August 29, 2016

  By James A. Petrungaro and Anthony Scariano III

            Earlier this month, the Illinois Attorney General’s Public Access Counselor (“PAC”) Office issued a binding opinion that has sweeping implications under the Freedom of Information Act (“FOIA”). The opinion stemmed from a FOIA request submitted by CNN to the Chicago Police Department for “all emails related to Laquan McDonald from Police Department email accounts and personal email accounts where business was discussed” for 12 police officers within two date ranges. As you may recall, Laquan McDonald was shot and killed by a Chicago police officer in October of 2014 and the release of the police video related to the incident sparked outrage, protests and the firing of CPD Chief Gary McCarthy, among other CPD changes. 

             The PAC’s opinion addressed whether emails on the officers’ personal email accounts met FOIA’s definition of “public records,” which includes electronic communications “pertaining to the transaction of public business...having been prepared by or for, or having been or being used by, received by, in the possession of, or under the control of any public body.” Ultimately, the PAC determined that the emails on the officers’ personal accounts were public records.

             The PAC reasoned that because public bodies always act through its employees and officials, emails discussing public business that those employees and officials prepare and possess do not lose their public character merely because the public body does not possess them on its servers. To the PAC, the inquiry under FOIA should be focused on the content of correspondence (such as emails), and not the method by which the correspondence is sent. 

             The PAC also reiterated the Illinois General Assembly’s intent when it created FOIA, which was to ensure that the public had full access to records pertaining to the transaction of public business. If the General Assembly’s intent was ignored, the PAC opined, public officials would be able to circumvent FOIA’s reach by using personal devices to discuss public business. The PAC did not address whether its decision concerning the reach of the Illinois FOIA is permitted by the Fourth Amendment of the United States Constitution, which prohibits unreasonable government searches and seizures of persons and their property.

            The City of Chicago has not yet announced whether it will appeal the PAC’s decision and its time for doing so has not yet expired. Although the PAC’s decision is binding on only the City of Chicago, the broad ruling of the decision and the likelihood that the PAC would issue a similar ruling in other cases means that it is effectively the law of the land unless and until overturned by a judge. Your attorneys at Scariano, Himes and Petrarca stand ready to assist you with navigatinthis far-reaching FOIA decision.



December 31, 2009

By: Trisha A. Olson

The Department of Health and Human Services (“HHS”) issued a new regulation requiring entities covered by the Health Insurance and Portability and Accountability Act (“HIPAA”) to notify individuals when their protected health information is breached and the breach violates an individual’s right to protected health information.  School districts that self-insure in whole or part, or process Medicaid and/or other claims, may be HIPAA covered entities.

In general, “protected health information” is the individually identifiable health information held or transmitted in any form or medium by a HIPAA-covered entity.  A “breach” of this information is the acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted by HIPAA, and which compromises the security or privacy of the protected health information.  A breach violates an individual’s right to protected health information only when it poses a significant risk of financial, reputational or other harm to the individual.

Following a breach that poses a significant risk, covered entities must notify affected individuals in writing within 60 calendar days after the discovery of the breach.  Notification must include:

      (1)         A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;

      (2)        A description of the unsecured protected health information that was involved; (3) The steps an individual should take to protect him/herself from potential harm;

      (4)        A brief description of how the covered entity is investigating the breach, mitigating losses, and protecting against any further breach; and

      (5)        Contact information for individuals who have questions or concerns.

When a breach impacts more than 500 individuals, notice is required to the HHS Secretary and prominent media outlets.

The Act provides three narrow exceptions to the breach notification requirement:  (1) An unintentional acquisition, access or use of information by an employee who acts in good faith and in the scope of his/her employment is not considered a breach and does not trigger the notification requirement of the Act; (2) An inadvertent disclosure from one authorized person to another authorized person does not trigger the notification requirement; and (3) An unauthorized disclosure to an individual who would not reasonably be able to retain the information does not trigger the notification requirement.

Covered entities should develop policies and procedures and train employees regarding the above notification requirements for breaches of protected health information.  All policies, procedures and trainings must reflect that not every violation is a “breach” that triggers notification requirements.

Please do not hesitate to contact your attorney at Scariano, Himes, and Petrarca, Chtd., with any questions that you may have related to the new HIPAA regulation.