Chicago Sun-Times v. Cook County Health and Hospital System , 2022 IL 127519 ( 2022 )


Menu:
  •                                      
    2022 IL 127519
    IN THE
    SUPREME COURT
    OF
    THE STATE OF ILLINOIS
    (Docket No. 127519)
    CHICAGO SUN-TIMES, Appellee v. COOK COUNTY HEALTH
    AND HOSPITALS SYSTEM, Appellant.
    Opinion filed November 30, 2022.
    JUSTICE MICHAEL J. BURKE delivered the judgment of the court, with
    opinion.
    Justices Anne M. Burke, Neville, Overstreet, Carter, and Holder White
    concurred in the judgment and opinion.
    Chief Justice Theis dissented, with opinion.
    OPINION
    ¶1      Plaintiff, the Chicago Sun-Times, sent defendant, Cook County Health and
    Hospitals System, a request under the Freedom of Information Act (FOIA) (5 ILCS
    140/1 et seq. (West 2018)) for information about gunshot wound patients who
    arrive at defendant’s emergency rooms unaccompanied by law enforcement.
    Plaintiff was investigating whether defendant was meeting a requirement to notify
    local law enforcement when so-called “walk-in” gunshot wound patients are
    treated. 20 ILCS 2630/3.2 (West 2018). Plaintiff asked for the “time/date” of each
    relevant hospital admission and the corresponding “time/date” of law enforcement
    notification.
    ¶2       Defendant asserted two FOIA exemptions and withheld the records, claiming
    they contained (1) personal health information prohibited from disclosure by the
    Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. No. 104-
    191, 
    110 Stat. 1936
     (1996) (codified as amended in scattered sections of Titles 18,
    26, 29, and 42 of the United States Code); 5 ILCS 140/7(1)(a) (West 2018)) and
    (2) private information barred from disclosure under FOIA (5 ILCS 140/7(1)(b)
    (West 2018)).
    ¶3       Plaintiff initiated a FOIA enforcement action, arguing that the year listed on
    each record was discoverable, even if the time of day, day of month, and month
    were not. 
    Id.
     § 11(a). The Cook County circuit court ruled for defendant on the
    parties’ cross-motions for summary judgment. The appellate court reversed,
    holding that HIPAA and FOIA permitted the release of the year elements of the
    records as long as the individual identifying information was redacted, or “de-
    identified” to maintain patient confidentiality. 
    2021 IL App (1st) 192551
    .
    ¶4       The issue presented is whether the year of each walk-in gunshot wound patient
    admission and the year of the corresponding law enforcement notification of each
    admission are exempt from disclosure under section 7(1)(a), which incorporates
    privacy laws such as HIPAA, or section 7(1)(b), which prohibits the disclosure of
    private information, including medical records. In light of the narrow scope of
    plaintiff’s request, we hold that the responsive information is not exempt from
    disclosure under the two exemptions addressed in the parties’ cross-motions for
    summary judgment. We affirm the appellate court’s judgment, reverse the circuit
    court’s judgment, and remand the cause for further proceedings.
    ¶5                                  I. BACKGROUND
    ¶6      On September 10, 2018, plaintiff requested the following information at issue:
    -2-
    “Without providing identifying patient information, we seek the time/date
    of admission of patients seeking treatment for gunshot wounds through
    [defendant] between Jan. 1, 2015 through the present day who were not been
    [sic] accompanied by a law enforcement officer at the time of their admission
    as well as the corresponding time/date that law enforcement officials were
    notified of the patients’ admission as required by state statue [sic] (20 ILCS
    2630/3.2).”
    ¶7      On October 26, 2018, Deborah Fortier, defendant’s FOIA officer, answered the
    request in relevant part as follows:
    “According to Trauma administration, there is a trauma registry that logs
    arrival information of all trauma patients not just walk in gunshot patients,
    however that log is identifiable private patient health/medical information that
    is protected from release by medical privacy laws and regulations, including
    but not limited to HIPAA. Further, there is no independent written record of
    patient information that simply tracks times/dates of walk in gunshot patients
    and reporting; so, there is no existing document that is responsive to your
    request. Respectfully, [defendant] is not required under the FOIA to create a
    document that is not kept in the regular course of business in order to respond
    to your request. Further, it would be improper and a violation of state and
    federal medical privacy laws, including but not limited to HIPAA, for
    [defendant] to release the specific arrival times and dates and reporting dates of
    individual walk in gunshot patients, as this could allow for patient
    identification. This patient information, which is individual protected patient
    health/medical information, is therefore exempt from public release under
    Sections 2(c-5) and 7(1)(a) of the FOIA. This would also include where arrival
    times and dates and date of any reporting would be entered into individual
    patient medical records; medical records are not public records and are private
    records per se under Section 2(c-5) of the FOIA. In fact, it would be a violation
    of medical privacy laws, for [defendant’s] staff to review or even access patient
    medical information to respond to a FOIA request, as responding to a public
    records request is not a lawful purpose to access patient medical information.”
