eCases

• 2021 IL 125918

  IN THE
  SUPREME COURT
  OF
  THE STATE OF ILLINOIS
  (Docket No. 125918)
  ROSEMARIE HAAGE, Appellee, v. ALFONSO MONTIEL ZAVALA et al.
  (State Farm Mutual Automobile Insurance Company, Appellant).
  Opinion filed September 23, 2021.
  JUSTICE NEVILLE delivered the judgment of the court, with opinion.
  Chief Justice Anne M. Burke and Justices Garman, Theis, Michael J. Burke,
  Overstreet, and Carter concurred in the judgment and opinion.
  OPINION
  ¶1       In each of two automobile personal injury actions, plaintiffs moved for entry of
  a qualified protective order (QPO) pursuant to the Health Insurance Portability and
  Accountability Act (HIPAA) (Pub. L. No. 104-191, 

  110 Stat. 1936

   (1996) (codified
  as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States
  Code)) and its implementing regulations (45 C.F.R. pts. 160, 164 (2018))
  (hereinafter Privacy Rule). Plaintiffs’ proposed QPOs would allow protected health
  information (PHI) to be released, but subject to the following restrictions:
  (1) nonlitigation use or disclosure of PHI is prohibited and (2) PHI must be returned
  or destroyed at the conclusion of the litigation. See 

  45 C.F.R. § 164.512

  (e)(1)(v)
  (2018). State Farm Mutual Automobile Insurance Company (State Farm), the
  liability insurer for the named defendants, intervened in each lawsuit and sought
  entry of its own protective order, which expressly allowed insurance companies to
  use, disclose, and maintain PHI for purposes beyond the litigation and expressly
  exempted insurers from the “return or destroy” requirement.
  ¶2       In both cases the circuit court of Lake County granted plaintiffs’ motions,
  entered their QPOs, and denied State Farm’s motions. State Farm filed an
  interlocutory appeal in each case. Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The
  appellate court consolidated the two cases and affirmed. 

  2020 IL App (2d) 190499

  .
  ¶3       State Farm petitioned this court for leave to appeal as a matter of right (Ill. S.
  Ct. R. 317 (eff. July 1, 2017)) or, alternatively, as a matter of discretion (Ill. S. Ct.
  R. 315 (eff. Oct. 1, 2019)). We granted State Farm leave to appeal. For the
  following reasons, we now affirm the judgment of the appellate court and remand
  the cases to the trial court for further proceedings.
  ¶4                                    I. BACKGROUND
  ¶5                                 A. Underlying Complaints
  ¶6       In November 2017, plaintiff Rosemarie Haage filed a multicount complaint
  (No. 17-L-897) against defendants Alfonso Montiel Zavala, Patricia Santiago, Jose
  Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez. Haage sought to recover
  damages for bodily injuries sustained in a multiple-vehicle collision near the
  intersection of Lakeview Parkway and Route 60 in Vernon Hills.
  ¶7       In January 2018, plaintiffs Agnieszka Surlock and Edward Surlock filed a two-
  count complaint (No. 18-L-39) against defendant Dragoslav Starcevic. The Surlock
  plaintiffs sought damages for Agnieszka’s bodily injuries and Edward’s loss of
  consortium as a result of a collision between an automobile driven by Agnieszka
  and an automobile driven by Starcevic at the intersection of Grand Avenue and
  -2-
  Route 45 in Lindenhurst.
  ¶8                                B. Plaintiffs’ Motions for QPOs
  ¶9         In August 2018, plaintiffs, represented by the same attorney, filed nearly
  identical motions for QPOs allowing the disclosure of protected health information
  in their respective lawsuits. HIPAA’s privacy standards are known collectively as
  the “Privacy Rule.” Deborah F. Buckman, Annotation, Validity, Construction, and
  Application of Health Insurance Portability and Accountability Act of 1996
  (HIPAA) and Regulations Promulgated Thereunder, 

  194 A.L.R. Fed. 133

  , 148
  (2004). The Privacy Rule is codified at parts 160 and 164 of Title 42 of the Code
  of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).
  ¶ 10       Plaintiffs’ QPO motions alleged as follows. First, the treating physicians,
  hospitals, and other health care providers for Haage and Agnieszka are subject to
  the Privacy Rule. Second, these covered entities possess their PHI in the form of
  medical records. Third, both the plaintiffs and the defendants in each case “will
  require that the parties, their attorneys, their attorneys’ agents, consultants and
  various witnesses and other personnel receive and review copies of the [PHI]”
  pertaining to Haage and Agnieszka. Fourth, HIPAA potentially prohibits covered
  entities from disclosing PHI in judicial proceedings other than by an authorization
  or QPO.
  ¶ 11       Therefore, plaintiffs submitted HIPAA QPOs that permit the use and disclosure
  of the PHI of Haage and Agnieszka. Relevant here, the proffered QPOs found that
  

  45 C.F.R. § 164.512

  (e)(1)(v)(A), (B) (2018) requires the following two obligations.
  Paragraph 9 of the proposed QPOs finds that it is necessary to “[p]rohibit the parties
  and any other persons or entities from using or disclosing the PHI for any purpose
  other than the litigation or proceeding for which it was requested.” Paragraph 10 of
  the proposed QPOs finds that it is necessary to “[r]equire the return of the PHI to
  the covered entity or the destruction of the information at the end of the litigation
  or proceeding.”
  ¶ 12      Accordingly, each proposed QPO ordered: “The PHI of any party in this lawsuit
  may not be disclosed for any reason without that party’s prior written consent or an
  Order of this court specifying the scope of the PHI to be disclosed, the recipients
  -3-
  of the disclosed PHI, and the purpose of the disclosure.” Each proposed QPO also
  ordered as follows:
  “Within 60 days after the conclusion of the litigation, including appeals, the
  parties, their attorneys, insurance companies and any person or entity in
  possession of PHI received pursuant to this Order, shall return Plaintiff’s PHI
  to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff,
  including any electronically stored copy or image, except that counsel are not
  required to secure the return or destruction of PHI submitted to the Court.
  ‘Conclusion of the Litigation’ shall be defined as the point at which final orders
  disposing of the entire case as to any Defendant have been entered, or the time
  at which all trial and appellate proceedings have been exhausted as to any
  Defendant.”
  ¶ 13                   C. State Farm’s Petitions to Intervene and File Objections
  ¶ 14       In September 2018, State Farm filed nearly identical petitions to intervene in
  each lawsuit. See 735 ILCS 5/2-408(a)(2) (West 2018). State Farm maintained that
  it was the casualty and liability insurer for at least one of the defendants in the
  Haage lawsuit and for defendant Starcevic in the Surlock lawsuit. State Farm
  alleged that plaintiffs’ proposed QPOs would impose upon it significant restrictions
  and obligations, and the attorney representing its policyholders is not conversant
  with either the legal issues raised by plaintiffs’ proposed QPOs or the statutes and
  regulations applicable to State Farm’s business operations. The trial courts granted
  State Farm’s petitions to intervene and granted State Farm leave to file objections.
  ¶ 15        In its objections to plaintiffs’ proposed QPOs, State Farm requested that the
  trial courts (1) deny plaintiffs’ motions for their QPOs and (2) grant State Farm’s
  motions to enter its tendered alternative orders (see Ill. S. Ct. R. 201(c)(1) (eff. July
  1, 2014)). State Farm initially argued that, as a property and casualty insurer, it is
  not a “covered entity” under HIPAA. State Farm also argued that plaintiffs’
  proposed QPOs contained restrictions that would directly conflict with its
  obligations and rights under Illinois law, specifically in two ways. First, State Farm
  argued that requiring it to return or destroy all copies of PHI following the
  conclusion of the litigation would interfere with its statutory and administrative
  obligations to maintain complete documentation of all books, records, and
  -4-
  accounts, including claim files and claim data, and to make that information
  available for examination upon request by the Illinois Department of Insurance.
  Second, State Farm argued that restricting the use of PHI to the litigation at issue
  would interfere “with State Farm’s rights under Illinois law to use a claimant’s
  information to perform certain insurance functions.” State Farm asked the trial
  courts to deny plaintiffs’ proposed QPOs.
  ¶ 16      State Farm also asserted that the law division of the circuit court of Cook
  County has “entered a standard medical protective order authorizing production of
  health information that omits unnecessary restrictions and explicitly accommodates
  casualty insurers’ obligations.” State Farm tendered and sought entry of the Cook
  County standard protective order.
  ¶ 17      The Cook County standard protective order lacks the PHI “use or disclosure”
  prohibition and the “return or destroy” requirement that plaintiffs’ proposed QPOs
  provide.
  ¶ 18      Rather, the Cook County standard protective order expressly permits insurance
  companies to maintain, use, disclose, and dispose of PHI for the following
  purposes:
  “1. Reporting; investigating; evaluating, adjusting, negotiating, arbitrating,
  litigating, or settling claims;
  2. Compliance reporting or filing;
  3. Conduct described in [section 1014 of the Illinois Insurance Code] 215
  ILCS 5/1014;
  4. Required inspections and audits;
  5. Legally required reporting to private, federal, or state governmental
  organizations ***;
  6. Rate setting and regulation;
  7. Statistical information gathering;
  8. Underwriting, reserve, loss, and actuarial calculation;
  -5-
  9. Drafting policy language;
  10. Workers’ compensation; and
  11. Determining the need for and procuring excess or umbrella coverage or
  reinsurance.”
  Also, paragraph 5 of the Cook County standard protective order specifically
  exempts insurance companies from the “return or destroy” requirement of 

