Health Care Availability and Access Committee

Adopted in House Comm. on Mar 03, 2004

 

 

 

09300HB4059ham002 LRB093 15454 DRJ 48452 a
1		AMENDMENT TO HOUSE BILL 4059
2		AMENDMENT NO. ______. Amend House Bill 4059, AS AMENDED, in
3		Section 5, Sec. 367.4, by replacing all of subsections (b)
4		through (f) with the following:
5		"Summary health information" means information that may be
6		individually identifiable health information and (i) that
7		summarizes the claims history, claims expenses, or type of
8		claims experienced by individuals for whom a plan sponsor has
9		provided health benefits under a group health plan and (ii)
10		from which the information described in subdivision (d)(2)(i)
11		has been deleted, except that the geographic information
12		described in subdivision (d)(2)(i)(B) need only be aggregated
13		to the level of a 5-digit zip code.
14		(b) Except as otherwise provided in this subsection, a
15		group health plan, in order to disclose protected health
16		information to the plan sponsor or to provide for or permit the
17		disclosure of protected health information to the plan sponsor
18		by a health insurance issuer or health maintenance organization
19		with respect to the group health plan, must ensure that the
20		plan documents restrict uses and disclosures of such
21		information by the plan sponsor consistent with the
22		requirements of this Section.
23		The group health plan, or a health insurance issuer or
24		health maintenance organization with respect to the group
25		health plan, shall disclose summary health information to the
26		plan sponsor if the plan sponsor requests the summary health

09300HB4059ham002 - 2 - LRB093 15454 DRJ 48452 a
1		information for the purpose of (i) obtaining premium bids from
2		health plans for providing health insurance coverage under the
3		group health plan or (ii) modifying, amending, or terminating
4		the group health plan.
5		The plan documents of the group health plan must be amended
6		to incorporate provisions to do the following:
7		(1) Establish the permitted and required uses and
8		disclosures of such information by the plan sponsor,
9		provided that such permitted and required uses and
10		disclosures may not be inconsistent with this Section.
11		(2) Provide that the group health plan will disclose
12		protected health information to the plan sponsor only upon
13		receipt of a certification by the plan sponsor that the
14		plan documents have been amended to incorporate the
15		following provisions and that the plan sponsor agrees to:
16		(A) Not use or further disclose the information
17		other than as permitted or required by the plan
18		documents or as required by law.
19		(B) Ensure that any agents, including a
20		subcontractor, to whom it provides protected health
21		information received from the group health plan agree
22		to the same restrictions and conditions that apply to
23		the plan sponsor with respect to such information.
24		(C) Not use or disclose the information for
25		employment-related actions and decisions or in
26		connection with any other benefit or employee benefit
27		plan of the plan sponsor.
28		(D) Report to the group health plan any use or
29		disclosure of the information that is inconsistent
30		with the uses or disclosures provided for of which it
31		becomes aware.
32		(E) Make available protected health information.
33		(F) Make available protected health information
34		for amendment, and incorporate any amendments to

09300HB4059ham002 - 3 - LRB093 15454 DRJ 48452 a
1		protected health information.
2		(G) Make available the information required to
3		provide an accounting of disclosures.
4		(H) Make its internal practices, books, and
5		records relating to the use and disclosure of protected
6		health information received from the group health plan
7		available to the Director for purposes of determining
8		compliance by the group health plan with this Section.
9		(I) If feasible, return or destroy all protected
10		health information received from the group health plan
11		that the sponsor still maintains in any form and retain
12		no copies of such information when no longer needed for
13		the purpose for which disclosure was made, except that,
14		if such return or destruction is not feasible, limit
15		further uses and disclosures to those purposes that
16		make the return or destruction of the information
17		infeasible.
18		(J) Ensure that the adequate separation required
19		in paragraph (3) is established.
20		(3) Provide for adequate separation between the group
21		health plan and the plan sponsor. The plan documents must
22		do the following:
23		(A) Describe those employees or classes of
24		employees or other persons under the control of the
25		plan sponsor to be given access to the protected health
26		information to be disclosed, provided that any
27		employee or person who receives protected health
28		information relating to payment under, health care
29		operations of, or other matters pertaining to the group
30		health plan in the ordinary course of business must be
31		included in such description.
32		(B) Restrict the access to and use by such
33		employees and other persons described in subparagraph
34		(A) of this paragraph (3) to the plan administration

