[ Search ] [ PDF text ] [ Legislation ]
[ Home ] [ Back ] [ Bottom ]
92_HB0491
LRB9204459DJgc
1 AN ACT in relation to health care information.
2 Be it enacted by the People of the State of Illinois,
3 represented in the General Assembly:
4 Article 1. General Provisions
5 Section 1-1. Short title. This Act may be cited as the
6 Health Care Information Privacy Act.
7 Section 1-5. Legislative findings. The legislature
8 finds that individuals have a constitutional right to privacy
9 with respect to their personal health information and records
10 and with respect to information about their medical care and
11 health status.
12 Traditionally, the primary health care relationship
13 existed only between the patient and the doctor and was
14 founded on the principle that all information transmitted
15 between the patient and the doctor was confidential. With
16 advancements in modern technology and systematic changes in
17 health care practices, the patient-doctor relationship has
18 expanded into a multi-party relationship that includes
19 employers, health plans, consulting physicians and other
20 health care providers, laboratories and hospitals,
21 researchers and data organizations, and various governmental
22 and private oversight agencies. These multiple relationships
23 have fundamentally changed the handling and use of medical
24 information.
25 The legislature acknowledges that individuals are often
26 unaware of how their medical information is being used and
27 disclosed in the modern health care delivery system.
28 Currently, there is no statute that comprehensively governs
29 the disclosure of medical records. Most individuals sign a
30 one-time blanket consent to release their medical records
-2- LRB9204459DJgc
1 when they sign up for medical insurance, and doctors,
2 hospitals, and insurance companies share these records as
3 they see fit. Thus, the legislature believes that an
4 individual's right to privacy of their medical records is
5 currently unclear and at risk.
6 The legislature also recognizes, however, that there are
7 strong public policy justifications for encouraging health
8 care quality through the review of medical information.
9 First, these reviews help to improve the quality of health
10 care in Illinois by providing assessments of the results or
11 outcomes of certain modes of treatment, thereby giving
12 patients more information with which to make better medical
13 choices. Second, medical information review helps to ferret
14 out and prevent fraud and abuse in the health care delivery
15 system. It is estimated that approximately $100 billion of
16 the $1 trillion spent on health care nationally can be
17 attributed to health care fraud. This drives up health care
18 costs and takes needed health care dollars away from
19 deserving patients. Third, clinical and epidemiological
20 research based on medical information helps to promote the
21 quality, efficiency, and effectiveness of the modern health
22 care delivery system, and leads to new treatments which
23 relieve suffering and save lives.
24 Therefore, the legislature firmly believes that
25 encouraging affordable quality health care, facilitating
26 effective medical research, and preventing fraud and abuse
27 are necessary to the health and safety of our citizens.
28 These are compelling State interests that may be furthered by
29 allowing the sharing of medical information for limited
30 purposes, without eliminating the confidentiality of the
31 patient-doctor relationship.
32 Section 1-10. Purpose. The purpose of this Act is to:
33 (1) Protect individuals from the adverse effects of
-3- LRB9204459DJgc
1 the improper disclosure of protected health information.
2 (2) Establish strong and effective mechanisms to
3 protect against the unauthorized and inappropriate use of
4 protected health information that is created or
5 maintained as part of health care treatment, diagnosis,
6 enrollment, payment, plan administration, testing, or
7 research processes.
8 (3) Promote the health and welfare of the public by
9 encouraging the effective exchange and transfer of health
10 information in a manner that will ensure the
11 confidentiality of protected health information without
12 impeding the delivery of high quality healthcare.
13 (4) Promote the public health and welfare by
14 allowing, when appropriate, the transfer of personal
15 health information into nonidentifiable health
16 information for oversight, health research, public
17 health, law enforcement, judicial, and administrative
18 purposes.
19 (5) Discourage litigation by establishing a
20 standard set of procedures that may be complied with to
21 provide courts with strong evidence that medical
22 information was properly handled and disclosed.
23 (6) Establish remedies for violations of this Act.
24 Section 1-15. Definitions. In this Act, except as
25 otherwise specifically provided:
26 "Accrediting body" means a committee, organization, or
27 institution that has been authorized by law or is recognized
28 by a health care regulating authority as an accrediting
29 entity or any other entity that has been similarly authorized
30 or recognized by law to perform specific accreditation,
31 licensing, or credentialing activities.
32 "Agent" means a person who represents and acts for
33 another under a contract or relationship of agency, or whose
-4- LRB9204459DJgc
1 function is to bring about, modify, affect, accept
2 performance of, or terminate contractual obligations between
3 the principal and a third person, including a contractor.
4 "Disclose" means to release, transfer, provide access to,
5 share, or otherwise divulge protected health information to
6 any person other than the individual who is the subject of
7 the information. The term includes the initial disclosure
8 and any subsequent redisclosures of protected health
9 information.
10 "Educational institution" means an institution or place
11 for instruction or education including any public or private
12 elementary school, secondary school, vocational school,
13 correspondence school, business school, community college,
14 teachers college, college, normal school, professional
15 school, university, or scientific or technical institution,
16 or other institution furnishing education for children and
17 adults.
18 "Employer" means any individual or type of organization,
19 including any partnership, association, trust, estate, joint
20 stock company, insurance company, or corporation, whether
21 domestic or foreign, a debtor in possession or receiver or
22 trustee in bankruptcy, or a legal representative of a
23 deceased person, who has one or more regular individuals in
24 his or her employment.
25 "Employment" means services performed for wages under any
26 contract of hire, written or oral, expressed or implied, with
27 an employer.
28 "Health care" means any of the following:
29 (1) Preventive, diagnostic, therapeutic,
30 rehabilitative, palliative, or maintenance services:
31 (A) with respect to the physical or mental
32 condition of an individual; or
33 (B) affecting the structure or function of the
34 human body or any part of the human body, including
-5- LRB9204459DJgc
1 the banking of blood, sperm, organs, or any other
2 tissue.
3 (2) Any sale or dispensing of a drug, a device,
4 equipment, or another health care-related item to an
5 individual, or for the use of an individual pursuant to a
6 prescription or order by a health care provider.
7 "Health care data organization" means an entity that
8 engages primarily in the business of collecting, analyzing,
9 and disseminating identifiable and nonidentifiable patient
10 information. A health care data organization is not a health
11 care provider, an insurer, a health researcher, or a health
12 oversight agency.
13 "Health care provider" means a person who, with respect
14 to any protected health information, receives, creates, uses,
15 maintains, or discloses the protected health information
16 while acting in whole or in part in the capacity of any of
17 the following:
18 (1) A person who is licensed, certified,
19 registered, or otherwise authorized by federal or State
20 law to provide an item or service that constitutes health
21 care in the ordinary course of business or practice of a
22 profession.
23 (2) A federal, State, or employer-sponsored program
24 that directly provides items or services that constitute
25 health care to beneficiaries.
26 (3) An officer, employee, or agent of a person
27 described in paragraph (1) or (2).
28 "Health oversight agency" means a person who, with
29 respect to any protected health information, receives,
30 creates, uses, maintains, or discloses the information while
31 acting in whole or in part in the capacity of any of the
32 following:
33 (1) A person who performs or oversees the
34 performance of an assessment, evaluation, determination,
-6- LRB9204459DJgc
1 or investigation relating to the licensing,
2 accreditation, or credentialing of health care providers.
3 (2) A person who:
4 (A) performs or oversees the performance of an
5 audit, assessment, evaluation, determination, or
6 investigation relating to the effectiveness of,
7 compliance with, or applicability of, legal, fiscal,
8 medical, or scientific standards or aspects of
9 performance related to the delivery of, or payment
10 for, health care; and
11 (B) is a public agency, acting on behalf of a
12 public agency, acting pursuant to a requirement of a
13 public agency, or carrying out activities under a
14 federal or State law governing the assessment,
15 evaluation, determination, investigation, or
16 prosecution for violations of paragraph (1).
