Section 2060.319  Confidentiality – Patient Information

a)         The organization shall have written policies and procedures controlling access to and use of records and information that are governed by the Confidentiality of Alcohol and Drug Abuse Patient Records regulations (42 CFR 2 (1987)) of the Alcohol, Drug Abuse, and Mental Health Administration of the Public Health Service of the United States Department of Health and Human Services effective August 10, 1987 and Article 30 of the Act [20 ILCS 301/Art. 30], and access to and use of protected health information governed by the Health Insurance Portability and Accountability Act (HIPAA), 42 USC 1320 et seq., and the regulations promulgated thereunder at 45 CFR 160, 162 and 164.  The policies and procedures shall be consistent with said regulations and statutes.  The organization shall comply with said regulations and statutes.  However, nothing in this Part shall be construed as having the effect of imposing HIPAA requirements on a provider to whom HIPAA does not apply.

b)         This Section shall not prohibit:

1)         disclosure of information about a crime committed by a patient at the organization, or a threat to commit such crime;

2)         disclosure of information about suspected child abuse or neglect, as allowed by, required by and consistent with State law;

3)         disclosure of a patient's own records to the patient, or as consented to in writing by the patient;

4)         communications of information between or among personnel having a need for the information in connection with their duties either within the organization or with an entity having direct administrative control over the services;

5)         disclosure of information to medical personnel if necessary in a medical emergency;

6)         disclosure of information as authorized by an appropriate court order upon showing of good cause, after appropriate procedure and notice, and with appropriate safeguards against unauthorized disclosure contained in the order as set forth in 42 CFR 2.61-2.67 (1987);

7)         disclosure of information to qualified personnel for the purpose of conducting scientific research as set forth in 42 CFR 2.52 (1987) (if such disclosure is in compliance with HIPAA regulations, 45 CFR 160, 162 and 164);

8)         disclosure of information to qualified personnel who are authorized by law or who provide financial assistance for the purpose of conducting audit or evaluation activity (services review or evaluation, quality review, financial or management audits, etc., as set forth in 42 CFR 2.53 (1987)).

            This Section shall also not prohibit any other disclosure not precluded by the regulations and statute cited in subsection (a), nor by any other applicable law, provided that any and all of the above disclosure is done consistent with the regulations and laws in subsection (a), is made only to the extent allowed, for the purposes allowed and that appropriate safeguards as required therein are provided.

c)         Patient records and any other information which is subject to any laws and rules cited in this Section shall be maintained in a secure room, locked file cabinet, safe or other similar container when not in use. If patient information is stored in electronic or other types of automated information systems, security measures shall be in place to prevent inadvertent or unauthorized access to such information.

d)         Except as authorized by an appropriate court order granted pursuant to the regulations and statutes cited in this Section, no record referred to by said laws may be used to initiate or substantiate any charges against a patient or to conduct any investigation of a patient.

e)         The prohibitions cited in this Section apply to records concerning any individual who has been a patient, regardless of whether or when he or she ceases to be a patient.

f)         When the Department requests a record or information which is subject to the regulations and statutes cited in this Section for audit, evaluation, research or other authorized purposes, it shall, in writing:

1)         indicate the purpose for obtaining the information;

2)         agree to maintain the information in accordance with security requirements of said laws;

3)         agree to comply with limitations on disclosures in said laws;

4)         agree to destroy all the information upon completion of its use; and

5)         indicate the authorized personnel to whom such information is to be submitted.

g)         Organizations providing a DUI evaluation or risk education intervention service shall disclose offender information as allowed by law. The informed consent form and procedures as referenced in Section 2060.503(d) and (e) of this Part shall be utilized to allow for the disclosure of evaluation and risk education information to Illinois court officials, the Illinois Office of the Secretary of State and the Department for the purpose of adjudicating and court monitoring of DUI cases, drivers license issues and for monitoring licensed services.

h)         Organizations shall have policies and procedures to comply with HIPAA and its regulations as set forth more specifically in Sections 2060.323(e) and 2060.325(u) of this Part, if the organization is required to comply with HIPAA.

(Source:  Amended at 27 Ill. Reg. 13997, effective August 8, 2003)