    ¶8      On November 21, 2018, plaintiff filed a complaint alleging defendant
    improperly withheld the information. Plaintiff sought, inter alia, an order requiring
    -3-
    defendant to produce the requested records and enjoining defendant from
    withholding public records that are not exempt under FOIA.
    ¶9         The parties filed cross-motions for summary judgment on the issue of whether
    the information concerning the timing of walk-in patient admission and police
    notification was exempt from disclosure under section 7 of FOIA. Defendant
    attached to its motion the affidavit of Fortier, who averred that John H. Stroger Jr.
    Hospital of Cook County (Stroger Hospital) was the only entity that possessed
    records that were potentially responsive to plaintiff’s request.
    ¶ 10       Defendant also attached the affidavit of Justin Mis, Stroger Hospital’s trauma
    coordinator. Mis averred that the electronic trauma registry at Stroger Hospital
    contains entries for each patient arriving at the hospital. Each entry includes the
    patient’s name, date and time of arrival, medical record number, and the patient’s
    chief complaint. Mis conceded that he could generate a report listing only the
    mechanism of injury, such as gunshot wound, and the patient’s time of arrival in
    the emergency department. However, the report would not state whether the patient
    was accompanied by a law enforcement officer or when law enforcement was
    notified, if at all. To determine which patients were unaccompanied, Mis would
    need to cross-reference the report with the “patient access log.” The log shows the
    time and date a law enforcement officer requested access to a patient, but it would
    not indicate whether the request was prompted by hospital notification. Ultimately,
    Mis would need to access the medical record of each gunshot wound patient to
    determine whether he or she arrived at Stroger Hospital with law enforcement or if
    law enforcement was notified of the admission.
    ¶ 11       Fortier averred that the trauma registry and the patient access log contained
    protected health information as defined by HIPAA. Fortier claimed defendant could
    not remove enough identifying information from the trauma registry and the patient
    access log to fulfill the FOIA request and still comply with HIPAA. Further, Fortier
    averred that the responsive records constituted medical records that are protected
    from disclosure under Illinois law.
    ¶ 12       Plaintiff argued in its summary judgment motion that FOIA permitted
    disclosure of the requested information in a de-identified report. Specifically,
    plaintiff argued HIPAA permits the disclosure of the year of treatment and year of
    -4-
    law enforcement notification. Plaintiff conceded that HIPAA bars disclosure of
    other elements of a date field, such as time of day, day of month, or month.
    ¶ 13       On November 15, 2019, the circuit court entered summary judgment for
    defendant. The court stated that, because the year identifier was part of a medical
    record, it was exempt from disclosure under section 7(1)(b) of FOIA. The court
    explained that, without case law expressly permitting the redaction of medical
    records for FOIA purposes, the responsive information was not improperly
    withheld.
    ¶ 14       The appellate court reversed the summary judgment and remanded for further
    proceedings. 
    2021 IL App (1st) 192551
    , ¶ 29. The court determined that plaintiff
    had not forfeited review by revising its request at the summary judgment stage. Id.
    ¶ 15. Plaintiff initially requested “time/date” information, but plaintiff’s summary
    judgment motion conceded that just the year element was releasable. The court
    observed that “narrowing of the request reflects an implicit concession by [plaintiff]
    that it was not entitled to the more specific date and time information.” Id.
    ¶ 15       The appellate court held section 7(1)(a) of FOIA did not exempt the year of
    patient admission and police notification in gunshot-wound cases because the year
    element, alone, does not convey identifying information. Id. ¶ 19 (citing 
    45 C.F.R. § 164.514
    (b)(2)(i)(A)-(C), (G), (H) (2018)). The court held that removing
    individual identifiers would de-identify the information in compliance with
    HIPAA. 
    Id.
    ¶ 16       Considering the sheer number of gunshot-wound patients treated at Stroger
    Hospital during the relevant time period, the court also rejected defendant’s claim
    that it had “ ‘actual knowledge that the information could be used alone or in
    combination with other information to identify an individual who is a subject of the
    information.’ ” Id. ¶ 20 (quoting 
    45 C.F.R. § 164.514
    (b)(2)(ii) (2018)).
    ¶ 17       The appellate court separately held that the year information was not exempt
    under section 7(1)(b) of FOIA, which prohibits the disclosure of “private
    information,” including “medical records.” 
    Id.
     ¶ 25 (citing 5 ILCS 140/2(c-5) (West
    2018)). Noting that FOIA does not define “medical records,” the court declined to
    adopt the definition set forth in the Illinois Administrative Code, instead relying on
    the plain and ordinary meaning of the words. 