17 "Health plan" means any health insurance plan, including
18 any hospital or medical service plan, dental or other health
19 service plan or health maintenance organization plan,
20 provider-sponsored organization, or other program providing
21 or arranging for the provision of health benefits, whether or
22 not funded through the purchase of insurance.
23 "Health researcher" means a person, or an officer,
24 employee, or independent contractor of a person, who receives
25 protected health information as part of a systematic
26 investigation, testing, or evaluation designed to develop or
27 contribute to generalized scientific and clinical knowledge.
28 "Individual's designated representative" means a person
29 who is authorized by law (based on grounds other than the
30 minority of an individual), or by an instrument recognized
31 under law, to act as an agent, attorney, guardian, proxy, or
32 other legal representative of a protected individual. The
33 term includes a person acting under authority of a power of
34 attorney for health care.
-7- LRB9204459DJgc
1 "Institutional review board" means a research committee
2 established and operating in accord with 45 C.F.R. 46.107,
3 46.108, 46.109, and 46.115.
4 "Insurer" means any entity regulated under the Health
5 Maintenance Organization Act, any entity regulated under
6 Article XVIII of the Illinois Insurance Code (Mutual Benefit
7 Associations), any entity that has purchased coverage under a
8 group contract issued by a person regulated under the Health
9 Maintenance Organization Act, and any entity regulated under
10 Article XX of the Illinois Insurance Code (Accident and
11 Health Insurance). The term does not include an entity to
12 the extent that the entity transacts the type of business
13 enumerated in clause (a) of Class 1 of Section 4 of the
14 Illinois Insurance Code (life insurance), provides disability
15 income protection coverage under Article XX of the Illinois
16 Insurance Code (Accident and Health Insurance), or is
17 regulated under Article XIXA of the Illinois Insurance Code
18 (Long-term Care Insurance).
19 "Law enforcement inquiry" means a lawful investigation
20 conducted by an appropriate government agency or official
21 inquiring into a violation of, or failure to comply with, any
22 civil or administrative statute or any regulation, rule, or
23 order issued pursuant to such a statute. It does not include
24 a lawful criminal investigation or prosecution conducted by a
25 State's Attorney or the Attorney General.
26 "Nonidentifiable health information" means any
27 information that would otherwise be protected health
28 information, except that the information does not reveal the
29 identity of the individual whose health or health care is the
30 subject of the information and there is no reasonable basis
31 to believe that the information could be used, either alone
32 or with other information that is, or should reasonably be,
33 known to be available to recipients of the information, to
34 reveal the identity of that individual.
-8- LRB9204459DJgc
1 "Protected health information" means any information,
2 identifiable to an individual, including demographic
3 information, whether or not recorded in any form or medium,
4 that relates directly or indirectly to the past, present, or
5 future:
6 (1) physical or mental health or condition of an
7 individual, including tissue and genetic information;
8 (2) provision of health care to an individual; or
9 (3) payment for the provision of health care to an
10 individual.
11 "Qualified health care operations" means only those
12 activities conducted by or on behalf of a health plan or
13 health care provider for the purpose of carrying out the
14 management functions of a health care provider or health
15 plan, or implementing the terms of a contract for health plan
16 benefits, as follows:
17 (1) Payment, which means the activities undertaken
18 by a health plan or provider that are reasonably
19 necessary to determine responsibility for coverage,
20 services, and the actual payment for services, if any.
21 (2) Conducting quality assurance activities or
22 outcomes assessments.
23 (3) Reviewing the competence or qualifications of
24 health care professionals.
25 (4) Performing accreditation, licensing, or
26 credentialing activities.
27 (5) Analyzing health plan claims or health care
28 records data.
29 (6) Evaluating provider clinical performance.
30 (7) Carrying out utilization management.
31 (8) Conducting or arranging for auditing services
32 in accordance with statute, rule, or accreditation
33 requirements.
34 A qualified health care operation must:
-9- LRB9204459DJgc
1 (A) Be an operation that cannot be carried on
2 with reasonable effectiveness and efficiency without
3 identifiable patient information.
4 (B) Be limited to only that protected health
5 information collected under the terms of the
6 contract for health plan benefits and without which
7 the operation cannot be carried on with reasonable
8 effectiveness and efficiency.
9 (C) Be limited to the minimum amount of
10 protected health information, including the minimum
11 number of records and the minimum number of
12 documents within each patient's record, necessary to
13 carry on the operation with reasonable effectiveness
14 and efficiency.
15 (D) Limit the handling and examination of
16 protected health information to those persons who
17 are reasonably well qualified, by training,
18 credentials, or experience, to conduct the phase of
19 the operation in which they are involved.
20 "Surrogate" means a person, other than an individual's
21 designated representative or relative, who is authorized to
22 make a health care decision for the individual.
23 "Treatment" means the provision of health care by, or the
24 coordination of health care between, health care providers,
25 or the referral of a patient from one provider to another, or
26 coordination of health care or other services between health
27 care providers and third parties authorized by the health
28 plan or the plan member.
29 "Unique patient identifier" means a number or
30 alpha-numeric string assigned to an individual, which can be
31 or is used to identify an individual's protected health
32 information.
33 "Writing" means a written form that is either paper or
34 computer-based. The term includes electronic signatures.
-10- LRB9204459DJgc
1 Article 5. Individuals' Rights
2 Section 5-5. Inspection and copying of protected health
3 information.
4 (a) For the purposes of this Section only, "entity"
5 means a health care provider, health plan, employer, health
6 care data organization, insurer, or educational institution.
7 (b) At the request in writing of an individual and
8 except as provided in subsection (c), an entity shall permit
9 an individual who is the subject of protected health
10 information or the individual's designee to inspect and copy
11 protected health information concerning the individual,
12 including records created under Section 5-10, that the entity
13 maintains. The entity shall adopt appropriate procedures to
14 be followed for the inspection or copying and may require an
15 individual to pay reasonable costs associated with the
16 inspection or copying.
17 (c) Unless ordered by a court of competent jurisdiction,
18 an entity is not required to permit the inspection or copying
19 of protected health information if any of the following
20 conditions are met:
21 (1) The entity determines that the disclosure of
22 the information could reasonably be expected to endanger
23 the life or physical safety of, or cause substantial
24 mental harm to, the individual who is the subject of the
25 information.
26 (2) The information identifies, or could reasonably
27 lead to the identification of, a person who provided
28 information under a promise of confidentiality concerning
29 the individual who is the subject of the information,
30 unless the confidential source can be protected by
31 redaction or other similar means.
32 (3) The information is protected from discovery as
33 provided by law.
-11- LRB9204459DJgc
1 (4) The information was collected for or during a
2 clinical trial monitored by an institutional review
3 board, the trial is not complete, and the researcher
4 reasonably believes that access would harm the conduct of
5 the trial.
6 (d) If an entity denies a request for inspection or
7 copying pursuant to subsection (c), the entity shall inform
8 the individual in writing of the following:
9 (1) The reasons for the denial of the request for
10 inspection or copying.
11 (2) Any procedures for further review of the
12 denial.
13 (3) The individual's right to file with the entity
14 a concise statement setting forth the request for
15 inspection or copying.
16 (e) If an individual has filed a statement under
17 subdivision (d)(3), the entity in any subsequent disclosure
18 of the portion of the information requested under subsection
19 (b) must include the following:
20 (1) A copy of the individual's statement.
21 (2) A concise statement of the reasons for denying
22 the request for inspection or copying.
23 (f) An entity must permit the inspection and copying
24 under subsection (b) of any reasonably segregable portion of
25 a record after deletion of any portion that is exempt under
26 subsection (c).
27 (g) An entity must comply with or deny, in accordance
28 with subsection (d), a request for inspection or copying of
29 protected health information under this Section not later
30 than 30 days after the date on which the entity or agent
31 receives the request.
32 (h) An agent of an entity is not required to provide for
33 the inspection and copying of protected health information
34 unless:
-12- LRB9204459DJgc
1 (1) the protected health information is retained by
2 the agent; and
3 (2) the agent has received in writing a request
4 from the entity involved to fulfill the requirements of
5 this Section, at which time this information must be
6 provided to the individual. The agent must comply with
7 subsection (g) with respect to any such information.
