Full Text of SB1307 101st General Assembly
SB1307 101ST GENERAL ASSEMBLY |
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020 SB1307 Introduced 2/7/2019, by Sen. Chapin Rose SYNOPSIS AS INTRODUCED: |
| 410 ILCS 513/31 | | 410 ILCS 513/31.1 | | 410 ILCS 513/31.2 | | 410 ILCS 513/31.3 | | 410 ILCS 513/31.5 | | 410 ILCS 513/31.7 | |
|
Amends the Genetic Information Privacy Act. In provisions concerning uses and disclosures for treatment, payment, health care operations, health oversight activities, and public health activities; uses and disclosures of information to a health information exchange; business associates; and establishment and disclosure of limited data sets and de-identified information, provides that various uses or disclosures of a patient's genetic information may not (rather than may) occur without the patient's consent. Effective immediately.
|
| |
| | A BILL FOR |
|
| | | SB1307 | | LRB101 06900 CPF 51932 b |
|
| 1 | | AN ACT concerning health.
| 2 | | Be it enacted by the People of the State of Illinois,
| 3 | | represented in the General Assembly:
| 4 | | Section 5. The Genetic Information Privacy Act is amended | 5 | | by changing Sections 31, 31.1, 31.2, 31.3, 31.5, and 31.7 as | 6 | | follows: | 7 | | (410 ILCS 513/31) | 8 | | Sec. 31. Uses and disclosures for treatment, payment, and | 9 | | health care operations. A Notwithstanding Sections 30 and 35 of | 10 | | this Act, a covered entity may not , without a patient's | 11 | | consent: | 12 | | (1) use or disclose genetic information for its own | 13 | | treatment, payment, or health care operations; | 14 | | (2) disclose genetic information for treatment | 15 | | activities of a health care provider; | 16 | | (3) disclose genetic information to another covered | 17 | | entity or health care provider for the payment activities | 18 | | of the entity that receives the information; | 19 | | (4)
disclose genetic information to another covered | 20 | | entity for health care operations activities of the entity | 21 | | that receives the information, if each entity has or had a | 22 | | relationship with the individual who is the subject of the | 23 | | genetic information being requested, the genetic |
| | | SB1307 | - 2 - | LRB101 06900 CPF 51932 b |
|
| 1 | | information pertains to such relationship, and the | 2 | | disclosure is for the purpose of (A) conducting quality | 3 | | assessment and improvement activities, including outcomes | 4 | | evaluation and development of clinical guidelines, | 5 | | provided that the obtaining of generalizable knowledge is | 6 | | not the primary purpose of any studies resulting from such | 7 | | activities; patient safety activities; population-based | 8 | | activities relating to improving health or reducing health | 9 | | care costs, protocol development, case management, and | 10 | | care coordination, contacting of health care providers
and | 11 | | patients with information about treatment alternatives; | 12 | | and related functions that do not include treatment; (B) | 13 | | reviewing the competence or qualifications of health care | 14 | | professionals or health care providers, evaluating | 15 | | practitioner and provider performance, health plan | 16 | | performance, conducting training programs in which | 17 | | students, trainees, or practitioners in areas of health | 18 | | care learn under supervision to practice or improve their | 19 | | skills as health care providers, training of non-health | 20 | | care professionals, accreditation, certification, | 21 | | licensing, or credentialing activities; or (C) health care | 22 | | fraud and abuse detection or compliance; and | 23 | | (5) disclose genetic information to other participants | 24 | | in an organized health care arrangement in which the | 25 | | covered entity is also a participant for any health care | 26 | | operations activities of the organized health care |
| | | SB1307 | - 3 - | LRB101 06900 CPF 51932 b |
|
| 1 | | arrangement.
| 2 | | (Source: P.A. 98-1046, eff. 1-1-15 .) | 3 | | (410 ILCS 513/31.1) | 4 | | Sec. 31.1. Uses and disclosures for health oversight | 5 | | activities. | 6 | | (a) A Notwithstanding Sections 30 and 35 of this Act, a | 7 | | covered entity may not disclose genetic information, without a | 8 | | patient's consent, to a health oversight agency for health | 9 | | oversight activities authorized by law, including audits, | 10 | | civil, administrative, or criminal investigations; | 11 | | inspections; licensure or disciplinary actions; civil | 12 | | administrative or criminal proceedings or actions; or other | 13 | | activities necessary for appropriate oversight of (i) the | 14 | | health care system; (ii) government benefit programs for which | 15 | | health information is relevant to beneficiary eligibility; | 16 | | (iii) entities subject to government regulatory programs for | 17 | | which health information is necessary for determining | 18 | | compliance with program standards; or (iv) entities subject to | 19 | | civil rights laws for which health information is necessary for | 20 | | determining compliance. | 21 | | (b) For purposes of the disclosures permitted by this | 22 | | Section, a health oversight activity does not include an | 23 | | investigation or other activity in which the individual is the | 24 | | subject of the investigation or activity and such investigation | 25 | | or other activity does not arise out of and is not directly |
| | | SB1307 | - 4 - | LRB101 06900 CPF 51932 b |
|
| 1 | | related to (i) the receipt of health care; (ii) a claim for | 2 | | public benefits related to health; or (iii) qualification for, | 3 | | or receipt of, public benefits or services when a patient's | 4 | | health is integral to the claim for public benefits or | 5 | | services, except that, if a health oversight activity or | 6 | | investigation is conducted in conjunction with an oversight | 7 | | activity or investigation relating to a claim for public | 8 | | benefits not related to health, the joint activity or | 9 | | investigation is considered a health oversight activity for | 10 | | purposes of this Section. | 11 | | (c) If a covered entity is also a health oversight agency, | 12 | | the covered entity may use genetic information for health | 13 | | oversight activities permitted by this Section.
