Chicago Sun-Times v. Cook County Health and Hospital System , 2022 IL 127519 ( 2022 )

IN THE
SUPREME COURT
OF
THE STATE OF ILLINOIS
(Docket No. 127519)
CHICAGO SUN-TIMES, Appellee v. COOK COUNTY HEALTH
AND HOSPITALS SYSTEM, Appellant.
Opinion filed November 30, 2022.
JUSTICE MICHAEL J. BURKE delivered the judgment of the court, with
opinion.
Justices Anne M. Burke, Neville, Overstreet, Carter, and Holder White
concurred in the judgment and opinion.
Chief Justice Theis dissented, with opinion.
OPINION
¶1      Plaintiff, the Chicago Sun-Times, sent defendant, Cook County Health and
Hospitals System, a request under the Freedom of Information Act (FOIA) (5 ILCS
140/1 et seq. (West 2018)) for information about gunshot wound patients who
arrive at defendant’s emergency rooms unaccompanied by law enforcement.
Plaintiff was investigating whether defendant was meeting a requirement to notify
local law enforcement when so-called “walk-in” gunshot wound patients are
treated. 20 ILCS 2630/3.2 (West 2018). Plaintiff asked for the “time/date” of each
relevant hospital admission and the corresponding “time/date” of law enforcement
notification.
¶2       Defendant asserted two FOIA exemptions and withheld the records, claiming
they contained (1) personal health information prohibited from disclosure by the
Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. No. 104-
191, 

 (1996) (codified as amended in scattered sections of Titles 18,
26, 29, and 42 of the United States Code); 5 ILCS 140/7(1)(a) (West 2018)) and
(2) private information barred from disclosure under FOIA (5 ILCS 140/7(1)(b)
(West 2018)).
¶3       Plaintiff initiated a FOIA enforcement action, arguing that the year listed on
each record was discoverable, even if the time of day, day of month, and month
were not. 

 § 11(a). The Cook County circuit court ruled for defendant on the
parties’ cross-motions for summary judgment. The appellate court reversed,
holding that HIPAA and FOIA permitted the release of the year elements of the
records as long as the individual identifying information was redacted, or “de-
identified” to maintain patient confidentiality. 

