[ Search ] [ PDF text ] [ Legislation ]
[ Home ] [ Back ] [ Bottom ]
92_HB0491 LRB9204459DJgc 1 AN ACT in relation to health care information. 2 Be it enacted by the People of the State of Illinois, 3 represented in the General Assembly: 4 Article 1. General Provisions 5 Section 1-1. Short title. This Act may be cited as the 6 Health Care Information Privacy Act. 7 Section 1-5. Legislative findings. The legislature 8 finds that individuals have a constitutional right to privacy 9 with respect to their personal health information and records 10 and with respect to information about their medical care and 11 health status. 12 Traditionally, the primary health care relationship 13 existed only between the patient and the doctor and was 14 founded on the principle that all information transmitted 15 between the patient and the doctor was confidential. With 16 advancements in modern technology and systematic changes in 17 health care practices, the patient-doctor relationship has 18 expanded into a multi-party relationship that includes 19 employers, health plans, consulting physicians and other 20 health care providers, laboratories and hospitals, 21 researchers and data organizations, and various governmental 22 and private oversight agencies. These multiple relationships 23 have fundamentally changed the handling and use of medical 24 information. 25 The legislature acknowledges that individuals are often 26 unaware of how their medical information is being used and 27 disclosed in the modern health care delivery system. 28 Currently, there is no statute that comprehensively governs 29 the disclosure of medical records. Most individuals sign a 30 one-time blanket consent to release their medical records -2- LRB9204459DJgc 1 when they sign up for medical insurance, and doctors, 2 hospitals, and insurance companies share these records as 3 they see fit. Thus, the legislature believes that an 4 individual's right to privacy of their medical records is 5 currently unclear and at risk. 6 The legislature also recognizes, however, that there are 7 strong public policy justifications for encouraging health 8 care quality through the review of medical information. 9 First, these reviews help to improve the quality of health 10 care in Illinois by providing assessments of the results or 11 outcomes of certain modes of treatment, thereby giving 12 patients more information with which to make better medical 13 choices. Second, medical information review helps to ferret 14 out and prevent fraud and abuse in the health care delivery 15 system. It is estimated that approximately $100 billion of 16 the $1 trillion spent on health care nationally can be 17 attributed to health care fraud. This drives up health care 18 costs and takes needed health care dollars away from 19 deserving patients. Third, clinical and epidemiological 20 research based on medical information helps to promote the 21 quality, efficiency, and effectiveness of the modern health 22 care delivery system, and leads to new treatments which 23 relieve suffering and save lives. 24 Therefore, the legislature firmly believes that 25 encouraging affordable quality health care, facilitating 26 effective medical research, and preventing fraud and abuse 27 are necessary to the health and safety of our citizens. 28 These are compelling State interests that may be furthered by 29 allowing the sharing of medical information for limited 30 purposes, without eliminating the confidentiality of the 31 patient-doctor relationship. 32 Section 1-10. Purpose. The purpose of this Act is to: 33 (1) Protect individuals from the adverse effects of -3- LRB9204459DJgc 1 the improper disclosure of protected health information. 2 (2) Establish strong and effective mechanisms to 3 protect against the unauthorized and inappropriate use of 4 protected health information that is created or 5 maintained as part of health care treatment, diagnosis, 6 enrollment, payment, plan administration, testing, or 7 research processes. 8 (3) Promote the health and welfare of the public by 9 encouraging the effective exchange and transfer of health 10 information in a manner that will ensure the 11 confidentiality of protected health information without 12 impeding the delivery of high quality healthcare. 13 (4) Promote the public health and welfare by 14 allowing, when appropriate, the transfer of personal 15 health information into nonidentifiable health 16 information for oversight, health research, public 17 health, law enforcement, judicial, and administrative 18 purposes. 19 (5) Discourage litigation by establishing a 20 standard set of procedures that may be complied with to 21 provide courts with strong evidence that medical 22 information was properly handled and disclosed. 23 (6) Establish remedies for violations of this Act. 24 Section 1-15. Definitions. In this Act, except as 25 otherwise specifically provided: 26 "Accrediting body" means a committee, organization, or 27 institution that has been authorized by law or is recognized 28 by a health care regulating authority as an accrediting 29 entity or any other entity that has been similarly authorized 30 or recognized by law to perform specific accreditation, 31 licensing, or credentialing activities. 32 "Agent" means a person who represents and acts for 33 another under a contract or relationship of agency, or whose -4- LRB9204459DJgc 1 function is to bring about, modify, affect, accept 2 performance of, or terminate contractual obligations between 3 the principal and a third person, including a contractor. 4 "Disclose" means to release, transfer, provide access to, 5 share, or otherwise divulge protected health information to 6 any person other than the individual who is the subject of 7 the information. The term includes the initial disclosure 8 and any subsequent redisclosures of protected health 9 information. 10 "Educational institution" means an institution or place 11 for instruction or education including any public or private 12 elementary school, secondary school, vocational school, 13 correspondence school, business school, community college, 14 teachers college, college, normal school, professional 15 school, university, or scientific or technical institution, 16 or other institution furnishing education for children and 17 adults. 18 "Employer" means any individual or type of organization, 19 including any partnership, association, trust, estate, joint 20 stock company, insurance company, or corporation, whether 21 domestic or foreign, a debtor in possession or receiver or 22 trustee in bankruptcy, or a legal representative of a 23 deceased person, who has one or more regular individuals in 24 his or her employment. 25 "Employment" means services performed for wages under any 26 contract of hire, written or oral, expressed or implied, with 27 an employer. 28 "Health care" means any of the following: 29 (1) Preventive, diagnostic, therapeutic, 30 rehabilitative, palliative, or maintenance services: 31 (A) with respect to the physical or mental 32 condition of an individual; or 33 (B) affecting the structure or function of the 34 human body or any part of the human body, including -5- LRB9204459DJgc 1 the banking of blood, sperm, organs, or any other 2 tissue. 3 (2) Any sale or dispensing of a drug, a device, 4 equipment, or another health care-related item to an 5 individual, or for the use of an individual pursuant to a 6 prescription or order by a health care provider. 7 "Health care data organization" means an entity that 8 engages primarily in the business of collecting, analyzing, 9 and disseminating identifiable and nonidentifiable patient 10 information. A health care data organization is not a health 11 care provider, an insurer, a health researcher, or a health 12 oversight agency. 13 "Health care provider" means a person who, with respect 14 to any protected health information, receives, creates, uses, 15 maintains, or discloses the protected health information 16 while acting in whole or in part in the capacity of any of 17 the following: 18 (1) A person who is licensed, certified, 19 registered, or otherwise authorized by federal or State 20 law to provide an item or service that constitutes health 21 care in the ordinary course of business or practice of a 22 profession. 23 (2) A federal, State, or employer-sponsored program 24 that directly provides items or services that constitute 25 health care to beneficiaries. 26 (3) An officer, employee, or agent of a person 27 described in paragraph (1) or (2). 28 "Health oversight agency" means a person who, with 29 respect to any protected health information, receives, 30 creates, uses, maintains, or discloses the information while 31 acting in whole or in part in the capacity of any of the 32 following: 33 (1) A person who performs or oversees the 34 performance of an assessment, evaluation, determination, -6- LRB9204459DJgc 1 or investigation relating to the licensing, 2 accreditation, or credentialing of health care providers. 3 (2) A person who: 4 (A) performs or oversees the performance of an 5 audit, assessment, evaluation, determination, or 6 investigation relating to the effectiveness of, 7 compliance with, or applicability of, legal, fiscal, 8 medical, or scientific standards or aspects of 9 performance related to the delivery of, or payment 10 for, health care; and 11 (B) is a public agency, acting on behalf of a 12 public agency, acting pursuant to a requirement of a 13 public agency, or carrying out activities under a 14 federal or State law governing the assessment, 15 evaluation, determination, investigation, or 16 prosecution for violations of paragraph (1). 