    Id.
     (citing 77 Ill. Adm. Code
    -5-
    250.1510(b)(2)(A) (2019)). The dictionary definition of “medical record” is
    “ ‘documents that compose a medical patient’s healthcare history.’ ” 
    Id.
     (quoting
    Black’s Law Dictionary (11th ed. 2019)). The court concluded that, “[w]hile the
    year of a patient’s hospital admission may be found in a patient’s medical record,
    it, standing alone, is not a medical record under this definition.” (Emphasis in
    original.) 
    Id.
    ¶ 18        Defendant filed a petition for leave to appeal, which we allowed pursuant to
    Illinois Supreme Court Rule 315 (eff. Oct. 1, 2020).
    ¶ 19                                            II. ANALYSIS
    ¶ 20       On appeal, defendant renews its arguments that (1) HIPAA prohibits covered
    entities from using and disclosing their patients’ private health information to
    comply with a FOIA request and (2) the responsive records, even with the unique
    identifiers redacted, constitute “medical records” that FOIA categorically exempts
    from disclosure.
    ¶ 21       Defendant alternatively argues that complying with the FOIA request would be
    unduly burdensome. Fortier’s response alluded to the impracticality of processing
    the records, but the parties did not raise the issue in their cross-motions for summary
    judgment, and the issue was not addressed by the lower courts.
    ¶ 22       Plaintiff contends that the appellate court’s judgment should be affirmed
    because plaintiff seeks only the year element of the date field from the records. 1
    For the following reasons, we agree with plaintiff that defendant can de-identify the
    records and comply with the request without violating HIPAA’s privacy rule or
    FOIA’s prohibition against disclosing medical records. We do not reach the
    question of whether the request was unduly burdensome.
    1
    Although defendant criticizes plaintiff’s FOIA request as “reformulated after the fact and
    during the pendency of litigation,” the parties have adopted plaintiff’s interpretation of “time/date”
    to mean “year.” We consider the issues, as presented by the parties, in terms of whether the year
    element is releasable.
    -6-
    ¶ 23                                  A. Summary Judgment
    ¶ 24      This appeal arises from the parties’ cross-motions for summary judgment.
    “[S]ummary judgment should be granted only where the pleadings, depositions,
    admissions and affidavits on file, when viewed in the light most favorable to
    the nonmoving party, show that there is no genuine issue as to any material fact
    and that the moving party is clearly entitled to judgment as a matter of law.”
    Pielet v. Pielet, 
    2012 IL 112064
    , ¶ 29.
    See 735 ILCS 5/2-1005 (West 2018). “When parties file cross-motions for
    summary judgment, they mutually agree that there are no genuine issues of material
    fact and that only a question of law is involved.” Jones v. Municipal Employees’
    Annuity & Benefit Fund, 
    2016 IL 119618
    , ¶ 26. We review summary judgment
    de novo. Pielet, 
    2012 IL 112064
    , ¶ 30. De novo review also applies to our
    interpretation of FOIA and HIPAA. In re Appointment of Special Prosecutor, 
    2019 IL 122949
    , ¶ 22 (issues of statutory construction present questions of law that we
    review de novo).
    ¶ 25                                B. Statutory Interpretation
    ¶ 26       The objective of statutory interpretation is to ascertain and give effect to the
    legislature’s intent, and the most reliable indicator of that intent is the language of
    the statute, given its plain and ordinary meaning. Id. ¶ 23. The General Assembly
    has declared FOIA’s underlying public policy to be that “all persons are entitled to
    full and complete information regarding the affairs of government and the official
    acts and policies of those who represent them as public officials and public
    employees consistent with the terms of this Act.” 5 ILCS 140/1 (West 2018). “It is
    a fundamental obligation of government to operate openly and provide public
    records as expediently and efficiently as possible in compliance with this Act.” Id.
    ¶ 27       This clear expression of legislative intent means that public records are
    presumed to be open and accessible. Special Prosecutor, 
    2019 IL 122949
    , ¶ 25.
    FOIA should be construed liberally to achieve the goal of providing the public with
    easy access to government information. 
    Id.
    -7-
    ¶ 28       FOIA prescribes rules to ensure governmental compliance, including requiring
    a prompt response to a request for inspection or a copy of documents: “[e]ach public
    body shall, promptly, either comply with or deny a request for public records within
    5 business days after its receipt of the request, unless the time for response is
    properly extended.” 5 ILCS 140/3(d) (West 2018). When a person has been denied
    access to a public record, he “may file suit for injunctive or declaratory relief” and
    may seek attorney fees and civil penalties from the public body. 
    Id.
     § 11(a), (i), (j).