.
¶4       The issue presented is whether the year of each walk-in gunshot wound patient
admission and the year of the corresponding law enforcement notification of each
admission are exempt from disclosure under section 7(1)(a), which incorporates
privacy laws such as HIPAA, or section 7(1)(b), which prohibits the disclosure of
private information, including medical records. In light of the narrow scope of
plaintiff’s request, we hold that the responsive information is not exempt from
disclosure under the two exemptions addressed in the parties’ cross-motions for
summary judgment. We affirm the appellate court’s judgment, reverse the circuit
court’s judgment, and remand the cause for further proceedings.
¶5                                  I. BACKGROUND
¶6      On September 10, 2018, plaintiff requested the following information at issue:
-2-
“Without providing identifying patient information, we seek the time/date
of admission of patients seeking treatment for gunshot wounds through
[defendant] between Jan. 1, 2015 through the present day who were not been
[sic] accompanied by a law enforcement officer at the time of their admission
as well as the corresponding time/date that law enforcement officials were
notified of the patients’ admission as required by state statue [sic] (20 ILCS
2630/3.2).”
¶7      On October 26, 2018, Deborah Fortier, defendant’s FOIA officer, answered the
request in relevant part as follows:
“According to Trauma administration, there is a trauma registry that logs
arrival information of all trauma patients not just walk in gunshot patients,
however that log is identifiable private patient health/medical information that
is protected from release by medical privacy laws and regulations, including
but not limited to HIPAA. Further, there is no independent written record of
patient information that simply tracks times/dates of walk in gunshot patients
and reporting; so, there is no existing document that is responsive to your
request. Respectfully, [defendant] is not required under the FOIA to create a
document that is not kept in the regular course of business in order to respond
to your request. Further, it would be improper and a violation of state and
federal medical privacy laws, including but not limited to HIPAA, for
[defendant] to release the specific arrival times and dates and reporting dates of
individual walk in gunshot patients, as this could allow for patient
identification. This patient information, which is individual protected patient
health/medical information, is therefore exempt from public release under
Sections 2(c-5) and 7(1)(a) of the FOIA. This would also include where arrival
times and dates and date of any reporting would be entered into individual
patient medical records; medical records are not public records and are private
records per se under Section 2(c-5) of the FOIA. In fact, it would be a violation
of medical privacy laws, for [defendant’s] staff to review or even access patient
medical information to respond to a FOIA request, as responding to a public
records request is not a lawful purpose to access patient medical information.”
¶8      On November 21, 2018, plaintiff filed a complaint alleging defendant
improperly withheld the information. Plaintiff sought, inter alia, an order requiring
-3-
defendant to produce the requested records and enjoining defendant from
withholding public records that are not exempt under FOIA.
¶9         The parties filed cross-motions for summary judgment on the issue of whether
the information concerning the timing of walk-in patient admission and police
notification was exempt from disclosure under section 7 of FOIA. Defendant
attached to its motion the affidavit of Fortier, who averred that John H. Stroger Jr.
Hospital of Cook County (Stroger Hospital) was the only entity that possessed
records that were potentially responsive to plaintiff’s request.
¶ 10       Defendant also attached the affidavit of Justin Mis, Stroger Hospital’s trauma
coordinator. Mis averred that the electronic trauma registry at Stroger Hospital
contains entries for each patient arriving at the hospital. Each entry includes the
patient’s name, date and time of arrival, medical record number, and the patient’s
chief complaint. Mis conceded that he could generate a report listing only the
mechanism of injury, such as gunshot wound, and the patient’s time of arrival in
the emergency department. However, the report would not state whether the patient
was accompanied by a law enforcement officer or when law enforcement was
notified, if at all. To determine which patients were unaccompanied, Mis would
need to cross-reference the report with the “patient access log.” The log shows the
time and date a law enforcement officer requested access to a patient, but it would
not indicate whether the request was prompted by hospital notification. Ultimately,
Mis would need to access the medical record of each gunshot wound patient to
determine whether he or she arrived at Stroger Hospital with law enforcement or if
law enforcement was notified of the admission.
¶ 11       Fortier averred that the trauma registry and the patient access log contained
protected health information as defined by HIPAA. Fortier claimed defendant could
not remove enough identifying information from the trauma registry and the patient
access log to fulfill the FOIA request and still comply with HIPAA. Further, Fortier
averred that the responsive records constituted medical records that are protected
from disclosure under Illinois law.
¶ 12       Plaintiff argued in its summary judgment motion that FOIA permitted
disclosure of the requested information in a de-identified report. Specifically,
plaintiff argued HIPAA permits the disclosure of the year of treatment and year of
-4-
law enforcement notification. Plaintiff conceded that HIPAA bars disclosure of
other elements of a date field, such as time of day, day of month, or month.
¶ 13       On November 15, 2019, the circuit court entered summary judgment for
defendant. The court stated that, because the year identifier was part of a medical
record, it was exempt from disclosure under section 7(1)(b) of FOIA. The court
explained that, without case law expressly permitting the redaction of medical
records for FOIA purposes, the responsive information was not improperly
withheld.
¶ 14       The appellate court reversed the summary judgment and remanded for further
proceedings. 

, ¶ 29. The court determined that plaintiff
had not forfeited review by revising its request at the summary judgment stage. Id.
¶ 15. Plaintiff initially requested “time/date” information, but plaintiff’s summary
judgment motion conceded that just the year element was releasable. The court
observed that “narrowing of the request reflects an implicit concession by [plaintiff]
that it was not entitled to the more specific date and time information.” Id.
¶ 15       The appellate court held section 7(1)(a) of FOIA did not exempt the year of
patient admission and police notification in gunshot-wound cases because the year
element, alone, does not convey identifying information. Id. ¶ 19 (citing 

(b)(2)(i)(A)-(C), (G), (H) (2018)). The court held that removing
individual identifiers would de-identify the information in compliance with
HIPAA. 

¶ 16       Considering the sheer number of gunshot-wound patients treated at Stroger
Hospital during the relevant time period, the court also rejected defendant’s claim
that it had “ ‘actual knowledge that the information could be used alone or in
combination with other information to identify an individual who is a subject of the
information.’ ” Id. ¶ 20 (quoting 

(b)(2)(ii) (2018)).
¶ 17       The appellate court separately held that the year information was not exempt
under section 7(1)(b) of FOIA, which prohibits the disclosure of “private
information,” including “medical records.” 