17 "Health plan" means any health insurance plan, including 18 any hospital or medical service plan, dental or other health 19 service plan or health maintenance organization plan, 20 provider-sponsored organization, or other program providing 21 or arranging for the provision of health benefits, whether or 22 not funded through the purchase of insurance. 23 "Health researcher" means a person, or an officer, 24 employee, or independent contractor of a person, who receives 25 protected health information as part of a systematic 26 investigation, testing, or evaluation designed to develop or 27 contribute to generalized scientific and clinical knowledge. 28 "Individual's designated representative" means a person 29 who is authorized by law (based on grounds other than the 30 minority of an individual), or by an instrument recognized 31 under law, to act as an agent, attorney, guardian, proxy, or 32 other legal representative of a protected individual. The 33 term includes a person acting under authority of a power of 34 attorney for health care. -7- LRB9204459DJgc 1 "Institutional review board" means a research committee 2 established and operating in accord with 45 C.F.R. 46.107, 3 46.108, 46.109, and 46.115. 4 "Insurer" means any entity regulated under the Health 5 Maintenance Organization Act, any entity regulated under 6 Article XVIII of the Illinois Insurance Code (Mutual Benefit 7 Associations), any entity that has purchased coverage under a 8 group contract issued by a person regulated under the Health 9 Maintenance Organization Act, and any entity regulated under 10 Article XX of the Illinois Insurance Code (Accident and 11 Health Insurance). The term does not include an entity to 12 the extent that the entity transacts the type of business 13 enumerated in clause (a) of Class 1 of Section 4 of the 14 Illinois Insurance Code (life insurance), provides disability 15 income protection coverage under Article XX of the Illinois 16 Insurance Code (Accident and Health Insurance), or is 17 regulated under Article XIXA of the Illinois Insurance Code 18 (Long-term Care Insurance). 19 "Law enforcement inquiry" means a lawful investigation 20 conducted by an appropriate government agency or official 21 inquiring into a violation of, or failure to comply with, any 22 civil or administrative statute or any regulation, rule, or 23 order issued pursuant to such a statute. It does not include 24 a lawful criminal investigation or prosecution conducted by a 25 State's Attorney or the Attorney General. 26 "Nonidentifiable health information" means any 27 information that would otherwise be protected health 28 information, except that the information does not reveal the 29 identity of the individual whose health or health care is the 30 subject of the information and there is no reasonable basis 31 to believe that the information could be used, either alone 32 or with other information that is, or should reasonably be, 33 known to be available to recipients of the information, to 34 reveal the identity of that individual. -8- LRB9204459DJgc 1 "Protected health information" means any information, 2 identifiable to an individual, including demographic 3 information, whether or not recorded in any form or medium, 4 that relates directly or indirectly to the past, present, or 5 future: 6 (1) physical or mental health or condition of an 7 individual, including tissue and genetic information; 8 (2) provision of health care to an individual; or 9 (3) payment for the provision of health care to an 10 individual. 11 "Qualified health care operations" means only those 12 activities conducted by or on behalf of a health plan or 13 health care provider for the purpose of carrying out the 14 management functions of a health care provider or health 15 plan, or implementing the terms of a contract for health plan 16 benefits, as follows: 17 (1) Payment, which means the activities undertaken 18 by a health plan or provider that are reasonably 19 necessary to determine responsibility for coverage, 20 services, and the actual payment for services, if any. 21 (2) Conducting quality assurance activities or 22 outcomes assessments. 23 (3) Reviewing the competence or qualifications of 24 health care professionals. 25 (4) Performing accreditation, licensing, or 26 credentialing activities. 27 (5) Analyzing health plan claims or health care 28 records data. 29 (6) Evaluating provider clinical performance. 30 (7) Carrying out utilization management. 31 (8) Conducting or arranging for auditing services 32 in accordance with statute, rule, or accreditation 33 requirements. 34 A qualified health care operation must: -9- LRB9204459DJgc 1 (A) Be an operation that cannot be carried on 2 with reasonable effectiveness and efficiency without 3 identifiable patient information. 4 (B) Be limited to only that protected health 5 information collected under the terms of the 6 contract for health plan benefits and without which 7 the operation cannot be carried on with reasonable 8 effectiveness and efficiency. 9 (C) Be limited to the minimum amount of 10 protected health information, including the minimum 11 number of records and the minimum number of 12 documents within each patient's record, necessary to 13 carry on the operation with reasonable effectiveness 14 and efficiency. 15 (D) Limit the handling and examination of 16 protected health information to those persons who 17 are reasonably well qualified, by training, 18 credentials, or experience, to conduct the phase of 19 the operation in which they are involved. 20 "Surrogate" means a person, other than an individual's 21 designated representative or relative, who is authorized to 22 make a health care decision for the individual. 23 "Treatment" means the provision of health care by, or the 24 coordination of health care between, health care providers, 25 or the referral of a patient from one provider to another, or 26 coordination of health care or other services between health 27 care providers and third parties authorized by the health 28 plan or the plan member. 29 "Unique patient identifier" means a number or 30 alpha-numeric string assigned to an individual, which can be 31 or is used to identify an individual's protected health 32 information. 33 "Writing" means a written form that is either paper or 34 computer-based. The term includes electronic signatures. -10- LRB9204459DJgc 1 Article 5. Individuals' Rights 2 Section 5-5. Inspection and copying of protected health 3 information. 4 (a) For the purposes of this Section only, "entity" 5 means a health care provider, health plan, employer, health 6 care data organization, insurer, or educational institution. 7 (b) At the request in writing of an individual and 8 except as provided in subsection (c), an entity shall permit 9 an individual who is the subject of protected health 10 information or the individual's designee to inspect and copy 11 protected health information concerning the individual, 12 including records created under Section 5-10, that the entity 13 maintains. The entity shall adopt appropriate procedures to 14 be followed for the inspection or copying and may require an 15 individual to pay reasonable costs associated with the 16 inspection or copying. 17 (c) Unless ordered by a court of competent jurisdiction, 18 an entity is not required to permit the inspection or copying 19 of protected health information if any of the following 20 conditions are met: 21 (1) The entity determines that the disclosure of 22 the information could reasonably be expected to endanger 23 the life or physical safety of, or cause substantial 24 mental harm to, the individual who is the subject of the 25 information. 26 (2) The information identifies, or could reasonably 27 lead to the identification of, a person who provided 28 information under a promise of confidentiality concerning 29 the individual who is the subject of the information, 30 unless the confidential source can be protected by 31 redaction or other similar means. 32 (3) The information is protected from discovery as 33 provided by law. -11- LRB9204459DJgc 1 (4) The information was collected for or during a 2 clinical trial monitored by an institutional review 3 board, the trial is not complete, and the researcher 4 reasonably believes that access would harm the conduct of 5 the trial. 6 (d) If an entity denies a request for inspection or 7 copying pursuant to subsection (c), the entity shall inform 8 the individual in writing of the following: 9 (1) The reasons for the denial of the request for 10 inspection or copying. 11 (2) Any procedures for further review of the 12 denial. 13 (3) The individual's right to file with the entity 14 a concise statement setting forth the request for 15 inspection or copying. 16 (e) If an individual has filed a statement under 17 subdivision (d)(3), the entity in any subsequent disclosure 18 of the portion of the information requested under subsection 19 (b) must include the following: 20 (1) A copy of the individual's statement. 21 (2) A concise statement of the reasons for denying 22 the request for inspection or copying. 23 (f) An entity must permit the inspection and copying 24 under subsection (b) of any reasonably segregable portion of 25 a record after deletion of any portion that is exempt under 26 subsection (c). 27 (g) An entity must comply with or deny, in accordance 28 with subsection (d), a request for inspection or copying of 29 protected health information under this Section not later 30 than 30 days after the date on which the entity or agent 31 receives the request. 