  45 C.F.R. § 164.512

  (e)(1)(v)(B) (2018). State Farm urged the trial courts to adopt and
  enter the tendered Cook County standard protective order.
  ¶ 19                                  D. Plaintiffs’ Replies
  ¶ 20        Plaintiffs responded that their proposed QPOs would not impose undue
  restrictions or obligations on nonhealth insurers for two reasons. First, plaintiffs
  argued that there was no language in either the Illinois Insurance Code or the
  Illinois Administrative Code that requires nonhealth insurers to retain, use, or
  disclose PHI. Second, plaintiffs asserted that State Farm does not require PHI to
  perform “certain insurance functions.” Plaintiffs further noted that there has never
  been an administrative disciplinary action taken against State Farm for failing to
  maintain PHI. Therefore, according to plaintiffs, their proposed QPOs would not
  affect the reporting obligations of nonhealth insurers such as State Farm.
  ¶ 21       Plaintiffs alternatively asserted that, absent a waiver from the federal
  government, (1) HIPAA prohibits the use or disclosure of PHI for any purpose
  other than the litigation or proceeding for which such information was requested
  and (2) HIPAA requires the return or destruction of PHI at the end of the litigation
  or proceeding. Therefore, according to plaintiffs, to the extent that any state law or
  regulation permits State Farm to use, store, maintain or distribute PHI outside of
  the scope of litigation and for State Farm’s own business operations, it is preempted
  by HIPAA.
  ¶ 22        Plaintiffs further responded that whether or not State Farm is a “covered entity”
  is irrelevant. Plaintiffs reasoned that, even if State Farm is exempt from HIPAA as
  a casualty and liability insurer, the plaintiff-authorized PHI, the QPO entered by
  the court, and the parties to whom the PHI is released are all subject to HIPAA.
  -6-
  Thus, according to plaintiffs, “State Farm had no right to the information to begin
  with.” Rather, plaintiffs argued that State Farm “only obtains an ability to review
  PHI because of a valid protective order. Therefore, regardless of whether State
  Farm is a ‘covered entity’ under HIPAA, it must still abide by the court order and
  the terms of HIPAA if it wants access to the PHI.”
  ¶ 23                                 E. Trial Courts’ Orders
  ¶ 24       In February 2019, the trial courts in the Haage and Surlock lawsuits held a
  combined hearing on plaintiffs’ motions for QPOs. In May 2019, the trial courts
  issued memorandum opinions and orders that granted plaintiffs’ motions to enter
  their proposed QPOs and denied State Farm’s request for the entry of the Cook
  County standard protective order.
  ¶ 25       The trial courts found that HIPAA preempts Illinois law to the extent that State
  Farm’s obligations and rights under state law conflict with HIPAA. The trial courts
  found that it would be impossible to comply with both Illinois law and HIPAA
  requirements for a QPO. The trial courts specifically found that the Cook County
  standard protective order violated 

  45 C.F.R. § 164.512

  (e)(1)(v)(A), (B) (2018), to
  the extent that it (1) would allow insurance companies to maintain, use, disclose,
  and dispose of PHI outside of the litigation and (2) would not require insurers to
  return or destroy the PHI at the conclusion of the litigation. The trial courts found
  that the Cook County standard protective order “would eliminate the two
  requirements set forth by the Department [of Health and Human Services (HHS)]
  for a qualified protective order and would not provide the confidentiality and
  protection of PHI” envisioned when HHS promulgated the Privacy Rule. The trial
  courts found that without these two requirements, “a covered entity no longer has
  a valid HIPAA qualified protective order to allow disclosure of PHI.”
  ¶ 26       The trial courts also acknowledged that “property and casualty liability insurers
  are not covered entities under HIPAA.” However, each trial court found that not
  being a covered entity “does not exempt State Farm from obeying a protective order
  entered by this court with respect to PHI which has been produced by a covered
  entity.” (Emphasis in original.) Rather, each trial court ruled that “[a]ll parties
  receiving the PHI are bound to follow the qualified protective order of the court
  regardless of whether they are a covered entity under HIPAA in the first instance.”
  -7-
  ¶ 27       The trial courts next rejected State Farm’s argument that plaintiffs’ motions for
  QPOs should be deemed as proposals for a court order under a different section of
  the Privacy Rule. Each trial court reasoned that, “[w]hile the HIPAA regulations do
  provide several different ways in which a covered entity is permitted to disclose
  PHI, Plaintiff has chosen to secure a qualified protective order.”
  ¶ 28      Accordingly, the trial courts entered plaintiffs’ proposed QPOs in both lawsuits.
  The QPOs included the following relevant provisions:
  “8. Within 60 days after the conclusion of the litigation, including appeals,
  the parties, their attorneys, insurance companies and any person or entity in
  possession of PHI received pursuant to this Order, shall return Plaintiff’s PHI
  to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff,
  including any electronically stored copy or image, except that counsel are not
  required to secure the return or destruction of PHI submitted to the Court.
  ***
  12. All requests by or on behalf of any Defendant for protected health
  information, including but not limited to subpoenas, shall be accompanied by a
  complete copy of this Order. The parties—including their insurers and
  counsel—are prohibited from using or disclosing protected health information
  for any purpose other than this litigation. ‘Disclose’ shall have the same ***
  scope and definition as set forth in 

  45 C.F.R. § 160.103

  : ‘the release, transfer,
  provision of access to, or divulging in any manner of information outside the
  entity holding the information.’ ” (Emphases added.)
  ¶ 29                                     F. Appellate Court
  ¶ 30        In each case, State Farm filed an interlocutory appeal to the appellate court. See
  Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The appellate court granted State Farm’s
  motion to consolidate the appeals and denied plaintiffs’ motion to dismiss. 

  2020 IL App (2d) 190499

  , ¶ 33.
  ¶ 31       The appellate court acknowledged that State Farm, as a property and casualty
  insurer, did not fit within the specific regulatory definition of a “ ‘covered entity,’ ”
  as defined by the Privacy Rule, because it was not a “ ‘health plan,’ ” a “ ‘health
  -8-
  care clearinghouse,’ ” or a “ ‘health care provider who transmits any health
  information in electronic form.’ ” Id. ¶¶ 39-40 (quoting 

  45 C.F.R. § 160.103

  (2018)). However, the appellate court agreed with the trial courts that “State Farm,
  as an entity wishing to receive PHI from a covered entity in response to a HIPAA
  qualified protective order, is bound to comply with the use and disclosure
  restrictions set forth in the orders.” Id. ¶ 44. Thus, the appellate court concluded
  that, “if State Farm wishes to access the PHI at issue, it must abide by the terms of
  the HIPAA qualified protective orders entered by the trial courts.” Id. ¶ 49.
  ¶ 32        State Farm next argued that it must be permitted to use and retain plaintiffs’
  PHI to fulfill its obligations under Illinois insurance regulatory law and that the
  Cook County standard protective order “ ‘strikes the proper balance between a
  litigant’s interest in PHI and the State’s interest in allowing property and casualty
  insurers to retain PHI beyond litigation.’ ” Id. ¶ 51. The appellate court concluded
  that “State Farm failed to cite any statute, regulation, or case law that affirmatively
  requires the retention of PHI or its use for a particular purpose.” Id. ¶ 59. Further,
  the appellate court found nothing in the provisions of the Insurance Code and the
  Illinois Administrative Code cited by State Farm that requires State Farm to retain
  PHI or use it for any particular purpose after the conclusion of the litigation.
  Accordingly, the appellate court rejected State Farm’s argument that the terms of
  plaintiffs’ QPOs conflict with State Farm’s obligations under state law. Id. ¶ 60.
  ¶ 33       The appellate court next held that, to the extent that plaintiffs’ QPOs could be
  considered to conflict with State Farm’s obligations under state law, HIPAA and
  the Privacy Rule preempt state law. Id. ¶¶ 62-64. The appellate court also concluded
  that the doctrine of reverse preemption, as provided by the McCarran-Ferguson Act
  (

  15 U.S.C. § 1011

   et seq. (2018)), which is potentially relevant specifically to
  insurance regulation, did not apply in this case. 