 ¶ 25 (citing 5 ILCS 140/2(c-5) (West
2018)). Noting that FOIA does not define “medical records,” the court declined to
adopt the definition set forth in the Illinois Administrative Code, instead relying on
the plain and ordinary meaning of the words. 

 (citing 77 Ill. Adm. Code
-5-
250.1510(b)(2)(A) (2019)). The dictionary definition of “medical record” is
“ ‘documents that compose a medical patient’s healthcare history.’ ” 

 (quoting
Black’s Law Dictionary (11th ed. 2019)). The court concluded that, “[w]hile the
year of a patient’s hospital admission may be found in a patient’s medical record,
it, standing alone, is not a medical record under this definition.” (Emphasis in
original.) 

¶ 18        Defendant filed a petition for leave to appeal, which we allowed pursuant to
Illinois Supreme Court Rule 315 (eff. Oct. 1, 2020).
¶ 19                                            II. ANALYSIS
¶ 20       On appeal, defendant renews its arguments that (1) HIPAA prohibits covered
entities from using and disclosing their patients’ private health information to
comply with a FOIA request and (2) the responsive records, even with the unique
identifiers redacted, constitute “medical records” that FOIA categorically exempts
from disclosure.
¶ 21       Defendant alternatively argues that complying with the FOIA request would be
unduly burdensome. Fortier’s response alluded to the impracticality of processing
the records, but the parties did not raise the issue in their cross-motions for summary
judgment, and the issue was not addressed by the lower courts.
¶ 22       Plaintiff contends that the appellate court’s judgment should be affirmed
because plaintiff seeks only the year element of the date field from the records. 1
For the following reasons, we agree with plaintiff that defendant can de-identify the
records and comply with the request without violating HIPAA’s privacy rule or
FOIA’s prohibition against disclosing medical records. We do not reach the
question of whether the request was unduly burdensome.
1
Although defendant criticizes plaintiff’s FOIA request as “reformulated after the fact and
during the pendency of litigation,” the parties have adopted plaintiff’s interpretation of “time/date”
to mean “year.” We consider the issues, as presented by the parties, in terms of whether the year
element is releasable.
-6-
¶ 23                                  A. Summary Judgment
¶ 24      This appeal arises from the parties’ cross-motions for summary judgment.
“[S]ummary judgment should be granted only where the pleadings, depositions,
admissions and affidavits on file, when viewed in the light most favorable to
the nonmoving party, show that there is no genuine issue as to any material fact
and that the moving party is clearly entitled to judgment as a matter of law.”
Pielet v. Pielet, 

, ¶ 29.
See 735 ILCS 5/2-1005 (West 2018). “When parties file cross-motions for
summary judgment, they mutually agree that there are no genuine issues of material
fact and that only a question of law is involved.” Jones v. Municipal Employees’
Annuity & Benefit Fund, 

, ¶ 26. We review summary judgment
de novo. Pielet, 

, ¶ 30. De novo review also applies to our
interpretation of FOIA and HIPAA. In re Appointment of Special Prosecutor, 

, ¶ 22 (issues of statutory construction present questions of law that we
review de novo).
¶ 25                                B. Statutory Interpretation
¶ 26       The objective of statutory interpretation is to ascertain and give effect to the
legislature’s intent, and the most reliable indicator of that intent is the language of
the statute, given its plain and ordinary meaning. Id. ¶ 23. The General Assembly
has declared FOIA’s underlying public policy to be that “all persons are entitled to
full and complete information regarding the affairs of government and the official
acts and policies of those who represent them as public officials and public
employees consistent with the terms of this Act.” 5 ILCS 140/1 (West 2018). “It is
a fundamental obligation of government to operate openly and provide public
records as expediently and efficiently as possible in compliance with this Act.” Id.
¶ 27       This clear expression of legislative intent means that public records are
presumed to be open and accessible. Special Prosecutor, 

, ¶ 25.
FOIA should be construed liberally to achieve the goal of providing the public with
easy access to government information. 