32 (h) An agent of an entity is not required to provide for 33 the inspection and copying of protected health information 34 unless: -12- LRB9204459DJgc 1 (1) the protected health information is retained by 2 the agent; and 3 (2) the agent has received in writing a request 4 from the entity involved to fulfill the requirements of 5 this Section, at which time this information must be 6 provided to the individual. The agent must comply with 7 subsection (g) with respect to any such information. 8 (i) The entity must afford at least one level of appeal 9 by parties not involved in the original decision. 10 (j) This Section shall not be construed to require that 11 an entity described in subsection (a) conduct a formal, 12 informal, or other hearing or proceeding concerning a request 13 for inspection or copying of protected health information. 14 (k) If an entity denies an individual's request for 15 copying pursuant to subsection (c), or if an individual so 16 requests, the entity shall permit the inspection or copying 17 of the requested protected health information by the 18 individual's designated representative upon presentation of a 19 proper authorization signed by the individual, unless it is 20 patently clear that doing so would defeat the purpose for 21 which the entity originally denied the individual's request 22 for inspection and copying. 23 Section 5-10. Additions to protected health information. 24 A health care provider is the owner of the medical records in 25 the health care provider's possession that were created by 26 the health care provider in treating a patient. An 27 individual or the individual's authorized representative may 28 request in writing that a health care provider that generated 29 certain health care information append additional information 30 to the record in order to improve the accuracy or 31 completeness of the information, provided that appending this 32 information does not erase or obliterate any of the original 33 information. A health care provider must do one of the -13- LRB9204459DJgc 1 following: 2 (1) Append the information as requested. 3 (2) Provide to the individual notice that the 4 request has been denied, notice of the reason for the 5 denial, and notice that the individual may file a 6 statement of reasonable length explaining the correctness 7 or relevance of existing information or as to the 8 addition of new information. The statement or copies 9 must be appended to the medical record and must at all 10 times accompany that part of the information in 11 contention. 12 Section 5-15. Notice of confidentiality practices. 13 (a) For the purposes of this Section only, "entity" 14 means a health care provider, health care data organization, 15 health plan, health oversight agency, employer, insurer, 16 health researcher, or educational institution or the 17 Department of Public Health. 18 (b) An entity must prominently post or provide the 19 current notice of the entity's confidentiality practices. 20 The notice must be printed in clear type and composed in 21 plain language. This notice must be given as required under 22 Section 10-10. 23 For the purpose of informing each individual of the 24 importance of the notice and educating the individual about 25 the individual's rights under this Act, the notice must 26 contain the following language, placed prominently at the 27 beginning: 28 IMPORTANT: THIS NOTICE DEALS WITH THE SHARING 29 INFORMATION FROM YOUR MEDICAL RECORDS. PLEASE READ IT 30 CAREFULLY. This notice describes your confidentiality 31 rights as they relate to information from your medical 32 records and explains the circumstances under which 33 information from your medical records may be shared with -14- LRB9204459DJgc 1 others. This information in this notice also applies to 2 others covered under your health plan, such as your 3 spouse or children. If you do not understand the terms 4 of this notice, please ask for further explanation. 5 In addition, the notice must include the following 6 information as appropriate to the size and nature of the 7 entity: 8 (1) A description of an individual's rights with 9 respect to protected health information, which shall 10 contain at least the following: 11 (A) An individual's right to inspect and copy 12 his or her record. 13 (B) An individual's right to request that a 14 health care provider append information to the 15 individual's medical record. 16 (C) An individual's right to receive this 17 notice by each health plan upon enrollment, annually 18 thereafter, and whenever the entity's 19 confidentiality practices are substantially amended. 20 (2) The uses and disclosures of protected health 21 information authorized under this Act, including 22 information about the following: 23 (A) Payment. 24 (B) Conducting quality assurance activities or 25 outcomes assessments. 26 (C) Reviewing the competence or qualifications 27 of health care professionals. 28 (D) Performing accreditation, licensing, or 29 credentialing activities. 30 (E) Analyzing health plan claims or health 31 care records data. 32 (F) Evaluating provider clinical performance. 33 (G) Carrying out utilization management. 34 (H) Conducting or arranged for auditing -15- LRB9204459DJgc 1 services in accordance with statute, rule or 2 accreditation requirements. 3 (3) The right of the individual to limit disclosure 4 of protected health information by deciding not to 5 utilize any health insurance or other third party payment 6 as payment for the service, as set forth in subsection 7 (c) of Section 10-5. 8 (4) The procedures for giving consent to 9 disclosures of protected health information and for 10 revoking the consent to disclose. 11 (5) The description of procedures established by 12 the entity for the exercise of the individual's rights 13 required under this Act. 14 (6) The right to obtain a copy of the notice of 15 confidentiality practices required under this Act. 16 (c) The actual procedures established by an entity for 17 the exercise of individual rights under this Article 5 must 18 be made available to an individual in writing upon request. 19 Section 5-20. Establishment of safeguards. 20 (a) An entity must establish and maintain 21 administrative, technical, and physical safeguards that are 22 appropriate to the size and nature of the entity establishing 23 the safeguards and that are appropriate to protect the 24 confidentiality, security, accuracy, and integrity of 25 protected health information created, received, obtained, 26 maintained, used, transmitted, or disposed of by the entity. 27 (b) The Department of Public Health shall adopt rules to 28 implement subsection (a). 29 Article 10. Restrictions on Use and Disclosure 30 of Protected Health Information 31 Section 10-5. General rules regarding use and disclosure -16- LRB9204459DJgc 1 of protected health information. 2 (a) An entity may not use or disclose protected health 3 information except as authorized under this Article 10 and 4 under Article 15. Disclosure of health information in the 5 form of nonidentifiable health information shall not be 6 construed as a disclosure of protected health information. 7 (b) For the purpose of treatment or qualified health 8 care operations, an entity may use or disclose protected 9 health information within the entity only if notice of the 10 use or disclosure is given as required under Sections 5-15 11 and 10-10. For all other uses and disclosures, an entity may 12 use or disclose protected health information only if the use 13 or disclosure is properly consented to pursuant to Section 14 10-15. Disclosure to agents of an entity described in 15 subsection (a) shall be considered as a disclosure within an 16 entity. 17 (c) If an individual does not want protected health 18 information disclosed pursuant to subsection (b), the 19 individual must (i) advise the health care provider before 20 the delivery of services that the relevant protected health 21 information may not be disclosed pursuant to subsection (b) 22 and (ii) pay the health care provider directly for health 23 care services. A health plan may decline to cover particular 24 health care services if an individual has refused to allow 25 the disclosure of protected health care information 26 pertaining to those particular health care services. 27 Protected health information related to health care services 28 paid for directly by the individual may not be disclosed 29 without the individual's consent. 30 (d) An agent who receives protected health information 31 from an entity is subject to all rules of disclosure and 32 safeguard requirements under this Article 10. 33 (e) Every use and disclosure of protected health 34 information must be limited to the purpose for which it was -17- LRB9204459DJgc 1 collected. Any other use without a valid consent to disclose 2 is an unauthorized disclosure. 3 (f) Nothing in this Article 10 permitting the disclosure 4 of protected health information shall be construed to require 5 disclosure. 6 (g) An entity may disclose protected health information 7 to an employee or agent of the entity not otherwise 8 authorized to receive that information for purposes of 9 creating nonidentifiable information if the entity prohibits 10 the employee or agent from using or disclosing the protected 11 health information for purposes other than the sole purpose 12 of creating nonidentifiable information, as specified by the 13 entity. 14 (h) Any individual or entity who manipulates or uses 15 nonidentifiable health information to identify an individual 16 is deemed to have disclosed protected health information. The 17 disclosure or transmission of a unique patient identifier 18 shall be deemed to be a disclosure of protected health 19 information. 