8 (i) The entity must afford at least one level of appeal
9 by parties not involved in the original decision.
10 (j) This Section shall not be construed to require that
11 an entity described in subsection (a) conduct a formal,
12 informal, or other hearing or proceeding concerning a request
13 for inspection or copying of protected health information.
14 (k) If an entity denies an individual's request for
15 copying pursuant to subsection (c), or if an individual so
16 requests, the entity shall permit the inspection or copying
17 of the requested protected health information by the
18 individual's designated representative upon presentation of a
19 proper authorization signed by the individual, unless it is
20 patently clear that doing so would defeat the purpose for
21 which the entity originally denied the individual's request
22 for inspection and copying.
23 Section 5-10. Additions to protected health information.
24 A health care provider is the owner of the medical records in
25 the health care provider's possession that were created by
26 the health care provider in treating a patient. An
27 individual or the individual's authorized representative may
28 request in writing that a health care provider that generated
29 certain health care information append additional information
30 to the record in order to improve the accuracy or
31 completeness of the information, provided that appending this
32 information does not erase or obliterate any of the original
33 information. A health care provider must do one of the
-13- LRB9204459DJgc
1 following:
2 (1) Append the information as requested.
3 (2) Provide to the individual notice that the
4 request has been denied, notice of the reason for the
5 denial, and notice that the individual may file a
6 statement of reasonable length explaining the correctness
7 or relevance of existing information or as to the
8 addition of new information. The statement or copies
9 must be appended to the medical record and must at all
10 times accompany that part of the information in
11 contention.
12 Section 5-15. Notice of confidentiality practices.
13 (a) For the purposes of this Section only, "entity"
14 means a health care provider, health care data organization,
15 health plan, health oversight agency, employer, insurer,
16 health researcher, or educational institution or the
17 Department of Public Health.
18 (b) An entity must prominently post or provide the
19 current notice of the entity's confidentiality practices.
20 The notice must be printed in clear type and composed in
21 plain language. This notice must be given as required under
22 Section 10-10.
23 For the purpose of informing each individual of the
24 importance of the notice and educating the individual about
25 the individual's rights under this Act, the notice must
26 contain the following language, placed prominently at the
27 beginning:
28 IMPORTANT: THIS NOTICE DEALS WITH THE SHARING
29 INFORMATION FROM YOUR MEDICAL RECORDS. PLEASE READ IT
30 CAREFULLY. This notice describes your confidentiality
31 rights as they relate to information from your medical
32 records and explains the circumstances under which
33 information from your medical records may be shared with
-14- LRB9204459DJgc
1 others. This information in this notice also applies to
2 others covered under your health plan, such as your
3 spouse or children. If you do not understand the terms
4 of this notice, please ask for further explanation.
5 In addition, the notice must include the following
6 information as appropriate to the size and nature of the
7 entity:
8 (1) A description of an individual's rights with
9 respect to protected health information, which shall
10 contain at least the following:
11 (A) An individual's right to inspect and copy
12 his or her record.
13 (B) An individual's right to request that a
14 health care provider append information to the
15 individual's medical record.
16 (C) An individual's right to receive this
17 notice by each health plan upon enrollment, annually
18 thereafter, and whenever the entity's
19 confidentiality practices are substantially amended.
20 (2) The uses and disclosures of protected health
21 information authorized under this Act, including
22 information about the following:
23 (A) Payment.
24 (B) Conducting quality assurance activities or
25 outcomes assessments.
26 (C) Reviewing the competence or qualifications
27 of health care professionals.
28 (D) Performing accreditation, licensing, or
29 credentialing activities.
30 (E) Analyzing health plan claims or health
31 care records data.
32 (F) Evaluating provider clinical performance.
33 (G) Carrying out utilization management.
34 (H) Conducting or arranged for auditing
-15- LRB9204459DJgc
1 services in accordance with statute, rule or
2 accreditation requirements.
3 (3) The right of the individual to limit disclosure
4 of protected health information by deciding not to
5 utilize any health insurance or other third party payment
6 as payment for the service, as set forth in subsection
7 (c) of Section 10-5.
8 (4) The procedures for giving consent to
9 disclosures of protected health information and for
10 revoking the consent to disclose.
11 (5) The description of procedures established by
12 the entity for the exercise of the individual's rights
13 required under this Act.
14 (6) The right to obtain a copy of the notice of
15 confidentiality practices required under this Act.
16 (c) The actual procedures established by an entity for
17 the exercise of individual rights under this Article 5 must
18 be made available to an individual in writing upon request.
19 Section 5-20. Establishment of safeguards.
20 (a) An entity must establish and maintain
21 administrative, technical, and physical safeguards that are
22 appropriate to the size and nature of the entity establishing
23 the safeguards and that are appropriate to protect the
24 confidentiality, security, accuracy, and integrity of
25 protected health information created, received, obtained,
26 maintained, used, transmitted, or disposed of by the entity.
27 (b) The Department of Public Health shall adopt rules to
28 implement subsection (a).
29 Article 10. Restrictions on Use and Disclosure
30 of Protected Health Information
31 Section 10-5. General rules regarding use and disclosure
-16- LRB9204459DJgc
1 of protected health information.
2 (a) An entity may not use or disclose protected health
3 information except as authorized under this Article 10 and
4 under Article 15. Disclosure of health information in the
5 form of nonidentifiable health information shall not be
6 construed as a disclosure of protected health information.
7 (b) For the purpose of treatment or qualified health
8 care operations, an entity may use or disclose protected
9 health information within the entity only if notice of the
10 use or disclosure is given as required under Sections 5-15
11 and 10-10. For all other uses and disclosures, an entity may
12 use or disclose protected health information only if the use
13 or disclosure is properly consented to pursuant to Section
14 10-15. Disclosure to agents of an entity described in
15 subsection (a) shall be considered as a disclosure within an
16 entity.
17 (c) If an individual does not want protected health
18 information disclosed pursuant to subsection (b), the
19 individual must (i) advise the health care provider before
20 the delivery of services that the relevant protected health
21 information may not be disclosed pursuant to subsection (b)
22 and (ii) pay the health care provider directly for health
23 care services. A health plan may decline to cover particular
24 health care services if an individual has refused to allow
25 the disclosure of protected health care information
26 pertaining to those particular health care services.
27 Protected health information related to health care services
28 paid for directly by the individual may not be disclosed
29 without the individual's consent.
30 (d) An agent who receives protected health information
31 from an entity is subject to all rules of disclosure and
32 safeguard requirements under this Article 10.
33 (e) Every use and disclosure of protected health
34 information must be limited to the purpose for which it was
-17- LRB9204459DJgc
1 collected. Any other use without a valid consent to disclose
2 is an unauthorized disclosure.
3 (f) Nothing in this Article 10 permitting the disclosure
4 of protected health information shall be construed to require
5 disclosure.
6 (g) An entity may disclose protected health information
7 to an employee or agent of the entity not otherwise
8 authorized to receive that information for purposes of
9 creating nonidentifiable information if the entity prohibits
10 the employee or agent from using or disclosing the protected
11 health information for purposes other than the sole purpose
12 of creating nonidentifiable information, as specified by the
13 entity.
14 (h) Any individual or entity who manipulates or uses
15 nonidentifiable health information to identify an individual
16 is deemed to have disclosed protected health information. The
17 disclosure or transmission of a unique patient identifier
18 shall be deemed to be a disclosure of protected health
19 information.
20 Section 10-10. Disclosure of protected health
21 information for treatment or qualified health care
22 operations.
23 (a) The notice required by Section 5-15 must be:
24 (1) given by each health plan upon enrollment,
25 annually thereafter, and whenever the health plan's
26 confidentiality practices are substantially amended, to
27 each individual who is eligible to receive care under the
28 health plan, or to the individual's parent or guardian if
29 the individual is a minor or incompetent; and
30 (2) posted in a conspicuous place or provided by an
31 entity other than a health plan.
