reasonable efforts (1) to ensure that the
    individual who is the subject of the PHI has been given notice of the request or (2) to secure a
    qualified protective order. 
    45 C.F.R. § 164.512
    (e)(1)(ii) (2018). In addition, a covered entity
    may disclose PHI in response to “lawful process” without receiving satisfactory assurance
    from the requesting party if the covered entity itself makes reasonable efforts to notify the
    individual or seek a qualified protective order. 
    45 C.F.R. § 164.512
    (e)(1)(vi) (2018). With
    respect to PHI, a “qualified protective order” under the Privacy Rule means an order of the
    court or of an administrative tribunal or a stipulation by the parties to the litigation or
    administrative proceeding that (1) “[p]rohibits the parties from using or disclosing the [PHI]
    for any purpose other than the litigation or proceeding for which such information was
    requested” and (2) “[r]equires the return to the covered entity or destruction of the [PHI]
    (including all copies made) at the end of the litigation or proceeding.” 
    45 C.F.R. § 164.512
    (e)(1)(v)(A), (B) (2018).
    ¶ 10       HIPAA and its regulations establish a “uniform federal ‘floor’ of privacy protections for
    individual medical information.” Scott D. Stein, What Litigators Need to Know About HIPAA,
    
    36 J. Health L. 433
    , 434 (2003); see also Standards for Privacy of Individually Identifiable
    Health Information, 65 Fed. Reg. at 82,471 (“The protections [(provided by HIPAA and its
    regulations)] are a mandatory floor, which other governments and any covered entity may
    exceed.”); 
    45 C.F.R. § 164.502
    (a) (2018). As a result, HIPAA preempts “contrary” state laws
    unless the state law is “more stringent” than the standards set forth in the Privacy Rule. 42
    U.S.C. § 1320d-7 (2018); 
    45 C.F.R. §§ 160.202
    , 160.203(b), 164.502(a) (2018); Giangiulio v.
    Ingalls Memorial Hospital, 
    365 Ill. App. 3d 823
    , 840 (2006); Stein, supra, at 434. A state law
    is “contrary” to HIPAA if a “covered entity or business associate would find it impossible to
    -4-
    comply with both the State and Federal requirements” or if the “provision of State law stands
    as an obstacle to the accomplishment and execution of the full purposes and objectives of
    [HIPAA].” 
    45 C.F.R. § 160.202
     (2018). A state law is “more stringent” than HIPAA if the
    state law provides greater privacy protection or privacy rights. 
    45 C.F.R. § 160.202
     (2018);
    Giangiulio, 365 Ill. App. 3d at 840; Caldwell v. Chauvin, 
    464 S.W.3d 139
    , 153 (Ky. 2015)
    (“[I]f a ‘contrary’ [state] law requires a more stringent standard of privacy, HIPAA’s
    preemption provisions are inapplicable and state law controls.” (Emphasis in original.)). In
    addition, HIPAA will not preempt a contrary state law if the Secretary of HHS determines, in
    response to a request by the State, that, among other things, the state law is necessary for one
    of the specified purposes set forth in section 160.203(a)(1) of the Privacy Rule. 
    45 C.F.R. §§ 160.203
    (a)(1), 160.204 (2018).
    ¶ 11                                        B. Underlying Facts
    ¶ 12                                        1. Haage Complaint
    ¶ 13       On November 15, 2017, plaintiff, Rosemarie Haage, filed a five-count complaint against
    defendants Alfonso Montiel Zavala, Patricia Santiago, Jose Pacheco-Villanuevo, Okan Esmez,
    and Rosalina Esmez. The action arose out of a multi-vehicle collision near the intersection of
    Lakeview Parkway and Route 60 in Vernon Hills. Count I of the complaint alleged negligence
    on the part of Zavala, count II alleged negligent entrustment on the part of Santiago, count III
    alleged negligence on the part of Pacheco-Villanuevo, count IV alleged negligence on the part
    of Okan Esmez, and count V alleged negligent entrustment on the part of Rosalina Esmez. All
    counts sought to recover damages for, inter alia, Haage’s bodily injuries.
    ¶ 14                                     2. Surlock Complaint
    ¶ 15       On January 11, 2018, plaintiffs, Agnieszka and Edward Surlock, filed a two-count
    complaint against defendant Dragoslav Starcevic. The action arose out of an automobile
    accident between Agnieszka and Starcevic on January 24, 2016, at the intersection of Grand
    Avenue and Route 45 in Lindenhurst. Count I of the complaint alleged negligence and sought
    to recover damages for, inter alia, Agnieszka’s bodily injuries. Count II of the complaint
    alleged loss of consortium on behalf of Edward, Agnieszka’s husband.
    ¶ 16                            3. Motions for Entry of Protective Orders
    ¶ 17       On August 23, 2018, the Surlocks and Haage each filed a “Motion for Entry of Protective
    Order and Authorization to Disclose Protected Health Information” in their respective lawsuits.
    The motions alleged that Agnieszka’s and Haage’s treating physicians, hospitals, and other
    healthcare providers, all of whom are “covered entities” as defined by the Privacy Rule,
    possess their PHI. The motions further alleged that both the prosecution and the defense in
    each case “will require that the parties, their attorneys, their attorneys’ agents, consultants and
    various witnesses and other personnel receive and review copies of the protected health
    information” but that HIPAA “potentially prohibits covered entities from disclosing protected
    health information in judicial proceedings other than by authorization or Qualified Protective
    Order.” See 
    45 C.F.R. § 164.512
    (e) (2018). Accordingly, the Surlocks and Haage requested
    HIPAA qualified protective orders permitting the use and disclosure of PHI pertaining to
    Agnieszka and Haage. Relevant to these appeals, the HIPAA qualified protective orders
    proposed by the Surlocks and Haage would (1) require any person or entity in possession of
    -5-
    PHI received pursuant to the protective order, including an insurance company, to return or
    destroy any and all PHI pertaining to the plaintiffs within 60 days after the conclusion of the
    litigation (
    45 C.F.R. § 164.512
    (e)(1)(v)(B) (2018)) and (2) prohibit the parties, their attorneys,
    and their insurers from using or disclosing PHI for any purpose other than the litigation at issue
    (
    45 C.F.R. § 164.512
    (e)(1)(v)(A) (2018)). A hearing on plaintiffs’ motions was scheduled for
    October 6, 2018.
    ¶ 18                                       4. Petitions to Intervene
    ¶ 19        On September 17, 2018, State Farm filed a petition to intervene in the Surlock case as a
    matter of right pursuant to section 2-408(a)(2) of the Code of Civil Procedure (Code) (735
    ILCS 5/2-408(a)(2) (West 2018)). On September 28, 2018, State Farm filed a nearly identical
    petition to intervene in the Haage litigation. State Farm sought to intervene on the basis that,
    as the liability insurer for Starcevic and at least one of the named defendants in the Haage case,
    the proposed HIPAA qualified protective orders would impose upon it “significant restrictions
    and obligations.” State Farm asserted that it met the threshold requirements to intervene as of
    right pursuant to section 2-408(a)(2) of the Code because (1) its petitions were timely, having
    been filed before the entry of the HIPAA qualified protective orders, (2) representation of its
    interest by existing parties would be inadequate, as the attorneys representing its policyholders
    are not conversant with either the legal issues raised by the proposed HIPAA qualified
    protective orders or the laws and regulations applicable to State Farm’s business operations,
    and (3) the negative effect on State Farm if the HIPAA qualified protective orders were entered
    is of no concern or consequence to State Farm’s policyholders. Over plaintiffs’ objections, the
    trial court granted State Farm’s petitions to intervene and allowed State Farm leave to file
    objections to the HIPAA qualified protective orders.
