Opinion
127519
11-30-2022
CHICAGO SUN-TIMES, Appellee v. COOK COUNTY HEALTH AND HOSPITALS SYSTEM, Appellant.
JUSTICE MICHAEL J. BURKE delivered the judgment of the court, with opinion.
Justices Anne M. Burke, Neville, Overstreet, Carter, and Holder White concurred in the judgment and opinion.
Chief Justice Theis dissented, with opinion.
OPINION
MICHAEL J. BURKE JUSTICE
¶ 1 Plaintiff, the Chicago Sun-Times, sent defendant, Cook County Health and Hospitals System, a request under the Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)) for information about gunshot wound patients who arrive at defendant's emergency rooms unaccompanied by law enforcement. Plaintiff was investigating whether defendant was meeting a requirement to notify local law enforcement when so-called "walk-in" gunshot wound patients are treated. 20 ILCS 2630/3.2 (West 2018). Plaintiff asked for the "time/date" of each relevant hospital admission and the corresponding "time/date" of law enforcement notification.
¶ 2 Defendant asserted two FOIA exemptions and withheld the records, claiming they contained (1) personal health information prohibited from disclosure by the Health Insurance Portability and Accountability Act (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code); 5 ILCS 140/7(1)(a) (West 2018)) and (2) private information barred from disclosure under FOIA (5 ILCS 140/7(1)(b) (West 2018)).
¶ 3 Plaintiff initiated a FOIA enforcement action, arguing that the year listed on each record was discoverable, even if the time of day, day of month, and month were not. Id. § 11(a). The Cook County circuit court ruled for defendant on the parties' cross-motions for summary judgment. The appellate court reversed, holding that HIPAA and FOIA permitted the release of the year elements of the records as long as the individual identifying information was redacted, or "de-identified" to maintain patient confidentiality. 2021 IL App (1st) 192551.
¶ 4 The issue presented is whether the year of each walk-in gunshot wound patient admission and the year of the corresponding law enforcement notification of each admission are exempt from disclosure under section 7(1)(a), which incorporates privacy laws such as HIPAA, or section 7(1)(b), which prohibits the disclosure of private information, including medical records. In light of the narrow scope of plaintiff's request, we hold that the responsive information is not exempt from disclosure under the two exemptions addressed in the parties' cross-motions for summary judgment. We affirm the appellate court's judgment, reverse the circuit court's judgment, and remand the cause for further proceedings.
¶ 5 I. BACKGROUND
¶ 6 On September 10, 2018, plaintiff requested the following information at issue:
"Without providing identifying patient information, we seek the time/date of admission of patients seeking treatment for gunshot wounds through [defendant] between Jan. 1, 2015 through the present day who were not been [sic] accompanied by a law enforcement officer at the time of their admission as well as the corresponding time/date that law enforcement officials were notified of the patients' admission as required by state statue [sic] (20 ILCS 2630/3.2)."
¶ 7 On October 26, 2018, Deborah Fortier, defendant's FOIA officer, answered the request in relevant part as follows:
"According to Trauma administration, there is a trauma registry that logs arrival information of all trauma patients not just walk in gunshot patients, however that log is identifiable private patient health/medical information that is protected from release by medical privacy laws and regulations, including but not limited to HIPAA. Further, there is no independent written record of patient information that simply tracks times/dates of walk in gunshot patients and reporting; so, there is no existing document that is responsive to your request. Respectfully, [defendant] is not required under the FOIA to create a document that is not kept in the regular course of business in order to respond to your request. Further, it would be improper and a violation of state and federal medical privacy laws, including but not limited to HIPAA, for [defendant] to release the specific arrival times and dates and reporting dates of individual walk in gunshot patients, as this could allow for patient identification. This patient information, which is individual protected patient health/medical information, is therefore exempt from public release under Sections 2(c-5) and 7(1)(a) of the FOIA. This would also include where arrival times and dates and date of any reporting would be entered into individual patient medical records; medical records are not public records and are private records per se under Section 2(c-5) of the FOIA. In fact, it would be a violation of medical privacy laws, for [defendant's] staff to review or even access patient medical information to respond to a FOIA request, as responding to a public records request is not a lawful purpose to access patient medical information."