    The circuit court is vested with “jurisdiction to enjoin the public body from
    withholding public records and to order the production of any public records
    improperly withheld from the person seeking access.” Id. § 11(d); Special
    Prosecutor, 
    2019 IL 122949
    , ¶ 57.
    ¶ 29       However, a public body may withhold information that is exempt from
    disclosure. 5 ILCS 140/7 (West 2018). A public body claiming an exemption bears
    the burden of proving by clear and convincing evidence that the requested
    information is exempt. 
    Id.
     § 1.2. When a request is made to inspect or copy a public
    record that contains information that is exempt from disclosure under section 7 but
    also contains information that is not exempt, the public body may elect to redact
    the information that is exempt. Id. § 7(1). In that case, the public body shall make
    the remaining information available for inspection and copying. Id.
    ¶ 30       Defendant asserted two exemptions, claiming (1) HIPAA prohibits the use and
    disclosure of the information and (2) the information is “private information” under
    FOIA. Id. § 7(1)(a), (b). Plaintiff responds that defendant can comply with HIPAA
    and FOIA by redacting the exempt information from the medical records while
    making the requested information available.
    ¶ 31                                     1. Section 7(1)(a)
    ¶ 32      The first exemption cited by defendant exposes tension between two strong
    public policies: FOIA’s promotion of the open disclosure of government records
    and HIPAA’s protection of private health information. Defendant claims that
    “answering a public records request *** is not a permitted use under HIPAA.” But
    when statutes potentially conflict, they must be construed in harmony with one
    another if reasonably possible. Knolls Condominium Ass’n v. Harms, 202 Ill. 2d
    -8-
    450, 458-59 (2002). The two statutory schemes can be reconciled in this case to
    facilitate the disclosure of government records while protecting patient privacy.
    ¶ 33       FOIA exempts “[i]nformation specifically prohibited from disclosure by federal
    or State law or rules and regulations implementing federal or State law.” 5 ILCS
    140/7(1)(a) (West 2018). Defendant asserts that HIPAA, a federal law, specifically
    prohibits the disclosure of the year of admission of each walk-in gunshot wound
    patient and the year of each corresponding law enforcement notification.
    ¶ 34       HIPAA’s privacy rule prohibits the “use or disclosure” of an individual’s
    personal health information by a covered entity, like defendant, unless the
    individual has consented in writing or unless the use or disclosure is otherwise
    specifically permitted or required by the privacy rule. 
    45 C.F.R. §§ 164.502
    ,
    164.506, 164.508, 164.510, 164.512 (2018). HIPAA defines “protected health
    information,” as all “individually identifiable health information” kept by a covered
    entity that is transmitted or maintained in any form or medium, including electronic
    media. 
    Id.
     § 160.103. “Individually identifiable health information” includes
    demographic information collected from an individual that
    “(1) Is created or received by a health care provider, health plan, employer,
    or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental health or
    condition of an individual; the provision of health care to an individual; or the
    past, present, or future payment for the provision of health care to an individual;
    and
    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe the
    information can be used to identify the individual.” Id.
    ¶ 35       The parties correctly agree the responsive records contain protected health
    information, but defendant argues, “[r]eviewing medical records in response to a
    FOIA request is not a permitted use of protected health information.” To determine
    whether a public body can comply with the FOIA request without violating HIPAA,
    we must consider how the public body would use the protected health information
    to process the request. Here, Fortier, defendant’s FOIA officer, and Mis, Stroger
    -9-
    Hospital’s trauma administrator, described defendant’s record keeping. The records
    containing the requested information could be sorted in two databases: the trauma
    registry, which records each patient’s arrival at Stroger Hospital, and the patient
    access log, which shows the time and date a law enforcement officer requested
    access to a patient. From these databases, defendant could generate a report
    showing the arrival times of gunshot wound patients and the corresponding times
    that law enforcement asked to see the patient. But defendant would need to examine
    the medical record of each patient on the list to ascertain whether law enforcement’s
    request for access to a patient was prompted by the hospital’s notification.
    ¶ 36       The data processing described by Fortier and Mis qualifies as “use” of
    individually identifiable health information under HIPAA. Id. (“Use means, with
    respect to individually identifiable health information, the sharing, employment,
    application, utilization, examination, or analysis of such information within an
    entity that maintains such information.”). However, HIPAA expressly states that a
    covered entity may use protected health information to create de-identified
    information for use by a person other than the covered entity: “[a] covered entity
    may use protected health information to create information that is not individually
    identifiable health information or disclose protected health information only to a
    business associate for such purpose, whether or not the de-identified information is
    to be used by the covered entity.” Id. § 164.502(d)(1).
    ¶ 37       Health information, once de-identified, no longer meets the standard of
    individually identifiable health information subject to HIPAA’s protection. Id.
