•  info@koepkelaw.net
  • Call Us: (217) 726-8646


Posted on Apr 24th, 2020

Hipaa Protective Orders and Use of Protected Health Information in Litigation

By Jason G. Schutte


Recent Illinois Case law sets avenue for plaintiff’s attorneys to limit the use of protected health information obtained through litigation of personal injury claims via HIPAA.

Protective orders and protected health information:

In this newsletter, we will be discussing the recent Illinois Appellate Case Haage v. Zavala and Protective orders entered in personal injury cases pursuant to the Health Insurance Portability and Accountability Act of 1966 (herein HIPAA) and the rules promogulated pursuant to that Act.

All people have a right to privacy regarding their medical treatment and health; however, some of these protections and privileges are waived when a personal injury plaintiff seeks compensation for bodily injury. The extent to which these protections are waived is often a contentious subject during the litigation of personal injury claims.

Plaintiff’s attorneys often seek to restrict how far back in time the defense can obtain medical records for the plaintiff’s medical care. Likewise, they often try to prevent the defense from obtaining records for treatment that the plaintiff deems irrelevant. The defense, on the other hand, often seeks to have as much access as possible to plaintiff’s pre accident medical care to evaluate the existence of pre-existing conditions and the plaintiff’s activity level before the accident, in comparison to after the accident.

It is common practice in personal injury cases for the parties and courts to enter a Protective Order controlling the disclosure of protected health information by medical providers and to whom the protected information may be disclosed to by the parties during the litigation. We have been seeing plaintiff’s attorneys recently push to limit the ability for liability insurers and defense counsel to retain medical records and documents described as protected health information (herein PHI) under the HIPAA laws after the close of litigation. Plaintiffs are doing this by pushing the courts to require that parties either destroy or return the PHI within a time frame of the close of the case, usually 60 days.

Underlying facts of case:

This issue was addressed in the recent Illinois Appellate Court Case Haage v. Zavala[i]. The Haage case arose from two personal injury automobile accident cases. The plaintiffs in Haage proposed that the protective orders “(1) prohibited the parties and any other persons or entities from using or disclosing PHI for any purpose other than the litigation for which it was requested and (2) required the return or destruction of the PHI within 60 days after the conclusion of the litigation.”[ii] State Farm Insurance petitioned to intervene in the case and proposed the use of a protective order that did not include return and destroy provisions.[iii] The trial court approved the plaintiff’s proposed order and stated that any individual or entry receiving the order must comply with its provisions.[iv]

State Farm asserted they were exempt from the protective orders and that the entry of the same as proposed would prevent them with complying with their obligations under the Illinois Insurance Code.[v] Likewise, they asserted that such restrictions in the use of PHI would interfere with State Farm’s rights to use that information for claims administration, detection/investigation of fraud, underwriting, rate making and guaranty fund functions, reinsurance and excess loss insurance and research including actuarial, medical, scientific and public policy.[vi]

Court’s analysis of the applicable law and ruling:

The Haage court provided a great discussion of some of the basic concepts of the HIPAA laws and regulations. For instance, the Privacy Rule as adopted in the Code of Federal Regulations prohibits the disclosure of an individual’s PHI by a “covered entity” or “business associate” unless that individual has consented to the same or the disclosure is permitted under the rules.[vii] PHI is defined as “individually identifiable health information”.[viii]

Qualified protective orders under the Privacy Rule are an order from the court or a stipulation by the parties to the legal action that (1) prohibits those “parties from using or disclosing the [PHI] for any purpose other than the litigation or proceeding for which such information was requested” and (2) mandates that the PHI be returned “to the covered entity or destruction of the” PHI and any copies thereof at the close of the legal action.[ix]

The court noted that the HIPAA laws and regulations created a floor of privacy protections for an individual’s medical information. Further, these laws pre-empt any contrary State provisions unless those contrary provisions are more stringent than the HIPAA Privacy Rule.[x] Additionally, the court noted that State Farm did not qualify as a “covered entity” under the HIPAA laws.[xi]