¶ 8 On November 21, 2018, plaintiff filed a complaint alleging defendant improperly withheld the information. Plaintiff sought, inter alia, an order requiring defendant to produce the requested records and enjoining defendant from withholding public records that are not exempt under FOIA.
¶ 9 The parties filed cross-motions for summary judgment on the issue of whether the information concerning the timing of walk-in patient admission and police notification was exempt from disclosure under section 7 of FOIA. Defendant attached to its motion the affidavit of Fortier, who averred that John H. Stroger Jr. Hospital of Cook County (Stroger Hospital) was the only entity that possessed records that were potentially responsive to plaintiff's request.
¶ 10 Defendant also attached the affidavit of Justin Mis, Stroger Hospital's trauma coordinator. Mis averred that the electronic trauma registry at Stroger Hospital contains entries for each patient arriving at the hospital. Each entry includes the patient's name, date and time of arrival, medical record number, and the patient's chief complaint. Mis conceded that he could generate a report listing only the mechanism of injury, such as gunshot wound, and the patient's time of arrival in the emergency department. However, the report would not state whether the patient was accompanied by a law enforcement officer or when law enforcement was notified, if at all. To determine which patients were unaccompanied, Mis would need to cross-reference the report with the "patient access log." The log shows the time and date a law enforcement officer requested access to a patient, but it would not indicate whether the request was prompted by hospital notification. Ultimately, Mis would need to access the medical record of each gunshot wound patient to determine whether he or she arrived at Stroger Hospital with law enforcement or if law enforcement was notified of the admission.
¶ 11 Fortier averred that the trauma registry and the patient access log contained protected health information as defined by HIPAA. Fortier claimed defendant could not remove enough identifying information from the trauma registry and the patient access log to fulfill the FOIA request and still comply with HIPAA. Further, Fortier averred that the responsive records constituted medical records that are protected from disclosure under Illinois law.
¶ 12 Plaintiff argued in its summary judgment motion that FOIA permitted disclosure of the requested information in a de-identified report. Specifically, plaintiff argued HIPAA permits the disclosure of the year of treatment and year of law enforcement notification. Plaintiff conceded that HIPAA bars disclosure of other elements of a date field, such as time of day, day of month, or month.
¶ 13 On November 15, 2019, the circuit court entered summary judgment for defendant. The court stated that, because the year identifier was part of a medical record, it was exempt from disclosure under section 7(1)(b) of FOIA. The court explained that, without case law expressly permitting the redaction of medical records for FOIA purposes, the responsive information was not improperly withheld.
¶ 14 The appellate court reversed the summary judgment and remanded for further proceedings. 2021 IL App (1st) 192551, ¶ 29. The court determined that plaintiff had not forfeited review by revising its request at the summary judgment stage. Id. ¶ 15. Plaintiff initially requested "time/date" information, but plaintiff's summary judgment motion conceded that just the year element was releasable. The court observed that "narrowing of the request reflects an implicit concession by [plaintiff] that it was not entitled to the more specific date and time information." Id.
¶ 15 The appellate court held section 7(1)(a) of FOIA did not exempt the year of patient admission and police notification in gunshot-wound cases because the year element, alone, does not convey identifying information. Id. ¶ 19 (citing 45 C.F.R. § 164.514(b)(2)(i)(A)-(C), (G), (H) (2018)). The court held that removing individual identifiers would de-identify the information in compliance with HIPAA. Id.
¶ 16 Considering the sheer number of gunshot-wound patients treated at Stroger Hospital during the relevant time period, the court also rejected defendant's claim that it had" 'actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.'" Id. ¶ 20 (quoting 45 C.F.R. § 164.514(b)(2)(ii) (2018)).