    § 164.514(a) (“Health information that does not identify an individual and with
    respect to which there is no reasonable basis to believe that the information can be
    used to identify an individual is not individually identifiable health information.”).
    And HIPAA contains an implementation specification to facilitate de-
    identification. A covered entity may determine that health information is not
    individually identifiable health information if (1) the covered entity does not have
    actual knowledge that the information could be used alone or in combination with
    other information to identify an individual who is a subject of the information (id.
    § 164.514(b)(2)(ii)) and (2) the following identifiers are removed:
    “(A) Names;
    - 10 -
    (B) All geographic subdivisions smaller than a State, including street
    address, city, county, precinct, zip code, and their equivalent geocodes, except
    for the initial three digits of a zip code if, according to the current publicly
    available data from the Bureau of the Census:
    (1) The geographic unit formed by combining all zip codes with the
    same three initial digits contains more than 20,000 people; and
    (2) The initial three digits of a zip code for all such geographic units
    containing 20,000 or fewer people is changed to 000.
    (C) All elements of dates (except year) for dates directly related to an
    individual, including birth date, admission date, discharge date, date of death;
    and all ages over 89 and all elements of dates (including year) indicative of such
    age, except that such ages and elements may be aggregated into a single
    category of age 90 or older;
    (D) Telephone numbers;
    (E) Fax numbers;
    (F) Electronic mail addresses;
    (G) Social security numbers;
    (H) Medical record numbers;
    (I) Health plan beneficiary numbers;
    (J) Account numbers;
    (K) Certificate/license numbers;
    (L) Vehicle identifiers and serial numbers, including license plate numbers;
    (M) Device identifiers and serial numbers;
    (N) Web Universal Resource Locators (URLs);
    (O) Internet Protocol (IP) address numbers;
    - 11 -
    (P) Biometric identifiers, including finger and voice prints;
    (Q) Full face photographic images and any comparable images; and
    (R) Any other unique identifying number, characteristic, or code, except as
    permitted by paragraph (c) of this section[.]” (Emphasis added.) Id.
    § 164.514(b)(2)(i).
    ¶ 38       Section 164.514(b)(2)(i) specifically excludes the year element from the date
    identifiers that must be removed for de-identification. Accordingly, plaintiff
    confined its request to the year elements directly related to the walk-in gunshot
    wound patients involved. Plaintiff specifically asked defendant to withhold
    “identifying patient information” and did not seek any other identifiers that could
    be used to identify an individual.
    ¶ 39       Moreover, there was no evidence that defendant has “actual knowledge that the
    information could be used alone or in combination with other information to
    identify an individual who is a subject of the information.” Id. § 164.514(b)(2)(ii).
    Defendant estimated that Stroger Hospital treated as many as 2000 gunshot wound
    victims during the relevant time period, which diminishes the risk of identifying
    any one individual. The appellate court astutely observed, “[i]t strains credulity to
    imagine that any specific patient could be identified merely by the year they were
    admitted and the year law enforcement was notified of their admission.” 
    2021 IL App (1st) 192551
    , ¶ 20.
    ¶ 40       The de-identification process is a permitted use of protected health information
    under HIPAA (
    45 C.F.R. § 164.502
    (d)(1)) (2018)), and the removal of all the
    enumerated individual identifiers except the year element would meet HIPAA’s de-
    identification requirements for disclosure (id. § 164.514(b)(2)(i)). Under the
    circumstances, we hold that defendant’s use of the patients’ protected health
    information to process plaintiff’s FOIA request would not run afoul of HIPAA’s
    privacy rule because the year element related to each patient admission and police
    notification is not individually identifiable health information. That said, we
    expressly limit our holding to the facts presented, as the exemption could apply to
    a future request involving fewer patients where the year element of a record could
    be used for identification. See id. § 164.514(b)(2)(ii).
    - 12 -
    ¶ 41       Defendant contends King v. Cook County Health & Hospital System, 
    2020 IL App (1st) 190925
    , compels a different result. In King, the FOIA requester asked for
    the zip codes used to create a map of the locations of individuals who had
    previously received mental health services while detained in the Cook County jail.
    Id. ¶ 1. The public body, which coincidentally happens to be defendant in this case,
    asserted section 7(1)(a) as an exemption on the ground that disclosure would violate
    the Mental Health and Developmental Disabilities Confidentiality Act
    (Confidentiality Act) (740 ILCS 110/1 et seq. (West 2016)), which incorporates
    HIPAA regulations by reference. King, 
    2020 IL App (1st) 190925
    , ¶ 28 (citing 
    45 C.F.R. § 164.514
     (2016) and 740 ILCS 110/2 (West 2016)).
