Haage v. Zavala , 2021 IL 125918 ( 2021 )

IN THE
SUPREME COURT
OF
THE STATE OF ILLINOIS
(Docket No. 125918)
ROSEMARIE HAAGE, Appellee, v. ALFONSO MONTIEL ZAVALA et al.
(State Farm Mutual Automobile Insurance Company, Appellant).
Opinion filed September 23, 2021.
JUSTICE NEVILLE delivered the judgment of the court, with opinion.
Chief Justice Anne M. Burke and Justices Garman, Theis, Michael J. Burke,
Overstreet, and Carter concurred in the judgment and opinion.
OPINION
¶1       In each of two automobile personal injury actions, plaintiffs moved for entry of
a qualified protective order (QPO) pursuant to the Health Insurance Portability and
Accountability Act (HIPAA) (Pub. L. No. 104-191, 

 (1996) (codified
as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States
Code)) and its implementing regulations (45 C.F.R. pts. 160, 164 (2018))
(hereinafter Privacy Rule). Plaintiffs’ proposed QPOs would allow protected health
information (PHI) to be released, but subject to the following restrictions:
(1) nonlitigation use or disclosure of PHI is prohibited and (2) PHI must be returned
or destroyed at the conclusion of the litigation. See 

(e)(1)(v)
(2018). State Farm Mutual Automobile Insurance Company (State Farm), the
liability insurer for the named defendants, intervened in each lawsuit and sought
entry of its own protective order, which expressly allowed insurance companies to
use, disclose, and maintain PHI for purposes beyond the litigation and expressly
exempted insurers from the “return or destroy” requirement.
¶2       In both cases the circuit court of Lake County granted plaintiffs’ motions,
entered their QPOs, and denied State Farm’s motions. State Farm filed an
interlocutory appeal in each case. Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The
appellate court consolidated the two cases and affirmed. 

.
¶3       State Farm petitioned this court for leave to appeal as a matter of right (Ill. S.
Ct. R. 317 (eff. July 1, 2017)) or, alternatively, as a matter of discretion (Ill. S. Ct.
R. 315 (eff. Oct. 1, 2019)). We granted State Farm leave to appeal. For the
following reasons, we now affirm the judgment of the appellate court and remand
the cases to the trial court for further proceedings.
¶4                                    I. BACKGROUND
¶5                                 A. Underlying Complaints
¶6       In November 2017, plaintiff Rosemarie Haage filed a multicount complaint
(No. 17-L-897) against defendants Alfonso Montiel Zavala, Patricia Santiago, Jose
Pacheco-Villanuevo, Okan Esmez, and Rosalina Esmez. Haage sought to recover
damages for bodily injuries sustained in a multiple-vehicle collision near the
intersection of Lakeview Parkway and Route 60 in Vernon Hills.
¶7       In January 2018, plaintiffs Agnieszka Surlock and Edward Surlock filed a two-
count complaint (No. 18-L-39) against defendant Dragoslav Starcevic. The Surlock
plaintiffs sought damages for Agnieszka’s bodily injuries and Edward’s loss of
consortium as a result of a collision between an automobile driven by Agnieszka
and an automobile driven by Starcevic at the intersection of Grand Avenue and
-2-
Route 45 in Lindenhurst.
¶8                                B. Plaintiffs’ Motions for QPOs
¶9         In August 2018, plaintiffs, represented by the same attorney, filed nearly
identical motions for QPOs allowing the disclosure of protected health information
in their respective lawsuits. HIPAA’s privacy standards are known collectively as
the “Privacy Rule.” Deborah F. Buckman, Annotation, Validity, Construction, and
Application of Health Insurance Portability and Accountability Act of 1996
(HIPAA) and Regulations Promulgated Thereunder, 

, 148
(2004). The Privacy Rule is codified at parts 160 and 164 of Title 42 of the Code
of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).
¶ 10       Plaintiffs’ QPO motions alleged as follows. First, the treating physicians,
hospitals, and other health care providers for Haage and Agnieszka are subject to
the Privacy Rule. Second, these covered entities possess their PHI in the form of
medical records. Third, both the plaintiffs and the defendants in each case “will
require that the parties, their attorneys, their attorneys’ agents, consultants and
various witnesses and other personnel receive and review copies of the [PHI]”
pertaining to Haage and Agnieszka. Fourth, HIPAA potentially prohibits covered
entities from disclosing PHI in judicial proceedings other than by an authorization
or QPO.
¶ 11       Therefore, plaintiffs submitted HIPAA QPOs that permit the use and disclosure
of the PHI of Haage and Agnieszka. Relevant here, the proffered QPOs found that

(e)(1)(v)(A), (B) (2018) requires the following two obligations.
Paragraph 9 of the proposed QPOs finds that it is necessary to “[p]rohibit the parties
and any other persons or entities from using or disclosing the PHI for any purpose
other than the litigation or proceeding for which it was requested.” Paragraph 10 of
the proposed QPOs finds that it is necessary to “[r]equire the return of the PHI to
the covered entity or the destruction of the information at the end of the litigation
or proceeding.”
¶ 12      Accordingly, each proposed QPO ordered: “The PHI of any party in this lawsuit
may not be disclosed for any reason without that party’s prior written consent or an
Order of this court specifying the scope of the PHI to be disclosed, the recipients
-3-
of the disclosed PHI, and the purpose of the disclosure.” Each proposed QPO also
ordered as follows:
“Within 60 days after the conclusion of the litigation, including appeals, the
parties, their attorneys, insurance companies and any person or entity in
possession of PHI received pursuant to this Order, shall return Plaintiff’s PHI
to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff,
including any electronically stored copy or image, except that counsel are not
required to secure the return or destruction of PHI submitted to the Court.
‘Conclusion of the Litigation’ shall be defined as the point at which final orders
disposing of the entire case as to any Defendant have been entered, or the time
at which all trial and appellate proceedings have been exhausted as to any
Defendant.”
¶ 13                   C. State Farm’s Petitions to Intervene and File Objections
¶ 14       In September 2018, State Farm filed nearly identical petitions to intervene in
each lawsuit. See 735 ILCS 5/2-408(a)(2) (West 2018). State Farm maintained that
it was the casualty and liability insurer for at least one of the defendants in the
Haage lawsuit and for defendant Starcevic in the Surlock lawsuit. State Farm
alleged that plaintiffs’ proposed QPOs would impose upon it significant restrictions
and obligations, and the attorney representing its policyholders is not conversant
with either the legal issues raised by plaintiffs’ proposed QPOs or the statutes and
regulations applicable to State Farm’s business operations. The trial courts granted
State Farm’s petitions to intervene and granted State Farm leave to file objections.
¶ 15        In its objections to plaintiffs’ proposed QPOs, State Farm requested that the
trial courts (1) deny plaintiffs’ motions for their QPOs and (2) grant State Farm’s
motions to enter its tendered alternative orders (see Ill. S. Ct. R. 201(c)(1) (eff. July
1, 2014)). State Farm initially argued that, as a property and casualty insurer, it is
not a “covered entity” under HIPAA. State Farm also argued that plaintiffs’
proposed QPOs contained restrictions that would directly conflict with its
obligations and rights under Illinois law, specifically in two ways. First, State Farm
argued that requiring it to return or destroy all copies of PHI following the
conclusion of the litigation would interfere with its statutory and administrative
obligations to maintain complete documentation of all books, records, and
-4-
accounts, including claim files and claim data, and to make that information
available for examination upon request by the Illinois Department of Insurance.
Second, State Farm argued that restricting the use of PHI to the litigation at issue
would interfere “with State Farm’s rights under Illinois law to use a claimant’s
information to perform certain insurance functions.” State Farm asked the trial
courts to deny plaintiffs’ proposed QPOs.
¶ 16      State Farm also asserted that the law division of the circuit court of Cook
County has “entered a standard medical protective order authorizing production of
health information that omits unnecessary restrictions and explicitly accommodates
casualty insurers’ obligations.” State Farm tendered and sought entry of the Cook
County standard protective order.
¶ 17      The Cook County standard protective order lacks the PHI “use or disclosure”
prohibition and the “return or destroy” requirement that plaintiffs’ proposed QPOs
provide.
¶ 18      Rather, the Cook County standard protective order expressly permits insurance
companies to maintain, use, disclose, and dispose of PHI for the following
purposes:
“1. Reporting; investigating; evaluating, adjusting, negotiating, arbitrating,
litigating, or settling claims;
2. Compliance reporting or filing;
3. Conduct described in [section 1014 of the Illinois Insurance Code] 215
ILCS 5/1014;
4. Required inspections and audits;
5. Legally required reporting to private, federal, or state governmental
organizations ***;
6. Rate setting and regulation;
7. Statistical information gathering;
8. Underwriting, reserve, loss, and actuarial calculation;
-5-
9. Drafting policy language;
10. Workers’ compensation; and
11. Determining the need for and procuring excess or umbrella coverage or
reinsurance.”
Also, paragraph 5 of the Cook County standard protective order specifically
exempts insurance companies from the “return or destroy” requirement of 

