King v. Cook County Health & Hospitals System

2020 IL App (1st) 190925 FIRST DISTRICT FOURTH DIVISION June 18, 2020 No. 1-19-0925 ) Appeal from the DR. JUDY KING, ) Circuit Court of ) Cook County Plaintiff-Appellee, ) ) v. ) ) No. 17 CH 10748 THE COOK COUNTY HEALTH AND HOSPITALS ) SYSTEM, ) ) ) Honorable Defendant-Appellant. ) Celia G. Gamrath, ) Judge Presiding. ) JUSTICE REYES delivered the judgment of the court, with opinion. Presiding Justice Gordon and Justice Lampkin concurred in the judgment and opinion. OPINION ¶1 This appeal involves the circuit court of Cook County’s order granting a Freedom of Information Act (FOIA) (5 ILCS 140/1 et seq. (West 2016)) request by plaintiff Dr. Judy King to the defendant Cook County Health and Hospitals System (CCHHS). Dr. King’s FOIA request provided, in pertinent part, that CCHHS disclose the zip codes used to create a map of the locations of individuals who had previously received mental health services while detained in the Cook County Jail. On appeal, CCHHS maintains that the zip code information of mental health 1-19-0925 recipients is exempt from disclosure pursuant to sections 7(1)(a) and 7(1)(b) of FOIA (7(1)(a), (b)) because the information is specifically prohibited from disclosure by federal and state law or, in the alternative, constitutes private information. Because we conclude that the unredacted zip code information for these individuals is protected information under the Mental Health and Developmental Disabilities Confidentiality Act (Confidentiality Act) (740 ILCS 110/1 et seq. (West 2016)), we reverse the judgment of the circuit court and remand the matter to the circuit court for proceedings consistent with this opinion. ¶2 I. BACKGROUND ¶3 On January 26, 2017, Dr. King submitted a FOIA request to CCHHS for “the data (including records that show the data source) CCHHS used to determine that the Roseland area had the highest concentration ‘of people that leave the detainee situation and go to live in the community’ when compared to other community areas and records that identify the other five (5) community or geographic areas under consideration for future [community triage centers].” Dr. King’s FOIA request stemmed from information presented at a CCHHS finance committee meeting that was used to support the argument that Chicago’s Roseland community would be an appropriate site for a new community triage center. The information presented to the finance committee consisted of various internally generated maps demonstrating that the Roseland area contained the greatest concentration of patients who had previously received mental health services at CCHHS facilities while they were detainees at the Cook County Jail. ¶4 CCHHS responded to Dr. King’s FOIA request by producing the maps upon which the committee based its decision. The maps were color-coded and indicated ranges of individuals residing in certain demarcated areas. The demarcated areas, while representative of zip codes, did not have the zip code identified on the maps. -2- 1-19-0925 ¶5 Dr. King subsequently sought review of CCHHS’s decision from the Illinois Attorney General’s Public Access Counselor, arguing that CCHHS did not properly respond to her FOIA request where it had not provided her with the data used to create the maps—namely, the zip code information of the former patients. The Public Access Counselor issued a nonbinding letter recommending that CCHHS disclose the responsive data to Dr. King. However, the Public Access Counselor acknowledged that if the records contained any information identifying the individuals, “that information may be properly redacted as non-responsive because Dr. King has clarified that she is not seeking such information.” ¶6 CCHHS did not provide any zip code information to Dr. King (redacted or otherwise), and, consequently, Dr. King filed suit in the circuit court of Cook County seeking this information in response to her FOIA request. The parties filed cross-motions for summary judgment. CCHHS maintained (1) that it had already adequately responded to Dr. King’s FOIA request by supplying her with the maps upon which the finance committee had based its decision and (2) that, in any event, the zip code information was exempt under section 7(1)(a) of FOIA pursuant to federal regulations implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of Titles 18, 26, 29, and 42 of the United States Code)) and the Confidentiality Act. CCHHS further argued that the zip codes represented private information under section 7(1)(b) of FOIA and were thus exempt from disclosure. Dr. King asserted that the zip code information was not exempt from disclosure under FOIA, since it could not be used to identify the individuals who received mental health treatment. ¶7 After a hearing on the cross-motions for summary judgment, the circuit court entered and continued the matter for CCHHS to confirm that the residential zip codes were the only data used -3- 1-19-0925 to create the maps. Thereafter, CCHHS was granted leave to file additional authority in support of its summary judgment motion. In this motion, CCHHS confirmed that the data used to create the maps were the residential zip codes of the former patients and maintained that, nonetheless, this zip code information was protected under HIPAA regulations and the Confidentiality Act. ¶8 Upon consideration of CCHHS’s additional argument, the circuit court denied CCHHS’s motion for summary judgment, granted Dr. King’s motion for summary judgment, and ordered CCHHS to produce to Dr. King the complete zip codes used to create the