¶ 17 The appellate court separately held that the year information was not exempt under section 7(1)(b) of FOIA, which prohibits the disclosure of "private information," including "medical records." Id. ¶ 25 (citing 5 ILCS 140/2(c-5) (West 2018)). Noting that FOIA does not define "medical records," the court declined to adopt the definition set forth in the Illinois Administrative Code, instead relying on the plain and ordinary meaning of the words. Id. (citing 77 Ill. Adm. Code 250.1510(b)(2)(A) (2019)). The dictionary definition of "medical record" is" 'documents that compose a medical patient's healthcare history.'" Id. (quoting Black's Law Dictionary (11th ed. 2019)). The court concluded that, "[w]hile the year of a patient's hospital admission may be found in a patient's medical record, it, standing alone, is not a medical record under this definition." (Emphasis in original.) Id.
¶ 18 Defendant filed a petition for leave to appeal, which we allowed pursuant to Illinois Supreme Court Rule 315 (eff. Oct. 1, 2020).
¶ 19 II. ANALYSIS
¶ 20 On appeal, defendant renews its arguments that (1) HIPAA prohibits covered entities from using and disclosing their patients' private health information to comply with a FOIA request and (2) the responsive records, even with the unique identifiers redacted, constitute "medical records" that FOIA categorically exempts from disclosure.
¶ 21 Defendant alternatively argues that complying with the FOIA request would be unduly burdensome. Fortier's response alluded to the impracticality of processing the records, but the parties did not raise the issue in their cross-motions for summary judgment, and the issue was not addressed by the lower courts.
¶ 22 Plaintiff contends that the appellate court's judgment should be affirmed because plaintiff seeks only the year element of the date field from the records.For the following reasons, we agree with plaintiff that defendant can de-identify the records and comply with the request without violating HIPAA's privacy rule or FOIA's prohibition against disclosing medical records. We do not reach the question of whether the request was unduly burdensome.
Although defendant criticizes plaintiff's FOIA request as "reformulated after the fact and during the pendency of litigation," the parties have adopted plaintiff's interpretation of "time/date" to mean "year." We consider the issues, as presented by the parties, in terms of whether the year element is releasable.
¶ 23 A. Summary Judgment
¶ 24 This appeal arises from the parties' cross-motions for summary judgment.
"[S]ummary judgment should be granted only where the pleadings, depositions, admissions and affidavits on file, when viewed in the light most favorable to the nonmoving party, show that there is no genuine issue as to any material fact and that the moving party is clearly entitled to judgment as a matter of law." Pielet v. Pielet, 2012 IL 112064, ¶ 29.See 735 ILCS 5/2-1005 (West 2018). "When parties file cross-motions for summary judgment, they mutually agree that there are no genuine issues of material fact and that only a question of law is involved." Jones v. Municipal Employees' Annuity & Benefit Fund, 2016 IL 119618, ¶ 26. We review summary judgment de novo. Pielet, 2012 IL 112064, ¶ 30. De novo review also applies to our interpretation of FOIA and HIPAA. In re Appointment of Special Prosecutor, 2019 IL 122949, ¶ 22 (issues of statutory construction present questions of law that we review de novo).
¶ 25 B. Statutory Interpretation
¶ 26 The objective of statutory interpretation is to ascertain and give effect to the legislature's intent, and the most reliable indicator of that intent is the language of the statute, given its plain and ordinary meaning. Id. ¶ 23. The General Assembly has declared FOIA's underlying public policy to be that "all persons are entitled to full and complete information regarding the affairs of government and the official acts and policies of those who represent them as public officials and public employees consistent with the terms of this Act." 5 ILCS 140/1 (West 2018). "It is a fundamental obligation of government to operate openly and provide public records as expediently and efficiently as possible in compliance with this Act." Id.
¶ 27 This clear expression of legislative intent means that public records are presumed to be open and accessible. Special Prosecutor, 2019 IL 122949, ¶ 25. FOIA should be construed liberally to achieve the goal of providing the public with easy access to government information. Id.
