Public Act 101-0132
 
HB2189 EnrolledLRB101 06626 CPF 51653 b

    AN ACT concerning health.
 
    Be it enacted by the People of the State of Illinois,
represented in the General Assembly:
 
    Section 5. The Genetic Information Privacy Act is amended
by changing Sections 10 and 20 as follows:
 
    (410 ILCS 513/10)
    Sec. 10. Definitions. As used in this Act:
    "Authority" means the Illinois Health Information Exchange
Authority established pursuant to the Illinois Health
Information Exchange and Technology Act.
    "Business associate" has the meaning ascribed to it under
HIPAA, as specified in 45 CFR 160.103.
    "Covered entity" has the meaning ascribed to it under
HIPAA, as specified in 45 CFR 160.103.
    "De-identified information" means health information that
is not individually identifiable as described under HIPAA, as
specified in 45 CFR 164.514(b).
    "Disclosure" has the meaning ascribed to it under HIPAA, as
specified in 45 CFR 160.103.
    "Employer" means the State of Illinois, any unit of local
government, and any board, commission, department,
institution, or school district, any party to a public
contract, any joint apprenticeship or training committee
within the State, and every other person employing employees
within the State.
    "Employment agency" means both public and private
employment agencies and any person, labor organization, or
labor union having a hiring hall or hiring office regularly
undertaking, with or without compensation, to procure
opportunities to work, or to procure, recruit, refer, or place
employees.
    "Family member" means, with respect to an individual, (i)
the spouse of the individual; (ii) a dependent child of the
individual, including a child who is born to or placed for
adoption with the individual; (iii) any other person qualifying
as a covered dependent under a managed care plan; and (iv) all
other individuals related by blood or law to the individual or
the spouse or child described in subsections (i) through (iii)
of this definition.
    "Genetic information" has the meaning ascribed to it under
HIPAA, as specified in 45 CFR 160.103.
    "Genetic monitoring" means the periodic examination of
employees to evaluate acquired modifications to their genetic
material, such as chromosomal damage or evidence of increased
occurrence of mutations that may have developed in the course
of employment due to exposure to toxic substances in the
workplace in order to identify, evaluate, and respond to
effects of or control adverse environmental exposures in the
workplace.
    "Genetic services" has the meaning ascribed to it under
HIPAA, as specified in 45 CFR 160.103.
    "Genetic testing" and "genetic test" have the meaning
ascribed to "genetic test" under HIPAA, as specified in 45 CFR
160.103. "Genetic testing" includes direct-to-consumer
commercial genetic testing.
    "Health care operations" has the meaning ascribed to it
under HIPAA, as specified in 45 CFR 164.501.
    "Health care professional" means (i) a licensed physician,
(ii) a licensed physician assistant, (iii) a licensed advanced
practice registered nurse, (iv) a licensed dentist, (v) a
licensed podiatrist, (vi) a licensed genetic counselor, or
(vii) an individual certified to provide genetic testing by a
state or local public health department.
    "Health care provider" has the meaning ascribed to it under
HIPAA, as specified in 45 CFR 160.103.
    "Health facility" means a hospital, blood bank, blood
center, sperm bank, or other health care institution, including
any "health facility" as that term is defined in the Illinois
Finance Authority Act.
    "Health information exchange" or "HIE" means a health
information exchange or health information organization that
exchanges health information electronically that (i) is
established pursuant to the Illinois Health Information
Exchange and Technology Act, or any subsequent amendments
thereto, and any administrative rules promulgated thereunder;
(ii) has established a data sharing arrangement with the
Authority; or (iii) as of August 16, 2013, was designated by
the Authority Board as a member of, or was represented on, the
Authority Board's Regional Health Information Exchange
Workgroup; provided that such designation shall not require the
establishment of a data sharing arrangement or other
participation with the Illinois Health Information Exchange or
the payment of any fee. In certain circumstances, in accordance
with HIPAA, an HIE will be a business associate.
    "Health oversight agency" has the meaning ascribed to it
under HIPAA, as specified in 45 CFR 164.501.
    "HIPAA" means the Health Insurance Portability and
Accountability Act of 1996, Public Law 104-191, as amended by
the Health Information Technology for Economic and Clinical
Health Act of 2009, Public Law 111-05, and any subsequent
amendments thereto and any regulations promulgated thereunder.
    "Insurer" means (i) an entity that is subject to the
jurisdiction of the Director of Insurance and (ii) a managed
care plan.
    "Labor organization" includes any organization, labor
union, craft union, or any voluntary unincorporated
association designed to further the cause of the rights of
union labor that is constituted for the purpose, in whole or in
part, of collective bargaining or of dealing with employers
concerning grievances, terms or conditions of employment, or
apprenticeships or applications for apprenticeships, or of
other mutual aid or protection in connection with employment,
including apprenticeships or applications for apprenticeships.
    "Licensing agency" means a board, commission, committee,
council, department, or officers, except a judicial officer, in
this State or any political subdivision authorized to grant,
deny, renew, revoke, suspend, annul, withdraw, or amend a
license or certificate of registration.
    "Limited data set" has the meaning ascribed to it under
HIPAA, as described in 45 CFR 164.514(e)(2).
    "Managed care plan" means a plan that establishes,
operates, or maintains a network of health care providers that
have entered into agreements with the plan to provide health
care services to enrollees where the plan has the ultimate and
direct contractual obligation to the enrollee to arrange for
the provision of or pay for services through:
        (1) organizational arrangements for ongoing quality
    assurance, utilization review programs, or dispute
    resolution; or
        (2) financial incentives for persons enrolled in the
    plan to use the participating providers and procedures
    covered by the plan.
    A managed care plan may be established or operated by any
entity including a licensed insurance company, hospital or
medical service plan, health maintenance organization, limited
health service organization, preferred provider organization,
third party administrator, or an employer or employee
organization.
    "Minimum necessary" means HIPAA's standard for using,
disclosing, and requesting protected health information found
in 45 CFR 164.502(b) and 164.514(d).
    "Nontherapeutic purpose" means a purpose that is not
intended to improve or preserve the life or health of the
individual whom the information concerns.
    "Organized health care arrangement" has the meaning
ascribed to it under HIPAA, as specified in 45 CFR 160.103.
    "Patient safety activities" has the meaning ascribed to it
under 42 CFR 3.20.
    "Payment" has the meaning ascribed to it under HIPAA, as
specified in 45 CFR 164.501.
    "Person" includes any natural person, partnership,
association, joint venture, trust, governmental entity, public
or private corporation, health facility, or other legal entity.
    "Protected health information" has the meaning ascribed to
it under HIPAA, as specified in 45 CFR 164.103.
    "Research" has the meaning ascribed to it under HIPAA, as
specified in 45 CFR 164.501.
    "State agency" means an instrumentality of the State of
Illinois and any instrumentality of another state which
pursuant to applicable law or a written undertaking with an
instrumentality of the State of Illinois is bound to protect
the privacy of genetic information of Illinois persons.
    "Treatment" has the meaning ascribed to it under HIPAA, as
specified in 45 CFR 164.501.
    "Use" has the meaning ascribed to it under HIPAA, as
specified in 45 CFR 160.103, where context dictates.
(Source: P.A. 99-173, eff. 7-29-15; 100-513, eff. 1-1-18.)
 
