Haage v. Zavala
183 N.E.3d 830
Ill.
2021
Check Treatment

ROSEMARIE HAAGE, Aрpellee, v. ALFONSO MONTIEL ZAVALA et al. (State Farm Mutual Automobile Insurance Company, Appellant).

Docket No. 125918

SUPREME COURT OF THE STATE OF ILLINOIS

September 23, 2021

2021 IL 125918

Opinion filed September 23, 2021.

JUSTICE NEVILLE delivered the judgment of the court, with opinion.

Chief Justice Anne M. Burke and Justices Garman, Theis, Michael J. Burke, Overstreet, and Carter concurred in the judgment and opinion.

OPINION

¶ 1 In each of two automobile personal injury actions, plaintiffs moved for entry of a qualified protective order (QPO) pursuant to the Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)) and its implementing regulations (45 C.F.R. pts. 160, 164 (2018)) (hereinafter Privacy Rule). Plaintiffs’ proposed QPOs would allow protected health information (PHI) to be released, but subject to the following restrictions: (1) nonlitigation use or disclosure of PHI is prohibited and (2) PHI must be returned or destroyed at the conclusion of the litigation. See 45 C.F.R. § 164.512(e)(1)(v) (2018). State Farm Mutual Automobile Insurance Company (State Farm), the liability insurer for the named defendants, intervened in each lawsuit and sought entry of its own protective order, which expressly allowed insurance companies to use, disclose, and maintain PHI for purposes beyond the litigation and expressly exempted insurers from the “return or destroy” requirement.

¶ 2 In both cases the circuit court of Lake County granted plaintiffs’ motions, entered their QPOs, аnd denied State Farm‘s motions. State Farm filed an interlocutory appeal in each case. Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The appellate court consolidated the two cases and affirmed. .

¶ 3 State Farm petitioned this court for leave to appeal as a matter of right (Ill. S. Ct. R. 317 (eff. July 1, 2017)) or, alternatively, as a matter of discretion (Ill. S. Ct. R. 315 (eff. Oct. 1, 2019)). We granted State Farm leave to appeal. For the following reasons, we now affirm the judgment of the appellate court and remand the cases to the trial court for further proceedings.

I. BACKGROUND

A. Underlying Complaints

¶ 4 In November 2017, plaintiff Rosemarie Haage filed a multicount complaint (No. 17-L-897) against defendants Alfonso Montiel Zavala, Patricia Santiago, Jose Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez. Haage sought to recover damages for bodily injuries sustained in a multiple-vehicle collision near the intersection of Lakeview Parkway and Route 60 in Vernon Hills.

¶ 5 In January 2018, plaintiffs Agnieszka Surlock and Edward Surlock filed a two-count complaint (No. 18-L-39) against defendant Dragoslav Starcevic. The Surlock plaintiffs sought damages for Agnieszka‘s bodily injuries and Edward‘s loss of consortium as a result of a collision between an automobile driven by Agnieszka and an automobile driven by Starcevic at the intersection of Grand Avenue and Route 45 in Lindenhurst.

B. Plaintiffs’ Motions for QPOs

¶ 6 In August 2018, plaintiffs, represented by the same attorney, filed nearly identical motions for QPOs allowing the disclosure of protected health information in their respective lawsuits. HIPAA‘s privacy standards are known collectively as the “Privacy Rule.” Deborah F. Buckman, Annotation, Validity, Construction, and Application of Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Regulations Promulgated Thereunder, 194 A.L.R. Fed. 133, 148 (2004). The Privacy Rule is codified at parts 160 and 164 of Title 42 of the Code of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).

¶ 7 Plaintiffs’ QPO motions alleged as follows. First, the treating physicians, hospitals, and other health care providers for Haage and Agnieszka are subject to the Privacy Rule. Second, these covered entities possess their PHI in the form of medical records. Third, both the plaintiffs and the defendants in each case “will require that the parties, their attorneys, their attorneys’ agents, consultants and various witnesses and other personnel receive and review copies of the [PHI]” pertaining to Haage and Agnieszka. Fourth, HIPAA potentially prohibits covered entities from disclosing PHI in judicial proceedings other than by an authorization or QPO.

¶ 8 Therefore, plaintiffs submitted HIPAA QPOs that permit the use and disclosure of the PHI of Haage and Agnieszka. Relevant here, the proffered QPOs found that 45 C.F.R. § 164.512(e)(1)(v)(A), (B) (2018) requires the following two obligations. Paragraph 9 of the proposed QPOs finds that it is necessary to “[p]rohibit the parties and any other persons or entities from using or disclosing the PHI for any purpose other than the litigation or proceeding for which it was requested.” Paragraph 10 of the proposed QPOs finds that it is necessary to “[r]equire the return of the PHI to the covered entity or the destruction of the information at the end of the litigation or proceeding.”

¶ 9 Accordingly, each proposed QPO ordered: “The PHI of any party in this lawsuit may not be disclosed for any reason without that party‘s prior written consent or an Order of this court specifying the scope of the PHI to be disclosed, the recipients of the disclosed PHI, and the purpose of the disclosure.” Each proposed QPO also ordered as follows:

“Within 60 days after the conclusion of the litigation, including appeals, the parties, their attorneys, insurance companies and any person or entity in possession of PHI received pursuant to this Order, shall return Plaintiff‘s PHI to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff, including any electronically stored copy or image, except that counsel are not required to secure the return or destruction of PHI submitted to the Court. ‘Conclusion of the Litigation’ shall be defined as the point at which final orders disposing of the entire case as to any Defendant have been entered, or the time at which all trial and appellate proceedings have been exhausted as to any Defendant.”

C. State Farm‘s Petitions to Intervene and File Objections

¶ 10 In September 2018, State Farm filed nearly identical petitions to intervene in each lawsuit. See 735 ILCS 5/2-408(a)(2) (West 2018). State Farm maintained that it was the casualty and liability insurer for at least one of the defendants in the Haage lawsuit and for defendant Starcevic in the Surlock lawsuit. State Farm alleged that plaintiffs’ proposed QPOs would impose upon it significant restrictions and obligations, and the attorney representing its policyholders is not conversant with either the legal issues raised by plaintiffs’ proposed QPOs or the statutes and regulations applicable to State Farm‘s business operations. The trial courts granted State Farm‘s petitions to intervene and granted State Farm leave to file objections.

¶ 11 In its objections to plaintiffs’ proposed QPOs, State Farm requested that the trial courts (1) deny plaintiffs’ motions for their QPOs and (2) grant State Farm‘s motions to enter its tendered alternative orders (see Ill. S. Ct. R. 201(c)(1) (eff. July 1, 2014)). State Farm initiаlly argued that, as a property and casualty insurer, it is not a “covered entity” under HIPAA. State Farm also argued that plaintiffs’ proposed QPOs contained restrictions that would directly conflict with its obligations and rights under Illinois law, specifically in two ways. First, State Farm argued that requiring it to return or destroy all copies of PHI following the conclusion of the litigation would interfere with its statutory and administrative obligations to maintain complete documentation of all books, records, and accounts, including claim files and claim data, and to make that information available for examination upon request by the Illinois Department of Insurance. Second, State Farm argued that restricting the use of PHI to the litigation at issue would interfere “with State Farm‘s rights under Illinois law to use a claimant‘s information to perform certain insurance functions.” State Farm asked the trial courts to deny plaintiffs’ proposed QPOs.

