DocketNumber: 2-19-04992-19-0500
Citation Numbers: 2020 IL App (2d) 190499
Filed Date: 12/29/2020
Status: Precedential
Modified Date: 12/29/2020
Digitally signed by Reporter of Decisions Reason: I attest to Illinois Official Reports the accuracy and integrity of this document Appellate Court Date: 2020.12.29 15:39:19 -06'00' Haage v. Zavala,2020 IL App (2d) 190499
Appellate Court ROSEMARIE HAAGE, Plaintiff-Appellee, v. ALFONSO MONTIEL Caption ZAVALA, PATRICIA SANTIAGO, JOSE PACHECO- VILLANUEVO, OKAN ESMEZ, and ROSALINA ESMEZ, Defendants (State Farm Mutual Automobile Insurance Company, Intervenor-Appellant).–AGNIESZKA SURLOCK and EDWARD SURLOCK, Plaintiffs-Appellees, v. DRAGOSLAV STARCEVIC, Defendant (State Farm Mutual Automobile Insurance Company, Intervenor-Appellant). District & No. Second District Nos. 2-19-0499, 2-19-0500 cons. Filed March 13, 2020 Rehearing denied April 2, 2020 Decision Under Appeal from the Circuit Court of Lake County, Nos. 17-L-897, 18-L- Review 39; the Hon. Mitchell L. Hoffman and the Hon. Diane E. Winter, Judges, presiding. Judgment Affirmed. Counsel on Glen E. Amundsen and Michael Resis, of SmithAmundsen LLC, of Appeal Chicago, for appellant. Robert D. Fink and Kenneth A. Koppelman, of Collison Law Offices, of Chicago, for appellees. Panel JUSTICE HUDSON delivered the judgment of the court, with opinion. Presiding Justice Birkett and Justice Zenoff concurred in the judgment and opinion. OPINION ¶1 I. INTRODUCTION ¶2 This consolidated appeal concerns the scope of protective orders involving the disclosure of protected health information (PHI) to a property and casualty insurer. In each of the two underlying cases, plaintiffs sued to recover damages occasioned by the alleged negligence of defendants in driving their automobiles. Plaintiffs subsequently moved for the entry of qualified protective orders pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191,110 Stat. 1936
(1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)) (HIPAA qualified protective orders). Among other things, the protective orders proposed by plaintiffs would have (1) prohibited the parties and any other persons or entities from using or disclosing PHI for any purpose other than the litigation for which it was requested and (2) required the return or destruction of the PHI within 60 days after the conclusion of the litigation. See45 C.F.R. § 164.512
(e)(1)(v)(A), (B) (2018) (setting forth requirements for a qualified protective order under HIPAA). State Farm Mutual Automobile Insurance Company (State Farm), the liability insurer for at least one of the named defendants in each case, petitioned to intervene. After the circuit court of Lake County granted the petition in each case, State Farm filed objections to the HIPAA qualified protective orders. State Farm argued, inter alia, that the HIPAA qualified protective orders (1) sought to bind State Farm to the requirements of HIPAA although State Farm is expressly exempt from the statute’s application and (2) directly conflicted with State Farm’s obligations and rights under the Illinois Insurance Code (215 ILCS 5/1 et seq. (West 2018)) and the administrative regulations governing its business operations. State Farm requested that the trial court deny the HIPAA qualified protective orders and enter, pursuant to Illinois Supreme Court Rule 201(c)(1) (eff. May 29, 2014), protective orders similar to one used in the law division of the circuit court of Cook County (Cook County protective orders). The Cook County protective orders would permit insurance companies to “disclose, maintain, use, and dispose of PHI or what would otherwise be considered PHI to comply and conform with current and future applicable federal and state statutes, rules, and regulations” for certain designated purposes and exempt insurers from any “return or destroy” provisions. ¶3 Following a combined hearing and additional briefing, the trial court in each case granted plaintiffs’ motions for the HIPAA qualified protective orders and denied State Farm’s request for the Cook County protective orders. The trial courts determined, among other things, that (1) to the extent that State Farm’s obligations and rights under Illinois law conflict with HIPAA requirements, the federal statute and its regulations preempt state law and (2) any individual or entity receiving PHI in response to a HIPAA qualified protective order is bound to follow the terms of the order. State Farm filed an interlocutory appeal in each case, pursuant to Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017). On appeal, State Farm contends that the trial courts erred in granting plaintiffs’ motions for the HIPAA qualified protective orders. We -2- affirm. ¶4 II. BACKGROUND ¶5 To provide context to the parties’ arguments, we briefly review the relevant provisions of HIPAA before discussing the facts underlying this appeal. ¶6 A. HIPAA ¶7 In 1996, Congress passed, and President Clinton signed into law, HIPAA (Pub. L. No. 104- 191,110 Stat. 1936
(1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)). Among HIPAA’s purposes were to establish national privacy standards and fair information practices regarding individually identifiable health information. Brende v. Hara,153 P.3d 1109
, 1114 (Haw. 2007); see also Wade v. Vabnick-Wener,922 F. Supp. 2d 679
, 687 (W.D. Tenn. 2010) (“HIPAA embodies Congress’ recognition of ‘the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems.’ ” (quoting South Carolina Medical Ass’n v. Thompson,327 F.3d 346
, 348 (4th Cir. 2003))); Law v. Zuckerman,307 F. Supp. 2d 705
, 710 (D. Md. 2004) (“Congress enacted HIPAA, in part, to protect the security and privacy of individually identifiable health information.”); U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 1 (May 2003), https://www.hhs.gov/sites/ default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR] (“A major goal of [HIPAA] is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.”). To this end, HIPAA authorized the Secretary of the Department of Health and Human Services (HHS) to issue regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the passage of the statute. HIPAA, Pub. L. No. 104-191, § 264(c)(1),110 Stat. 1936
, 2033- 34 (1996); U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 1-2 (May 2003), https://www.hhs.gov/sites/default/files/privacy summary.pdf [https://perma.cc/F66C-T4TR]; Arons v. Jutkowitz,880 N.E.2d 831
, 840 (N.Y. 2007). Congress did not meet its self-imposed deadline, so HHS proposed and subsequently adopted the “Privacy Rule,” a series of regulations governing permitted uses and disclosures of PHI. Standards for Privacy of Individually Identifiable Health Information,65 Fed. Reg. 82,462
(Dec. 28, 2000); U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/ privacysummary.pdf [https://perma.cc/F66C-T4TR]; Arons, 880 N.E.2d at 840. The Privacy Rule is codified at parts 160 and 164 of Title 45 of the Code of Federal Regulations (45 C.F.R. pt. 160, 164 (2018)). U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/privacy summary.pdf [https://perma.cc/F66C-T4TR]; Arons, 880 N.E.2d at 840. ¶8 The Privacy Rule prohibits the use or disclosure of an individual’s PHI by a “covered entity” or “business associate” unless the individual has consented in writing or unless the use or disclosure is otherwise specifically permitted or required by the Privacy Rule.45 C.F.R. §§ 164.502
, 164.506, 164.508, 164.510, 164.512 (2018). With exceptions not relevant here, the Privacy Rule defines the term “protected health information” as “individually identifiable health information” transmitted by electronic media, maintained in electronic media, or -3- transmitted or maintained in any other form or medium.45 C.F.R. § 160.103
(2018). In turn, “individually identifiable health information” means information, including demographic data, that (1) relates to “the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual” and (2) “identifies the individual” or where “there is a reasonable basis to believe the information can be used to identify the individual.”45 C.F.R. § 160.103
(2018). A “covered entity” means “[a] health plan,” “[a] health care clearinghouse,” or “[a] health care provider who transmits any health information in electronic form” as those terms are defined in the regulation.45 C.F.R. § 160.103
(2018). A “business associate” is a person, other than a member of a covered entity’s workforce, who performs certain functions or activities on behalf of or provides certain services to a covered entity that involve the use or disclosure of PHI.45 C.F.R. § 160.103
(2018). ¶9 Relevant to this dispute, the Privacy Rule permits a “covered entity” to use or disclose PHI, in the course of any judicial or administrative proceeding, without the written authorization of the individual to whom it belongs.45 C.F.R. § 164.512