    ¶ 20                                     5. State Farm’s Objections
    ¶ 21       In support of its objections, State Farm initially argued that the HIPAA qualified protective
    orders proposed by plaintiffs seek to bind it to HIPAA’s requirements, even though it is exempt
    from the statute’s application. In this regard, State Farm asserted that, as a property and
    casualty insurer, it is not a “covered entity” under HIPAA. State Farm also argued that
    restrictions in the proposed HIPAA qualified protective orders would directly conflict with its
    obligations and rights under Illinois law in two principal ways. First, State Farm asserted that
    requiring it to return or destroy all copies of PHI following the conclusion of the litigation
    would interfere with its obligations under provisions of both the Illinois Insurance Code and
    the Illinois Administrative Code, which require it to maintain a complete record of all books,
    records, and accounts, including claim files and claim data, and to make that information
    available for examination upon request to the Illinois Department of Insurance. See 215 ILCS
    5/133(2) (West 2018); 50 Ill. Adm. Code 919.30 (1989). According to State Farm, this would
    encompass medical records and PHI produced to it. State Farm maintained that its failure to
    comply with its obligations under Illinois law could subject the company to possible
    disciplinary action by the state. Second, State Farm asserted that restricting the use of the PHI
    to the litigation at issue would interfere with its rights under Illinois law to use plaintiffs’
    information to perform “certain insurance functions,” including (1) claims administration;
    (2) the detection, investigation, or reporting of actual or potential fraud, misrepresentation, or
    criminal activity; (3) underwriting; (4) ratemaking and guaranty fund functions;
    -6-
    (5) reinsurance and excess loss insurance; and (6) actuarial, scientific, medical, or public
    policy research.
    ¶ 22       State Farm also questioned the use of a qualified protective order in light of the fact that
    the Privacy Rule provides that PHI may be produced in litigation by several other procedures
    that would not impede the access, use, and retention of medical records by a property and
    casualty insurer. See 
    45 C.F.R. §§ 164.502
    (b)(2), 164.508, 164.512(e)(1)(i), (ii) (2018). As an
    alternative to plaintiffs’ proposed HIPAA qualified protective orders, State Farm urged the
    courts to adopt and enter, pursuant to Illinois Supreme Court Rule 201(c)(1) (eff. May 29,
    2014), the Cook County protective order, which is the standard “HIPAA Protective Order”
    used by the law division of the circuit court of Cook County pursuant to General
    Administrative Order 17-4 (Cook County Cir. Ct. Law Div. Gen. Adm. Order 17-4 (Dec. 15,
    2017)). 1 Paragraph two of the Cook County protective order permits insurance companies to
    “disclose, maintain, use, and dispose of PHI or what would otherwise be considered PHI to
    comply and conform with current and future applicable federal and state statutes, rules, and
    regulations” for the 11 designated purposes enumerated therein. Cook County Cir. Ct. Law
    Div. Gen. Adm. Order 17-4 (Dec. 15, 2017). The Cook County protective order also exempts
    insurance companies from any “return or destroy” provision, but only for the purposes listed
    in paragraph two. Cook County Cir. Ct. Law Div. Gen. Adm. Order 17-4 (Dec. 15, 2017). State
    Farm maintained that the Cook County protective order “omits unnecessary restrictions and
    explicitly accommodates casualty insurers’ obligations under applicable state and federal law.”
    ¶ 23                           6. Plaintiffs’ Replies to State Farm’s Objections
    ¶ 24        In their replies to State Farm’s objections, plaintiffs argued that, absent a waiver from the
    federal government, HIPAA prohibits the use or disclosure of PHI for any purpose other than
    the litigation or proceeding for which such information was requested and requires the return
    or destruction of PHI at the end of the litigation or proceeding. See 
    45 C.F.R. § 164.512
    (e)(1)(v)(A), (B) (2018). Thus, plaintiffs reasoned, to the extent that any state law or
    regulation permits State Farm to use, store, maintain, or distribute PHI outside the scope of
    litigation and for their own business operations, it is preempted by HIPAA. See 42 U.S.C.
    § 1320d-7 (2018); 
    45 C.F.R. § 160.203
     (2018) (providing that a standard, requirement, or
    implementation specification adopted under HIPAA regulations that is contrary to a provision
    of state law preempts the state law provision).
    1
    After State Farm petitioned to intervene, General Administrative Order 17-4 was vacated by the
    law division of the circuit court of Cook County, pursuant to General Administrative Order 18-1 (Cook
    County Cir. Ct. Law Div. Gen. Adm. Order 18-1 (Oct. 29, 2018)). General Administrative Order 18-1
    adopted a “HIPAA Qualified Protective Order” to replace the standard “HIPAA Protective Order” that
    had been previously used under General Administrative Order 17-4. Other than some minor
    modifications, the “HIPAA Qualified Protective Order” approved by General Administrative Order 18-
    1 is nearly identical to the standard “HIPAA Protective Order” adopted pursuant to General
    Administrative Order 17-4. General Administrative Order 18-1 is the subject of Proposal 18-01, which
    would amend Illinois Supreme Court Rule 218 (eff. July 1, 2014). A public meeting regarding Proposal
    18-01 was held before the Illinois Supreme Court Rules Committee on June 19, 2019. At oral argument,
    the parties represented that, to the best of their knowledge, no additional action has been taken with
    respect to Proposal 18-01.
    -7-
    ¶ 25       Plaintiffs further asserted that no fact or law supports State Farm’s claim that their proposed
    HIPAA qualified protective orders impose upon insurers undue restrictions or obligations.
    According to plaintiffs, there is no language in either the Illinois Insurance Code or the Illinois
    Administrative Code requiring non-health insurers to retain PHI and there has never been a
    disciplinary action taken against State Farm for failing to maintain PHI despite the entry each
    year of thousands of HIPAA qualified protective orders. Thus, plaintiffs concluded, their
    proposed HIPAA qualified protective orders do not place any obligations or restrictions on
    State Farm that would affect the reporting obligations of non-health insurers. Plaintiffs also
    disputed State Farm’s claim that it requires PHI in order to perform “certain insurance
    functions,” arguing that State Farm failed to cite any policies or regulations that would require
    the use of PHI for such purposes. Plaintiffs further posited that, even if State Farm is correct
    and Illinois law does require it to maintain PHI for purposes other than the litigation, any statute
    or regulation would be preempted by HIPAA.
    ¶ 26       Plaintiffs also asserted that whether State Farm is exempt from HIPAA because it is not a
    “covered entity” is “a moot point” because a determination of that issue does not control a
    court’s ability to enter a HIPAA qualified protective order restricting what a “non-covered
    entity” can do with PHI received from a covered entity. In this regard, State Farm obtains the
    ability to review plaintiffs’ PHI only because of a valid protective order. Thus, if State Farm
    wishes to access the PHI at issue, it must abide by the terms of any HIPAA qualified protective
    order entered by the court. Plaintiffs concluded that, if State Farm’s arguments are accepted,
    then a court could never enter a meaningful protective order that would require the destruction
    of PHI at the conclusion of litigation, as clearly required by HIPAA.
