State of Illinois
92nd General Assembly
Legislation




92_HB0491

 
                                               LRB9204459DJgc

 1        AN ACT in relation to health care information.

 2        Be it enacted by the People of  the  State  of  Illinois,
 3    represented in the General Assembly:

 4                   Article 1.  General Provisions

 5        Section  1-1.  Short  title. This Act may be cited as the
 6    Health Care Information Privacy Act.

 7        Section  1-5.  Legislative  findings.   The   legislature
 8    finds that individuals have a constitutional right to privacy
 9    with respect to their personal health information and records
10    and  with respect to information about their medical care and
11    health status.
12        Traditionally,  the  primary  health  care   relationship
13    existed  only  between  the  patient  and  the doctor and was
14    founded on the principle  that  all  information  transmitted
15    between  the  patient  and the doctor was confidential.  With
16    advancements in modern technology and systematic  changes  in
17    health  care  practices,  the patient-doctor relationship has
18    expanded  into  a  multi-party  relationship  that   includes
19    employers,  health  plans,  consulting  physicians  and other
20    health   care   providers,   laboratories   and    hospitals,
21    researchers  and data organizations, and various governmental
22    and private oversight agencies.  These multiple relationships
23    have fundamentally changed the handling and  use  of  medical
24    information.
25        The  legislature  acknowledges that individuals are often
26    unaware of how their medical information is  being  used  and
27    disclosed   in   the  modern  health  care  delivery  system.
28    Currently, there is no statute that  comprehensively  governs
29    the  disclosure  of medical records.  Most individuals sign a
30    one-time blanket consent to  release  their  medical  records
 
                            -2-                LRB9204459DJgc
 1    when  they  sign  up  for  medical  insurance,  and  doctors,
 2    hospitals,  and  insurance  companies  share these records as
 3    they  see  fit.   Thus,  the  legislature  believes  that  an
 4    individual's right to privacy of  their  medical  records  is
 5    currently unclear and at risk.
 6        The  legislature also recognizes, however, that there are
 7    strong public policy justifications  for  encouraging  health
 8    care  quality  through  the  review  of  medical information.
 9    First, these reviews help to improve the  quality  of  health
10    care  in  Illinois by providing assessments of the results or
11    outcomes  of  certain  modes  of  treatment,  thereby  giving
12    patients more information with which to make  better  medical
13    choices.   Second, medical information review helps to ferret
14    out and prevent fraud and abuse in the health  care  delivery
15    system.   It  is estimated that approximately $100 billion of
16    the $1 trillion  spent  on  health  care  nationally  can  be
17    attributed  to health care fraud.  This drives up health care
18    costs  and  takes  needed  health  care  dollars  away   from
19    deserving  patients.   Third,  clinical  and  epidemiological
20    research  based  on  medical information helps to promote the
21    quality, efficiency, and effectiveness of the  modern  health
22    care  delivery  system,  and  leads  to  new treatments which
23    relieve suffering and save lives.
24        Therefore,   the   legislature   firmly   believes   that
25    encouraging  affordable  quality  health  care,  facilitating
26    effective medical research, and preventing  fraud  and  abuse
27    are  necessary  to  the  health  and  safety of our citizens.
28    These are compelling State interests that may be furthered by
29    allowing the  sharing  of  medical  information  for  limited
30    purposes,  without  eliminating  the  confidentiality  of the
31    patient-doctor relationship.

32        Section 1-10.  Purpose. The purpose of this Act is to:
33             (1)  Protect individuals from the adverse effects of
 
                            -3-                LRB9204459DJgc
 1        the improper disclosure of protected health information.
 2             (2)  Establish strong and  effective  mechanisms  to
 3        protect against the unauthorized and inappropriate use of
 4        protected   health   information   that   is  created  or
 5        maintained as part of health care  treatment,  diagnosis,
 6        enrollment,  payment,  plan  administration,  testing, or
 7        research processes.
 8             (3)  Promote the health and welfare of the public by
 9        encouraging the effective exchange and transfer of health
10        information  in   a   manner   that   will   ensure   the
11        confidentiality  of  protected health information without
12        impeding the delivery of high quality healthcare.
13             (4)  Promote  the  public  health  and  welfare   by
14        allowing,  when  appropriate,  the  transfer  of personal
15        health   information    into    nonidentifiable    health
16        information   for   oversight,  health  research,  public
17        health, law  enforcement,  judicial,  and  administrative
18        purposes.
19             (5)  Discourage   litigation   by   establishing   a
20        standard  set  of procedures that may be complied with to
21        provide  courts  with  strong   evidence   that   medical
22        information was properly handled and disclosed.
23             (6)  Establish remedies for violations of this Act.

24        Section  1-15.  Definitions.   In  this  Act,  except  as
25    otherwise specifically provided:
26        "Accrediting  body"  means  a committee, organization, or
27    institution that has been authorized by law or is  recognized
28    by  a  health  care  regulating  authority  as an accrediting
29    entity or any other entity that has been similarly authorized
30    or recognized  by  law  to  perform  specific  accreditation,
31    licensing, or credentialing activities.
32        "Agent"  means  a  person  who  represents  and  acts for
33    another under a contract or relationship of agency, or  whose
 
                            -4-                LRB9204459DJgc
 1    function   is   to   bring   about,  modify,  affect,  accept
 2    performance of, or terminate contractual obligations  between
 3    the principal and a third person, including a contractor.
 4        "Disclose" means to release, transfer, provide access to,
 5    share,  or  otherwise divulge protected health information to
 6    any person other than the individual who is  the  subject  of
 7    the  information.   The  term includes the initial disclosure
 8    and  any  subsequent  redisclosures   of   protected   health
 9    information.
10        "Educational  institution"  means an institution or place
11    for instruction or education including any public or  private
12    elementary   school,  secondary  school,  vocational  school,
13    correspondence school, business  school,  community  college,
14    teachers   college,   college,  normal  school,  professional
15    school, university, or scientific or  technical  institution,
16    or  other  institution  furnishing education for children and
17    adults.
18        "Employer" means any individual or type of  organization,
19    including  any partnership, association, trust, estate, joint
20    stock company, insurance  company,  or  corporation,  whether
21    domestic  or  foreign,  a debtor in possession or receiver or
22    trustee  in  bankruptcy,  or  a  legal  representative  of  a
23    deceased person, who has one or more regular  individuals  in
24    his or her employment.
25        "Employment" means services performed for wages under any
26    contract of hire, written or oral, expressed or implied, with
27    an employer.
28        "Health care" means any of the following:
29             (1)  Preventive,       diagnostic,      therapeutic,
30        rehabilitative, palliative, or maintenance services:
31                  (A)  with respect to  the  physical  or  mental
32             condition of an individual; or
33                  (B)  affecting the structure or function of the
34             human  body or any part of the human body, including
 
                            -5-                LRB9204459DJgc
 1             the banking of blood, sperm, organs,  or  any  other
 2             tissue.
 3             (2)  Any  sale  or  dispensing  of a drug, a device,
 4        equipment, or another  health  care-related  item  to  an
 5        individual, or for the use of an individual pursuant to a
 6        prescription or order by a health care provider.
 7        "Health  care  data  organization"  means  an entity that
 8    engages primarily in the business of  collecting,  analyzing,
 9    and  disseminating  identifiable  and nonidentifiable patient
10    information.  A health care data organization is not a health
11    care provider, an insurer, a health researcher, or  a  health
12    oversight agency.
13        "Health  care  provider" means a person who, with respect
14    to any protected health information, receives, creates, uses,
15    maintains, or  discloses  the  protected  health  information
16    while  acting  in  whole or in part in the capacity of any of
17    the following:
18             (1)  A   person   who   is   licensed,    certified,
19        registered,  or  otherwise authorized by federal or State
20        law to provide an item or service that constitutes health
21        care in the ordinary course of business or practice of  a
22        profession.
23             (2)  A federal, State, or employer-sponsored program
24        that  directly provides items or services that constitute
25        health care to beneficiaries.
26             (3)  An officer, employee,  or  agent  of  a  person
27        described in paragraph (1) or (2).
28        "Health  oversight  agency"  means  a  person  who,  with
29    respect   to  any  protected  health  information,  receives,
30    creates, uses, maintains, or discloses the information  while
31    acting  in  whole  or  in  part in the capacity of any of the
32    following:
33             (1)  A  person  who   performs   or   oversees   the
34        performance  of an assessment, evaluation, determination,
 
                            -6-                LRB9204459DJgc
 1        or   investigation    relating    to    the    licensing,
 2        accreditation, or credentialing of health care providers.
 3             (2)  A person who:
 4                  (A)  performs or oversees the performance of an
 5             audit,  assessment,  evaluation,  determination,  or
 6             investigation  relating  to  the  effectiveness  of,
 7             compliance with, or applicability of, legal, fiscal,
 8             medical,  or  scientific  standards  or  aspects  of
 9             performance  related  to the delivery of, or payment
10             for, health care; and
11                  (B)  is a public agency, acting on behalf of  a
12             public agency, acting pursuant to a requirement of a
13             public  agency,  or  carrying out activities under a
14             federal  or  State  law  governing  the  assessment,
15             evaluation,   determination,    investigation,    or
16             prosecution for violations of paragraph (1).
17        "Health  plan" means any health insurance plan, including
18    any hospital or medical service plan, dental or other  health
19    service   plan   or  health  maintenance  organization  plan,
20    provider-sponsored organization, or other  program  providing
21    or arranging for the provision of health benefits, whether or
22    not funded through the purchase of insurance.
23        "Health  researcher"  means  a  person,  or  an  officer,
24    employee, or independent contractor of a person, who receives
25    protected   health   information  as  part  of  a  systematic
26    investigation, testing, or evaluation designed to develop  or
27    contribute to generalized scientific and clinical knowledge.
28        "Individual's  designated  representative" means a person
29    who is authorized by law (based on  grounds  other  than  the
30    minority  of  an  individual), or by an instrument recognized
31    under law, to act as an agent, attorney, guardian, proxy,  or
32    other  legal  representative  of a protected individual.  The
33    term includes a person acting under authority of a  power  of
34    attorney for health care.
 