¶ 28 FOIA prescribes rules to ensure governmental compliance, including requiring a prompt response to a request for inspection or a copy of documents: "[e]ach public body shall, promptly, either comply with or deny a request for public records within 5 business days after its receipt of the request, unless the time for response is properly extended." 5 ILCS 140/3(d) (West 2018). When a person has been denied access to a public record, he "may file suit for injunctive or declaratory relief" and may seek attorney fees and civil penalties from the public body. Id. § 11(a), (i), (j). The circuit court is vested with "jurisdiction to enjoin the public body from withholding public records and to order the production of any public records improperly withheld from the person seeking access." Id. § 11(d); Special Prosecutor, 2019 IL 122949, ¶ 57.
¶ 29 However, a public body may withhold information that is exempt from disclosure. 5 ILCS 140/7 (West 2018). A public body claiming an exemption bears the burden of proving by clear and convincing evidence that the requested information is exempt. Id. § 1.2. When a request is made to inspect or copy a public record that contains information that is exempt from disclosure under section 7 but also contains information that is not exempt, the public body may elect to redact the information that is exempt. Id. § 7(1). In that case, the public body shall make the remaining information available for inspection and copying. Id.
¶ 30 Defendant asserted two exemptions, claiming (1) HIPAA prohibits the use and disclosure of the information and (2) the information is "private information" under FOIA. Id. § 7(1)(a), (b). Plaintiff responds that defendant can comply with HIPAA and FOIA by redacting the exempt information from the medical records while making the requested information available.
¶ 31. Section 7(1)(a)
¶ 32 The first exemption cited by defendant exposes tension between two strong public policies: FOIA's promotion of the open disclosure of government records and HIPAA's protection of private health information. Defendant claims that "answering a public records request *** is not a permitted use under HIPAA." But when statutes potentially conflict, they must be construed in harmony with one another if reasonably possible. Knolls Condominium Ass'n v. Harms, 202 Ill.2d 450, 458-59 (2002). The two statutory schemes can be reconciled in this case to facilitate the disclosure of government records while protecting patient privacy.
¶ 33 FOIA exempts "[i]nformation specifically prohibited from disclosure by federal or State law or rules and regulations implementing federal or State law." 5 ILCS 140/7(1)(a) (West 2018). Defendant asserts that HIPAA, a federal law, specifically prohibits the disclosure of the year of admission of each walk-in gunshot wound patient and the year of each corresponding law enforcement notification.
¶ 34 HIPAA's privacy rule prohibits the "use or disclosure" of an individual's personal health information by a covered entity, like defendant, unless the individual has consented in writing or unless the use or disclosure is otherwise specifically permitted or required by the privacy rule. 45 C.F.R. §§ 164.502, 164.506, 164.508, 164.510, 164.512 (2018). HIPAA defines "protected health information," as all "individually identifiable health information" kept by a covered entity that is transmitted or maintained in any form or medium, including electronic media. Id. § 160.103. "Individually identifiable health information" includes demographic information collected from an individual that
"(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual." Id.
¶ 35 The parties correctly agree the responsive records contain protected health information, but defendant argues, "[r]eviewing medical records in response to a FOIA request is not a permitted use of protected health information." To determine whether a public body can comply with the FOIA request without violating HIPAA, we must consider how the public body would use the protected health information to process the request. Here, Fortier, defendant's FOIA officer, and Mis, Stroger Hospital's trauma administrator, described defendant's record keeping. The records containing the requested information could be sorted in two databases: the trauma registry, which records each patient's arrival at Stroger Hospital, and the patient access log, which shows the time and date a law enforcement officer requested access to a patient. From these databases, defendant could generate a report showing the arrival times of gunshot wound patients and the corresponding times that law enforcement asked to see the patient. But defendant would need to examine the medical record of each patient on the list to ascertain whether law enforcement's request for access to a patient was prompted by the hospital's notification.