(e)(1)(v)(B) (2018). State Farm urged the trial courts to adopt and
enter the tendered Cook County standard protective order.
¶ 19                                  D. Plaintiffs’ Replies
¶ 20        Plaintiffs responded that their proposed QPOs would not impose undue
restrictions or obligations on nonhealth insurers for two reasons. First, plaintiffs
argued that there was no language in either the Illinois Insurance Code or the
Illinois Administrative Code that requires nonhealth insurers to retain, use, or
disclose PHI. Second, plaintiffs asserted that State Farm does not require PHI to
perform “certain insurance functions.” Plaintiffs further noted that there has never
been an administrative disciplinary action taken against State Farm for failing to
maintain PHI. Therefore, according to plaintiffs, their proposed QPOs would not
affect the reporting obligations of nonhealth insurers such as State Farm.
¶ 21       Plaintiffs alternatively asserted that, absent a waiver from the federal
government, (1) HIPAA prohibits the use or disclosure of PHI for any purpose
other than the litigation or proceeding for which such information was requested
and (2) HIPAA requires the return or destruction of PHI at the end of the litigation
or proceeding. Therefore, according to plaintiffs, to the extent that any state law or
regulation permits State Farm to use, store, maintain or distribute PHI outside of
the scope of litigation and for State Farm’s own business operations, it is preempted
by HIPAA.
¶ 22        Plaintiffs further responded that whether or not State Farm is a “covered entity”
is irrelevant. Plaintiffs reasoned that, even if State Farm is exempt from HIPAA as
a casualty and liability insurer, the plaintiff-authorized PHI, the QPO entered by
the court, and the parties to whom the PHI is released are all subject to HIPAA.
-6-
Thus, according to plaintiffs, “State Farm had no right to the information to begin
with.” Rather, plaintiffs argued that State Farm “only obtains an ability to review
PHI because of a valid protective order. Therefore, regardless of whether State
Farm is a ‘covered entity’ under HIPAA, it must still abide by the court order and
the terms of HIPAA if it wants access to the PHI.”
¶ 23                                 E. Trial Courts’ Orders
¶ 24       In February 2019, the trial courts in the Haage and Surlock lawsuits held a
combined hearing on plaintiffs’ motions for QPOs. In May 2019, the trial courts
issued memorandum opinions and orders that granted plaintiffs’ motions to enter
their proposed QPOs and denied State Farm’s request for the entry of the Cook
County standard protective order.
¶ 25       The trial courts found that HIPAA preempts Illinois law to the extent that State
Farm’s obligations and rights under state law conflict with HIPAA. The trial courts
found that it would be impossible to comply with both Illinois law and HIPAA
requirements for a QPO. The trial courts specifically found that the Cook County
standard protective order violated 

(e)(1)(v)(A), (B) (2018), to
the extent that it (1) would allow insurance companies to maintain, use, disclose,
and dispose of PHI outside of the litigation and (2) would not require insurers to
return or destroy the PHI at the conclusion of the litigation. The trial courts found
that the Cook County standard protective order “would eliminate the two
requirements set forth by the Department [of Health and Human Services (HHS)]
for a qualified protective order and would not provide the confidentiality and
protection of PHI” envisioned when HHS promulgated the Privacy Rule. The trial
courts found that without these two requirements, “a covered entity no longer has
a valid HIPAA qualified protective order to allow disclosure of PHI.”
¶ 26       The trial courts also acknowledged that “property and casualty liability insurers
are not covered entities under HIPAA.” However, each trial court found that not
being a covered entity “does not exempt State Farm from obeying a protective order
entered by this court with respect to PHI which has been produced by a covered
entity.” (Emphasis in original.) Rather, each trial court ruled that “[a]ll parties
receiving the PHI are bound to follow the qualified protective order of the court
regardless of whether they are a covered entity under HIPAA in the first instance.”
-7-
¶ 27       The trial courts next rejected State Farm’s argument that plaintiffs’ motions for
QPOs should be deemed as proposals for a court order under a different section of
the Privacy Rule. Each trial court reasoned that, “[w]hile the HIPAA regulations do
provide several different ways in which a covered entity is permitted to disclose
PHI, Plaintiff has chosen to secure a qualified protective order.”
¶ 28      Accordingly, the trial courts entered plaintiffs’ proposed QPOs in both lawsuits.
The QPOs included the following relevant provisions:
“8. Within 60 days after the conclusion of the litigation, including appeals,
the parties, their attorneys, insurance companies and any person or entity in
possession of PHI received pursuant to this Order, shall return Plaintiff’s PHI
to the covered entity or destroy any and all copies of PHI pertaining to Plaintiff,
including any electronically stored copy or image, except that counsel are not
required to secure the return or destruction of PHI submitted to the Court.
***
12. All requests by or on behalf of any Defendant for protected health
information, including but not limited to subpoenas, shall be accompanied by a
complete copy of this Order. The parties—including their insurers and
counsel—are prohibited from using or disclosing protected health information
for any purpose other than this litigation. ‘Disclose’ shall have the same ***
scope and definition as set forth in 

: ‘the release, transfer,
provision of access to, or divulging in any manner of information outside the
entity holding the information.’ ” (Emphases added.)
¶ 29                                     F. Appellate Court
¶ 30        In each case, State Farm filed an interlocutory appeal to the appellate court. See
Ill. S. Ct. R. 307(a)(1) (eff. Nov. 1, 2017). The appellate court granted State Farm’s
motion to consolidate the appeals and denied plaintiffs’ motion to dismiss. 

, ¶ 33.
¶ 31       The appellate court acknowledged that State Farm, as a property and casualty
insurer, did not fit within the specific regulatory definition of a “ ‘covered entity,’ ”
as defined by the Privacy Rule, because it was not a “ ‘health plan,’ ” a “ ‘health
-8-
care clearinghouse,’ ” or a “ ‘health care provider who transmits any health
information in electronic form.’ ” Id. ¶¶ 39-40 (quoting 

(2018)). However, the appellate court agreed with the trial courts that “State Farm,
as an entity wishing to receive PHI from a covered entity in response to a HIPAA
qualified protective order, is bound to comply with the use and disclosure
restrictions set forth in the orders.” Id. ¶ 44. Thus, the appellate court concluded
that, “if State Farm wishes to access the PHI at issue, it must abide by the terms of
the HIPAA qualified protective orders entered by the trial courts.” Id. ¶ 49.
¶ 32        State Farm next argued that it must be permitted to use and retain plaintiffs’
PHI to fulfill its obligations under Illinois insurance regulatory law and that the
Cook County standard protective order “ ‘strikes the proper balance between a
litigant’s interest in PHI and the State’s interest in allowing property and casualty
insurers to retain PHI beyond litigation.’ ” Id. ¶ 51. The appellate court concluded
that “State Farm failed to cite any statute, regulation, or case law that affirmatively
requires the retention of PHI or its use for a particular purpose.” Id. ¶ 59. Further,
the appellate court found nothing in the provisions of the Insurance Code and the
Illinois Administrative Code cited by State Farm that requires State Farm to retain
PHI or use it for any particular purpose after the conclusion of the litigation.
Accordingly, the appellate court rejected State Farm’s argument that the terms of
plaintiffs’ QPOs conflict with State Farm’s obligations under state law. Id. ¶ 60.
¶ 33       The appellate court next held that, to the extent that plaintiffs’ QPOs could be
considered to conflict with State Farm’s obligations under state law, HIPAA and
the Privacy Rule preempt state law. Id. ¶¶ 62-64. The appellate court also concluded
that the doctrine of reverse preemption, as provided by the McCarran-Ferguson Act
(

 et seq. (2018)), which is potentially relevant specifically to
insurance regulation, did not apply in this case. 