32 (b) For each new enrollment or re-enrollment by an
33 individual in a health plan, on or after the effective date
-18- LRB9204459DJgc
1 of this Act, a health plan must make reasonable efforts to
2 obtain the individual's signature on the notice of
3 confidentiality practices. The notice to be signed must
4 state that the individual is signing on behalf of the
5 individual and all others covered by the individual's health
6 plan. If the plan is unable to obtain the individual's
7 signature, the plan must note the reason for the failure to
8 obtain the signature. For the purposes of this subsection,
9 "reasonable efforts" may include but are not limited to
10 requiring the employer to present the notice to the
11 individual and to request a signature, or mailing the notice
12 to the individual with instructions to sign and return the
13 notice within a specified period of time.
14 The lack of a signed notice of confidentiality practices
15 does not justify a denial of coverage of a claim, nor does it
16 limit a health plan's access to information necessary for
17 treatment and qualified health care operations. The
18 individual may, however, elect to keep the records from being
19 disclosed by paying for the subject health care services as
20 provided under subsection (c) of Section 10-5.
21 (c) Except as provided in this Act, the notice required
22 by this Section and Section 5-15 shall not be construed as a
23 waiver of any rights that the individual has under other
24 federal or State laws, rules of evidence, or common law.
25 Section 10-15. Disclosure of protected health
26 information other than for treatment, payment, or qualified
27 health care operations.
28 (a) An entity may disclose protected health information
29 for purposes other than those for which notice is given under
30 Section 10-10, pursuant to a separate written authorization
31 to disclose executed by the individual who is the subject of
32 the information. The authorization must meet the
33 requirements of subsection (b).
-19- LRB9204459DJgc
1 (b) To be valid, an authorization must be separate from
2 any other notice or authorization required by this Article
3 10, must be either (i) in writing, dated, and signed by the
4 individual or (ii) in electronic form, dated, and
5 authenticated by the individual using a unique identifier,
6 must not have been revoked, and must do the following:
7 (1) Identify the person or entity authorized to
8 disclose protected health information.
9 (2) Identify the individual who is the subject of
10 the protected health information.
11 (3) Describe the nature of and the time span of the
12 protected health information to be disclosed.
13 (4) Identify the person to whom the information is
14 to be disclosed.
15 (5) Describe the purpose of the disclosure.
16 (6) State that it is subject to revocation by the
17 individual and indicate that the consent to disclose is
18 valid until revocation by the individual.
19 (7) Include the date on which the consent to
20 disclose ends.
21 (c) An individual may revoke in writing an authorization
22 under this Section at any time. An authorization obtained by
23 a health plan under this Section is deemed to be revoked at
24 the time of the cancellation or nonrenewal of enrollment in
25 the health plan. An entity that discloses protected health
26 information pursuant to an authorization that has been
27 revoked under this subsection is not subject to any liability
28 or penalty under this Article 10 for the disclosure if that
29 entity acted in good faith and had no actual or constructive
30 notice of the revocation.
31 (d) Article 15 provides for exceptions to the
32 requirement for the authorization.
33 (e) A recipient of protected health information
34 disclosed pursuant to an authorization under this Section may
-20- LRB9204459DJgc
1 use the information solely to carry out the purpose for which
2 the information was authorized for disclosure.
3 (f) Each entity collecting or storing protected health
4 information must maintain for 7 years, as part of an
5 individual's protected health information, a record of each
6 authorization by the individual and any revocation of
7 authorization by the individual.
8 Article 15. Excepted Uses and Disclosures
9 of Protected Health Information.
10 Section 15-5. Coroner or medical examiner. When a
11 coroner or medical examiner or one of their duly appointed
12 deputies seeks protected health information for the purpose
13 of inquiry into and determination of the cause, manner, and
14 circumstances of a death, any person shall provide the
15 requested protected health information to the coroner or
16 medical examiner or to the duly appointed deputies without
17 undue delay. If a coroner or medical examiner or one of
18 their duly appointed deputies receives protected health
19 information, this protected health information shall remain
20 protected health information unless it is attached to or
21 otherwise made a part of a coroner's or medical examiner's
22 official report. Health information attached to or otherwise
23 made a part of a coroner's or medical examiner's official
24 report is exempt from this Act.
25 Section 15-10. Disclosure to an individual's designated
26 representative, relative, or surrogate.
27 (a) A health care provider, or a person who receives
28 protected health information under subsection (b), may
29 disclose protected health information regarding an individual
30 to an individual's designated representative, relative, or
31 surrogate if:
-21- LRB9204459DJgc
1 (1) the individual who is the subject of the
2 information:
3 (A) has been notified of the individual's
4 right to object to the disclosure and the individual
5 has not objected to the disclosure; or
6 (B) is in a physical or mental condition such
7 that the individual is not capable of objecting, and
8 there are no prior indications that the individual
9 would object; and
10 (2) the information disclosed is for the purpose of
11 providing health care to that individual; or
12 (3) the disclosure of the protected health
13 information is consistent with good medical or
14 professional practice.
15 (b) Except as provided in subsection (d), a health care
16 provider may disclose the information described in subsection
17 (c) to any other person if the individual who is the subject
18 of the information:
19 (1) has been notified of the individual's right to
20 object and the individual has not objected to the
21 disclosure; or
22 (2) is in a physical or mental condition such that
23 the individual is not capable of objecting and
24 (A) the individual's designated
25 representative, relative, or surrogate has not
26 objected and
27 (B) there are no prior indications that the
28 individual would object.
29 (c) Information that may be disclosed under subsection
30 (b) is only that information that consists of any of the
31 following items:
32 (1) The name of the individual who is the subject
33 of the information.
34 (2) The general health status of the individual,
-22- LRB9204459DJgc
1 described as critical, poor, fair, stable, or
2 satisfactory or in terms denoting similar conditions.
3 (3) The location of the individual on premises
4 controlled by a provider. A disclosure of information
5 under this paragraph (3) may not be made if the
6 information would reveal specific information about the
7 physical or mental condition of the individual, unless
8 the individual expressly authorizes the disclosure.
9 (d) A disclosure may not be made under this Section if
10 the health care provider involved has reason to believe that
11 the disclosure of this information could lead to physical or
12 mental harm to the individual, unless the individual
13 expressly authorizes the disclosure.
14 Section 15-15. Identification of deceased individuals.
15 A health care provider may disclose protected health
16 information if the disclosure is necessary to assist in the
17 identification or safe handling of a deceased individual.
18 Section 15-20. Emergency circumstances. Any person who
19 creates or receives protected health information under this
20 Act may use or disclose protected health information in
21 emergency circumstances when the use or disclosure is
22 necessary to protect the health or safety of the individual
23 who is the subject of the information from serious, imminent
24 harm. A disclosure made in the good faith belief that the
25 use or disclosure was necessary to protect the health or
26 safety of an individual from serious, imminent harm is not a
27 violation of this Act.
28 Section 15-25. Disclosure for health oversight purposes.
29 (a) Any person may disclose protected health information
30 to a health oversight agency for purposes of an oversight
31 function authorized by law.
-23- LRB9204459DJgc
1 (b) For purposes of this Section, the individual with
2 authority to authorize the health oversight function involved
3 shall provide to the person described in subsection (a) a
4 statement that the protected health information is being
5 sought for a legally authorized oversight function.
6 (c) Protected health information about an individual
7 that was obtained under this Section may not be used in, or
8 disclosed to any person for use in, an administrative, civil,
9 or criminal action or investigation directed against the
10 individual unless the action or investigation arises out of
11 and is directly related to one of the following:
12 (1) The receipt of health care or payment for
13 health care.
14 (2) An action involving a fraudulent claim related
15 to health.
16 (3) An action involving oversight of a public
17 health authority or a health researcher.
18 (d) Protected health information disclosed for purposes
19 of this Section remains protected health information and may
20 not be further disclosed by the receiving health oversight
21 agency, except as permitted under this Section.
