AUTHORITY: Implementing and authorized by the Illinois Health Statistics Act [410 ILCS 520].
SOURCE: Adopted and codified at 7 Ill. Reg. 11293, effective August 26, 1983; amended at 38 Ill. Reg. 19251, effective September 10, 2014.
SUBPART A: GENERAL PROVISIONS
Section 1005.10 Definitions
"Act" means the Illinois Health Statistics Act [410 ILCS 520].
"Aggregate Health Data" means a tabulation of one or more individual records or case reports that have been combined for statistical, descriptive or analytic purposes.
"Department" means the Illinois Department of Public Health.
(Section 2(a) of the Act)
"Director" means the Director of the Illinois Department of Public Health.
"Disclosure" means the communication of health data to an individual or organization outside the Department.
"Health Data", for the purposes of this Part, includes but is not limited to:
Data concerning the extent, nature and impact of illness and disability on the population of the State;
The determinants of health and health hazards;
Health resources, including the extent of available manpower and resources;
Utilization and quality of health care; and
Health care costs and financing.
"Health Facility" means an entity including, but not limited to, a hospital, long-term care facility or ambulatory surgical treatment center licensed by the State to provide health care.
"Health Facility Data" means the data element of a hospital, nursing home, or other health facility identification.
"Health Insurance Portability and Accountability Act" or "HIPAA" means the federal law (Public Law 104-191) that establishes standards for the privacy and security of health information and its associated regulations (45 CFR 160, 162 and 164).
"HIPAA
Covered Program" means a Department program identified by the
Department as a health care component in accordance with HIPAA.
"HIPAA Identifiers" means the 18 direct identifiers listed in the Privacy Rule:
Names;
All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if, according to the current publicly available data from the Bureau of the Census:
the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
All elements of dates (except year) for dates directly
related to an individual, including birth date, admission date, discharge date,
date of death; and all ages over 89 and all elements of dates (including year)
indicative of age over 89, except that ages and elements may be aggregated into
a single category of age 90 or older;
Phone numbers;
Fax numbers;
Electronic mail addresses;
Social Security numbers;
Medical record numbers;
Health plan beneficiary numbers;
Account numbers;
Certificate/license numbers;
Vehicle identifiers and serial numbers, including license plate numbers;
Device identifiers and serial numbers;
Web Universal Resource Locators (URLs);
Internet Protocol (IP) address numbers;
Biometric identifiers, including finger- and voice-prints;
Full face photographic images and any comparable images; and
Any other unique identifying number, characteristic, or code (not including the unique code assigned by the investigator to code the data).
"Human Subject" means a living individual about whom a researcher obtains data through intervention or interaction with the individual or individual private information.
"Identifiable Health Facility" means any health facility that is specified by name or precise geographical location or other precise characteristics in the data sets or analyses.
"Indirect Identifiers" means elements in documents and records that increase the likelihood of identifying an individual, but do not involve direct identifiers. The indirect identifiers included in files or documents may vary based on whether the indirect identifier serves to increase the likelihood of identifying the individual and whether the privacy interests outweigh the public interest in releasing the indirect identifier.
"Individually Identifiable Health Data" means any health data that can be used to identify the individual supplying or described in the health data. Specifically included are data elements, alone or in combination with other elements in the health data, containing unique patient or individual provider identifiers. Any health data pertaining to fewer than six individual providers at any single identifiable health facility constitutes individually identifiable health data.
"Individually Identifiable Health Information" means information that:
is a subset of individually identifiable health data that is created or received by the Department;
relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
"Individual Provider" means any physician, dentist, podiatrist, chiropractic physician or other individual licensed or otherwise authorized in this State to furnish health care services.
"Institutional Review Board" or "IRB" means a body established in accordance with applicable federal regulations for human research protections as set forth in 45 CFR 46. The IRB chairperson may act on behalf of the IRB as specified in 45 CFR 46.
"Limited Health Data Sets" means confidential information that excludes specific direct identifiers of the individual, or of relatives, employers or household members of the individual, as described in federal regulations (45 CFR 46), that may be disclosed for research, public health or operations purposes, at the discretion of the Department, if approved by the Department's IRB as authorized under Section 1005.120. Indirect identifiers in limited health data sets may include, but are not limited to: admission, discharge, service, or incident dates; dates of birth or death, ages in years, months or days or hours; and five digit or more zip code or any other geographic subdivision, except for street name and number, four digit zip code extension, latitude and longitude, or census block.
"Patient" means an individual who receives health care from an individual provider or who receives care while in a health facility; this includes residents of licensed long-term care facilities.
"Privacy Rule" means the Health Insurance Portability and Accountability Act regulations.
"Public Use Health Data File" means a Department health data file designated as de-identified by the IRB that is available to anyone. Health data elements are limited and health data values are aggregated in the files so that the proportion of unique records is below thresholds as determined by the IRB and consistent with common practice for developing the files.
"Safe Harbor De-identification Method" means a method of de-identification so that the Department staff member who discloses the de-identified information does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information, and that the 18 HIPAA identifiers of the individual, or of relatives, employers or household members, are removed.
"Statistical De-identification" means that, upon the request of the Department, a qualified statistician using accepted analytic techniques concludes that the risk is very small that the individual level health data could be used alone or in combination with other reasonably available information to identify the subject of the health data. For the purposes of this procedure, a qualified statistician shall be a member of the Department's staff who is identified by the IRB for this purpose.
(Source: Amended at 38 Ill. Reg. 19251, effective September 10, 2014)
Section 1005.15 Incorporated and Referenced Materials
a) The following federal regulations are incorporated by reference in this Part:
1) 45 CFR 46 − Protection of Human Subjects (2009)
2) 21 CFR 50 − Protection of Human Subjects (2011)
3) 21 CFR 56 − Institutional Review Boards (2009)
4) 45 CFR 160, 162 and Subparts A and E of 164 − HIPAA Privacy Rule (2006)
b) The following Illinois statutes are referenced in this Part:
1) Illinois Health Statistics Act [410 ILCS 520]
2) Open Meetings Act [5 ILCS 120]
3) Freedom of Information Act [5 ILCS 140]
c) All incorporations by reference of federal regulations or guidelines refer to the regulations or guidelines on the date specified and do not include any amendments or editions subsequent to the date specified.
(Source: Added at 38 Ill. Reg. 19251, effective September 10, 2014)