¶ 36 The data processing described by Fortier and Mis qualifies as "use" of individually identifiable health information under HIPAA. Id. ("Use means, with respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information."). However, HIPAA expressly states that a covered entity may use protected health information to create de-identified information for use by a person other than the covered entity: "[a] covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity." Id. § 164.502(d)(1).
¶ 37 Health information, once de-identified, no longer meets the standard of individually identifiable health information subject to HIPAA's protection. Id. § 164.514(a) ("Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information."). And HIPAA contains an implementation specification to facilitate de-identification. A covered entity may determine that health information is not individually identifiable health information if (1) the covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information (id. § 164.514(b)(2)(ii)) and (2) the following identifiers are removed:
"(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers; (H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section[.]" (Emphasis added.) Id. § 164.514(b)(2)(i).
¶ 38 Section 164.514(b)(2)(i) specifically excludes the year element from the date identifiers that must be removed for de-identification. Accordingly, plaintiff confined its request to the year elements directly related to the walk-in gunshot wound patients involved. Plaintiff specifically asked defendant to withhold "identifying patient information" and did not seek any other identifiers that could be used to identify an individual.
¶ 39 Moreover, there was no evidence that defendant has "actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information." Id. § 164.514(b)(2)(ii). Defendant estimated that Stroger Hospital treated as many as 2000 gunshot wound victims during the relevant time period, which diminishes the risk of identifying any one individual. The appellate court astutely observed, "[i]t strains credulity to imagine that any specific patient could be identified merely by the year they were admitted and the year law enforcement was notified of their admission." 2021 IL App (1st) 192551, ¶ 20.
¶ 40 The de-identification process is a permitted use of protected health information under HIPAA (45 C.F.R. § 164.502(d)(1)) (2018)), and the removal of all the enumerated individual identifiers except the year element would meet HIPAA's de-identification requirements for disclosure (id. § 164.514(b)(2)(i)). Under the circumstances, we hold that defendant's use of the patients' protected health information to process plaintiff's FOIA request would not run afoul of HIPAA's privacy rule because the year element related to each patient admission and police notification is not individually identifiable health information. That said, we expressly limit our holding to the facts presented, as the exemption could apply to a future request involving fewer patients where the year element of a record could be used for identification. See id. § 164.514(b)(2)(ii).
¶ 41 Defendant contends King v. Cook County Health & Hospital System, 2020 IL App (1st) 190925, compels a different result. In King, the FOIA requester asked for the zip codes used to create a map of the locations of individuals who had previously received mental health services while detained in the Cook County jail. Id. ¶ 1. The public body, which coincidentally happens to be defendant in this case, asserted section 7(1)(a) as an exemption on the ground that disclosure would violate the Mental Health and Developmental Disabilities Confidentiality Act (Confidentiality Act) (740 ILCS 110/1 et seq. (West 2016)), which incorporates HIPAA regulations by reference. King, 2020 IL App (1st) 190925, ¶ 28 (citing 45 C.F.R. § 164.514 (2016) and 740 ILCS 110/2 (West 2016)).
¶ 42 To determine whether the zip codes were confidential information under the Confidentiality Act, the Appellate Court, First District, examined HIPAA and its pertinent regulations. Id. ¶ 27. The court held that the individuals' zip code information was protected health information but could be released after de-identification. Id. ¶ 28.
¶ 43 Defendant contends that HIPAA permitted the release of the redacted zip codes in King "[b]ecause the information had been collected for an authorized use, and the use was for a legitimate transaction of public business." Defendant contrasts King with this case, where defendant claims the necessary redactions would be a misuse of protected health information under HIPAA. Defendant is mistaken.