22 Section 15-30. Disclosure for public health purposes.
23 (a) Any person or entity may disclose protected health
24 information to the Department of Public Health or to another
25 person authorized by law, for use in any of the following
26 that is legally authorized:
27 (1) A disease or injury report.
28 (2) A public health surveillance.
29 (3) A public health investigation or intervention.
30 (4) A health or disease registry.
31 (b) The disclosure of protected health information
32 pursuant this Section to the Department of Public Health or
33 another person authorized by law is not a violation of this
-24- LRB9204459DJgc
1 Article 15.
2 (c) Protected health information disclosed for purposes
3 of this Section remains protected health information and may
4 not be further disclosed by the receiving authority or
5 person, except as permitted under this Section.
6 Section 15-35. Health research.
7 (a) A health care provider, health plan, employer,
8 insurer, or educational institution or the Department of
9 Public Health may disclose protected health information to a
10 health researcher if the following requirements are met:
11 (1) The research must have been approved by an
12 institutional review board. In evaluating a research
13 proposal, an institutional review board shall require
14 that the proposal demonstrate a clear purpose, scientific
15 integrity, and a realistic plan for maintaining the
16 confidentiality of protected health information.
17 (2) The health care provider, health plan,
18 employer, insurer, or educational institution or the
19 Department of Public Health may disclose only protected
20 health information that it has previously created or
21 collected.
22 (3) The holder of protected health information must
23 keep a record of all health researchers to whom protected
24 health information has been made available.
25 (b) A health researcher who receives protected health
26 information must remove and destroy, at the earliest
27 opportunity consistent with the purposes of the project
28 involved, any information that would enable an individual to
29 be identified.
30 (c) A health researcher who receives protected health
31 information may not disclose or use the protected health
32 information for any purpose other than that for which the
33 information was obtained, except that the health researcher
-25- LRB9204459DJgc
1 may disclose the information pursuant to subsection (a) of
2 Section 15-25.
3 Section 15-40. Disclosure in a civil, judicial, or
4 administrative proceeding.
5 (a) Protected health information may be disclosed
6 pursuant to a discovery request or subpoena in a civil action
7 brought in a State court or pursuant to a request or subpoena
8 related to a State administrative proceeding, but only if the
9 disclosure is made pursuant to a court order as provided for
10 in subsection (b) or pursuant to a written authorization
11 under Section 10-15.
12 (b) A court order issued under this Section must do the
13 following:
14 (1) Provide that the protected health information
15 involved is subject to court protection.
16 (2) Specify to whom the information may be
17 disclosed.
18 (3) Specify that the information may not otherwise
19 be disclosed or used.
20 (4) Meet any other requirements that the court
21 determines are needed to protect the confidentiality of
22 the information.
23 (c) This Section does not apply in a case in which the
24 protected health information sought under the discovery
25 request or subpoena is:
26 (1) nonidentifiable health information; and
27 (2) related to a party to the litigation whose
28 medical condition is at issue.
29 (d) The release of any protected health information
30 under this Section does not violate this Article 15.
31 Section 15-45. Disclosure for civil or administrative
32 law enforcement purposes.
-26- LRB9204459DJgc
1 (a) For the purposes of this Section only, "entity"
2 means a health care provider, health plan, health oversight
3 agency, employer, insurer, or educational institution.
4 (b) Except as to disclosures to a health oversight
5 agency, which are governed by Section 15-25, an entity or
6 person who receives protected health information pursuant to
7 Section 10-15 or Sections 15-5 through 15-35 may disclose
8 protected health information under this Section if the
9 disclosure is pursuant to one of the following:
10 (1) An administrative subpoena or summons or
11 judicial subpoena.
12 (2) Consent in accordance with Section 10-15.
13 (3) A court order.
14 (c) A subpoena or summons for a disclosure under
15 subdivision (b)(1) may be issued only if the civil or
16 administrative law enforcement agency involved shows that
17 there is probable cause to believe that the information is
18 relevant to a legitimate law enforcement inquiry.
19 (d) When the matter or need for which protected health
20 information was disclosed to a civil or administrative law
21 enforcement agency under subsection (b) has concluded,
22 including the conclusion of any derivative matters arising
23 from the matter or need, the civil or administrative law
24 enforcement agency must either destroy the protected health
25 information or return all of the protected health information
26 to the person from whom it was obtained.
27 (e) To the extent practicable, and consistent with the
28 requirements of due process, a civil or administrative law
29 enforcement agency must redact personally identifying
30 information from protected health information before the
31 public disclosure of the protected information in a judicial
32 or administrative proceeding.
33 (f) Protected health information obtained by a civil or
34 administrative law enforcement agency pursuant to this
-27- LRB9204459DJgc
1 Section may be used only for purposes of a legitimate law
2 enforcement activity.
3 (g) If protected health information is obtained without
4 meeting the requirements of subdivision (b)(1), (b)(2), or
5 (b)(3), any information that is unlawfully obtained must be
6 excluded from a court proceeding unless the defendant
7 requests otherwise.
8 Article 20. Violations of the Act
9 Section 20-5. Wrongful disclosure of protected health
10 information.
11 (a) A person who knowingly or intentionally obtains
12 protected health information relating to an individual in
13 violation of this Act or who knowingly or intentionally
14 discloses protected health information to another person in
15 violation of this Act is guilty of a Class 3 felony.
16 (b) A person who knowingly or intentionally sells,
17 transfers, or uses protected health information for
18 commercial advantage, personal gain, or malicious harm in
19 violation of this Act is guilty of a Class 2 felony.
20 Section 20-10. Civil actions by individuals.
21 (a) Any individual whose rights under this Act have been
22 violated may bring a civil action against the person or
23 entity responsible for the violation.
24 (b) In any civil action brought under this Section, if
25 the court finds a violation of an individual's rights under
26 this Act, the court may award one or more of the following:
27 (1) Injunctive relief, including enjoining an
28 individual or entity from engaging in a practice that
29 violates this Act.
30 (2) Equitable relief.
31 (3) Compensatory damages for injuries suffered by
-28- LRB9204459DJgc
1 the individual. Injuries compensable under this Section
2 include, but are not limited to, personal injury
3 including emotional distress, reputational injury, injury
4 to property, and consequential damages.
5 (4) Punitive damages, as appropriate.
6 (5) Costs of the action.
7 (6) Attorney's fees, as appropriate.
8 (7) Any other relief the court finds appropriate.
9 (c) An action may not be commenced under this Section
10 after the time period stated in Section 13-202 of the Code of
11 Civil Procedure.
12 Section 20-15. Cease and desist orders; civil penalty.
13 (a) A court shall issue and cause to be served upon a
14 person who has violated any provision of this Act a copy of
15 the court's findings and an order requiring the person to
16 cease and desist from violating this Act or to otherwise
17 comply with the requirements of this Act. The court may also
18 order any one or more of the following:
19 (1) For any violation of this Act, payment of a
20 civil penalty of not more than $500 for each violation
21 but not more than $5,000 in the aggregate for multiple
22 violations.
23 (2) For a knowing violation of this Act, payment of
24 a civil penalty of not more than $25,000 for each
25 violation but not more than $100,000 in the aggregate for
26 multiple violations.
27 (3) For violations of this Act that have occurred
28 with such frequency as to constitute a general business
29 practice, a civil penalty of $100,000.
30 (b) Any person who violates a cease and desist order or
31 injunction issued under this Section may be subject to a
32 civil penalty of not more than $10,000 for each act in
33 violation of the cease and desist order.
-29- LRB9204459DJgc
1 (c) An order or injunction issued under this Section
2 does not in any way relieve or absolve any person affected by
3 the order from any other liability, penalty, or forfeiture
4 required by law.
5 (d) Any civil penalties collected under this Section
6 shall be deposited into the General Revenue Fund.
7 Section 20-20. Prevention and deterrence. To promote
8 the prevention and deterrence of acts or omissions that
9 violate laws designed to safeguard the protected health
10 information in a manner consistent with this Act, the
11 Director of Public Health, in cooperation with any other
12 appropriate individual, organization, or agency as determined
13 by the Director, may provide advice, training, technical
14 assistance, and guidance regarding ways to prevent improper
15 disclosure of protected health information.