                            -7-                LRB9204459DJgc
 1        "Institutional  review  board" means a research committee
 2    established and operating in accord with  45  C.F.R.  46.107,
 3    46.108, 46.109, and 46.115.
 4        "Insurer"  means  any  entity  regulated under the Health
 5    Maintenance Organization  Act,  any  entity  regulated  under
 6    Article  XVIII of the Illinois Insurance Code (Mutual Benefit
 7    Associations), any entity that has purchased coverage under a
 8    group contract issued by a person regulated under the  Health
 9    Maintenance  Organization Act, and any entity regulated under
10    Article XX of  the  Illinois  Insurance  Code  (Accident  and
11    Health  Insurance).   The  term does not include an entity to
12    the extent that the entity transacts  the  type  of  business
13    enumerated  in  clause  (a)  of  Class  1 of Section 4 of the
14    Illinois Insurance Code (life insurance), provides disability
15    income protection coverage under Article XX of  the  Illinois
16    Insurance   Code  (Accident  and  Health  Insurance),  or  is
17    regulated under Article XIXA of the Illinois  Insurance  Code
18    (Long-term Care Insurance).
19        "Law  enforcement  inquiry"  means a lawful investigation
20    conducted by an appropriate  government  agency  or  official
21    inquiring into a violation of, or failure to comply with, any
22    civil  or  administrative statute or any regulation, rule, or
23    order issued pursuant to such a statute.  It does not include
24    a lawful criminal investigation or prosecution conducted by a
25    State's Attorney or the Attorney General.
26        "Nonidentifiable   health    information"    means    any
27    information   that   would   otherwise  be  protected  health
28    information, except that the information does not reveal  the
29    identity of the individual whose health or health care is the
30    subject  of  the information and there is no reasonable basis
31    to believe that the information could be used,  either  alone
32    or  with  other information that is, or should reasonably be,
33    known to be available to recipients of  the  information,  to
34    reveal the identity of that individual.
 
                            -8-                LRB9204459DJgc
 1        "Protected  health  information"  means  any information,
 2    identifiable  to   an   individual,   including   demographic
 3    information,  whether  or not recorded in any form or medium,
 4    that relates directly or indirectly to the past, present,  or
 5    future:
 6             (1)  physical  or  mental  health or condition of an
 7        individual, including tissue and genetic information;
 8             (2)  provision of health care to an individual; or
 9             (3)  payment for the provision of health care to  an
10        individual.
11        "Qualified  health  care  operations"  means  only  those
12    activities  conducted  by  or  on  behalf of a health plan or
13    health care provider for the  purpose  of  carrying  out  the
14    management  functions  of  a  health  care provider or health
15    plan, or implementing the terms of a contract for health plan
16    benefits, as follows:
17             (1)  Payment, which means the activities  undertaken
18        by   a  health  plan  or  provider  that  are  reasonably
19        necessary  to  determine  responsibility  for   coverage,
20        services, and the actual payment for services, if any.
21             (2)  Conducting   quality  assurance  activities  or
22        outcomes assessments.
23             (3)  Reviewing the competence or  qualifications  of
24        health care professionals.
25             (4)  Performing    accreditation,    licensing,   or
26        credentialing activities.
27             (5)  Analyzing health plan  claims  or  health  care
28        records data.
29             (6)  Evaluating provider clinical performance.
30             (7)  Carrying out utilization management.
31             (8)  Conducting  or  arranging for auditing services
32        in  accordance  with  statute,  rule,  or   accreditation
33        requirements.
34        A qualified health care operation must:
 
                            -9-                LRB9204459DJgc
 1                  (A)  Be  an operation that cannot be carried on
 2             with reasonable effectiveness and efficiency without
 3             identifiable patient information.
 4                  (B)  Be limited to only that  protected  health
 5             information   collected   under  the  terms  of  the
 6             contract for health plan benefits and without  which
 7             the  operation  cannot be carried on with reasonable
 8             effectiveness and efficiency.
 9                  (C)  Be  limited  to  the  minimum  amount   of
10             protected  health information, including the minimum
11             number  of  records  and  the  minimum   number   of
12             documents within each patient's record, necessary to
13             carry on the operation with reasonable effectiveness
14             and efficiency.
15                  (D)  Limit  the  handling  and  examination  of
16             protected  health  information  to those persons who
17             are  reasonably   well   qualified,   by   training,
18             credentials,  or experience, to conduct the phase of
19             the operation in which they are involved.
20        "Surrogate" means a person, other  than  an  individual's
21    designated  representative  or relative, who is authorized to
22    make a health care decision for the individual.
23        "Treatment" means the provision of health care by, or the
24    coordination of health care between, health  care  providers,
25    or the referral of a patient from one provider to another, or
26    coordination  of health care or other services between health
27    care providers and third parties  authorized  by  the  health
28    plan or the plan member.
29        "Unique   patient   identifier"   means   a   number   or
30    alpha-numeric  string assigned to an individual, which can be
31    or is used  to  identify  an  individual's  protected  health
32    information.
33        "Writing"  means  a  written form that is either paper or
34    computer-based.  The term includes electronic signatures.
 
                            -10-               LRB9204459DJgc
 1                   Article 5. Individuals' Rights

 2        Section 5-5.  Inspection and copying of protected  health
 3    information.
 4        (a)  For  the  purposes  of  this  Section only, "entity"
 5    means a health care provider, health plan,  employer,  health
 6    care data organization, insurer, or educational institution.
 7        (b)  At  the  request  in  writing  of  an individual and
 8    except as provided in subsection (c), an entity shall  permit
 9    an   individual  who  is  the  subject  of  protected  health
10    information or the individual's designee to inspect and  copy
11    protected   health  information  concerning  the  individual,
12    including records created under Section 5-10, that the entity
13    maintains.  The entity shall adopt appropriate procedures  to
14    be  followed for the inspection or copying and may require an
15    individual  to  pay  reasonable  costs  associated  with  the
16    inspection or copying.
17        (c)  Unless ordered by a court of competent jurisdiction,
18    an entity is not required to permit the inspection or copying
19    of protected health  information  if  any  of  the  following
20    conditions are met:
21             (1)  The  entity  determines  that the disclosure of
22        the information could reasonably be expected to  endanger
23        the  life  or  physical  safety  of, or cause substantial
24        mental harm to, the individual who is the subject of  the
25        information.
26             (2)  The information identifies, or could reasonably
27        lead  to  the  identification  of,  a person who provided
28        information under a promise of confidentiality concerning
29        the individual who is the  subject  of  the  information,
30        unless  the  confidential  source  can  be  protected  by
31        redaction or other similar means.
32             (3)  The  information is protected from discovery as
33        provided by law.
 
                            -11-               LRB9204459DJgc
 1             (4)  The information was collected for or  during  a
 2        clinical  trial  monitored  by  an  institutional  review
 3        board,  the  trial  is  not  complete, and the researcher
 4        reasonably believes that access would harm the conduct of
 5        the trial.
 6        (d)  If an entity denies  a  request  for  inspection  or
 7    copying  pursuant  to subsection (c), the entity shall inform
 8    the individual in writing of the following:
 9             (1)  The reasons for the denial of the  request  for
10        inspection or copying.
11             (2)  Any   procedures  for  further  review  of  the
12        denial.
13             (3)  The individual's right to file with the  entity
14        a   concise  statement  setting  forth  the  request  for
15        inspection or copying.
16        (e)  If  an  individual  has  filed  a  statement   under
17    subdivision  (d)(3),  the entity in any subsequent disclosure
18    of the portion of the information requested under  subsection
19    (b) must include the following:
20             (1)  A copy of the individual's statement.
21             (2)  A  concise statement of the reasons for denying
22        the request for inspection or copying.
23        (f)  An entity must permit  the  inspection  and  copying
24    under  subsection (b) of any reasonably segregable portion of
25    a record after deletion of any portion that is  exempt  under
26    subsection (c).
27        (g)  An  entity  must  comply with or deny, in accordance
28    with subsection (d), a request for inspection or  copying  of
29    protected  health  information  under  this Section not later
30    than 30 days after the date on  which  the  entity  or  agent
31    receives the request.
32        (h)  An agent of an entity is not required to provide for
33    the  inspection  and  copying of protected health information
34    unless:
 
                            -12-               LRB9204459DJgc
 1             (1)  the protected health information is retained by
 2        the agent; and
 3             (2)  the agent has received  in  writing  a  request
 4        from  the  entity involved to fulfill the requirements of
 5        this Section, at which  time  this  information  must  be
 6        provided  to  the  individual. The agent must comply with
 7        subsection (g) with respect to any such information.
 8        (i)  The entity must afford at least one level of  appeal
 9    by parties not involved in the original decision.
10        (j)  This  Section shall not be construed to require that
11    an entity described  in  subsection  (a)  conduct  a  formal,
12    informal, or other hearing or proceeding concerning a request
13    for inspection or copying of protected health information.
14        (k)  If  an  entity  denies  an  individual's request for
15    copying pursuant to subsection (c), or if  an  individual  so
16    requests,  the  entity shall permit the inspection or copying
17    of  the  requested  protected  health  information   by   the
18    individual's designated representative upon presentation of a
19    proper  authorization  signed by the individual, unless it is
20    patently clear that doing so would  defeat  the  purpose  for
21    which  the  entity originally denied the individual's request
22    for inspection and copying.