09300HB4059ham002 - 4 - LRB093 15454 DRJ 48452 a
1		functions that the plan sponsor performs for the group
2		health plan.
3		(C) Provide an effective mechanism for resolving
4		any issues of noncompliance by persons described in
5		subparagraph (A) of this paragraph (3) with the plan
6		document provisions required by this subsection.
7		(c) Standard: de-identification of protected health
8		information. Health information that does not identify an
9		individual and with respect to which there is no reasonable
10		basis to believe that the information can be used to identify
11		an individual is not individually identifiable health
12		information.
13		(d) Implementation specifications: requirements for de-
14		identification of protected health information. A covered
15		entity may determine that health information is not
16		individually identifiable health information only if:
17		(1) A person with appropriate knowledge of and
18		experience with generally accepted statistical and
19		scientific principles and methods for rendering
20		information not individually identifiable:
21		(A) Applying such principles and methods,
22		determines that the risk is very small that the
23		information could be used, alone or in combination with
24		other reasonably available information, by an
25		anticipated recipient to identify an individual who is
26		a subject of the information; and
27		(B) Documents the methods and results of the
28		analysis that justify such determination; or
29		(2)(i) The following identifiers of the individual or
30		of relatives, employers, or household members of the
31		individual, are removed:
32		(A) Names;
33		(B) All geographic subdivisions smaller than a
34		State, including street address, city, county,

09300HB4059ham002 - 5 - LRB093 15454 DRJ 48452 a
1		precinct, zip code, and their equivalent geocodes,
2		except for the initial 3 digits of a zip code if,
3		according to the current publicly available data from
4		the Bureau of the Census:
5		(i) The geographic unit formed by combining
6		all zip codes with the same 3 initial digits
7		contains more than 20,000 people; and
8		(ii) The initial 3 digits of a zip code for all
9		such geographic units containing 20,000 or fewer
10		people is changed to 000;
11		(C) All elements of dates (except year) for dates
12		directly related to an individual, including birth
13		date, admission date, discharge date, date of death;
14		and all ages over 89 and all elements of dates
15		(including year) indicative of such age, except that
16		such ages and elements may be aggregated into a single
17		category of age 90 or older;
18		(D) Telephone numbers;
19		(E) Fax numbers;
20		(F) Electronic mail addresses;
21		(G) Social security numbers;
22		(H) Medical record numbers;
23		(I) Health plan beneficiary numbers;
24		(J) Account numbers;
25		(K) Certificate/license numbers;
26		(L) Vehicle identifiers and serial numbers,
27		including license plate numbers;
28		(M) Device identifiers and serial numbers;
29		(N) Web Universal Resource Locators (URLs);
30		(O) Internet Protocol (IP) address numbers;
31		(P) Biometric identifiers, including finger and
32		voice prints;
33		(Q) Full face photographic images and any
34		comparable images; and

09300HB4059ham002 - 6 - LRB093 15454 DRJ 48452 a
1		(R) Any other unique identifying number,
2		characteristic, or code, except as permitted by
3		subsection (i) of this Section; and
4		(ii) The covered entity does not have actual knowledge
5		that the information could be used alone or in combination
6		with other information to identify an individual who is a
7		subject of the information.
8		(e) Implementation specifications: re-identification. A
9		covered entity may assign a code or other means of record
10		identification to allow information de-identified under this
11		Section to be re-identified by the covered entity, provided
12		that:
13		(1) Derivation. The code or other means of record
14		identification is not derived from or related to
15		information about the individual and is not otherwise
16		capable of being translated so as to identify the
17		individual; and
18		(2) Security. The covered entity does not use or
19		disclose the code or other means of record identification
20		for any other purpose, and does not disclose the mechanism
21		for re-identification.
22		(f)(1) Standard: minimum necessary requirements. In order
23		to comply with this Section, a covered entity must meet the
24		requirements of subdivisions (f)(2) through (f)(5) of this
25		Section with respect to a request for, or the use and
26		disclosure of, protected health information.
27		(2) Implementation specifications: minimum necessary
28		uses of protected health information.
29		(i) A covered entity must identify:
30		(A) Those persons or classes of persons, as
31		appropriate, in its workforce who need access to
32		protected health information to carry out their
33		duties; and
34		(B) For each such person or class of persons, the