    ¶ 42       To determine whether the zip codes were confidential information under the
    Confidentiality Act, the Appellate Court, First District, examined HIPAA and its
    pertinent regulations. Id. ¶ 27. The court held that the individuals’ zip code
    information was protected health information but could be released after de-
    identification. Id. ¶ 28.
    ¶ 43       Defendant contends that HIPAA permitted the release of the redacted zip codes
    in King “[b]ecause the information had been collected for an authorized use, and
    the use was for a legitimate transaction of public business.” Defendant contrasts
    King with this case, where defendant claims the necessary redactions would be a
    misuse of protected health information under HIPAA. Defendant is mistaken.
    ¶ 44        In King, the redacted zip codes were releasable because they had been de-
    identified according to the implementation specifications set forth in section
    164.514(b)(2)(i)(B) of HIPAA (
    45 C.F.R. § 164.514
    (b)(2)(i)(B) (2018)). King,
    
    2020 IL App (1st) 190925
    , ¶ 31 (“HIPAA regulations provide that a covered entity
    may determine that private health information is not individually identifiable only
    if the last three digits of a zip code are removed, where the geographic unit formed
    by combining all the zip codes with the same three initial digits contains more than
    20,000 people”). Like the redacted zip codes in King, the year elements in this case
    are not individually identifiable health information if properly de-identified,
    regardless of how the public body previously used the information. 
    45 C.F.R. § 164.502
    (d)(1) (2018) (“A covered entity may use protected health information to
    create information that is not individually identifiable health information or
    disclose protected health information only to a business associate for such purpose,
    - 13 -
    whether or not the de-identified information is to be used by the covered entity.”).
    ¶ 45                                     2. Section 7(1)(b)
    ¶ 46       Defendant also asserts the responsive records are exempt because they contain
    “[p]rivate information,” where disclosure is not required by another provision of
    FOIA, a state or federal law, or a court order. 5 ILCS 140/7(1)(b) (West 2018).
    “ ‘Private information’ means unique identifiers, including a person’s social
    security number, driver’s license number, employee identification number,
    biometric identifiers, personal financial information, passwords or other access
    codes, medical records, home or personal telephone numbers, and personal
    email addresses. Private information also includes home address and personal
    license plates, except as otherwise provided by law or when compiled without
    possibility of attribution to any person.” (Emphasis added.) 
    Id.
     § 2(c-5).
    ¶ 47       Defendant argues, without citation of authority, “the entirety of a ‘medical
    record’—not merely certain discrete information found in such a record—is exempt
    from disclosure.” We disagree. The year element is not “private information” under
    FOIA and so is not exempt under section 7(1)(b).
    ¶ 48        Defendant cites provisions in the Medical Rights Act (410 ILCS 50/3(d) (West
    2018)), the Managed Care Reform and Patient Rights Act (215 ILCS 134/5(a)(4)
    (West 2018)), and the Hospital Licensing Act (210 ILCS 85/6.17(d) (West 2018))
    for the proposition that “individuals have a right to an expectation of privacy related
    to their medical information.” These statutory schemes define “medical records,”
    but FOIA, which is the operative statute in this case, does not. So, we adopt the
    approach taken by the appellate court, which is to resort to the plain and ordinary
    meaning of the term. Special Prosecutor, 
    2019 IL 122949
    , ¶ 23.
    ¶ 49       Defendant concedes that the plain and ordinary meaning of “medical records”
    is “[t]he documents that compose a medical patient’s healthcare history.” Black’s
    Law Dictionary 1177 (11th ed. 2019). Although the year element requested by
    plaintiff is found in medical records, the year element by itself, stripped of context,
    is not a document of a patient’s healthcare history.
    - 14 -
    ¶ 50       Defendant argues that, even if maintaining patient anonymity permits
    disclosure of the year element, the process of matching the year of patient
    admission to the year of police notification would require “some form of personally
    identifiable information such as the medical record number.” Processing the FOIA
    request might involve accessing medical records, including their reference
    numbers, to match the year of patient admission to the year of law enforcement
    notification. But section 7(1)(b) of FOIA prohibits the disclosure, not the use, of
    medical records. Theoretically, defendant can use the medical record numbers to
    match the year elements of patient admission and law enforcement notification and
    then renumber the matched records before turning them over to plaintiff.
    ¶ 51       Defendant concludes that the exemption for medical records would be rendered
    superfluous if a public body could simply redact personally identifying information
    and release the rest of the record. However, the exemption for private information
    under section 7(1)(b) plainly covers “unique identifiers,” which confirms that the
    removal of uniquely identifying information from a patient’s healthcare history
    renders the remainder of the document releasable. Adopting defendant’s broad
    interpretation that “medical records” are exempt in their entirety would potentially
    shield from disclosure all information concerning patient care undertaken by a
    public body.