  2020 IL App (2d) 190499

  , ¶¶ 66-
  68.
  ¶ 34       Lastly, State Farm assigned error to the trial courts’ rejection of any alternative
  to plaintiffs’ QPOs. The appellate court acknowledged that the Privacy Rule
  provides several different methods by which a covered entity may disclose PHI
  during litigation. However, the appellate court observed that plaintiffs and State
  Farm sought the disclosure of PHI through QPOs. Accordingly, the appellate court
  -9-
  held that the trial courts did not err in declining to consider an alternative method
  of disclosing PHI. Id. ¶ 70.
  ¶ 35       State Farm appeals to this court. We granted the National Insurance Crime
  Bureau leave to submit an amicus curiae brief in support of State Farm’s position.
  The Illinois Trial Lawyers Association and the Illinois Public Interest Research
  Group were each granted leave to submit an amicus curiae brief in support of
  plaintiffs’ position. Ill. S. Ct. R. 345 (eff. Sept. 20, 2010).
  ¶ 36                                      II. ANALYSIS
  ¶ 37       Before this court, the parties present several arguments in relation to the
  following issues. First, the parties disagree on the applicability of the Privacy Rule
  and its preemptive effect on Illinois insurance regulatory law governing the use,
  disclosure, and retention of PHI. Second, the parties disagree on whether Illinois
  insurance regulatory law mandates that a property and casualty insurer use,
  disclose, and retain PHI beyond litigation. Third, the parties disagree on the
  preemptive effect of the Privacy Rule on the Cook County standard protective
  order.
  ¶ 38                                  A. Standard of Review
  ¶ 39        State Farm filed an interlocutory appeal to the appellate court pursuant to
  Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017), which provides for an
  appeal from an interlocutory order “granting, modifying, refusing, dissolving, or
  refusing to dissolve or modify an injunction.” This court has held that “an
  interlocutory order circumscribing the publication of information is reviewable as
  an interlocutory injunctive order, pursuant to Rule 307(a)(1).” Skolnick v. Altheimer
  & Gray, 

  191 Ill. 2d 214

  , 221 (2000); see In re Daveisha C., 

  2014 IL App (1st) 133870

  , ¶ 25 (“Supreme Court Rule 307(a)(1) allows review of *** a protective
  order entered during the discovery phase of the proceedings.”).
  ¶ 40       “As this court has explained, ‘in an interlocutory appeal, the scope of review is
  normally limited to an examination of whether or not the trial court abused its
  discretion in granting or refusing the requested interlocutory relief.’ ” West Bend
  - 10 -
  Mutual Insurance Co. v. TRRS Corp., 

  2020 IL 124690

  , ¶ 31 (quoting In re
  Lawrence M., 

  172 Ill. 2d 523

  , 526 (1996)). An abuse of discretion occurs only when
  the trial court’s decision is arbitrary, fanciful, or unreasonable or where no
  reasonable person would take the view adopted by the trial court. In re Marriage of
  Heroy, 

  2017 IL 120205

  , ¶ 24; Seymour v. Collins, 

  2015 IL 118432

  , ¶ 41. “When,
  however, the interlocutory appeal involves a question of law, the reviewing court
  resolves that legal question independently of the trial court’s judgment and, to the
  extent necessary, may consider substantive issues to determine whether the trial
  court acted within its authority.” West Bend Mutual Insurance Co., 

  2020 IL 124690

  ,
  ¶ 32; see Loyola Academy v. S&S Roof Maintenance, Inc., 

  146 Ill. 2d 263

  , 274
  (1992).
  ¶ 41       In this case, State Farm presents issues that require us to construe various
  statutory and administrative provisions. Issues of statutory construction present
  questions of law that we review de novo. In re Appointment of Special Prosecutor,
  

  2019 IL 122949

  , ¶ 22; Cohen v. Chicago Park District, 

  2017 IL 121800

  , ¶ 17; In re
  M.M., 

  2016 IL 119932

  , ¶ 15. Under the de novo standard, the reviewing court
  performs the same analysis that the trial court would perform. People v. McDonald,
  

  2016 IL 118882

  , ¶ 32; see Choate v. Indiana Harbor Belt R.R. Co., 

  2012 IL 112948

  ,
  ¶ 21.
  ¶ 42                           B. Canons of Statutory Construction
  ¶ 43       The same familiar principles of statutory construction that apply to state
  legislation also apply to federal legislation enacted by Congress. See, e.g., Standard
  Mutual Insurance Co. v. Lay, 

  2013 IL 114617

  , ¶ 26; Italia Foods, Inc. v. Sun Tours,
  Inc., 

  2011 IL 110350

  , ¶ 12. Additionally, because administrative regulations have
  the force and effect of law, the familiar rules that govern construction of statutes
  also apply to the construction of administrative regulations. Kean v. Wal-Mart
  Stores, Inc., 

  235 Ill. 2d 351

  , 368 (2009); Union Electric Co. v. Department of
  Revenue, 

  136 Ill. 2d 385

  , 391 (1990).
  ¶ 44       The primary objective in statutory construction is to ascertain and give effect to
  the intent of the legislature. The most reliable indicator of legislative intent is the
  language of the statute, which must be given its plain and ordinary meaning. In re
  Appointment of Special Prosecutor, 

  2019 IL 122949

  , ¶ 23; In re M.M., 2016 IL
  - 11 -
  119932, ¶ 16. In construing a federal statute, “ ‘[o]ur task is to give effect to the
  will of Congress, and where its will has been expressed in reasonably plain terms,
  that language must ordinarily be regarded as conclusive.’ ” Negonsott v. Samuels,
  

  507 U.S. 99

  , 104 (1993) (quoting Griffin v. Oceanic Contractors, Inc., 

  458 U.S. 564

  , 570 (1982)). In construing a statute, a court must view a statute as a whole.
  Therefore, words and phrases must be construed in light of other relevant statutory
  provisions and not in isolation. United States National Bank of Oregon v.
  Independent Insurance Agents of America, Inc., 

  508 U.S. 439

  , 455 (1993); In re
  Appointment of Special Prosecutor, 

  2019 IL 122949

  , ¶ 23; Chicago Teachers
  Union, Local No. 1 v. Board of Education of the City of Chicago, 

  2012 IL 112566

  ,
  ¶ 15. Each word, clause, and sentence of a statute must be given a reasonable
  meaning, if possible, and should not be rendered superfluous. TRW Inc. v. Andrews,
  

  534 U.S. 19

  , 31 (2001); Chicago Teachers Union, 

  2012 IL 112566

  , ¶ 15.
  Additionally, the court may consider the reason for the law, the problems sought to
  be remedied, the purposes to be achieved (National Bank of Oregon, 

  508 U.S. at 455

  ; In re M.M., 

  2016 IL 119932

  , ¶ 16), and the consequences of construing the
  statute one way or another (American Tobacco Co. v. Patterson, 

  456 U.S. 63

  , 71
  (1982); In re Appointment of Special Prosecutor, 

  2019 IL 122949

  , ¶ 23).
  ¶ 45                            C. Statutory Overview of HIPAA
  ¶ 46       “HIPAA is ‘a complex piece of legislation that addresses the exchange of
  health-related information.’ ” Cohan v. Ayabe, 

  322 P.3d 948

  , 954 (Haw. 2014)
  (quoting National Abortion Federation v. Ashcroft, No. 03 Civ. 8695(RCC), 

  2004 WL 555701

  , at *2 (S.D.N.Y. Mar. 19, 2004)). Subtitle F of Title II of HIPAA,
  captioned “Administrative Simplification,” consists of sections 261 through 264 of
  the statute. As amended in 2010, the purpose of this subtitle is
  “to improve *** the efficiency and effectiveness of the health care system, by
  encouraging the development of a health information system through the
  establishment of uniform standards and requirements for the electronic
  transmission of certain health information and to reduce the clerical burden on
  patients, health care providers, and health plans.” Pub. L. 104-191 § 261, 

  110 Stat. 1936

  , 2021 (1996).
  - 12 -
  ¶ 47       In furtherance of these statutory purposes, various individual provisions in
  section 262 outline whom the regulations were to cover, what information was to
  be covered, what types of transactions were to be covered, what time limits and
  standards would govern compliance with HIPAA, and what penalties would accrue
  for HIPAA violations. 42 U.S.C. §§ 1320d to 1320d-9 (2018).
  ¶ 48       To effectuate these statutory directives, section 262 instructed the United States
  HHS to adopt uniform standards “to enable health information to be exchanged
  electronically.” 42 U.S.C. § 1320d-2(a)(1) (2018). In section 264 of HIPAA,
  Congress provided a two-step process to address how to afford certain protections
  to the privacy of health information maintained under HIPAA. First, within 12
  months of HIPAA’s enactment, HHS was directed to submit to Congress “detailed
  recommendations on standards with respect to the privacy of individually
  identifiable health information.” HIPAA, Pub. L. No. 104-191 § 264(a), 

  110 Stat. 1936

  , 2033. Congress directed HHS to address subjects including as follows: “(1)
  The rights that an individual who is a subject of individually identifiable health
  information should have. (2) The procedures that should be established for the
  exercise of such rights. (3) The uses and disclosures of such information that should
  be authorized or required.” 