¶ 12 State Farm also asserted that the law division of the circuit court of Cook County has “entered a standard medical protective order authorizing production of health information that omits unnecessary restrictions and explicitly accommodates casualty insurers’ obligations.” State Farm tendered and sought entry of the Cook County standard рrotective order.

¶ 13 The Cook County standard protective order lacks the PHI “use or disclosure” prohibition and the “return or destroy” requirement that plaintiffs’ proposed QPOs provide.

¶ 14 Rather, the Cook County standard protective order expressly permits insurance companies to maintain, use, disclose, and dispose of PHI for the following purposes:

“1. Reporting; investigating; evaluating, adjusting, negotiating, arbitrating, litigating, or settling claims;

2. Compliance reporting or filing;

3. Conduct described in [section 1014 of the Illinois Insurance Code] 215 ILCS 5/1014;

4. Required inspections and audits;

5. Legally required reporting to private, federal, or state governmental organizations ***;

6. Rate setting and regulation;

7. Statistical information gathering;

8. Underwriting, reserve, loss, and actuarial calculation;

9. Drafting policy language;

10. Workers’ compensation; and

11. Determining the need for and procuring excess or umbrella coverage or reinsurance.”

Also, paragraph 5 of the Cook County standard protective order specifically exempts insurance companies from the “return or destroy” requirement of 45 C.F.R. § 164.512(e)(1)(v)(B) (2018). State Farm urged the trial courts to adopt and enter the tendered Cook County standard protective order.

D. Plaintiffs’ Replies

¶ 15 Plaintiffs responded that their proposed QPOs would not impose undue restrictions or obligations on nonhealth insurers for two reasons. First, plaintiffs argued that there was no language in either the Illinois Insurance Code or the Illinois Administrative Code that requires nonhealth insurers to retain, use, or disclose PHI. Second, plaintiffs asserted that State Farm does not require PHI to perform “certain insurance functions.” Plaintiffs further noted that there has never been an administrative disciplinary action taken against State Farm for failing to maintain PHI. Therefore, according to plaintiffs, their proposed QPOs would not affect the reporting obligations of nonhealth insurers such as State Farm.

¶ 16 Plaintiffs alternatively asserted that, absent a waiver from the federal government, (1) HIPAA prohibits the use or disclosure of PHI for any purpose other than the litigation or proceeding for which such information was requested and (2) HIPAA requires the return or destruction of PHI at the end of the litigation or proceeding. Therefore, according to plaintiffs, to the extent that any state law or regulation permits State Farm to use, store, maintain or distribute PHI outside of the scope of litigation and for State Farm‘s own business operations, it is preempted by HIPAA.

¶ 17 Plaintiffs further responded that whether or not State Farm is a “covered entity” is irrelevant. Plaintiffs reasoned that, even if State Farm is exempt from HIPAA as a casualty and liability insurer, the plaintiff-authorized PHI, the QPO entered by the court, and the parties to whom the PHI is released are all subject to HIPAA. Thus, according to plаintiffs, “State Farm had no right to the information to begin with.” Rather, plaintiffs argued that State Farm “only obtains an ability to review PHI because of a valid protective order. Therefore, regardless of whether State Farm is a ‘covered entity’ under HIPAA, it must still abide by the court order and the terms of HIPAA if it wants access to the PHI.”

E. Trial Courts’ Orders

¶ 18 In February 2019, the trial courts in the Haage and Surlock lawsuits held a combined hearing on plaintiffs’ motions for QPOs. In May 2019, the trial courts issued memorandum opinions and orders that granted plaintiffs’ motions to enter their proposed QPOs and denied State Farm‘s request for the entry of the Cook County standard protective order.

¶ 19 The trial courts found that HIPAA preempts Illinois law to the extent that State Farm‘s obligations and rights under state law conflict with HIPAA. The trial courts found that it would be impossible to comply with both Illinois law and HIPAA requirements for a QPO. The trial courts specifically found that the Cook County standard protective order violated 45 C.F.R. § 164.512(e)(1)(v)(A), (B) (2018), to the extent that it (1) would allow insurance companies to maintain, use, disclose, and dispose of PHI outside of the litigation and (2) would not require insurers to return or destroy the PHI at the conclusion of the litigation. The trial courts found that the Cook County standard protective order “would eliminate the two requirements set forth by the Deрartment [of Health and Human Services (HHS)] for a qualified protective order and would not provide the confidentiality and protection of PHI” envisioned when HHS promulgated the Privacy Rule. The trial courts found that without these two requirements, “a covered entity no longer has a valid HIPAA qualified protective order to allow disclosure of PHI.”

¶ 20 The trial courts also acknowledged that “property and casualty liability insurers are not covered entities under HIPAA.” However, each trial court found that not being a covered entity “does not exempt State Farm from obeying a protective order entered by this court with respect to PHI which has been produced by a covered entity.” (Emphasis in original.) Rather, each trial court ruled that “[a]ll parties receiving the PHI are bound to follow the qualified protective order of the court regardless of whether they are a covered entity under HIPAA in the first instance.” The trial courts next rejected State Farm‘s argument that plaintiffs’ motions for QPOs should be deemed as proposals for a court order under a different section of the Privacy Rule. Each trial court reasoned that, “[w]hile the HIPAA regulations do provide several different ways in which a covered entity is permitted to disclose PHI, Plaintiff has chоsen to secure a qualified protective order.”

¶ 21 Accordingly, the trial courts entered plaintiffs’ proposed QPOs in both lawsuits. The QPOs included the following relevant provisions:

“8. Within 60 days after the conclusion of the litigation, including appeals, the parties, their attorneys, insurance companies and any person or entity in possession of ‍‌‌​​​‌‌​‌‌‌​​​‌‌‌​​​​‌​‌​​​​‌‌​​​‌‌​‌‌​​​​‌​​​‌​‍PHI received pursuant to this Order, shall return Plaintiff‘s PHI to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff, including any electronically stored copy or image, except that counsel are not required to secure the return or destruction of PHI submitted to the Court.

***

12. All requests by or on behalf of any Defendant for protected health information, including but not limited to subpoenas, shall be accompanied by a complete copy of this Order. The parties—including their insurers and counsel—are prohibited from using or disclosing protected health information for any purpose other than this litigation. ‘Disclose’ shall have the same *** scope and definition as set forth in 45 C.F.R. § 160.103: ‘the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.‘” (Emphases added.)