| 14 | | (Source: P.A. 98-1046, eff. 1-1-15 .) | 15 | | (410 ILCS 513/31.2) | 16 | | Sec. 31.2. Uses and disclosures for public health | 17 | | activities. Genetic Notwithstanding Sections 30 and 35 of this | 18 | | Act, genetic information may not be disclosed without a | 19 | | patient's consent for public health activities and purposes to | 20 | | the Department, when the Department is authorized by law to | 21 | | collect or receive such information for the purpose of | 22 | | preventing or controlling disease, injury, or disability, | 23 | | including, but not limited to, the reporting of disease, | 24 | | injury, vital events such as birth or death, and the conduct of | 25 | | public health surveillance, public health investigations, and |
| | | SB1307 | - 5 - | LRB101 06900 CPF 51932 b |
|
| 1 | | public health interventions.
| 2 | | (Source: P.A. 98-1046, eff. 1-1-15 .) | 3 | | (410 ILCS 513/31.3) | 4 | | Sec. 31.3. Business associates. | 5 | | (a) A Notwithstanding Sections 30 and 35 of this Act, a | 6 | | covered entity may not , without a patient's consent, disclose a | 7 | | patient's genetic information to a business associate and may | 8 | | allow a business associate to create, receive, maintain, or | 9 | | transmit protected health information on its behalf, if the | 10 | | covered entity obtains, through a written contract or other | 11 | | written agreement or arrangement that meets the applicable | 12 | | requirements of 45 CFR 164.504(e), satisfactory assurance that | 13 | | the business associate will appropriately safeguard the | 14 | | information. A covered entity is not required to obtain such | 15 | | satisfactory assurances from a business associate that is a | 16 | | subcontractor. | 17 | | (b) A business associate may disclose protected health | 18 | | information to a business associate that is a subcontractor and | 19 | | may allow the subcontractor to create, receive, maintain, or | 20 | | transmit protected health information on its behalf, if the | 21 | | business associate obtains satisfactory assurances, in | 22 | | accordance with 45 CFR 164.504(e)(1)(i), that the | 23 | | subcontractor will appropriately safeguard the information.
| 24 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
| | | SB1307 | - 6 - | LRB101 06900 CPF 51932 b |
|
| 1 | | (410 ILCS 513/31.5) | 2 | | Sec. 31.5. Use and disclosure of information to an HIE. A
| 3 | | Notwithstanding the provisions of Section 30 and 35 of this | 4 | | Act, a covered entity may not , without a patient's consent, | 5 | | disclose the identity of any patient upon whom a test is | 6 | | performed and such patient's genetic information from a | 7 | | patient's record to a HIE if the disclosure is a required or | 8 | | permitted disclosure to a business associate or is a disclosure | 9 | | otherwise required or permitted under this Act. An HIE may not , | 10 | | without a patient's consent, use or disclose such information | 11 | | to the extent it is allowed to use or disclose such information | 12 | | as a business associate in compliance with 45 CFR 164.502(e) or | 13 | | for such other purposes as are specifically allowed under this | 14 | | Act.
| 15 | | (Source: P.A. 98-1046, eff. 1-1-15 .) | 16 | | (410 ILCS 513/31.7) | 17 | | Sec. 31.7. Establishment and disclosure of limited data | 18 | | sets and de-identified information. | 19 | | (a) A covered entity may not , without a genetic information | 20 | | test subject's consent, create, use, and disclose a limited | 21 | | data set using information subject to this Act or disclose | 22 | | information subject to this Act to a business associate for the | 23 | | purpose of establishing a limited data set. The creation, use, | 24 | | and disclosure of such a limited data set must comply with the | 25 | | requirements set forth under HIPAA. |
| | | SB1307 | - 7 - | LRB101 06900 CPF 51932 b |
|
| 1 | | (b) A covered entity may not , without a genetic information | 2 | | test subject's consent, create, use, and disclose | 3 | | de-identified information using information subject to this | 4 | | Act or disclose information subject to this Act to a business | 5 | | associate for the purpose of de-identifying the information. | 6 | | The creation, use, and disclosure of such de-identified | 7 | | information must comply with the requirements set forth under | 8 | | HIPAA. A covered entity or a business associate may disclose | 9 | | information that is de-identified in accordance with HIPAA. | 10 | | (c) The recipient of de-identified information shall not | 11 | | re-identify de-identified information using any public or | 12 | | private data source.
| 13 | | (Source: P.A. 98-1046, eff. 1-1-15 .)
| 14 | | Section 99. Effective date. This Act takes effect upon | 15 | | becoming law.
|
|