(215 ILCS 215/35)
    Sec. 35. Exceptions.
    (a) The following exceptions shall apply to this Act:
        (1) A licensee with fewer than 50 employees, including any independent contractors, is exempt from Section 10.
        (2) A licensee that is subject to, governed by, and compliant with the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5, HITECH, and that maintains nonpublic information in the same manner as protected health information pursuant to an information security program shall be considered to meet the requirements of Section 10 and Section 15 of this Act. To claim this exemption, the licensee must submit an annual statement by April 15 certifying its compliance with the applicable provisions of federal law referenced in this paragraph.
        (3) An employee, agent, representative, or designee of a licensee that is also a licensee is exempt from Section 10 and need not develop its own information security program to the extent that the employee, agent, representative, or designee is covered by the information security program of the other licensee.
    (b) If a licensee ceases to qualify for an exception, the licensee shall demonstrate a good faith effort to comply with this Act within 180 days and shall certify compliance in accordance with subsection (i) of Section 10 no sooner than one year after ceasing to qualify for an exception.
(Source: P.A. 103-142, eff. 1-1-24.)