F. Appellate Court

¶ 22 In each case, State Farm filed an interlocutory appeal to the appellate court. See Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The appellate court granted State Farm‘s motion to consolidate the appeals and denied plaintiffs’ motion to dismiss. , ¶ 33.

¶ 23 The appellate court acknowledged that State Farm, as a property and casualty insurer, did not fit within the specific regulatory definition of a “covered entity,” as defined by the Privacy Rule, because it was not a “health plan,” a “health care clearinghouse,” or a “health care provider who transmits any health information in electronic form.” (quoting 45 C.F.R. § 160.103 (2018)). However, the appellate court agreed with the trial courts that “State Farm, as an entity wishing to receive PHI from a covered entity in response to a HIPAA qualified protective order, is bound to comply with the use and disclosure restrictions set forth in the orders.” . Thus, the appellate court concluded that, “if State Farm wishes to access the PHI at issue, it must abide by the terms of the HIPAA qualified protective orders entered by the trial courts.” .

¶ 24 State Farm next argued that it must be permitted to use and retain plaintiffs’ PHI to fulfill its obligations under Illinois insurance regulatory law and that the Cook County standard protective order “strikes the proper balance between a litigant‘s interest in PHI and the State‘s interest in allowing property and casualty insurers to retain PHI beyond litigation.” . The appellate court concluded that “State Farm failed to cite any statute, regulation, or case law that affirmatively requires the retention of PHI or its use for a particular purpose.” . Further, the appellate court found nothing in the provisions of the Insurance Code and the Illinois Administrative Code cited by State Farm that requires State Farm to retain PHI or use it for any particular purpose after the conclusion of the litigation. Accordingly, the appellate court rejected State Farm‘s argument that the terms of plaintiffs’ QPOs conflict with State Farm‘s obligations under state law. .

¶ 25 The appellate court next held that, to the extent that plaintiffs’ QPOs could be considered to conflict with State Farm‘s obligations under state law, HIPAA and the Privacy Rule preempt state law. . The appellate court also concluded that the doctrine of reverse preemption, as provided by the McCarran-Ferguson Act (15 U.S.C. § 1011 et seq. (2018)), which is potentially relevant specifically to insurance regulation, did not apply in this case. .

¶ 26 Lastly, State Farm assigned error to the trial courts’ rejection of any alternative to plaintiffs’ QPOs. The appellate court acknowledged that the Privacy Rule provides several different methods by which a covered entity may disclose PHI during litigation. However, the appellate court observed that plaintiffs and State Farm sought the disclosure of PHI through QPOs. Accordingly, the appellate court held that the trial courts did not err in declining to consider an alternative method of disclosing PHI. .

¶ 27 State Farm appeals to this court. We granted the National Insurance Crime Bureau leave to submit an amicus curiae brief in support of State Farm‘s position. The Illinois Trial Lawyers Association and the Illinois Public Interest Research Group were each granted leave to submit an amicus curiae brief in support of plaintiffs’ position. Ill. S. Ct. R. 345 (eff. Sept. 20, 2010).

II. ANALYSIS

¶ 28 Before this court, the parties present several arguments in relation to the following issues. First, the parties disagree on the applicability of the Privacy Rule and its preemptive effect on Illinois insurance regulatory law governing the use, disclosure, and retention of PHI. Second, the parties disagree on whether Illinois insurance regulatory law mandates that a property and casualty insurer use, disclose, and retain PHI beyond litigation. Third, the parties disagree on the preemptive effect of the Privacy Rule on the Cook County standard protective order.

A. Standard of Review

¶ 29 State Farm filed an interlocutory appеal to the appellate court pursuant to Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017), which provides for an appeal from an interlocutory order “granting, modifying, refusing, dissolving, or refusing to dissolve or modify an injunction.” This court has held that “an interlocutory order circumscribing the publication of information is reviewable as an interlocutory injunctive order, pursuant to Rule 307(a)(1).” ; see (“Supreme Court Rule 307(a)(1) allows review of *** a protective order entered during the discovery phase of the proceedings.“).

¶ 30 “As this court has explained, ‘in an interlocutory appeal, the scope of review is normally limited to an examination of whether or not the trial court abused its discretion in granting or refusing the requested interlocutory relief.‘” (quoting ). An abuse of discretion occurs only when the trial court‘s decision is arbitrary, fanciful, or unreasonable or where no reasonable person would take the view adopted by the trial court. ; . “When, however, the interlocutory appeal involves a question of law, the reviewing court resolves that legal question independently of the trial court‘s judgment and, to the extent necessary, may consider substantive issues to determine whether the trial court acted within its authority.” ; see .

¶ 31 In this case, State Farm presents issues that require us to construe various statutory and administrative provisions. Issues of statutory construction рresent questions of law that we review de novo. ; ; . Under the de novo standard, the reviewing court performs the same analysis that the trial court would perform. ; see .

B. Canons of Statutory Construction

¶ 32 The same familiar principles of statutory construction that apply to state legislation also apply to federal legislation enacted by Congress. See, e.g., ; . Additionally, because administrative regulations have the force and effect of law, the familiar rules that govern construction of statutes also apply to the construction of administrative regulations. ; .

¶ 33 The primary objective in statutory construction is to ascertain and give effect to the intent of the legislature. The most reliable indicator of legislative intent is the language of the statute, which must be given its plain and ordinary meaning. ; . In construing a federal statute, “‘[o]ur task is to give effect to the will of Congress, and where its will has been expressed in reasonably plain terms, that language must ordinarily be regarded as conclusive.‘” (quoting ). In construing a statute, a court must view a statute as a whole. Therefore, words and phrases must be construed in light of other relevant statutory provisions and not in isolation. ; ; . Each word, clause, and sentence of a statute must be given a reasonable meaning, if possible, and should not be rendered superfluous. ; . Additionally, the court may consider the reason for the law, the problems sought to be remedied, the purposes to be achieved (; ), and the consequences of construing the statute one way or another (; ).

C. Statutory Overview of HIPAA

¶ 34 “HIPAA is ‘a complex piece of legislation that addresses the exchange of health-related information.‘” (quoting ). Subtitle F of Title II of HIPAA, captioned “Administrative Simplification,” consists of sections 261 through 264 of the statute. As amended in 2010, the purpose of this subtitle is

“to improve *** the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of uniform standards and requirements for the electronic transmission of certain health information and to reduce the clerical burden on patients, health care providers, and health plans.” Pub. L. 104-191 § 261, 110 Stat. 1936, 2021 (1996).

¶ 35 In furtherance of these statutory purposes, various individual provisions in section 262 outline whom the regulations were to cover, what information was to be covered, what types of transactions were to be covered, what time limits and standards would govern compliance with HIPAA, and what penalties would accrue for HIPAA violations. 42 U.S.C. §§ 1320d to 1320d-9 (2018).