-7-
¶ 28       FOIA prescribes rules to ensure governmental compliance, including requiring
a prompt response to a request for inspection or a copy of documents: “[e]ach public
body shall, promptly, either comply with or deny a request for public records within
5 business days after its receipt of the request, unless the time for response is
properly extended.” 5 ILCS 140/3(d) (West 2018). When a person has been denied
access to a public record, he “may file suit for injunctive or declaratory relief” and
may seek attorney fees and civil penalties from the public body. 

 § 11(a), (i), (j).
The circuit court is vested with “jurisdiction to enjoin the public body from
withholding public records and to order the production of any public records
improperly withheld from the person seeking access.” Id. § 11(d); Special
Prosecutor, 

, ¶ 57.
¶ 29       However, a public body may withhold information that is exempt from
disclosure. 5 ILCS 140/7 (West 2018). A public body claiming an exemption bears
the burden of proving by clear and convincing evidence that the requested
information is exempt. 

 § 1.2. When a request is made to inspect or copy a public
record that contains information that is exempt from disclosure under section 7 but
also contains information that is not exempt, the public body may elect to redact
the information that is exempt. Id. § 7(1). In that case, the public body shall make
the remaining information available for inspection and copying. Id.
¶ 30       Defendant asserted two exemptions, claiming (1) HIPAA prohibits the use and
disclosure of the information and (2) the information is “private information” under
FOIA. Id. § 7(1)(a), (b). Plaintiff responds that defendant can comply with HIPAA
and FOIA by redacting the exempt information from the medical records while
making the requested information available.
¶ 31                                     1. Section 7(1)(a)
¶ 32      The first exemption cited by defendant exposes tension between two strong
public policies: FOIA’s promotion of the open disclosure of government records
and HIPAA’s protection of private health information. Defendant claims that
“answering a public records request *** is not a permitted use under HIPAA.” But
when statutes potentially conflict, they must be construed in harmony with one
another if reasonably possible. Knolls Condominium Ass’n v. Harms, 202 Ill. 2d
-8-
450, 458-59 (2002). The two statutory schemes can be reconciled in this case to
facilitate the disclosure of government records while protecting patient privacy.
¶ 33       FOIA exempts “[i]nformation specifically prohibited from disclosure by federal
or State law or rules and regulations implementing federal or State law.” 5 ILCS
140/7(1)(a) (West 2018). Defendant asserts that HIPAA, a federal law, specifically
prohibits the disclosure of the year of admission of each walk-in gunshot wound
patient and the year of each corresponding law enforcement notification.
¶ 34       HIPAA’s privacy rule prohibits the “use or disclosure” of an individual’s
personal health information by a covered entity, like defendant, unless the
individual has consented in writing or unless the use or disclosure is otherwise
specifically permitted or required by the privacy rule. 

,
164.506, 164.508, 164.510, 164.512 (2018). HIPAA defines “protected health
information,” as all “individually identifiable health information” kept by a covered
entity that is transmitted or maintained in any form or medium, including electronic
media. 