  Id.

   § 264(b).
  ¶ 49       Second, if Congress did not enact further legislation pursuant to the
  recommendations from HHS within 36 months of HIPAA’s enactment, HHS was
  to promulgate final regulations providing for such standards. Id. § 264(c)(1).
  HIPAA further provided that the privacy regulations promulgated by HHS “shall
  not supercede a contrary provision of State law, if the provision of State law
  imposes requirements, standards, or implementation specifications that are more
  stringent than the requirements, standards, or implementation specifications
  imposed under the regulation.” Id. § 264(c)(2); see generally South Carolina
  Medical Ass’n v. Thompson, 

  327 F.3d 346

  , 348-49 (4th Cir. 2003) (summarizing
  statute); Buckman, supra, at 145-48 (same).
  ¶ 50                                D. Privacy Rule Overview
  ¶ 51       In September 1997, HHS did submit recommendations for protecting the
  privacy of individually identifiable heath information. However, Congress
  ultimately failed to enact any additional legislation. Arons v. Jutkowitz, 880 N.E.2d
  - 13 -
  831, 840 (N.Y. 2007); South Carolina Medical Ass’n, 

  327 F.3d at 349

  . In
  November 1999, HHS issued proposed “Standards for Privacy of Individually
  Identifiable Health Information” (

  64 Fed. Reg. 59,918

   (Nov. 3, 1999)), and in
  December 2000, HHS promulgated its final rule. 

  65 Fed. Reg. 82,462

   (Dec. 28,
  2000). These standards are known collectively as the “Privacy Rule.” Buckman,
  supra, at 148; U.S. Dep’t of Health & Human Servs., Office for Civil Rights,
  Summary       of    the    HIPAA        Privacy    Rule    2      (May      2003),
  https://www.hhs.gov/sites/default/files/privacysummary.pdf
  [https://perma.cc/F66C-T4TR] (hereinafter Summary of the HIPAA Privacy Rule).
  In August 2002, HHS amended the Privacy Rule (

  67 Fed. Reg. 53,182

   (Aug. 14,
  2002)). The Privacy Rule is codified at parts 160 and 164 of Title 45 of the Code
  of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).
  ¶ 52       According to HHS, the purposes of the Privacy Rule include: “[t]o protect and
  enhance the rights of consumers by *** controlling the inappropriate use” of their
  health information and “to improve the efficiency and effectiveness of health care
  delivery by creating a national framework for health privacy protection that builds
  on efforts by states, health systems, and individual organizations and individuals.”
  65 Fed. Reg. at 82,463. HHS explained as follows:
  “In enacting HIPAA, Congress recognized the fact that administrative
  simplification cannot succeed if we do not also protect the privacy and
  confidentiality of personal health information. The provision of high-quality
  health care requires the exchange of personal, often-sensitive information
  between an individual and a skilled practitioner. Vital to that interaction is the
  patient’s ability to trust that the information shared will be protected and kept
  confidential. Yet many patients are concerned that their information is not
  protected. Among the factors adding to this concern are the growth of the
  number of organizations involved in the provision of care and the processing of
  claims, the growing use of electronic information technology, increased efforts
  to market health care and other products to consumers, and the increasing ability
  to collect highly sensitive information about a person’s current and future health
  status as a result of advances in scientific research.
  Rules requiring the protection of health privacy in the United States have
  been enacted primarily by the states. While virtually every state has enacted one
  - 14 -
  or more laws to safeguard privacy, these laws vary significantly from state to
  state and typically apply to only part of the health care system. ***
  Until now, virtually no federal rules existed to protect the privacy of health
  information and guarantee patient access to such information. This final rule
  establishes, for the first time, a set of basic national privacy standards and fair
  information practices that provides all Americans with a basic level of
  protection and peace of mind that is essential to their full participation in their
  care. The rule sets a floor of ground rules for health care providers, health plans,
  and health care clearinghouses to follow, in order to protect patients and
  encourage them to seek needed care. The rule seeks to balance the needs of the
  individual with the needs of the society. It creates a framework of protection
  that can be strengthened by both the federal government and by states as health
  information systems continue to evolve.” Id. at 82,463-64.
  ¶ 53       HHS explains that many of the provisions of the Privacy Rule, as codified, “are
  presented as ‘standards.’ Generally, the standards indicate what must be
  accomplished under the regulation and implementation specifications describe how
  the standards must be achieved.” Id. at 82,488.
  ¶ 54       The Privacy Rule prohibits a “covered entity” or “business associate” from
  using a person’s “protected health information” except as mandated or permitted
  by its provisions. 

  45 C.F.R. § 164.502

  (a) (2018). PHI is defined as “individually
  identifiable health information” that is kept or transmitted in electronic or any other
  form of media. 

  Id.

   § 160.103. Further, “individually identifiable health
  information” means information, including demographic data, that (1) is created or
  received by a “covered entity”; (2) relates “to the past, present, or future physical
  or mental health or condition of an individual; the provision of health care to an
  individual; or the past, present, or future payment for the provision of health care
  to an individual”; and (3) identifies, or reasonably can be used to identify, the
  individual. Id. “Covered entities” refer to health plans, health care clearinghouses,
  and health care providers who transmit any health information in electronic form.
  Id. §§ 160.103, 164.104(a). A “business associate” refers to a person, not a member
  of a covered entity’s workforce, who uses or discloses PHI in performing certain
  activities or functions on behalf of a covered entity. Id. § 160.103.
  - 15 -
  ¶ 55                       E. The Privacy Rule Applies to State Farm
  ¶ 56       Both plaintiffs and State Farm agree that State Farm is not a “covered entity”
  as defined by HIPAA because a property and casualty insurer is not a “health plan,”
  “health care clearinghouse,” or a “health care provider who transmits any health
  information in electronic form.” See id. § 160.103. The appellate court observed
  that State Farm had not cited any specific language in HIPAA, the Privacy Rule, or
  any other source of law “indicating that a noncovered entity that receives PHI from
  a covered entity in response to a HIPAA qualified protective order is exempt from
  complying with the order’s restrictions regarding the use or disclosure of the PHI.”
  

