New FOIA Exemption for Medical Records

by Ericka J. Thomas

The Illinois General Assembly recently updated the definition of “private information” for certain public bodies under the Freedom of Information Act (“FOIA”), and in so doing created a new exception for what must be produced in response to a FOIA request.

Public bodies are generally required to make public records available for inspection and copying to any person who requests them. But certain information is exempt from this requirement by law, and a public body may either withhold the records or, if the responsive records also contain non-exempt information, redact the exempt information. “Private information” is exempt from disclosure under the Act. 5 ILCS 140/7(1)(b).

Section 7 of FOIA lists types of information that are exempt from disclosure under the Act, such as personal information that would constitute an unwarranted invasion of personal privacy if disclosed, trade secrets, banking and credit card information of the public body, and privileged information between a public body and an attorney or accountant.

Now, because of Public Act 103-554, “private information” for public bodies that are HIPAA-covered entities includes electronic medical records and all information, including demographic information, contained within or extracted from an electronic medical records system operated or maintained by the public body in compliance with State and federal medical privacy laws and regulations. 5 ILCS 140/2(c-5). A “HIPAA-covered entity” means a health plan, health plan clearinghouse, or a health care provider who transmits any health information in electronic form. 45 C.F.R. 160.103.

With the expanded definition of “private information” for HIPAA-covered entities comes an addition to Section 7 of FOIA. When a public body that is also a HIPAA-covered entity receives a FOIA request, all information that is protected health information, including demographic information, that may be contained within or extracted from any record held by the public body in compliance with State and federal medical privacy laws and regulations is exempt from disclosure. 5 ILCS 140/7(pp).

These updates to FOIA will apply to several public bodies, because many offer services that qualify them as a “health care provider” and transmit electronic medical records. For example, a county that operates a health clinic within a county health department would be a HIPAA-covered entity if it transmits electronic medical records, and so would a fire protection district that offers emergency medical services and transmits electronic records. A local government would also be a HIPAA-covered entity if it operates a Local Government Health Plan funded solely by participating units.

These updates go into effect on January 1, 2024. Public bodies are encouraged to contact their legal counsel if they are unsure whether they are a HIPAA-covered entity, and when responding to FOIA requests, to ensure they do not disclose exempt information.