, ¶¶ 66-
68.
¶ 34       Lastly, State Farm assigned error to the trial courts’ rejection of any alternative
to plaintiffs’ QPOs. The appellate court acknowledged that the Privacy Rule
provides several different methods by which a covered entity may disclose PHI
during litigation. However, the appellate court observed that plaintiffs and State
Farm sought the disclosure of PHI through QPOs. Accordingly, the appellate court
-9-
held that the trial courts did not err in declining to consider an alternative method
of disclosing PHI. Id. ¶ 70.
¶ 35       State Farm appeals to this court. We granted the National Insurance Crime
Bureau leave to submit an amicus curiae brief in support of State Farm’s position.
The Illinois Trial Lawyers Association and the Illinois Public Interest Research
Group were each granted leave to submit an amicus curiae brief in support of
plaintiffs’ position. Ill. S. Ct. R. 345 (eff. Sept. 20, 2010).
¶ 36                                      II. ANALYSIS
¶ 37       Before this court, the parties present several arguments in relation to the
following issues. First, the parties disagree on the applicability of the Privacy Rule
and its preemptive effect on Illinois insurance regulatory law governing the use,
disclosure, and retention of PHI. Second, the parties disagree on whether Illinois
insurance regulatory law mandates that a property and casualty insurer use,
disclose, and retain PHI beyond litigation. Third, the parties disagree on the
preemptive effect of the Privacy Rule on the Cook County standard protective
order.
¶ 38                                  A. Standard of Review
¶ 39        State Farm filed an interlocutory appeal to the appellate court pursuant to
Illinois Supreme Court Rule 307(a)(1) (eff. Nov. 1, 2017), which provides for an
appeal from an interlocutory order “granting, modifying, refusing, dissolving, or
refusing to dissolve or modify an injunction.” This court has held that “an
interlocutory order circumscribing the publication of information is reviewable as
an interlocutory injunctive order, pursuant to Rule 307(a)(1).” Skolnick v. Altheimer
& Gray, 

, 221 (2000); see In re Daveisha C., 

, ¶ 25 (“Supreme Court Rule 307(a)(1) allows review of *** a protective
order entered during the discovery phase of the proceedings.”).
¶ 40       “As this court has explained, ‘in an interlocutory appeal, the scope of review is
normally limited to an examination of whether or not the trial court abused its
discretion in granting or refusing the requested interlocutory relief.’ ” West Bend
- 10 -
Mutual Insurance Co. v. TRRS Corp., 

, ¶ 31 (quoting In re
Lawrence M., 

, 526 (1996)). An abuse of discretion occurs only when
the trial court’s decision is arbitrary, fanciful, or unreasonable or where no
reasonable person would take the view adopted by the trial court. In re Marriage of
Heroy, 

, ¶ 24; Seymour v. Collins, 

, ¶ 41. “When,
however, the interlocutory appeal involves a question of law, the reviewing court
resolves that legal question independently of the trial court’s judgment and, to the
extent necessary, may consider substantive issues to determine whether the trial
court acted within its authority.” West Bend Mutual Insurance Co., 

,
¶ 32; see Loyola Academy v. S&S Roof Maintenance, Inc., 

, 274
(1992).
¶ 41       In this case, State Farm presents issues that require us to construe various
statutory and administrative provisions. Issues of statutory construction present
questions of law that we review de novo. In re Appointment of Special Prosecutor,

, ¶ 22; Cohen v. Chicago Park District, 

, ¶ 17; In re
M.M., 

, ¶ 15. Under the de novo standard, the reviewing court
performs the same analysis that the trial court would perform. People v. McDonald,

, ¶ 32; see Choate v. Indiana Harbor Belt R.R. Co., 

,
¶ 21.
¶ 42                           B. Canons of Statutory Construction
¶ 43       The same familiar principles of statutory construction that apply to state
legislation also apply to federal legislation enacted by Congress. See, e.g., Standard
Mutual Insurance Co. v. Lay, 

, ¶ 26; Italia Foods, Inc. v. Sun Tours,
Inc., 

, ¶ 12. Additionally, because administrative regulations have
the force and effect of law, the familiar rules that govern construction of statutes
also apply to the construction of administrative regulations. Kean v. Wal-Mart
Stores, Inc., 

, 368 (2009); Union Electric Co. v. Department of
Revenue, 

, 391 (1990).
¶ 44       The primary objective in statutory construction is to ascertain and give effect to
the intent of the legislature. The most reliable indicator of legislative intent is the
language of the statute, which must be given its plain and ordinary meaning. In re
Appointment of Special Prosecutor, 

, ¶ 23; In re M.M., 2016 IL
- 11 -
119932, ¶ 16. In construing a federal statute, “ ‘[o]ur task is to give effect to the
will of Congress, and where its will has been expressed in reasonably plain terms,
that language must ordinarily be regarded as conclusive.’ ” Negonsott v. Samuels,

, 104 (1993) (quoting Griffin v. Oceanic Contractors, Inc., 

, 570 (1982)). In construing a statute, a court must view a statute as a whole.
Therefore, words and phrases must be construed in light of other relevant statutory
provisions and not in isolation. United States National Bank of Oregon v.
Independent Insurance Agents of America, Inc., 

, 455 (1993); In re
Appointment of Special Prosecutor, 

, ¶ 23; Chicago Teachers
Union, Local No. 1 v. Board of Education of the City of Chicago, 

,
¶ 15. Each word, clause, and sentence of a statute must be given a reasonable
meaning, if possible, and should not be rendered superfluous. TRW Inc. v. Andrews,

, 31 (2001); Chicago Teachers Union, 

, ¶ 15.
Additionally, the court may consider the reason for the law, the problems sought to
be remedied, the purposes to be achieved (National Bank of Oregon, 

; In re M.M., 

, ¶ 16), and the consequences of construing the
statute one way or another (American Tobacco Co. v. Patterson, 

, 71
(1982); In re Appointment of Special Prosecutor, 

, ¶ 23).
¶ 45                            C. Statutory Overview of HIPAA
¶ 46       “HIPAA is ‘a complex piece of legislation that addresses the exchange of
health-related information.’ ” Cohan v. Ayabe, 

, 954 (Haw. 2014)
(quoting National Abortion Federation v. Ashcroft, No. 03 Civ. 8695(RCC), 

, at *2 (S.D.N.Y. Mar. 19, 2004)). Subtitle F of Title II of HIPAA,
captioned “Administrative Simplification,” consists of sections 261 through 264 of
the statute. As amended in 2010, the purpose of this subtitle is
“to improve *** the efficiency and effectiveness of the health care system, by
encouraging the development of a health information system through the
establishment of uniform standards and requirements for the electronic
transmission of certain health information and to reduce the clerical burden on
patients, health care providers, and health plans.” Pub. L. 104-191 § 261, 