16 Article 25. Miscellaneous Provisions
17 Section 25-5. Payment card or electronic payment
18 transaction.
19 (a) If an individual pays for health care by presenting
20 a debit, credit, or other payment card or account number, or
21 by any other electronic payment means, the entity receiving
22 payment may disclose to a person described in subsection (b)
23 only the protected health information about the individual
24 that is necessary for the processing of the payment
25 transaction or the billing or collection of amounts charged
26 to, debited from, or otherwise paid by the individual using
27 the card, number, or other electronic means.
28 (b) A person who is a debit, credit, or other payment
29 card issuer, who is otherwise directly involved in the
30 processing of payment transactions involving such cards or
31 other electronic payment transactions, or who is otherwise
-30- LRB9204459DJgc
1 directly involved in the billing or collection of amounts
2 paid through these means may use or disclose protected health
3 information about an individual that has been disclosed in
4 accordance with subsection (a) only when necessary for one or
5 more of the following:
6 (1) The settlement, billing, or collection of
7 amounts charged to, debited from, or otherwise paid by
8 the individual using a debit, credit, or other payment
9 card or account number or by other electronic payment
10 means.
11 (2) The transfer of receivables or accounts or an
12 interest in receivables or accounts.
13 (3) The internal audit of the debit, credit, or
14 other payment card account information.
15 (4) Compliance with a federal or State law or a
16 local ordinance.
17 (5) Compliance with a properly authorized civil,
18 criminal, or regulatory investigation by federal, State,
19 or local authorities as governed by the requirements of
20 this Section.
21 Section 25-10. Standards for electronic disclosures.
22 The Department of Public Health shall adopt rules to
23 establish standards for disclosing, authorizing, and
24 authenticating, protected health information in electronic
25 form consistent with this Act.
26 Section 25-15. Rights of minors.
27 (a) In the case of an individual who is 18 years of age
28 or older, all rights of an individual under this Act shall be
29 exercised by the individual.
30 (b) In the case of an individual of any age who, acting
31 alone, may obtain a type of health care without violating any
32 applicable federal or State law, and who has sought this
-31- LRB9204459DJgc
1 care, the individual shall exercise all rights of an
2 individual under this Act with respect to health care.
3 (c) Except as provided in subsection (b):
4 (1) In the case of an individual who is under 14
5 years of age, all of the individual's rights under this
6 Act may be exercised only through the parent or legal
7 guardian.
8 (2) In the case of an individual who is at least 14
9 but less than 18 years of age, the rights of inspection
10 and amendment and the right to authorize use and
11 disclosure of protected health information of the
12 individual may be exercised by the individual or by the
13 parent or legal guardian of the individual. If the
14 individual and the parent or legal guardian do not agree
15 as to whether to authorize the use or disclosure of
16 protected health information of the individual, the
17 individual's authorization or revocation of authorization
18 shall control.
19 Section 25-20. Deceased individuals. This Act continues
20 to apply to protected health information concerning a
21 deceased individual following the death of that individual.
22 A person who is authorized by law or by an instrument
23 recognized under law to act as a personal representative of
24 the estate of a deceased individual or otherwise to exercise
25 the rights of the deceased individual, to the extent so
26 authorized, may exercise and discharge the rights of the
27 deceased individual under this Act.
28 Section 25-25. Relationship to other laws.
29 (a) Nothing in this Act shall be construed to preempt or
30 modify any provisions of State law concerning a privilege of
31 a witness or other person in a court of this State. Receipt
32 of notice pursuant to Section 10-10 or consent to disclosure
-32- LRB9204459DJgc
1 pursuant to Section 10-15 shall not be construed as a waiver
2 of these privileges.
3 (b) Nothing in this Act shall be construed to preempt,
4 supersede, or modify the operation of any State law that does
5 any of the following:
6 (1) Provides for the reporting of vital statistics
7 such as birth or death information.
8 (2) Requires the reporting of abuse or neglect
9 information about any individual.
10 (3) Relates to public or mental health and prevents
11 or otherwise restricts disclosure of information
12 otherwise permissible under this Act, except that if this
13 Act is more protective of information, it shall prevail.
14 (4) Governs a minor's right to access protected
15 health information or health care services.
16 (5) Meets any other requirements that the court
17 determines are needed to protect the confidentiality of
18 the information.
19 In particular, nothing in this Act shall be construed to
20 preempt, supersede, or modify the operation of any provision
21 of the Mental Health and Developmental Disabilities
22 Confidentiality Act, Section 8-2101 of the Code of Civil
23 Procedure, or Section 6.17 of the Hospital Licensing Act. In
24 the case of a conflict between a provision of this Act and
25 one of those other provisions, the other provision controls.
26 Section 25-30. Report by Department of Public Health.
27 The Department of Public Health shall submit a status report
28 to the General Assembly on the adoption of rules required by
29 this Act and regarding existing licensure, certification, and
30 regulatory mechanisms for the imposition of sanctions or
31 penalties for the wrongful disclosure of protected health
32 information. The Department shall submit the report no later
33 than one year after the effective date of this Act.
-33- LRB9204459DJgc
1 Section 25-35. Reports by insurers.
2 (a) Subsection (b) applies to every entity to the extent
3 that the entity meets the following criteria:
4 (1) The entity transacts the type of business
5 enumerated in clause (a) (life insurance) of Class 1 of
6 Section 4 of the Illinois Insurance Code.
7 (2) The entity transacts the types of business
8 enumerated in clauses of Class 2 of Section 4 of the
9 Illinois Insurance Code other than clauses (a) (accident
10 and health insurance), (g) (fidelity and surety
11 insurance), and (l) (legal expense insurance).
12 (3) The entity transacts the types of business
13 enumerated in Class 3 (fire and marine, etc.) of Section
14 4 of the Illinois Insurance Code.
15 (4) The entity provides disability income
16 protection coverage under Article XX (Accident and Health
17 Insurance) of the Illinois Insurance Code.
18 (5) The entity is regulated under Article XIXA
19 (Long-term Care Insurance) of the Illinois Insurance
20 Code.
21 (b) Every entity described in subsection (a) must submit
22 to the Director of Insurance a report and recommendations for
23 proposed legislation governing the treatment of protected
24 health information. The report shall include, but need not
25 be limited to, a discussion of the National Association of
26 Insurance Commissioners Insurance Information and Privacy
27 Protection Act, or substantially similar legislation. The
28 entity shall submit the report no later than 9 months after
29 the effective date of this Act.
30 (c) No later than one year after the effective date of
31 this Act, the Director of Insurance shall submit to the
32 General Assembly a report that summarizes the reports and
33 recommendations submitted to the Director by insurers under
34 subsection (b).
-34- LRB9204459DJgc
1 Section 25-40. Severability. The provisions of this Act
2 are severable under Section 1.31 of the Statute on Statutes.
3 Article 90. Amendatory Provisions.
4 Section 90-5. The Hospital Licensing Act is amended by
5 changing Section 6.17 as follows:
6 (210 ILCS 85/6.17)
7 Sec. 6.17. Protection of and confidential access to
8 medical records and information.
9 (a) Every hospital licensed under this Act shall develop
10 a medical record for each of its patients as required by the
11 Department by rule.
12 (b) All information regarding a hospital patient
13 gathered by the hospital's medical staff and its agents and
14 employees shall be the property and responsibility of the
15 hospital and must be protected from inappropriate disclosure
16 as provided in this Section.
17 (c) Every hospital shall preserve its medical records in
18 a format and for a duration established by hospital policy
19 and for not less than 10 years, provided that if the hospital
20 has been notified in writing by an attorney before the
21 expiration of the 10 year retention period that there is
22 litigation pending in court involving the record of a
23 particular patient as possible evidence and that the patient
24 is his client or is the person who has instituted such
25 litigation against his client, then the hospital shall retain
26 the record of that patient until notified in writing by the
27 plaintiff's attorney, with the approval of the defendant's
28 attorney of record, that the case in court involving such
29 record has been concluded or for a period of 12 years from
30 the date that the record was produced, whichever occurs first
31 in time.