    ¶ 27                              7. Trial Court Proceedings and Orders
    ¶ 28        On February 13, 2019, the trial courts held a combined hearing on plaintiffs’ motions for
    HIPAA protective orders. On May 15, 2019, following additional briefing by the parties, the
    trial courts issued a memorandum opinion and order granting plaintiffs’ motions. In so ruling,
    the trial courts determined that, to the extent that State Farm’s obligations and rights under
    Illinois law conflict with HIPAA’s requirements, the federal statute preempts state law. The
    courts noted that it would be impossible to comply with both Illinois law and HIPAA
    requirements for a qualified protective order. Specifically, in direct conflict with HIPAA,
    adoption of the Cook County protective order would allow insurance companies to disclose,
    maintain, use, and dispose of PHI outside of the litigation and would not require insurers to
    return the PHI at the end of the litigation. See 
    45 C.F.R. § 164.512
    (e)(1)(v)(A), (B) (2018).
    The courts also concluded that State Farm’s interpretation of Illinois law defeats the full
    purposes and objectives of HIPAA. In this regard, the courts determined that, by eliminating
    the two requirements for a HIPAA qualified protective order, the Cook County order would
    not provide the confidentiality and protection of PHI envisioned when the Privacy Rule was
    enacted and would lower the protective floor that Congress provided in enacting HIPAA.
    ¶ 29        Next, the courts addressed State Farm’s claim that plaintiffs’ proposed HIPAA qualified
    protective orders seek to bind it to HIPAA’s requirements although it is expressly exempt from
    the statute’s application. While the courts agreed that, as a property and casualty liability
    insurer, State Farm is not a covered entity under HIPAA, they also determined that State Farm
    is not exempt from obeying a protective order entered with respect to PHI that has been
    produced by a covered entity. The courts concluded that all parties receiving PHI must follow
    -8-
    the qualified protective order, regardless of whether they are covered entities under HIPAA in
    the first instance. The courts reasoned that a qualified protective order would “lose[ ] its
    effectiveness” in protecting an individual’s PHI if a noncovered entity may ignore the
    restrictions required by HIPAA. The courts further concluded that Congress could not have
    intended that, at the close of litigation, noncovered entities may use PHI for their own private
    business purposes simply by virtue of their status as a noncovered entity.
    ¶ 30       Finally, the courts considered whether to avoid conflict with State Farm’s alleged
    obligations and rights under Illinois law by treating plaintiffs’ motions as proposals for a court
    order pursuant to 
    45 C.F.R. § 164.512
    (e)(1)(i) (2018) instead of as “qualified protective
    order[s]” accompanying “a subpoena, discovery request, or other lawful process” pursuant to
    
    45 C.F.R. § 164.512
    (e)(1)(ii) (2018). The courts acknowledged that the Privacy Rule provides
    several different methods by which a covered entity may disclose PHI, but they noted that
    plaintiffs elected to seek HIPAA qualified protective orders under 
    45 C.F.R. § 164.512
    (e)(1)(ii) (2018). As such, the courts concluded, it was “irrelevant” whether a
    different method could be used that would avoid conflict with State Farm’s alleged obligations
    and rights under Illinois law.
    ¶ 31       Accordingly, the courts denied State Farm’s request for the Cook County protective orders
    and granted plaintiffs’ motions for the HIPAA qualified protective orders. On May 15, 2019,
    the court in the Surlock case entered a HIPAA qualified protective order. On May 16, 2019,
    the court in the Haage case entered a HIPAA qualified protective order. Relevant here, the
    HIPAA qualified protective orders entered by the courts provided:
    “8. Within 60 days after the conclusion of the litigation, including appeals, the
    parties, their attorneys, insurance companies and any person or entity in possession of
    PHI received pursuant to this Order, shall return Plaintiff’s PHI to the covered entity
    or destroy any and all copies of PHI pertaining to Plaintiff, including any electronically
    stored copy or image, except that counsel are not required to secure the return or
    destruction of PHI submitted to the Court.
    ***
    12. All requests by or on behalf of any Defendant for protected health information,
    including but not limited to subpoenas, shall be accompanied by a complete copy of
    this Order. The parties—including their insurers and counsel—are prohibited from
    using or disclosing protected health information for any purpose other than this
    litigation. ‘Disclose’ shall have the same *** scope and definition as set forth in 
    45 C.F.R. § 160.103
    : ‘the release, transfer, provision of access to, or divulging in any
    manner of information outside the entity holding the information.’ ” (Emphases added.)
    ¶ 32                                       8. Postentry Proceedings
    ¶ 33       On June 6, 2019, State Farm filed a motion to stay portions of the HIPAA qualified
    protective orders, pursuant to Illinois Supreme Court Rule 305(b) (eff. July 1, 2017), pending
    interlocutory appeal by State Farm. On June 12, 2019, State Farm filed a notice of interlocutory
    appeal in each case pursuant to Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017)
    (allowing an appeal to be taken to the appellate court from an interlocutory order granting,
    modifying, refusing, dissolving, or refusing to dissolve or modify an injunction). On June 26,
    2019, this court granted State Farm’s motion to consolidate the appeals. On June 28, 2019,
    plaintiffs filed with this court a motion to dismiss the appeals as improper under Rule 307(a)(1).
    -9-
    This court denied plaintiffs’ motion to dismiss on July 10, 2019. See In re Appointment of
    Special Prosecutor, 
    2017 IL App (1st) 161376
    , ¶ 31 (“A protective order ‘circumscribing the
    publication of information is reviewable as an interlocutory injunctive order, pursuant to Rule
    307(a)(1).’ ” (quoting Skolnick v. Altheimer & Gray, 
    191 Ill. 2d 214
    , 221 (2000))); see also
    In re Daveisha C., 
    2014 IL App (1st) 133870
    , ¶ 25 (holding that Rule 307(a)(1) allows review
    of an order granting or denying injunctive relief, including a protective order entered during
    the discovery phase of the proceedings); Bush v. Catholic Diocese of Peoria, 
    351 Ill. App. 3d 588
    , 590 (2004) (deciding interlocutory appeal pursuant to Rule 307(a)(1) from entry of
    protective order).
    ¶ 34                                           III. ANALYSIS
    ¶ 35       On appeal, State Farm argues that it is not a “covered entity” subject to HIPAA and that,
    therefore, the trial court erred in finding that HIPAA and the Privacy Rule preempted its
    obligations under state law. State Farm further contends that the HIPAA qualified protective
    orders entered by the trial courts conflict in two principal ways with the use, retention, and
    disclosure of PHI authorized by the Illinois Insurance Code and the Illinois Administrative
    Code. First, the protective orders limit the use of PHI to the litigation in which it was produced.
    Second, they require the return or destruction of records containing PHI within 60 days of the
    conclusion of the litigation. In the interests of consistency and uniformity, State Farm requests
    that this court vacate the HIPAA qualified protective orders and enter in their stead the Cook
    County protective orders.
    ¶ 36       In response, plaintiffs contend that the trial court did not err in entering the HIPAA
    qualified protective orders. Plaintiffs do not dispute that State Farm is not a “covered entity”
    under HIPAA, but they argue that this fact does not discharge State Farm from obeying a
    protective order entered by the court with respect to PHI that has been produced by a “covered
    entity.” Plaintiffs further argue that neither the Illinois Insurance Code nor the administrative
    regulations governing insurers’ business operations require State Farm to retain PHI.