¶ 36 To effectuate these statutory directives, section 262 instructed the United States HHS to adopt uniform standards “to enable health information to be exchanged electronically.” 42 U.S.C. § 1320d-2(a)(1) (2018). In section 264 of HIPAA, Congress provided a two-step process to address how to afford certain protections to the privacy of health information maintained under HIPAA. First, within 12 months of HIPAA‘s enactment, HHS was directed to submit to Congress “detailed recommendations on standards with respect to the privacy of individually identifiable health information.” HIPAA, Pub. L. No. ‍‌‌​​​‌‌​‌‌‌​​​‌‌‌​​​​‌​‌​​​​‌‌​​​‌‌​‌‌​​​​‌​​​‌​‍104-191 § 264(a), 110 Stat. 1936, 2033. Congress directed HHS to address subjects including as follows: “(1) The rights that an individual who is a subject of individually identifiable health information should have. (2) The procedures that should be established for the exercise of such rights. (3) The uses and disclosures of such information that should be authorized or required.” Id. § 264(b).

¶ 37 Second, if Congress did not enact further legislation pursuant to the recommendations from HHS within 36 months of HIPAA‘s enactment, HHS was to promulgate final regulations providing for such standards. Id. § 264(c)(1). HIPAA further provided that the privacy regulations promulgated by HHS “shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” Id. § 264(c)(2); see generally (summarizing statute); Buckman, supra, at 145-48 (same).

D. Privacy Rule Overview

¶ 38 In September 1997, HHS did submit recommendations for protecting the privacy of individually identifiable health information. However, Congress ultimately failed to enact any additional legislation. ; . In November 1999, HHS issued proposed “Standards for Privacy of Individually Identifiable Health Information” (64 Fed. Reg. 59,918 (Nov. 3, 1999)), and in December 2000, HHS promulgated its final rule. 65 Fed. Reg. 82,462 (Dec. 28, 2000). These standards are known collectively as the “Privacy Rule.” Buckman, supra, at 148; U.S. Dep‘t of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR] (hereinafter Summary of the HIPAA Privacy Rule). In August 2002, HHS amended the Privacy Rule (67 Fed. Reg. 53,182 (Aug. 14, 2002)). The Privacy Rule is codified at parts 160 and 164 of Title 45 of the Code of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).

¶ 39 According to HHS, the purposes of the Privacy Rule include: “[t]o protect and enhance the rights of consumers by *** controlling the inappropriate use” of their health information and “to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.” 65 Fed. Reg. at 82,463. HHS explained as follows:

“In enacting HIPAA, Congress recognized the fact that administrative simplification cannot succeed if we do not also protect the privacy and confidentiality of personal health information. The provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient‘s ability to trust that the information shared will be protected and kept confidential. Yet many patients are concerned that their information is not protected. Among the factors adding to this concern are the growth of the number of organizations involved in the provision of care and the processing of claims, the growing use of electronic information technology, increased efforts to market health care and other products to consumers, and the increasing ability to collect highly sensitive information about a person‘s current and future health status as a result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been enacted primarily by the states. While virtually every state has enacted one or more laws to safeguard privacy, these laws vary significantly from state to state and typically apply to only part of the health care system. ***

Until now, virtually no federal rules existed to protect the privacy of health information and guarantee patient access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.” Id. at 82,463-64.

¶ 40 HHS explains that many of the provisions of the Privacy Rule, as codified, “are presented as ‘standards.’ Generally, the standards indicate what must be accomplished under the regulation and implementation specifications dеscribe how the standards must be achieved.” Id. at 82,488.

¶ 41 The Privacy Rule prohibits a “covered entity” or “business associate” from using a person‘s “protected health information” except as mandated or permitted by its provisions. 45 C.F.R. § 164.502(a) (2018). PHI is defined as “individually identifiable health information” that is kept or transmitted in electronic or any other form of media. Id. § 160.103. Further, “individually identifiable health information” means information, including demographic data, that (1) is created or received by a “covered entity“; (2) relates “to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual“; and (3) identifies, or reasonably can be used to identify, the individual. Id. “Covered entities” refer to health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form. Id. §§ 160.103, 164.104(a). A “business associate” refers to a person, not a member of a covered entity‘s workforce, who uses or discloses PHI in performing certain activities or functions on behalf of a covered entity. Id. § 160.103.

E. The Privacy Rule Applies to State Farm

¶ 42 Both plaintiffs and State Farm agree that State Farm is not a “covered entity” as defined by HIPAA because a property and casualty insurer is not a “health plan,” “health care clearinghouse,” or a “health care provider who transmits any health information in electronic form.” See id. § 160.103. The appellate court observed that State Farm had not cited any specific language in HIPAA, the Privacy Rule, or any other source of law “indicating that a noncovered entity that receives PHI from a covered entity in response to a HIPAA qualified protective order is exempt from complying with the order‘s restrictions regarding the use or disclosure of the PHI.” .

¶ 43 Before this court, State Farm argues that “because property and casualty insurers like State Farm are not covered entities, their business operations do not fall within HIPAA‘s privacy and security obligations.” Further, according to State Farm, “property and casualty insurers like State Farm do not become a ‘covered entity’ when they receive PHI from a ‘covered entity’ in the ordinary course of handling claims.”

¶ 44 State Farm maintains that property and casualty insurers logically “fall outside HIPAA given the role of liability insurance in the administration of justice.” State Farm argues that “property and casualty insurers do not enter into a physician-patiеnt relationship with anyone and their role is not to provide *** health care services.” Rather, according to State Farm, property and casualty insurers “insure their policyholders against the risk of bodily injury or property damage (including for liability to others) that results from an accident—not to offer medical or health care to the injured person.”

¶ 45 We cannot accept State Farm‘s reasoning. Generally, a personal injury action requires proof of an injury (), which necessarily requires disclosure of relevant PHI. State Farm‘s logic leads to the denial of any request for a QPO in a judicial proceeding where a defendant is insured by a casualty insurer. This court has noted “the dominant role played by the insurance industry in the field of personal injury litigation.” . Scholars have similarly recognized:

“The key stakeholders in litigation—at least on the defense side—are seldom the individual litigants who have been sued. Rather, insurers are the entities who regularly pay not only the cost of defending claims but also any settlement or judgment. Insured parties retain some authority to make substantive litigation decisions, but the practical reality is that insurers drive litigation outcomes.” Chris Guthrie & Jeffrey J. Rachlinski, Insurers, Illusions of Judgment and Litigation, 59 Vand. L. Rev. 2017, 2019 (2006).

See (“Insurers play a key role in the civil justice system. In most personal injury litigation, the individual defendant is insured, and the insurer provides a defense and exercises complete control over whether to settle the case.“).

¶ 46 Thus, if we were to accept State Farm‘s argument, there would be few instances in which a QPO could be requested. It was clearly not the intent of Congress that a QPO would be unavailable whenever an alleged tortfeasor was insured by a liability insurer. HIPAA contains no such limitation, and this court must not add such a limitation under the guise of statutory construction. See (“we cannot rewrite a statute, and depart from its plain language, by reading into it exceptions, limitations or conditions not expressed by the legislature“); (same).