20 Section 10-10. Disclosure of protected health 21 information for treatment or qualified health care 22 operations. 23 (a) The notice required by Section 5-15 must be: 24 (1) given by each health plan upon enrollment, 25 annually thereafter, and whenever the health plan's 26 confidentiality practices are substantially amended, to 27 each individual who is eligible to receive care under the 28 health plan, or to the individual's parent or guardian if 29 the individual is a minor or incompetent; and 30 (2) posted in a conspicuous place or provided by an 31 entity other than a health plan. 32 (b) For each new enrollment or re-enrollment by an 33 individual in a health plan, on or after the effective date -18- LRB9204459DJgc 1 of this Act, a health plan must make reasonable efforts to 2 obtain the individual's signature on the notice of 3 confidentiality practices. The notice to be signed must 4 state that the individual is signing on behalf of the 5 individual and all others covered by the individual's health 6 plan. If the plan is unable to obtain the individual's 7 signature, the plan must note the reason for the failure to 8 obtain the signature. For the purposes of this subsection, 9 "reasonable efforts" may include but are not limited to 10 requiring the employer to present the notice to the 11 individual and to request a signature, or mailing the notice 12 to the individual with instructions to sign and return the 13 notice within a specified period of time. 14 The lack of a signed notice of confidentiality practices 15 does not justify a denial of coverage of a claim, nor does it 16 limit a health plan's access to information necessary for 17 treatment and qualified health care operations. The 18 individual may, however, elect to keep the records from being 19 disclosed by paying for the subject health care services as 20 provided under subsection (c) of Section 10-5. 21 (c) Except as provided in this Act, the notice required 22 by this Section and Section 5-15 shall not be construed as a 23 waiver of any rights that the individual has under other 24 federal or State laws, rules of evidence, or common law. 25 Section 10-15. Disclosure of protected health 26 information other than for treatment, payment, or qualified 27 health care operations. 28 (a) An entity may disclose protected health information 29 for purposes other than those for which notice is given under 30 Section 10-10, pursuant to a separate written authorization 31 to disclose executed by the individual who is the subject of 32 the information. The authorization must meet the 33 requirements of subsection (b). -19- LRB9204459DJgc 1 (b) To be valid, an authorization must be separate from 2 any other notice or authorization required by this Article 3 10, must be either (i) in writing, dated, and signed by the 4 individual or (ii) in electronic form, dated, and 5 authenticated by the individual using a unique identifier, 6 must not have been revoked, and must do the following: 7 (1) Identify the person or entity authorized to 8 disclose protected health information. 9 (2) Identify the individual who is the subject of 10 the protected health information. 11 (3) Describe the nature of and the time span of the 12 protected health information to be disclosed. 13 (4) Identify the person to whom the information is 14 to be disclosed. 15 (5) Describe the purpose of the disclosure. 16 (6) State that it is subject to revocation by the 17 individual and indicate that the consent to disclose is 18 valid until revocation by the individual. 19 (7) Include the date on which the consent to 20 disclose ends. 21 (c) An individual may revoke in writing an authorization 22 under this Section at any time. An authorization obtained by 23 a health plan under this Section is deemed to be revoked at 24 the time of the cancellation or nonrenewal of enrollment in 25 the health plan. An entity that discloses protected health 26 information pursuant to an authorization that has been 27 revoked under this subsection is not subject to any liability 28 or penalty under this Article 10 for the disclosure if that 29 entity acted in good faith and had no actual or constructive 30 notice of the revocation. 31 (d) Article 15 provides for exceptions to the 32 requirement for the authorization. 33 (e) A recipient of protected health information 34 disclosed pursuant to an authorization under this Section may -20- LRB9204459DJgc 1 use the information solely to carry out the purpose for which 2 the information was authorized for disclosure. 3 (f) Each entity collecting or storing protected health 4 information must maintain for 7 years, as part of an 5 individual's protected health information, a record of each 6 authorization by the individual and any revocation of 7 authorization by the individual. 8 Article 15. Excepted Uses and Disclosures 9 of Protected Health Information. 10 Section 15-5. Coroner or medical examiner. When a 11 coroner or medical examiner or one of their duly appointed 12 deputies seeks protected health information for the purpose 13 of inquiry into and determination of the cause, manner, and 14 circumstances of a death, any person shall provide the 15 requested protected health information to the coroner or 16 medical examiner or to the duly appointed deputies without 17 undue delay. If a coroner or medical examiner or one of 18 their duly appointed deputies receives protected health 19 information, this protected health information shall remain 20 protected health information unless it is attached to or 21 otherwise made a part of a coroner's or medical examiner's 22 official report. Health information attached to or otherwise 23 made a part of a coroner's or medical examiner's official 24 report is exempt from this Act. 25 Section 15-10. Disclosure to an individual's designated 26 representative, relative, or surrogate. 27 (a) A health care provider, or a person who receives 28 protected health information under subsection (b), may 29 disclose protected health information regarding an individual 30 to an individual's designated representative, relative, or 31 surrogate if: -21- LRB9204459DJgc 1 (1) the individual who is the subject of the 2 information: 3 (A) has been notified of the individual's 4 right to object to the disclosure and the individual 5 has not objected to the disclosure; or 6 (B) is in a physical or mental condition such 7 that the individual is not capable of objecting, and 8 there are no prior indications that the individual 9 would object; and 10 (2) the information disclosed is for the purpose of 11 providing health care to that individual; or 12 (3) the disclosure of the protected health 13 information is consistent with good medical or 14 professional practice. 15 (b) Except as provided in subsection (d), a health care 16 provider may disclose the information described in subsection 17 (c) to any other person if the individual who is the subject 18 of the information: 19 (1) has been notified of the individual's right to 20 object and the individual has not objected to the 21 disclosure; or 22 (2) is in a physical or mental condition such that 23 the individual is not capable of objecting and 24 (A) the individual's designated 25 representative, relative, or surrogate has not 26 objected and 27 (B) there are no prior indications that the 28 individual would object. 29 (c) Information that may be disclosed under subsection 30 (b) is only that information that consists of any of the 31 following items: 32 (1) The name of the individual who is the subject 33 of the information. 34 (2) The general health status of the individual, -22- LRB9204459DJgc 1 described as critical, poor, fair, stable, or 2 satisfactory or in terms denoting similar conditions. 3 (3) The location of the individual on premises 4 controlled by a provider. A disclosure of information 5 under this paragraph (3) may not be made if the 6 information would reveal specific information about the 7 physical or mental condition of the individual, unless 8 the individual expressly authorizes the disclosure. 9 (d) A disclosure may not be made under this Section if 10 the health care provider involved has reason to believe that 11 the disclosure of this information could lead to physical or 12 mental harm to the individual, unless the individual 13 expressly authorizes the disclosure. 14 Section 15-15. Identification of deceased individuals. 15 A health care provider may disclose protected health 16 information if the disclosure is necessary to assist in the 17 identification or safe handling of a deceased individual. 18 Section 15-20. Emergency circumstances. Any person who 19 creates or receives protected health information under this 20 Act may use or disclose protected health information in 21 emergency circumstances when the use or disclosure is 22 necessary to protect the health or safety of the individual 23 who is the subject of the information from serious, imminent 24 harm. A disclosure made in the good faith belief that the 25 use or disclosure was necessary to protect the health or 26 safety of an individual from serious, imminent harm is not a 27 violation of this Act. 28 Section 15-25. Disclosure for health oversight purposes. 29 (a) Any person may disclose protected health information 30 to a health oversight agency for purposes of an oversight 31 function authorized by law. -23- LRB9204459DJgc 1 (b) For purposes of this Section, the individual with 2 authority to authorize the health oversight function involved 3 shall provide to the person described in subsection (a) a 4 statement that the protected health information is being 5 sought for a legally authorized oversight function. 