    ¶ 37                                          A. Covered Entity
    ¶ 38       State Farm initially argues that, as a property and casualty insurer, it is not a “covered
    entity” under HIPAA and, therefore, is not subject to HIPAA’s Privacy Rule. Whether State
    Farm falls within the definition of a “covered entity” for purposes of HIPAA requires us to
    construe the Privacy Rule. “Because administrative regulations have the force and effect of
    law, the familiar rules that govern construction of statutes also apply to the construction of
    administrative regulations.” Kean v. Wal-Mart Stores, Inc., 
    235 Ill. 2d 351
    , 368 (2009). The
    cardinal rule of statutory construction is to ascertain and give effect to the intent of the drafter.
    State Bank of Cherry v. CGB Enterprises, Inc., 
    2013 IL 113836
    , ¶ 56. The most reliable
    indicator of the drafter’s intent is the language of the regulation itself, which must be given its
    plain and ordinary meaning. State Bank of Cherry, 
    2013 IL 113836
    , ¶ 56. If the language of
    the enactment is clear, we must apply it as written, without resort to extrinsic aids. State Bank
    of Cherry, 
    2013 IL 113836
    , ¶ 56. Moreover, we will not depart from the plain meaning of an
    administrative regulation by reading into it exceptions, limitations, or conditions that conflict
    with the expressed intent. State Bank of Cherry, 
    2013 IL 113836
    , ¶ 56. Statutory construction
    presents a question of law subject to de novo review. Van Dyke v. White, 
    2019 IL 121452
    , ¶ 45.
    - 10 -
    ¶ 39       The Privacy Rule defines a “covered entity” as a “health plan,” “health care clearinghouse,”
    or “health care provider who transmits any health information in electronic form.” 
    45 C.F.R. § 160.103
     (2018). In turn, each of these three entities has its own statutory definition. The term
    “health plan” is defined as “an individual or group plan that provides, or pays the cost of,
    medical care” but excludes “[a]ny policy, plan, or program to the extent that it provides, or
    pays for the cost of, excepted benefits that are listed in *** 42 U.S.C. § 300gg-91(c)(1).” 
    45 C.F.R. § 160.103
     (2018). “Excepted benefits” include benefits under “[l]iability insurance,
    including general liability insurance and automobile liability insurance.” 42 U.S.C. § 300gg-
    91(c)(1)(C) (2018). Here, State Farm presents itself as a property and casualty insurer that
    insures its policyholders against the risk of third-party liability for bodily injury and property
    damage that results from an accident. Plaintiffs do not dispute this portrayal of State Farm.
    Indeed, State Farm’s description comports with the generally recognized definitions of
    automobile, liability, property, and casualty insurance—an agreement to indemnify against
    property damage or loss. See Black’s Law Dictionary (11th ed. 2019) (defining “automobile
    insurance” as “[a]n agreement to indemnify against one or more kinds of loss associated with
    the use of an automobile, including damage to a vehicle and liability for personal injury”);
    Black’s Law Dictionary (11th ed. 2019) (defining “casualty insurance” as “[a]n agreement to
    indemnify against loss resulting from a broad group of causes such as legal liability, theft,
    accident, property damage, and workers’ compensation”); Black’s Law Dictionary (11th ed.
    2019) (defining “liability insurance” as “[a]n agreement to cover a loss resulting from the
    insured’s liability to a third party, such as a loss incurred by a driver who injures a pedestrian,
    and [usually] to defend the insured or to pay for a defense regardless of whether the insured is
    ultimately found liable”); Black’s Law Dictionary (11th ed. 2019) (defining “property
    insurance” as “[a]n agreement to indemnify against property damage or destruction”). In light
    of the foregoing, we agree that State Farm, as a property and casualty insurer, does not
    constitute a “health plan” as defined by the Privacy Rule.
    ¶ 40       Likewise, State Farm does not constitute a “health care clearinghouse” or a “health care
    provider” as those terms are defined by the Privacy Rule. A “health care clearinghouse” is
    defined as a public or private entity that either “[p]rocesses or facilitates the processing of
    health information received from another entity in a nonstandard format or containing
    nonstandard data content into standard data elements or a standard transaction” or “[r]eceives
    a standard transaction from another entity and processes or facilitates the processing of health
    information into nonstandard format or nonstandard data content for the receiving entity.” 
    45 C.F.R. § 160.103
     (2018). There is no evidence that State Farm performs either of the functions
    that would qualify it as a “health care clearinghouse.” A “health care provider” means “a
    provider of services (as defined in section 1861(u) of the [Social Security] Act, 42 U.S.C.
    1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the [Social
    Security] Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills,
    or is paid for health care in the normal course of business.” 
    45 C.F.R. § 160.103
     (2018). With
    exceptions not relevant here, a “provider of services” is “a hospital, critical access hospital,
    skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency,
    [or] hospice program.” 42 U.S.C. § 1395x(u) (2018). A “provider of medical or health
    services” includes, inter alia, physician services, services and supplies furnished incident to a
    physician’s services, hospital services, and diagnostic tests. 42 U.S.C. § 1395x(s) (2018).
    There is no evidence that State Farm is a provider of services, a provider of medical or health
    - 11 -
    services, or one who furnishes, bills, or is paid for health care in the normal course of business.
    Because State Farm does not fall within the definition of a “health plan,” “health care
    clearinghouse,” or “health care provider,” we conclude that it is not a covered entity for
    purposes of HIPAA. See Small v. Ramsey, 
    280 F.R.D. 264
    , 276 (N.D. W. Va. 2012) (“This
    Court finds no language extending the provision of the HIPPA [sic] statutes [citation] and
    regulations [citation] to liability insurers ***.”).
    ¶ 41                                        B. Application of HIPAA
    ¶ 42       The trial courts agreed that State Farm, as a property and casualty insurer, is not a covered
    entity under HIPAA. They then determined that State Farm’s status as a “non-covered entity”
    did not exempt it from obeying a protective order entered with respect to PHI produced by a
    covered entity. The trial courts held that all parties receiving PHI are bound to follow a HIPAA
    qualified protective order regardless of whether the party is a covered entity under HIPAA in
    the first instance, reasoning that a qualified protective order would “lose[ ] its effectiveness in
    protecting a patient’s PHI if a non-covered entity may ignore the restrictions required by
    HIPAA.” The question thus becomes whether a “non-covered entity” that receives PHI from a
    covered entity in response to a HIPAA qualified protective order is bound to comply with any
    of the order’s restrictions regarding the use and disclosure of PHI. State Farm insists that,
    because it is not a covered entity, it is not subject to any use or disclosure restrictions. Plaintiffs
    counter that, although State Farm is not a covered entity for purposes of HIPAA, this fact does
    not discharge it from obeying a HIPAA qualified protective order entered with respect to PHI
    that has been produced by a covered entity. Whether State Farm’s status as a “non-covered
    entity” exempts it from obeying the terms of a HIPAA qualified protective order requires us to
    construe the Privacy Rule. As such, it presents an issue of statutory construction, which is
    subject to de novo review. Van Dyke, 
    2019 IL 121452
    , ¶ 45; State Bank of Cherry, 
    2013 IL 113836
    , ¶ 22.
    ¶ 43       Section 164.512(e) of the Privacy Rule (
    45 C.F.R. § 164.512
    (e) (2018)) governs the
    circumstances under which a covered entity may disclose PHI to another party, in the course
    of a judicial proceeding. Section 164.512(e)(1)(i) permits a covered entity to disclose specified
    PHI in the course of a judicial proceeding, “[i]n response to an order of a court.” 