¶ 47 There are two exceptions to the prohibition against the use or disclosure of an individual‘s PHI. First, a covered entity may use or disclose PHI pursuant to a valid authorization. 45 C.F.R. §§ 164.502(a)(1)(iv), 164.508 (2018).

¶ 48 Second, and relevant to this appeal, a covered entity may use or disclose PHI in the course of litigation. Id. §§ 164.502(a)(1)(vi), 164.512(e). Use or disclosure of PHI is permissible to comply with an order of a court or administrative tribunal, so long as only the PHI expressly authorized by the order is disclosed. Id. § 164.512(e)(1)(i). Absent a judicial or administrative order, a covered entity may disclose PHI in response to a subpoena, discovery request, or other lawful process if (1) the covered entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individual has been given notice of the request or (2) the covered entity has made reasonable efforts to secure a “qualified protective order.” Id. § 164.512(e)(1)(ii), (iv). A QPO is a judicial or administrative order, or a stipulation by the parties, that (1) “[p]rohibits the parties from using or disclosing the [PHI] for any purpose other than the litigation or proceeding for which such information was requested” and (2) “[r]equires the return to the covered entity or destruction of the [PHI] (including all copies made) at the end of the litigation or proceeding.” Id. § 164.512(e)(1)(v).

¶ 49 Importantly, State Farm is not the disclosing party but rather is the party wishing to obtain plaintiffs’ PHI. Therefore, in the absence of a court order pursuant to section 164.512(e)(1)(i), the Privacy Rule authorizes a covered entity to disclose PHI to State Farm in this litigation only pursuant to (1) a subpoena, discovery request, or other lawful process, provided that adequate notice was given to plaintiffs, or (2) a QPO containing the required “use and disclosure” prohibition and the “return or destroy” requirement. Id. § 164.512(e)(1)(ii), (iv). Here, State Farm is not appealing from any independent disclosure orders or any issues pertaining to discovery, service of process, and notice. Accordingly, State Farm can receive plaintiffs’ PHI only in response to a valid QPO.

¶ 50 State Farm argues that we should view its tendered protective orders as a request for an independent disclosure order pursuant to section 164.512(e)(1)(i). We reject this argument. Section 164.512(e)(1)(i) specifically mandates that “the covered entity disclose[ ] only the [PHI] expressly authorized by such order.” (Emphases added.) Id. § 164.512(e)(1)(i). Thus, pursuant to this section, a covered entity is prohibited from disclosing PHI that is not “expressly authorized” by the order. However, State Farm‘s tendered protective orders do not address what PHI the covered entity is expressly authorized to disclose. State Farm‘s tendered protective orders have no language that limits or restricts the PHI permitted to be disclosed. Such an order would be impermissible for several reasons.

¶ 51 State Farm‘s tendered protective orders violate Rule 201 to the extent that they permit the disclosure of any and all PHI. Rule 201(b)(1) provides in relevant part: “Except as provided in these rules, a party may obtain by discovery full disclosure regarding any matter relevant to the subject matter involved in the pending action, whether it relates to the claim or defense of the party seeking disclosure or of any other party ***.” Ill. S. Ct. R. 201(b)(1) (eff. July 1, 2014). “[T]he relevance requirement safeguards against ‘improper and abusive’ discovery and acts as an ‘independent constraint on discovery.‘” (quoting ). Therefore, even if State Farm‘s tendered protective orders could be viewed to require covered entities to disclose plaintiffs’ PHI, they would still be improper because they do not satisfy the relevancy requirement of Rule 201(b).

¶ 52 Even if we were to consider State Farm‘s tendered protective orders as compliant with section 164.512(e)(1)(i), they would still violate the state constitutional right to privacy. The Illinois Constitution guarantees, in pertinent part, that “[t]he people shall have the right to be secure in their persons, houses, papers and other possessions against unreasonable *** invasions of privacy.” Ill. Const. 1970, art. I, § 6. In Kunkel, this court stated as follows:

“This court has observed that the Illinois Constitution goes beyond federal constitutional guarantees by expressly recognizing a zone of personal privacy, and that the protection of that privacy is stated broadly and without restrictions. [Citation.] The confidentiality of personal medical information is, without question, at the core of what society regards as a fundamental component of individual privacy. Physicians are privy to the most intimate details of their рatients’ lives, touching on diverse subjects like mental health, sexual health and reproductive choice. Moreover, some medical conditions are poorly understood by the public, and their disclosure may cause those afflicted to be unfairly stigmatized. Respect for the privacy of medical information is a central feature of the physician-patient relationship. Under the Hippocratic Oath, and modern principles of medical ethics derived from it, physicians are ethically bound to maintain patient confidences. See .

***

In addition, this court has recognized that ‘[a] person has a reasonable expectation that he will not be forced to submit to a close scrutiny of his personal characteristics, unless for a valid reason. *** [T]he individual‘s ‍‌‌​​​‌‌​‌‌‌​​​‌‌‌​​​​‌​‌​​​​‌‌​​​‌‌​‌‌​​​​‌​​​‌​‍privacy interest in his physical person *** must be protected.’ [Citation.] We believe that this privacy interest pertaining to individual physical characteristics necessarily encompasses personal medical information.” .

In Kunkel, this court cautioned: “The text of our constitution does not accord absolute protection against invasions of privacy. Rather, it is unreasonable invasions of privacy that are forbidden. In the context of civil discovery, rеasonableness is a function of relevance.” (Emphasis in original.) .

¶ 53 Where the privacy interest in medical information is involved, it “is reasonable to require full disclosure of medical information that is relevant to the issues in the lawsuit.” However, State Farm‘s tendered protective orders are unlimited in the PHI to be disclosed without regard to the issues being litigated. The scope of the PHI required by State Farm‘s protective orders would be unreasonable and, therefore, unconstitutional.

¶ 54 In sum, the Privacy Rule applies to State Farm. Therefore, State Farm can receive plaintiffs’ PHI only in response to a valid QPO.

F. Illinois Insurance Regulatory Law Does Not Mandate Use, Disclosure, or Retention of PHI

¶ 55 State Farm contends that the trial courts should have entered State Farm‘s tendered Cook County standard protective order or a similar protective order “expressly allowing for the retention, use, and disclosure of information by property and casualty insurers in conformity to federal and state law and regulations.” State Farm complains that the trial courts’ QPOs prevent State Farm from fulfilling its obligations under the Illinois Insurance Code and supporting administrative regulations. State Farm‘s argument requires analysis of the preemptive effect of the Privacy Rule on Illinois insurance regulatory law.