23        Section 5-10.  Additions to protected health information.
24    A health care provider is the owner of the medical records in
25    the health care provider's possession that  were  created  by
26    the   health   care  provider  in  treating  a  patient.   An
27    individual or the individual's authorized representative  may
28    request in writing that a health care provider that generated
29    certain health care information append additional information
30    to   the   record   in  order  to  improve  the  accuracy  or
31    completeness of the information, provided that appending this
32    information does not erase or obliterate any of the  original
33    information.   A  health  care  provider  must  do one of the
 
                            -13-               LRB9204459DJgc
 1    following:
 2             (1)  Append the information as requested.
 3             (2)  Provide  to  the  individual  notice  that  the
 4        request has been denied, notice of  the  reason  for  the
 5        denial,  and  notice  that  the  individual  may  file  a
 6        statement of reasonable length explaining the correctness
 7        or  relevance  of  existing  information  or  as  to  the
 8        addition  of  new  information.   The statement or copies
 9        must be appended to the medical record and  must  at  all
10        times   accompany   that   part  of  the  information  in
11        contention.

12        Section 5-15.  Notice of confidentiality practices.
13        (a)  For the purposes  of  this  Section  only,  "entity"
14    means  a health care provider, health care data organization,
15    health plan,  health  oversight  agency,  employer,  insurer,
16    health   researcher,   or   educational  institution  or  the
17    Department of Public Health.
18        (b)  An entity  must  prominently  post  or  provide  the
19    current  notice  of  the  entity's confidentiality practices.
20    The notice must be printed in  clear  type  and  composed  in
21    plain  language.  This notice must be given as required under
22    Section 10-10.
23        For the purpose  of  informing  each  individual  of  the
24    importance  of  the notice and educating the individual about
25    the individual's rights  under  this  Act,  the  notice  must
26    contain  the  following  language,  placed prominently at the
27    beginning:
28        IMPORTANT:   THIS   NOTICE   DEALS   WITH   THE   SHARING
29        INFORMATION  FROM  YOUR  MEDICAL RECORDS.  PLEASE READ IT
30        CAREFULLY.  This notice  describes  your  confidentiality
31        rights  as  they  relate to information from your medical
32        records  and  explains  the  circumstances  under   which
33        information  from your medical records may be shared with
 
                            -14-               LRB9204459DJgc
 1        others.  This information in this notice also applies  to
 2        others  covered  under  your  health  plan,  such as your
 3        spouse or children.  If you do not understand  the  terms
 4        of this notice, please ask for further explanation.
 5        In  addition,  the  notice  must  include  the  following
 6    information  as  appropriate  to  the  size and nature of the
 7    entity:
 8             (1)  A description of an  individual's  rights  with
 9        respect  to  protected  health  information,  which shall
10        contain at least the following:
11                  (A)  An individual's right to inspect and  copy
12             his or her record.
13                  (B)  An  individual's  right  to request that a
14             health  care  provider  append  information  to  the
15             individual's medical record.
16                  (C)  An  individual's  right  to  receive  this
17             notice by each health plan upon enrollment, annually
18             thereafter,    and     whenever     the     entity's
19             confidentiality practices are substantially amended.
20             (2)  The  uses  and  disclosures of protected health
21        information  authorized   under   this   Act,   including
22        information about the following:
23                  (A)  Payment.
24                  (B)  Conducting quality assurance activities or
25             outcomes assessments.
26                  (C)  Reviewing the competence or qualifications
27             of health care professionals.
28                  (D)  Performing  accreditation,  licensing,  or
29             credentialing activities.
30                  (E)  Analyzing  health  plan  claims  or health
31             care records data.
32                  (F)  Evaluating provider clinical performance.
33                  (G)  Carrying out utilization management.
34                  (H)  Conducting  or   arranged   for   auditing
 
                            -15-               LRB9204459DJgc
 1             services   in   accordance  with  statute,  rule  or
 2             accreditation requirements.
 3             (3)  The right of the individual to limit disclosure
 4        of  protected  health  information  by  deciding  not  to
 5        utilize any health insurance or other third party payment
 6        as payment for the service, as set  forth  in  subsection
 7        (c) of Section 10-5.
 8             (4)  The    procedures   for   giving   consent   to
 9        disclosures  of  protected  health  information  and  for
10        revoking the consent to disclose.
11             (5)  The description of  procedures  established  by
12        the  entity  for  the exercise of the individual's rights
13        required under this Act.
14             (6)  The right to obtain a copy  of  the  notice  of
15        confidentiality practices required under this Act.
16        (c)  The  actual  procedures established by an entity for
17    the exercise of individual rights under this Article  5  must
18    be made available to an individual in writing upon request.

19        Section 5-20.  Establishment of safeguards.
20        (a)  An    entity    must    establish    and    maintain
21    administrative,  technical,  and physical safeguards that are
22    appropriate to the size and nature of the entity establishing
23    the safeguards  and  that  are  appropriate  to  protect  the
24    confidentiality,   security,   accuracy,   and  integrity  of
25    protected health  information  created,  received,  obtained,
26    maintained, used, transmitted, or disposed of by the entity.
27        (b)  The Department of Public Health shall adopt rules to
28    implement subsection (a).

29           Article 10.  Restrictions on Use and Disclosure
30                   of Protected Health Information

31        Section 10-5.  General rules regarding use and disclosure
 
                            -16-               LRB9204459DJgc
 1    of protected health information.
 2        (a)  An  entity  may not use or disclose protected health
 3    information except as authorized under this  Article  10  and
 4    under  Article  15.  Disclosure  of health information in the
 5    form of  nonidentifiable  health  information  shall  not  be
 6    construed as a disclosure of protected health information.
 7        (b)  For  the  purpose  of  treatment or qualified health
 8    care operations, an entity  may  use  or  disclose  protected
 9    health  information  within  the entity only if notice of the
10    use or disclosure is given as required  under  Sections  5-15
11    and 10-10.  For all other uses and disclosures, an entity may
12    use  or disclose protected health information only if the use
13    or disclosure is properly consented to  pursuant  to  Section
14    10-15.   Disclosure  to  agents  of  an  entity  described in
15    subsection (a) shall be considered as a disclosure within  an
16    entity.
17        (c)  If  an  individual  does  not  want protected health
18    information  disclosed  pursuant  to  subsection   (b),   the
19    individual  must  (i)  advise the health care provider before
20    the delivery of services that the relevant  protected  health
21    information  may  not be disclosed pursuant to subsection (b)
22    and (ii) pay the health care  provider  directly  for  health
23    care services.  A health plan may decline to cover particular
24    health  care  services  if an individual has refused to allow
25    the  disclosure  of   protected   health   care   information
26    pertaining   to   those   particular  health  care  services.
27    Protected health information related to health care  services
28    paid  for  directly  by  the  individual may not be disclosed
29    without the individual's consent.
30        (d)  An agent who receives protected  health  information
31    from  an  entity  is  subject  to all rules of disclosure and
32    safeguard requirements under this Article 10.
33        (e)  Every  use  and  disclosure  of   protected   health
34    information  must  be limited to the purpose for which it was
 
                            -17-               LRB9204459DJgc
 1    collected.  Any other use without a valid consent to disclose
 2    is an unauthorized disclosure.
 3        (f)  Nothing in this Article 10 permitting the disclosure
 4    of protected health information shall be construed to require
 5    disclosure.
 6        (g)  An entity may disclose protected health  information
 7    to   an  employee  or  agent  of  the  entity  not  otherwise
 8    authorized  to  receive  that  information  for  purposes  of
 9    creating nonidentifiable information if the entity  prohibits
10    the  employee or agent from using or disclosing the protected
11    health information for purposes other than the  sole  purpose
12    of  creating nonidentifiable information, as specified by the
13    entity.
14        (h)  Any individual or entity  who  manipulates  or  uses
15    nonidentifiable  health information to identify an individual
16    is deemed to have disclosed protected health information. The
17    disclosure or transmission of  a  unique  patient  identifier
18    shall  be  deemed  to  be  a  disclosure  of protected health
19    information.