  2020 IL App (2d) 190499

  , ¶ 49.
  ¶ 57        Before this court, State Farm argues that “because property and casualty
  insurers like State Farm are not covered entities, their business operations do not
  fall within HIPAA’s privacy and security obligations.” Further, according to State
  Farm, “property and casualty insurers like State Farm do not become a ‘covered
  entity’ when they receive PHI from a ‘covered entity’ in the ordinary course of
  handling claims.”
  ¶ 58       State Farm maintains that property and casualty insurers logically “fall outside
  HIPAA given the role of liability insurance in the administration of justice.” State
  Farm argues that “property and casualty insurers do not enter into a physician-
  patient relationship with anyone and their role is not to provide *** health care
  services.” Rather, according to State Farm, property and casualty insurers “insure
  their policyholders against the risk of bodily injury or property damage (including
  for liability to others) that results from an accident—not to offer medical or health
  care to the injured person.”
  ¶ 59       We cannot accept State Farm’s reasoning. Generally, a personal injury action
  requires proof of an injury (Golla v. General Motors Corp., 

  167 Ill. 2d 353

  , 360
  (1995)), which necessarily requires disclosure of relevant PHI. State Farm’s logic
  leads to the denial of any request for a QPO in a judicial proceeding where a
  defendant is insured by a casualty insurer. This court has noted “the dominant role
  played by the insurance industry in the field of personal injury litigation.” Sullivan
  v. Midlothian Park District, 

  51 Ill. 2d 274

  , 280 (1972). Scholars have similarly
  recognized:
  - 16 -
  “The key stakeholders in litigation—at least on the defense side—are seldom
  the individual litigants who have been sued. Rather, insurers are the entities
  who regularly pay not only the cost of defending claims but also any settlement
  or judgment. Insured parties retain some authority to make substantive litigation
  decisions, but the practical reality is that insurers drive litigation outcomes.”
  Chris Guthrie & Jeffrey J. Rachlinski, Insurers, Illusions of Judgment and
  Litigation, 

  59 Vand. L. Rev. 2017

  , 2019 (2006).
  See William P. Lynch, Why Settle for Less? Improving Settlement Conferences in
  Federal Court, 

  94 Wash. L. Rev. 1233

  , 1251 (2019) (“Insurers play a key role in
  the civil justice system. In most personal injury litigation, the individual defendant
  is insured, and the insurer provides a defense and exercises complete control over
  whether to settle the case.”).
  ¶ 60       Thus, if we were to accept State Farm’s argument, there would be few instances
  in which a QPO could be requested. It was clearly not the intent of Congress that a
  QPO would be unavailable whenever an alleged tortfeasor was insured by a liability
  insurer. HIPAA contains no such limitation, and this court must not add such a
  limitation under the guise of statutory construction. See People ex rel. Birkett v.
  Dockery, 

  235 Ill. 2d 73

  , 81 (2009) (“we cannot rewrite a statute, and depart from
  its plain language, by reading into it exceptions, limitations or conditions not
  expressed by the legislature”); Hines v. Department of Public Aid, 

  221 Ill. 2d 222

  ,
  230 (2006) (same).
  ¶ 61       There are two exceptions to the prohibition against the use or disclosure of an
  individual’s PHI. First, a covered entity may use or disclose PHI pursuant to a valid
  authorization. 

  45 C.F.R. §§ 164.502

  (a)(1)(iv), 164.508 (2018).
  ¶ 62        Second, and relevant to this appeal, a covered entity may use or disclose PHI in
  the course of litigation. 

  Id.

   §§ 164.502(a)(1)(vi), 164.512(e). Use or disclosure of
  PHI is permissible to comply with an order of a court or administrative tribunal, so
  long as only the PHI expressly authorized by the order is disclosed. Id.
  § 164.512(e)(1)(i). Absent a judicial or administrative order, a covered entity may
  disclose PHI in response to a subpoena, discovery request, or other lawful process
  if (1) the covered entity has received satisfactory assurances that the party seeking
  the disclosure has made reasonable efforts to ensure that the individual has been
  given notice of the request or (2) the covered entity has made reasonable efforts to
  - 17 -
  secure a “qualified protective order.” Id. § 164.512(e)(1)(ii), (iv). A QPO is a
  judicial or administrative order, or a stipulation by the parties, that (1) “[p]rohibits
  the parties from using or disclosing the [PHI] for any purpose other than the
  litigation or proceeding for which such information was requested” and
  (2) “[r]equires the return to the covered entity or destruction of the [PHI] (including
  all copies made) at the end of the litigation or proceeding.” Id. § 164.512(e)(1)(v).
  ¶ 63       Importantly, State Farm is not the disclosing party but rather is the party wishing
  to obtain plaintiffs’ PHI. Therefore, in the absence of a court order pursuant to
  section 164.512(e)(1)(i), the Privacy Rule authorizes a covered entity to disclose
  PHI to State Farm in this litigation only pursuant to (1) a subpoena, discovery
  request, or other lawful process, provided that adequate notice was given to
  plaintiffs, or (2) a QPO containing the required “use and disclosure” prohibition
  and the “return or destroy” requirement. Id. § 164.512(e)(1)(ii), (iv). Here, State
  Farm is not appealing from any independent disclosure orders or any issues
  pertaining to discovery, service of process, and notice. Accordingly, State Farm can
  receive plaintiffs’ PHI only in response to a valid QPO.
  ¶ 64       State Farm argues that we should view its tendered protective orders as a request
  for an independent disclosure order pursuant to section 164.512(e)(1)(i). We reject
  this argument. Section 164.512(e)(1)(i) specifically mandates that “the covered
  entity disclose[ ] only the [PHI] expressly authorized by such order.” (Emphases
  added.) Id. § 164.512(e)(1)(i). Thus, pursuant to this section, a covered entity is
  prohibited from disclosing PHI that is not “expressly authorized” by the order.
  However, State Farm’s tendered protective orders do not address what PHI the
  covered entity is expressly authorized to disclose. State Farm’s tendered protective
  orders have no language that limits or restricts the PHI permitted to be disclosed.
  Such an order would be impermissible for several reasons.
  ¶ 65       State Farm’s tendered protective orders violate Rule 201 to the extent that they
  permit the disclosure of any and all PHI. Rule 201(b)(1) provides in relevant part:
  “Except as provided in these rules, a party may obtain by discovery full disclosure
  regarding any matter relevant to the subject matter involved in the pending action,
  whether it relates to the claim or defense of the party seeking disclosure or of any
  other party ***.” Ill. S. Ct. R. 201(b)(1) (eff. July 1, 2014). “[T]he relevance
  requirement safeguards against ‘improper and abusive’ discovery and acts as an
  - 18 -
  ‘independent constraint on discovery.’ ” People ex rel. Madigan v. Stateline
  Recycling, LLC, 

  2020 IL 124417

  , ¶ 32 (quoting Kunkel v. Walton, 

  179 Ill. 2d 519

  ,
  533 (1997)). Therefore, even if State Farm’s tendered protective orders could be
  viewed to require covered entities to disclose plaintiffs’ PHI, they would still be
  improper because they do not satisfy the relevancy requirement of Rule 201(b).
  ¶ 66       Even if we were to consider State Farm’s tendered protective orders as
  compliant with section 164.512(e)(1)(i), they would still violate the state
  constitutional right to privacy. The Illinois Constitution guarantees, in pertinent
  part, that “[t]he people shall have the right to be secure in their persons, houses,
  papers and other possessions against unreasonable *** invasions of privacy.” Ill.
  Const. 1970, art. I, § 6. In Kunkel, this court stated as follows:
  “This court has observed that the Illinois Constitution goes beyond federal
  constitutional guarantees by expressly recognizing a zone of personal privacy,
  and that the protection of that privacy is stated broadly and without restrictions.
  [Citation.] The confidentiality of personal medical information is, without
  question, at the core of what society regards as a fundamental component of
  individual privacy. Physicians are privy to the most intimate details of their
  patients’ lives, touching on diverse subjects like mental health, sexual health
  and reproductive choice. Moreover, some medical conditions are poorly
  understood by the public, and their disclosure may cause those afflicted to be
  unfairly stigmatized. Respect for the privacy of medical information is a central
  feature of the physician-patient relationship. Under the Hippocratic Oath, and
  modern principles of medical ethics derived from it, physicians are ethically
  bound to maintain patient confidences. See Petrillo v. Syntex Laboratories, Inc.,
  

  148 Ill. App. 3d 581

  , 589 (1986).
  In addition, this court has recognized that ‘[a] person has a reasonable
  expectation that he will not be forced to submit to a close scrutiny of his
  personal characteristics, unless for a valid reason. *** [T]he individual’s
  privacy interest in his physical person *** must be protected.’ [Citation.] We
  believe that this privacy interest pertaining to individual physical characteristics
  necessarily encompasses personal medical information.” Kunkel, 

  179 Ill. 2d at 537-38

  .
  - 19 -
  In Kunkel, this court cautioned: “The text of our constitution does not accord
  absolute protection against invasions of privacy. Rather, it is unreasonable
  invasions of privacy that are forbidden. In the context of civil discovery,
  reasonableness is a function of relevance.” (Emphasis in original.) 

  Id. at 538

  .
  ¶ 67       Where the privacy interest in medical information is involved, it “is reasonable
  to require full disclosure of medical information that is relevant to the issues in the
  lawsuit.” 

  Id.