1. Preemption Principles

¶ 56 The supremacy clause of the United States Constitution provides that federal law “shall be the supreme Law of the Land ***, any Thing in the Constitution or Laws of any State to the Contrary notwithstanding.” U.S. Const., art. VI, cl. 2. The determination of whether state law is preempted turns on the intent of Congress. When interpreting a federal statute pertaining to a subject traditionally governed by state law, courts are reluctant to find preemption unless Congress‘s preemptive

intent is clear and manifest. ; . One of the circumstances in which state law is preempted under the supremacy clause is where the express language of a federal statute indicates an intent to preempt state law. ; . If the federal statute contains an express exemption provision, “the task of statutory construction must in the first instance focus on the plain wording of the clause, which necessarily contains the best evidence of Congress’ pre-emptive intent.” ; .

¶ 73 HIPAA and the Privacy Rule establish a uniform federal floor or baseline of privacy protection for PHI, which states are free to exceed. See ; . When HHS promulgated the Privacy Rule, the agency stressed: “It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. *** The protections are a mandatory floor, which other governments and any covered entity may exceed.” 65 Fed. Reg. at 82,471.

¶ 74 Consequently, “State laws that are contrary to the Privacy Rule are preempted by the federal requirements, which means that the federal requirements will apply.” Summary of the HIPAA Privacy Rule, supra, at 17; 45 C.F.R. § 160.203 (2018). A state law is “contrary” to HIPAA if a “covered entity or business associate would find it impossible to comply with both the State and Federal requirements” or if the “provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [HIPAA].” 45 C.F.R. § 160.202 (2018).

¶ 75 However, section 264 of HIPAA provides that the Privacy Rule “shall not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than [those] imposed under the regulation.” Pub. L. No. 104-191 § 264(c)(2), 110 Stat. 1936, 2033-34. Implementing this statutory mandate, the Privacy Rule provides that the general rule of federal preemption of contrary state law will not occur if the state law is “more stringent” than the applicable standard promulgated in the Privacy Rule. 45 C.F.R. § 160.203(b) (2018). The state law is “morestringent” where it meets one or more of several criteria including where state law prohibits or restricts a use or disclosure of PHI where the Privacy Rule would allow it (id. § 160.202(1) (defining “more stringent“)) or, generally, where the state law provides greater privacy protection (id. § 160.202(6) (same)). See (listing criteria).

¶ 76 Importantly, we add that these preemption provisions of HIPAA and the Privacy Rule speak in terms of a specific provision of HIPAA or the Privacy Rule and a specific provision of state law. In proposing the Privacy Rule, HHS explained what HIPAA requires as follows:

“The initial question that arises in the preemption analysis is, what does one compare? The statute directs this analysis by requiring the comparison of a ‘provision of State law [that] imposes requirements, standards, or implementation specifications’ with ‘the requirements, standards, or implementation specifications imposed under’ the federal regulation. The statute thus appears to contemplate that what will be compared are the State and federal requirements that are analogous, i.e., that address the same subject matter.” 64 Fed. Reg. 59,918, 59,995 (proposed Nov. 3, 1999) (to be codified at 45 C.F.R. pts. 160 to 164) (quoting Pub. L. No. 104-191 § 264 (c)(2), 110 Stat. 1936, 2033-34).

Therefore, when a court engages in a HIPAA preemption analysis, the issue is not whether HIPAA generally “is contrary to and more stringent than the entirety of a state‘s laws on the privacy of a patient‘s medical information. Rather, the issue is whether or not a speсific provision of HIPAA is contrary to and more stringent than a specific provision of state law.” .

2. Contested Provisions of Illinois Insurance Regulatory Law

¶ 77 Before this court, State Farm maintains its position that Illinois insurance regulatory law requires State Farm to use, disclose, and retain PHI for various regulatory purposes. We discuss each in turn.

¶ 78 State Farm contends that “property and casualty insurers are legally required to retain documentation in their claim files for examination by regulators.” The Insurance Code prohibits insurers from engaging in improper claims practices. See 215 ILCS 5/154, 154.6 (West 2018). To this end, section 919.30 of Title 50 of the Illinois Administrative Code requires insurers to make their claim files available to the Director of the Illinois Department of Insurance (Director) for examination upon request. 50 Ill. Adm. Code 919.30 (1989). Regarding examinations by the Director, section 919.30 provides in relevant part:

“b) Each company shall maintain claim data that should be accessible and retrievable for examination by the Director. A company shall be able to provide the claim number, line of coverage, date of loss and date of payment of the claim, date of denial, or date claim closed without payment. This data must be available for all open and/or closed files for the current year and the two preceding years. The еxaminers’ review may include but need not be limited to an examination of the following claims:

  1. Claims Closed With Payment;
  2. Claims Denied;
  3. Claims Closed Without Payment;
  4. First Party Automobile Total Losses; and/or Subrogation Claims.

c) Detailed documentation shall be contained in each claim file in order to permit reconstruction of the company‘s activities relative to each claim file.”

Id.

Further, “documentation” includes “all pertinent communications, transactions, notes and work papers” “properly dated and compiled in sufficient detail in order to allow for the reconstruction of all pertinent events relative to each claim file. Documentation shall include but not be limited to bills, explanations of benefits and worksheets.” 50 Ill. Adm. Code 919.40 (1989).

¶ 79 State Farm argues that this regulation requires it to maintain, in each claim file, detailed documentation that includes medical bills, which necessarily contain PHI.According to State Farm, this insurance examination process conflicts with the “return or destroy” requirement of the trial court‘s QPOs.

¶ 80 We reject this argument. State Farm could establish its “activities relative to each file” by simply including in the file a copy of the QPO, specifying that the insurer was prohibited from using or disclosing PHI for any purpose other than the litigation and was required to return or destroy the PHI at the end of the litigation. The appellate court correctly reached a similar conclusion. See .

¶ 81 State Farm next contends that property and casualty insurers are prohibited from destroying company records except in conformity with the requirements of the Insurance Code and its administrative regulations. State Farm relies on part 901 of Title 50 of the Illinois Administrative Code (50 Ill. Adm. Code 901 (2016)). Section 901.5 provides that “[n]o domestic company shall destroy any books, records, documents, accounts or vouchers, hereafter referred to as ‘records‘, except in conformity with the requirements of this Part.” 50 Ill. Adm. Code 901.5 (2016). Section 901.20 of Title 50 sets out a time period for the disposal and destruction of records:

“The company is authorized to dispose of or destroy records in its custody that do not have sufficient administrative, legal or fiscal value to warrant their further preservation and are not needed:

  1. in the transaction of current business;
  2. for the final settlement or disposition of any claim arising out of a policy of insurance issued by the company, except that these records must be maintained for the current year plus 5 years; or
  3. to determine the financial condition of the company for the period since the date of the last examination report of the company officially filed with the Department of Insurance, excеpt that these records must be maintained for at least the current year plus 5 years.” 50 Ill. Adm. Code 901.20 (2016).