20        Section   10-10.  Disclosure    of    protected    health
21    information   for   treatment   or   qualified   health  care
22    operations.
23        (a)  The notice required by Section 5-15 must be:
24             (1)  given by  each  health  plan  upon  enrollment,
25        annually  thereafter,  and  whenever  the  health  plan's
26        confidentiality  practices  are substantially amended, to
27        each individual who is eligible to receive care under the
28        health plan, or to the individual's parent or guardian if
29        the individual is a minor or incompetent; and
30             (2)  posted in a conspicuous place or provided by an
31        entity other than a health plan.
32        (b)  For each  new  enrollment  or  re-enrollment  by  an
33    individual  in  a health plan, on or after the effective date
 
                            -18-               LRB9204459DJgc
 1    of this Act, a health plan must make  reasonable  efforts  to
 2    obtain   the   individual's   signature   on  the  notice  of
 3    confidentiality practices.  The  notice  to  be  signed  must
 4    state  that  the  individual  is  signing  on  behalf  of the
 5    individual and all others covered by the individual's  health
 6    plan.   If  the  plan  is  unable  to obtain the individual's
 7    signature, the plan must note the reason for the  failure  to
 8    obtain  the  signature.  For the purposes of this subsection,
 9    "reasonable efforts" may  include  but  are  not  limited  to
10    requiring   the   employer  to  present  the  notice  to  the
11    individual and to request a signature, or mailing the  notice
12    to  the  individual  with instructions to sign and return the
13    notice within a specified period of time.
14        The lack of a signed notice of confidentiality  practices
15    does not justify a denial of coverage of a claim, nor does it
16    limit  a  health  plan's  access to information necessary for
17    treatment  and  qualified  health   care   operations.    The
18    individual may, however, elect to keep the records from being
19    disclosed  by  paying for the subject health care services as
20    provided under subsection (c) of Section 10-5.
21        (c)  Except as provided in this Act, the notice  required
22    by  this Section and Section 5-15 shall not be construed as a
23    waiver of any rights that  the  individual  has  under  other
24    federal or State laws, rules of evidence, or common law.

25        Section    10-15.  Disclosure    of    protected   health
26    information other than for treatment, payment,  or  qualified
27    health care operations.
28        (a)  An  entity may disclose protected health information
29    for purposes other than those for which notice is given under
30    Section 10-10, pursuant to a separate  written  authorization
31    to  disclose executed by the individual who is the subject of
32    the   information.    The   authorization   must   meet   the
33    requirements of subsection (b).
 
                            -19-               LRB9204459DJgc
 1        (b)  To be valid, an authorization must be separate  from
 2    any  other  notice  or authorization required by this Article
 3    10, must be either (i) in writing, dated, and signed  by  the
 4    individual   or   (ii)   in   electronic   form,  dated,  and
 5    authenticated by the individual using  a  unique  identifier,
 6    must not have been revoked, and must do the following:
 7             (1)  Identify  the  person  or  entity authorized to
 8        disclose protected health information.
 9             (2)  Identify the individual who is the  subject  of
10        the protected health information.
11             (3)  Describe the nature of and the time span of the
12        protected health information to be disclosed.
13             (4)  Identify  the person to whom the information is
14        to be disclosed.
15             (5)  Describe the purpose of the disclosure.
16             (6)  State that it is subject to revocation  by  the
17        individual  and  indicate that the consent to disclose is
18        valid until revocation by the individual.
19             (7)  Include  the  date  on  which  the  consent  to
20        disclose ends.
21        (c)  An individual may revoke in writing an authorization
22    under this Section at any time.  An authorization obtained by
23    a health plan under this Section is deemed to be  revoked  at
24    the  time  of the cancellation or nonrenewal of enrollment in
25    the health plan.  An entity that discloses  protected  health
26    information  pursuant  to  an  authorization  that  has  been
27    revoked under this subsection is not subject to any liability
28    or  penalty  under this Article 10 for the disclosure if that
29    entity acted in good faith and had no actual or  constructive
30    notice of the revocation.
31        (d)  Article   15   provides   for   exceptions   to  the
32    requirement for the authorization.
33        (e)  A  recipient   of   protected   health   information
34    disclosed pursuant to an authorization under this Section may
 
                            -20-               LRB9204459DJgc
 1    use the information solely to carry out the purpose for which
 2    the information was authorized for disclosure.
 3        (f)  Each  entity  collecting or storing protected health
 4    information  must  maintain  for  7  years,  as  part  of  an
 5    individual's protected health information, a record  of  each
 6    authorization   by  the  individual  and  any  revocation  of
 7    authorization by the individual.

 8             Article 15.  Excepted Uses and Disclosures
 9                  of Protected Health Information.

10        Section  15-5.  Coroner  or  medical  examiner.   When  a
11    coroner or medical examiner or one of  their  duly  appointed
12    deputies  seeks  protected health information for the purpose
13    of inquiry into and determination of the cause,  manner,  and
14    circumstances  of  a  death,  any  person  shall  provide the
15    requested protected health  information  to  the  coroner  or
16    medical  examiner  or  to the duly appointed deputies without
17    undue delay.  If a coroner or  medical  examiner  or  one  of
18    their  duly  appointed  deputies  receives  protected  health
19    information,  this  protected health information shall remain
20    protected health information unless  it  is  attached  to  or
21    otherwise  made  a  part of a coroner's or medical examiner's
22    official report.  Health information attached to or otherwise
23    made a part of a coroner's  or  medical  examiner's  official
24    report is exempt from this Act.

25        Section  15-10.  Disclosure to an individual's designated
26    representative, relative, or surrogate.
27        (a)  A health care provider, or  a  person  who  receives
28    protected   health  information  under  subsection  (b),  may
29    disclose protected health information regarding an individual
30    to an individual's designated  representative,  relative,  or
31    surrogate if:
 
                            -21-               LRB9204459DJgc
 1             (1)  the  individual  who  is  the  subject  of  the
 2        information:
 3                  (A)  has  been  notified  of  the  individual's
 4             right to object to the disclosure and the individual
 5             has not objected to the disclosure; or
 6                  (B)  is  in a physical or mental condition such
 7             that the individual is not capable of objecting, and
 8             there are no prior indications that  the  individual
 9             would object; and
10             (2)  the information disclosed is for the purpose of
11        providing health care to that individual; or
12             (3)  the   disclosure   of   the   protected  health
13        information  is   consistent   with   good   medical   or
14        professional practice.
15        (b)  Except  as provided in subsection (d), a health care
16    provider may disclose the information described in subsection
17    (c) to any other person if the individual who is the  subject
18    of the information:
19             (1)  has  been notified of the individual's right to
20        object  and  the  individual  has  not  objected  to  the
21        disclosure; or
22             (2)  is in a physical or mental condition such  that
23        the individual is not capable of objecting and
24                  (A)  the         individual's        designated
25             representative,  relative,  or  surrogate  has   not
26             objected and
27                  (B)  there  are  no  prior indications that the
28             individual would object.
29        (c)  Information that may be disclosed  under  subsection
30    (b)  is  only  that  information  that consists of any of the
31    following items:
32             (1)  The name of the individual who is  the  subject
33        of the information.
34             (2)  The  general  health  status of the individual,
 
                            -22-               LRB9204459DJgc
 1        described   as   critical,   poor,   fair,   stable,   or
 2        satisfactory or in terms denoting similar conditions.
 3             (3)  The location  of  the  individual  on  premises
 4        controlled  by  a  provider.  A disclosure of information
 5        under  this  paragraph  (3)  may  not  be  made  if   the
 6        information  would  reveal specific information about the
 7        physical or mental condition of  the  individual,  unless
 8        the individual expressly authorizes the disclosure.
 9        (d)  A  disclosure  may not be made under this Section if
10    the health care provider involved has reason to believe  that
11    the  disclosure of this information could lead to physical or
12    mental  harm  to  the  individual,  unless   the   individual
13    expressly authorizes the disclosure.

14        Section  15-15.  Identification  of deceased individuals.
15    A  health  care  provider  may  disclose   protected   health
16    information  if  the disclosure is necessary to assist in the
17    identification or safe handling of a deceased individual.

18        Section 15-20.  Emergency circumstances.  Any person  who
19    creates  or  receives protected health information under this
20    Act may use  or  disclose  protected  health  information  in
21    emergency   circumstances  when  the  use  or  disclosure  is
22    necessary to protect the health or safety of  the  individual
23    who  is the subject of the information from serious, imminent
24    harm.  A disclosure made in the good faith  belief  that  the
25    use  or  disclosure  was  necessary  to protect the health or
26    safety of an individual from serious, imminent harm is not  a
27    violation of this Act.

28        Section 15-25.  Disclosure for health oversight purposes.
29        (a)  Any person may disclose protected health information
30    to  a  health  oversight  agency for purposes of an oversight
31    function authorized by law.
 
                            -23-               LRB9204459DJgc
 1        (b)  For purposes of this Section,  the  individual  with
 2    authority to authorize the health oversight function involved
 3    shall  provide  to  the  person described in subsection (a) a
 4    statement that the  protected  health  information  is  being
 5    sought for a legally authorized oversight function.
 6        (c)  Protected  health  information  about  an individual
 7    that was obtained under this Section may not be used  in,  or
 8    disclosed to any person for use in, an administrative, civil,
 9    or  criminal  action  or  investigation  directed against the
10    individual unless the action or investigation arises  out  of
11    and is directly related to one of the following:
12             (1)  The  receipt  of  health  care  or  payment for
13        health care.
14             (2)  An action involving a fraudulent claim  related
15        to health.
16             (3)  An  action  involving  oversight  of  a  public
17        health authority or a health researcher.
18        (d)  Protected  health information disclosed for purposes
19    of this Section remains protected health information and  may
20    not  be  further  disclosed by the receiving health oversight
21    agency, except as permitted under this Section.