   However, State Farm’s tendered protective orders are unlimited in the
  PHI to be disclosed without regard to the issues being litigated. The scope of the
  PHI required by State Farm’s protective orders would be unreasonable and,
  therefore, unconstitutional.
  ¶ 68       In sum, the Privacy Rule applies to State Farm. Therefore, State Farm can
  receive plaintiffs’ PHI only in response to a valid QPO.
  ¶ 69                     F. Illinois Insurance Regulatory Law Does Not
  Mandate Use, Disclosure, or Retention of PHI
  ¶ 70       State Farm contends that the trial courts should have entered State Farm’s
  tendered Cook County standard protective order or a similar protective order
  “expressly allowing for the retention, use, and disclosure of information by property
  and casualty insurers in conformity to federal and state law and regulations.” State
  Farm complains that the trial courts’ QPOs prevent State Farm from fulfilling its
  obligations under the Illinois Insurance Code and supporting administrative
  regulations. State Farm’s argument requires analysis of the preemptive effect of the
  Privacy Rule on Illinois insurance regulatory law.
  ¶ 71                                 1. Preemption Principles
  ¶ 72       The supremacy clause of the United States Constitution provides that federal
  law “shall be the supreme Law of the Land ***, any Thing in the Constitution or
  Laws of any State to the Contrary notwithstanding.” U.S. Const., art. VI, cl. 2. The
  determination of whether state law is preempted turns on the intent of Congress.
  When interpreting a federal statute pertaining to a subject traditionally governed by
  state law, courts are reluctant to find preemption unless Congress’s preemptive
  - 20 -
  intent is clear and manifest. CSX Transportation, Inc. v. Easterwood, 

  507 U.S. 658

  ,
  664 (1993); Village of Mundelein v. Wisconsin Central R.R., 

  227 Ill. 2d 281

  , 288
  (2008). One of the circumstances in which state law is preempted under the
  supremacy clause is where the express language of a federal statute indicates an
  intent to preempt state law. Wisconsin Public Intervenor v. Mortier, 

  501 U.S. 597

  ,
  604-05 (1991); Village of Mundelein, 

  227 Ill. 2d at 288

  . If the federal statute
  contains an express exemption provision, “the task of statutory construction must
  in the first instance focus on the plain wording of the clause, which necessarily
  contains the best evidence of Congress’ pre-emptive intent.” CSX Transportation,
  507 U.S. at 664; Village of Mundelein, 

  227 Ill. 2d at 289

  .
  ¶ 73       HIPAA and the Privacy Rule establish a uniform federal floor or baseline of
  privacy protection for PHI, which states are free to exceed. See Giangiulio v.
  Ingalls Memorial Hospital, 

  365 Ill. App. 3d 823

  , 839 (2006); Cohan, 322 P.3d at
  955. When HHS promulgated the Privacy Rule, the agency stressed: “It is important
  to understand this regulation as a new federal floor of privacy protections that does
  not disturb more protective rules or practices. *** The protections are a mandatory
  floor, which other governments and any covered entity may exceed.” 65 Fed. Reg.
  at 82,471.
  ¶ 74       Consequently, “State laws that are contrary to the Privacy Rule are preempted
  by the federal requirements, which means that the federal requirements will apply.”
  Summary of the HIPAA Privacy Rule, supra, at 17; 

  45 C.F.R. § 160.203

   (2018). A
  state law is “contrary” to HIPAA if a “covered entity or business associate would
  find it impossible to comply with both the State and Federal requirements” or if the
  “provision of State law stands as an obstacle to the accomplishment and execution
  of the full purposes and objectives of [HIPAA].” 

  45 C.F.R. § 160.202

   (2018).
  ¶ 75       However, section 264 of HIPAA provides that the Privacy Rule “shall not
  supersede a contrary provision of State law, if the provision of State law imposes
  requirements, standards, or implementation specifications that are more stringent
  than [those] imposed under the regulation.” Pub. L. No. 104-191 § 264(c)(2), 

  110 Stat. 1936

  , 2033-34. Implementing this statutory mandate, the Privacy Rule
  provides that the general rule of federal preemption of contrary state law will not
  occur if the state law is “more stringent” than the applicable standard promulgated
  in the Privacy Rule. 

  45 C.F.R. § 160.203

  (b) (2018). The state law is “more
  - 21 -
  stringent” where it meets one or more of several criteria including where state law
  prohibits or restricts a use or disclosure of PHI where the Privacy Rule would allow
  it (id. § 160.202(1) (defining “more stringent”)) or, generally, where the state law
  provides greater privacy protection (id. § 160.202(6) (same)). See South Carolina
  Medical Ass’n, 

  327 F.3d at 355

   (listing criteria).
  ¶ 76       Importantly, we add that these preemption provisions of HIPAA and the
  Privacy Rule speak in terms of a specific provision of HIPAA or the Privacy Rule
  and a specific provision of state law. In proposing the Privacy Rule, HHS explained
  what HIPAA requires as follows:
  “The initial question that arises in the preemption analysis is, what does one
  compare? The statute directs this analysis by requiring the comparison of a
  ‘provision of State law [that] imposes requirements, standards, or
  implementation specifications’ with ‘the requirements, standards, or
  implementation specifications imposed under’ the federal regulation. The
  statute thus appears to contemplate that what will be compared are the State and
  federal requirements that are analogous, i.e., that address the same subject
  matter.” 

  64 Fed. Reg. 59,918

  , 59,995 (proposed Nov. 3, 1999) (to be codified
  at 45 C.F.R. pts. 160 to 164) (quoting Pub. L. No. 104-191 § 264 (c)(2), 110
  Stat.1936, 2033-34).
  Therefore, when a court engages in a HIPAA preemption analysis, the issue is not
  whether HIPAA generally “is contrary to and more stringent than the entirety of a
  state’s laws on the privacy of a patient’s medical information. Rather, the issue is
  whether or not a specific provision of HIPAA is contrary to and more stringent than
  a specific provision of state law.” State ex rel. Proctor v. Messina, 

  320 S.W.3d 145

  ,
  149 (Mo. 2010) (en banc).
  ¶ 77                  2. Contested Provisions of Illinois Insurance Regulatory Law
  ¶ 78      Before this court, State Farm maintains its position that Illinois insurance
  regulatory law requires State Farm to use, disclose, and retain PHI for various
  regulatory purposes. We discuss each in turn.
  - 22 -
  ¶ 79        State Farm contends that “property and casualty insurers are legally required to
  retain documentation in their claim files for examination by regulators.” The
  Insurance Code prohibits insurers from engaging in improper claims practices. See
  215 ILCS 5/154, 154.6 (West 2018). To this end, section 919.30 of Title 50 of the
  Illinois Administrative Code requires insurers to make their claim files available to
  the Director of the Illinois Department of Insurance (Director) for examination
  upon request. 50 Ill. Adm. Code 919.30 (1989). Regarding examinations by the
  Director, section 919.30 provides in relevant part:
  “b) Each company shall maintain claim data that should be accessible and
  retrievable for examination by the Director. A company shall be able to provide
  the claim number, line of coverage, date of loss and date of payment of the
  claim, date of denial, or date claim closed without payment. This data must be
  available for all open and/or closed files for the current year and the two
  preceding years. The examiners’ review may include but need not be limited to
  an examination of the following claims:
  1) Claims Closed With Payment;
  2) Claims Denied;
  3) Claims Closed Without Payment;
  4) First Party Automobile Total Losses; and/or Subrogation Claims.
  c) Detailed documentation shall be contained in each claim file in order to
  permit reconstruction of the company’s activities relative to each claim file.”
  

  Id.

  Further, “documentation” includes “all pertinent communications, transactions,
  notes and work papers” “properly dated and compiled in sufficient detail in order
  to allow for the reconstruction of all pertinent events relative to each claim file.
  Documentation shall include but not be limited to bills, explanations of benefits and
  worksheets.” 50 Ill. Adm. Code 919.40 (1989).
  ¶ 80       State Farm argues that this regulation requires it to maintain, in each claim file,
  detailed documentation that includes medical bills, which necessarily contain PHI.
  - 23 -
  According to State Farm, this insurance examination process conflicts with the
  “return or destroy” requirement of the trial court’s QPOs.
  ¶ 81        We reject this argument. State Farm could establish its “activities relative to
  each file” by simply including in the file a copy of the QPO, specifying that the
  insurer was prohibited from using or disclosing PHI for any purpose other than the
  litigation and was required to return or destroy the PHI at the end of the litigation.
  The appellate court correctly reached a similar conclusion. See 