    ¶ 52                                 3. Unduly Burdensome
    ¶ 53       Defendant alternatively argues that, even if the year element of the responsive
    records is not exempt from disclosure, the information was not withheld
    improperly. Defendant asserts the steps for processing the request, including the
    de-identification of the records, would be unduly burdensome under section 3(g) of
    FOIA. 5 ILCS 140/3(g) (West 2018). Defendant adds that plaintiff’s
    “reformulation” of the request at the summary judgment stage would make
    compliance even more burdensome.
    ¶ 54      Section 3(g) provides,
    “[r]equests calling for all records falling within a category shall be complied
    with unless compliance with the request would be unduly burdensome for the
    - 15 -
    complying public body and there is no way to narrow the request and the burden
    on the public body outweighs the public interest in the information.” 
    Id.
    Plaintiff’s request for information about walk-in gunshot wound patients concerns
    a distinct category of records, so section 3(g) potentially applies.
    ¶ 55        Plaintiff responds that defendant has failed to preserve the issue for review. See,
    e.g., Lazenby v. Mark’s Construction, Inc., 
    236 Ill. 2d 83
    , 92 (2010) (the failure to
    raise an issue in the circuit court or appellate court results in forfeiture). Plaintiff
    claims defendant was required to invoke section 3(g) as an affirmative defense and
    in its motion for summary judgment, or risk forfeiture. Plaintiff does not develop
    its forfeiture argument besides asserting “this court need not address the merits of
    [defendant’s] burden claim because it failed to properly raise the issue below.” We
    decline to advocate for plaintiff on the potentially complex issue of what measures
    a public body must take to preserve the unduly burdensome defense under FOIA.
    People ex rel. Illinois Department of Labor v. E.R.H. Enterprises, Inc., 
    2013 IL 115106
    , ¶ 56 (“a reviewing court is not simply a depository into which a party may
    dump the burden of argument and research”).
    ¶ 56       Setting forfeiture aside, this action’s procedural posture illustrates why
    weighing the evidence on the burdens associated with processing the request would
    be premature at this point. Cross-motions for summary judgment, like those filed
    in this case, ordinarily signify the parties’ mutual agreement that there are no
    genuine issues of material fact and that only a question of law remains. Jones, 
    2016 IL 119618
    , ¶ 26. However, defendant did not invoke section 3(g) in its motion for
    summary judgment, which was perhaps a tacit acknowledgment that a question of
    fact exists about whether processing the request would be unduly burdensome. The
    record contains some evidence, but the lower courts did not reach the issue because
    the parties have focused on the two exemptions concerning HIPAA and medical
    records.
    ¶ 57       Because the litigation did not progress beyond the summary judgment stage, we
    confine our review to the summary judgment entered for defendant and decline to
    delve into the factual question of the burdens associated with processing the
    request. That said, the circuit court is free to address the procedural and substantive
    issues surrounding the unduly burdensome nature of the request if defendant asserts
    - 16 -
    section 3(g) on remand. We emphasize that we express no opinion on the matter.
    ¶ 58                                   III. CONCLUSION
    ¶ 59       The parties disputed in their cross-motions for summary judgment whether two
    exemptions authorized defendant to withhold the year of admission for walk-in
    gunshot wound patients and the corresponding year of police notification from
    January 1, 2015, through September 10, 2018. Defendant claims (1) the
    information is prohibited from disclosure under HIPAA and (2) the information is
    “private information” under FOIA. 5 ILCS 140/7(1)(a), (b) (West 2018). We hold
    that the HIPAA regulations and FOIA exemptions cited by defendant do not bar
    the release of the year elements of the responsive records as long as the remaining
    individual identifying information is removed to maintain patient confidentiality.
    We affirm the appellate court judgment, reverse the circuit court judgment, and
    remand the cause to the circuit court for further proceedings consistent with this
    opinion.
    ¶ 60      Appellate court judgment affirmed.
    ¶ 61      Circuit court judgment reversed.
    ¶ 62      Cause remanded.
    ¶ 63      CHIEF JUSTICE THEIS, dissenting:
    ¶ 64       Contrary to how the majority frames it, the issue in this case is not whether the
    year that each walk-in gunshot wound patient was admitted to the hospital and the
    year that law enforcement was notified of the admission are exempt from disclosure
    under the Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)).
    Rather, the issue is whether FOIA requires a public body to review its records to
    piece together information to create a new document in response to a FOIA request.
    FOIA imposes no such requirements on the public body. Therefore, I respectfully
    dissent.
    - 17 -
    ¶ 65       The majority correctly observes that FOIA’s underlying public policy is that
    “all persons are entitled to full and complete information regarding the affairs of
    government and the official acts and policies of those who represent them as public
    officials and public employees consistent with the terms of this Act.” 5 ILCS 140/1
    (West 2018). At the same time, FOIA is not intended to “disrupt the duly-
    undertaken work of any public body independent of the fulfillment of any of the
    fore-mentioned rights of the people to access to information.” 