22        Section 15-30.  Disclosure for public health purposes.
23        (a)  Any person or entity may disclose  protected  health
24    information  to the Department of Public Health or to another
25    person authorized by law, for use in  any  of  the  following
26    that is legally authorized:
27             (1)  A disease or injury report.
28             (2)  A public health surveillance.
29             (3)  A public health investigation or intervention.
30             (4)  A health or disease registry.
31        (b)  The   disclosure  of  protected  health  information
32    pursuant to this Section to the Department of Public Health or
33    another  person  authorized by law is not a violation of this
 
                            -24-               LRB9204459DJgc
 1    Article 15.
 2        (c)  Protected health information disclosed for  purposes
 3    of  this Section remains protected health information and may
 4    not be  further  disclosed  by  the  receiving  authority  or
 5    person, except as permitted under this Section.

 6        Section 15-35.  Health research.
 7        (a)  A  health  care  provider,  health  plan,  employer,
 8    insurer,  or  educational  institution  or  the Department of
 9    Public Health may disclose protected health information to  a
10    health researcher if the following requirements are met:
11             (1)  The  research  must  have  been  approved by an
12        institutional review board.   In  evaluating  a  research
13        proposal,  an  institutional  review  board shall require
14        that the proposal demonstrate a clear purpose, scientific
15        integrity, and  a  realistic  plan  for  maintaining  the
16        confidentiality of protected health information.
17             (2)  The   health   care   provider,   health  plan,
18        employer, insurer,  or  educational  institution  or  the
19        Department  of  Public Health may disclose only protected
20        health information that  it  has  previously  created  or
21        collected.
22             (3)  The holder of protected health information must
23        keep a record of all health researchers to whom protected
24        health information has been made available.
25        (b)  A  health  researcher  who receives protected health
26    information  must  remove  and  destroy,  at   the   earliest
27    opportunity  consistent  with  the  purposes  of  the project
28    involved, any information that would enable an individual  to
29    be identified.
30        (c)  A  health  researcher  who receives protected health
31    information may not disclose  or  use  the  protected  health
32    information  for  any  purpose  other than that for which the
33    information was obtained, except that the  health  researcher
 
                            -25-               LRB9204459DJgc
 1    may  disclose  the  information pursuant to subsection (a) of
 2    Section 15-25.

 3        Section  15-40.  Disclosure  in  a  civil,  judicial,  or
 4    administrative proceeding.
 5        (a)  Protected  health  information  may   be   disclosed
 6    pursuant to a discovery request or subpoena in a civil action
 7    brought in a State court or pursuant to a request or subpoena
 8    related to a State administrative proceeding, but only if the
 9    disclosure  is made pursuant to a court order as provided for
10    in subsection (b) or  pursuant  to  a  written  authorization
11    under Section 10-15.
12        (b)  A  court order issued under this Section must do the
13    following:
14             (1)  Provide that the protected  health  information
15        involved is subject to court protection.
16             (2)  Specify   to   whom   the  information  may  be
17        disclosed.
18             (3)  Specify that the information may not  otherwise
19        be disclosed or used.
20             (4)  Meet  any  other  requirements  that  the court
21        determines are needed to protect the  confidentiality  of
22        the information.
23        (c)  This  Section  does not apply in a case in which the
24    protected  health  information  sought  under  the  discovery
25    request or subpoena is:
26             (1)  nonidentifiable health information; and
27             (2)  related to a  party  to  the  litigation  whose
28        medical condition is at issue.
29        (d)  The  release  of  any  protected  health information
30    under this Section does not violate this Article 15.

31        Section 15-45.  Disclosure for  civil  or  administrative
32    law enforcement purposes.
 
                            -26-               LRB9204459DJgc
 1        (a)  For  the  purposes  of  this  Section only, "entity"
 2    means a health care provider, health plan,  health  oversight
 3    agency, employer, insurer, or educational institution.
 4        (b)  Except  as  to  disclosures  to  a  health oversight
 5    agency, which are governed by Section  15-25,  an  entity  or
 6    person  who receives protected health information pursuant to
 7    Section 10-15 or Sections 15-5  through  15-35  may  disclose
 8    protected  health  information  under  this  Section  if  the
 9    disclosure is pursuant to one of the following:
10             (1)  An   administrative   subpoena  or  summons  or
11        judicial subpoena.
12             (2)  Consent in accordance with Section 10-15.
13             (3)  A court order.
14        (c)  A  subpoena  or  summons  for  a  disclosure   under
15    subdivision  (b)(1)  may  be  issued  only  if  the  civil or
16    administrative law enforcement  agency  involved  shows  that
17    there  is  probable  cause to believe that the information is
18    relevant to a legitimate law enforcement inquiry.
19        (d)  When the matter or need for which  protected  health
20    information  was  disclosed  to a civil or administrative law
21    enforcement  agency  under  subsection  (b)  has   concluded,
22    including  the  conclusion  of any derivative matters arising
23    from the matter or need,  the  civil  or  administrative  law
24    enforcement  agency  must either destroy the protected health
25    information or return all of the protected health information
26    to the person from whom it was obtained.
27        (e)  To the extent practicable, and consistent  with  the
28    requirements  of  due  process, a civil or administrative law
29    enforcement  agency  must   redact   personally   identifying
30    information  from  protected  health  information  before the
31    public disclosure of the protected information in a  judicial
32    or administrative proceeding.
33        (f)  Protected  health information obtained by a civil or
34    administrative  law  enforcement  agency  pursuant  to   this
 
                            -27-               LRB9204459DJgc
 1    Section  may  be  used  only for purposes of a legitimate law
 2    enforcement activity.
 3        (g)  If protected health information is obtained  without
 4    meeting  the  requirements  of subdivision (b)(1), (b)(2), or
 5    (b)(3), any information that is unlawfully obtained  must  be
 6    excluded   from  a  court  proceeding  unless  the  defendant
 7    requests otherwise.

 8                 Article 20.  Violations of the Act

 9        Section 20-5.  Wrongful disclosure  of  protected  health
10    information.
11        (a)  A  person  who  knowingly  or  intentionally obtains
12    protected health information relating  to  an  individual  in
13    violation  of  this  Act  or  who  knowingly or intentionally
14    discloses protected health information to another  person  in
15    violation of this Act is guilty of a Class 3 felony.
16        (b)  A  person  who  knowingly  or  intentionally  sells,
17    transfers,   or   uses   protected   health  information  for
18    commercial advantage, personal gain,  or  malicious  harm  in
19    violation of this Act is guilty of a Class 2 felony.

20        Section 20-10.  Civil actions by individuals.
21        (a)  Any individual whose rights under this Act have been
22    violated  may  bring  a  civil  action  against the person or
23    entity responsible for the violation.
24        (b)  In any civil action brought under this  Section,  if
25    the  court  finds a violation of an individual's rights under
26    this Act, the court may award one or more of the following:
27             (1)  Injunctive  relief,  including   enjoining   an
28        individual  or  entity  from  engaging in a practice that
29        violates this Act.
30             (2)  Equitable relief.
31             (3)  Compensatory damages for injuries  suffered  by
 
                            -28-               LRB9204459DJgc
 1        the  individual.  Injuries compensable under this Section
 2        include,  but  are  not  limited  to,   personal   injury
 3        including emotional distress, reputational injury, injury
 4        to property, and consequential damages.
 5             (4)  Punitive damages, as appropriate.
 6             (5)  Costs of the action.
 7             (6)  Attorney's fees, as appropriate.
 8             (7)  Any other relief the court finds appropriate.
 9        (c)  An  action  may  not be commenced under this Section
10    after the time period stated in Section 13-202 of the Code of
11    Civil Procedure.

12        Section 20-15.  Cease and desist orders; civil penalty.
13        (a)  A court shall issue and cause to be  served  upon  a
14    person  who  has violated any provision of this Act a copy of
15    the court's findings and an order  requiring  the  person  to
16    cease  and  desist  from  violating  this Act or to otherwise
17    comply with the requirements of this Act.  The court may also
18    order any one or more of the following:
19             (1)  For any violation of this  Act,  payment  of  a
20        civil  penalty  of  not more than $500 for each violation
21        but not more than $5,000 in the  aggregate  for  multiple
22        violations.
23             (2)  For a knowing violation of this Act, payment of
24        a  civil  penalty  of  not  more  than  $25,000  for each
25        violation but not more than $100,000 in the aggregate for
26        multiple violations.
27             (3)  For violations of this Act that  have  occurred
28        with  such  frequency as to constitute a general business
29        practice, a civil penalty of $100,000.
30        (b)  Any person who violates a cease and desist order  or
31    injunction  issued  under  this  Section  may be subject to a
32    civil penalty of not  more  than  $10,000  for  each  act  in
33    violation of the cease and desist order.
 
                            -29-               LRB9204459DJgc
 1        (c)  An  order  or  injunction  issued under this Section
 2    does not in any way relieve or absolve any person affected by
 3    the order from any other liability,  penalty,  or  forfeiture
 4    required by law.
 5        (d)  Any  civil  penalties  collected  under this Section
 6    shall be deposited into the General Revenue Fund.