(e) (2018). However, the Privacy Rule places certain requirements on both the party providing the information and the party seeking it. U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 6 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]. Hence, a covered entity may disclose PHI expressly authorized by a court order.45 C.F.R. § 164.512
(e)(1)(i) (2018). A covered entity may also disclose PHI “[i]n response to a subpoena, discovery request, or other lawful process, not accompanied by an order of a court,” if the covered entity “receives satisfactory assurance *** from the party seeking the information” that the party has made reasonable efforts (1) to ensure that the individual who is the subject of the PHI has been given notice of the request or (2) to secure a qualified protective order.45 C.F.R. § 164.512
(e)(1)(ii) (2018). In addition, a covered entity may disclose PHI in response to “lawful process” without receiving satisfactory assurance from the requesting party if the covered entity itself makes reasonable efforts to notify the individual or seek a qualified protective order.45 C.F.R. § 164.512
(e)(1)(vi) (2018). With respect to PHI, a “qualified protective order” under the Privacy Rule means an order of the court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that (1) “[p]rohibits the parties from using or disclosing the [PHI] for any purpose other than the litigation or proceeding for which such information was requested” and (2) “[r]equires the return to the covered entity or destruction of the [PHI] (including all copies made) at the end of the litigation or proceeding.”45 C.F.R. § 164.512
(e)(1)(v)(A), (B) (2018). ¶ 10 HIPAA and its regulations establish a “uniform federal ‘floor’ of privacy protections for individual medical information.” Scott D. Stein, What Litigators Need to Know About HIPAA,36 J. Health L. 433
, 434 (2003); see also Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,471 (“The protections [(provided by HIPAA and its regulations)] are a mandatory floor, which other governments and any covered entity may exceed.”);45 C.F.R. § 164.502
(a) (2018). As a result, HIPAA preempts “contrary” state laws unless the state law is “more stringent” than the standards set forth in the Privacy Rule. 42 U.S.C. § 1320d-7 (2018);45 C.F.R. §§ 160.202
, 160.203(b), 164.502(a) (2018); Giangiulio v. Ingalls Memorial Hospital,365 Ill. App. 3d 823
, 840 (2006); Stein, supra, at 434. A state law is “contrary” to HIPAA if a “covered entity or business associate would find it impossible to -4- comply with both the State and Federal requirements” or if the “provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].”45 C.F.R. § 160.202
(2018). A state law is “more stringent” than HIPAA if the state law provides greater privacy protection or privacy rights.45 C.F.R. § 160.202
(2018); Giangiulio, 365 Ill. App. 3d at 840; Caldwell v. Chauvin,464 S.W.3d 139
, 153 (Ky. 2015) (“[I]f a ‘contrary’ [state] law requires a more stringent standard of privacy, HIPAA’s preemption provisions are inapplicable and state law controls.” (Emphasis in original.)). In addition, HIPAA will not preempt a contrary state law if the Secretary of HHS determines, in response to a request by the State, that, among other things, the state law is necessary for one of the specified purposes set forth in section 160.203(a)(1) of the Privacy Rule.45 C.F.R. §§ 160.203
(a)(1), 160.204 (2018). ¶ 11 B. Underlying Facts ¶ 12 1. Haage Complaint ¶ 13 On November 15, 2017, plaintiff, Rosemarie Haage, filed a five-count complaint against defendants Alfonso Montiel Zavala, Patricia Santiago, Jose Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez. The action arose out of a multi-vehicle collision near the intersection of Lakeview Parkway and Route 60 in Vernon Hills. Count I of the complaint alleged negligence on the part of Zavala, count II alleged negligent entrustment on the part of Santiago, count III alleged negligence on the part of Pacheco-Villanuevo, count IV alleged negligence on the part of Okan Esmez, and count V alleged negligent entrustment on the part of Rosalina Esmez. All counts sought to recover damages for, inter alia, Haage’s bodily injuries. ¶ 14 2. Surlock Complaint ¶ 15 On January 11, 2018, plaintiffs, Agnieszka and Edward Surlock, filed a two-count complaint against defendant Dragoslav Starcevic. The action arose out of an automobile accident between Agnieszka and Starcevic on January 24, 2016, at the intersection of Grand Avenue and Route 45 in Lindenhurst. Count I of the complaint alleged negligence and sought to recover damages for, inter alia, Agnieszka’s bodily injuries. Count II of the complaint alleged loss of consortium on behalf of Edward, Agnieszka’s husband. ¶ 16 3. Motions for Entry of Protective Orders ¶ 17 On August 23, 2018, the Surlocks and Haage each filed a “Motion for Entry of Protective Order and Authorization to Disclose Protected Health Information” in their respective lawsuits. The motions alleged that Agnieszka’s and Haage’s treating physicians, hospitals, and other healthcare providers, all of whom are “covered entities” as defined by the Privacy Rule, possess their PHI. The motions further alleged that both the prosecution and the defense in each case “will require that the parties, their attorneys, their attorneys’ agents, consultants and various witnesses and other personnel receive and review copies of the protected health information” but that HIPAA “potentially prohibits covered entities from disclosing protected health information in judicial proceedings other than by authorization or Qualified Protective Order.” See45 C.F.R. § 164.512
(e) (2018). Accordingly, the Surlocks and Haage requested HIPAA qualified protective orders permitting the use and disclosure of PHI pertaining to Agnieszka and Haage. Relevant to these appeals, the HIPAA qualified protective orders proposed by the Surlocks and Haage would (1) require any person or entity in possession of -5- PHI received pursuant to the protective order, including an insurance company, to return or destroy any and all PHI pertaining to the plaintiffs within 60 days after the conclusion of the litigation (45 C.F.R. § 164.512
(e)(1)(v)(B) (2018)) and (2) prohibit the parties, their attorneys, and their insurers from using or disclosing PHI for any purpose other than the litigation at issue (45 C.F.R. § 164.512
(e)(1)(v)(A) (2018)). A hearing on plaintiffs’ motions was scheduled for October 6, 2018. ¶ 18 4. Petitions to Intervene ¶ 19 On September 17, 2018, State Farm filed a petition to intervene in the Surlock case as a matter of right pursuant to section 2-408(a)(2) of the Code of Civil Procedure (Code) (735 ILCS 5/2-408(a)(2) (West 2018)). On September 28, 2018, State Farm filed a nearly identical petition to intervene in the Haage litigation. State Farm sought to intervene on the basis that, as the liability insurer for Starcevic and at least one of the named defendants in the Haage case, the proposed HIPAA qualified protective orders would impose upon it “significant restrictions and obligations.” State Farm asserted that it met the threshold requirements to intervene as of right pursuant to section 2-408(a)(2) of the Code because (1) its petitions were timely, having been filed before the entry of the HIPAA qualified protective orders, (2) representation of its interest by existing parties would be inadequate, as the attorneys representing its policyholders are not conversant with either the legal issues raised by the proposed HIPAA qualified protective orders or the laws and regulations applicable to State Farm’s business operations, and (3) the negative effect on State Farm if the HIPAA qualified protective orders were entered is of no concern or consequence to State Farm’s policyholders. Over plaintiffs’ objections, the trial court granted State Farm’s petitions to intervene and allowed State Farm leave to file objections to the HIPAA qualified protective orders. ¶ 20 5. State Farm’s Objections ¶ 21 In support of its objections, State Farm initially argued that the HIPAA qualified protective orders proposed by plaintiffs seek to bind it to HIPAA’s requirements, even though it is exempt from the statute’s application. In this regard, State Farm asserted that, as a property and casualty insurer, it is not a “covered entity” under HIPAA. State Farm also argued that restrictions in the proposed HIPAA qualified protective orders would directly conflict with its obligations and rights under Illinois law in two principal ways. First, State Farm asserted that requiring it to return or destroy all copies of PHI following the conclusion of the litigation would interfere with its obligations under provisions of both the Illinois Insurance Code and the Illinois Administrative Code, which require it to maintain a complete record of all books, records, and accounts, including claim files and claim data, and to make that information available for examination upon request to the Illinois Department of Insurance. See 215 ILCS 5/133(2) (West 2018); 50 Ill. Adm. Code 919.30 (1989). According to State Farm, this would encompass medical records and PHI produced to it. State Farm maintained that its failure to comply with its obligations under Illinois law could subject the company to possible disciplinary action by the state. Second, State Farm asserted that restricting the use of the PHI to the litigation at issue would interfere with its rights under Illinois law to use plaintiffs’ information to perform “certain insurance functions,” including (1) claims administration; (2) the detection, investigation, or reporting of actual or potential fraud, misrepresentation, or criminal activity; (3) underwriting; (4) ratemaking and guaranty fund functions; -6- (5) reinsurance and excess loss insurance; and (6) actuarial, scientific, medical, or public policy research. ¶ 22 State Farm also questioned the use of a qualified protective order in light of the fact that the Privacy Rule provides that PHI may be produced in litigation by several other procedures that would not impede the access, use, and retention of medical records by a property and casualty insurer. See45 C.F.R. §§ 164.502