-35- LRB9204459DJgc
1 (d) No member of a hospital's medical staff and no agent
2 or employee of a hospital shall disclose the nature or
3 details of services provided to patients, except that the
4 information may be disclosed to the patient, persons
5 authorized by the patient, the party making treatment
6 decisions, if the patient is incapable of making decisions
7 regarding the health services provided, those parties
8 directly involved with providing treatment to the patient or
9 processing the payment for that treatment, those parties
10 responsible for peer review, utilization review, quality
11 assurance, risk management or defense of claims brought
12 against the hospital arising out of the care, and those
13 parties required to be notified under the Abused and
14 Neglected Child Reporting Act, the Illinois Sexually
15 Transmissible Disease Control Act, or where otherwise
16 authorized or required by law.
17 (e) The hospital's medical staff members and the
18 hospital's agents and employees may communicate, at any time
19 and in any fashion, with legal counsel for the hospital
20 concerning the patient medical record privacy and retention
21 requirements of this Section and any care or treatment they
22 provided or assisted in providing to any patient within the
23 scope of their employment or affiliation with the hospital.
24 (f) Each hospital licensed under this Act shall provide
25 its federally designated organ procurement agency and any
26 tissue bank with which it has an agreement with access to the
27 medical records of deceased patients for the following
28 purposes:
29 (1) estimating the hospital's organ and tissue
30 donation potential;
31 (2) identifying the educational needs of the
32 hospital with respect to organ and tissue donation; and
33 (3) identifying the number of organ and tissue
34 donations and referrals to potential organ and tissue
-36- LRB9204459DJgc
1 donors.
2 (g) All hospital and patient information, interviews,
3 reports, statements, memoranda, and other data obtained or
4 created by a tissue bank or federally designated organ
5 procurement agency from the medical records review described
6 in subsection (f) shall be privileged, strictly confidential,
7 and used only for the purposes put forth in subsection (f) of
8 this Section and shall not be admissible as evidence nor
9 discoverable in an action of any kind in court or before a
10 tribunal, board, agency, or person.
11 (h) Any person who, in good faith, acts in accordance
12 with the terms of this Section shall not be subject to any
13 type of civil or criminal liability or discipline for
14 unprofessional conduct for those actions.
15 (i) Any individual who wilfully or wantonly discloses
16 hospital or medical record information in violation of this
17 Section is guilty of a Class A misdemeanor. As used in this
18 subsection, "wilfully or wantonly" means a course of action
19 that shows an actual or deliberate intention to cause harm or
20 that, if not intentional, shows an utter indifference to or
21 conscious disregard for the safety of others or their
22 property.
23 (j) In the case of a conflict between a provision of
24 this Section and a provision of the Health Care Information
25 Privacy Act, this Section controls.
26 (Source: P.A. 91-526, eff. 1-1-00.)
27 Section 90-10. The Illinois Insurance Code is amended by
28 changing Section 1014 as follows:
29 (215 ILCS 5/1014) (from Ch. 73, par. 1065.714)
30 Sec. 1014. Disclosure Limitations and Conditions. An
31 insurance institution, agent or insurance-support
32 organization shall not disclose any personal or privileged
-37- LRB9204459DJgc
1 information about an individual collected or received in
2 connection with an insurance transaction unless the
3 disclosure is:
4 (A) with the written authorization of the individual,
5 provided:
6 (1) if such authorization is submitted by another
7 insurance institution, agent or insurance-support
8 organization, the authorization meets the requirements of
9 Section 1007 of this Article, or
10 (2) if such authorization is submitted by a person other
11 than an insurance institution, agent or insurance-support
12 organization, the authorization is:
13 (a) dated,
14 (b) signed by the individual, and
15 (c) obtained one year or less prior to the date a
16 disclosure is sought pursuant to this subsection; or
17 (B) to a person other than an insurance institution,
18 agent or insurance-support organization, provided such
19 disclosure is reasonably necessary:
20 (1) to enable such person to perform a business,
21 professional or insurance function for the disclosing
22 insurance institution, agent or insurance-support
23 organization and such person agrees not to disclose the
24 information further without the individual's written
25 authorization unless the further disclosure:
26 (a) would otherwise be permitted by this Section if made
27 by an insurance institution, agent, or insurance-support
28 organization, or
29 (b) is reasonably necessary for such person to perform
30 its function for the disclosing insurance institution, agent,
31 or insurance-support organization, or
32 (2) to enable such person to provide information to the
33 disclosing insurance institution, agent, or insurance-support
34 organization for the purpose of:
-38- LRB9204459DJgc
1 (a) determining an individual's eligibility for an
2 insurance benefit or payment, or
3 (b) detecting or preventing criminal activity, fraud,
4 material misrepresentation or material nondisclosure in
5 connection with an insurance transaction; or
6 (C) to an insurance institution, agent,
7 insurance-support organization or self-insurer, provided the
8 information disclosed is limited to that which is reasonably
9 necessary:
10 (1) to detect or prevent criminal activity, fraud,
11 material misrepresentation or material nondisclosure in
12 connection with insurance transactions, or
13 (2) for either the disclosing or receiving insurance
14 institution, agent or insurance-support organization to
15 perform its function in connection with an insurance
16 transaction involving the individual; or
17 (D) to a medical care institution or medical
18 professional for the purpose of:
19 (1) verifying insurance coverage or benefits,
20 (2) informing an individual of a medical problem of which
21 the individual may not be aware, or
22 (3) conducting an operations or services audit, provided
23 only such information is disclosed as is reasonably necessary
24 to accomplish the foregoing purposes; or
25 (E) to an insurance regulatory authority; or
26 (F) to a law enforcement or other governmental
27 authority:
28 (1) to protect the interests of the insurance
29 institution, agent or insurance-support organization in
30 preventing or prosecuting the perpetration of fraud upon it,
31 or
32 (2) if the insurance institution, agent or
33 insurance-support organization reasonably believes that
34 illegal activities have been conducted by the individual; or
-39- LRB9204459DJgc
1 (G) otherwise permitted or required by law; or
2 (H) in response to a facially valid administrative or
3 judicial order, including a search warrant or subpoena; or
4 (I) made for the purpose of conducting actuarial or
5 research studies provided:
6 (1) no individual may be identified in any actuarial or
7 research report,
8 (2) materials allowing the individual to be identified
9 are returned or destroyed as soon as they are no longer
10 needed, and
11 (3) the actuarial or research organization agrees not to
12 disclose the information unless the disclosure would
13 otherwise be permitted by this Section if made by an
14 insurance institution, agent or insurance-support
15 organization; or
16 (J) to a party or a representative of a party to a
17 proposed or consummated sale, transfer, merger or
18 consolidation of all or part of the business of the insurance
19 institution, agent or insurance support organization,
20 provided:
21 (1) prior to the consummation of the sale, transfer,
22 merger or consolidation only such information is disclosed as
23 is reasonably necessary to enable the recipient to make
24 business decisions about the purchase, transfer, merger or
25 consolidation, and
26 (2) the recipient agrees not to disclose the information
27 unless the disclosure would otherwise be permitted by this
28 Section if made by an insurance institution, agent or
29 insurance-support organization; or
30 (K) to a person whose only use of such information will
31 be in connection with the marketing of a product or service,
32 provided:
33 (1) no medical-record information, privileged
34 information, or personal information relating to an
-40- LRB9204459DJgc
1 individual's character, personal habits, mode of living or
2 general reputation is disclosed, and no classification
3 derived from such information is disclosed,
4 (2) the individual has been given an opportunity to
5 indicate that he or she does not want personal information
6 disclosed for marketing purposes and has given no indication
7 that he or she does not want the information disclosed, and
8 (3) the person receiving such information agrees not to
9 use it except in connection with the marketing of a product
10 or service; or
11 (L) to an affiliate whose only use of the information
12 will be in connection with an audit of the insurance
13 institution or agent or the marketing of an insurance product
14 or service, provided the affiliate agrees not to disclose the
15 information for any other purpose or to unaffiliated persons;
16 or
17 (M) by a consumer reporting agency, provided: the
18 disclosure is to a person other than an insurance institution
19 or agent; or
20 (N) to a group policyholder for the purpose of reporting
21 claims experience or conducting an audit of the insurance
22 institution's or agent's operations or services, provided the
23 information disclosed is reasonably necessary for the group
24 policyholder to conduct the review or audit; or
25 (O) to a professional peer review organization for the
26 purpose of reviewing the service or conduct of a medical-care
27 institution or medical professional; or
28 (P) to a governmental authority for the purpose of
29 determining the individual's eligibility for health benefits
30 for which the governmental authority may be liable; or
31 (Q) to a certificateholder or policyholder for the
32 purpose of providing information regarding the status of an
33 insurance transaction; or
34 (R) to a lienholder, mortgagee, assignee, lessee, or
-41- LRB9204459DJgc
1 other person shown on the records of an insurance institution
2 or agent as having a legal or beneficial interest in a policy
3 of insurance; provided that information disclosed is limited
4 to that which is reasonably necessary to permit such person
5 to protect its interest in such policy.