Further, the term “records” is defined in section 901.10 of Title 50 as follows:

“‘Records’ material means all books, papers and documentary materials regardless of physical form or characteristics, made, produced, executed or received by any domestic insurance company pursuant to law or in connection with the transaction of its business and preserved or appropriate for preservation by such company or its successors as evidence of the organization, function, policies, decisions, procedures, obligations and business activities of the company or because of the informational data contained therein. If doubt arises as to whether certain papers are ‘non-record’ materials, it should be assumed that the documents are ‘records‘.” 50 Ill. Adm. Code 901.10 (2016).

Before this court, State Farm argues that this definition of “records” is broad enough to include medical bills and records. State Farm maintains its position that part 901 sets out a detailed process for the destruction of an insurer‘s records, which conflicts with the trial courts’ QPOs.

¶ 82 We reject this argument. In this case, State Farm does not explain how plaintiffs’ PHI is “appropriate for preservation,” espеcially given that (1) the trial courts entered HIPAA QPOs expressly requiring the destruction of PHI within 60 days after the conclusion of the litigation and (2) State Farm failed to cite any statute, regulation, or case law that affirmatively requires the retention of PHI or its use for a particular purpose. State Farm has made this argument in other courts, including the appellate court here, and those courts have correctly rejected it. See ; ; . Further, as earlier noted, retention of a copy of the QPO in ‍‌‌​​​‌‌​‌‌‌​​​‌‌‌​​​​‌​‌​​​​‌‌​​​‌‌​‌‌​​​​‌​​​‌​‍the file would explain why the PHI was not present. Thus, part 901 of Title 50 of the Illinois Administrative Code does not support State Farm‘s position.

¶ 83 State Farm next contends that the trial courts’ QPOs prevent insurers from performing functions related to fraud detection and deterrence. State Farm maintains its position that, because the Illinois Department of Insurance relies on property and casualty insurers to detect and combat insurance fraud, Illinois law authorizes them to report information, including PHI, to the Illinois Department of Insurance and insurance support organizations, such as the National Insurance Crime Bureau and the Insurance Services Organization. See 215 ILCS 5/155.23(West 2018). State Farm argues that, if insurers must return to covered entities or destroy all PHI within 60 days of the end of litigation, they cannot later provide necessary information to help the state with fraud detection and prevention.

¶ 84 The statute State Farm cites authorizes the Director

“to promulgate reasonable rules requiring insurers *** doing business in the State of Illinois to report factual information in their possession that is pertinent to suspected fraudulent insurance claims, fraudulent insurance applications, or premium fraud after [the Director] has made a determination that the information is necessary to detect fraud or arson. Claim information may include:

  1. Dates and description of accident or loss.
  2. Any insurance policy relevant to the accident or loss.
  3. Name of the insurance company claims adjustor and claims adjustor supervisor processing or reviewing any claim or claims made under any insurance policy relevant to the accident or loss.
  4. Name of claimant‘s or insured‘s attorney.
  5. Name of claimant‘s or insured‘s physician, or any person rendering or purporting to render medical treatment.
  6. Description of alleged injuries, damage or loss.
  7. History of previous claims made by the claimant or insured.
  8. Places of medical treatment.
  9. Policy premium payment record.
  10. Material relating to the investigation of the accident or loss, including statements of any person, proof of loss, and any other relevant evidence.
  11. any facts evidencing fraud or arson.” Id. § 155.23(1).

State Farm‘s reliance on section 155.23 is unpersuasive for two reasons. First, the statute applies only to suspected fraudulent insurance claims or applications, or premium fraud, and only after the Director has determined that the information is necessary to detect fraud or arson. In this case, there is no indication of fraud and no evidence that the Director has determined that any PHI is necessary to detect fraud or arson. Therefore, there can be no factual information pertinent to any suspected fraud. Second, the statute requires an insurer to report only factual information in its possession. An insurer that has returned or destroyed PHI in accordance with a HIPAA QPO cannot violate the statute, because it does not possess any such information.

¶ 85 State Farm next asserts that the trial courts’ QPOs “impede compliance with federal reporting requirements.” State Farm argues that, under the Medicare secondary payor statute (42 U.S.C. § 1395y(b)(2) (2018)), “automobile or liability insurers must report payments made to Medicare beneficiaries, along with information about the alleged cause of injury, incident, or illness.” According to State Farm: “Retention of medical records is crucial to this process. Additionally, insurers need medical records if Medicare seeks recovery of a ‘conditional payment.‘”

¶ 86 We also reject this argument. This statute does not require a liability insurer to retain PHI after litigation even for Medicare beneficiaries. If State Farm is to pay a settlement or judgment, all it need do is to report the payment and the alleged cause of injury. Id. § 1395y(b)(8)(B)(i), (ii). This does not require State Farm to retain or disclose PHI after the conclusion of litigation.

¶ 87 Lastly, State Farm maintains its position that Illinois law protects personal or privileged information received in handling claims while still allowing property and casualty insurers to make disclosures necessary for rate-making, anti-fraud programs, and consumer-protection research. Article XL of the Insurance Code provides as follows:

“The purpose of this Article is to establish standards for the collection, use and disclosure of information gathered in connection with insurance transactions by insurance institutions, agents or insurance-support organizations; to maintain a balance between the need for information by those conducting the business of insurance and the public‘s need for fairness in insurance information practices,including the need to minimize intrusiveness; to establish a regulatory mechanism to enable natural persons to ascertain what information is being or has been collected about them in connection with insurance transactions and to have access to such information for the purpose of verifying or disputing its accuracy; to limit the disclosure of information collected in connection with insurance transactions; and to enable insurance applicants and policyholders to obtain the reasons for any adverse underwriting decision.” 215 ILCS 5/1001 (West 2018).

This provision does not contain any affirmative language that mandates the use, disclosure, or retention of PHI for any purpose.

¶ 88 State Farm has failed to direct us to, nor have we found, any provision of the Insurance Code or the Illinois Administrative Code that requires it to use or disclose plaintiffs’ PHI after the conclusion of the litigation. As such, we reject State Farm‘s argument that the trial courts’ QPOs conflict with its obligations under state law. Since there is no conflict, the Privacy Rule does not preempt or otherwise nullify these specific provisions in the Insurance Code and its administrative regulations.

G. Privacy Rule Preempts Cook County Standard Protective Order

¶ 89 State Farm assigns error to the conclusion of the trial and appellate courts that its alternative tendered protective orders are preempted by the Privacy Rule. State Farm argues that the absence of the “use or disclose” prohibition and the “return or destroy” requirement “cannot be an obstacle to accomplishing HIPAA‘s full purposes and objectives” beсause those restrictions are not required for a court order pursuant to section 164.512(e)(1)(i). Rather, those restrictions apply only to discovery processes that are not accompanied by a court order. 45 C.F.R. § 164.512(e)(1)(ii) (2018).