(b)(2), 164.508, 164.512(e)(1)(i), (ii) (2018). As an alternative to plaintiffs’ proposed HIPAA qualified protective orders, State Farm urged the courts to adopt and enter, pursuant to Illinois Supreme Court Rule 201(c)(1) (eff. May 29, 2014), the Cook County protective order, which is the standard “HIPAA Protective Order” used by the law division of the circuit court of Cook County pursuant to General Administrative Order 17-4 (Cook County Cir. Ct. Law Div. Gen. Adm. Order 17-4 (Dec. 15, 2017)). 1 Paragraph two of the Cook County protective order permits insurance companies to “disclose, maintain, use, and dispose of PHI or what would otherwise be considered PHI to comply and conform with current and future applicable federal and state statutes, rules, and regulations” for the 11 designated purposes enumerated therein. Cook County Cir. Ct. Law Div. Gen. Adm. Order 17-4 (Dec. 15, 2017). The Cook County protective order also exempts insurance companies from any “return or destroy” provision, but only for the purposes listed in paragraph two. Cook County Cir. Ct. Law Div. Gen. Adm. Order 17-4 (Dec. 15, 2017). State Farm maintained that the Cook County protective order “omits unnecessary restrictions and explicitly accommodates casualty insurers’ obligations under applicable state and federal law.” ¶ 23 6. Plaintiffs’ Replies to State Farm’s Objections ¶ 24 In their replies to State Farm’s objections, plaintiffs argued that, absent a waiver from the federal government, HIPAA prohibits the use or disclosure of PHI for any purpose other than the litigation or proceeding for which such information was requested and requires the return or destruction of PHI at the end of the litigation or proceeding. See45 C.F.R. § 164.512
(e)(1)(v)(A), (B) (2018). Thus, plaintiffs reasoned, to the extent that any state law or regulation permits State Farm to use, store, maintain, or distribute PHI outside the scope of litigation and for their own business operations, it is preempted by HIPAA. See 42 U.S.C. § 1320d-7 (2018);45 C.F.R. § 160.203
(2018) (providing that a standard, requirement, or implementation specification adopted under HIPAA regulations that is contrary to a provision of state law preempts the state law provision). 1 After State Farm petitioned to intervene, General Administrative Order 17-4 was vacated by the law division of the circuit court of Cook County, pursuant to General Administrative Order 18-1 (Cook County Cir. Ct. Law Div. Gen. Adm. Order 18-1 (Oct. 29, 2018)). General Administrative Order 18-1 adopted a “HIPAA Qualified Protective Order” to replace the standard “HIPAA Protective Order” that had been previously used under General Administrative Order 17-4. Other than some minor modifications, the “HIPAA Qualified Protective Order” approved by General Administrative Order 18- 1 is nearly identical to the standard “HIPAA Protective Order” adopted pursuant to General Administrative Order 17-4. General Administrative Order 18-1 is the subject of Proposal 18-01, which would amend Illinois Supreme Court Rule 218 (eff. July 1, 2014). A public meeting regarding Proposal 18-01 was held before the Illinois Supreme Court Rules Committee on June 19, 2019. At oral argument, the parties represented that, to the best of their knowledge, no additional action has been taken with respect to Proposal 18-01. -7- ¶ 25 Plaintiffs further asserted that no fact or law supports State Farm’s claim that their proposed HIPAA qualified protective orders impose upon insurers undue restrictions or obligations. According to plaintiffs, there is no language in either the Illinois Insurance Code or the Illinois Administrative Code requiring non-health insurers to retain PHI and there has never been a disciplinary action taken against State Farm for failing to maintain PHI despite the entry each year of thousands of HIPAA qualified protective orders. Thus, plaintiffs concluded, their proposed HIPAA qualified protective orders do not place any obligations or restrictions on State Farm that would affect the reporting obligations of non-health insurers. Plaintiffs also disputed State Farm’s claim that it requires PHI in order to perform “certain insurance functions,” arguing that State Farm failed to cite any policies or regulations that would require the use of PHI for such purposes. Plaintiffs further posited that, even if State Farm is correct and Illinois law does require it to maintain PHI for purposes other than the litigation, any statute or regulation would be preempted by HIPAA. ¶ 26 Plaintiffs also asserted that whether State Farm is exempt from HIPAA because it is not a “covered entity” is “a moot point” because a determination of that issue does not control a court’s ability to enter a HIPAA qualified protective order restricting what a “non-covered entity” can do with PHI received from a covered entity. In this regard, State Farm obtains the ability to review plaintiffs’ PHI only because of a valid protective order. Thus, if State Farm wishes to access the PHI at issue, it must abide by the terms of any HIPAA qualified protective order entered by the court. Plaintiffs concluded that, if State Farm’s arguments are accepted, then a court could never enter a meaningful protective order that would require the destruction of PHI at the conclusion of litigation, as clearly required by HIPAA. ¶ 27 7. Trial Court Proceedings and Orders ¶ 28 On February 13, 2019, the trial courts held a combined hearing on plaintiffs’ motions for HIPAA protective orders. On May 15, 2019, following additional briefing by the parties, the trial courts issued a memorandum opinion and order granting plaintiffs’ motions. In so ruling, the trial courts determined that, to the extent that State Farm’s obligations and rights under Illinois law conflict with HIPAA’s requirements, the federal statute preempts state law. The courts noted that it would be impossible to comply with both Illinois law and HIPAA requirements for a qualified protective order. Specifically, in direct conflict with HIPAA, adoption of the Cook County protective order would allow insurance companies to disclose, maintain, use, and dispose of PHI outside of the litigation and would not require insurers to return the PHI at the end of the litigation. See45 C.F.R. § 164.512
(e)(1)(v)(A), (B) (2018). The courts also concluded that State Farm’s interpretation of Illinois law defeats the full purposes and objectives of HIPAA. In this regard, the courts determined that, by eliminating the two requirements for a HIPAA qualified protective order, the Cook County order would not provide the confidentiality and protection of PHI envisioned when the Privacy Rule was enacted and would lower the protective floor that Congress provided in enacting HIPAA. ¶ 29 Next, the courts addressed State Farm’s claim that plaintiffs’ proposed HIPAA qualified protective orders seek to bind it to HIPAA’s requirements although it is expressly exempt from the statute’s application. While the courts agreed that, as a property and casualty liability insurer, State Farm is not a covered entity under HIPAA, they also determined that State Farm is not exempt from obeying a protective order entered with respect to PHI that has been produced by a covered entity. The courts concluded that all parties receiving PHI must follow -8- the qualified protective order, regardless of whether they are covered entities under HIPAA in the first instance. The courts reasoned that a qualified protective order would “lose[ ] its effectiveness” in protecting an individual’s PHI if a noncovered entity may ignore the restrictions required by HIPAA. The courts further concluded that Congress could not have intended that, at the close of litigation, noncovered entities may use PHI for their own private business purposes simply by virtue of their status as a noncovered entity. ¶ 30 Finally, the courts considered whether to avoid conflict with State Farm’s alleged obligations and rights under Illinois law by treating plaintiffs’ motions as proposals for a court order pursuant to45 C.F.R. § 164.512