    45 C.F.R. § 164.512
    (e)(1)(i) (2018). Section 164.512(e)(1)(ii) permits a covered entity to disclose PHI
    in the course of a judicial proceeding, “[i]n response to a subpoena, discovery request, or other
    lawful process” that is not accompanied by an order of a court, if:
    “(A) The covered entity receives satisfactory assurance, as described in paragraph
    (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts
    have been made by such party to ensure that the individual who is the subject of the
    protected health information that has been requested has been given notice of the
    request; or
    (B) The covered entity receives satisfactory assurance, as described in paragraph
    (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts
    have been made by such party to secure a qualified protective order that meets the
    requirements of paragraph (e)(1)(v) of this section.” 
    45 C.F.R. § 164.512
    (e)(1)(ii)(A),
    (B) (2018).
    For the purposes of paragraph (e)(1)(ii)(B), a covered entity receives satisfactory assurances
    from a party seeking PHI if the covered entity receives from such party a written statement and
    - 12 -
    accompanying documentation demonstrating that “[t]he parties to the dispute giving rise to the
    request for information have agreed to a qualified protective order and have presented it to the
    court *** with jurisdiction over the dispute” or “[t]he party seeking the [PHI] has requested a
    qualified protective order from such court.” 
    45 C.F.R. § 164.512
    (e)(1)(iv) (2018). Further,
    paragraph (e)(1)(v) states:
    “For purposes of paragraph (e)(1) of this section, a qualified protective order means,
    with respect to [PHI] requested under paragraph (e)(1)(ii) of this section, an order of a
    court *** that:
    (A) Prohibits the parties from using or disclosing the [PHI] for any purpose
    other than the litigation or proceeding for which such information was requested;
    and
    (B) Requires the return to the covered entity or destruction of the [PHI]
    (including all copies made) at the end of the litigation or proceeding.” 
    45 C.F.R. § 164.512
    (e)(1)(v) (2018).
    Thus, in the absence of an order of the court, HIPAA authorizes a covered entity to disclose
    PHI in a judicial proceeding, pursuant to a subpoena, discovery request, or other lawful
    process, provided that adequate notice was given to the individual whose information is to be
    produced or a qualified protective order containing the specified restrictions has been entered
    in the litigation.
    ¶ 44       It is important to note that State Farm is not the disclosing party in this case. Rather, it is
    the party wishing to obtain PHI. In this regard, after plaintiffs moved for the HIPAA qualified
    protective orders with respect to the disclosure of their PHI, State Farm intervened and filed
    objections, requesting entry of an alternative HIPAA protective order, the Cook County
    protective order. As the plain language of the Privacy Rule indicates, a covered entity may
    disclose PHI to State Farm only if the protective order meets the requirements of section
    164.512(e)(1)(v) of the Privacy Rule (
    45 C.F.R. § 164.512
    (e)(1)(v) (2018)). Yet, the Cook
    County protective order would exempt State Farm from any obligation to limit the use or
    disclosure of PHI to the litigation or to return or destroy the PHI at the end of the litigation.
    State Farm cites no provision in HIPAA, the Privacy Rule, any other regulations, or case law
    that would allow such exemptions. Again, State Farm obtains the ability to review plaintiffs’
    PHI only in response to a protective order issued in accordance with the requirements of section
    164.512(e)(1)(v) (
    45 C.F.R. § 164.512
    (e)(1)(v) (2018)). Hence, if State Farm wishes to access
    the PHI at issue, it must abide by the terms of the HIPAA qualified protective orders entered
    by the court. Accordingly, we agree with the trial courts and conclude that State Farm, as an
    entity wishing to receive PHI from a covered entity in response to a HIPAA qualified protective
    order, is bound to comply with the use and disclosure restrictions set forth in the orders.
    ¶ 45       Citing various extrinsic sources, including the Federal Register, State Farm contends that
    the trial courts’ reasoning “ignores that possession of PHI does not convert a non-covered
    entity into a covered entity under HIPAA and its regulations.” To be sure, the passages State
    Farm cites support the notion that Congress did not intend property and casualty insurers to
    constitute “covered entities” for purposes of HIPAA. See Standards for Privacy of Individually
    Identifiable Health Information, 65 Fed. Reg. at 82,567 (“Congress did not include life insurers
    and casualty insurance carriers as ‘health plans’ for purposes of this rule and therefore they are
    not covered entities.”); Standards for Privacy of Individually Identifiable Health Information,
    65 Fed. Reg. at 82,568 (“[P]roperty and casualty insurers *** are not covered entities, as they
    - 13 -
    do not meet the statutory definition of ‘health plan.’ ”); Standards for Privacy of Individually
    Identifiable Health Information, 65 Fed. Reg. at 82,578 (“ ‘[E]xcepted benefits’ as defined
    under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such as property and
    casualty benefit providers, are not health plans for purposes of this rule.”). Indeed, as explained
    earlier, we have no quarrel with State Farm’s proposition. The passages it cites, however, say
    nothing about whether a noncovered entity is exempt from obeying a HIPAA qualified
    protective order entered with respect to PHI that has been produced by a covered entity.
    ¶ 46        State Farm further asserts that HHS has recognized that the Privacy Rule does not protect
    all PHI “wherever it is found.” In support of this position, State Farm directs us to the following
    passages from a report authored by HHS:
    “The HIPAA Rules apply only to organizations known as covered entities and their
    business associates. HIPAA does not apply to individuals or to other types of
    organizations that do not qualify as covered entities or business associates, even those
    that may handle or store an individual’s health information.
    ***
    The HIPAA Privacy Rule does not protect all health information wherever it is
    found. Because the rules apply only to covered entities and their business associates,
    the protections do not extend to data about the health of individuals held by
    [noncovered entities].” U.S. Dep’t of Health & Human Servs., Examining Oversight of
    the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA
    13, 15 (June 17, 2016), https://www.healthit.gov/sites/default/files/non-covered_
    entities_report_june_17_2016.pdf [https://perma.cc/3HRT-TMA7].
    State Farm’s reliance on this passage is unpersuasive. While the Privacy Rule does not protect
    all health information wherever it is found, nothing in the language quoted above indicates that
    a noncovered entity is exempt from obeying a HIPAA qualified protective order entered with
    respect to PHI that it has received from a covered entity in response to a HIPAA qualified
    protective order.
    ¶ 47        State Farm also asserts that “[a] plaintiff should be well-aware that PHI disclosed by a
    covered entity to the recipient has the potential to be subject to redisclosure by the recipient.”
    In support of this assertion, State Farm relies on section 164.508(c)(2)(iii) of the Privacy Rule
    (
    45 C.F.R. § 164.508
    (c)(2)(iii) (2018)). Section 164.508 of the Privacy Rule is entitled “Uses
    and disclosures for which an authorization is required.” 
    45 C.F.R. § 164.508
     (2018). It sets
    forth the process by which a covered entity may disclose PHI with a valid authorization. See
    
    45 C.F.R. § 164.508
     (2018). To be “valid” for purposes of section 164.508, the authorization
    must, among other things, “contain statements adequate to place the individual on notice of
    *** [t]he potential for information disclosed pursuant to the authorization to be subject to
    redisclosure by the recipient and no longer be protected by this subpart.” 