 7        Section 20-20.  Prevention and  deterrence.   To  promote
 8    the  prevention  and  deterrence  of  acts  or omissions that
 9    violate laws  designed  to  safeguard  the  protected  health
10    information  in  a  manner  consistent  with  this  Act,  the
11    Director  of  Public  Health,  in  cooperation with any other
12    appropriate individual, organization, or agency as determined
13    by the Director,  may  provide  advice,  training,  technical
14    assistance,  and  guidance regarding ways to prevent improper
15    disclosure of protected health information.

16                Article 25.  Miscellaneous Provisions

17        Section  25-5.  Payment  card   or   electronic   payment
18    transaction.
19        (a)  If  an individual pays for health care by presenting
20    a debit, credit, or other payment card or account number,  or
21    by  any  other electronic payment means, the entity receiving
22    payment may disclose to a person described in subsection  (b)
23    only  the  protected  health information about the individual
24    that  is  necessary  for  the  processing  of   the   payment
25    transaction  or  the billing or collection of amounts charged
26    to, debited from, or otherwise paid by the  individual  using
27    the card, number, or other electronic means.
28        (b)  A  person  who  is a debit, credit, or other payment
29    card issuer,  who  is  otherwise  directly  involved  in  the
30    processing  of  payment  transactions involving such cards or
31    other electronic payment transactions, or  who  is  otherwise
 
                            -30-               LRB9204459DJgc
 1    directly  involved  in  the  billing or collection of amounts
 2    paid through these means may use or disclose protected health
 3    information about an individual that has  been  disclosed  in
 4    accordance with subsection (a) only when necessary for one or
 5    more of the following:
 6             (1)  The   settlement,  billing,  or  collection  of
 7        amounts charged to, debited from, or  otherwise  paid  by
 8        the  individual  using  a debit, credit, or other payment
 9        card or account number or  by  other  electronic  payment
10        means.
11             (2)  The  transfer  of receivables or accounts or an
12        interest in receivables or accounts.
13             (3)  The internal audit of  the  debit,  credit,  or
14        other payment card account information.
15             (4)  Compliance  with  a  federal  or State law or a
16        local ordinance.
17             (5)  Compliance with a  properly  authorized  civil,
18        criminal,  or regulatory investigation by federal, State,
19        or local authorities as governed by the  requirements  of
20        this Section.

21        Section  25-10.  Standards  for  electronic  disclosures.
22    The   Department  of  Public  Health  shall  adopt  rules  to
23    establish  standards   for   disclosing,   authorizing,   and
24    authenticating  protected  health  information  in electronic
25    form consistent with this Act.

26        Section 25-15.  Rights of minors.
27        (a)  In the case of an individual who is 18 years of  age
28    or older, all rights of an individual under this Act shall be
29    exercised by the individual.
30        (b)  In  the case of an individual of any age who, acting
31    alone, may obtain a type of health care without violating any
32    applicable federal or State law,  and  who  has  sought  this
 
                            -31-               LRB9204459DJgc
 1    care,   the  individual  shall  exercise  all  rights  of  an
 2    individual under this Act with respect to health care.
 3        (c)  Except as provided in subsection (b):
 4             (1)  In the case of an individual who  is  under  14
 5        years  of  age, all of the individual's rights under this
 6        Act may be exercised only through  the  parent  or  legal
 7        guardian.
 8             (2)  In the case of an individual who is at least 14
 9        but  less  than 18 years of age, the rights of inspection
10        and  amendment  and  the  right  to  authorize  use   and
11        disclosure   of   protected  health  information  of  the
12        individual may be exercised by the individual or  by  the
13        parent  or  legal  guardian  of  the  individual.  If the
14        individual and the parent or legal guardian do not  agree
15        as  to  whether  to  authorize  the  use or disclosure of
16        protected  health  information  of  the  individual,  the
17        individual's authorization or revocation of authorization
18        shall control.

19        Section 25-20.  Deceased individuals.  This Act continues
20    to  apply  to  protected  health  information  concerning   a
21    deceased  individual  following the death of that individual.
22    A person who  is  authorized  by  law  or  by  an  instrument
23    recognized  under  law to act as a personal representative of
24    the estate of a deceased individual or otherwise to  exercise
25    the  rights  of  the  deceased  individual,  to the extent so
26    authorized, may exercise and  discharge  the  rights  of  the
27    deceased individual under this Act.

28        Section 25-25.  Relationship to other laws.
29        (a)  Nothing in this Act shall be construed to preempt or
30    modify  any provisions of State law concerning a privilege of
31    a witness or other person in a court of this State.   Receipt
32    of  notice pursuant to Section 10-10 or consent to disclosure
 
                            -32-               LRB9204459DJgc
 1    pursuant to Section 10-15 shall not be construed as a  waiver
 2    of these privileges.
 3        (b)  Nothing  in  this Act shall be construed to preempt,
 4    supersede, or modify the operation of any State law that does
 5    any of the following:
 6             (1)  Provides for the reporting of vital  statistics
 7        such as birth or death information.
 8             (2)  Requires  the  reporting  of  abuse  or neglect
 9        information about any individual.
10             (3)  Relates to public or mental health and prevents
11        or  otherwise   restricts   disclosure   of   information
12        otherwise permissible under this Act, except that if this
13        Act is more protective of information, it shall prevail.
14             (4)  Governs  a  minor's  right  to access protected
15        health information or health care services.
16             (5)  Meets any other  requirements  that  the  court
17        determines  are  needed to protect the confidentiality of
18        the information.
19        In particular, nothing in this Act shall be construed  to
20    preempt,  supersede, or modify the operation of any provision
21    of  the  Mental   Health   and   Developmental   Disabilities
22    Confidentiality  Act,  Section  8-2101  of  the Code of Civil
23    Procedure, or Section 6.17 of the Hospital Licensing Act.  In
24    the case of a conflict between a provision of  this  Act  and
25    one of those other provisions, the other provision controls.

26        Section  25-30.  Report  by  Department of Public Health.
27    The Department of Public Health shall submit a status  report
28    to  the General Assembly on the adoption of rules required by
29    this Act and regarding existing licensure, certification, and
30    regulatory mechanisms for  the  imposition  of  sanctions  or
31    penalties  for  the  wrongful  disclosure of protected health
32    information.  The Department shall submit the report no later
33    than one year after the effective date of this Act.
 
                            -33-               LRB9204459DJgc
 1        Section 25-35.  Reports by insurers.
 2        (a)  Subsection (b) applies to every entity to the extent
 3    that the entity meets the following criteria:
 4             (1)  The  entity  transacts  the  type  of  business
 5        enumerated in clause (a) (life insurance) of Class  1  of
 6        Section 4 of the Illinois Insurance Code.
 7             (2)  The  entity  transacts  the  types  of business
 8        enumerated in clauses of Class 2  of  Section  4  of  the
 9        Illinois  Insurance Code other than clauses (a) (accident
10        and  health  insurance),   (g)   (fidelity   and   surety
11        insurance), and (l) (legal expense insurance).
12             (3)  The  entity  transacts  the  types  of business
13        enumerated in Class 3 (fire and marine, etc.) of  Section
14        4 of the Illinois Insurance Code.
15             (4)  The    entity    provides   disability   income
16        protection coverage under Article XX (Accident and Health
17        Insurance) of the Illinois Insurance Code.
18             (5)  The entity  is  regulated  under  Article  XIXA
19        (Long-term  Care  Insurance)  of  the  Illinois Insurance
20        Code.
21        (b)  Every entity described in subsection (a) must submit
22    to the Director of Insurance a report and recommendations for
23    proposed legislation governing  the  treatment  of  protected
24    health  information.   The report shall include, but need not
25    be limited to, a discussion of the  National  Association  of
26    Insurance  Commissioners  Insurance  Information  and Privacy
27    Protection Act, or substantially  similar  legislation.   The
28    entity  shall  submit the report no later than 9 months after
29    the effective date of this Act.
30        (c)  No later than one year after the effective  date  of
31    this  Act,  the  Director  of  Insurance  shall submit to the
32    General Assembly a report that  summarizes  the  reports  and
33    recommendations  submitted  to the Director by insurers under
34    subsection (b).
 
                            -34-               LRB9204459DJgc
 1        Section 25-40.  Severability. The provisions of this  Act
 2    are severable under Section 1.31 of the Statute on Statutes.

 3                 Article 90.  Amendatory Provisions.

 4        Section  90-5.  The  Hospital Licensing Act is amended by
 5    changing Section 6.17 as follows:

 6        (210 ILCS 85/6.17)
 7        Sec. 6.17.  Protection  of  and  confidential  access  to
 8    medical records and information.
 9        (a)  Every hospital licensed under this Act shall develop
10    a medical record for each of its patients as required by  the
11    Department by rule.
12        (b)  All   information   regarding   a  hospital  patient
13    gathered by the hospital's medical staff and its  agents  and
14    employees  shall  be  the  property and responsibility of the
15    hospital and must be protected from inappropriate  disclosure
16    as provided in this Section.
17        (c)  Every hospital shall preserve its medical records in
18    a  format  and  for a duration established by hospital policy
19    and for not less than 10 years, provided that if the hospital
20    has been notified  in  writing  by  an  attorney  before  the
21    expiration  of  the  10  year  retention period that there is
22    litigation  pending  in  court  involving  the  record  of  a
23    particular patient as possible evidence and that the  patient
24    is  his  client  or  is  the  person  who has instituted such
25    litigation against his client, then the hospital shall retain
26    the record of that patient until notified in writing  by  the
27    plaintiff's  attorney,  with  the approval of the defendant's
28    attorney of record, that the case  in  court  involving  such
29    record  has  been  concluded or for a period of 12 years from
30    the date that the record was produced, whichever occurs first
31    in time.
 
