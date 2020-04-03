Eager to keep and permanently use all of the “protected health information,” or PHI, it was able to hoover-up about plaintiffs during personal injury litigation — despite a federal regulation called the “privacy rule” (issued under the Health Insurance Portability and Accountability Act, or HIPAA) that (1) prohibits parties from using protected health information “for any purpose other than the litigation or proceeding for which such information was requested” and (2) requires the return or destruction of the information “at the end of the litigation” — State Farm Mutual Automobile Insurance Co. intervened in two Lake County cases and requested the standard HIPAA “qualified protective order” used in Cook County. But both judges rejected the Cook County approach and refused to exempt State Farm from the “return or destroy” requirement and the prohibition on using the information when the cases are over.

Affirming, the 2nd District concluded that (a) State Farm was bound by the privacy rule’s requirements for a qualified protective order, even though it wasn’t a “covered entity” under HIPAA; and (b) State Farm could comply with the federal privacy rule without violating state laws, so this wasn’t a case where Illinois insurance laws trumped the federal regulation through “reverse preemption” under the McCarran-Ferguson Act. Haage v. Zavala, 2020 IL App (2d) 190499 (March 13, 2020).

Here are brief highlights of Justice Donald C. Hudson’s extensive analysis (with light editing and omissions not noted):

Introduction

This consolidated appeal concerns the scope of protective orders involving the disclosure of protected health information to a property and casualty insurer. In each of the two underlying cases, plaintiffs sued to recover damages occasioned by the alleged negligence of defendants in driving their automobiles.

Plaintiffs subsequently moved for the entry of qualified protective orders pursuant to the Health Insurance Portability and Accountability Act of 1996.

Among other things, the protective orders proposed by plaintiffs would have (1) prohibited the parties and any other persons or entities from using or disclosing protected health information for any purpose other than the litigation for which it was requested and (2) required the return or destruction of the information within 60 days after the conclusion of the litigation. See 45 C.F.R. Sec. 164.512(e)(1)(v)(A), (B) (setting forth requirements for a qualified protective order under HIPAA).

State Farm argued that the HIPAA qualified protective orders (1) sought to bind State Farm to the requirements of HIPAA, although State Farm is expressly exempt from the statute’s application and (2) directly conflicted with State Farm’s obligations and rights under the Illinois Insurance Code and the administrative regulations governing its business operations.

Following a combined hearing and additional briefing, the trial court in each case granted plaintiffs’ motions for the HIPAA qualified protective orders and denied State Farm’s request for the Cook County protective orders.

Analysis

The trial courts agreed that State Farm, as a property and casualty insurer, is not a covered entity under HIPAA. They then determined that State Farm’s status as a “non-covered entity” did not exempt it from obeying a protective order entered with respect to protected health information produced by a covered entity.

The trial courts held that all parties receiving the information are bound to follow a HIPAA qualified protective order regardless of whether the party is a covered entity under HIPAA in the first instance, reasoning that a qualified protective order would “lose its effectiveness in protecting a patient’s PHI if a non-covered entity may ignore the restrictions required by HIPAA.”

The question thus becomes whether a “non-covered entity” that receives protected health information from a covered entity in response to a HIPAA qualified protective order is bound to comply with any of the order’s restrictions regarding the use and disclosure of the information.

State Farm insists that, because it is not a covered entity, it is not subject to any use or disclosure restrictions. Plaintiffs counter that, although State Farm is not a covered entity for purposes of HIPAA, this fact does not discharge it from obeying a HIPAA qualified protective order entered with respect to protected health information that has been produced by a covered entity.

Whether State Farm’s status as a “non-covered entity” exempts it from obeying the terms of a HIPAA qualified protective order requires us to construe the privacy rule.

Section 164.512(e) of the privacy rule (45 C.F.R. Sec. 164.512(e)) governs the circumstances under which a covered entity may disclose protected health information to another party, in the course of a judicial proceeding.

Section 164.512(e)(1)(i) permits a covered entity to disclose specified protected health information in the course of a judicial proceeding, “in response to an order of a court.”

Section 164.512(e)(1)(ii) permits a covered entity to disclose information in the course of a judicial proceeding, “in response to a subpoena, discovery request, or other lawful process” that is not accompanied by an order of a court, if:

“(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

“(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.”

For the purposes of paragraph (e)(1)(ii)(B), a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that “the parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court... With jurisdiction over the dispute” or “the party seeking the [PHI] has requested a qualified protective order from such court.” 45 C.F.R. Sec. 164.512(e)(1)(iv). Further, paragraph (e)(1)(v) states:

“For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to [PHI] requested under paragraph (e)(1)(ii) of this section, an order of a court . . . that:

“(A) Prohibits the parties from using or disclosing the [PHI] for any purpose other than the litigation or proceeding for which such information was requested; and

“(B) Requires the return to the covered entity or destruction of the [PHI] (including all copies made) at the end of the litigation or proceeding.” 45 C.F.R. Sec. 164.512(e)(1)(v).

Thus, in the absence of an order of the court, HIPAA authorizes a covered entity to disclose protected health information in a judicial proceeding, pursuant to a subpoena, discovery request, or other lawful process, provided that adequate notice was given to the individual whose information is to be produced or a qualified protective order containing the specified restrictions has been entered in the litigation.

It is important to note that State Farm is not the disclosing party in this case. Rather, it is the party wishing to obtain protected health information. In this regard, after plaintiffs moved for the HIPAA qualified protective orders with respect to the disclosure of their protected health information, State Farm intervened and filed objections, requesting entry of an alternative HIPAA protective order, the Cook County protective order.

As the plain language of the privacy rule indicates, a covered entity may disclose protected health information to State Farm only if the protective order meets the requirements of Section 164.512(e)(1)(v) of the privacy rule. Yet, the Cook County protective order would exempt State Farm from any obligation to limit the use or disclosure of PHI to the litigation or to return or destroy the protected health information at the end of the litigation.

State Farm cites no provision in HIPAA, the privacy rule, any other regulations, or case law that would allow such exemptions. Again, State Farm obtains the ability to review plaintiffs’ protected health information only in response to a protective order issued in accordance with the requirements of Section 164.512(e)(1)(v). Hence, if State Farm wishes to access the information at issue, it must abide by the terms of the HIPAA qualified protective orders entered by the court.

Accordingly, we agree with the trial courts and conclude that State Farm, as an entity wishing to receive protected health information from a covered entity in response to a HIPAA qualified protective order, is bound to comply with the use and disclosure restrictions set forth in the orders.

Citing various extrinsic sources, State Farm contends that the trial courts’ reasoning “ignores that possession of PHI does not convert a non-covered entity into a covered entity under HIPAA and its regulations.”

To be sure, the passages State Farm cites support the notion that Congress did not intend property and casualty insurers to constitute “covered entities” for purposes of HIPAA. Indeed, we have no quarrel with State Farm’s proposition. The passages it cites, however, say nothing about whether a non-covered entity is exempt from obeying a HIPAA qualified protective order entered with respect to protected health information that has been produced by a covered entity.

In short, while State Farm is not a “covered entity” under HIPAA, it has not directed us to any specific language in HIPAA, the privacy rule, or any other regulation, authority, or case law indicating that a noncovered entity that receives protected health information from a covered entity in response to a HIPAA qualified protective order is exempt from complying with the order’s restrictions regarding the use or disclosure of the information.

Thus, if State Farm wishes to access the protected health information at issue, it must abide by the terms of the HIPAA qualified protective orders entered by the trial courts.