    45 C.F.R. § 164.508
    (c)(2)(iii) (2018). Section 164.508 makes clear that redisclosure in this context
    applies only with respect to PHI disclosed with a valid authorization. In this case, we are not
    dealing with the disclosure of PHI pursuant to a valid authorization. Thus, State Farm’s
    reliance on this provision is misplaced.
    ¶ 48        Citing a passage from the Federal Register, State Farm next observes that HHS has stated
    that, because its jurisdiction under the statute is limited to covered entities, “once protected
    health information leaves the purview of *** [a] covered entit[y], *** the information is no
    longer afforded protection under this rule.” Standards for Privacy of Individually Identifiable
    - 14 -
    Health Information, 65 Fed. Reg. at 82,567. Again, nothing in the language of this passage
    indicates that a noncovered entity is exempt from obeying the restrictions in a HIPAA qualified
    protective order entered with respect to PHI that has been produced by a covered entity.
    ¶ 49       In short, while State Farm is not a “covered entity” under HIPAA, it has not directed us to
    any specific language in HIPAA, the Privacy Rule, or any other regulation, authority, or case
    law indicating that a noncovered entity that receives PHI from a covered entity in response to
    a HIPAA qualified protective order is exempt from complying with the order’s restrictions
    regarding the use or disclosure of the PHI. Thus, if State Farm wishes to access the PHI at
    issue, it must abide by the terms of the HIPAA qualified protective orders entered by the trial
    courts.
    ¶ 50                                           C. Illinois Law
    ¶ 51       Next, State Farm argues that the trial courts erred in entering the HIPAA qualified
    protective orders because they conflict with State Farm’s obligations under state law.
    According to State Farm, it must be permitted to use and retain plaintiffs’ PHI to fulfill its
    obligation with respect to various provisions of the Illinois Insurance Code (215 ILCS 5/1
    et seq. (West 2018)) and the administrative regulations governing its business operations. As
    a result, State Farm maintains, the trial courts should instead have entered the Cook County
    protective orders. According to State Farm, the Cook County protective order “strikes the
    proper balance between a litigant’s interest in PHI and the State’s interest in allowing property
    and casualty insurers to retain PHI beyond litigation.”
    ¶ 52       To begin, State Farm directs us to article XL of the Insurance Code (215 ILCS 5/1001
    et seq. (West 2018)), which is titled “Insurance Information and Privacy Protection.” 215 ILCS
    5/art. XL (West 2018). One of the stated purposes of article XL is to “maintain a balance
    between the need for information by those conducting the business of insurance and the
    public’s need for fairness in insurance information practices, including the need to minimize
    intrusiveness.” 215 ILCS 5/1001 (West 2018). Citing section 1014 of article XL (215 ILCS
    5/1014 (West 2018)), State Farm argues that Illinois law protects personal or privileged
    information received in handling claims while still allowing property and casualty insurers to
    make disclosures reasonably necessary to rate-making, anti-fraud programs, consumer-
    protection research, and regulatory compliance. Specifically, section 1014 provides that “[a]n
    insurance institution, agent or insurance-support organization shall not disclose any personal
    or privileged information about an individual collected or received in connection with an
    insurance transaction unless the disclosure” meets one of the enumerated exceptions.
    (Emphasis added.) 215 ILCS 5/1014 (West 2018). However, as plaintiffs point out, there is a
    clear difference between language stating that an insurer “shall not disclose” personal or
    privileged information and language mandating the retention or use of PHI for a particular
    purpose. The passage to which State Farm directs us does not contain any mandatory
    affirmative language requiring the retention of PHI or its use for any particular purpose. This
    language in no way supports State Farm’s claim that state law requires it to retain or otherwise
    use PHI.
    ¶ 53       State Farm further asserts that insurers retain records for a variety of legal and operational
    reasons. For instance, State Farm notes that insurers are prohibited from engaging in improper
    claims practices. See 215 ILCS 5/154.5, 154.6 (West 2018). To this end, section 919.30 of
    Title 50 of the Illinois Administrative Code requires insurers to make their claim files available
    - 15 -
    to the Director of the Illinois Department of Insurance (Director) for examination upon request.
    50 Ill. Adm. Code 919.30(a) (1989). According to State Farm, the requirements governing the
    examination process conflict with the “return or destroy provisions” of the protective orders
    entered here.
    ¶ 54        With respect to examinations by the Director as part of improper-claims practice, section
    919.30 provides in relevant part as follows:
    “b) Each company shall maintain claim data that should be accessible and
    retrievable for examination by the Director. A company shall be able to provide the
    claim number, line of coverage, date of loss and date of payment of the claim, date of
    denial, or date claim closed without payment. This data must be available for all open
    and/or closed files for the current year and the two preceding years. The examiners’
    review may include but need not be limited to an examination of the following claims:
    1) Claims Closed with Payment;
    2) Claims Denied;
    3) Claims Closed Without Payment;
    4) First Party Automobile Total Losses; and/or Subrogation Claims.
    c) Detailed documentation shall be contained in each claim file in order to permit
    reconstruction of the company’s activities relative to each claim file.” 50 Ill. Adm.
    Code 919.30 (1989).
    According to State Farm, because this regulation requires maintaining “detailed
    documentation” in each claim file “to permit the reconstruction of the insurer’s activities,” it
    effectively mandates an insurer “to maintain all records of each claim for ‘all open and/or
    closed files for the current year and the two preceding years.’ ” However, we find no language
    in section 919.30 requiring an insurer to expressly retain PHI. Rather, the regulation refers to
    “claim data,” which it describes as “the claim number, line of coverage, date of loss and date
    of payment of the claim, date of denial, or date claim closed without payment.” Moreover, we
    see no reason why keeping in the company’s file a copy of the HIPAA qualified protection
    order, specifying that the company was prohibited from using or disclosing PHI for any
    purpose other than the litigation and was required to return or destroy the PHI at the end of the
    litigation, would not suffice to establish “the company’s activities relative to each file.” For
    these reasons, we are unpersuaded by State Farm’s claim that the requirements governing
    examinations for improper-claims practice conflict with the “return or destroy” provisions of
    the protective orders entered in this case.
    ¶ 55        State Farm also asserts that the HIPAA qualified protective orders prevent insurers from
    performing functions related to fraud detection and deterrence. State Farm asserts that, because
    the Illinois Department of Insurance relies on property and casualty insurers to detect and
    combat insurance fraud, Illinois law authorizes them to report information, including PHI, to
    the Illinois Department of Insurance and insurance support organizations, such as the National
    Insurance Crime Bureau and the Insurance Services Organization. See 215 ILCS 5/155.23
    (West 2018). According to State Farm, if insurers must return to covered entities or destroy all
    PHI within 60 days of the end of litigation, they cannot later provide necessary information to
    help the state with fraud detection and prevention.
    ¶ 56        The statute State Farm cites authorizes the Director
    - 16 -
    “to promulgate reasonable rules requiring insurers *** doing business in the State of
    Illinois to report factual information in their possession that is pertinent to suspected
    fraudulent insurance claims, fraudulent insurance applications, or premium fraud after
    [the Director] has made a determination that the information is necessary to detect fraud
    or arson.” (Emphases added.) 215 ILCS 5/155.23(1) (West 2018).