¶ 90 We recognize that the Privacy Rule does not require a court order entered pursuant to section 164.512(e)(1)(i) to include the “use or disclose” prohibition and the “return or destroy” requirement of section 164.512(e)(1)(ii). This provision does not expressly dictate any criteria for judges to exercise their discretion. However, in response to a court order pursuant to section 164.512(e)(1)(i), acovered entity may disclose “only the [PHI] expressly authorized by such order.” Id..

¶ 91 We must construe the language of section 164.512(e)(1) as a whole, in light of HIPAA and the entire Privacy Rule. See . Accordingly, we consider plaintiffs and State Farm to have followed the better approach in this litigation. Parties should first seek a protective order that meets the definition of a QPO under section 164.512(e)(1)(v) to pursue discovery under the provisions of section 164.512(e)(1)(ii). Should the parties then encounter any difficulty with the acquisition of necessary discovery, they may seek a court order as contemplated under section 164.512(e)(1)(i) for that specific, targeted information. See, e.g., .

¶ 92 As earlier discussed, the Cook County standard protective order does not address what PHI the covered entity is expressly authorized to disclose. Therefore, we conclude that, in this case, a covered entity cannot comply with both the Privacy Rule and State Farm‘s tendered protective orders. The Cook County standard protective order does not prohibit the insurer from using and disclosing PHI outside of litigation and does not require an insurer to return or destroy PHI at the conclusion of litigation. These concessions directly conflict with the requirements for a HIPAA QPO under section 164.512(e)(1)(v) of the Privacy Rule. Likewise, by eliminating the “use or disclose” prohibition and the “return or destroy” requirement, the Cook County standard protective order would not provide the confidentiality and protection of PHI envisioned when the Privacy Rule was promulgated. To accept State Farm‘s argument would render superfluous and nugatory section 164.512(e)(1)(ii), which we cannot do. . In other words, any requirement that an insurer be allowed to use and retain PHI beyond the conclusion of litigation would lower the floor of privacy protection that HIPAA and the Privacy Rule mandate. As such, the Cook County standard protective order acts as an obstacle to accomplishing and executing HIPAA‘s full purposes and objectives. 45 C.F.R. § 160.202 (2018).

¶ 93 Therefore, we hold that the Cook County standard protective order is preempted by the Privacy Rule. We next determine whether the McCarran-Ferguson Actshields the Cook County standard protective order from traditional preemption.

H. Reverse Preemption

¶ 94 The trial courts asked the parties to address the implications of the McCarran-Ferguson Act (15 U.S.C. § 1011 et seq. (2018)), which gives rise to the doctrine of “reverse preemption.” If applicable, the reverse preemption doctrine allows state laws that regulate insurance to prevail over general federal rules. ; (collecting cases). The parties did not argue that the McCarran-Ferguson Act applied in these cases, and the trial courts did not address the issue. The appellate court observed: “State Farm briefly mentions the McCarran-Ferguson Act in its brief but does not fully develop the issue. Nevertheless, we find it appropriate to briefly address this matter.” . The appellate court held that the doctrine of reverse preemption did not apply to shield Illinois insurance law from Privacy Rule preemption. Id. ¶ 68.

¶ 95 Before this court, State Farm contends that the appellate court‘s holding that the Privacy Rule preempts any conflicting state law is inconsistent with its holding that there is no conflict between the Privacy Rule and state law for reverse preemption purposes. State Farm misapprehends the McCarran-Ferguson Act and the reverse preemption doctrine.

¶ 96 As earlier mentioned, the general rule is that, “[w]here a state statute conflicts with, or frustrates, federal law, the former must give way.” . However, the McCarran-Ferguson Act carved out an exception to this general rule where state laws regulate the “business of insurance.” 15 U.S.C. § 1011 (2018). Section 2(b) of the McCarran-Ferguson Act provides: “No Act of Congress shall be construed to invalidate, impair, or supersede any law enacted by any State for the purpose of regulating the business of insurance *** unless such Act specifically relates to the business of insurance.” Id. § 1012(b). The United States Supreme Court has explained:

“[T]he Act does not seek to insulate state insurance regulation from the reach of all federal law. Rather, it seeks to protect state regulation primarily againstinadvertent federal intrusion—say, through enactment of a federal statute that describes an affected activity in broad, general terms, of which the insurance business happens to constitute one part.” (Emphasis omitted.) .

¶ 97 The McCarran-Ferguson Act “transformed the legal landscape by overturning the normal rules of preemption.” . Section 2(b) imposes “a rule that state laws enacted ‘for the purpose of regulating the business of insurance’ do not yield to conflicting federal statutes unless a federal statute specifically requires otherwise.” Id.. Under the McCarran-Ferguson Act, a state law will reversе preempt a federal law if (1) the state law was enacted for the purpose of regulating the business of insurance; (2) the federal law does not specifically relate to the business of insurance; and (3) the federal law would invalidate, impair, or supersede the state law. . All three criteria must be satisfied for the doctrine of reverse preemption to preclude application of a federal law. See ; .

¶ 98 The appellate court concluded that “nothing in any Illinois statute or regulation State Farm cites requires the retention of PHI or its use for any particular purpose. Thus, the HIPAA qualified protective orders entered in this case do not ‘invalidate, impair, or supersede’ the Illinois statutes and regulations State Farm cites.” . Therefore, the appellate court correctly held that the doctrine ‍‌‌​​​‌‌​‌‌‌​​​‌‌‌​​​​‌​‌​​​​‌‌​​​‌‌​‌‌​​​​‌​​​‌​‍of reverse preemption does not apply in this case. Id.

¶ 99 There is no inconsistency between this holding and our prior conclusion, with which the appellate court agreed, that the Privacy Rule preempts any conflicting state law. State Farm and plaintiffs agree with the appellate court‘s holding that the McCarran-Ferguson Act does not apply here. Therefore, the doctrine of reverse preemption cannot shield the pertinent Illinois Insurance Code sections and regulations from federal preemption.

III. CONCLUSION

¶ 100 As a matter of law, we conclude as follows. The Privacy Rule applies in these cases to potentially preempt Illinois insurance regulatory law governing the use,disclosure, and retention of PHI. The trial courts’ QPOs do not conflict with Illinois insurance regulatory law because nothing in the Insurance Code or administrative regulations mandates that a property and casualty insurer use, disclose, and retain PHI beyond litigation. However, the Cook County standard protective order is contrary to the Privacy Rule because it falls below the floor of privacy that the Privacy Rule mandates. Therefore, it is preempted by the Privacy Rule. Further, the reverse preemption doctrine provided by the McCarran-Ferguson Act does not shield the disputed provisions of Illinois insurance regulatory law from preemption. Therefore, we hold that the trial courts did not abuse their discretion in entering the QPOs pursuant to HIPAA and the Privacy Rule.

¶ 101 For the foregoing reasons, the judgment of the appellate court is affirmed, and the cases are remanded to the circuit court of Lake County for further proceedings.

¶ 102 Affirmed and remanded.

Read the detailed case summary