¶ 44 In King, the redacted zip codes were releasable because they had been deidentified according to the implementation specifications set forth in section 164.514(b)(2)(i)(B) of HIPAA (45 C.F.R. § 164.514(b)(2)(i)(B) (2018)). King, 2020 IL App (1st) 190925, ¶ 31 ("HIPAA regulations provide that a covered entity may determine that private health information is not individually identifiable only if the last three digits of a zip code are removed, where the geographic unit formed by combining all the zip codes with the same three initial digits contains more than 20,000 people"). Like the redacted zip codes in King, the year elements in this case are not individually identifiable health information if properly de-identified, regardless of how the public body previously used the information. 45 C.F.R. § 164.502(d)(1) (2018) ("A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.").
¶ 45 2. Section 7(1)(b)
¶ 46 Defendant also asserts the responsive records are exempt because they contain "[p]rivate information," where disclosure is not required by another provision of FOIA, a state or federal law, or a court order. 5 ILCS 140/7(1)(b) (West 2018).
" 'Private information' means unique identifiers, including a person's social security number, driver's license number, employee identification number, biometric identifiers, personal financial information, passwords or other access codes, medical records, home or personal telephone numbers, and personal email addresses. Private information also includes home address and personal license plates, except as otherwise provided by law or when compiled without possibility of attribution to any person." (Emphasis added.) Id. § 2(c-5).
¶ 47 Defendant argues, without citation of authority, "the entirety of a 'medical record'-not merely certain discrete information found in such a record-is exempt from disclosure." We disagree. The year element is not "private information" under FOIA and so is not exempt under section 7(1)(b).
¶ 48 Defendant cites provisions in the Medical Rights Act (410 ILCS 50/3(d) (West 2018)), the Managed Care Reform and Patient Rights Act (215 ILCS 134/5(a)(4) (West 2018)), and the Hospital Licensing Act (210 ILCS 85/6.17(d) (West 2018)) for the proposition that "individuals have a right to an expectation of privacy related to their medical information." These statutory schemes define "medical records," but FOIA, which is the operative statute in this case, does not. So, we adopt the approach taken by the appellate court, which is to resort to the plain and ordinary meaning of the term. Special Prosecutor, 2019 IL 122949, ¶ 23.
¶ 49 Defendant concedes that the plain and ordinary meaning of "medical records" is "[t]he documents that compose a medical patient's healthcare history." Black's Law Dictionary 1177 (11th ed. 2019). Although the year element requested by plaintiff is found in medical records, the year element by itself, stripped of context, is not a document of a patient's healthcare history.
¶ 50 Defendant argues that, even if maintaining patient anonymity permits disclosure of the year element, the process of matching the year of patient admission to the year of police notification would require "some form of personally identifiable information such as the medical record number." Processing the FOIA request might involve accessing medical records, including their reference numbers, to match the year of patient admission to the year of law enforcement notification. But section 7(1)(b) of FOIA prohibits the disclosure, not the use, of medical records. Theoretically, defendant can use the medical record numbers to match the year elements of patient admission and law enforcement notification and then renumber the matched records before turning them over to plaintiff.
¶ 51 Defendant concludes that the exemption for medical records would be rendered superfluous if a public body could simply redact personally identifying information and release the rest of the record. However, the exemption for private information under section 7(1)(b) plainly covers "unique identifiers," which confirms that the removal of uniquely identifying information from a patient's healthcare history renders the remainder of the document releasable. Adopting defendant's broad interpretation that "medical records" are exempt in their entirety would potentially shield from disclosure all information concerning patient care undertaken by a public body.
¶ 52 3. Unduly Burdensome
¶ 53 Defendant alternatively argues that, even if the year element of the responsive records is not exempt from disclosure, the information was not withheld improperly. Defendant asserts the steps for processing the request, including the de-identification of the records, would be unduly burdensome under section 3(g) of FOIA. 5 ILCS 140/3(g) (West 2018). Defendant adds that plaintiff's "reformulation" of the request at the summary judgment stage would make compliance even more burdensome.
¶ 54 Section 3(g) provides,
"[r]equests calling for all records falling within a category shall be complied with unless compliance with the request would be unduly burdensome for the
complying public body and there is no way to narrow the request and the burden on the public body outweighs the public interest in the information." Id.