(e)(1)(i) (2018) instead of as “qualified protective order[s]” accompanying “a subpoena, discovery request, or other lawful process” pursuant to45 C.F.R. § 164.512
(e)(1)(ii) (2018). The courts acknowledged that the Privacy Rule provides several different methods by which a covered entity may disclose PHI, but they noted that plaintiffs elected to seek HIPAA qualified protective orders under45 C.F.R. § 164.512
(e)(1)(ii) (2018). As such, the courts concluded, it was “irrelevant” whether a different method could be used that would avoid conflict with State Farm’s alleged obligations and rights under Illinois law. ¶ 31 Accordingly, the courts denied State Farm’s request for the Cook County protective orders and granted plaintiffs’ motions for the HIPAA qualified protective orders. On May 15, 2019, the court in the Surlock case entered a HIPAA qualified protective order. On May 16, 2019, the court in the Haage case entered a HIPAA qualified protective order. Relevant here, the HIPAA qualified protective orders entered by the courts provided: “8. Within 60 days after the conclusion of the litigation, including appeals, the parties, their attorneys, insurance companies and any person or entity in possession of PHI received pursuant to this Order, shall return Plaintiff’s PHI to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff, including any electronically stored copy or image, except that counsel are not required to secure the return or destruction of PHI submitted to the Court. *** 12. All requests by or on behalf of any Defendant for protected health information, including but not limited to subpoenas, shall be accompanied by a complete copy of this Order. The parties—including their insurers and counsel—are prohibited from using or disclosing protected health information for any purpose other than this litigation. ‘Disclose’ shall have the same *** scope and definition as set forth in45 C.F.R. § 160.103
: ‘the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.’ ” (Emphases added.) ¶ 32 8. Postentry Proceedings ¶ 33 On June 6, 2019, State Farm filed a motion to stay portions of the HIPAA qualified protective orders, pursuant to Illinois Supreme Court Rule 305(b) (eff. July 1, 2017), pending interlocutory appeal by State Farm. On June 12, 2019, State Farm filed a notice of interlocutory appeal in each case pursuant to Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017) (allowing an appeal to be taken to the appellate court from an interlocutory order granting, modifying, refusing, dissolving, or refusing to dissolve or modify an injunction). On June 26, 2019, this court granted State Farm’s motion to consolidate the appeals. On June 28, 2019, plaintiffs filed with this court a motion to dismiss the appeals as improper under Rule 307(a)(1). -9- This court denied plaintiffs’ motion to dismiss on July 10, 2019. See In re Appointment of Special Prosecutor,2017 IL App (1st) 161376
, ¶ 31 (“A protective order ‘circumscribing the publication of information is reviewable as an interlocutory injunctive order, pursuant to Rule 307(a)(1).’ ” (quoting Skolnick v. Altheimer & Gray,191 Ill. 2d 214
, 221 (2000))); see also In re Daveisha C.,2014 IL App (1st) 133870
, ¶ 25 (holding that Rule 307(a)(1) allows review of an order granting or denying injunctive relief, including a protective order entered during the discovery phase of the proceedings); Bush v. Catholic Diocese of Peoria,351 Ill. App. 3d 588
, 590 (2004) (deciding interlocutory appeal pursuant to Rule 307(a)(1) from entry of protective order). ¶ 34 III. ANALYSIS ¶ 35 On appeal, State Farm argues that it is not a “covered entity” subject to HIPAA and that, therefore, the trial court erred in finding that HIPAA and the Privacy Rule preempted its obligations under state law. State Farm further contends that the HIPAA qualified protective orders entered by the trial courts conflict in two principal ways with the use, retention, and disclosure of PHI authorized by the Illinois Insurance Code and the Illinois Administrative Code. First, the protective orders limit the use of PHI to the litigation in which it was produced. Second, they require the return or destruction of records containing PHI within 60 days of the conclusion of the litigation. In the interests of consistency and uniformity, State Farm requests that this court vacate the HIPAA qualified protective orders and enter in their stead the Cook County protective orders. ¶ 36 In response, plaintiffs contend that the trial court did not err in entering the HIPAA qualified protective orders. Plaintiffs do not dispute that State Farm is not a “covered entity” under HIPAA, but they argue that this fact does not discharge State Farm from obeying a protective order entered by the court with respect to PHI that has been produced by a “covered entity.” Plaintiffs further argue that neither the Illinois Insurance Code nor the administrative regulations governing insurers’ business operations require State Farm to retain PHI. ¶ 37 A. Covered Entity ¶ 38 State Farm initially argues that, as a property and casualty insurer, it is not a “covered entity” under HIPAA and, therefore, is not subject to HIPAA’s Privacy Rule. Whether State Farm falls within the definition of a “covered entity” for purposes of HIPAA requires us to construe the Privacy Rule. “Because administrative regulations have the force and effect of law, the familiar rules that govern construction of statutes also apply to the construction of administrative regulations.” Kean v. Wal-Mart Stores, Inc.,235 Ill. 2d 351
, 368 (2009). The cardinal rule of statutory construction is to ascertain and give effect to the intent of the drafter. State Bank of Cherry v. CGB Enterprises, Inc.,2013 IL 113836
, ¶ 56. The most reliable indicator of the drafter’s intent is the language of the regulation itself, which must be given its plain and ordinary meaning. State Bank of Cherry,2013 IL 113836
, ¶ 56. If the language of the enactment is clear, we must apply it as written, without resort to extrinsic aids. State Bank of Cherry,2013 IL 113836
, ¶ 56. Moreover, we will not depart from the plain meaning of an administrative regulation by reading into it exceptions, limitations, or conditions that conflict with the expressed intent. State Bank of Cherry,2013 IL 113836
, ¶ 56. Statutory construction presents a question of law subject to de novo review. Van Dyke v. White,2019 IL 121452
, ¶ 45. - 10 - ¶ 39 The Privacy Rule defines a “covered entity” as a “health plan,” “health care clearinghouse,” or “health care provider who transmits any health information in electronic form.”45 C.F.R. § 160.103
(2018). In turn, each of these three entities has its own statutory definition. The term “health plan” is defined as “an individual or group plan that provides, or pays the cost of, medical care” but excludes “[a]ny policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in *** 42 U.S.C. § 300gg-91(c)(1).”45 C.F.R. § 160.103
(2018). “Excepted benefits” include benefits under “[l]iability insurance, including general liability insurance and automobile liability insurance.” 42 U.S.C. § 300gg- 91(c)(1)(C) (2018). Here, State Farm presents itself as a property and casualty insurer that insures its policyholders against the risk of third-party liability for bodily injury and property damage that results from an accident. Plaintiffs do not dispute this portrayal of State Farm. Indeed, State Farm’s description comports with the generally recognized definitions of automobile, liability, property, and casualty insurance—an agreement to indemnify against property damage or loss. See Black’s Law Dictionary (11th ed. 2019) (defining “automobile insurance” as “[a]n agreement to indemnify against one or more kinds of loss associated with the use of an automobile, including damage to a vehicle and liability for personal injury”); Black’s Law Dictionary (11th ed. 2019) (defining “casualty insurance” as “[a]n agreement to indemnify against loss resulting from a broad group of causes such as legal liability, theft, accident, property damage, and workers’ compensation”); Black’s Law Dictionary (11th ed. 2019) (defining “liability insurance” as “[a]n agreement to cover a loss resulting from the insured’s liability to a third party, such as a loss incurred by a driver who injures a pedestrian, and [usually] to defend the insured or to pay for a defense regardless of whether the insured is ultimately found liable”); Black’s Law Dictionary (11th ed. 2019) (defining “property insurance” as “[a]n agreement to indemnify against property damage or destruction”). In light of the foregoing, we agree that State Farm, as a property and casualty insurer, does not constitute a “health plan” as defined by the Privacy Rule. ¶ 40 Likewise, State Farm does not constitute a “health care clearinghouse” or a “health care provider” as those terms are defined by the Privacy Rule. A “health care clearinghouse” is defined as a public or private entity that either “[p]rocesses or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction” or “[r]eceives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity.”45 C.F.R. § 160.103