 § 160.103. “Individually identifiable health information” includes
demographic information collected from an individual that
“(1) Is created or received by a health care provider, health plan, employer,
or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or
condition of an individual; the provision of health care to an individual; or the
past, present, or future payment for the provision of health care to an individual;
and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the
information can be used to identify the individual.” Id.
¶ 35       The parties correctly agree the responsive records contain protected health
information, but defendant argues, “[r]eviewing medical records in response to a
FOIA request is not a permitted use of protected health information.” To determine
whether a public body can comply with the FOIA request without violating HIPAA,
we must consider how the public body would use the protected health information
to process the request. Here, Fortier, defendant’s FOIA officer, and Mis, Stroger
-9-
Hospital’s trauma administrator, described defendant’s record keeping. The records
containing the requested information could be sorted in two databases: the trauma
registry, which records each patient’s arrival at Stroger Hospital, and the patient
access log, which shows the time and date a law enforcement officer requested
access to a patient. From these databases, defendant could generate a report
showing the arrival times of gunshot wound patients and the corresponding times
that law enforcement asked to see the patient. But defendant would need to examine
the medical record of each patient on the list to ascertain whether law enforcement’s
request for access to a patient was prompted by the hospital’s notification.
¶ 36       The data processing described by Fortier and Mis qualifies as “use” of
individually identifiable health information under HIPAA. Id. (“Use means, with
respect to individually identifiable health information, the sharing, employment,
application, utilization, examination, or analysis of such information within an
entity that maintains such information.”). However, HIPAA expressly states that a
covered entity may use protected health information to create de-identified
information for use by a person other than the covered entity: “[a] covered entity
may use protected health information to create information that is not individually
identifiable health information or disclose protected health information only to a
business associate for such purpose, whether or not the de-identified information is
to be used by the covered entity.” Id. § 164.502(d)(1).
¶ 37       Health information, once de-identified, no longer meets the standard of
individually identifiable health information subject to HIPAA’s protection. Id.
§ 164.514(a) (“Health information that does not identify an individual and with
respect to which there is no reasonable basis to believe that the information can be
used to identify an individual is not individually identifiable health information.”).
And HIPAA contains an implementation specification to facilitate de-
identification. A covered entity may determine that health information is not
individually identifiable health information if (1) the covered entity does not have
actual knowledge that the information could be used alone or in combination with
other information to identify an individual who is a subject of the information (id.
§ 164.514(b)(2)(ii)) and (2) the following identifiers are removed:
“(A) Names;
- 10 -
(B) All geographic subdivisions smaller than a State, including street
address, city, county, precinct, zip code, and their equivalent geocodes, except
for the initial three digits of a zip code if, according to the current publicly
available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the
same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units
containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of death;
and all ages over 89 and all elements of dates (including year) indicative of such
age, except that such ages and elements may be aggregated into a single
category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
- 11 -
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as
permitted by paragraph (c) of this section[.]” (Emphasis added.) Id.
§ 164.514(b)(2)(i).
¶ 38       Section 164.514(b)(2)(i) specifically excludes the year element from the date
identifiers that must be removed for de-identification. Accordingly, plaintiff
confined its request to the year elements directly related to the walk-in gunshot
wound patients involved. Plaintiff specifically asked defendant to withhold
“identifying patient information” and did not seek any other identifiers that could
be used to identify an individual.
¶ 39       Moreover, there was no evidence that defendant has “actual knowledge that the
information could be used alone or in combination with other information to
identify an individual who is a subject of the information.” Id. § 164.514(b)(2)(ii).
Defendant estimated that Stroger Hospital treated as many as 2000 gunshot wound
victims during the relevant time period, which diminishes the risk of identifying
any one individual. The appellate court astutely observed, “[i]t strains credulity to
imagine that any specific patient could be identified merely by the year they were
admitted and the year law enforcement was notified of their admission.” 

, ¶ 20.
¶ 40       The de-identification process is a permitted use of protected health information
under HIPAA (

(d)(1)) (2018)), and the removal of all the
enumerated individual identifiers except the year element would meet HIPAA’s de-
identification requirements for disclosure (id. § 164.514(b)(2)(i)). Under the
circumstances, we hold that defendant’s use of the patients’ protected health
information to process plaintiff’s FOIA request would not run afoul of HIPAA’s
privacy rule because the year element related to each patient admission and police
notification is not individually identifiable health information. That said, we
expressly limit our holding to the facts presented, as the exemption could apply to
a future request involving fewer patients where the year element of a record could
be used for identification. See id. § 164.514(b)(2)(ii).
- 12 -
¶ 41       Defendant contends King v. Cook County Health & Hospital System, 

, compels a different result. In King, the FOIA requester asked for
the zip codes used to create a map of the locations of individuals who had
previously received mental health services while detained in the Cook County jail.
Id. ¶ 1. The public body, which coincidentally happens to be defendant in this case,
asserted section 7(1)(a) as an exemption on the ground that disclosure would violate
the Mental Health and Developmental Disabilities Confidentiality Act
(Confidentiality Act) (740 ILCS 110/1 et seq. (West 2016)), which incorporates
HIPAA regulations by reference. King, 

, ¶ 28 (citing 

 (2016) and 740 ILCS 110/2 (West 2016)).
¶ 42       To determine whether the zip codes were confidential information under the
Confidentiality Act, the Appellate Court, First District, examined HIPAA and its
pertinent regulations. Id. ¶ 27. The court held that the individuals’ zip code
information was protected health information but could be released after de-
identification. Id. ¶ 28.
¶ 43       Defendant contends that HIPAA permitted the release of the redacted zip codes
in King “[b]ecause the information had been collected for an authorized use, and
the use was for a legitimate transaction of public business.” Defendant contrasts
King with this case, where defendant claims the necessary redactions would be a
misuse of protected health information under HIPAA. Defendant is mistaken.
¶ 44        In King, the redacted zip codes were releasable because they had been de-
identified according to the implementation specifications set forth in section
164.514(b)(2)(i)(B) of HIPAA (