6 (c) Protected health information about an individual 7 that was obtained under this Section may not be used in, or 8 disclosed to any person for use in, an administrative, civil, 9 or criminal action or investigation directed against the 10 individual unless the action or investigation arises out of 11 and is directly related to one of the following: 12 (1) The receipt of health care or payment for 13 health care. 14 (2) An action involving a fraudulent claim related 15 to health. 16 (3) An action involving oversight of a public 17 health authority or a health researcher. 18 (d) Protected health information disclosed for purposes 19 of this Section remains protected health information and may 20 not be further disclosed by the receiving health oversight 21 agency, except as permitted under this Section. 22 Section 15-30. Disclosure for public health purposes. 23 (a) Any person or entity may disclose protected health 24 information to the Department of Public Health or to another 25 person authorized by law, for use in any of the following 26 that is legally authorized: 27 (1) A disease or injury report. 28 (2) A public health surveillance. 29 (3) A public health investigation or intervention. 30 (4) A health or disease registry. 31 (b) The disclosure of protected health information 32 pursuant this Section to the Department of Public Health or 33 another person authorized by law is not a violation of this -24- LRB9204459DJgc 1 Article 15. 2 (c) Protected health information disclosed for purposes 3 of this Section remains protected health information and may 4 not be further disclosed by the receiving authority or 5 person, except as permitted under this Section. 6 Section 15-35. Health research. 7 (a) A health care provider, health plan, employer, 8 insurer, or educational institution or the Department of 9 Public Health may disclose protected health information to a 10 health researcher if the following requirements are met: 11 (1) The research must have been approved by an 12 institutional review board. In evaluating a research 13 proposal, an institutional review board shall require 14 that the proposal demonstrate a clear purpose, scientific 15 integrity, and a realistic plan for maintaining the 16 confidentiality of protected health information. 17 (2) The health care provider, health plan, 18 employer, insurer, or educational institution or the 19 Department of Public Health may disclose only protected 20 health information that it has previously created or 21 collected. 22 (3) The holder of protected health information must 23 keep a record of all health researchers to whom protected 24 health information has been made available. 25 (b) A health researcher who receives protected health 26 information must remove and destroy, at the earliest 27 opportunity consistent with the purposes of the project 28 involved, any information that would enable an individual to 29 be identified. 30 (c) A health researcher who receives protected health 31 information may not disclose or use the protected health 32 information for any purpose other than that for which the 33 information was obtained, except that the health researcher -25- LRB9204459DJgc 1 may disclose the information pursuant to subsection (a) of 2 Section 15-25. 3 Section 15-40. Disclosure in a civil, judicial, or 4 administrative proceeding. 5 (a) Protected health information may be disclosed 6 pursuant to a discovery request or subpoena in a civil action 7 brought in a State court or pursuant to a request or subpoena 8 related to a State administrative proceeding, but only if the 9 disclosure is made pursuant to a court order as provided for 10 in subsection (b) or pursuant to a written authorization 11 under Section 10-15. 12 (b) A court order issued under this Section must do the 13 following: 14 (1) Provide that the protected health information 15 involved is subject to court protection. 16 (2) Specify to whom the information may be 17 disclosed. 18 (3) Specify that the information may not otherwise 19 be disclosed or used. 20 (4) Meet any other requirements that the court 21 determines are needed to protect the confidentiality of 22 the information. 23 (c) This Section does not apply in a case in which the 24 protected health information sought under the discovery 25 request or subpoena is: 26 (1) nonidentifiable health information; and 27 (2) related to a party to the litigation whose 28 medical condition is at issue. 29 (d) The release of any protected health information 30 under this Section does not violate this Article 15. 31 Section 15-45. Disclosure for civil or administrative 32 law enforcement purposes. -26- LRB9204459DJgc 1 (a) For the purposes of this Section only, "entity" 2 means a health care provider, health plan, health oversight 3 agency, employer, insurer, or educational institution. 4 (b) Except as to disclosures to a health oversight 5 agency, which are governed by Section 15-25, an entity or 6 person who receives protected health information pursuant to 7 Section 10-15 or Sections 15-5 through 15-35 may disclose 8 protected health information under this Section if the 9 disclosure is pursuant to one of the following: 10 (1) An administrative subpoena or summons or 11 judicial subpoena. 12 (2) Consent in accordance with Section 10-15. 13 (3) A court order. 14 (c) A subpoena or summons for a disclosure under 15 subdivision (b)(1) may be issued only if the civil or 16 administrative law enforcement agency involved shows that 17 there is probable cause to believe that the information is 18 relevant to a legitimate law enforcement inquiry. 19 (d) When the matter or need for which protected health 20 information was disclosed to a civil or administrative law 21 enforcement agency under subsection (b) has concluded, 22 including the conclusion of any derivative matters arising 23 from the matter or need, the civil or administrative law 24 enforcement agency must either destroy the protected health 25 information or return all of the protected health information 26 to the person from whom it was obtained. 27 (e) To the extent practicable, and consistent with the 28 requirements of due process, a civil or administrative law 29 enforcement agency must redact personally identifying 30 information from protected health information before the 31 public disclosure of the protected information in a judicial 32 or administrative proceeding. 33 (f) Protected health information obtained by a civil or 34 administrative law enforcement agency pursuant to this -27- LRB9204459DJgc 1 Section may be used only for purposes of a legitimate law 2 enforcement activity. 3 (g) If protected health information is obtained without 4 meeting the requirements of subdivision (b)(1), (b)(2), or 5 (b)(3), any information that is unlawfully obtained must be 6 excluded from a court proceeding unless the defendant 7 requests otherwise. 8 Article 20. Violations of the Act 9 Section 20-5. Wrongful disclosure of protected health 10 information. 11 (a) A person who knowingly or intentionally obtains 12 protected health information relating to an individual in 13 violation of this Act or who knowingly or intentionally 14 discloses protected health information to another person in 15 violation of this Act is guilty of a Class 3 felony. 16 (b) A person who knowingly or intentionally sells, 17 transfers, or uses protected health information for 18 commercial advantage, personal gain, or malicious harm in 19 violation of this Act is guilty of a Class 2 felony. 20 Section 20-10. Civil actions by individuals. 21 (a) Any individual whose rights under this Act have been 22 violated may bring a civil action against the person or 23 entity responsible for the violation. 24 (b) In any civil action brought under this Section, if 25 the court finds a violation of an individual's rights under 26 this Act, the court may award one or more of the following: 27 (1) Injunctive relief, including enjoining an 28 individual or entity from engaging in a practice that 29 violates this Act. 30 (2) Equitable relief. 31 (3) Compensatory damages for injuries suffered by -28- LRB9204459DJgc 1 the individual. Injuries compensable under this Section 2 include, but are not limited to, personal injury 3 including emotional distress, reputational injury, injury 4 to property, and consequential damages. 5 (4) Punitive damages, as appropriate. 6 (5) Costs of the action. 7 (6) Attorney's fees, as appropriate. 8 (7) Any other relief the court finds appropriate. 9 (c) An action may not be commenced under this Section 10 after the time period stated in Section 13-202 of the Code of 11 Civil Procedure. 12 Section 20-15. Cease and desist orders; civil penalty. 13 (a) A court shall issue and cause to be served upon a 14 person who has violated any provision of this Act a copy of 15 the court's findings and an order requiring the person to 16 cease and desist from violating this Act or to otherwise 17 comply with the requirements of this Act. The court may also 18 order any one or more of the following: 19 (1) For any violation of this Act, payment of a 20 civil penalty of not more than $500 for each violation 21 but not more than $5,000 in the aggregate for multiple 22 violations. 23 (2) For a knowing violation of this Act, payment of 24 a civil penalty of not more than $25,000 for each 25 violation but not more than $100,000 in the aggregate for 26 multiple violations. 27 (3) For violations of this Act that have occurred 28 with such frequency as to constitute a general business 29 practice, a civil penalty of $100,000. 