(2018). There is no evidence that State Farm performs either of the functions that would qualify it as a “health care clearinghouse.” A “health care provider” means “a provider of services (as defined in section 1861(u) of the [Social Security] Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in section 1861(s) of the [Social Security] Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.”45 C.F.R. § 160.103
(2018). With exceptions not relevant here, a “provider of services” is “a hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, [or] hospice program.” 42 U.S.C. § 1395x(u) (2018). A “provider of medical or health services” includes, inter alia, physician services, services and supplies furnished incident to a physician’s services, hospital services, and diagnostic tests. 42 U.S.C. § 1395x(s) (2018). There is no evidence that State Farm is a provider of services, a provider of medical or health - 11 - services, or one who furnishes, bills, or is paid for health care in the normal course of business. Because State Farm does not fall within the definition of a “health plan,” “health care clearinghouse,” or “health care provider,” we conclude that it is not a covered entity for purposes of HIPAA. See Small v. Ramsey,280 F.R.D. 264
, 276 (N.D. W. Va. 2012) (“This Court finds no language extending the provision of the HIPPA [sic] statutes [citation] and regulations [citation] to liability insurers ***.”). ¶ 41 B. Application of HIPAA ¶ 42 The trial courts agreed that State Farm, as a property and casualty insurer, is not a covered entity under HIPAA. They then determined that State Farm’s status as a “non-covered entity” did not exempt it from obeying a protective order entered with respect to PHI produced by a covered entity. The trial courts held that all parties receiving PHI are bound to follow a HIPAA qualified protective order regardless of whether the party is a covered entity under HIPAA in the first instance, reasoning that a qualified protective order would “lose[ ] its effectiveness in protecting a patient’s PHI if a non-covered entity may ignore the restrictions required by HIPAA.” The question thus becomes whether a “non-covered entity” that receives PHI from a covered entity in response to a HIPAA qualified protective order is bound to comply with any of the order’s restrictions regarding the use and disclosure of PHI. State Farm insists that, because it is not a covered entity, it is not subject to any use or disclosure restrictions. Plaintiffs counter that, although State Farm is not a covered entity for purposes of HIPAA, this fact does not discharge it from obeying a HIPAA qualified protective order entered with respect to PHI that has been produced by a covered entity. Whether State Farm’s status as a “non-covered entity” exempts it from obeying the terms of a HIPAA qualified protective order requires us to construe the Privacy Rule. As such, it presents an issue of statutory construction, which is subject to de novo review. Van Dyke,2019 IL 121452
, ¶ 45; State Bank of Cherry,2013 IL 113836
, ¶ 22. ¶ 43 Section 164.512(e) of the Privacy Rule (45 C.F.R. § 164.512
(e) (2018)) governs the circumstances under which a covered entity may disclose PHI to another party, in the course of a judicial proceeding. Section 164.512(e)(1)(i) permits a covered entity to disclose specified PHI in the course of a judicial proceeding, “[i]n response to an order of a court.”45 C.F.R. § 164.512
(e)(1)(i) (2018). Section 164.512(e)(1)(ii) permits a covered entity to disclose PHI in the course of a judicial proceeding, “[i]n response to a subpoena, discovery request, or other lawful process” that is not accompanied by an order of a court, if: “(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or (B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.”45 C.F.R. § 164.512
(e)(1)(ii)(A), (B) (2018). For the purposes of paragraph (e)(1)(ii)(B), a covered entity receives satisfactory assurances from a party seeking PHI if the covered entity receives from such party a written statement and - 12 - accompanying documentation demonstrating that “[t]he parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court *** with jurisdiction over the dispute” or “[t]he party seeking the [PHI] has requested a qualified protective order from such court.”45 C.F.R. § 164.512
(e)(1)(iv) (2018). Further, paragraph (e)(1)(v) states: “For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to [PHI] requested under paragraph (e)(1)(ii) of this section, an order of a court *** that: (A) Prohibits the parties from using or disclosing the [PHI] for any purpose other than the litigation or proceeding for which such information was requested; and (B) Requires the return to the covered entity or destruction of the [PHI] (including all copies made) at the end of the litigation or proceeding.”45 C.F.R. § 164.512
(e)(1)(v) (2018). Thus, in the absence of an order of the court, HIPAA authorizes a covered entity to disclose PHI in a judicial proceeding, pursuant to a subpoena, discovery request, or other lawful process, provided that adequate notice was given to the individual whose information is to be produced or a qualified protective order containing the specified restrictions has been entered in the litigation. ¶ 44 It is important to note that State Farm is not the disclosing party in this case. Rather, it is the party wishing to obtain PHI. In this regard, after plaintiffs moved for the HIPAA qualified protective orders with respect to the disclosure of their PHI, State Farm intervened and filed objections, requesting entry of an alternative HIPAA protective order, the Cook County protective order. As the plain language of the Privacy Rule indicates, a covered entity may disclose PHI to State Farm only if the protective order meets the requirements of section 164.512(e)(1)(v) of the Privacy Rule (45 C.F.R. § 164.512
(e)(1)(v) (2018)). Yet, the Cook County protective order would exempt State Farm from any obligation to limit the use or disclosure of PHI to the litigation or to return or destroy the PHI at the end of the litigation. State Farm cites no provision in HIPAA, the Privacy Rule, any other regulations, or case law that would allow such exemptions. Again, State Farm obtains the ability to review plaintiffs’ PHI only in response to a protective order issued in accordance with the requirements of section 164.512(e)(1)(v) (45 C.F.R. § 164.512
(e)(1)(v) (2018)). Hence, if State Farm wishes to access the PHI at issue, it must abide by the terms of the HIPAA qualified protective orders entered by the court. Accordingly, we agree with the trial courts and conclude that State Farm, as an entity wishing to receive PHI from a covered entity in response to a HIPAA qualified protective order, is bound to comply with the use and disclosure restrictions set forth in the orders. ¶ 45 Citing various extrinsic sources, including the Federal Register, State Farm contends that the trial courts’ reasoning “ignores that possession of PHI does not convert a non-covered entity into a covered entity under HIPAA and its regulations.” To be sure, the passages State Farm cites support the notion that Congress did not intend property and casualty insurers to constitute “covered entities” for purposes of HIPAA. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,567 (“Congress did not include life insurers and casualty insurance carriers as ‘health plans’ for purposes of this rule and therefore they are not covered entities.”); Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,568 (“[P]roperty and casualty insurers *** are not covered entities, as they - 13 - do not meet the statutory definition of ‘health plan.’ ”); Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,578 (“ ‘[E]xcepted benefits’ as defined under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for purposes of this rule.”). Indeed, as explained earlier, we have no quarrel with State Farm’s proposition. The passages it cites, however, say nothing about whether a noncovered entity is exempt from obeying a HIPAA qualified protective order entered with respect to PHI that has been produced by a covered entity. ¶ 46 State Farm further asserts that HHS has recognized that the Privacy Rule does not protect all PHI “wherever it is found.” In support of this position, State Farm directs us to the following passages from a report authored by HHS: “The HIPAA Rules apply only to organizations known as covered entities and their business associates. HIPAA does not apply to individuals or to other types of organizations that do not qualify as covered entities or business associates, even those that may handle or store an individual’s health information. *** The HIPAA Privacy Rule does not protect all health information wherever it is found. Because the rules apply only to covered entities and their business associates, the protections do not extend to data about the health of individuals held by [noncovered entities].” U.S. Dep’t of Health & Human Servs., Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA 13, 15 (June 17, 2016), https://www.healthit.gov/sites/default/files/non-covered_ entities_report_june_17_2016.pdf [https://perma.cc/3HRT-TMA7]. State Farm’s reliance on this passage is unpersuasive. While the Privacy Rule does not protect all health information wherever it is found, nothing in the language quoted above indicates that a noncovered entity is exempt from obeying a HIPAA qualified protective order entered with respect to PHI that it has received from a covered entity in response to a HIPAA qualified protective order. ¶ 47 State Farm also asserts that “[a] plaintiff should be well-aware that PHI disclosed by a covered entity to the recipient has the potential to be subject to redisclosure by the recipient.” In support of this assertion, State Farm relies on section 164.508(c)(2)(iii) of the Privacy Rule (45 C.F.R. § 164.508
(c)(2)(iii) (2018)). Section 164.508 of the Privacy Rule is entitled “Uses and disclosures for which an authorization is required.”45 C.F.R. § 164.508
(2018). It sets forth the process by which a covered entity may disclose PHI with a valid authorization. See45 C.F.R. § 164.508
(2018). To be “valid” for purposes of section 164.508, the authorization must, among other things, “contain statements adequate to place the individual on notice of *** [t]he potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.”45 C.F.R. § 164.508
(c)(2)(iii) (2018). Section 164.508 makes clear that redisclosure in this context applies only with respect to PHI disclosed with a valid authorization. In this case, we are not dealing with the disclosure of PHI pursuant to a valid authorization. Thus, State Farm’s reliance on this provision is misplaced. ¶ 48 Citing a passage from the Federal Register, State Farm next observes that HHS has stated that, because its jurisdiction under the statute is limited to covered entities, “once protected health information leaves the purview of *** [a] covered entit[y], *** the information is no longer afforded protection under this rule.” Standards for Privacy of Individually Identifiable - 14 - Health Information, 65 Fed. Reg. at 82,567. Again, nothing in the language of this passage indicates that a noncovered entity is exempt from obeying the restrictions in a HIPAA qualified protective order entered with respect to PHI that has been produced by a covered entity. ¶ 49 In short, while State Farm is not a “covered entity” under HIPAA, it has not directed us to any specific language in HIPAA, the Privacy Rule, or any other regulation, authority, or case law indicating that a noncovered entity that receives PHI from a covered entity in response to a HIPAA qualified protective order is exempt from complying with the order’s restrictions regarding the use or disclosure of the PHI. Thus, if State Farm wishes to access the PHI at issue, it must abide by the terms of the HIPAA qualified protective orders entered by the trial courts. ¶ 50 C. Illinois Law ¶ 51 Next, State Farm argues that the trial courts erred in entering the HIPAA qualified protective orders because they conflict with State Farm’s obligations under state law. According to State Farm, it must be permitted to use and retain plaintiffs’ PHI to fulfill its obligation with respect to various provisions of the Illinois Insurance Code (215 ILCS 5/1 et seq. (West 2018)) and the administrative regulations governing its business operations. As a result, State Farm maintains, the trial courts should instead have entered the Cook County protective orders. According to State Farm, the Cook County protective order “strikes the proper balance between a litigant’s interest in PHI and the State’s interest in allowing property and casualty insurers to retain PHI beyond litigation.” ¶ 52 To begin, State Farm directs us to article XL of the Insurance Code (215 ILCS 5/1001 et seq. (West 2018)), which is titled “Insurance Information and Privacy Protection.” 215 ILCS 5/art. XL (West 2018). One of the stated purposes of article XL is to “maintain a balance between the need for information by those conducting the business of insurance and the public’s need for fairness in insurance information practices, including the need to minimize intrusiveness.” 215 ILCS 5/1001 (West 2018). Citing section 1014 of article XL (215 ILCS 5/1014 (West 2018)), State Farm argues that Illinois law protects personal or privileged information received in handling claims while still allowing property and casualty insurers to make disclosures reasonably necessary to rate-making, anti-fraud programs, consumer- protection research, and regulatory compliance. Specifically, section 1014 provides that “[a]n insurance institution, agent or insurance-support organization shall not disclose any personal or privileged information about an individual collected or received in connection with an insurance transaction unless the disclosure” meets one of the enumerated exceptions. (Emphasis added.) 215 ILCS 5/1014 (West 2018). However, as plaintiffs point out, there is a clear difference between language stating that an insurer “shall not disclose” personal or privileged information and language mandating the retention or use of PHI for a particular purpose. The passage to which State Farm directs us does not contain any mandatory affirmative language requiring the retention of PHI or its use for any particular purpose. This language in no way supports State Farm’s claim that state law requires it to retain or otherwise use PHI. ¶ 53 State Farm further asserts that insurers retain records for a variety of legal and operational reasons. For instance, State Farm notes that insurers are prohibited from engaging in improper claims practices. See 215 ILCS 5/154.5, 154.6 (West 2018). To this end, section 919.30 of Title 50 of the Illinois Administrative Code requires insurers to make their claim files available - 15 - to the Director of the Illinois Department of Insurance (Director) for examination upon request. 50 Ill. Adm. Code 919.30(a) (1989). According to State Farm, the requirements governing the examination process conflict with the “return or destroy provisions” of the protective orders entered here. ¶ 54 With respect to examinations by the Director as part of improper-claims practice, section 919.30 provides in relevant part as follows: “b) Each company shall maintain claim data that should be accessible and retrievable for examination by the Director. A company shall be able to provide the claim number, line of coverage, date of loss and date of payment of the claim, date of denial, or date claim closed without payment. This data must be available for all open and/or closed files for the current year and the two preceding years. The examiners’ review may include but need not be limited to an examination of the following claims: 1) Claims Closed with Payment; 2) Claims Denied; 3) Claims Closed Without Payment; 4) First Party Automobile Total Losses; and/or Subrogation Claims. c) Detailed documentation shall be contained in each claim file in order to permit reconstruction of the company’s activities relative to each claim file.” 50 Ill. Adm. Code 919.30 (1989). According to State Farm, because this regulation requires maintaining “detailed documentation” in each claim file “to permit the reconstruction of the insurer’s activities,” it effectively mandates an insurer “to maintain all records of each claim for ‘all open and/or closed files for the current year and the two preceding years.’ ” However, we find no language in section 919.30 requiring an insurer to expressly retain PHI. Rather, the regulation refers to “claim data,” which it describes as “the claim number, line of coverage, date of loss and date of payment of the claim, date of denial, or date claim closed without payment.” Moreover, we see no reason why keeping in the company’s file a copy of the HIPAA qualified protection order, specifying that the company was prohibited from using or disclosing PHI for any purpose other than the litigation and was required to return or destroy the PHI at the end of the litigation, would not suffice to establish “the company’s activities relative to each file.” For these reasons, we are unpersuaded by State Farm’s claim that the requirements governing examinations for improper-claims practice conflict with the “return or destroy” provisions of the protective orders entered in this case. ¶ 55 State Farm also asserts that the HIPAA qualified protective orders prevent insurers from performing functions related to fraud detection and deterrence. State Farm asserts that, because the Illinois Department of Insurance relies on property and casualty insurers to detect and combat insurance fraud, Illinois law authorizes them to report information, including PHI, to the Illinois Department of Insurance and insurance support organizations, such as the National Insurance Crime Bureau and the Insurance Services Organization. See 215 ILCS 5/155.23 (West 2018). According to State Farm, if insurers must return to covered entities or destroy all PHI within 60 days of the end of litigation, they cannot later provide necessary information to help the state with fraud detection and prevention. ¶ 56 The statute State Farm cites authorizes the Director - 16 - “to promulgate reasonable rules requiring insurers *** doing business in the State of Illinois to report factual information in their possession that is pertinent to suspected fraudulent insurance claims, fraudulent insurance applications, or premium fraud after [the Director] has made a determination that the information is necessary to detect fraud or arson.” (Emphases added.) 215 ILCS 5/155.23(1) (West 2018). We find State Farm’s reliance on section 155.23 unpersuasive for two principal reasons. First, the statute applies only to suspected fraudulent insurance claims, fraudulent insurance applications, or premium fraud and only after the Director has determined that the information is necessary to detect fraud or arson. In this case, there is no indication of fraud and no evidence that the Director has determined that any PHI is necessary to detect fraud or arson. Thus, there can be no factual information pertinent to any suspected fraud. Second, the statute requires an insurer to report only factual information in their possession. An insurer that has returned or destroyed PHI in accordance with a HIPAA qualified protective order cannot violate the statute because it does not possess any such information. ¶ 57 State Farm claims that other purposes for which property and casualty insurers retain claims files include actuarial and rate development, reinsurance evaluation and pricing, and long-tail exposure. 2 However, State Farm neither develops this argument nor cites any statute, policy, or regulation that would require it to use or retain PHI for any of those purposes. As such, we find any such claim forfeited. See Ill. S. Ct. R. 341(h)(7) (eff. May 25, 2018) (requiring appellant’s brief to include argument “which shall contain the contentions of the appellant and the reasons therefor, with citation of the authorities”); Lee v. Lee,2019 IL App (2d) 180923
, ¶ 24. ¶ 58 Lastly, we address State Farm’s reliance on part 901 of Title of 50 of the Illinois Administrative Code (50 Ill. Adm. Code 901) in support of its claim that it must be permitted to use and retain plaintiffs’ PHI to fulfill its obligations with respect to Illinois law. Section 901.5 of Title 50 of the Illinois Administrative Code provides that “[n]o domestic company shall destroy any books, records, documents, accounts or vouchers, hereafter referred to as ‘records’, except in conformity with the requirements of this Part.” 50 Ill. Adm. Code 901.5, codified at7 Ill. Reg. 4213
(eff. Mar. 28, 1983). Section 901.20 of Title 50 sets out a time period for the disposal and destruction of records: “The company is authorized to dispose of or destroy records in its custody that do not have sufficient administrative, legal or fiscal value to warrant their further preservation and are not needed: a) in the transaction of current business; b) for the final settlement or disposition of any claim arising out of a policy of insurance issued by the company, except that these records must be maintained for the current year plus 5 years; or c) to determine the financial condition of the company for the period since the date of the last examination report of the company officially filed with the 2 “Reinsurance” is “[i]nsurance of all or part of one insurer’s risk by a second insurer, who accepts the risk in exchange for a percentage of the original premium.” Black’s Law Dictionary (11th ed. 2019). “Long-tail claims” are “claims that are made or settled a long time after the insurance policy has expired.” Collins English Dictionary, https://www.collinsdictionary.com/us/dictionary/english/long- tail-claims (last visited Feb. 21, 2020) [https://perma.cc/3SQ7-CQSQ]. - 17 - Department of Insurance, except that these records must be maintained for at least the current year plus 5 years.” 50 Ill. Adm. Code 901.20 (2016). According to State Farm, part 901 sets out a detailed process for the destruction of an insurer’s records. Yet, it asserts, the HIPAA qualified protective orders entered in this case “create[ ] a Catch-22 for *** insurers, which must decide whether to comply with its ‘return or destroy’ provisions or continue to comply with the regulations requiring the maintenance of complete claim records for much longer periods.” ¶ 59 Although part 901 of Title 50 defines the term “records,” State Farm does not explain how PHI falls within this definition. The term “records” is defined in section 901.10 of Title 50 as follows: “ ‘Records’ material means all books, papers and documentary materials regardless of physical form or characteristics, made, produced, executed or received by any domestic insurance company pursuant to law or in connection with the transaction of its business and preserved or appropriate for preservation by such company or its successors as evidence of the organization, function, policies, decisions, procedures, obligations and business activities of the company or because of the informational data contained therein. If doubt arises as to whether certain papers are ‘non-record’ materials, it should be assumed that the documents are ‘records’.” (Emphasis added.) 50 Ill. Adm. Code 901.10, codified at7 Ill. Reg. 4213
(eff. Mar. 28, 1983). In this case, State Farm does not explain how plaintiffs’ PHI is “appropriate for preservation,” especially given that (1) the trial courts entered HIPAA qualified protective orders expressly requiring the destruction of PHI within 60 days after the conclusion of the litigation and (2) State Farm failed to cite any statute, regulation, or case law that affirmatively requires the retention of PHI or its use for a particular purpose. See Small, 280 F.R.D. at 279-80 (rejecting similar argument by State Farm, in part because section 901.10 of Title 50 does not specifically reference medical records). Moreover, as noted, a copy of the HIPAA qualified protective order in the file would explain why the PHI was not present. Thus, this provision does not support State Farm’s position. ¶ 60 In short, State Farm has failed to direct us to any provision of the Insurance Code or the Illinois Administrative Code that requires it to use or disclose plaintiffs’ PHI after the conclusion of the litigation. We find nothing in the statutory and administrative regulations cited by State Farm in its brief requiring it to retain PHI or use it for any particular purpose after the conclusion of litigation. As such, we reject State Farm’s argument that the terms of the HIPAA qualified protective order conflict with its obligations under state law. ¶ 61 D. Preemption ¶ 62 Although we have concluded that the terms of the HIPAA qualified protective orders do not conflict with State Farm’s obligations under state law, to the extent that they could be so construed, we agree with the trial courts that the state law provisions are preempted by HIPAA. As noted earlier, among HIPAA’s purposes were to establish national privacy standards and fair information practices regarding individually identifiable health information. Brende,153 P.3d at 1114
; Wade, 922 F. Supp. 2d at 687 (citing South Carolina Medical Ass’n,327 F.3d at 348
); Law,307 F. Supp. 2d at 710
; U.S. Dep’t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 1 (May 2003), https://www.hhs.gov/sites/ default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]. To this end, HIPAA and its - 18 - regulations establish a “uniform federal ‘floor’ of privacy protections for individual medical information.” Stein, supra, at 434; see also Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. at 82,471 (“The protections [(provided by HIPAA and its regulations)] are a mandatory floor, which other governments and any covered entity may exceed.”);45 C.F.R. § 164.502