maps. Subsequently, CCHHS filed a motion to clarify the circuit court’s order maintaining that the circuit court did not render an opinion as to whether the zip code information was exempt under section 7(1)(a) of FOIA. The circuit court construed the motion as a motion to reconsider and denied the motion, stating it considered both section 7(1)(a) and section 7(1)(b) of FOIA. After Illinois Supreme Court Rule 304(a) (eff. Mar. 8, 2016) language was added to the order granting summary judgment in Dr. King’s favor, this appeal followed. ¶9 II. ANALYSIS ¶ 10 On appeal, CCHHS asserts that the circuit court erred when it ordered the zip code information of individuals who received mental health treatment while detained in the Cook County Jail to be disclosed under FOIA. CCHHS maintains that this information is exempt under sections 7(1)(a) and 7(1)(b) of FOIA where disclosing it would be in violation of federal and state law, thereby constituting a disclosure of private information. Specifically, CCHHS maintains that the zip codes are exempt under the Confidentiality Act (740 ILCS 110/1 et seq. (West 2016)) and the federal regulations implementing HIPAA (45 C.F.R. §§160, 164 (2016)). CCHHS contends that the proper disclosure of this information is through “de-identified” zip codes, i.e., zip codes where only the first three digits are identified. See id. § 164.514 (2016); 740 -4- 1-19-0925 ILCS 110/2 (West 2016). ¶ 11 In response, Dr. King stresses that the purpose of FOIA is to facilitate governmental transparency and that such transparency requires the courts to apply a liberal construction of the FOIA exemptions in favor of disclosure in this instance. While Dr. King generally asserts (without any citation or argument) that HIPAA does not prohibit the disclosure of zip codes standing alone, she maintains that FOIA requires disclosure where HIPAA defers to FOIA to determine which information is exempt. ¶ 12 A. Standard of Review ¶ 13 Whether the zip codes derived from the mental health records are exempt from disclosure under FOIA (5 ILCS 140/7 (West 2016)) is a matter of statutory construction and our review proceeds de novo. City of Chicago v. Janssen Pharmaceuticals, Inc., 2017 IL App (1st) 150870, ¶ 13; Stern v. Wheaton-Warrenville Community Unit School District 200, 233 Ill. 2d 396, 404 (2009) (“De novo review is also appropriate because this appeal arises from an order granting summary judgment.”). Our review is guided by several well-established principles of statutory construction. It is well settled that the primary objective of this court when construing the meaning of a statute is to ascertain and give effect to the intent of the General Assembly. Southern Illinoisan v. Illinois Department of Public Health, 218 Ill. 2d 390, 415 (2006). In determining legislative intent, our inquiry begins with the plain language of the statute, which is the most reliable indication of the legislature’s objective in enacting a law. In re Madison H., 215 Ill. 2d 364, 372 (2005). A fundamental principle of statutory construction is to view all provisions of a statutory enactment. Southern Illinoisan, 218 Ill. 2d at 415. Accordingly, words and phrases should not be construed in isolation, but must be interpreted considering other relevant provisions of the statute. Michigan Avenue National Bank v. County of Cook, 191 Ill. 2d -5- 1-19-0925 493, 504 (2000). In construing a statute, we presume that the legislature, in its enactment of legislation, did not intend absurdity, inconvenience, or injustice. Burger v. Lutheran General Hospital, 198 Ill. 2d 21, 40 (2001). ¶ 14 B. Public Policy ¶ 15 The issue in this case involves the intersection of two strong public policies: the open disclosure of government records as relayed in FOIA and the confidentiality of mental health records and communications as stated in the Confidentiality Act. We begin our analysis by explaining the purpose of FOIA, which is “to open governmental records to the light of public scrutiny.” Bowie v. Evanston Community Consolidated School District No. 65, 128 Ill. 2d 373, 378 (1989); see 5 ILCS 140/1 (West 2016). We are, therefore, directed by our legislature to view FOIA from the standpoint that “[a]ll records in the custody or possession of a public body are presumed to be open to inspection or copying.” 5 ILCS 140/1.2 (West 2016). In addition, “[a]ny public body that asserts that a record is exempt from disclosure has the burden of proving by clear and convincing evidence that it is exempt.” Id. Our legislature has further intended that, “[r]estraints on access to information, to the extent permitted by this Act, are limited exceptions to the principle that the people of this State have a right to full disclosure of information.” Id. § 1. ¶ 16 As stated by our supreme court: “Based upon the legislature’s clear expression of public policy and intent set forth in section 1 of the FOIA that the purpose of that Act is to provide the public with easy access to government information, this court has held that the FOIA is to be accorded ‘liberal construction to achieve this goal.’ ” Southern Illinoisan, 218 Ill. 2d at 416 (quoting Bowie, 128 Ill. 2d at 378). -6- 1-19-0925 Although FOIA outlines several exemptions to disclosure, those exemptions are read narrowly. Day v. City of Chicago, 388 Ill. App. 3d 70, 73 (2009) (citing Lieber v. Board of Trustees of Southern Illinois University, 176 Ill. 2d 401, 407 (1997)). “Thus, when a public body receives a proper request for information, it must comply with that request unless one of the narrow statutory exemptions set forth in section 7 of the Act applies.” Illinois Education Ass’n v. Illinois State Board of Education, 204 Ill. 2d 456, 463 (2003). One of these exemptions is, of course, that disclosure is prohibited by federal or state law. 5 ILCS 140/7(1)(a) (West 2016). ¶ 17 In contrast, the Confidentiality Act, which concerns mental health or developmental disabilities service records and communications, protects certain health information from being publicly disclosed. As stated in the Confidentiality Act, “All records and communications shall be confidential and shall not be disclosed except as provided in [the Confidentiality] Act.” 740 ILCS 110/3(a) (West 2016). The “records” made confidential under the Confidentiality Act are defined to include “any record kept by a therapist or by an agency in the course of providing mental health or developmental disabilities service to a recipient concerning the recipient and the services provided.” Id. § 2. The “communications” made confidential under the Confidentiality Act are defined to include “any communication made by a recipient or other person to a therapist or to or in the presence of other persons during or in connection with providing mental health or developmental disability services to a recipient. Communication includes information which indicates that a person is a recipient.” Id. A “recipient” is defined as “a person who is receiving or has received mental health or developmental disabilities services.” Id. ¶ 18 In Reda v. Advocate Health Care, 199 Ill. 2d 47, 60 (2002), our supreme court set forth the public policy behind the Confidentiality Act: “The Act represents a comprehensive revision and repeal of previous statutes pertaining -7- 1-19-0925 to psychotherapeutic communications. [Citation.] When viewed as a whole, the Act constitutes a strong statement by the General Assembly about the importance of keeping mental-health records confidential. [Citation.] Confidentiality motivates persons to seek needed treatment. Further, by encouraging complete candor between patient and therapist, confidentiality is essential to the treatment process itself. [Citation.] The legislature carefully drafted the Act to maintain the confidentiality of mental- health records except in the specific circumstances explicitly enumerated. In each case where disclosure is allowed under the Act, the legislature has been careful to restrict disclosure to that which is necessary to accomplish a particular purpose. Exceptions to the Act are narrowly crafted. [Citation.] ‘Consequently, anyone seeking the nonconsensual release of mental health information faces a formidable challenge and must show that disclosure is authorized by the Act.’ [Citation.]” ¶ 19 These sentiments have been echoed throughout our jurisprudence. See Johnston v. Weil, 241 Ill. 2d 169, 187 (2011) (“This court has repeatedly recognized that the Confidentiality Act constitutes ‘a strong statement’ by the legislature about the importance of keeping mental health records confidential.”); Wisniewski v. Kownacki, 221 Ill. 2d 453, 458-59 (2006) (same); Garton v. Pfeifer, 2019 IL App (1st) 180872, ¶ 20 (same); Doe v. Williams McCarthy, LLP, 2017 IL App (2d) 160860, ¶ 25 (same); Sangirardi v. Village of Stickney, 342 Ill. App. 3d 1, 16 (2003) (“We are mindful that the Act constitutes a strong statement by the General Assembly about the importance of keeping mental health records confidential and that confidentiality motivates people to seek needed treatment and is essential to the treatment process.”); Norskog v. Pfiel, 197 Ill. 2d 60, 72 (2001) (observing “[t]hat a high value is placed on privacy is evidenced by the fact that the privilege afforded a recipient of mental health treatment continues even after the -8- 1-19-0925 recipient’s death”). ¶ 20 In sum, while FOIA promotes transparency in the operations of government, the Confidentiality Act encourages the procurement of mental health services for its citizens by protecting their mental health records from disclosure. ¶ 21 HIPAA, which was implemented by the federal government in 1996, has public policy considerations that are similar to that of the Confidentiality Act. As a brief overview, HIPAA was enacted, in part, to “improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, heath care clearinghouses, and health care providers.” Standards for Privacy of Individually Identifiable Health Information, 67 Fed. Reg. 14,776 (Mar. 27, 2002) (to be codified at 45 C.F.R. §§ 160, 164). HIPAA mandated that it was a federal offense to disclose “individually identifiable health information.” 42 U.S.C. §§ 1320d-5, 1320d-6 (2012). The Department of Health and Human Services promulgated regulations to protect the privacy of this information. 45 C.F.R. § 164.500 et seq. (2016). This complex regulatory scheme, known as the “Privacy Rule,” works to safeguard confidential patient health information. See id. (containing detailed definitions and rules for protection of health information). This scheme reflects a societal understanding of the legitimacy of patients’ right to privacy in information relating to their medical health and shared with providers such as hospitals and physicians— despite the fact that they must entrust this information with providers as an incident to receiving care. See Giangiulio v. Ingalls Memorial Hospital, 365 Ill. App. 3d 823, 839 (2006); see also Moss v. Amira, 356 Ill. App. 3d 701, 710-12 (2005) (Quinn, J., specially concurring). ¶ 22 C. Exceptions to FOIA ¶ 23 Having set forth the public policy considerations of FOIA, the Confidentiality Act, and -9- 1-19-0925 HIPAA, we now turn