, 2021 (1996).
- 12 -
¶ 47       In furtherance of these statutory purposes, various individual provisions in
section 262 outline whom the regulations were to cover, what information was to
be covered, what types of transactions were to be covered, what time limits and
standards would govern compliance with HIPAA, and what penalties would accrue
for HIPAA violations. 42 U.S.C. §§ 1320d to 1320d-9 (2018).
¶ 48       To effectuate these statutory directives, section 262 instructed the United States
HHS to adopt uniform standards “to enable health information to be exchanged
electronically.” 42 U.S.C. § 1320d-2(a)(1) (2018). In section 264 of HIPAA,
Congress provided a two-step process to address how to afford certain protections
to the privacy of health information maintained under HIPAA. First, within 12
months of HIPAA’s enactment, HHS was directed to submit to Congress “detailed
recommendations on standards with respect to the privacy of individually
identifiable health information.” HIPAA, Pub. L. No. 104-191 § 264(a), 

, 2033. Congress directed HHS to address subjects including as follows: “(1)
The rights that an individual who is a subject of individually identifiable health
information should have. (2) The procedures that should be established for the
exercise of such rights. (3) The uses and disclosures of such information that should
be authorized or required.” 

 § 264(b).
¶ 49       Second, if Congress did not enact further legislation pursuant to the
recommendations from HHS within 36 months of HIPAA’s enactment, HHS was
to promulgate final regulations providing for such standards. Id. § 264(c)(1).
HIPAA further provided that the privacy regulations promulgated by HHS “shall
not supercede a contrary provision of State law, if the provision of State law
imposes requirements, standards, or implementation specifications that are more
stringent than the requirements, standards, or implementation specifications
imposed under the regulation.” Id. § 264(c)(2); see generally South Carolina
Medical Ass’n v. Thompson, 

, 348-49 (4th Cir. 2003) (summarizing
statute); Buckman, supra, at 145-48 (same).
¶ 50                                D. Privacy Rule Overview
¶ 51       In September 1997, HHS did submit recommendations for protecting the
privacy of individually identifiable heath information. However, Congress
ultimately failed to enact any additional legislation. Arons v. Jutkowitz, 880 N.E.2d
- 13 -
831, 840 (N.Y. 2007); South Carolina Medical Ass’n, 

. In
November 1999, HHS issued proposed “Standards for Privacy of Individually
Identifiable Health Information” (

 (Nov. 3, 1999)), and in
December 2000, HHS promulgated its final rule. 

 (Dec. 28,
2000). These standards are known collectively as the “Privacy Rule.” Buckman,
supra, at 148; U.S. Dep’t of Health & Human Servs., Office for Civil Rights,
Summary       of    the    HIPAA        Privacy    Rule    2      (May      2003),
https://www.hhs.gov/sites/default/files/privacysummary.pdf
[https://perma.cc/F66C-T4TR] (hereinafter Summary of the HIPAA Privacy Rule).
In August 2002, HHS amended the Privacy Rule (

 (Aug. 14,
2002)). The Privacy Rule is codified at parts 160 and 164 of Title 45 of the Code
of Federal Regulations (45 C.F.R. pts. 160, 164 (2018)).
¶ 52       According to HHS, the purposes of the Privacy Rule include: “[t]o protect and
enhance the rights of consumers by *** controlling the inappropriate use” of their
health information and “to improve the efficiency and effectiveness of health care
delivery by creating a national framework for health privacy protection that builds
on efforts by states, health systems, and individual organizations and individuals.”
65 Fed. Reg. at 82,463. HHS explained as follows:
“In enacting HIPAA, Congress recognized the fact that administrative
simplification cannot succeed if we do not also protect the privacy and
confidentiality of personal health information. The provision of high-quality
health care requires the exchange of personal, often-sensitive information
between an individual and a skilled practitioner. Vital to that interaction is the
patient’s ability to trust that the information shared will be protected and kept
confidential. Yet many patients are concerned that their information is not
protected. Among the factors adding to this concern are the growth of the
number of organizations involved in the provision of care and the processing of
claims, the growing use of electronic information technology, increased efforts
to market health care and other products to consumers, and the increasing ability
to collect highly sensitive information about a person’s current and future health
status as a result of advances in scientific research.
Rules requiring the protection of health privacy in the United States have
been enacted primarily by the states. While virtually every state has enacted one
- 14 -
or more laws to safeguard privacy, these laws vary significantly from state to
state and typically apply to only part of the health care system. ***
Until now, virtually no federal rules existed to protect the privacy of health
information and guarantee patient access to such information. This final rule
establishes, for the first time, a set of basic national privacy standards and fair
information practices that provides all Americans with a basic level of
protection and peace of mind that is essential to their full participation in their
care. The rule sets a floor of ground rules for health care providers, health plans,
and health care clearinghouses to follow, in order to protect patients and
encourage them to seek needed care. The rule seeks to balance the needs of the
individual with the needs of the society. It creates a framework of protection
that can be strengthened by both the federal government and by states as health
information systems continue to evolve.” Id. at 82,463-64.
¶ 53       HHS explains that many of the provisions of the Privacy Rule, as codified, “are
presented as ‘standards.’ Generally, the standards indicate what must be
accomplished under the regulation and implementation specifications describe how
the standards must be achieved.” Id. at 82,488.
¶ 54       The Privacy Rule prohibits a “covered entity” or “business associate” from
using a person’s “protected health information” except as mandated or permitted
by its provisions. 

(a) (2018). PHI is defined as “individually
identifiable health information” that is kept or transmitted in electronic or any other
form of media. 

 § 160.103. Further, “individually identifiable health
information” means information, including demographic data, that (1) is created or
received by a “covered entity”; (2) relates “to the past, present, or future physical
or mental health or condition of an individual; the provision of health care to an
individual; or the past, present, or future payment for the provision of health care
to an individual”; and (3) identifies, or reasonably can be used to identify, the
individual. Id. “Covered entities” refer to health plans, health care clearinghouses,
and health care providers who transmit any health information in electronic form.
Id. §§ 160.103, 164.104(a). A “business associate” refers to a person, not a member
of a covered entity’s workforce, who uses or discloses PHI in performing certain
activities or functions on behalf of a covered entity. Id. § 160.103.
- 15 -
¶ 55                       E. The Privacy Rule Applies to State Farm
¶ 56       Both plaintiffs and State Farm agree that State Farm is not a “covered entity”
as defined by HIPAA because a property and casualty insurer is not a “health plan,”
“health care clearinghouse,” or a “health care provider who transmits any health
information in electronic form.” See id. § 160.103. The appellate court observed
that State Farm had not cited any specific language in HIPAA, the Privacy Rule, or
any other source of law “indicating that a noncovered entity that receives PHI from
a covered entity in response to a HIPAA qualified protective order is exempt from
complying with the order’s restrictions regarding the use or disclosure of the PHI.”