09300HB4059ham002 - 7 - LRB093 15454 DRJ 48452 a
1		category or categories of protected health information
2		to which access is needed and any conditions
3		appropriate to such access.
4		(ii) A covered entity must make reasonable efforts to
5		limit the access of such persons or classes identified in
6		subdivision (f)(2)(i)(A) of this Section to protected
7		health information consistent with subdivision
8		(f)(2)(i)(B) of this Section.
9		(3) Implementation specification: Minimum necessary
10		disclosures of protected health information.
11		(i) For any type of disclosure that it makes on a
12		routine and recurring basis, a covered entity must
13		implement policies and procedures (which may be
14		standard protocols) that limit the protected health
15		information disclosed to the amount reasonably
16		necessary to achieve the purpose of the disclosure.
17		(ii) For all other disclosures, a covered entity
18		must:
19		(A) Develop criteria designed to limit the
20		protected health information disclosed to the
21		information reasonably necessary to accomplish the
22		purpose for which disclosure is sought; and
23		(B) Review requests for disclosure on an
24		individual basis in accordance with such criteria.
25		(iii) A covered entity may rely, if such reliance
26		is reasonable under the circumstances, on a requested
27		disclosure as the minimum necessary for the stated
28		purpose when:
29		(A) Making disclosures to public officials, if
30		the public official represents that the
31		information requested is the minimum necessary for
32		the stated purpose or purposes;
33		(B) The information is requested by another
34		covered entity;

09300HB4059ham002 - 8 - LRB093 15454 DRJ 48452 a
1		(C) The information is requested by a
2		professional who is a member of its workforce or is
3		a business associate of the covered entity for the
4		purpose of providing professional services to the
5		covered entity, if the professional represents
6		that the information requested is the minimum
7		necessary for the stated purpose or purposes; or
8		(D) Documentation or representations that
9		comply with the applicable requirements have been
10		provided by a person requesting the information
11		for research purposes.
12		(4) Implementation specifications: Minimum necessary
13		requests for protected health information.
14		(i) A covered entity must limit any request for
15		protected health information to that which is
16		reasonably necessary to accomplish the purpose for
17		which the request is made, when requesting such
18		information from other covered entities.
19		(ii) For a request that is made on a routine and
20		recurring basis, a covered entity must implement
21		policies and procedures (which may be standard
22		protocols) that limit the protected health information
23		requested to the amount reasonably necessary to
24		accomplish the purpose for which the request is made.
25		(iii) For all other requests, a covered entity
26		must:
27		(A) Develop criteria designed to limit the
28		request for protected health information to the
29		information reasonably necessary to accomplish the
30		purpose for which the request is made; and
31		(B) Review requests for disclosure on an
32		individual basis in accordance with such criteria.
33		(5) Implementation specification: Other content
34		requirement. For all uses, disclosures, or requests to