    Id.
     Further, FOIA
    “is not intended to create an obligation on the part of any public body to
    maintain or prepare any public record which was not maintained or prepared by
    such public body at the time when this Act becomes effective, except as
    otherwise required by applicable local, State or federal law.” 
    Id.
    ¶ 66       As an initial matter, I question whether the request at issue sought public
    records that were subject to production under FOIA. As courts have ruled, a
    “request to inspect or copy must reasonably identify a public record and not general
    data, information, or statistics.” Chicago Tribune Co. v. Department of Financial
    & Professional Regulation, 
    2014 IL App (4th) 130427
    , ¶ 33; see also Kenyon v.
    Garrels, 
    184 Ill. App. 3d 28
    , 32 (1989) (observing that FOIA “does not compel the
    agency to provide answers to questions posed by the inquirer”). Here, as modified
    on appeal, plaintiff’s FOIA request sought the year of
    “admission of patients seeking treatment for gunshot wounds through
    [defendant] between Jan. 1, 2015, through the present day who were not ***
    accompanied by a law enforcement officer at the time of their admission as well
    as the corresponding [year] that law enforcement officials were notified of the
    patients’ admission as required by state statue [sic].”
    This appears to be a request for general information, rather than a request for public
    records under FOIA. 2
    2
    By contrast, plaintiff’s other request (which is not at issue in this appeal) asked the hospital for
    “[w]ritten policy and/or related policy documents, and/or internal memos or communications setting
    policy or providing guidelines, instructions and/or directives to staff in the reporting of patients who
    have suffered gunshot wounds to law enforcement agencies as required by state statute.” The
    hospital provided plaintiff with those policies.
    - 18 -
    ¶ 67       Setting that question aside, the majority notes that the Cook County Health and
    Hospitals System is required to notify local law enforcement when a person who is
    not accompanied by a law enforcement officer arrives for treatment for a gunshot
    wound. 20 ILCS 2630/3.2 (West 2018). The hospital is not, however, required to
    keep a written log of when it notifies law enforcement. See 
    id.
     In response to
    plaintiff’s FOIA request and again in its summary judgment filings, the hospital
    explained that there is no written record that tracks the year a gunshot wound patient
    arrived at the hospital unaccompanied by law enforcement and the year that law
    enforcement was notified. In other words, there is no public record that contains the
    information that plaintiff seeks.
    ¶ 68       Neither plaintiff nor the majority appear to dispute that the hospital does not
    possess the information that plaintiff has requested. See In re Wade, 
    969 F.2d 241
    ,
    246 (7th Cir. 1992) (“Without evidence of bad faith, the veracity of the
    government’s submissions regarding reasons for withholding the documents should
    not be questioned.”). Nonetheless, the majority would require the hospital to comb
    through the medical records of each gunshot wound patient to see whether the
    hospital’s staff included a notation about whether the patient arrived with law
    enforcement or if law enforcement was notified of the admission. According to the
    majority, the hospital can then “use the medical record numbers to match the year
    elements of patient admission and law enforcement notification and then renumber
    the matched records before turning them over to plaintiff.” Supra ¶ 50. This
    presumably would require the hospital to create a chart that includes a reference
    number for the patient and the years of patient admission and law enforcement
    notification.
    ¶ 69       The majority would impose these requirements even though FOIA “is not
    designed to compel the compilation of data the governmental body does not
    ordinarily keep.” Kenyon, 184 Ill. App. 3d at 32. FOIA also does not require a
    public body to generate new records in response to FOIA requests. Martinez v.
    Cook County State’s Attorney’s Office, 
    2018 IL App (1st) 163153
    , ¶ 30; see also
    Hites v. Waubonsee Community College, 
    2016 IL App (2d) 150836
    , ¶ 74
    (distinguishing between performing a search for data on a database that contains
    public records, which is permissible under FOIA, and creating a new record or
    performing research, which is not). And to the extent that the majority would
    require the hospital to produce redacted medical records (see supra ¶ 51), it is not
    - 19 -
    clear to me that a gunshot wound patient’s medical records pertain to the transaction
    of public business. See 5 ILCS 140/2(c) (West 2018) (defining “public records,” in
    part, as all “documentary materials pertaining to the transaction of public business,
    *** having been prepared by or for, or having been or being used by, received by,
    in the possession of, or under the control of any public body”).
    ¶ 70       FOIA does not require a public body to compile information that it does not
    otherwise keep, nor does it require a public body to create a new record in response
    to a FOIA request. Accordingly, I would affirm the trial court’s grant of summary
    judgment in the hospital’s favor. For these reasons, I respectfully dissent.
    - 20 -