to the main claim of this appeal. At issue here is whether one of the exceptions recognized by FOIA applies in this case. Section 7(1)(a) states in pertinent part: “When a request is made to inspect or copy a public record that contains information that is exempt from disclosure under this Section, but also contains information that is not exempt from disclosure, the public body may elect to redact the information that is exempt. The public body shall make the remaining information available for inspection and copying. Subject to this requirement, the following shall be exempt from inspection and copying: (a) Information specifically prohibited from disclosure by federal or State law or rules and regulations implementing federal or State law.” 5 ILCS 140/7(1)(a) (West 2016). ¶ 24 D. The Confidentiality Act ¶ 25 We begin our analysis by addressing whether the zip codes constitute confidential information under the Confidentiality Act to be prohibited from disclosure under section 7(1)(a) of FOIA. As previously discussed, “The [Confidentiality] Act imposes stringent protections on the disclosure of mental health records for litigation purposes, identifies who may request the records and for what purposes, and regulates how the request for disclosure should be made and handled.” Garton, 2019 IL App (1st) 180872, ¶ 17. Notably, the plain language of the Confidentiality Act provides that “[a]ll records and communications shall be confidential and shall not be disclosed” unless an exception within the Confidentiality Act applies, none of which are at issue here. (Emphases added.) 740 ILCS 110/3(a) (West 2016). In its definition section, the Confidentiality Act expounds on this broad statement by providing any records or communications made or created in the course of providing mental health or developmental - 10 - 1-19-0925 disabilities services are to be kept confidential unless an exception applies. Id. § 2. The word “any” has broad and inclusive connotations. See People ex rel. Scott v. Silverstein, 94 Ill. App. 3d 431, 434 (1981). The Confidentiality Act further provides in its definition of “communication” that it “includes information which indicates that a person is a recipient.” 740 ILCS 110/2 (West 2016). Indeed, this court has observed that “[t]he protection of the Confidentiality Act is broader than the physician-patient privilege, and all communications and records generated in connection with providing mental health services to a recipient are protected unless excepted by law.” People v. Kaiser, 239 Ill. App. 3d 295, 301 (1992). ¶ 26 Pertinent to this appeal, the Confidentiality Act provides that a confidential “communication” or “record” does not “include information that has been de-identified in accordance with HIPAA, as specified in 45 CFR 164.514.” 740 ILCS 110/2 (West 2016). The Confidentiality Act further provides that “HIPAA” means “the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and any subsequent amendments thereto and any regulations promulgated thereunder, including the Security Rule, as specified in 45 CFR 164.302-18, and the Privacy Rule, as specified in 45 CFR 164.500-34.” Id. The Confidentiality Act thus relies in part on HIPAA to define what is and is not considered to be confidential information. ¶ 27 Therefore, to determine whether the zip codes are confidential information under the Confidentiality Act, we must examine HIPAA and its pertinent regulations, particularly the Privacy Rule. As previously addressed, HIPAA is a complicated regulatory scheme, and, as such, it provides numerous definitions that are applicable in this case. 1 HIPAA prohibits covered 1 We acknowledge that HIPAA applies to “covered entities” and the parties do not dispute that CCHHS is one such covered entity. See 45 C.F.R. § 160.103 (2016) (a “covered entity” includes “[a] health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter”). - 11 - 1-19-0925 entities from using or disclosing protected health information except as provided in the HIPAA regulations. 45 C.F.R. § 164.502(a) (2016). The term “protected health information” is defined as that information being “individually identifiable heath information,” which is further defined as “information that is a subset of health information.” See Haage v. Montiel Zavala, 2020 IL App (2d) 190499, ¶ 8. This includes demographic information provided by the health recipient as follows: “The term ‘individually identifiable health information’ means any information, including demographic information collected from an individual, that— (A) is created or received by a health care provider ***; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and— (i) identifies the individual; or (ii) with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” (Emphasis added.) 42 U.S.C. § 1320d(6) (2012). ¶ 28 The Privacy Rule, like the Confidentiality Act, allows a covered entity to disclose health information if the information is “de-identified” before it is released. 45 C.F.R. § 164.502(d) (2016); 740 ILCS 110/2 (West 2016). To prevent health information from being linked with individuals, the Privacy Rule sets forth standards for de-identifying health information, which are incorporated into the Confidentiality Act by reference. 45 C.F.R. § 164.514 (2016); 740 ILCS 110/2 (West 2016). Pertinent to this appeal, section 164.514 specifies that a covered entity may - 12 - 1-19-0925 determine that health information is not individually identifiable and may be disclosed if several specific identifiers, including geographic identifiers like street addresses and zip codes, are removed from the information prior to disclosure. 