    We find State Farm’s reliance on section 155.23 unpersuasive for two principal reasons. First,
    the statute applies only to suspected fraudulent insurance claims, fraudulent insurance
    applications, or premium fraud and only after the Director has determined that the information
    is necessary to detect fraud or arson. In this case, there is no indication of fraud and no evidence
    that the Director has determined that any PHI is necessary to detect fraud or arson. Thus, there
    can be no factual information pertinent to any suspected fraud. Second, the statute requires an
    insurer to report only factual information in their possession. An insurer that has returned or
    destroyed PHI in accordance with a HIPAA qualified protective order cannot violate the statute
    because it does not possess any such information.
    ¶ 57       State Farm claims that other purposes for which property and casualty insurers retain
    claims files include actuarial and rate development, reinsurance evaluation and pricing, and
    long-tail exposure. 2 However, State Farm neither develops this argument nor cites any statute,
    policy, or regulation that would require it to use or retain PHI for any of those purposes. As
    such, we find any such claim forfeited. See Ill. S. Ct. R. 341(h)(7) (eff. May 25, 2018)
    (requiring appellant’s brief to include argument “which shall contain the contentions of the
    appellant and the reasons therefor, with citation of the authorities”); Lee v. Lee, 
    2019 IL App (2d) 180923
    , ¶ 24.
    ¶ 58       Lastly, we address State Farm’s reliance on part 901 of Title of 50 of the Illinois
    Administrative Code (50 Ill. Adm. Code 901) in support of its claim that it must be permitted
    to use and retain plaintiffs’ PHI to fulfill its obligations with respect to Illinois law. Section
    901.5 of Title 50 of the Illinois Administrative Code provides that “[n]o domestic company
    shall destroy any books, records, documents, accounts or vouchers, hereafter referred to as
    ‘records’, except in conformity with the requirements of this Part.” 50 Ill. Adm. Code 901.5,
    codified at 
    7 Ill. Reg. 4213
     (eff. Mar. 28, 1983). Section 901.20 of Title 50 sets out a time
    period for the disposal and destruction of records:
    “The company is authorized to dispose of or destroy records in its custody that do
    not have sufficient administrative, legal or fiscal value to warrant their further
    preservation and are not needed:
    a) in the transaction of current business;
    b) for the final settlement or disposition of any claim arising out of a policy of
    insurance issued by the company, except that these records must be maintained for
    the current year plus 5 years; or
    c) to determine the financial condition of the company for the period since the
    date of the last examination report of the company officially filed with the
    2
    “Reinsurance” is “[i]nsurance of all or part of one insurer’s risk by a second insurer, who accepts
    the risk in exchange for a percentage of the original premium.” Black’s Law Dictionary (11th ed. 2019).
    “Long-tail claims” are “claims that are made or settled a long time after the insurance policy has
    expired.” Collins English Dictionary, https://www.collinsdictionary.com/us/dictionary/english/long-
    tail-claims (last visited Feb. 21, 2020) [https://perma.cc/3SQ7-CQSQ].
    - 17 -
    Department of Insurance, except that these records must be maintained for at least
    the current year plus 5 years.” 50 Ill. Adm. Code 901.20 (2016).
    According to State Farm, part 901 sets out a detailed process for the destruction of an insurer’s
    records. Yet, it asserts, the HIPAA qualified protective orders entered in this case “create[ ] a
    Catch-22 for *** insurers, which must decide whether to comply with its ‘return or destroy’
    provisions or continue to comply with the regulations requiring the maintenance of complete
    claim records for much longer periods.”
    ¶ 59        Although part 901 of Title 50 defines the term “records,” State Farm does not explain how
    PHI falls within this definition. The term “records” is defined in section 901.10 of Title 50 as
    follows:
    “ ‘Records’ material means all books, papers and documentary materials regardless
    of physical form or characteristics, made, produced, executed or received by any
    domestic insurance company pursuant to law or in connection with the transaction of
    its business and preserved or appropriate for preservation by such company or its
    successors as evidence of the organization, function, policies, decisions, procedures,
    obligations and business activities of the company or because of the informational data
    contained therein. If doubt arises as to whether certain papers are ‘non-record’
    materials, it should be assumed that the documents are ‘records’.” (Emphasis added.)
    50 Ill. Adm. Code 901.10, codified at 
    7 Ill. Reg. 4213
     (eff. Mar. 28, 1983).
    In this case, State Farm does not explain how plaintiffs’ PHI is “appropriate for preservation,”
    especially given that (1) the trial courts entered HIPAA qualified protective orders expressly
    requiring the destruction of PHI within 60 days after the conclusion of the litigation and
    (2) State Farm failed to cite any statute, regulation, or case law that affirmatively requires the
    retention of PHI or its use for a particular purpose. See Small, 280 F.R.D. at 279-80 (rejecting
    similar argument by State Farm, in part because section 901.10 of Title 50 does not specifically
    reference medical records). Moreover, as noted, a copy of the HIPAA qualified protective
    order in the file would explain why the PHI was not present. Thus, this provision does not
    support State Farm’s position.
    ¶ 60        In short, State Farm has failed to direct us to any provision of the Insurance Code or the
    Illinois Administrative Code that requires it to use or disclose plaintiffs’ PHI after the
    conclusion of the litigation. We find nothing in the statutory and administrative regulations
    cited by State Farm in its brief requiring it to retain PHI or use it for any particular purpose
    after the conclusion of litigation. As such, we reject State Farm’s argument that the terms of
    the HIPAA qualified protective order conflict with its obligations under state law.
    ¶ 61                                          D. Preemption
    ¶ 62       Although we have concluded that the terms of the HIPAA qualified protective orders do
    not conflict with State Farm’s obligations under state law, to the extent that they could be so
    construed, we agree with the trial courts that the state law provisions are preempted by HIPAA.
    As noted earlier, among HIPAA’s purposes were to establish national privacy standards and
    fair information practices regarding individually identifiable health information. Brende, 
    153 P.3d at 1114
    ; Wade, 922 F. Supp. 2d at 687 (citing South Carolina Medical Ass’n, 
    327 F.3d at 348
    ); Law, 
    307 F. Supp. 2d at 710
    ; U.S. Dep’t of Health & Human Servs., Office for Civil
    Rights, Summary of the HIPAA Privacy Rule 1 (May 2003), https://www.hhs.gov/sites/
    default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]. To this end, HIPAA and its
    - 18 -
    regulations establish a “uniform federal ‘floor’ of privacy protections for individual medical
    information.” Stein, supra, at 434; see also Standards for Privacy of Individually Identifiable
    Health Information, 65 Fed. Reg. at 82,471 (“The protections [(provided by HIPAA and its
    regulations)] are a mandatory floor, which other governments and any covered entity may
    exceed.”); 
    45 C.F.R. § 164.502
    (a) (2018). Thus, HIPAA preempts “contrary” state laws unless
    the state law is “more stringent” than the standards set forth in the Privacy Rule. 42 U.S.C.
    § 1320d-7 (2018); 
    45 C.F.R. §§ 160.202
    , 160.203(b), 164.502(a) (2018); Giangiulio, 365 Ill.
    App. 3d at 840; Stein, supra, at 434. A state law is “contrary” to HIPAA if a “covered entity
    or business associate would find it impossible to comply with both the State and Federal
    requirements” or if the “provision of State law stands as an obstacle to the accomplishment
    and execution of the full purposes and objectives of [HIPAA].” 
    45 C.F.R. § 160.202
     (2018).
    Whether a state law is preempted by federal law is a question of law subject to de novo review.
    Fosler v. Midwest Care Center II, Inc., 
    398 Ill. App. 3d 563
    , 569 (2009).