(b)(2)(i)(B) (2018)). King,

, ¶ 31 (“HIPAA regulations provide that a covered entity
may determine that private health information is not individually identifiable only
if the last three digits of a zip code are removed, where the geographic unit formed
by combining all the zip codes with the same three initial digits contains more than
20,000 people”). Like the redacted zip codes in King, the year elements in this case
are not individually identifiable health information if properly de-identified,
regardless of how the public body previously used the information. 

(d)(1) (2018) (“A covered entity may use protected health information to
create information that is not individually identifiable health information or
disclose protected health information only to a business associate for such purpose,
- 13 -
whether or not the de-identified information is to be used by the covered entity.”).
¶ 45                                     2. Section 7(1)(b)
¶ 46       Defendant also asserts the responsive records are exempt because they contain
“[p]rivate information,” where disclosure is not required by another provision of
FOIA, a state or federal law, or a court order. 5 ILCS 140/7(1)(b) (West 2018).
“ ‘Private information’ means unique identifiers, including a person’s social
security number, driver’s license number, employee identification number,
biometric identifiers, personal financial information, passwords or other access
codes, medical records, home or personal telephone numbers, and personal
email addresses. Private information also includes home address and personal
license plates, except as otherwise provided by law or when compiled without
possibility of attribution to any person.” (Emphasis added.) 

 § 2(c-5).
¶ 47       Defendant argues, without citation of authority, “the entirety of a ‘medical
record’—not merely certain discrete information found in such a record—is exempt
from disclosure.” We disagree. The year element is not “private information” under
FOIA and so is not exempt under section 7(1)(b).
¶ 48        Defendant cites provisions in the Medical Rights Act (410 ILCS 50/3(d) (West
2018)), the Managed Care Reform and Patient Rights Act (215 ILCS 134/5(a)(4)
(West 2018)), and the Hospital Licensing Act (210 ILCS 85/6.17(d) (West 2018))
for the proposition that “individuals have a right to an expectation of privacy related
to their medical information.” These statutory schemes define “medical records,”
but FOIA, which is the operative statute in this case, does not. So, we adopt the
approach taken by the appellate court, which is to resort to the plain and ordinary
meaning of the term. Special Prosecutor, 

, ¶ 23.
¶ 49       Defendant concedes that the plain and ordinary meaning of “medical records”
is “[t]he documents that compose a medical patient’s healthcare history.” Black’s
Law Dictionary 1177 (11th ed. 2019). Although the year element requested by
plaintiff is found in medical records, the year element by itself, stripped of context,
is not a document of a patient’s healthcare history.
- 14 -
¶ 50       Defendant argues that, even if maintaining patient anonymity permits
disclosure of the year element, the process of matching the year of patient
admission to the year of police notification would require “some form of personally
identifiable information such as the medical record number.” Processing the FOIA
request might involve accessing medical records, including their reference
numbers, to match the year of patient admission to the year of law enforcement
notification. But section 7(1)(b) of FOIA prohibits the disclosure, not the use, of
medical records. Theoretically, defendant can use the medical record numbers to
match the year elements of patient admission and law enforcement notification and
then renumber the matched records before turning them over to plaintiff.
¶ 51       Defendant concludes that the exemption for medical records would be rendered
superfluous if a public body could simply redact personally identifying information
and release the rest of the record. However, the exemption for private information
under section 7(1)(b) plainly covers “unique identifiers,” which confirms that the
removal of uniquely identifying information from a patient’s healthcare history
renders the remainder of the document releasable. Adopting defendant’s broad
interpretation that “medical records” are exempt in their entirety would potentially
shield from disclosure all information concerning patient care undertaken by a
public body.
¶ 52                                 3. Unduly Burdensome
¶ 53       Defendant alternatively argues that, even if the year element of the responsive
records is not exempt from disclosure, the information was not withheld
improperly. Defendant asserts the steps for processing the request, including the
de-identification of the records, would be unduly burdensome under section 3(g) of
FOIA. 5 ILCS 140/3(g) (West 2018). Defendant adds that plaintiff’s
“reformulation” of the request at the summary judgment stage would make
compliance even more burdensome.
¶ 54      Section 3(g) provides,
“[r]equests calling for all records falling within a category shall be complied
with unless compliance with the request would be unduly burdensome for the
- 15 -
complying public body and there is no way to narrow the request and the burden
on the public body outweighs the public interest in the information.” 