                            -35-               LRB9204459DJgc
 1        (d)  No member of a hospital's medical staff and no agent
 2    or employee of  a  hospital  shall  disclose  the  nature  or
 3    details  of  services  provided  to patients, except that the
 4    information  may  be  disclosed  to  the   patient,   persons
 5    authorized   by  the  patient,  the  party  making  treatment
 6    decisions, if the patient is incapable  of  making  decisions
 7    regarding   the   health  services  provided,  those  parties
 8    directly involved with providing treatment to the patient  or
 9    processing  the  payment  for  that  treatment, those parties
10    responsible for  peer  review,  utilization  review,  quality
11    assurance,  risk  management  or  defense  of  claims brought
12    against the hospital arising  out  of  the  care,  and  those
13    parties   required  to  be  notified  under  the  Abused  and
14    Neglected  Child  Reporting  Act,   the   Illinois   Sexually
15    Transmissible   Disease   Control  Act,  or  where  otherwise
16    authorized or required by law.
17        (e)  The  hospital's  medical  staff  members   and   the
18    hospital's  agents and employees may communicate, at any time
19    and in any fashion,  with  legal  counsel  for  the  hospital
20    concerning  the  patient medical record privacy and retention
21    requirements of this Section and any care or  treatment  they
22    provided  or  assisted in providing to any patient within the
23    scope of their employment or affiliation with the hospital.
24        (f)  Each hospital licensed under this Act shall  provide
25    its  federally  designated  organ  procurement agency and any
26    tissue bank with which it has an agreement with access to the
27    medical  records  of  deceased  patients  for  the  following
28    purposes:
29             (1)  estimating  the  hospital's  organ  and  tissue
30        donation potential;
31             (2)  identifying  the  educational  needs   of   the
32        hospital with respect to organ and tissue donation; and
33             (3)  identifying  the  number  of  organ  and tissue
34        donations and referrals to  potential  organ  and  tissue
 
                            -36-               LRB9204459DJgc
 1        donors.
 2        (g)  All  hospital  and  patient information, interviews,
 3    reports, statements, memoranda, and other  data  obtained  or
 4    created  by  a  tissue  bank  or  federally  designated organ
 5    procurement agency from the medical records review  described
 6    in subsection (f) shall be privileged, strictly confidential,
 7    and used only for the purposes put forth in subsection (f) of
 8    this  Section  and  shall  not  be admissible as evidence nor
 9    discoverable in an action of any kind in court  or  before  a
10    tribunal, board, agency, or person.
11        (h)   Any  person  who, in good faith, acts in accordance
12    with the terms of this Section shall not be  subject  to  any
13    type  of  civil  or  criminal  liability  or  discipline  for
14    unprofessional conduct for those actions.
15        (i)  Any  individual  who  wilfully or wantonly discloses
16    hospital or medical record information in violation  of  this
17    Section  is guilty of a Class A misdemeanor.  As used in this
18    subsection, "wilfully or wantonly" means a course  of  action
19    that shows an actual or deliberate intention to cause harm or
20    that,  if  not intentional, shows an utter indifference to or
21    conscious  disregard  for  the  safety  of  others  or  their
22    property.
23        (j)  In the case of a conflict  between  a  provision  of
24    this  Section  and a provision of the Health Care Information
25    Privacy Act, this Section controls.
26    (Source: P.A. 91-526, eff. 1-1-00.)

27        Section 90-10.  The Illinois Insurance Code is amended by
28    changing Section 1014 as follows:

29        (215 ILCS 5/1014) (from Ch. 73, par. 1065.714)
30        Sec. 1014.  Disclosure Limitations  and  Conditions.   An
31    insurance    institution,    agent    or    insurance-support
32    organization  shall  not  disclose any personal or privileged
 
                            -37-               LRB9204459DJgc
 1    information about an  individual  collected  or  received  in
 2    connection   with   an   insurance   transaction  unless  the
 3    disclosure is:
 4        (A)  with the written authorization  of  the  individual,
 5    provided:
 6        (1)  if   such  authorization  is  submitted  by  another
 7    insurance    institution,    agent    or    insurance-support
 8    organization, the authorization  meets  the  requirements  of
 9    Section 1007 of this Article, or
10        (2)  if such authorization is submitted by a person other
11    than  an  insurance  institution,  agent or insurance-support
12    organization, the authorization is:
13        (a)  dated,
14        (b)  signed by the individual, and
15        (c)  obtained one year  or  less  prior  to  the  date  a
16    disclosure is sought pursuant to this subsection; or
17        (B)  to  a  person  other  than an insurance institution,
18    agent  or  insurance-support  organization,   provided   such
19    disclosure is reasonably necessary:
20        (1) to   enable   such  person  to  perform  a  business,
21    professional  or  insurance  function  for   the   disclosing
22    insurance    institution,    agent    or    insurance-support
23    organization  and  such  person  agrees  not  to disclose the
24    information  further   without   the   individual's   written
25    authorization unless the further disclosure:
26        (a) would  otherwise be permitted by this Section if made
27    by an  insurance  institution,  agent,  or  insurance-support
28    organization, or
29        (b) is  reasonably  necessary  for such person to perform
30    its function for the disclosing insurance institution, agent,
31    or insurance-support organization, or
32        (2) to enable such person to provide information  to  the
33    disclosing insurance institution, agent, or insurance-support
34    organization for the purpose of:
 
                            -38-               LRB9204459DJgc
 1        (a) determining   an   individual's  eligibility  for  an
 2    insurance benefit or payment, or
 3        (b) detecting or  preventing  criminal  activity,  fraud,
 4    material   misrepresentation  or  material  nondisclosure  in
 5    connection with an insurance transaction; or
 6        (C)  to     an     insurance     institution,      agent,
 7    insurance-support  organization or self-insurer, provided the
 8    information disclosed is limited to that which is  reasonably
 9    necessary:
10        (1)  to  detect  or  prevent  criminal  activity,  fraud,
11    material   misrepresentation  or  material  nondisclosure  in
12    connection with insurance transactions, or
13        (2)  for either the  disclosing  or  receiving  insurance
14    institution,   agent  or  insurance-support  organization  to
15    perform  its  function  in  connection  with   an   insurance
16    transaction involving the individual; or
17        (D)  to   a   medical   care   institution   or   medical
18    professional for the purpose of:
19        (1) verifying insurance coverage or benefits,
20        (2) informing an individual of a medical problem of which
21    the individual may not be aware, or
22        (3) conducting  an operations or services audit, provided
23    only such information is disclosed as is reasonably necessary
24    to accomplish the foregoing purposes; or
25        (E)  to an insurance regulatory authority; or
26        (F)  to  a  law   enforcement   or   other   governmental
27    authority:
28        (1)  to   protect   the   interests   of   the  insurance
29    institution,  agent  or  insurance-support  organization   in
30    preventing or prosecuting the perpetration of  fraud upon it,
31    or
32        (2)  if    the    insurance    institution,    agent   or
33    insurance-support  organization  reasonably   believes   that
34    illegal activities have been conducted by the individual; or
 
                            -39-               LRB9204459DJgc
 1        (G)  otherwise permitted or required by law; or
 2        (H)  in  response  to  a facially valid administrative or
 3    judicial order, including a search warrant or subpoena; or
 4        (I)  made for the  purpose  of  conducting  actuarial  or
 5    research studies provided:
 6        (1)  no  individual may be identified in any actuarial or
 7    research report,
 8        (2)  materials allowing the individual to  be  identified
 9    are  returned  or  destroyed  as  soon  as they are no longer
10    needed, and
11        (3) the actuarial or research organization agrees not  to
12    disclose   the   information   unless  the  disclosure  would
13    otherwise  be  permitted  by  this  Section  if  made  by  an
14    insurance    institution,    agent    or    insurance-support
15    organization; or
16        (J)  to a party or a  representative  of  a  party  to  a
17    proposed   or   consummated   sale,   transfer,   merger   or
18    consolidation of all or part of the business of the insurance
19    institution,   agent   or   insurance  support  organization,
20    provided:
21        (1)  prior to the consummation  of  the  sale,  transfer,
22    merger or consolidation only such information is disclosed as
23    is  reasonably  necessary  to  enable  the  recipient to make
24    business decisions about the purchase,  transfer,  merger  or
25    consolidation, and
26        (2)  the recipient agrees not to disclose the information
27    unless  the  disclosure  would otherwise be permitted by this
28    Section  if  made  by  an  insurance  institution,  agent  or
29    insurance-support organization; or
30        (K)  to a person whose only use of such information  will
31    be  in connection with the marketing of a product or service,
32    provided:
33        (1)  no    medical-record     information,     privileged
34    information,   or   personal   information   relating  to  an
 