(a) (2018). Thus, HIPAA preempts “contrary” state laws unless the state law is “more stringent” than the standards set forth in the Privacy Rule. 42 U.S.C. § 1320d-7 (2018);45 C.F.R. §§ 160.202
, 160.203(b), 164.502(a) (2018); Giangiulio, 365 Ill. App. 3d at 840; Stein, supra, at 434. A state law is “contrary” to HIPAA if a “covered entity or business associate would find it impossible to comply with both the State and Federal requirements” or if the “provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].”45 C.F.R. § 160.202
(2018). Whether a state law is preempted by federal law is a question of law subject to de novo review. Fosler v. Midwest Care Center II, Inc.,398 Ill. App. 3d 563
, 569 (2009). ¶ 63 In this case, a covered entity cannot comply with HIPAA if the statutory and administrative regulations, as interpreted by State Farm, are inserted in the qualified protective order. In this regard, the Cook County protective order does not require an insurer to return or destroy PHI at the conclusion of litigation and would permit the insurer to use and retain PHI outside of litigation. This directly conflicts with the requirements for a HIPAA qualified protective order under section 164.512(e)(1)(v) of the Privacy Rule. Likewise, by eliminating these two requirements, the Cook County protective order would not provide the confidentiality and protection of PHI envisioned when the Privacy Rule was promulgated. Stated differently, any requirement that an insurer be allowed to use and retain PHI beyond the conclusion of litigation would lower the floor of privacy protections HIPAA mandates. As such, the Cook County protective order acts as an obstacle to accomplishing and executing HIPAA’s full purposes and objectives. ¶ 64 In so holding, we also observe that section 160.203(a)(1) of the Privacy Rule provides that HIPAA will not preempt a contrary state law if the Secretary of HHS determines, in response to a request by a state, that the state law is necessary to, inter alia, “prevent fraud and abuse related to the provision of or payment for health care” or “ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation.”45 C.F.R. §§ 160.203
(a)(1)(i), (ii), 160.204 (2018). State Farm does not indicate that any such exception was requested by the state with respect to an insurer’s purported obligations under Illinois law. In the absence of such a waiver from the federal government, a HIPAA qualified protective order prohibits the use or disclosure of PHI for any purpose other than the litigation or proceeding for which such information was requested and requires the return or destruction of PHI at the end of the litigation or proceeding. ¶ 65 E. Reverse Preemption ¶ 66 Typically, when a state law conflicts with a federal law, the federal law preempts the state law, rendering the state law without effect. U.S. Const., art. VI, cl. 2; Altria Group, Inc. v. Good,555 U.S. 70
, 76 (2008); Milliman, Inc. v. Roof,353 F. Supp. 3d 588
, 600 (E.D. Ky. 2018). However, the McCarran-Ferguson Act (15 U.S.C. § 1011
et seq. (2018)) created an exception to this rule with respect to state laws that regulate the “business of insurance.” Milliman, Inc., 353 F. Supp. 3d at 600-01. The trial courts here asked the parties to address the implications, if any, of the McCarran-Ferguson Act to these cases. Neither party argued that - 19 - the McCarran-Ferguson Act applied, so the courts did not further address the issue. State Farm briefly mentions the McCarran-Ferguson Act in its brief but does not fully develop the issue. Nevertheless, we find it appropriate to briefly discuss this matter. ¶ 67 The McCarran-Ferguson Act provides, in relevant part, that “[n]o Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any State for the purpose of regulating the business of insurance, or which imposes a fee or tax upon such business, unless such Act specifically relates to the business of insurance.”15 U.S.C. § 1012
(b) (2018). “[T]he McCarran-Ferguson Act gives rise to the doctrine of ‘reverse preemption,’ which, if applicable, can cause state insurance laws to trump federal laws that interfere with them.” Western Insurance Co. v. A&H Insurance, Inc.,784 F.3d 725
, 727 (10th Cir. 2015). Under the statute, a state law will reverse preempt a federal law if (1) the federal statute does not specifically relate to the business of insurance, (2) the state statute was enacted for the purpose of regulating the business of insurance, and (3) the federal statute would invalidate, impair, or supersede the state statute. United States v. Rhode Island Insurers’ Insolvency Fund,80 F.3d 616
, 619 (1st Cir. 1996). Ultimately, we conclude that the McCarran-Ferguson Act does not compel reverse preemption in this case because HIPAA does not invalidate, impair, or supersede any state insurance law or regulation cited by State Farm. ¶ 68 The United States Supreme Court has stated that “invalidate” means “to render ineffective, generally without providing a replacement rule or law” and that “supersede” means “to displace (and thus render ineffective) while providing a substitute rule.” (Internal quotation marks omitted.) Humana Inc. v. Forsyth,525 U.S. 299
, 307 (1999). “To impair” for purposes of the McCarran-Ferguson Act means to “frustrate any declared state policy” or “interfere with a State’s administrative regime.” Humana Inc.,525 U.S. at 310
. As noted above, nothing in any Illinois statute or regulation State Farm cites requires the retention of PHI or its use for any particular purpose. Thus, the HIPAA qualified protective orders entered in this case do not “invalidate, impair, or supersede” the Illinois statutes and regulations State Farm cites. As such, we conclude that the doctrine of reverse preemption does not apply here. ¶ 69 F. Alternative Methods of Disclosing PHI ¶ 70 Alternatively, State Farm argues that the Privacy Rule did not require the trial courts to enter the HIPAA qualified protective orders proposed by plaintiffs to the exclusion of other authorized means of permitted disclosure of PHI. State Farm notes, for instance, that the Privacy Rule permits the disclosure of PHI “[i]n response to an order of a court.”45 C.F.R. § 164.512
(e)(1)(i) (2018). According to State Farm, “[n]othing in this section [(of the Privacy Rule)] says that the ‘order of the court’ can only be a qualified protective order.” State Farm also notes that, absent a court order, the Privacy Rule allows the disclosure of PHI “[i]n response to a subpoena, discovery request, or other lawful process,” provided that the party seeking the information either notifies the individual whose information is requested or makes a “reasonable effort[ ]” to secure a qualified protective order.45 C.F.R. § 164.512
(e)(1)(ii) (2018). State Farm points out that, of the authorized means of disclosure, only a HIPAA qualified protective order carries the restrictions that prohibit the use of PHI outside litigation and require the return of PHI to the covered entity or its destruction at the end of the litigation. See45 C.F.R. § 164.512
(e)(1)(v) (2018). State Farm therefore argues that the trial courts erred in rejecting any alternative to plaintiffs’ proposed protective orders. Although we agree that the Privacy Rule provides several different methods by which a covered entity may disclose - 20 - PHI in the course of a judicial proceeding, neither plaintiffs nor State Farm sought the disclosure of PHI by any means other than a protective order. Plaintiffs’ motions referenced HIPAA and the Privacy Rule, and they proposed the HIPAA qualified protective order, which expressly cites the restrictions set forth in section 164.512(e)(1)(v) of the Privacy Rule (45 C.F.R. § 164.512
(e)(1)(v) (2018)). Likewise, in its objections to plaintiffs’ motions, State Farm proposed the Cook County protective order. The record reflects that the trial courts considered and ruled on this issue. Given these circumstances, we find that the trial courts did not err in declining to consider an alternate authorized method of disclosing PHI. ¶ 71 IV. CONCLUSION ¶ 72 For the reasons set forth above, we affirm the judgment of the circuit court of Lake County. ¶ 73 Affirmed. - 21 -
south-carolina-medical-association-physicians-care-network-j-capers-hiott , 327 F.3d 346 ( 2003 )
Law v. Zuckerman , 307 F. Supp. 2d 705 ( 2004 )
Altria Group, Inc. v. Good , 129 S. Ct. 538 ( 2008 )
United States v. Rhode Island Insurers' Insolvency Fund , 80 F.3d 616 ( 1996 )
Van Dyke v. White , 2019 IL 121452 ( 2019 )
State Bank of Cherry v. CGB Enterprises, Inc. , 2013 IL 113836 ( 2013 )
Brende v. Hara , 113 Haw. 424 ( 2007 )
Skolnick v. Altheimer & Gray , 191 Ill. 2d 214 ( 2000 )
Kean v. Wal-Mart Stores, Inc. , 235 Ill. 2d 351 ( 2009 )