45 C.F.R. § 164.514 (2016). Specifically, the following demographic information is to be removed: “All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.” (Emphases added.) Id. Accordingly, in regard to zip codes, the Privacy Rule thus provides that, in geographic units of more than 20,000 people where the same three initial digits of the zip codes are employed, the last three digits of the zip codes must be redacted, or deidentified, to preserve an individual’s privacy. Id. ¶ 29 When read together, the Confidentiality Act, and the Privacy Rule incorporated therein, demonstrate that the complete or unredacted zip codes, as ordered to be disclosed by the circuit court, are to be deidentified prior to being disclosed. Thus, the unredacted zip codes are confidential information and protected under the Confidentiality Act. Our legislature and Congress have recognized that there is a privacy interest only in “individually identifiable medical records” and not redacted medical records. When the medical records are “de-identified” all the identifying medical information is removed and any privacy interest in the medical records is eliminated. Therefore, once the zip codes are redacted, they no longer contain - 13 - 1-19-0925 “individually identifiable health information.” See id. § 164.514(a). Thus, the Confidentiality Act and the HIPAA regulations themselves provide that there is no protected privacy interest in non- identifiable health information. See 740 ILCS 110/2 (2016); 45 C.F.R. § 164.502(d)(2) (2016); see also Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923, 934 (7th Cir. 2004) (Manion, J., concurring in part, dissenting in part). The HIPAA regulations confirm this conclusion: “Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514 ***[.]” (Emphasis added.) 45 C.F.R. § 164.502(d)(2) (2016). Accordingly, as the HIPAA regulations recognize that there is no loss of privacy where the medical records are deidentified, the same is true under the Confidentiality Act, which expressly incorporates those regulations. It necessarily follows that the opposite is also true; individually identifiable health information that is required to be deidentified under HIPAA, would be protected from disclosure under the Confidentiality Act. See 740 ILCS 110/2 (West 2016) (a confidential record or communication “does not include information that has been de-identified in accordance with HIPAA”). ¶ 30 Dr. King, however, argues that the zip codes at issue here are incapable of identifying the individual mental health recipients. Yet, contrary to her argument, she also recognizes that both HIPAA and the Confidentiality Act allow only for the disclosure of de-identified zip codes. Indeed, plaintiff appears to accept that the de-identified zip codes will fulfill her FOIA request - 14 - 1-19-0925 where she argues that “CCHHS offers no facts at all, let alone clear and convincing facts, as to why deidentified records could not be produced.” Indeed, CCHHS is not opposed to providing the de-identified zip codes to Dr. King. ¶ 31 Despite acknowledging that the deidentified zip codes satisfy her FOIA request, Dr. King asserts that the sheer number of Cook County residents and zip codes located therein support her argument that she is entitled to complete and unredacted zip codes, as they cannot serve to individually identify the mental health recipients. However, plaintiff cannot refute the fact that HIPAA regulations account for these figures in determining when zip codes should be deidentified. As previously discussed, HIPAA regulations provide that a covered entity may determine that private health information is not individually identifiable only if the last three digits of a zip code are removed, where the geographic unit formed by combining all the zip codes with the same three initial digits contains more than 20,000 people. 45 C.F.R. § 164.514(b)(2)(i)(B) (2016). In this instance, Cook County falls within these parameters; thus, it is within CCHHS’s purview not to provide full, complete zip codes to Dr. King. ¶ 32 Dr. King maintains, however, that FOIA requires disclosure where HIPAA defers to FOIA to determine which information is exempt. In doing so, Dr. King relies on out-of-state jurisprudence wherein she maintains the courts recognized that Congress did not intend to preempt state and federal laws requiring disclosure with the HIPAA regulations. See State ex rel. Cincinnati Enquirer v. Daniels, 108 Ohio St. 3d 518, 2006-Ohio-1215, 844 N.E.2d 1181, ¶ 25; Abbott v. Texas Department of Mental Health & Mental Retardation, 212 S.W.3d 648, 664, 659- 60 (Tex. App. 2006) (noting that HIPAA’s “commentary makes it clear that when determining whether to release protected health information in response to a Freedom of Information Act request, an agency must look to the limits and exemptions in the Act,” and not to the limits in - 15 - 1-19-0925 HIPAA). Dr. King thus asserts that CCHHS must produce the unredacted zip codes because FOIA requires the disclosure of such records and HIPAA defers to state law FOIA statutes. ¶ 33 Based on our analysis set forth above, Dr. King’s argument is not persuasive. Our decision finding the unredacted zip codes to be protected information is not solely based on HIPAA, but on the Confidentiality Act. The Confidentiality Act, in turn, relies on HIPAA to establish what constitutes private health information. 