09300HB4059ham002 - 9 - LRB093 15454 DRJ 48452 a
1		which the requirements in this subsection (f) apply, a
2		covered entity may not use, disclose, or request an entire
3		medical record, except when the entire medical record is
4		specifically justified as the amount that is reasonably
5		necessary to accomplish the purpose of the use, disclosure,
6		or request.
7		(g)(1) Standard: Limited data set. A covered entity may use
8		or disclose a limited data set that meets the requirements of
9		subdivisions (g)(2) and (g)(3) of this Section if the covered
10		entity enters into a data use agreement with the limited data
11		set recipient in accordance with subdivision (g)(4) of this
12		Section.
13		(2) Implementation specification: Limited data set. A
14		limited data set is protected health information that
15		excludes the following direct identifiers of the
16		individual or of relatives, employers, or household
17		members of the individual:
18		(i) Names;
19		(ii) Postal address information, other than town
20		or city, State, and zip code;
21		(iii) Telephone numbers;
22		(iv) Fax numbers;
23		(v) Electronic mail addresses;
24		(vi) Social security numbers;
25		(vii) Medical record numbers;
26		(viii) Health plan beneficiary numbers;
27		(ix) Account numbers;
28		(x) Certificate/license numbers;
29		(xi) Vehicle identifiers and serial numbers,
30		including license plate numbers;
31		(xii) Device identifiers and serial numbers;
32		(xiii) Web Universal Resource Locators (URLs);
33		(xiv) Internet Protocol (IP) address numbers;
34		(xv) Biometric identifiers, including finger and

09300HB4059ham002 - 10 - LRB093 15454 DRJ 48452 a
1		voice prints; and
2		(xvi) Full face photographic images and any
3		comparable images.
4		(3) Implementation specification: Permitted purposes
5		for uses and disclosures.
6		(i) A covered entity may use or disclose a limited
7		data set under subdivision (g)(1) of this Section only
8		for the purposes of research, public health, or health
9		care operations.
10		(ii) A covered entity may use protected health
11		information to create a limited data set that meets the
12		requirements of subdivision (g)(2) of this Section, or
13		disclose protected health information only to a
14		business associate for such purpose, whether or not the
15		limited data set is to be used by the covered entity.
16		(4) Implementation specifications: Data use agreement.
17		(i) Agreement required. A covered entity may use or
18		disclose a limited data set under subdivision (g)(1) of
19		this Section only if the covered entity obtains
20		satisfactory assurance, in the form of a data use
21		agreement that meets the requirements of this Section,
22		that the limited data set recipient will only use or
23		disclose the protected health information for limited
24		purposes.
25		(ii) Contents. A data use agreement between the
26		covered entity and the limited data set recipient must:
27		(A) Establish the permitted uses and
28		disclosures of such information by the limited
29		data set recipient, consistent with subdivision
30		(g)(3) of this Section. The data use agreement may
31		not authorize the limited data set recipient to use
32		or further disclose the information in a manner
33		that would violate the requirements of this
34		subpart, if done by the covered entity;

09300HB4059ham002 - 11 - LRB093 15454 DRJ 48452 a
1		(B) Establish who is permitted to use or
2		receive the limited data set; and
3		(C) Provide that the limited data set
4		recipient will:
5		(1) Not use or further disclose the
6		information other than as permitted by the data
7		use agreement or as otherwise required by law;
8		(2) Use appropriate safeguards to prevent
9		use or disclosure of the information other than
10		as provided for by the data use agreement;
11		(3) Report to the covered entity any use or
12		disclosure of the information not provided for
13		by its data use agreement of which it becomes
14		aware;
15		(4) Ensure that any agents, including a
16		subcontractor, to whom it provides the limited
17		data set agrees to the same restrictions and
18		conditions that apply to the limited data set
19		recipient with respect to such information;
20		and
21		(5) Not identify the information or
22		contact the individuals.
23		(iii) Compliance.
24		(A) A covered entity is not in compliance with
25		the standards in this subsection (g) if the covered
26		entity knew of a pattern of activity or practice of
27		the limited data set recipient that constituted a
28		material breach or violation of the data use
29		agreement, unless the covered entity took
30		reasonable steps to cure the breach or end the
31		violation, as applicable, and, if such steps were
32		unsuccessful:
33		(1) Discontinued disclosure of protected
34		health information to the recipient; and