    ¶ 63        In this case, a covered entity cannot comply with HIPAA if the statutory and administrative
    regulations, as interpreted by State Farm, are inserted in the qualified protective order. In this
    regard, the Cook County protective order does not require an insurer to return or destroy PHI
    at the conclusion of litigation and would permit the insurer to use and retain PHI outside of
    litigation. This directly conflicts with the requirements for a HIPAA qualified protective order
    under section 164.512(e)(1)(v) of the Privacy Rule. Likewise, by eliminating these two
    requirements, the Cook County protective order would not provide the confidentiality and
    protection of PHI envisioned when the Privacy Rule was promulgated. Stated differently, any
    requirement that an insurer be allowed to use and retain PHI beyond the conclusion of litigation
    would lower the floor of privacy protections HIPAA mandates. As such, the Cook County
    protective order acts as an obstacle to accomplishing and executing HIPAA’s full purposes and
    objectives.
    ¶ 64        In so holding, we also observe that section 160.203(a)(1) of the Privacy Rule provides that
    HIPAA will not preempt a contrary state law if the Secretary of HHS determines, in response
    to a request by a state, that the state law is necessary to, inter alia, “prevent fraud and abuse
    related to the provision of or payment for health care” or “ensure appropriate State regulation
    of insurance and health plans to the extent expressly authorized by statute or regulation.” 
    45 C.F.R. §§ 160.203
    (a)(1)(i), (ii), 160.204 (2018). State Farm does not indicate that any such
    exception was requested by the state with respect to an insurer’s purported obligations under
    Illinois law. In the absence of such a waiver from the federal government, a HIPAA qualified
    protective order prohibits the use or disclosure of PHI for any purpose other than the litigation
    or proceeding for which such information was requested and requires the return or destruction
    of PHI at the end of the litigation or proceeding.
    ¶ 65                                     E. Reverse Preemption
    ¶ 66      Typically, when a state law conflicts with a federal law, the federal law preempts the state
    law, rendering the state law without effect. U.S. Const., art. VI, cl. 2; Altria Group, Inc. v.
    Good, 
    555 U.S. 70
    , 76 (2008); Milliman, Inc. v. Roof, 
    353 F. Supp. 3d 588
    , 600 (E.D. Ky.
    2018). However, the McCarran-Ferguson Act (
    15 U.S.C. § 1011
     et seq. (2018)) created an
    exception to this rule with respect to state laws that regulate the “business of insurance.”
    Milliman, Inc., 353 F. Supp. 3d at 600-01. The trial courts here asked the parties to address the
    implications, if any, of the McCarran-Ferguson Act to these cases. Neither party argued that
    - 19 -
    the McCarran-Ferguson Act applied, so the courts did not further address the issue. State Farm
    briefly mentions the McCarran-Ferguson Act in its brief but does not fully develop the issue.
    Nevertheless, we find it appropriate to briefly discuss this matter.
    ¶ 67       The McCarran-Ferguson Act provides, in relevant part, that “[n]o Act of Congress shall be
    construed to invalidate, impair, or supersede any law enacted by any State for the purpose of
    regulating the business of insurance, or which imposes a fee or tax upon such business, unless
    such Act specifically relates to the business of insurance.” 
    15 U.S.C. § 1012
    (b) (2018). “[T]he
    McCarran-Ferguson Act gives rise to the doctrine of ‘reverse preemption,’ which, if applicable,
    can cause state insurance laws to trump federal laws that interfere with them.” Western
    Insurance Co. v. A&H Insurance, Inc., 
    784 F.3d 725
    , 727 (10th Cir. 2015). Under the statute,
    a state law will reverse preempt a federal law if (1) the federal statute does not specifically
    relate to the business of insurance, (2) the state statute was enacted for the purpose of regulating
    the business of insurance, and (3) the federal statute would invalidate, impair, or supersede the
    state statute. United States v. Rhode Island Insurers’ Insolvency Fund, 
    80 F.3d 616
    , 619 (1st
    Cir. 1996). Ultimately, we conclude that the McCarran-Ferguson Act does not compel reverse
    preemption in this case because HIPAA does not invalidate, impair, or supersede any state
    insurance law or regulation cited by State Farm.
    ¶ 68       The United States Supreme Court has stated that “invalidate” means “to render ineffective,
    generally without providing a replacement rule or law” and that “supersede” means “to
    displace (and thus render ineffective) while providing a substitute rule.” (Internal quotation
    marks omitted.) Humana Inc. v. Forsyth, 
    525 U.S. 299
    , 307 (1999). “To impair” for purposes
    of the McCarran-Ferguson Act means to “frustrate any declared state policy” or “interfere with
    a State’s administrative regime.” Humana Inc., 
    525 U.S. at 310
    . As noted above, nothing in
    any Illinois statute or regulation State Farm cites requires the retention of PHI or its use for
    any particular purpose. Thus, the HIPAA qualified protective orders entered in this case do not
    “invalidate, impair, or supersede” the Illinois statutes and regulations State Farm cites. As such,
    we conclude that the doctrine of reverse preemption does not apply here.
    ¶ 69                            F. Alternative Methods of Disclosing PHI
    ¶ 70       Alternatively, State Farm argues that the Privacy Rule did not require the trial courts to
    enter the HIPAA qualified protective orders proposed by plaintiffs to the exclusion of other
    authorized means of permitted disclosure of PHI. State Farm notes, for instance, that the
    Privacy Rule permits the disclosure of PHI “[i]n response to an order of a court.” 
    45 C.F.R. § 164.512
    (e)(1)(i) (2018). According to State Farm, “[n]othing in this section [(of the Privacy
    Rule)] says that the ‘order of the court’ can only be a qualified protective order.” State Farm
    also notes that, absent a court order, the Privacy Rule allows the disclosure of PHI “[i]n
    response to a subpoena, discovery request, or other lawful process,” provided that the party
    seeking the information either notifies the individual whose information is requested or makes
    a “reasonable effort[ ]” to secure a qualified protective order. 
    45 C.F.R. § 164.512
    (e)(1)(ii)
    (2018). State Farm points out that, of the authorized means of disclosure, only a HIPAA
    qualified protective order carries the restrictions that prohibit the use of PHI outside litigation
    and require the return of PHI to the covered entity or its destruction at the end of the litigation.
    See 
    45 C.F.R. § 164.512
    (e)(1)(v) (2018). State Farm therefore argues that the trial courts erred
    in rejecting any alternative to plaintiffs’ proposed protective orders. Although we agree that
    the Privacy Rule provides several different methods by which a covered entity may disclose
    - 20 -
    PHI in the course of a judicial proceeding, neither plaintiffs nor State Farm sought the
    disclosure of PHI by any means other than a protective order. Plaintiffs’ motions referenced
    HIPAA and the Privacy Rule, and they proposed the HIPAA qualified protective order, which
    expressly cites the restrictions set forth in section 164.512(e)(1)(v) of the Privacy Rule (
    45 C.F.R. § 164.512
    (e)(1)(v) (2018)). Likewise, in its objections to plaintiffs’ motions, State Farm
    proposed the Cook County protective order. The record reflects that the trial courts considered
    and ruled on this issue. Given these circumstances, we find that the trial courts did not err in
    declining to consider an alternate authorized method of disclosing PHI.
    ¶ 71                                       IV. CONCLUSION
    ¶ 72      For the reasons set forth above, we affirm the judgment of the circuit court of Lake County.
    ¶ 73      Affirmed.
    - 21 -