740 ILCS 110/2 (West 2016). In this instance, HIPAA is not in conflict with the Confidentiality Act, but is incorporated therein. Accordingly, there is no preemption, and Dr. King’s argument fails. ¶ 34 In reaching our conclusion, we further observe that Dr. King’s reliance on several cases that allowed the disclosure of certain information is misplaced because those cases involved neither mental health records nor the Confidentiality Act. See Cincinnati Enquirer, 108 Ohio St. 3d 518, 2006-Ohio-1215, 844 N.E.2d 1181, ¶¶1-2 (finding a reporter’s request for copies of lead- contamination notices issued to property owners of units reported to be the residences of children whose blood tests indicated elevated lead levels did not contain a request for protected health information as defined by HIPAA and that HIPAA does not supersede state disclosure requirements); Abbott, 212 S.W.3d at 664 (finding a reporter’s request for statistics regarding alleged incidents of abuse and sexual assault occurring at the Texas Department of Mental Health and Mental Retardation must be produced under Texas’ Public Information Act, where, assuming the statistics constituted protected health information, no law considered the statistics to be confidential); Bowie, 128 Ill. 2d at 379 (holding that the school district defendant was obligated to disclose a masked record of achievement test scores under FOIA because a masked record, which deletes individual identifying information, does not fall within the definition of a school student record and is not prohibited from disclosure under the Illinois School Student - 16 - 1-19-0925 Records Act (Ill. Rev. Stat. 1985, ch. 122, ¶ 50-1 et seq.)); Southern Illinoisan, 218 Ill. 2d at 420- 21, 426-27 (concluding the Illinois Health and Hazardous Substances Registry Act (Registry Act) (410 ILCS 525/4(d) (West 1998)), which was enacted to “provid[e] public access to meaningful information about potential ‘cancer clusters,’ ” did not prohibit the disclosure of the zip codes of individuals diagnosed with neuroblastoma where that information did not “tend[ ] to lead to [their] identity” within the meaning of the Registry Act). None of these cases involved information derived from mental health records or communications, and none of the courts in these cases were asked to consider an act similar to the Confidentiality Act. Thus, we find these cases to be inapplicable and unpersuasive. ¶ 35 Specifically, Dr. King’s reliance on Cincinnati Enquirer is misplaced. In that case, a newspaper, the Cincinnati Enquirer, sought to obtain copies of the Cincinnati Health Department’s lead-contamination notices issued to property owners of units reported to be the residences of children whose blood tests indicated elevated lead levels. Cincinnati Enquirer, 108 Ohio St. 3d 518, 2006-Ohio-1215, 844 N.E.2d 1181, ¶ 1. The Cincinnati Health Department declined to release notices relying on the HIPAA regulations. Id. ¶ 1. The Ohio Supreme Court determined that these notices did not contain protected health information, as defined by federal law and HIPAA, and therefore were subject to disclosure. Id. ¶ 2. In the alternative, the Ohio Supreme Court found that even if the notices contained protected health information and the Cincinnati Health Department qualified as a covered entity, the notices would still be subject to disclosure under the “required by law” exception to the HIPAA privacy rule because the Ohio Public Records Law (a statute similar to our FOIA) required disclosure of these reports and federal law did not supersede state disclosure requirements. Id. ¶ 36 In explaining this decision, the Ohio Supreme Court first disclosed what the notices - 17 - 1-19-0925 entailed. Specifically, the lead-citation notices issued consisted of a multipage form. Id. ¶ 14. Only one sentence in the 14-page narrative made any reference to medical information or conditions and it stated, “ ‘This unit has been reported to our department as the residence of a child whose blood test indicates an elevated lead level.’ ” Id. In addition, the Ohio Supreme Court observed that the purpose of the lead-citation notices was to advise the owners of real estate about the results of department investigations and to apprise them of violations relating to lead hazards. Id. ¶ 16. The reports did not contain any identifying information such as names, ages, birth dates, social security numbers, telephone numbers, family information, photographs, or any specific medical examinations, assessments, diagnoses, or treatments of any medical condition. Id. When comparing the information contained in the lead-citation notices to the HIPAA definition of protected health information, the Ohio Supreme Court concluded that the lead-risk notices did not contain protected heath information. Id. ¶ 18. In contrast, the conclusion we reach herein is not strictly based on the HIPAA definition of protected health information. Our conclusion is based on the language of the Confidentiality Act that explicitly protects demographic information as defined under HIPAA. See 740 ILCS 110/2 (West 2016). ¶ 37 The Cincinnati Enquirer case is further distinguishable from the case at bar as it involved lead-citation notices that the parties and the court deemed to be “public records” of the Cincinnati Health Department. In contrast, the zip codes at issue here were pulled from mental health records of former detainees. In addition, the information at issue in Cincinnati Enquirer involved a public health issue—lead exposure, an exigent public safety issue. In this case, there is no similar public need for the zip codes of mental health recipients argued by Dr. King. Finally, we observe that there was no Ohio statute at issue in Cincinnati Enquirer that