Plaintiff’s request for information about walk-in gunshot wound patients concerns
a distinct category of records, so section 3(g) potentially applies.
¶ 55        Plaintiff responds that defendant has failed to preserve the issue for review. See,
e.g., Lazenby v. Mark’s Construction, Inc., 

, 92 (2010) (the failure to
raise an issue in the circuit court or appellate court results in forfeiture). Plaintiff
claims defendant was required to invoke section 3(g) as an affirmative defense and
in its motion for summary judgment, or risk forfeiture. Plaintiff does not develop
its forfeiture argument besides asserting “this court need not address the merits of
[defendant’s] burden claim because it failed to properly raise the issue below.” We
decline to advocate for plaintiff on the potentially complex issue of what measures
a public body must take to preserve the unduly burdensome defense under FOIA.
People ex rel. Illinois Department of Labor v. E.R.H. Enterprises, Inc., 

, ¶ 56 (“a reviewing court is not simply a depository into which a party may
dump the burden of argument and research”).
¶ 56       Setting forfeiture aside, this action’s procedural posture illustrates why
weighing the evidence on the burdens associated with processing the request would
be premature at this point. Cross-motions for summary judgment, like those filed
in this case, ordinarily signify the parties’ mutual agreement that there are no
genuine issues of material fact and that only a question of law remains. Jones, 

, ¶ 26. However, defendant did not invoke section 3(g) in its motion for
summary judgment, which was perhaps a tacit acknowledgment that a question of
fact exists about whether processing the request would be unduly burdensome. The
record contains some evidence, but the lower courts did not reach the issue because
the parties have focused on the two exemptions concerning HIPAA and medical
records.
¶ 57       Because the litigation did not progress beyond the summary judgment stage, we
confine our review to the summary judgment entered for defendant and decline to
delve into the factual question of the burdens associated with processing the
request. That said, the circuit court is free to address the procedural and substantive
issues surrounding the unduly burdensome nature of the request if defendant asserts
- 16 -
section 3(g) on remand. We emphasize that we express no opinion on the matter.
¶ 58                                   III. CONCLUSION
¶ 59       The parties disputed in their cross-motions for summary judgment whether two
exemptions authorized defendant to withhold the year of admission for walk-in
gunshot wound patients and the corresponding year of police notification from
January 1, 2015, through September 10, 2018. Defendant claims (1) the
information is prohibited from disclosure under HIPAA and (2) the information is
“private information” under FOIA. 5 ILCS 140/7(1)(a), (b) (West 2018). We hold
that the HIPAA regulations and FOIA exemptions cited by defendant do not bar
the release of the year elements of the responsive records as long as the remaining
individual identifying information is removed to maintain patient confidentiality.
We affirm the appellate court judgment, reverse the circuit court judgment, and
remand the cause to the circuit court for further proceedings consistent with this
opinion.
¶ 60      Appellate court judgment affirmed.
¶ 61      Circuit court judgment reversed.
¶ 62      Cause remanded.
¶ 63      CHIEF JUSTICE THEIS, dissenting:
¶ 64       Contrary to how the majority frames it, the issue in this case is not whether the
year that each walk-in gunshot wound patient was admitted to the hospital and the
year that law enforcement was notified of the admission are exempt from disclosure
under the Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)).
Rather, the issue is whether FOIA requires a public body to review its records to
piece together information to create a new document in response to a FOIA request.
FOIA imposes no such requirements on the public body. Therefore, I respectfully
dissent.
- 17 -
¶ 65       The majority correctly observes that FOIA’s underlying public policy is that
“all persons are entitled to full and complete information regarding the affairs of
government and the official acts and policies of those who represent them as public
officials and public employees consistent with the terms of this Act.” 5 ILCS 140/1
(West 2018). At the same time, FOIA is not intended to “disrupt the duly-
undertaken work of any public body independent of the fulfillment of any of the
fore-mentioned rights of the people to access to information.” 