, ¶ 49.
¶ 57        Before this court, State Farm argues that “because property and casualty
insurers like State Farm are not covered entities, their business operations do not
fall within HIPAA’s privacy and security obligations.” Further, according to State
Farm, “property and casualty insurers like State Farm do not become a ‘covered
entity’ when they receive PHI from a ‘covered entity’ in the ordinary course of
handling claims.”
¶ 58       State Farm maintains that property and casualty insurers logically “fall outside
HIPAA given the role of liability insurance in the administration of justice.” State
Farm argues that “property and casualty insurers do not enter into a physician-
patient relationship with anyone and their role is not to provide *** health care
services.” Rather, according to State Farm, property and casualty insurers “insure
their policyholders against the risk of bodily injury or property damage (including
for liability to others) that results from an accident—not to offer medical or health
care to the injured person.”
¶ 59       We cannot accept State Farm’s reasoning. Generally, a personal injury action
requires proof of an injury (Golla v. General Motors Corp., 

, 360
(1995)), which necessarily requires disclosure of relevant PHI. State Farm’s logic
leads to the denial of any request for a QPO in a judicial proceeding where a
defendant is insured by a casualty insurer. This court has noted “the dominant role
played by the insurance industry in the field of personal injury litigation.” Sullivan
v. Midlothian Park District, 

, 280 (1972). Scholars have similarly
recognized:
- 16 -
“The key stakeholders in litigation—at least on the defense side—are seldom
the individual litigants who have been sued. Rather, insurers are the entities
who regularly pay not only the cost of defending claims but also any settlement
or judgment. Insured parties retain some authority to make substantive litigation
decisions, but the practical reality is that insurers drive litigation outcomes.”
Chris Guthrie & Jeffrey J. Rachlinski, Insurers, Illusions of Judgment and
Litigation, 

, 2019 (2006).
See William P. Lynch, Why Settle for Less? Improving Settlement Conferences in
Federal Court, 

, 1251 (2019) (“Insurers play a key role in
the civil justice system. In most personal injury litigation, the individual defendant
is insured, and the insurer provides a defense and exercises complete control over
whether to settle the case.”).
¶ 60       Thus, if we were to accept State Farm’s argument, there would be few instances
in which a QPO could be requested. It was clearly not the intent of Congress that a
QPO would be unavailable whenever an alleged tortfeasor was insured by a liability
insurer. HIPAA contains no such limitation, and this court must not add such a
limitation under the guise of statutory construction. See People ex rel. Birkett v.
Dockery, 

, 81 (2009) (“we cannot rewrite a statute, and depart from
its plain language, by reading into it exceptions, limitations or conditions not
expressed by the legislature”); Hines v. Department of Public Aid, 

,
230 (2006) (same).
¶ 61       There are two exceptions to the prohibition against the use or disclosure of an
individual’s PHI. First, a covered entity may use or disclose PHI pursuant to a valid
authorization. 

(a)(1)(iv), 164.508 (2018).
¶ 62        Second, and relevant to this appeal, a covered entity may use or disclose PHI in
the course of litigation. 

 §§ 164.502(a)(1)(vi), 164.512(e). Use or disclosure of
PHI is permissible to comply with an order of a court or administrative tribunal, so
long as only the PHI expressly authorized by the order is disclosed. Id.
§ 164.512(e)(1)(i). Absent a judicial or administrative order, a covered entity may
disclose PHI in response to a subpoena, discovery request, or other lawful process
if (1) the covered entity has received satisfactory assurances that the party seeking
the disclosure has made reasonable efforts to ensure that the individual has been
given notice of the request or (2) the covered entity has made reasonable efforts to
- 17 -
secure a “qualified protective order.” Id. § 164.512(e)(1)(ii), (iv). A QPO is a
judicial or administrative order, or a stipulation by the parties, that (1) “[p]rohibits
the parties from using or disclosing the [PHI] for any purpose other than the
litigation or proceeding for which such information was requested” and
(2) “[r]equires the return to the covered entity or destruction of the [PHI] (including
all copies made) at the end of the litigation or proceeding.” Id. § 164.512(e)(1)(v).
¶ 63       Importantly, State Farm is not the disclosing party but rather is the party wishing
to obtain plaintiffs’ PHI. Therefore, in the absence of a court order pursuant to
section 164.512(e)(1)(i), the Privacy Rule authorizes a covered entity to disclose
PHI to State Farm in this litigation only pursuant to (1) a subpoena, discovery
request, or other lawful process, provided that adequate notice was given to
plaintiffs, or (2) a QPO containing the required “use and disclosure” prohibition
and the “return or destroy” requirement. Id. § 164.512(e)(1)(ii), (iv). Here, State
Farm is not appealing from any independent disclosure orders or any issues
pertaining to discovery, service of process, and notice. Accordingly, State Farm can
receive plaintiffs’ PHI only in response to a valid QPO.
¶ 64       State Farm argues that we should view its tendered protective orders as a request
for an independent disclosure order pursuant to section 164.512(e)(1)(i). We reject
this argument. Section 164.512(e)(1)(i) specifically mandates that “the covered
entity disclose[ ] only the [PHI] expressly authorized by such order.” (Emphases
added.) Id. § 164.512(e)(1)(i). Thus, pursuant to this section, a covered entity is
prohibited from disclosing PHI that is not “expressly authorized” by the order.
However, State Farm’s tendered protective orders do not address what PHI the
covered entity is expressly authorized to disclose. State Farm’s tendered protective
orders have no language that limits or restricts the PHI permitted to be disclosed.
Such an order would be impermissible for several reasons.
¶ 65       State Farm’s tendered protective orders violate Rule 201 to the extent that they
permit the disclosure of any and all PHI. Rule 201(b)(1) provides in relevant part:
“Except as provided in these rules, a party may obtain by discovery full disclosure
regarding any matter relevant to the subject matter involved in the pending action,
whether it relates to the claim or defense of the party seeking disclosure or of any
other party ***.” Ill. S. Ct. R. 201(b)(1) (eff. July 1, 2014). “[T]he relevance
requirement safeguards against ‘improper and abusive’ discovery and acts as an
- 18 -
‘independent constraint on discovery.’ ” People ex rel. Madigan v. Stateline
Recycling, LLC, 

, ¶ 32 (quoting Kunkel v. Walton, 

,
533 (1997)). Therefore, even if State Farm’s tendered protective orders could be
viewed to require covered entities to disclose plaintiffs’ PHI, they would still be
improper because they do not satisfy the relevancy requirement of Rule 201(b).
¶ 66       Even if we were to consider State Farm’s tendered protective orders as
compliant with section 164.512(e)(1)(i), they would still violate the state
constitutional right to privacy. The Illinois Constitution guarantees, in pertinent
part, that “[t]he people shall have the right to be secure in their persons, houses,
papers and other possessions against unreasonable *** invasions of privacy.” Ill.
Const. 1970, art. I, § 6. In Kunkel, this court stated as follows:
“This court has observed that the Illinois Constitution goes beyond federal
constitutional guarantees by expressly recognizing a zone of personal privacy,
and that the protection of that privacy is stated broadly and without restrictions.
[Citation.] The confidentiality of personal medical information is, without
question, at the core of what society regards as a fundamental component of
individual privacy. Physicians are privy to the most intimate details of their
patients’ lives, touching on diverse subjects like mental health, sexual health
and reproductive choice. Moreover, some medical conditions are poorly
understood by the public, and their disclosure may cause those afflicted to be
unfairly stigmatized. Respect for the privacy of medical information is a central
feature of the physician-patient relationship. Under the Hippocratic Oath, and
modern principles of medical ethics derived from it, physicians are ethically
bound to maintain patient confidences. See Petrillo v. Syntex Laboratories, Inc.,

, 589 (1986).
In addition, this court has recognized that ‘[a] person has a reasonable
expectation that he will not be forced to submit to a close scrutiny of his
personal characteristics, unless for a valid reason. *** [T]he individual’s
privacy interest in his physical person *** must be protected.’ [Citation.] We
believe that this privacy interest pertaining to individual physical characteristics
necessarily encompasses personal medical information.” Kunkel, 

.
- 19 -
In Kunkel, this court cautioned: “The text of our constitution does not accord
absolute protection against invasions of privacy. Rather, it is unreasonable
invasions of privacy that are forbidden. In the context of civil discovery,
reasonableness is a function of relevance.” (Emphasis in original.) 

.
¶ 67       Where the privacy interest in medical information is involved, it “is reasonable
to require full disclosure of medical information that is relevant to the issues in the
lawsuit.” 