    (410 ILCS 513/20)
    Sec. 20. Use of genetic testing information for insurance
purposes.
    (a) An insurer may not seek information derived from
genetic testing for use in connection with a policy of accident
and health insurance. Except as provided in subsection (c), an
insurer that receives information derived from genetic
testing, regardless of the source of that information, may not
use the information for a nontherapeutic purpose as it relates
to a policy of accident and health insurance.
    (b) An insurer shall not use or disclose protected health
information that is genetic information for underwriting
purposes. For purposes of this Section, "underwriting
purposes" means, with respect to an insurer:
        (1) rules for, or determination of, eligibility
    (including enrollment and continued eligibility) for, or
    determination of, benefits under the plan, coverage, or
    policy (including changes in deductibles or other
    cost-sharing mechanisms in return for activities such as
    completing a health risk assessment or participating in a
    wellness program);
        (2) the computation of premium or contribution amounts
    under the plan, coverage, or policy (including discounts,
    rebates, payments in kind, or other premium differential
    mechanisms in return for activities, such as completing a
    health risk assessment or participating in a wellness
    program);
        (3) the application of any pre-existing condition
    exclusion under the plan, coverage, or policy; and
        (4) other activities related to the creation, renewal,
    or replacement of a contract of health insurance or health
    benefits.
    "Underwriting purposes" does not include determinations of
medical appropriateness where an individual seeks a benefit
under the plan, coverage, or policy.
    This subsection (b) does not apply to insurers that are
issuing a long-term care policy, excluding a nursing home fixed
indemnity plan.
    (c) An insurer may consider the results of genetic testing
in connection with a policy of accident and health insurance if
the individual voluntarily submits the results and the results
are favorable to the individual.
    (d) An insurer that possesses information derived from
genetic testing may not release the information to a third
party, except as specified in this Act.
    (e) A company providing direct-to-consumer commercial
genetic testing is prohibited from sharing any genetic test
information or other personally identifiable information about
a consumer with any health or life insurance company without
written consent from the consumer.
(Source: P.A. 98-1046, eff. 1-1-15.)