  2020 IL App (2d) 190499

  , ¶ 54.
  ¶ 82       State Farm next contends that property and casualty insurers are prohibited from
  destroying company records except in conformity with the requirements of the
  Insurance Code and its administrative regulations. State Farm relies on part 901 of
  Title 50 of the Illinois Administrative Code (50 Ill. Adm. Code 901 (2016)). Section
  901.5 provides that “[n]o domestic company shall destroy any books, records,
  documents, accounts or vouchers, hereafter referred to as ‘records’, except in
  conformity with the requirements of this Part.” 50 Ill. Adm. Code 901.5 (2016).
  Section 901.20 of Title 50 sets out a time period for the disposal and destruction of
  records:
  “The company is authorized to dispose of or destroy records in its custody
  that do not have sufficient administrative, legal or fiscal value to warrant their
  further preservation and are not needed:
  a) in the transaction of current business;
  b) for the final settlement or disposition of any claim arising out of a
  policy of insurance issued by the company, except that these records must
  be maintained for the current year plus 5 years; or
  c) to determine the financial condition of the company for the period
  since the date of the last examination report of the company officially filed
  with the Department of Insurance, except that these records must be
  maintained for at least the current year plus 5 years.” 50 Ill. Adm. Code
  901.20 (2016).
  Further, the term “records” is defined in section 901.10 of Title 50 as follows:
  - 24 -
  “ ‘Records’ material means all books, papers and documentary materials
  regardless of physical form or characteristics, made, produced, executed or
  received by any domestic insurance company pursuant to law or in connection
  with the transaction of its business and preserved or appropriate for preservation
  by such company or its successors as evidence of the organization, function,
  policies, decisions, procedures, obligations and business activities of the
  company or because of the informational data contained therein. If doubt arises
  as to whether certain papers are ‘non-record’ materials, it should be assumed
  that the documents are ‘records’.” 50 Ill. Adm. Code 901.10 (2016).
  Before this court, State Farm argues that this definition of “records” is broad
  enough to include medical bills and records. State Farm maintains its position that
  part 901 sets out a detailed process for the destruction of an insurer’s records, which
  conflicts with the trial courts’ QPOs.
  ¶ 83       We reject this argument. In this case, State Farm does not explain how
  plaintiffs’ PHI is “appropriate for preservation,” especially given that (1) the trial
  courts entered HIPAA QPOs expressly requiring the destruction of PHI within 60
  days after the conclusion of the litigation and (2) State Farm failed to cite any
  statute, regulation, or case law that affirmatively requires the retention of PHI or its
  use for a particular purpose. State Farm has made this argument in other courts,
  including the appellate court here, and those courts have correctly rejected it. See
  

  2020 IL App (2d) 190499

  , ¶ 59; State ex rel. State Farm Mutual Automobile
  Insurance Co. v. Marks, 

  741 S.E.2d 75

  , 83-84 (W. Va. 2012); Small v. Ramsey, 

  280 F.R.D. 264

  , 279-80 (N.D. W. Va. 2012). Further, as earlier noted, retention of a
  copy of the QPO in the file would explain why the PHI was not present. Thus, part
  901 of Title 50 of the Illinois Administrative Code does not support State Farm’s
  position.
  ¶ 84       State Farm next contends that the trial courts’ QPOs prevent insurers from
  performing functions related to fraud detection and deterrence. State Farm
  maintains its position that, because the Illinois Department of Insurance relies on
  property and casualty insurers to detect and combat insurance fraud, Illinois law
  authorizes them to report information, including PHI, to the Illinois Department of
  Insurance and insurance support organizations, such as the National Insurance
  Crime Bureau and the Insurance Services Organization. See 215 ILCS 5/155.23
  - 25 -
  (West 2018). State Farm argues that, if insurers must return to covered entities or
  destroy all PHI within 60 days of the end of litigation, they cannot later provide
  necessary information to help the state with fraud detection and prevention.
  ¶ 85      The statute State Farm cites authorizes the Director
  “to promulgate reasonable rules requiring insurers *** doing business in the
  State of Illinois to report factual information in their possession that is pertinent
  to suspected fraudulent insurance claims, fraudulent insurance applications, or
  premium fraud after [the Director] has made a determination that the
  information is necessary to detect fraud or arson. Claim information may
  include:
  (a) Dates and description of accident or loss.
  (b) Any insurance policy relevant to the accident or loss.
  (c) Name of the insurance company claims adjustor and claims adjustor
  supervisor processing or reviewing any claim or claims made under any
  insurance policy relevant to the accident or loss.
  (d) Name of claimant’s or insured’s attorney.
  (e) Name of claimant’s or insured’s physician, or any person rendering
  or purporting to render medical treatment.
  (f) Description of alleged injuries, damage or loss.
  (g) History of previous claims made by the claimant or insured.
  (h) Places of medical treatment.
  (i) Policy premium payment record.
  (j) Material relating to the investigation of the accident or loss, including
  statements of any person, proof of loss, and any other relevant evidence.
  (k) any facts evidencing fraud or arson.” 

  Id.

   § 155.23(1).
  - 26 -
  State Farm’s reliance on section 155.23 is unpersuasive for two reasons. First, the
  statute applies only to suspected fraudulent insurance claims or applications, or
  premium fraud, and only after the Director has determined that the information is
  necessary to detect fraud or arson. In this case, there is no indication of fraud and
  no evidence that the Director has determined that any PHI is necessary to detect
  fraud or arson. Therefore, there can be no factual information pertinent to any
  suspected fraud. Second, the statute requires an insurer to report only factual
  information in its possession. An insurer that has returned or destroyed PHI in
  accordance with a HIPAA QPO cannot violate the statute, because it does not
  possess any such information.
  ¶ 86       State Farm next asserts that the trial courts’ QPOs “impede compliance with
  federal reporting requirements.” State Farm argues that, under the Medicare
  secondary payor statute (42 U.S.C. § 1395y(b)(2) (2018)), “automobile or liability
  insurers must report payments made to Medicare beneficiaries, along with
  information about the alleged cause of injury, incident, or illness.” According to
  State Farm: “Retention of medical records is crucial to this process. Additionally,
  insurers need medical records if Medicare seeks recovery of a ‘conditional
  payment.’ ”
  ¶ 87       We also reject this argument. This statute does not require a liability insurer to
  retain PHI after litigation even for Medicare beneficiaries. If State Farm is to pay a
  settlement or judgment, all it need do is to report the payment and the alleged cause
  of injury. Id. § 1395y(b)(8)(B)(i), (ii). This does not require State Farm to retain or
  disclose PHI after the conclusion of litigation.
  ¶ 88       Lastly, State Farm maintains its position that Illinois law protects personal or
  privileged information received in handling claims while still allowing property and
  casualty insurers to make disclosures necessary for rate-making, anti-fraud
  programs, and consumer-protection research. Article XL of the Insurance Code
  provides as follows:
  “The purpose of this Article is to establish standards for the collection, use and
  disclosure of information gathered in connection with insurance transactions by
  insurance institutions, agents or insurance-support organizations; to maintain a
  balance between the need for information by those conducting the business of
  insurance and the public’s need for fairness in insurance information practices,
  - 27 -
  including the need to minimize intrusiveness; to establish a regulatory
  mechanism to enable natural persons to ascertain what information is being or
  has been collected about them in connection with insurance transactions and to
  have access to such information for the purpose of verifying or disputing its
  accuracy; to limit the disclosure of information collected in connection with
  insurance transactions; and to enable insurance applicants and policyholders to
  obtain the reasons for any adverse underwriting decision.” 215 ILCS 5/1001
  (West 2018).
  This provision does not contain any affirmative language that mandates the use,
  disclosure, or retention of PHI for any purpose.
  ¶ 89       State Farm has failed to direct us to, nor have we found, any provision of the
  Insurance Code or the Illinois Administrative Code that requires it to use or disclose
  plaintiffs’ PHI after the conclusion of the litigation. As such, we reject State Farm’s
  argument that the trial courts’ QPOs conflict with its obligations under state law.
  Since there is no conflict, the Privacy Rule does not preempt or otherwise nullify
  these specific provisions in the Insurance Code and its administrative regulations.
  ¶ 90                         G. Privacy Rule Preempts Cook County
  Standard Protective Order
  ¶ 91        State Farm assigns error to the conclusion of the trial and appellate courts that
  its alternative tendered protective orders are preempted by the Privacy Rule. State
  Farm argues that the absence of the “use or disclose” prohibition and the “return or
  destroy” requirement “cannot be an obstacle to accomplishing HIPAA’s full
  purposes and objectives” because those restrictions are not required for a court
  order pursuant to section 164.512(e)(1)(i). Rather, those restrictions apply only to
  discovery processes that are not accompanied by a court order. 