 However, State Farm’s tendered protective orders are unlimited in the
PHI to be disclosed without regard to the issues being litigated. The scope of the
PHI required by State Farm’s protective orders would be unreasonable and,
therefore, unconstitutional.
¶ 68       In sum, the Privacy Rule applies to State Farm. Therefore, State Farm can
receive plaintiffs’ PHI only in response to a valid QPO.
¶ 69                     F. Illinois Insurance Regulatory Law Does Not
Mandate Use, Disclosure, or Retention of PHI
¶ 70       State Farm contends that the trial courts should have entered State Farm’s
tendered Cook County standard protective order or a similar protective order
“expressly allowing for the retention, use, and disclosure of information by property
and casualty insurers in conformity to federal and state law and regulations.” State
Farm complains that the trial courts’ QPOs prevent State Farm from fulfilling its
obligations under the Illinois Insurance Code and supporting administrative
regulations. State Farm’s argument requires analysis of the preemptive effect of the
Privacy Rule on Illinois insurance regulatory law.
¶ 71                                 1. Preemption Principles
¶ 72       The supremacy clause of the United States Constitution provides that federal
law “shall be the supreme Law of the Land ***, any Thing in the Constitution or
Laws of any State to the Contrary notwithstanding.” U.S. Const., art. VI, cl. 2. The
determination of whether state law is preempted turns on the intent of Congress.
When interpreting a federal statute pertaining to a subject traditionally governed by
state law, courts are reluctant to find preemption unless Congress’s preemptive
- 20 -
intent is clear and manifest. CSX Transportation, Inc. v. Easterwood, 

,
664 (1993); Village of Mundelein v. Wisconsin Central R.R., 

, 288
(2008). One of the circumstances in which state law is preempted under the
supremacy clause is where the express language of a federal statute indicates an
intent to preempt state law. Wisconsin Public Intervenor v. Mortier, 

,
604-05 (1991); Village of Mundelein, 

. If the federal statute
contains an express exemption provision, “the task of statutory construction must
in the first instance focus on the plain wording of the clause, which necessarily
contains the best evidence of Congress’ pre-emptive intent.” CSX Transportation,
507 U.S. at 664; Village of Mundelein, 

.
¶ 73       HIPAA and the Privacy Rule establish a uniform federal floor or baseline of
privacy protection for PHI, which states are free to exceed. See Giangiulio v.
Ingalls Memorial Hospital, 

, 839 (2006); Cohan, 322 P.3d at
955. When HHS promulgated the Privacy Rule, the agency stressed: “It is important
to understand this regulation as a new federal floor of privacy protections that does
not disturb more protective rules or practices. *** The protections are a mandatory
floor, which other governments and any covered entity may exceed.” 65 Fed. Reg.
at 82,471.
¶ 74       Consequently, “State laws that are contrary to the Privacy Rule are preempted
by the federal requirements, which means that the federal requirements will apply.”
Summary of the HIPAA Privacy Rule, supra, at 17; 

 (2018). A
state law is “contrary” to HIPAA if a “covered entity or business associate would
find it impossible to comply with both the State and Federal requirements” or if the
“provision of State law stands as an obstacle to the accomplishment and execution
of the full purposes and objectives of [HIPAA].” 

 (2018).
¶ 75       However, section 264 of HIPAA provides that the Privacy Rule “shall not
supersede a contrary provision of State law, if the provision of State law imposes
requirements, standards, or implementation specifications that are more stringent
than [those] imposed under the regulation.” Pub. L. No. 104-191 § 264(c)(2), 

, 2033-34. Implementing this statutory mandate, the Privacy Rule
provides that the general rule of federal preemption of contrary state law will not
occur if the state law is “more stringent” than the applicable standard promulgated
in the Privacy Rule. 

(b) (2018). The state law is “more
- 21 -
stringent” where it meets one or more of several criteria including where state law
prohibits or restricts a use or disclosure of PHI where the Privacy Rule would allow
it (id. § 160.202(1) (defining “more stringent”)) or, generally, where the state law
provides greater privacy protection (id. § 160.202(6) (same)). See South Carolina
Medical Ass’n, 

 (listing criteria).
¶ 76       Importantly, we add that these preemption provisions of HIPAA and the
Privacy Rule speak in terms of a specific provision of HIPAA or the Privacy Rule
and a specific provision of state law. In proposing the Privacy Rule, HHS explained
what HIPAA requires as follows:
“The initial question that arises in the preemption analysis is, what does one
compare? The statute directs this analysis by requiring the comparison of a
‘provision of State law [that] imposes requirements, standards, or
implementation specifications’ with ‘the requirements, standards, or
implementation specifications imposed under’ the federal regulation. The
statute thus appears to contemplate that what will be compared are the State and
federal requirements that are analogous, i.e., that address the same subject
matter.” 

, 59,995 (proposed Nov. 3, 1999) (to be codified
at 45 C.F.R. pts. 160 to 164) (quoting Pub. L. No. 104-191 § 264 (c)(2), 110
Stat.1936, 2033-34).
Therefore, when a court engages in a HIPAA preemption analysis, the issue is not
whether HIPAA generally “is contrary to and more stringent than the entirety of a
state’s laws on the privacy of a patient’s medical information. Rather, the issue is
whether or not a specific provision of HIPAA is contrary to and more stringent than
a specific provision of state law.” State ex rel. Proctor v. Messina, 

,
149 (Mo. 2010) (en banc).
¶ 77                  2. Contested Provisions of Illinois Insurance Regulatory Law
¶ 78      Before this court, State Farm maintains its position that Illinois insurance
regulatory law requires State Farm to use, disclose, and retain PHI for various
regulatory purposes. We discuss each in turn.
- 22 -
¶ 79        State Farm contends that “property and casualty insurers are legally required to
retain documentation in their claim files for examination by regulators.” The
Insurance Code prohibits insurers from engaging in improper claims practices. See
215 ILCS 5/154, 154.6 (West 2018). To this end, section 919.30 of Title 50 of the
Illinois Administrative Code requires insurers to make their claim files available to
the Director of the Illinois Department of Insurance (Director) for examination
upon request. 50 Ill. Adm. Code 919.30 (1989). Regarding examinations by the
Director, section 919.30 provides in relevant part:
“b) Each company shall maintain claim data that should be accessible and
retrievable for examination by the Director. A company shall be able to provide
the claim number, line of coverage, date of loss and date of payment of the
claim, date of denial, or date claim closed without payment. This data must be
available for all open and/or closed files for the current year and the two
preceding years. The examiners’ review may include but need not be limited to
an examination of the following claims:
1) Claims Closed With Payment;
2) Claims Denied;
3) Claims Closed Without Payment;
4) First Party Automobile Total Losses; and/or Subrogation Claims.
c) Detailed documentation shall be contained in each claim file in order to
permit reconstruction of the company’s activities relative to each claim file.”

Further, “documentation” includes “all pertinent communications, transactions,
notes and work papers” “properly dated and compiled in sufficient detail in order
to allow for the reconstruction of all pertinent events relative to each claim file.
Documentation shall include but not be limited to bills, explanations of benefits and
worksheets.” 50 Ill. Adm. Code 919.40 (1989).
¶ 80       State Farm argues that this regulation requires it to maintain, in each claim file,
detailed documentation that includes medical bills, which necessarily contain PHI.
- 23 -
According to State Farm, this insurance examination process conflicts with the
“return or destroy” requirement of the trial court’s QPOs.
¶ 81        We reject this argument. State Farm could establish its “activities relative to
each file” by simply including in the file a copy of the QPO, specifying that the
insurer was prohibited from using or disclosing PHI for any purpose other than the
litigation and was required to return or destroy the PHI at the end of the litigation.
The appellate court correctly reached a similar conclusion. See 