09300HB4059ham002 - 12 - LRB093 15454 DRJ 48452 a
1		(2) Reported the problem to the Secretary.
2		(B) A covered entity that is a limited data set
3		recipient and violates a data use agreement will be
4		in noncompliance with the standards,
5		implementation specifications, and requirements of
6		this subsection (g).
7		(h)(1) Standard: Uses and disclosures for fundraising. A
8		covered entity may use, or disclose to a business associate or
9		to an institutionally related foundation, the following
10		protected health information for the purpose of raising funds
11		for its own benefit, without an authorization meeting
12		requirements adopted by the Department:
13		(i) Demographic information relating to an
14		individual; and
15		(ii) Dates of health care provided to an
16		individual.
17		(2) Implementation specifications: Fundraising
18		requirements.
19		(i) The covered entity may not use or disclose
20		protected health information for fundraising purposes
21		as otherwise permitted by subdivision (h)(1) of this
22		Section.
23		(ii) The covered entity must include in any
24		fundraising materials it sends to an individual under
25		this paragraph a description of how the individual may
26		opt out of receiving any further fundraising
27		communications.
28		(iii) The covered entity must make reasonable
29		efforts to ensure that individuals who decide to opt
30		out of receiving future fundraising communications are
31		not sent such communications.
32		(i) Standard: Uses and disclosures for underwriting and
33		related purposes. If a health plan receives protected heath
34		information for the purpose of underwriting, premium rating, or

09300HB4059ham002 - 13 - LRB093 15454 DRJ 48452 a
1		other activities relating to the creation, renewal, or
2		replacement of a contract of health insurance or health
3		benefits, and if such health insurance or health benefits are
4		not placed with the health plan, such health plan may not use
5		or disclose such protected health information for any other
6		purpose, except as may be required by law.
7		(j)(1) Standard: Verification requirements. Prior to any
8		disclosure permitted by this Section, a covered entity must:
9		(i) Verify the identity of a person requesting
10		protected health information and the authority of any
11		such person to have access to protected health
12		information under this Section, if the identity or any
13		such authority of such person is not known to the
14		covered entity; and
15		(ii) Obtain any documentation, statements, or
16		representations, whether oral or written, from the
17		person requesting the protected health information
18		when such documentation, statement, or representation
19		is a condition of the disclosure under this Section.
20		(2) Implementation specifications: Verification.
21		(i) Conditions on disclosures. If a disclosure is
22		conditioned by this subpart on particular
23		documentation, statements, or representations from the
24		person requesting the protected health information, a
25		covered entity may rely, if such reliance is reasonable
26		under the circumstances, on documentation, statements,
27		or representations that, on their face, meet the
28		applicable requirements.
29		(ii) Identity of public officials. A covered
30		entity may rely, if such reliance is reasonable under
31		the circumstances, on any of the following to verify
32		identity when the disclosure of protected health
33		information is to a public official or a person acting
34		on behalf of the public official:

09300HB4059ham002 - 14 - LRB093 15454 DRJ 48452 a
1		(A) If the request is made in person,
2		presentation of an agency identification badge,
3		other official credentials, or other proof of
4		government status;
5		(B) If the request is in writing, the request
6		is on the appropriate government letterhead; or
7		(C) If the disclosure is to a person acting on
8		behalf of a public official, a written statement on
9		appropriate government letterhead that the person
10		is acting under the government's authority or
11		other evidence or documentation of agency, such as
12		a contract for services, memorandum of
13		understanding, or purchase order, that establishes
14		that the person is acting on behalf of the public
15		official.
16		(iii) Authority of public officials. A covered
17		entity may rely, if such reliance is reasonable under
18		the circumstances, on any of the following to verify
19		authority when the disclosure of protected health
20		information is to a public official or a person acting
21		on behalf of the public official:
22		(A) A written statement of the legal authority
23		under which the information is requested, or, if a
24		written statement would be impracticable, an oral
25		statement of such legal authority;
26		(B) If a request is made pursuant to legal
27		process, warrant, subpoena, order, or other legal
28		process issued by a grand jury or a judicial or
29		administrative tribunal is presumed to constitute
30		legal authority.
31		(iv) Exercise of professional judgment. The
32		verification requirements of this subsection (n) are
33		met if the covered entity relies on the exercise of
34		professional judgment in making a use or disclosure or

09300HB4059ham002 - 15 - LRB093 15454 DRJ 48452 a
1		acts on a good faith belief in making a disclosure.".