(410 ILCS 513/31.3)
(a) Notwithstanding Sections 30 and 35 of this Act, a covered entity may, without a patient's consent, disclose a patient's genetic information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains, through a written contract or other written agreement or arrangement that meets the applicable requirements of 45 CFR 164.504(e), satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(b) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with 45 CFR 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.
(Source: P.A. 98-1046, eff. 1-1-15