6 In the case of a conflict between a provision of this
7 Section and a provision of the Health Care Information
8 Privacy Act, this Section controls.
9 (Source: P.A. 82-108.)
10 Section 90-15. The Code of Civil Procedure is amended by
11 changing Sections 2-1101 and 8-2101 and adding Section
12 2-1101.5 as follows:
13 (735 ILCS 5/2-1101) (from Ch. 110, par. 2-1101)
14 Sec. 2-1101. Subpoenas. The clerk of any court in which
15 an action is pending shall, from time to time, issue
16 subpoenas for those witnesses and to those counties in the
17 State as may be required by either party. Every clerk who
18 shall refuse so to do shall be guilty of a petty offense and
19 fined any sum not to exceed $100. An order of court is not
20 required to obtain the issuance by the clerk of a subpoena
21 duces tecum. For good cause shown, the court on motion may
22 quash or modify any subpoena or, in the case of a subpoena
23 duces tecum, condition the denial of the motion upon payment
24 in advance by the person in whose behalf the subpoena is
25 issued of the reasonable expense of producing any item
26 therein specified.
27 In the event that a party has subpoenaed an expert
28 witness including, but not limited to physicians or medical
29 providers, and the expert witness appears in court, and a
30 conflict arises between the party subpoenaing the expert
31 witness and the expert witness over the fees charged by the
32 expert witness, the trial court shall be advised of the
-42- LRB9204459DJgc
1 conflict. The trial court shall conduct a hearing subsequent
2 to the testimony of the expert witness and shall determine
3 the reasonable fee to be paid to the expert witness.
4 In the case of a conflict between a provision of this
5 Section and a provision of the Health Care Information
6 Privacy Act, this Section controls.
7 (Source: P.A. 87-418.)
8 (735 ILCS 5/2-1101.5 new)
9 Sec. 2-1101.5. Subpoena duces tecum; protected health
10 information.
11 (a) In this Section, "protected health information" has
12 the meaning ascribed to that term in the Health Care
13 Information Privacy Act.
14 (b) A subpoena duces tecum to produce protected health
15 information is valid only if accompanied by either a court
16 order or a written authorization signed in accordance with
17 Section 10-15 of the Health Care Information Privacy Act.
18 (c) An order for a subpoena duces tecum to produce
19 protected health information must do all of the following:
20 (1) Provide that the protected health information
21 involved is subject to court protection.
22 (2) Specify to whom the information may be
23 disclosed.
24 (3) Specify that the information may not be
25 disclosed or used except as provided in the order.
26 (4) Meet any other requirements that the court
27 determines are needed to protect the confidentiality of
28 the information.
29 (d) Whenever (A) a subpoena duces tecum to produce
30 protected health information is served upon the custodian of
31 medical records or another qualified witness in a civil
32 action or other proceeding in which (i) the custodian or
33 other witness or the custodian's or other witness's employer
-43- LRB9204459DJgc
1 is not a party to the action or proceeding and (ii) it is not
2 alleged that the claim arose at the office, facility, or
3 institution to which the subpoena duces tecum is directed and
4 (B) the subpoena requires the production in court, or before
5 an officer, board, commission, or tribunal, of all or any
6 part of the medical records of a patient who is or has been
7 cared for or treated at the office, facility, or institution,
8 it shall be deemed sufficient compliance with the subpoena if
9 the custodian or other qualified witness within 5 days after
10 receipt of the subpoena delivers by registered or certified
11 mail or by messenger a true and correct copy of all the
12 medical records described in the subpoena to the clerk of the
13 court or the clerk's deputy authorized to issue it, together
14 with an affidavit stating in substance each of the following:
15 (1) The affiant is the duly authorized custodian of
16 the medical records and has authority to certify the
17 medical records.
18 (2) The copy is a true copy of all the medical
19 records described in the subpoena.
20 (3) The medical records were prepared by the
21 personnel of the medical facility, by staff physicians,
22 or by persons acting under the control of either of
23 those, in the regular course of business at or near the
24 time of the act, condition, or event.
25 (e) This Section shall not be construed to supersede any
26 grounds that may apply under federal or State law for
27 objecting to turning over the protected health information.
28 (Source: P.A. 87-418.)
29 (735 ILCS 5/8-2101) (from Ch. 110, par. 8-2101)
30 Sec. 8-2101. Information obtained. All information,
31 interviews, reports, statements, memoranda, recommendations,
32 letters of reference or other third party confidential
33 assessments of a health care practitioner's professional
-44- LRB9204459DJgc
1 competence, or other data of the Illinois Department of
2 Public Health, local health departments, the Department of
3 Human Services (as successor to the Department of Mental
4 Health and Developmental Disabilities), the Mental Health and
5 Developmental Disabilities Medical Review Board, Illinois
6 State Medical Society, allied medical societies, health
7 maintenance organizations, medical organizations under
8 contract with health maintenance organizations or with
9 insurance or other health care delivery entities or
10 facilities, tissue banks, organ procurement agencies,
11 physician-owned inter-insurance exchanges and their agents,
12 committees of ambulatory surgical treatment centers or
13 post-surgical recovery centers or their medical staffs, or
14 committees of licensed or accredited hospitals or their
15 medical staffs, including Patient Care Audit Committees,
16 Medical Care Evaluation Committees, Utilization Review
17 Committees, Credential Committees and Executive Committees,
18 or their designees (but not the medical records pertaining to
19 the patient), used in the course of internal quality control
20 or of medical study for the purpose of reducing morbidity or
21 mortality, or for improving patient care or increasing organ
22 and tissue donation, shall be privileged, strictly
23 confidential and shall be used only for medical research,
24 increasing organ and tissue donation, the evaluation and
25 improvement of quality care, or granting, limiting or
26 revoking staff privileges or agreements for services, except
27 that in any health maintenance organization proceeding to
28 decide upon a physician's services or any hospital or
29 ambulatory surgical treatment center proceeding to decide
30 upon a physician's staff privileges, or in any judicial
31 review of either, the claim of confidentiality shall not be
32 invoked to deny such physician access to or use of data upon
33 which such a decision was based.
34 In the case of a conflict between a provision of this
-45- LRB9204459DJgc
1 Section and a provision of the Health Care Information
2 Privacy Act, this Section controls.
3 (Source: P.A. 89-393, eff. 8-20-95; 89-507, eff. 7-1-97.)
4 Section 90-20. The Mental Health and Developmental
5 Disabilities Confidentiality Act is amended by adding Section
6 1.5 as follows:
7 (740 ILCS 110/1.5 new)
8 Sec. 1.5. Relationship to the Health Care Information
9 Privacy Act. In the case of a conflict between a provision of
10 this Act and a provision of the Health Care Information
11 Privacy Act, this Act controls.