30 (b) Any person who violates a cease and desist order or 31 injunction issued under this Section may be subject to a 32 civil penalty of not more than $10,000 for each act in 33 violation of the cease and desist order. -29- LRB9204459DJgc 1 (c) An order or injunction issued under this Section 2 does not in any way relieve or absolve any person affected by 3 the order from any other liability, penalty, or forfeiture 4 required by law. 5 (d) Any civil penalties collected under this Section 6 shall be deposited into the General Revenue Fund. 7 Section 20-20. Prevention and deterrence. To promote 8 the prevention and deterrence of acts or omissions that 9 violate laws designed to safeguard the protected health 10 information in a manner consistent with this Act, the 11 Director of Public Health, in cooperation with any other 12 appropriate individual, organization, or agency as determined 13 by the Director, may provide advice, training, technical 14 assistance, and guidance regarding ways to prevent improper 15 disclosure of protected health information. 16 Article 25. Miscellaneous Provisions 17 Section 25-5. Payment card or electronic payment 18 transaction. 19 (a) If an individual pays for health care by presenting 20 a debit, credit, or other payment card or account number, or 21 by any other electronic payment means, the entity receiving 22 payment may disclose to a person described in subsection (b) 23 only the protected health information about the individual 24 that is necessary for the processing of the payment 25 transaction or the billing or collection of amounts charged 26 to, debited from, or otherwise paid by the individual using 27 the card, number, or other electronic means. 28 (b) A person who is a debit, credit, or other payment 29 card issuer, who is otherwise directly involved in the 30 processing of payment transactions involving such cards or 31 other electronic payment transactions, or who is otherwise -30- LRB9204459DJgc 1 directly involved in the billing or collection of amounts 2 paid through these means may use or disclose protected health 3 information about an individual that has been disclosed in 4 accordance with subsection (a) only when necessary for one or 5 more of the following: 6 (1) The settlement, billing, or collection of 7 amounts charged to, debited from, or otherwise paid by 8 the individual using a debit, credit, or other payment 9 card or account number or by other electronic payment 10 means. 11 (2) The transfer of receivables or accounts or an 12 interest in receivables or accounts. 13 (3) The internal audit of the debit, credit, or 14 other payment card account information. 15 (4) Compliance with a federal or State law or a 16 local ordinance. 17 (5) Compliance with a properly authorized civil, 18 criminal, or regulatory investigation by federal, State, 19 or local authorities as governed by the requirements of 20 this Section. 21 Section 25-10. Standards for electronic disclosures. 22 The Department of Public Health shall adopt rules to 23 establish standards for disclosing, authorizing, and 24 authenticating, protected health information in electronic 25 form consistent with this Act. 26 Section 25-15. Rights of minors. 27 (a) In the case of an individual who is 18 years of age 28 or older, all rights of an individual under this Act shall be 29 exercised by the individual. 30 (b) In the case of an individual of any age who, acting 31 alone, may obtain a type of health care without violating any 32 applicable federal or State law, and who has sought this -31- LRB9204459DJgc 1 care, the individual shall exercise all rights of an 2 individual under this Act with respect to health care. 3 (c) Except as provided in subsection (b): 4 (1) In the case of an individual who is under 14 5 years of age, all of the individual's rights under this 6 Act may be exercised only through the parent or legal 7 guardian. 8 (2) In the case of an individual who is at least 14 9 but less than 18 years of age, the rights of inspection 10 and amendment and the right to authorize use and 11 disclosure of protected health information of the 12 individual may be exercised by the individual or by the 13 parent or legal guardian of the individual. If the 14 individual and the parent or legal guardian do not agree 15 as to whether to authorize the use or disclosure of 16 protected health information of the individual, the 17 individual's authorization or revocation of authorization 18 shall control. 19 Section 25-20. Deceased individuals. This Act continues 20 to apply to protected health information concerning a 21 deceased individual following the death of that individual. 22 A person who is authorized by law or by an instrument 23 recognized under law to act as a personal representative of 24 the estate of a deceased individual or otherwise to exercise 25 the rights of the deceased individual, to the extent so 26 authorized, may exercise and discharge the rights of the 27 deceased individual under this Act. 28 Section 25-25. Relationship to other laws. 29 (a) Nothing in this Act shall be construed to preempt or 30 modify any provisions of State law concerning a privilege of 31 a witness or other person in a court of this State. Receipt 32 of notice pursuant to Section 10-10 or consent to disclosure -32- LRB9204459DJgc 1 pursuant to Section 10-15 shall not be construed as a waiver 2 of these privileges. 3 (b) Nothing in this Act shall be construed to preempt, 4 supersede, or modify the operation of any State law that does 5 any of the following: 6 (1) Provides for the reporting of vital statistics 7 such as birth or death information. 8 (2) Requires the reporting of abuse or neglect 9 information about any individual. 10 (3) Relates to public or mental health and prevents 11 or otherwise restricts disclosure of information 12 otherwise permissible under this Act, except that if this 13 Act is more protective of information, it shall prevail. 14 (4) Governs a minor's right to access protected 15 health information or health care services. 16 (5) Meets any other requirements that the court 17 determines are needed to protect the confidentiality of 18 the information. 19 In particular, nothing in this Act shall be construed to 20 preempt, supersede, or modify the operation of any provision 21 of the Mental Health and Developmental Disabilities 22 Confidentiality Act, Section 8-2101 of the Code of Civil 23 Procedure, or Section 6.17 of the Hospital Licensing Act. In 24 the case of a conflict between a provision of this Act and 25 one of those other provisions, the other provision controls. 26 Section 25-30. Report by Department of Public Health. 27 The Department of Public Health shall submit a status report 28 to the General Assembly on the adoption of rules required by 29 this Act and regarding existing licensure, certification, and 30 regulatory mechanisms for the imposition of sanctions or 31 penalties for the wrongful disclosure of protected health 32 information. The Department shall submit the report no later 33 than one year after the effective date of this Act. -33- LRB9204459DJgc 1 Section 25-35. Reports by insurers. 2 (a) Subsection (b) applies to every entity to the extent 3 that the entity meets the following criteria: 4 (1) The entity transacts the type of business 5 enumerated in clause (a) (life insurance) of Class 1 of 6 Section 4 of the Illinois Insurance Code. 7 (2) The entity transacts the types of business 8 enumerated in clauses of Class 2 of Section 4 of the 9 Illinois Insurance Code other than clauses (a) (accident 10 and health insurance), (g) (fidelity and surety 11 insurance), and (l) (legal expense insurance). 12 (3) The entity transacts the types of business 13 enumerated in Class 3 (fire and marine, etc.) of Section 14 4 of the Illinois Insurance Code. 15 (4) The entity provides disability income 16 protection coverage under Article XX (Accident and Health 17 Insurance) of the Illinois Insurance Code. 18 (5) The entity is regulated under Article XIXA 19 (Long-term Care Insurance) of the Illinois Insurance 20 Code. 21 (b) Every entity described in subsection (a) must submit 22 to the Director of Insurance a report and recommendations for 23 proposed legislation governing the treatment of protected 24 health information. The report shall include, but need not 25 be limited to, a discussion of the National Association of 26 Insurance Commissioners Insurance Information and Privacy 27 Protection Act, or substantially similar legislation. The 28 entity shall submit the report no later than 9 months after 29 the effective date of this Act. 30 (c) No later than one year after the effective date of 31 this Act, the Director of Insurance shall submit to the 32 General Assembly a report that summarizes the reports and 33 recommendations submitted to the Director by insurers under 34 subsection (b). -34- LRB9204459DJgc 1 Section 25-40. Severability. The provisions of this Act 2 are severable under Section 1.31 of the Statute on Statutes. 3 Article 90. Amendatory Provisions. 4 Section 90-5. The Hospital Licensing Act is amended by 5 changing Section 6.17 as follows: 6 (210 ILCS 85/6.17) 7 Sec. 6.17. Protection of and confidential access to 8 medical records and information. 9 (a) Every hospital licensed under this Act shall develop 10 a medical record for each of its patients as required by the 11 Department by rule. 12 (b) All information regarding a hospital patient 13 gathered by the hospital's medical staff and its agents and 14 employees shall be the property and responsibility of the 15 hospital and must be protected from inappropriate disclosure 16 as provided in this Section. 