Plaintiff's request for information about walk-in gunshot wound patients concerns a distinct category of records, so section 3(g) potentially applies.
¶ 55 Plaintiff responds that defendant has failed to preserve the issue for review. See, e.g., Lazenby v. Mark's Construction, Inc., 236 Ill.2d 83, 92 (2010) (the failure to raise an issue in the circuit court or appellate court results in forfeiture). Plaintiff claims defendant was required to invoke section 3(g) as an affirmative defense and in its motion for summary judgment, or risk forfeiture. Plaintiff does not develop its forfeiture argument besides asserting "this court need not address the merits of [defendant's] burden claim because it failed to properly raise the issue below." We decline to advocate for plaintiff on the potentially complex issue of what measures a public body must take to preserve the unduly burdensome defense under FOIA. People ex rel. Illinois Department of Labor v. E.R.H. Enterprises, Inc., 2013 IL 115106, ¶ 56 ("a reviewing court is not simply a depository into which a party may dump the burden of argument and research").
¶ 56 Setting forfeiture aside, this action's procedural posture illustrates why weighing the evidence on the burdens associated with processing the request would be premature at this point. Cross-motions for summary judgment, like those filed in this case, ordinarily signify the parties' mutual agreement that there are no genuine issues of material fact and that only a question of law remains. Jones, 2016 IL 119618, ¶ 26. However, defendant did not invoke section 3(g) in its motion for summary judgment, which was perhaps a tacit acknowledgment that a question of fact exists about whether processing the request would be unduly burdensome. The record contains some evidence, but the lower courts did not reach the issue because the parties have focused on the two exemptions concerning HIPAA and medical records.
¶ 57 Because the litigation did not progress beyond the summary judgment stage, we confine our review to the summary judgment entered for defendant and decline to delve into the factual question of the burdens associated with processing the request. That said, the circuit court is free to address the procedural and substantive issues surrounding the unduly burdensome nature of the request if defendant asserts section 3(g) on remand. We emphasize that we express no opinion on the matter.
¶ 58 III. CONCLUSION
¶ 59 The parties disputed in their cross-motions for summary judgment whether two exemptions authorized defendant to withhold the year of admission for walk-in gunshot wound patients and the corresponding year of police notification from January 1, 2015, through September 10, 2018. Defendant claims (1) the information is prohibited from disclosure under HIPAA and (2) the information is "private information" under FOIA. 5 ILCS 140/7(1)(a), (b) (West 2018). We hold that the HIPAA regulations and FOIA exemptions cited by defendant do not bar the release of the year elements of the responsive records as long as the remaining individual identifying information is removed to maintain patient confidentiality. We affirm the appellate court judgment, reverse the circuit court judgment, and remand the cause to the circuit court for further proceedings consistent with this opinion.
¶ 60 Appellate court judgment affirmed.
¶ 61 Circuit court judgment reversed.
¶ 62 Cause remanded.
¶ 63 CHIEF JUSTICE THEIS, dissenting:
¶ 64 Contrary to how the majority frames it, the issue in this case is not whether the year that each walk-in gunshot wound patient was admitted to the hospital and the year that law enforcement was notified of the admission are exempt from disclosure under the Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2018)). Rather, the issue is whether FOIA requires a public body to review its records to piece together information to create a new document in response to a FOIA request. FOIA imposes no such requirements on the public body. Therefore, I respectfully dissent.
¶ 65 The majority correctly observes that FOIA's underlying public policy is that "all persons are entitled to full and complete information regarding the affairs of government and the official acts and policies of those who represent them as public officials and public employees consistent with the terms of this Act." 5 ILCS 140/1 (West 2018). At the same time, FOIA is not intended to "disrupt the duly-undertaken work of any public body independent of the fulfillment of any of the fore-mentioned rights of the people to access to information." Id. Further, FOIA
"is not intended to create an obligation on the part of any public body to maintain or prepare any public record which was not maintained or prepared by such public body at the time when this Act becomes effective, except as otherwise required by applicable local, State or federal law." Id.