, ¶ 54.
¶ 82       State Farm next contends that property and casualty insurers are prohibited from
destroying company records except in conformity with the requirements of the
Insurance Code and its administrative regulations. State Farm relies on part 901 of
Title 50 of the Illinois Administrative Code (50 Ill. Adm. Code 901 (2016)). Section
901.5 provides that “[n]o domestic company shall destroy any books, records,
documents, accounts or vouchers, hereafter referred to as ‘records’, except in
conformity with the requirements of this Part.” 50 Ill. Adm. Code 901.5 (2016).
Section 901.20 of Title 50 sets out a time period for the disposal and destruction of
records:
“The company is authorized to dispose of or destroy records in its custody
that do not have sufficient administrative, legal or fiscal value to warrant their
further preservation and are not needed:
a) in the transaction of current business;
b) for the final settlement or disposition of any claim arising out of a
policy of insurance issued by the company, except that these records must
be maintained for the current year plus 5 years; or
c) to determine the financial condition of the company for the period
since the date of the last examination report of the company officially filed
with the Department of Insurance, except that these records must be
maintained for at least the current year plus 5 years.” 50 Ill. Adm. Code
901.20 (2016).
Further, the term “records” is defined in section 901.10 of Title 50 as follows:
- 24 -
“ ‘Records’ material means all books, papers and documentary materials
regardless of physical form or characteristics, made, produced, executed or
received by any domestic insurance company pursuant to law or in connection
with the transaction of its business and preserved or appropriate for preservation
by such company or its successors as evidence of the organization, function,
policies, decisions, procedures, obligations and business activities of the
company or because of the informational data contained therein. If doubt arises
as to whether certain papers are ‘non-record’ materials, it should be assumed
that the documents are ‘records’.” 50 Ill. Adm. Code 901.10 (2016).
Before this court, State Farm argues that this definition of “records” is broad
enough to include medical bills and records. State Farm maintains its position that
part 901 sets out a detailed process for the destruction of an insurer’s records, which
conflicts with the trial courts’ QPOs.
¶ 83       We reject this argument. In this case, State Farm does not explain how
plaintiffs’ PHI is “appropriate for preservation,” especially given that (1) the trial
courts entered HIPAA QPOs expressly requiring the destruction of PHI within 60
days after the conclusion of the litigation and (2) State Farm failed to cite any
statute, regulation, or case law that affirmatively requires the retention of PHI or its
use for a particular purpose. State Farm has made this argument in other courts,
including the appellate court here, and those courts have correctly rejected it. See

, ¶ 59; State ex rel. State Farm Mutual Automobile
Insurance Co. v. Marks, 

, 83-84 (W. Va. 2012); Small v. Ramsey, 

, 279-80 (N.D. W. Va. 2012). Further, as earlier noted, retention of a
copy of the QPO in the file would explain why the PHI was not present. Thus, part
901 of Title 50 of the Illinois Administrative Code does not support State Farm’s
position.
¶ 84       State Farm next contends that the trial courts’ QPOs prevent insurers from
performing functions related to fraud detection and deterrence. State Farm
maintains its position that, because the Illinois Department of Insurance relies on
property and casualty insurers to detect and combat insurance fraud, Illinois law
authorizes them to report information, including PHI, to the Illinois Department of
Insurance and insurance support organizations, such as the National Insurance
Crime Bureau and the Insurance Services Organization. See 215 ILCS 5/155.23
- 25 -
(West 2018). State Farm argues that, if insurers must return to covered entities or
destroy all PHI within 60 days of the end of litigation, they cannot later provide
necessary information to help the state with fraud detection and prevention.
¶ 85      The statute State Farm cites authorizes the Director
“to promulgate reasonable rules requiring insurers *** doing business in the
State of Illinois to report factual information in their possession that is pertinent
to suspected fraudulent insurance claims, fraudulent insurance applications, or
premium fraud after [the Director] has made a determination that the
information is necessary to detect fraud or arson. Claim information may
include:
(a) Dates and description of accident or loss.
(b) Any insurance policy relevant to the accident or loss.
(c) Name of the insurance company claims adjustor and claims adjustor
supervisor processing or reviewing any claim or claims made under any
insurance policy relevant to the accident or loss.
(d) Name of claimant’s or insured’s attorney.
(e) Name of claimant’s or insured’s physician, or any person rendering
or purporting to render medical treatment.
(f) Description of alleged injuries, damage or loss.
(g) History of previous claims made by the claimant or insured.
(h) Places of medical treatment.
(i) Policy premium payment record.
(j) Material relating to the investigation of the accident or loss, including
statements of any person, proof of loss, and any other relevant evidence.
(k) any facts evidencing fraud or arson.” 

 § 155.23(1).
- 26 -
State Farm’s reliance on section 155.23 is unpersuasive for two reasons. First, the
statute applies only to suspected fraudulent insurance claims or applications, or
premium fraud, and only after the Director has determined that the information is
necessary to detect fraud or arson. In this case, there is no indication of fraud and
no evidence that the Director has determined that any PHI is necessary to detect
fraud or arson. Therefore, there can be no factual information pertinent to any
suspected fraud. Second, the statute requires an insurer to report only factual
information in its possession. An insurer that has returned or destroyed PHI in
accordance with a HIPAA QPO cannot violate the statute, because it does not
possess any such information.
¶ 86       State Farm next asserts that the trial courts’ QPOs “impede compliance with
federal reporting requirements.” State Farm argues that, under the Medicare
secondary payor statute (42 U.S.C. § 1395y(b)(2) (2018)), “automobile or liability
insurers must report payments made to Medicare beneficiaries, along with
information about the alleged cause of injury, incident, or illness.” According to
State Farm: “Retention of medical records is crucial to this process. Additionally,
insurers need medical records if Medicare seeks recovery of a ‘conditional
payment.’ ”
¶ 87       We also reject this argument. This statute does not require a liability insurer to
retain PHI after litigation even for Medicare beneficiaries. If State Farm is to pay a
settlement or judgment, all it need do is to report the payment and the alleged cause
of injury. Id. § 1395y(b)(8)(B)(i), (ii). This does not require State Farm to retain or
disclose PHI after the conclusion of litigation.
¶ 88       Lastly, State Farm maintains its position that Illinois law protects personal or
privileged information received in handling claims while still allowing property and
casualty insurers to make disclosures necessary for rate-making, anti-fraud
programs, and consumer-protection research. Article XL of the Insurance Code
provides as follows:
“The purpose of this Article is to establish standards for the collection, use and
disclosure of information gathered in connection with insurance transactions by
insurance institutions, agents or insurance-support organizations; to maintain a
balance between the need for information by those conducting the business of
insurance and the public’s need for fairness in insurance information practices,
- 27 -
including the need to minimize intrusiveness; to establish a regulatory
mechanism to enable natural persons to ascertain what information is being or
has been collected about them in connection with insurance transactions and to
have access to such information for the purpose of verifying or disputing its
accuracy; to limit the disclosure of information collected in connection with
insurance transactions; and to enable insurance applicants and policyholders to
obtain the reasons for any adverse underwriting decision.” 215 ILCS 5/1001
(West 2018).
This provision does not contain any affirmative language that mandates the use,
disclosure, or retention of PHI for any purpose.
¶ 89       State Farm has failed to direct us to, nor have we found, any provision of the
Insurance Code or the Illinois Administrative Code that requires it to use or disclose
plaintiffs’ PHI after the conclusion of the litigation. As such, we reject State Farm’s
argument that the trial courts’ QPOs conflict with its obligations under state law.
Since there is no conflict, the Privacy Rule does not preempt or otherwise nullify
these specific provisions in the Insurance Code and its administrative regulations.
¶ 90                         G. Privacy Rule Preempts Cook County
Standard Protective Order
¶ 91        State Farm assigns error to the conclusion of the trial and appellate courts that
its alternative tendered protective orders are preempted by the Privacy Rule. State
Farm argues that the absence of the “use or disclose” prohibition and the “return or
destroy” requirement “cannot be an obstacle to accomplishing HIPAA’s full
purposes and objectives” because those restrictions are not required for a court
order pursuant to section 164.512(e)(1)(i). Rather, those restrictions apply only to
discovery processes that are not accompanied by a court order. 