protected the sanctity of mental health records so voraciously as the Confidentiality Act. This case is - 18 - 1-19-0925 inapposite. ¶ 38 Also inapposite is Abbott. That case involved a reporter’s request for information under Texas’s version of FOIA, the Public Information Act, seeking statistics regarding alleged incidents of abuse and sexual assault occurring at facilities operated by the Texas Department of Mental Health and Mental Retardation (Department). Abbott, 212 S.W.3d at 651. Specifically, the request sought information from the last five years about (1) alleged incidents of sexual assault and patient-client abuse at state hospitals and Department facilities, (2) subsequent investigation of the allegations, (3) the names of the facilities in which the incidents allegedly occurred, (4) the dates the events allegedly occurred, and (5) the disposition of any investigations. Id. at 651-52. After receiving the request, the Department released a statistical report of all abuse allegations and subsequent investigations in Texas for the pertinent years, but the report did not provide information regarding individual facilities. Id. at 652. ¶ 39 Thereafter, the Department requested that the Texas Attorney General issue an opinion regarding whether releasing the requested statistical information from the individual facilities would violate HIPAA and the federal rules implementing HIPAA. Id. The Department contended that, because the information concerns alleged sexual and other types of abuse at various facilities and because the request asks for the names of the facilities where the alleged incidents occurred, it was prohibited from disclosing the information because it is “individually identifiable health information.” Id. The Attorney General disagreed, finding that the disclosure was required by law, the information requested in this case was not considered to be confidential under the Privacy Rule, and the information was therefore subject to disclosure. Id. The Department filed suit challenging the opinion of the Attorney General. The district court found that the information requested was confidential and therefore exempt from disclosure under the - 19 - 1-19-0925 Public Information Act. Id. at 652-53. ¶ 40 On appeal, the reviewing court found that the information requested was subject to disclosure. Id. at 664. Specifically, the reviewing court determined that section 164.512(a) of the Privacy Rule permitted disclosure of protected health information if required by law, as long as the disclosure comported with the requirements of that law. Id. The Texas Public Information Act required disclosure of public information unless an exception applied. Id. In Abbott, no exception to the disclosure in the Public Information Act applied to the release of statistical information regarding abuse at individual government facilities. Id. The court further found that the confidentiality exception listed in the Public Information Act did not apply because no law rendered the information confidential. Id. Notably, in rendering this determination, the court emphasized that its “construction [of the statutes at issue] comports with the policy of this State to disclose information regarding abuse and neglect at facilities caring for the mentally ill or mentally retarded” and that it was further consistent “with the public’s interest in having access to information about the operation of these facilities.” Id. at 663. ¶ 41 Here, however, there is a strong public policy in Illinois to protect the confidentiality of mental health records. See Reda, 199 Ill. 2d at 60. Although the Abbott court concluded that an exception to its version of FOIA did not apply, we find the opposite in the case at bar. Illinois’s Confidentiality Act clearly sets forth what can be disclosed under the Act, and the unredacted zip codes at issue here are not to be disclosed. 740 ILCS 110/2 (West 2016) (a confidential communication or record “does not include information that has been de-identified in accordance with HIPAA”). Indeed, even the Abbott court recognized that, under HIPAA regulations, a government agency may release protected health information only “if potential identifiers are redacted or if a statistician determines that release of the information cannot be used to identify - 20 - 1-19-0925 an individual.” Abbott, 212 S.W.3d at 662 (citing 45 C.F.R. § 164.514 (2016)). ¶ 42 Lastly, Dr. King relies upon Southern Illinoisan for the proposition that “[t]he fact that one of the exemptions here derives from another statute like HIPAA, and that it involves a privacy interest, does not change FOIA’s presumption in favor of disclosure or its requirement that exemptions be narrowly construed.” In Southern Illinoisan, our supreme court considered whether a newspaper’s request of the Illinois Department of Public Health (IDPH) to release from the Illinois Health and Hazardous Substances Registry (cancer registry) certain data about incidents of neuroblastoma was exempt from disclosure under section 7(1)(a) of FOIA. Southern Illinoisan, 218 Ill. 2d at 393. The newspaper specifically sought information regarding the type of cancer, zip code, and date of diagnosis of neuroblastoma. Id. at 394. The IDPH maintained that disclosure of such information violated section 4(d) of the Registry Act because it “ ‘tends to lead to the identity, of any person whose condition or treatment is submitted to the Illinois Health and Hazardous Substances Registry.’ ” Id. at 418 (quoting 410 ILCS 525/4(d) (West 1998)). ¶ 43 Our supreme court ultimately concluded that the IDPH failed to demonstrate that the release of the cancer registry information requested by plaintiff tended to lead to the identity of the specific person described in the data and therefore allowed the disclosure of the information. Id. at 426-27. In reaching this determination, our supreme court noted the competing interests of providing public access to meaningful information about cancer clusters and the interest in minimizing the risk of invading the privacy of cancer patients. Id. at 420-21. The court further noted that these competing interests are captured by the legislature in section 4(d) of the Registry Act, which prohibits the disclosure of otherwise publicly available information if it “tends to lead to the identity” of the cancer patients listed in the registry. Id. at 421. The court then engaged in statutory construction of the term “tends to lead to the identify” stating the following: - 21 - 1-19-0925 “We observe, however, that by employing the word ‘tends,’ the legislature deliberately allowed for flexibility, to the extent that, in some instances, disclosure of Registry information will be permissible and in other instances such disclosure will be prohibited. As stated above, there are competing interests—and therefore an inherent tension— within the Registry Act: the purpose of the Act is to provide the public with information about hazardous substances and cancer, while at the same time the Act is intended to protect the identity of those patients afflicted with this disease. The use of the term ‘tends’ indicates that the General Assembly wished to impose a somewhat heightened standard of confidentiality by prohibiting disclosure of Registry information other than just information that simply ‘leads to the identity’ of cancer patients. However, at the same time, the use of the word ‘tends’ also indicates that the legislature did not intend to erect a per se bar to the disclosure of Registry information, and we must, therefore, be mindful not to interpret this term too broadly. In our view, by choosing to use the word ‘tends,’ the legislature has allowed for case-specific determinations with the respect to the release of Cancer Registry information, with the analysis meant to be adaptable to the particular circumstances presented.” Id. at 421-22. ¶ 44 In contrast to the Registry Act, the General Assembly has chosen to uphold the sanctity of mental health records and communications in the Confidentiality Act. See 740 ILCS 110/3 (West 2016); Johnston, 241 Ill. 2d at 187. As previously discussed, the General Assembly employed the use of the words “all” and “shall” when constructing the statute—“All records and communications shall be confidential and shall not be disclosed except as provided in [the Confidentiality] Act.” (Emphases added.) 740 ILCS 110/3(a) (West 2016). This demonstrates the legislature’s intent to restrict the disclosure of such information. See Reda, 199 Ill. 2d at 60. Such - 22 - 1-19-0925 a restriction was not codified within the Registry Act, and therefore Southern Illinoisan is inapplicable to the case at bar. ¶ 45 Along with the plain language of the Confidentiality Act, it is Illinois’s strong public policy in favor of the confidentiality of mental health information that informs and guides this opinion. As recognized by our supreme court, “It has been universally recognized that significant public and private interests are served by preserving the confidentiality of mental health records and communications. To that end, our legislature has enacted laws which place strict controls on the disclosure of mental health records and communications.” Norskog, 197 Ill. 2d at 86. The Confidentiality Act thus represents a “strong statement by the General Assembly about the importance of keeping mental-health records confidential.” Reda, 199 Ill. 2d at 60. And while FOIA serves to promote transparency in government actions (see Bowie, 128 Ill. 2d at 378), even FOIA recognizes that there are exceptions to this rule (see 5 ILCS 140/7(1) (West 2016)). In this case, where the zip codes sought were culled from the mental health records of former detainees, it is apparent to this court that the Confidentiality Act serves to protect this information. ¶ 46 We thus conclude that the circuit court erred when it ordered the disclosure of the unredacted zip codes of the mental health recipients. This information falls within the state law exception to FOIA (id. § 7(1)(a)), where the Confidentiality Act and the HIPAA regulations incorporated therein protect the unredacted zip codes from disclosure. It is for these reasons that we reverse the judgment of the circuit court of Cook County and remand the matter for the circuit court to enter an order providing that deidentified zip codes be produced to Dr. King in response to her FOIA request. ¶ 47 III. CONCLUSION ¶ 48 For the reasons stated above, we reverse the judgment of the circuit court of Cook County - 23 - 1-19-0925 and remand for further proceedings consistent with this opinion. ¶ 49 Reversed and remanded. - 24 - 1-19-0925 No. 1-19-0925 Cite as: King v. Cook County Health & Hospitals System, 2020 IL App (1st) 190925 Decision Under Review: Appeal from the Circuit Court of Cook County, No. 17-CH- 10748; the Hon. Celia G. Gamrath, Judge, presiding. Attorneys Kimberly M. Foxx, State’s Attorney, of Chicago (Cathy McNeil for Stein, Martha Victoria Jimenez, and James Beligratis, Assistant Appellant: State’s Attorneys, of counsel), for appellant. Attorneys Joshua Burday, Matthew Topic, and Merrick Wayne, for of Loevy & Loevy, of Chicago, for appellee. Appellee: - 25 -