Haage v. Zavala

• Decision Date: 13 March 2020
• Docket Number: Nos. 2-19-0499,2-19-0500 cons.,s. 2-19-0499
• Citation: 158 N.E.3d 1171,2020 IL App (2d) 190499,442 Ill.Dec. 136
• Parties: Rosemarie HAAGE, Plaintiff-Appellee, v. Alfonso Montiel ZAVALA, Patricia Santiago, Jose Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez, Defendants (State Farm Mutual Automobile Insurance Company, Intervenor-Appellant). Agnieszka Surlock and Edward Surlock, Plaintiffs-Appellees, v. Dragoslav Starcevic, Defendant (State Farm Mutual Automobile Insurance Company, Intervenor-Appellant).
• Court: United States Appellate Court of Illinois

2020 IL App (2d) 190499

158 N.E.3d 1171

442 Ill.Dec. 136

Rosemarie HAAGE, Plaintiff-Appellee,

v.Alfonso Montiel ZAVALA, Patricia Santiago, Jose Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez, Defendants

(State Farm Mutual Automobile Insurance Company, Intervenor-Appellant).

Agnieszka Surlock and Edward Surlock, Plaintiffs-Appellees,

v.Dragoslav Starcevic, Defendant

(State Farm Mutual Automobile Insurance Company, Intervenor-Appellant).

Nos. 2-19-0499

2-19-0500 cons.

Appellate Court of Illinois, Second District.

Opinion filed March 13, 2020

Rehearing denied April 2, 2020

Glen E. Amundsen and Michael Resis, of SmithAmundsen LLC, of Chicago, for appellant.

Robert D. Fink and Kenneth A. Koppelman, of Collison Law Offices, of Chicago, for appellees.

JUSTICE HUDSON delivered the judgment of the court, with opinion.

¶ 1 I. INTRODUCTION

¶ 2 This consolidated appeal concerns the scope of protective orders involving the disclosure of protected health information (PHI) to a property and casualty insurer. In each of the two underlying cases, plaintiffs sued to recover damages occasioned by the alleged negligence of defendants in driving their automobiles. Plaintiffs subsequently moved for the entry of qualified protective orders pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)) (HIPAA qualified protective orders). Among other things, the protective orders proposed by plaintiffs would have (1) prohibited the parties and any other persons or entities from using or disclosing PHI for any purpose other than the litigation for which it was requested and (2) required the return or destruction of the PHI within 60 days after the conclusion of the litigation. See 45 C.F.R. § 164.512(e)(1)(v)(A), (B) (2018) (setting forth requirements for a qualified protective order under HIPAA). State Farm Mutual Automobile Insurance Company (State Farm), the liability insurer for at least one of the named defendants in each case, petitioned to intervene. After the circuit court of Lake County granted the petition in each case, State Farm filed objections to the HIPAA qualified protective orders. State Farm argued, inter alia , that the HIPAA qualified protective orders (1) sought to bind State Farm to the requirements of HIPAA, although State Farm is expressly exempt from the statute's application and (2) directly conflicted with State Farm's obligations and rights under the Illinois Insurance Code ( 215 ILCS 5/1 et seq. (West 2018)) and the administrative regulations governing its business operations. State Farm requested that the trial court deny the HIPAA qualified protective orders and enter, pursuant to Illinois Supreme Court Rule 201(c)(1) (eff. May 29, 2014), protective orders similar to one used in the law division of the circuit court of Cook County (Cook County protective orders). The Cook County protective orders would permit insurance companies to "disclose, maintain, use, and dispose of PHI or what would otherwise be considered PHI to comply and conform with current and future applicable federal and state statutes, rules, and regulations" for certain designated purposes and exempt insurers from any "return or destroy" provisions.

¶ 3 Following a combined hearing and additional briefing, the trial court in each case granted plaintiffs' motions for the HIPAA qualified protective orders and denied State Farm's request for the Cook County protective orders. The trial courts determined, among other things, that (1) to the extent that State Farm's obligations and rights under Illinois law conflict with HIPAA requirements, the federal statute and its regulations preempt state law and (2) any individual or entity receiving PHI in response to a HIPAA qualified protective order is bound to follow the terms of the order. State Farm filed an interlocutory appeal in each case, pursuant to Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017). On appeal, State Farm contends that the trial courts erred in granting plaintiffs' motions for the HIPAA qualified protective orders. We affirm.