¶ 66 As an initial matter, I question whether the request at issue sought public records that were subject to production under FOIA. As courts have ruled, a "request to inspect or copy must reasonably identify a public record and not general data, information, or statistics." Chicago Tribune Co. v. Department of Financial & Professional Regulation, 2014 IL App (4th) 130427, ¶ 33; see also Kenyon v. Garrels, 184 Ill.App.3d 28, 32 (1989) (observing that FOIA "does not compel the agency to provide answers to questions posed by the inquirer"). Here, as modified on appeal, plaintiff's FOIA request sought the year of
"admission of patients seeking treatment for gunshot wounds through [defendant] between Jan. 1, 2015, through the present day who were not *** accompanied by a law enforcement officer at the time of their admission as well as the corresponding [year] that law enforcement officials were notified of the patients' admission as required by state statue [sic]."
This appears to be a request for general information, rather than a request for public records under FOIA.
By contrast, plaintiff's other request (which is not at issue in this appeal) asked the hospital for "[w]ritten policy and/or related policy documents, and/or internal memos or communications setting policy or providing guidelines, instructions and/or directives to staff in the reporting of patients who have suffered gunshot wounds to law enforcement agencies as required by state statute." The hospital provided plaintiff with those policies.
¶ 67 Setting that question aside, the majority notes that the Cook County Health and Hospitals System is required to notify local law enforcement when a person who is not accompanied by a law enforcement officer arrives for treatment for a gunshot wound. 20 ILCS 2630/3.2 (West 2018). The hospital is not, however, required to keep a written log of when it notifies law enforcement. See id. In response to plaintiff's FOIA request and again in its summary judgment filings, the hospital explained that there is no written record that tracks the year a gunshot wound patient arrived at the hospital unaccompanied by law enforcement and the year that law enforcement was notified. In other words, there is no public record that contains the information that plaintiff seeks.
¶ 68 Neither plaintiff nor the majority appear to dispute that the hospital does not possess the information that plaintiff has requested. See In re Wade, 969 F.2d 241, 246 (7th Cir. 1992) ("Without evidence of bad faith, the veracity of the government's submissions regarding reasons for withholding the documents should not be questioned."). Nonetheless, the majority would require the hospital to comb through the medical records of each gunshot wound patient to see whether the hospital's staff included a notation about whether the patient arrived with law enforcement or if law enforcement was notified of the admission. According to the majority, the hospital can then "use the medical record numbers to match the year elements of patient admission and law enforcement notification and then renumber the matched records before turning them over to plaintiff." Supra ¶ 50. This presumably would require the hospital to create a chart that includes a reference number for the patient and the years of patient admission and law enforcement notification.
¶ 69 The majority would impose these requirements even though FOIA "is not designed to compel the compilation of data the governmental body does not ordinarily keep." Kenyon, 184 Ill.App.3d at 32. FOIA also does not require a public body to generate new records in response to FOIA requests. Martinez v. Cook County State's Attorney's Office, 2018 IL App (1st) 163153, ¶ 30; see also Hites v. Waubonsee Community College, 2016 IL App (2d) 150836, ¶ 74 (distinguishing between performing a search for data on a database that contains public records, which is permissible under FOIA, and creating a new record or performing research, which is not). And to the extent that the majority would require the hospital to produce redacted medical records (see supra ¶ 51), it is not clear to me that a gunshot wound patient's medical records pertain to the transaction of public business. See 5 ILCS 140/2(c) (West 2018) (defining "public records," in part, as all "documentary materials pertaining to the transaction of public business, *** having been prepared by or for, or having been or being used by, received by, in the possession of, or under the control of any public body").
¶ 70 FOIA does not require a public body to compile information that it does not otherwise keep, nor does it require a public body to create a new record in response to a FOIA request. Accordingly, I would affirm the trial court's grant of summary judgment in the hospital's favor. For these reasons, I respectfully dissent. 20