(e)(1)(ii) (2018).
¶ 92       We recognize that the Privacy Rule does not require a court order entered
pursuant to section 164.512(e)(1)(i) to include the “use or disclose” prohibition and
the “return or destroy” requirement of section 164.512(e)(1)(ii). This provision
does not expressly dictate any criteria for judges to exercise their discretion.
However, in response to a court order pursuant to section 164.512(e)(1)(i), a
- 28 -
covered entity may disclose “only the [PHI] expressly authorized by such order.”

 § 164.512(e)(1)(i).
¶ 93       We must construe the language of section 164.512(e)(1) as a whole, in light of
HIPAA and the entire Privacy Rule. See National Bank of Oregon, 

.
Accordingly, we consider plaintiffs and State Farm to have followed the better
approach in this litigation. Parties should first seek a protective order that meets the
definition of a QPO under section 164.512(e)(1)(v) to pursue discovery under the
provisions of section 164.512(e)(1)(ii). Should the parties then encounter any
difficulty with the acquisition of necessary discovery, they may seek a court order
as contemplated under section 164.512(e)(1)(i) for that specific, targeted
information. See, e.g., Lohr v. UnitedHealth Group Inc., No. 1:12CV718, 

, at *5 (M.D.N.C. Aug. 21, 2013).
¶ 94       As earlier discussed, the Cook County standard protective order does not
address what PHI the covered entity is expressly authorized to disclose. Therefore,
we conclude that, in this case, a covered entity cannot comply with both the Privacy
Rule and State Farm’s tendered protective orders. The Cook County standard
protective order does not prohibit the insurer from using and disclosing PHI outside
of litigation and does not require an insurer to return or destroy PHI at the
conclusion of litigation. These concessions directly conflict with the requirements
for a HIPAA QPO under section 164.512(e)(1)(v) of the Privacy Rule. Likewise,
by eliminating the “use or disclose” prohibition and the “return or destroy”
requirement, the Cook County standard protective order would not provide the
confidentiality and protection of PHI envisioned when the Privacy Rule was
promulgated. To accept State Farm’s argument would render superfluous and
nugatory section 164.512(e)(1)(ii), which we cannot do. TRW Inc., 

.
In other words, any requirement that an insurer be allowed to use and retain PHI
beyond the conclusion of litigation would lower the floor of privacy protection that
HIPAA and the Privacy Rule mandate. As such, the Cook County standard
protective order acts as an obstacle to accomplishing and executing HIPAA’s full
purposes and objectives. 

 (2018).
¶ 95      Therefore, we hold that the Cook County standard protective order is preempted
by the Privacy Rule. We next determine whether the McCarran-Ferguson Act
- 29 -
shields the Cook County standard protective order from traditional preemption.
¶ 96                                 H. Reverse Preemption
¶ 97       The trial courts asked the parties to address the implications of the McCarran-
Ferguson Act (

 et seq. (2018)), which gives rise to the doctrine of
“reverse preemption.” If applicable, the reverse preemption doctrine allows state
laws that regulate insurance to prevail over general federal rules. Lovilia Coal Co.
v. Williams, 

, 324 (7th Cir. 1998); United States v. Rhode Island
Insurers’ Insolvency Fund, 

, 620 (1st Cir. 1996) (collecting cases). The
parties did not argue that the McCarran-Ferguson Act applied in these cases, and
the trial courts did not address the issue. The appellate court observed: “State Farm
briefly mentions the McCarran-Ferguson Act in its brief but does not fully develop
the issue. Nevertheless, we find it appropriate to briefly address this matter.” 

, ¶ 66. The appellate court held that the doctrine of reverse
preemption did not apply to shield Illinois insurance law from Privacy Rule
preemption. Id. ¶ 68.
¶ 98       Before this court, State Farm contends that the appellate court’s holding that the
Privacy Rule preempts any conflicting state law is inconsistent with its holding that
there is no conflict between the Privacy Rule and state law for reverse preemption
purposes. State Farm misapprehends the McCarran-Ferguson Act and the reverse
preemption doctrine.
¶ 99       As earlier mentioned, the general rule is that, “[w]here a state statute conflicts
with, or frustrates, federal law, the former must give way.” CSX Transportation,
507 U.S. at 663. However, the McCarran-Ferguson Act carved out an exception to
this general rule where state laws regulate the “business of insurance.” 

 (2018). Section 2(b) of the McCarran-Ferguson Act provides: “No Act of
Congress shall be construed to invalidate, impair, or supersede any law enacted by
any State for the purpose of regulating the business of insurance *** unless such
Act specifically relates to the business of insurance.” 

 § 1012(b). The United
States Supreme Court has explained:
“[T]he Act does not seek to insulate state insurance regulation from the reach
of all federal law. Rather, it seeks to protect state regulation primarily against
- 30 -
inadvertent federal intrusion—say, through enactment of a federal statute that
describes an affected activity in broad, general terms, of which the insurance
business happens to constitute one part.” (Emphasis omitted.) Barnett Bank of
Marion County v. Nelson, 

, 39 (1996).
¶ 100       The McCarran-Ferguson Act “transformed the legal landscape by overturning
the normal rules of preemption.” United States Department of Treasury v. Fabe,

, 507 (1993). Section 2(b) imposes “a rule that state laws enacted ‘for
the purpose of regulating the business of insurance’ do not yield to conflicting
federal statutes unless a federal statute specifically requires otherwise.” 

 Under
the McCarran-Ferguson Act, a state law will reverse preempt a federal law if (1) the
state law was enacted for the purpose of regulating the business of insurance; (2) the
federal law does not specifically relate to the business of insurance; and (3) the
federal law would invalidate, impair, or supersede the state law. Humana Inc. v.
Forsyth, 

, 307 (1999). All three criteria must be satisfied for the
doctrine of reverse preemption to preclude application of a federal law. See Lovilia
Coal, 

; Rhode Island Insurers’ Insolvency Fund, 

.
¶ 101       The appellate court concluded that “nothing in any Illinois statute or regulation
State Farm cites requires the retention of PHI or its use for any particular purpose.
Thus, the HIPAA qualified protective orders entered in this case do not ‘invalidate,
impair, or supersede’ the Illinois statutes and regulations State Farm cites.” 

, ¶ 68. Therefore, the appellate court correctly held that the
doctrine of reverse preemption does not apply in this case. 

¶ 102       There is no inconsistency between this holding and our prior conclusion, with
which the appellate court agreed, that the Privacy Rule preempts any conflicting
state law. State Farm and plaintiffs agree with the appellate court’s holding that the
McCarran-Ferguson Act does not apply here. Therefore, the doctrine of reverse
preemption cannot shield the pertinent Illinois Insurance Code sections and
regulations from federal preemption.
¶ 103                                   III. CONCLUSION
¶ 104       As a matter of law, we conclude as follows. The Privacy Rule applies in these
cases to potentially preempt Illinois insurance regulatory law governing the use,
- 31 -
disclosure, and retention of PHI. The trial courts’ QPOs do not conflict with Illinois
insurance regulatory law because nothing in the Insurance Code or administrative
regulations mandates that a property and casualty insurer use, disclose, and retain
PHI beyond litigation. However, the Cook County standard protective order is
contrary to the Privacy Rule because it falls below the floor of privacy that the
Privacy Rule mandates. Therefore, it is preempted by the Privacy Rule. Further, the
reverse preemption doctrine provided by the McCarran-Ferguson Act does not
shield the disputed provisions of Illinois insurance regulatory law from preemption.
Therefore, we hold that the trial courts did not abuse their discretion in entering the
QPOs pursuant to HIPAA and the Privacy Rule.
¶ 105       For the foregoing reasons, the judgment of the appellate court is affirmed, and
the cases are remanded to the circuit court of Lake County for further proceedings.
¶ 106      Affirmed and remanded.
- 32 -