17 (c) Every hospital shall preserve its medical records in 18 a format and for a duration established by hospital policy 19 and for not less than 10 years, provided that if the hospital 20 has been notified in writing by an attorney before the 21 expiration of the 10 year retention period that there is 22 litigation pending in court involving the record of a 23 particular patient as possible evidence and that the patient 24 is his client or is the person who has instituted such 25 litigation against his client, then the hospital shall retain 26 the record of that patient until notified in writing by the 27 plaintiff's attorney, with the approval of the defendant's 28 attorney of record, that the case in court involving such 29 record has been concluded or for a period of 12 years from 30 the date that the record was produced, whichever occurs first 31 in time. -35- LRB9204459DJgc 1 (d) No member of a hospital's medical staff and no agent 2 or employee of a hospital shall disclose the nature or 3 details of services provided to patients, except that the 4 information may be disclosed to the patient, persons 5 authorized by the patient, the party making treatment 6 decisions, if the patient is incapable of making decisions 7 regarding the health services provided, those parties 8 directly involved with providing treatment to the patient or 9 processing the payment for that treatment, those parties 10 responsible for peer review, utilization review, quality 11 assurance, risk management or defense of claims brought 12 against the hospital arising out of the care, and those 13 parties required to be notified under the Abused and 14 Neglected Child Reporting Act, the Illinois Sexually 15 Transmissible Disease Control Act, or where otherwise 16 authorized or required by law. 17 (e) The hospital's medical staff members and the 18 hospital's agents and employees may communicate, at any time 19 and in any fashion, with legal counsel for the hospital 20 concerning the patient medical record privacy and retention 21 requirements of this Section and any care or treatment they 22 provided or assisted in providing to any patient within the 23 scope of their employment or affiliation with the hospital. 24 (f) Each hospital licensed under this Act shall provide 25 its federally designated organ procurement agency and any 26 tissue bank with which it has an agreement with access to the 27 medical records of deceased patients for the following 28 purposes: 29 (1) estimating the hospital's organ and tissue 30 donation potential; 31 (2) identifying the educational needs of the 32 hospital with respect to organ and tissue donation; and 33 (3) identifying the number of organ and tissue 34 donations and referrals to potential organ and tissue -36- LRB9204459DJgc 1 donors. 2 (g) All hospital and patient information, interviews, 3 reports, statements, memoranda, and other data obtained or 4 created by a tissue bank or federally designated organ 5 procurement agency from the medical records review described 6 in subsection (f) shall be privileged, strictly confidential, 7 and used only for the purposes put forth in subsection (f) of 8 this Section and shall not be admissible as evidence nor 9 discoverable in an action of any kind in court or before a 10 tribunal, board, agency, or person. 11 (h) Any person who, in good faith, acts in accordance 12 with the terms of this Section shall not be subject to any 13 type of civil or criminal liability or discipline for 14 unprofessional conduct for those actions. 15 (i) Any individual who wilfully or wantonly discloses 16 hospital or medical record information in violation of this 17 Section is guilty of a Class A misdemeanor. As used in this 18 subsection, "wilfully or wantonly" means a course of action 19 that shows an actual or deliberate intention to cause harm or 20 that, if not intentional, shows an utter indifference to or 21 conscious disregard for the safety of others or their 22 property. 23 (j) In the case of a conflict between a provision of 24 this Section and a provision of the Health Care Information 25 Privacy Act, this Section controls. 26 (Source: P.A. 91-526, eff. 1-1-00.) 27 Section 90-10. The Illinois Insurance Code is amended by 28 changing Section 1014 as follows: 29 (215 ILCS 5/1014) (from Ch. 73, par. 1065.714) 30 Sec. 1014. Disclosure Limitations and Conditions. An 31 insurance institution, agent or insurance-support 32 organization shall not disclose any personal or privileged -37- LRB9204459DJgc 1 information about an individual collected or received in 2 connection with an insurance transaction unless the 3 disclosure is: 4 (A) with the written authorization of the individual, 5 provided: 6 (1) if such authorization is submitted by another 7 insurance institution, agent or insurance-support 8 organization, the authorization meets the requirements of 9 Section 1007 of this Article, or 10 (2) if such authorization is submitted by a person other 11 than an insurance institution, agent or insurance-support 12 organization, the authorization is: 13 (a) dated, 14 (b) signed by the individual, and 15 (c) obtained one year or less prior to the date a 16 disclosure is sought pursuant to this subsection; or 17 (B) to a person other than an insurance institution, 18 agent or insurance-support organization, provided such 19 disclosure is reasonably necessary: 20 (1) to enable such person to perform a business, 21 professional or insurance function for the disclosing 22 insurance institution, agent or insurance-support 23 organization and such person agrees not to disclose the 24 information further without the individual's written 25 authorization unless the further disclosure: 26 (a) would otherwise be permitted by this Section if made 27 by an insurance institution, agent, or insurance-support 28 organization, or 29 (b) is reasonably necessary for such person to perform 30 its function for the disclosing insurance institution, agent, 31 or insurance-support organization, or 32 (2) to enable such person to provide information to the 33 disclosing insurance institution, agent, or insurance-support 34 organization for the purpose of: -38- LRB9204459DJgc 1 (a) determining an individual's eligibility for an 2 insurance benefit or payment, or 3 (b) detecting or preventing criminal activity, fraud, 4 material misrepresentation or material nondisclosure in 5 connection with an insurance transaction; or 6 (C) to an insurance institution, agent, 7 insurance-support organization or self-insurer, provided the 8 information disclosed is limited to that which is reasonably 9 necessary: 10 (1) to detect or prevent criminal activity, fraud, 11 material misrepresentation or material nondisclosure in 12 connection with insurance transactions, or 13 (2) for either the disclosing or receiving insurance 14 institution, agent or insurance-support organization to 15 perform its function in connection with an insurance 16 transaction involving the individual; or 17 (D) to a medical care institution or medical 18 professional for the purpose of: 19 (1) verifying insurance coverage or benefits, 20 (2) informing an individual of a medical problem of which 21 the individual may not be aware, or 22 (3) conducting an operations or services audit, provided 23 only such information is disclosed as is reasonably necessary 24 to accomplish the foregoing purposes; or 25 (E) to an insurance regulatory authority; or 26 (F) to a law enforcement or other governmental 27 authority: 28 (1) to protect the interests of the insurance 29 institution, agent or insurance-support organization in 30 preventing or prosecuting the perpetration of fraud upon it, 31 or 32 (2) if the insurance institution, agent or 33 insurance-support organization reasonably believes that 34 illegal activities have been conducted by the individual; or -39- LRB9204459DJgc 1 (G) otherwise permitted or required by law; or 2 (H) in response to a facially valid administrative or 3 judicial order, including a search warrant or subpoena; or 4 (I) made for the purpose of conducting actuarial or 5 research studies provided: 6 (1) no individual may be identified in any actuarial or 7 research report, 8 (2) materials allowing the individual to be identified 9 are returned or destroyed as soon as they are no longer 10 needed, and 11 (3) the actuarial or research organization agrees not to 12 disclose the information unless the disclosure would 13 otherwise be permitted by this Section if made by an 14 insurance institution, agent or insurance-support 15 organization; or 16 (J) to a party or a representative of a party to a 17 proposed or consummated sale, transfer, merger or 18 consolidation of all or part of the business of the insurance 19 institution, agent or insurance support organization, 20 provided: 21 (1) prior to the consummation of the sale, transfer, 22 merger or consolidation only such information is disclosed as 23 is reasonably necessary to enable the recipient to make 24 business decisions about the purchase, transfer, merger or 25 consolidation, and 26 (2) the recipient agrees not to disclose the information 27 unless the disclosure would otherwise be permitted by this 28 Section if made by an insurance institution, agent or 29 insurance-support organization; or 30 (K) to a person whose only use of such information will 31 be in connection with the marketing of a product or service, 32 provided: 33 (1) no medical-record information, privileged 34 information, or personal information relating to an -40- LRB9204459DJgc 1 individual's character, personal habits, mode of living or 2 general