  45 C.F.R. § 164.512

  (e)(1)(ii) (2018).
  ¶ 92       We recognize that the Privacy Rule does not require a court order entered
  pursuant to section 164.512(e)(1)(i) to include the “use or disclose” prohibition and
  the “return or destroy” requirement of section 164.512(e)(1)(ii). This provision
  does not expressly dictate any criteria for judges to exercise their discretion.
  However, in response to a court order pursuant to section 164.512(e)(1)(i), a
  - 28 -
  covered entity may disclose “only the [PHI] expressly authorized by such order.”
  

  Id.

   § 164.512(e)(1)(i).
  ¶ 93       We must construe the language of section 164.512(e)(1) as a whole, in light of
  HIPAA and the entire Privacy Rule. See National Bank of Oregon, 

  508 U.S. at 455

  .
  Accordingly, we consider plaintiffs and State Farm to have followed the better
  approach in this litigation. Parties should first seek a protective order that meets the
  definition of a QPO under section 164.512(e)(1)(v) to pursue discovery under the
  provisions of section 164.512(e)(1)(ii). Should the parties then encounter any
  difficulty with the acquisition of necessary discovery, they may seek a court order
  as contemplated under section 164.512(e)(1)(i) for that specific, targeted
  information. See, e.g., Lohr v. UnitedHealth Group Inc., No. 1:12CV718, 

  2013 WL 4500692

  , at *5 (M.D.N.C. Aug. 21, 2013).
  ¶ 94       As earlier discussed, the Cook County standard protective order does not
  address what PHI the covered entity is expressly authorized to disclose. Therefore,
  we conclude that, in this case, a covered entity cannot comply with both the Privacy
  Rule and State Farm’s tendered protective orders. The Cook County standard
  protective order does not prohibit the insurer from using and disclosing PHI outside
  of litigation and does not require an insurer to return or destroy PHI at the
  conclusion of litigation. These concessions directly conflict with the requirements
  for a HIPAA QPO under section 164.512(e)(1)(v) of the Privacy Rule. Likewise,
  by eliminating the “use or disclose” prohibition and the “return or destroy”
  requirement, the Cook County standard protective order would not provide the
  confidentiality and protection of PHI envisioned when the Privacy Rule was
  promulgated. To accept State Farm’s argument would render superfluous and
  nugatory section 164.512(e)(1)(ii), which we cannot do. TRW Inc., 

  534 U.S. at 31

  .
  In other words, any requirement that an insurer be allowed to use and retain PHI
  beyond the conclusion of litigation would lower the floor of privacy protection that
  HIPAA and the Privacy Rule mandate. As such, the Cook County standard
  protective order acts as an obstacle to accomplishing and executing HIPAA’s full
  purposes and objectives. 

  45 C.F.R. § 160.202

   (2018).
  ¶ 95      Therefore, we hold that the Cook County standard protective order is preempted
  by the Privacy Rule. We next determine whether the McCarran-Ferguson Act
  - 29 -
  shields the Cook County standard protective order from traditional preemption.
  ¶ 96                                 H. Reverse Preemption
  ¶ 97       The trial courts asked the parties to address the implications of the McCarran-
  Ferguson Act (

  15 U.S.C. § 1011

   et seq. (2018)), which gives rise to the doctrine of
  “reverse preemption.” If applicable, the reverse preemption doctrine allows state
  laws that regulate insurance to prevail over general federal rules. Lovilia Coal Co.
  v. Williams, 

  143 F.3d 317

  , 324 (7th Cir. 1998); United States v. Rhode Island
  Insurers’ Insolvency Fund, 

  80 F.3d 616

  , 620 (1st Cir. 1996) (collecting cases). The
  parties did not argue that the McCarran-Ferguson Act applied in these cases, and
  the trial courts did not address the issue. The appellate court observed: “State Farm
  briefly mentions the McCarran-Ferguson Act in its brief but does not fully develop
  the issue. Nevertheless, we find it appropriate to briefly address this matter.” 

  2020 IL App (2d) 190499

  , ¶ 66. The appellate court held that the doctrine of reverse
  preemption did not apply to shield Illinois insurance law from Privacy Rule
  preemption. Id. ¶ 68.
  ¶ 98       Before this court, State Farm contends that the appellate court’s holding that the
  Privacy Rule preempts any conflicting state law is inconsistent with its holding that
  there is no conflict between the Privacy Rule and state law for reverse preemption
  purposes. State Farm misapprehends the McCarran-Ferguson Act and the reverse
  preemption doctrine.
  ¶ 99       As earlier mentioned, the general rule is that, “[w]here a state statute conflicts
  with, or frustrates, federal law, the former must give way.” CSX Transportation,
  507 U.S. at 663. However, the McCarran-Ferguson Act carved out an exception to
  this general rule where state laws regulate the “business of insurance.” 

  15 U.S.C. § 1011

   (2018). Section 2(b) of the McCarran-Ferguson Act provides: “No Act of
  Congress shall be construed to invalidate, impair, or supersede any law enacted by
  any State for the purpose of regulating the business of insurance *** unless such
  Act specifically relates to the business of insurance.” 

  Id.

   § 1012(b). The United
  States Supreme Court has explained:
  “[T]he Act does not seek to insulate state insurance regulation from the reach
  of all federal law. Rather, it seeks to protect state regulation primarily against
  - 30 -
  inadvertent federal intrusion—say, through enactment of a federal statute that
  describes an affected activity in broad, general terms, of which the insurance
  business happens to constitute one part.” (Emphasis omitted.) Barnett Bank of
  Marion County v. Nelson, 

  517 U.S. 25

  , 39 (1996).
  ¶ 100       The McCarran-Ferguson Act “transformed the legal landscape by overturning
  the normal rules of preemption.” United States Department of Treasury v. Fabe,
  

  508 U.S. 491

  , 507 (1993). Section 2(b) imposes “a rule that state laws enacted ‘for
  the purpose of regulating the business of insurance’ do not yield to conflicting
  federal statutes unless a federal statute specifically requires otherwise.” 

  Id.

   Under
  the McCarran-Ferguson Act, a state law will reverse preempt a federal law if (1) the
  state law was enacted for the purpose of regulating the business of insurance; (2) the
  federal law does not specifically relate to the business of insurance; and (3) the
  federal law would invalidate, impair, or supersede the state law. Humana Inc. v.
  Forsyth, 

  525 U.S. 299

  , 307 (1999). All three criteria must be satisfied for the
  doctrine of reverse preemption to preclude application of a federal law. See Lovilia
  Coal, 

  143 F.3d at 324

  ; Rhode Island Insurers’ Insolvency Fund, 

  80 F.3d at 619

  .
  ¶ 101       The appellate court concluded that “nothing in any Illinois statute or regulation
  State Farm cites requires the retention of PHI or its use for any particular purpose.
  Thus, the HIPAA qualified protective orders entered in this case do not ‘invalidate,
  impair, or supersede’ the Illinois statutes and regulations State Farm cites.” 

  2020 IL App (2d) 190499

  , ¶ 68. Therefore, the appellate court correctly held that the
  doctrine of reverse preemption does not apply in this case. 

  Id.

  ¶ 102       There is no inconsistency between this holding and our prior conclusion, with
  which the appellate court agreed, that the Privacy Rule preempts any conflicting
  state law. State Farm and plaintiffs agree with the appellate court’s holding that the
  McCarran-Ferguson Act does not apply here. Therefore, the doctrine of reverse
  preemption cannot shield the pertinent Illinois Insurance Code sections and
  regulations from federal preemption.
  ¶ 103                                   III. CONCLUSION
  ¶ 104       As a matter of law, we conclude as follows. The Privacy Rule applies in these
  cases to potentially preempt Illinois insurance regulatory law governing the use,
  - 31 -
  disclosure, and retention of PHI. The trial courts’ QPOs do not conflict with Illinois
  insurance regulatory law because nothing in the Insurance Code or administrative
  regulations mandates that a property and casualty insurer use, disclose, and retain
  PHI beyond litigation. However, the Cook County standard protective order is
  contrary to the Privacy Rule because it falls below the floor of privacy that the
  Privacy Rule mandates. Therefore, it is preempted by the Privacy Rule. Further, the
  reverse preemption doctrine provided by the McCarran-Ferguson Act does not
  shield the disputed provisions of Illinois insurance regulatory law from preemption.
  Therefore, we hold that the trial courts did not abuse their discretion in entering the
  QPOs pursuant to HIPAA and the Privacy Rule.
  ¶ 105       For the foregoing reasons, the judgment of the appellate court is affirmed, and
  the cases are remanded to the circuit court of Lake County for further proceedings.
  ¶ 106      Affirmed and remanded.
  - 32 -
  

• Sign In
• Sign Up