 Further, FOIA
“is not intended to create an obligation on the part of any public body to
maintain or prepare any public record which was not maintained or prepared by
such public body at the time when this Act becomes effective, except as
otherwise required by applicable local, State or federal law.” 

¶ 66       As an initial matter, I question whether the request at issue sought public
records that were subject to production under FOIA. As courts have ruled, a
“request to inspect or copy must reasonably identify a public record and not general
data, information, or statistics.” Chicago Tribune Co. v. Department of Financial
& Professional Regulation, 

, ¶ 33; see also Kenyon v.
Garrels, 

, 32 (1989) (observing that FOIA “does not compel the
agency to provide answers to questions posed by the inquirer”). Here, as modified
on appeal, plaintiff’s FOIA request sought the year of
“admission of patients seeking treatment for gunshot wounds through
[defendant] between Jan. 1, 2015, through the present day who were not ***
accompanied by a law enforcement officer at the time of their admission as well
as the corresponding [year] that law enforcement officials were notified of the
patients’ admission as required by state statue [sic].”
This appears to be a request for general information, rather than a request for public
records under FOIA. 2
2
By contrast, plaintiff’s other request (which is not at issue in this appeal) asked the hospital for
“[w]ritten policy and/or related policy documents, and/or internal memos or communications setting
policy or providing guidelines, instructions and/or directives to staff in the reporting of patients who
have suffered gunshot wounds to law enforcement agencies as required by state statute.” The
hospital provided plaintiff with those policies.
- 18 -
¶ 67       Setting that question aside, the majority notes that the Cook County Health and
Hospitals System is required to notify local law enforcement when a person who is
not accompanied by a law enforcement officer arrives for treatment for a gunshot
wound. 20 ILCS 2630/3.2 (West 2018). The hospital is not, however, required to
keep a written log of when it notifies law enforcement. See 

 In response to
plaintiff’s FOIA request and again in its summary judgment filings, the hospital
explained that there is no written record that tracks the year a gunshot wound patient
arrived at the hospital unaccompanied by law enforcement and the year that law
enforcement was notified. In other words, there is no public record that contains the
information that plaintiff seeks.
¶ 68       Neither plaintiff nor the majority appear to dispute that the hospital does not
possess the information that plaintiff has requested. See In re Wade, 

,
246 (7th Cir. 1992) (“Without evidence of bad faith, the veracity of the
government’s submissions regarding reasons for withholding the documents should
not be questioned.”). Nonetheless, the majority would require the hospital to comb
through the medical records of each gunshot wound patient to see whether the
hospital’s staff included a notation about whether the patient arrived with law
enforcement or if law enforcement was notified of the admission. According to the
majority, the hospital can then “use the medical record numbers to match the year
elements of patient admission and law enforcement notification and then renumber
the matched records before turning them over to plaintiff.” Supra ¶ 50. This
presumably would require the hospital to create a chart that includes a reference
number for the patient and the years of patient admission and law enforcement
notification.
¶ 69       The majority would impose these requirements even though FOIA “is not
designed to compel the compilation of data the governmental body does not
ordinarily keep.” Kenyon, 184 Ill. App. 3d at 32. FOIA also does not require a
public body to generate new records in response to FOIA requests. Martinez v.
Cook County State’s Attorney’s Office, 

, ¶ 30; see also
Hites v. Waubonsee Community College, 

, ¶ 74
(distinguishing between performing a search for data on a database that contains
public records, which is permissible under FOIA, and creating a new record or
performing research, which is not). And to the extent that the majority would
require the hospital to produce redacted medical records (see supra ¶ 51), it is not
- 19 -
clear to me that a gunshot wound patient’s medical records pertain to the transaction
of public business. See 5 ILCS 140/2(c) (West 2018) (defining “public records,” in
part, as all “documentary materials pertaining to the transaction of public business,
*** having been prepared by or for, or having been or being used by, received by,
in the possession of, or under the control of any public body”).
¶ 70       FOIA does not require a public body to compile information that it does not
otherwise keep, nor does it require a public body to create a new record in response
to a FOIA request. Accordingly, I would affirm the trial court’s grant of summary
judgment in the hospital’s favor. For these reasons, I respectfully dissent.
- 20 -