The question for the court then became “whether a ‘non-covered entity’ that receives PHI from a covered entity in response to a HIPAA qualified protective order is bound to comply with any of the order’s restrictions regarding the use of and disclosure of PHI.”[xii] The court found that, since State Farm is an entity that is wanting to obtain PHI (obviously to investigate the underlying bodily injury claim), it must “abide by the terms of the HIPAA qualified protective orders entered by the court.” Meaning that State Farm must comply with the use and disclosure requirements set forth in the order entered by the court if they want to access the PHI.[xiii]

The Haage court did not find that State Farm’s arguments that they were required to use and disclose PHI under the Illinois Insurance Codes and regulations to be convincing.[xiv] The court noted that State Farm’s preferred order that did not include return or destroy provisions at the close of litigation would lower the floor of the privacy protections that the Privacy Rule for HIPAA provided. Hence, the court considered State Farm’s position that they should be able to use and retain PHI outside litigation would be an obstacle to accomplishing HIPAA’s purposes and objectives.[xv] The Appellate court in Haage affirmed the trial court’s approval of the Plaintiff’s proposed HIPAA order with destroy/return provisions and that State Farm must abide by those provisions.[xvi]

Practical Effect of Case:

This case could be taken up to the Illinois Supreme Court, but this has not been determined at the time of this writing. There is no doubt that plaintiff’s attorneys will utilize this case to push for language tracking the Privacy Rule within protective orders, which is more restrictive than many insurance companies and defendants would prefer. Trial court judges will be more likely to approve an order with return and destroy provisions in light of the precedent set in Haage case.

Failure to comply with return and destroy provisions could open defendants, counsel and insurers up to potential lawsuits or sanctions for noncompliance with court orders. Defendants, insurers and defense attorneys must carefully review any proposed HIPAA protective order prior to entry of the same. The defense should push for the entry of an order that does not contain such return and destroy provisions. If an agreed order is entered that does not require the return/destruction of PHI, then the concerns regarding return/destruction should be avoided. In practice I have often pushed for language in protective orders stating that PHI can be “maintained and destroyed pursuant to in place file retention policies for law firms and insurers.”

Defense attorneys must consult with their client and claims representatives regarding dissemination of PHI if the defense cannot convince the plaintiff to enter an order that does not include return and destroy provisions. Obviously, defense counsel has to advise the defendant and insurer of the facts of the case, which inevitably includes information about the plaintiff’s health in a personal injury case. This is made more difficult by the fact that PHI has a very general definition, PHI is defined as “individually identifiable health information” transmitted or maintained via electronic media or other medium.[xvii]

The defense should consider alternative methods for providing this information to their clients and insurers that do not include transmission of actual medical records. Potential avenues would include providing summaries of medical records excluding as much identifying information as possible or secure cloud storage where the records are not downloaded or transferred. Alternatively, if PHI must be transferred to other persons or entities during litigation, a plan should be implemented for the return/destruction of the PHI at the close of litigation.


[i] Haage v. Zavala, et. al., 2020 IL App (2d) 190499;

[ii] Haage at ¶ 2;

[iii] Haage at ¶23;

[iv] Haage at ¶3;

[v] Haage at ¶ 2;

[vi] Haage at ¶21;

[vii] Haage at ¶ 8;

[viii] Haage at ¶ 8 citing 45 C.F.R. § 160.103(2018)

[ix] Haage at ¶ 9, citing 45 C.F.R. 164.512 (2018);

[x] Haage at ¶10;

[xi] Haage at ¶40;

[xii] Haage at ¶44;

[xiii] Haage at ¶44 & 49;

[xiv] Haage at ¶60;

[xv] Haage at ¶ 63;

[xvi] Haage at ¶3 and 72;

[xvii] 45 C.F.R. §160.103 (2020).

Speak with Our Legal Counselors Now

Call (217) 726-8646

logo 3

We are lawyers who are motivated, prepared and focused to meet client expectations.

With over fifty years of combined experience among our professional team of attorneys, we can take on a range of sophisticated and complex insurance defense cases.

Contact Info

Koepke & Hiltabrand P.C.
2341 W. White Oaks Dr.
Springfield, IL 62704

 (217) 726-8646

This email address is being protected from spambots. You need JavaScript enabled to view it.

8.00 am to 7.00 pm