¶ 4 II. BACKGROUND

¶ 5 To provide context to the parties' arguments, we briefly review the relevant provisions of HIPAA before discussing the facts underlying this appeal.

¶ 6 A. HIPAA

¶ 7 In 1996, Congress passed, and President Clinton signed into law, HIPAA (Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)). Among HIPAA's purposes were to establish national privacy standards and fair information practices regarding individually identifiable health information. Brende v. Hara , 113 Hawai'i 424, 153 P.3d 1109, 1114 (2007) ; see also Wade v. Vabnick-Wener , 922 F. Supp. 2d 679, 687 (W.D. Tenn. 2010) ("HIPAA embodies Congress' recognition of ‘the importance of protecting the privacy of health information in the midst of the rapid evolution of health information systems.’ " (quoting South Carolina Medical Ass'n v. Thompson , 327 F.3d 346, 348 (4th Cir. 2003) ); Law v. Zuckerman , 307 F. Supp. 2d 705, 710 (D. Md. 2004) ("Congress enacted HIPAA, in part, to protect the security and privacy of individually identifiable health information."); U.S. Dep't of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 1 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR] ("A major goal of [HIPAA] is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being."). To this end, HIPAA authorized the Secretary of the Department of Health and Human Services (HHS) to issue regulations governing individually identifiable health information if Congress did not enact privacy legislation within three years of the passage of the statute. HIPAA, Pub. L. No. 104-191, § 264(c)(1), 110 Stat. 1936, 2033-34 (1996); U.S. Dep't of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 1-2 (May 2003), https://www.hhs.gov/sites/ default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]; Arons v. Jutkowitz , 9 N.Y.3d 393, 850 N.Y.S.2d 345, 880 N.E.2d 831, 840 (2007). Congress did not meet its self-imposed deadline, so HHS proposed and subsequently adopted the "Privacy Rule," a series of regulations governing permitted uses and disclosures of PHI. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) ; U.S. Dep't of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/ privacysummary.pdf [https://perma.cc/F66C-T4TR]; Arons , 850 N.Y.S.2d 345, 880 N.E.2d at 840. The Privacy Rule is codified at parts 160 and 164 of Title 45 of the Code of Federal Regulations (45 C.F.R. pt. 160, 164 (2018)). U.S. Dep't of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 2 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]; Arons , 850 N.Y.S.2d 345, 880 N.E.2d at 840.

¶ 8 The Privacy Rule prohibits the use or disclosure of an individual's PHI by a "covered entity" or "business associate" unless the individual has consented in writing or unless the use or disclosure is otherwise specifically permitted or required by the Privacy Rule. 45 C.F.R. §§ 164.502, 164.506, 164.508, 164.510, 164.512 (2018). With exceptions not relevant here, the Privacy Rule defines the term "protected health information" as "individually identifiable health information" transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. 45 C.F.R. § 160.103 (2018). In turn, "individually identifiable health information" means information, including demographic data, that (1) relates to "the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual" and (2) "identifies the individual" or where "there is a reasonable basis to believe the information can be used to identify the individual." 45 C.F.R. § 160.103 (2018). A "covered entity" means "[a] health plan," "[a] health care clearinghouse," or "[a] health care provider who transmits any health information in electronic form" as those terms are defined in the regulation. 45 C.F.R. § 160.103 (2018). A "business associate" is a person, other than a member of a covered entity's workforce, who performs certain functions or activities on behalf of or provides certain services to a covered entity that involve the use or disclosure of PHI. 45 C.F.R. § 160.103 (2018).

¶ 9 Relevant to this dispute, the Privacy Rule permits a "covered entity" to use or disclose PHI, in the course of any judicial or administrative proceeding, without the written authorization of the individual to whom it belongs. 45 C.F.R. § 164.512(e) (2018). However, the Privacy Rule places certain requirements on both the party providing the information and the party seeking it. U.S. Dep't of Health & Human Servs., Office for Civil Rights, Summary of the HIPAA Privacy Rule 6 (May 2003), https://www.hhs.gov/sites/default/files/privacysummary.pdf [https://perma.cc/F66C-T4TR]. Hence, a covered entity may disclose PHI expressly authorized by a court order. 45 C.F.R. § 164.512(e)(1)(i) (2018). A covered entity may also disclose PHI "[i]n response to a subpoena, discovery request, or other lawful process, not accompanied by an order of a court," if the covered entity "receives satisfactory assurance * * * from the party seeking the information" that the party has made reasonable efforts (1) to ensure...