reputation is disclosed, and no classification 3 derived from such information is disclosed, 4 (2) the individual has been given an opportunity to 5 indicate that he or she does not want personal information 6 disclosed for marketing purposes and has given no indication 7 that he or she does not want the information disclosed, and 8 (3) the person receiving such information agrees not to 9 use it except in connection with the marketing of a product 10 or service; or 11 (L) to an affiliate whose only use of the information 12 will be in connection with an audit of the insurance 13 institution or agent or the marketing of an insurance product 14 or service, provided the affiliate agrees not to disclose the 15 information for any other purpose or to unaffiliated persons; 16 or 17 (M) by a consumer reporting agency, provided: the 18 disclosure is to a person other than an insurance institution 19 or agent; or 20 (N) to a group policyholder for the purpose of reporting 21 claims experience or conducting an audit of the insurance 22 institution's or agent's operations or services, provided the 23 information disclosed is reasonably necessary for the group 24 policyholder to conduct the review or audit; or 25 (O) to a professional peer review organization for the 26 purpose of reviewing the service or conduct of a medical-care 27 institution or medical professional; or 28 (P) to a governmental authority for the purpose of 29 determining the individual's eligibility for health benefits 30 for which the governmental authority may be liable; or 31 (Q) to a certificateholder or policyholder for the 32 purpose of providing information regarding the status of an 33 insurance transaction; or 34 (R) to a lienholder, mortgagee, assignee, lessee, or -41- LRB9204459DJgc 1 other person shown on the records of an insurance institution 2 or agent as having a legal or beneficial interest in a policy 3 of insurance; provided that information disclosed is limited 4 to that which is reasonably necessary to permit such person 5 to protect its interest in such policy. 6 In the case of a conflict between a provision of this 7 Section and a provision of the Health Care Information 8 Privacy Act, this Section controls. 9 (Source: P.A. 82-108.) 10 Section 90-15. The Code of Civil Procedure is amended by 11 changing Sections 2-1101 and 8-2101 and adding Section 12 2-1101.5 as follows: 13 (735 ILCS 5/2-1101) (from Ch. 110, par. 2-1101) 14 Sec. 2-1101. Subpoenas. The clerk of any court in which 15 an action is pending shall, from time to time, issue 16 subpoenas for those witnesses and to those counties in the 17 State as may be required by either party. Every clerk who 18 shall refuse so to do shall be guilty of a petty offense and 19 fined any sum not to exceed $100. An order of court is not 20 required to obtain the issuance by the clerk of a subpoena 21 duces tecum. For good cause shown, the court on motion may 22 quash or modify any subpoena or, in the case of a subpoena 23 duces tecum, condition the denial of the motion upon payment 24 in advance by the person in whose behalf the subpoena is 25 issued of the reasonable expense of producing any item 26 therein specified. 27 In the event that a party has subpoenaed an expert 28 witness including, but not limited to physicians or medical 29 providers, and the expert witness appears in court, and a 30 conflict arises between the party subpoenaing the expert 31 witness and the expert witness over the fees charged by the 32 expert witness, the trial court shall be advised of the -42- LRB9204459DJgc 1 conflict. The trial court shall conduct a hearing subsequent 2 to the testimony of the expert witness and shall determine 3 the reasonable fee to be paid to the expert witness. 4 In the case of a conflict between a provision of this 5 Section and a provision of the Health Care Information 6 Privacy Act, this Section controls. 7 (Source: P.A. 87-418.) 8 (735 ILCS 5/2-1101.5 new) 9 Sec. 2-1101.5. Subpoena duces tecum; protected health 10 information. 11 (a) In this Section, "protected health information" has 12 the meaning ascribed to that term in the Health Care 13 Information Privacy Act. 14 (b) A subpoena duces tecum to produce protected health 15 information is valid only if accompanied by either a court 16 order or a written authorization signed in accordance with 17 Section 10-15 of the Health Care Information Privacy Act. 18 (c) An order for a subpoena duces tecum to produce 19 protected health information must do all of the following: 20 (1) Provide that the protected health information 21 involved is subject to court protection. 22 (2) Specify to whom the information may be 23 disclosed. 24 (3) Specify that the information may not be 25 disclosed or used except as provided in the order. 26 (4) Meet any other requirements that the court 27 determines are needed to protect the confidentiality of 28 the information. 29 (d) Whenever (A) a subpoena duces tecum to produce 30 protected health information is served upon the custodian of 31 medical records or another qualified witness in a civil 32 action or other proceeding in which (i) the custodian or 33 other witness or the custodian's or other witness's employer -43- LRB9204459DJgc 1 is not a party to the action or proceeding and (ii) it is not 2 alleged that the claim arose at the office, facility, or 3 institution to which the subpoena duces tecum is directed and 4 (B) the subpoena requires the production in court, or before 5 an officer, board, commission, or tribunal, of all or any 6 part of the medical records of a patient who is or has been 7 cared for or treated at the office, facility, or institution, 8 it shall be deemed sufficient compliance with the subpoena if 9 the custodian or other qualified witness within 5 days after 10 receipt of the subpoena delivers by registered or certified 11 mail or by messenger a true and correct copy of all the 12 medical records described in the subpoena to the clerk of the 13 court or the clerk's deputy authorized to issue it, together 14 with an affidavit stating in substance each of the following: 15 (1) The affiant is the duly authorized custodian of 16 the medical records and has authority to certify the 17 medical records. 18 (2) The copy is a true copy of all the medical 19 records described in the subpoena. 20 (3) The medical records were prepared by the 21 personnel of the medical facility, by staff physicians, 22 or by persons acting under the control of either of 23 those, in the regular course of business at or near the 24 time of the act, condition, or event. 25 (e) This Section shall not be construed to supersede any 26 grounds that may apply under federal or State law for 27 objecting to turning over the protected health information. 28 (Source: P.A. 87-418.) 29 (735 ILCS 5/8-2101) (from Ch. 110, par. 8-2101) 30 Sec. 8-2101. Information obtained. All information, 31 interviews, reports, statements, memoranda, recommendations, 32 letters of reference or other third party confidential 33 assessments of a health care practitioner's professional -44- LRB9204459DJgc 1 competence, or other data of the Illinois Department of 2 Public Health, local health departments, the Department of 3 Human Services (as successor to the Department of Mental 4 Health and Developmental Disabilities), the Mental Health and 5 Developmental Disabilities Medical Review Board, Illinois 6 State Medical Society, allied medical societies, health 7 maintenance organizations, medical organizations under 8 contract with health maintenance organizations or with 9 insurance or other health care delivery entities or 10 facilities, tissue banks, organ procurement agencies, 11 physician-owned inter-insurance exchanges and their agents, 12 committees of ambulatory surgical treatment centers or 13 post-surgical recovery centers or their medical staffs, or 14 committees of licensed or accredited hospitals or their 15 medical staffs, including Patient Care Audit Committees, 16 Medical Care Evaluation Committees, Utilization Review 17 Committees, Credential Committees and Executive Committees, 18 or their designees (but not the medical records pertaining to 19 the patient), used in the course of internal quality control 20 or of medical study for the purpose of reducing morbidity or 21 mortality, or for improving patient care or increasing organ 22 and tissue donation, shall be privileged, strictly 23 confidential and shall be used only for medical research, 24 increasing organ and tissue donation, the evaluation and 25 improvement of quality care, or granting, limiting or 26 revoking staff privileges or agreements for services, except 27 that in any health maintenance organization proceeding to 28 decide upon a physician's services or any hospital or 29 ambulatory surgical treatment center proceeding to decide 30 upon a physician's staff privileges, or in any judicial 31 review of either, the claim of confidentiality shall not be 32 invoked to deny such physician access to or use of data upon 33 which such a decision was based. 34 In the case of a conflict between a provision of this -45- LRB9204459DJgc 1 Section and a provision of the Health Care Information 2 Privacy Act, this Section controls. 3 (Source: P.A. 89-393, eff. 8-20-95; 89-507, eff. 7-1-97.) 4 Section 90-20. The Mental Health and Developmental 5 Disabilities Confidentiality Act is amended by adding Section 6 1.5 as follows: 7 (740 ILCS 110/1.5 new) 8 Sec. 1.5. Relationship to the Health Care Information 9 Privacy Act. In the case of a conflict between a provision of 10 this Act and a provision of the Health Care Information 11 Privacy Act, this Act controls.