                            -40-               LRB9204459DJgc
 1    individual's character, personal habits, mode  of  living  or
 2    general   reputation  is  disclosed,  and  no  classification
 3    derived from such information is disclosed,
 4        (2)  the individual has  been  given  an  opportunity  to
 5    indicate  that  he  or she does not want personal information
 6    disclosed for marketing purposes and has given no  indication
 7    that he or she does not want the information disclosed, and
 8        (3)  the  person receiving such information agrees not to
 9    use it except in connection with the marketing of  a  product
10    or service; or
11        (L)  to  an  affiliate  whose only use of the information
12    will  be  in  connection  with  an  audit  of  the  insurance
13    institution or agent or the marketing of an insurance product
14    or service, provided the affiliate agrees not to disclose the
15    information for any other purpose or to unaffiliated persons;
16    or
17        (M)  by  a  consumer  reporting  agency,  provided:   the
18    disclosure is to a person other than an insurance institution
19    or agent; or
20        (N) to  a group policyholder for the purpose of reporting
21    claims experience or conducting an  audit  of  the  insurance
22    institution's or agent's operations or services, provided the
23    information  disclosed  is reasonably necessary for the group
24    policyholder to conduct the review or audit; or
25        (O) to a professional peer review  organization  for  the
26    purpose of reviewing the service or conduct of a medical-care
27    institution or medical professional; or
28        (P) to  a  governmental  authority  for  the  purpose  of
29    determining  the individual's eligibility for health benefits
30    for which the governmental authority may be liable; or
31        (Q) to  a  certificateholder  or  policyholder  for   the
32    purpose  of  providing information regarding the status of an
33    insurance transaction; or
34        (R) to a  lienholder,  mortgagee,  assignee,  lessee,  or
 
                            -41-               LRB9204459DJgc
 1    other person shown on the records of an insurance institution
 2    or agent as having a legal or beneficial interest in a policy
 3    of  insurance; provided that information disclosed is limited
 4    to that which is reasonably necessary to permit  such  person
 5    to protect its interest in such policy.
 6        In  the  case  of  a conflict between a provision of this
 7    Section and  a  provision  of  the  Health  Care  Information
 8    Privacy Act, this Section controls.
 9    (Source: P.A. 82-108.)

10        Section 90-15.  The Code of Civil Procedure is amended by
11    changing  Sections  2-1101  and  8-2101  and  adding  Section
12    2-1101.5 as follows:

13        (735 ILCS 5/2-1101) (from Ch. 110, par. 2-1101)
14        Sec.  2-1101.  Subpoenas. The clerk of any court in which
15    an  action  is  pending  shall,  from  time  to  time,  issue
16    subpoenas for those witnesses and to those  counties  in  the
17    State  as  may  be  required by either party. Every clerk who
18    shall refuse so to do shall be guilty of a petty offense  and
19    fined  any  sum  not to exceed $100. An order of court is not
20    required to obtain the issuance by the clerk  of  a  subpoena
21    duces  tecum.  For  good cause shown, the court on motion may
22    quash or modify any subpoena or, in the case  of  a  subpoena
23    duces  tecum, condition the denial of the motion upon payment
24    in advance by the person in  whose  behalf  the  subpoena  is
25    issued  of  the  reasonable  expense  of  producing  any item
26    therein specified.
27        In the event  that  a  party  has  subpoenaed  an  expert
28    witness  including,  but not limited to physicians or medical
29    providers, and the expert witness appears  in  court,  and  a
30    conflict  arises  between  the  party  subpoenaing the expert
31    witness and the expert witness over the fees charged  by  the
32    expert  witness,  the  trial  court  shall  be advised of the
 
                            -42-               LRB9204459DJgc
 1    conflict.  The trial court shall conduct a hearing subsequent
 2    to the testimony of the expert witness  and  shall  determine
 3    the reasonable fee to be paid to the expert witness.
 4        In  the  case  of  a conflict between a provision of this
 5    Section and  a  provision  of  the  Health  Care  Information
 6    Privacy Act, this Section controls.
 7    (Source: P.A. 87-418.)

 8        (735 ILCS 5/2-1101.5 new)
 9        Sec.  2-1101.5.  Subpoena  duces  tecum; protected health
10    information.
11        (a)  In this Section, "protected health information"  has
12    the  meaning  ascribed  to  that  term  in  the  Health  Care
13    Information Privacy Act.
14        (b)  A  subpoena  duces tecum to produce protected health
15    information is valid only if accompanied by  either  a  court
16    order  or  a  written authorization signed in accordance with
17    Section 10-15 of the Health Care Information Privacy Act.
18        (c)  An order for  a  subpoena  duces  tecum  to  produce
19    protected health information must do all of the following:
20             (1)  Provide  that  the protected health information
21        involved is subject to court protection.
22             (2)  Specify  to  whom  the   information   may   be
23        disclosed.
24             (3)  Specify   that   the  information  may  not  be
25        disclosed or used except as provided in the order.
26             (4)  Meet any  other  requirements  that  the  court
27        determines  are  needed to protect the confidentiality of
28        the information.
29        (d)  Whenever (A)  a  subpoena  duces  tecum  to  produce
30    protected  health information is served upon the custodian of
31    medical records or  another  qualified  witness  in  a  civil
32    action  or  other  proceeding  in  which (i) the custodian or
33    other witness or the custodian's or other witness's  employer
 
                            -43-               LRB9204459DJgc
 1    is not a party to the action or proceeding and (ii) it is not
 2    alleged  that  the  claim  arose  at the office, facility, or
 3    institution to which the subpoena duces tecum is directed and
 4    (B) the subpoena requires the production in court, or  before
 5    an  officer,  board,  commission,  or tribunal, of all or any
 6    part of the medical records of a patient who is or  has  been
 7    cared for or treated at the office, facility, or institution,
 8    it shall be deemed sufficient compliance with the subpoena if
 9    the  custodian or other qualified witness within 5 days after
10    receipt of the subpoena delivers by registered  or  certified
11    mail  or  by  messenger  a  true  and correct copy of all the
12    medical records described in the subpoena to the clerk of the
13    court or the clerk's deputy authorized to issue it,  together
14    with an affidavit stating in substance each of the following:
15             (1)  The affiant is the duly authorized custodian of
16        the  medical  records  and  has  authority to certify the
17        medical records.
18             (2)  The copy is a true  copy  of  all  the  medical
19        records described in the subpoena.
20             (3)  The   medical  records  were  prepared  by  the
21        personnel of the medical facility, by  staff  physicians,
22        or  by  persons  acting  under  the  control of either of
23        those, in the regular course of business at or  near  the
24        time of the act, condition, or event.
25        (e)  This Section shall not be construed to supersede any
26    grounds  that  may  apply  under  federal  or  State  law for
27    objecting to turning over the protected health information.
28    (Source: P.A. 87-418.)

29        (735 ILCS 5/8-2101) (from Ch. 110, par. 8-2101)
30        Sec.  8-2101.  Information  obtained.   All  information,
31    interviews, reports, statements, memoranda,  recommendations,
32    letters  of  reference  or  other  third  party  confidential
33    assessments  of  a  health  care  practitioner's professional
 
                            -44-               LRB9204459DJgc
 1    competence, or other  data  of  the  Illinois  Department  of
 2    Public  Health,  local  health departments, the Department of
 3    Human Services (as successor  to  the  Department  of  Mental
 4    Health and Developmental Disabilities), the Mental Health and
 5    Developmental  Disabilities  Medical  Review  Board, Illinois
 6    State  Medical  Society,  allied  medical  societies,  health
 7    maintenance  organizations,   medical   organizations   under
 8    contract   with  health  maintenance  organizations  or  with
 9    insurance  or  other  health  care   delivery   entities   or
10    facilities,   tissue   banks,   organ  procurement  agencies,
11    physician-owned inter-insurance exchanges and  their  agents,
12    committees   of  ambulatory  surgical  treatment  centers  or
13    post-surgical recovery centers or their  medical  staffs,  or
14    committees  of  licensed  or  accredited  hospitals  or their
15    medical staffs,  including  Patient  Care  Audit  Committees,
16    Medical   Care   Evaluation  Committees,  Utilization  Review
17    Committees, Credential Committees and  Executive  Committees,
18    or their designees (but not the medical records pertaining to
19    the  patient), used in the course of internal quality control
20    or of medical study for the purpose of reducing morbidity  or
21    mortality,  or for improving patient care or increasing organ
22    and  tissue   donation,   shall   be   privileged,   strictly
23    confidential  and  shall  be  used only for medical research,
24    increasing organ and  tissue  donation,  the  evaluation  and
25    improvement   of  quality  care,  or  granting,  limiting  or
26    revoking staff privileges or agreements for services,  except
27    that  in  any  health  maintenance organization proceeding to
28    decide  upon  a  physician's  services  or  any  hospital  or
29    ambulatory surgical treatment  center  proceeding  to  decide
30    upon  a  physician's  staff  privileges,  or  in any judicial
31    review of either, the claim of confidentiality shall  not  be
32    invoked  to deny such physician access to or use of data upon
33    which such a decision was based.
34        In the case of a conflict between  a  provision  of  this
 
                            -45-               LRB9204459DJgc
 1    Section  and  a  provision  of  the  Health  Care Information
 2    Privacy Act, this Section controls.
 3    (Source: P.A. 89-393, eff. 8-20-95; 89-507, eff. 7-1-97.)

 4        Section  90-20.  The  Mental  Health  and   Developmental
 5    Disabilities Confidentiality Act is amended by adding Section
 6    1.5 as follows:

 7        (740 ILCS 110/1.5 new)
 8        Sec.  1.5.  Relationship  to  the Health Care Information
 9    Privacy Act. In the case of a conflict between a provision of
10    this Act and a  provision  of  the  Health  Care  Information
11    Privacy Act, this Act controls.
