Bill Text: IL SB2924 | 2017-2018 | 100th General Assembly | Introduced
Bill Title: Amends the Genetic Information Privacy Act. In provisions concerning uses and disclosures for treatment, payment, health care operations, health oversight activities, and public health activities; uses and disclosures of information to a health information exchange; business associates; and establishment and disclosure of limited data sets and de-identified information, provides that various uses or disclosures of a patient's genetic information may not (rather than may) occur without the patient's consent. Effective immediately.
Spectrum: Partisan Bill (Republican 1-0)
Status: (Failed) 2019-01-09 - Session Sine Die [SB2924 Detail]
Download: Illinois-2017-SB2924-Introduced.html
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||
1 | AN ACT concerning health.
| |||||||||||||||||||||||||||||
2 | Be it enacted by the People of the State of Illinois,
| |||||||||||||||||||||||||||||
3 | represented in the General Assembly:
| |||||||||||||||||||||||||||||
4 | Section 5. The Genetic Information Privacy Act is amended | |||||||||||||||||||||||||||||
5 | by changing Sections 31, 31.1, 31.2, 31.3, 31.5, and 31.7 as | |||||||||||||||||||||||||||||
6 | follows:
| |||||||||||||||||||||||||||||
7 | (410 ILCS 513/31) | |||||||||||||||||||||||||||||
8 | Sec. 31. Uses and disclosures for treatment, payment, and | |||||||||||||||||||||||||||||
9 | health care operations. A Notwithstanding Sections 30 and 35 of | |||||||||||||||||||||||||||||
10 | this Act, a covered entity may not , without a patient's | |||||||||||||||||||||||||||||
11 | consent: | |||||||||||||||||||||||||||||
12 | (1) use or disclose genetic information for its own | |||||||||||||||||||||||||||||
13 | treatment, payment, or health care operations; | |||||||||||||||||||||||||||||
14 | (2) disclose genetic information for treatment | |||||||||||||||||||||||||||||
15 | activities of a health care provider; | |||||||||||||||||||||||||||||
16 | (3) disclose genetic information to another covered | |||||||||||||||||||||||||||||
17 | entity or health care provider for the payment activities | |||||||||||||||||||||||||||||
18 | of the entity that receives the information; | |||||||||||||||||||||||||||||
19 | (4)
disclose genetic information to another covered | |||||||||||||||||||||||||||||
20 | entity for health care operations activities of the entity | |||||||||||||||||||||||||||||
21 | that receives the information, if each entity has or had a | |||||||||||||||||||||||||||||
22 | relationship with the individual who is the subject of the | |||||||||||||||||||||||||||||
23 | genetic information being requested, the genetic |
| |||||||
| |||||||
1 | information pertains to such relationship, and the | ||||||
2 | disclosure is for the purpose of (A) conducting quality | ||||||
3 | assessment and improvement activities, including outcomes | ||||||
4 | evaluation and development of clinical guidelines, | ||||||
5 | provided that the obtaining of generalizable knowledge is | ||||||
6 | not the primary purpose of any studies resulting from such | ||||||
7 | activities; patient safety activities; population-based | ||||||
8 | activities relating to improving health or reducing health | ||||||
9 | care costs, protocol development, case management, and | ||||||
10 | care coordination, contacting of health care providers
and | ||||||
11 | patients with information about treatment alternatives; | ||||||
12 | and related functions that do not include treatment; (B) | ||||||
13 | reviewing the competence or qualifications of health care | ||||||
14 | professionals or health care providers, evaluating | ||||||
15 | practitioner and provider performance, health plan | ||||||
16 | performance, conducting training programs in which | ||||||
17 | students, trainees, or practitioners in areas of health | ||||||
18 | care learn under supervision to practice or improve their | ||||||
19 | skills as health care providers, training of non-health | ||||||
20 | care professionals, accreditation, certification, | ||||||
21 | licensing, or credentialing activities; or (C) health care | ||||||
22 | fraud and abuse detection or compliance; and | ||||||
23 | (5) disclose genetic information to other participants | ||||||
24 | in an organized health care arrangement in which the | ||||||
25 | covered entity is also a participant for any health care | ||||||
26 | operations activities of the organized health care |
| |||||||
| |||||||
1 | arrangement.
| ||||||
2 | (Source: P.A. 98-1046, eff. 1-1-15 .)
| ||||||
3 | (410 ILCS 513/31.1) | ||||||
4 | Sec. 31.1. Uses and disclosures for health oversight | ||||||
5 | activities. | ||||||
6 | (a) A Notwithstanding Sections 30 and 35 of this Act, a | ||||||
7 | covered entity may not disclose genetic information, without a | ||||||
8 | patient's consent, to a health oversight agency for health | ||||||
9 | oversight activities authorized by law, including audits, | ||||||
10 | civil, administrative, or criminal investigations; | ||||||
11 | inspections; licensure or disciplinary actions; civil | ||||||
12 | administrative or criminal proceedings or actions; or other | ||||||
13 | activities necessary for appropriate oversight of (i) the | ||||||
14 | health care system; (ii) government benefit programs for which | ||||||
15 | health information is relevant to beneficiary eligibility; | ||||||
16 | (iii) entities subject to government regulatory programs for | ||||||
17 | which health information is necessary for determining | ||||||
18 | compliance with program standards; or (iv) entities subject to | ||||||
19 | civil rights laws for which health information is necessary for | ||||||
20 | determining compliance. | ||||||
21 | (b) For purposes of the disclosures permitted by this | ||||||
22 | Section, a health oversight activity does not include an | ||||||
23 | investigation or other activity in which the individual is the | ||||||
24 | subject of the investigation or activity and such investigation | ||||||
25 | or other activity does not arise out of and is not directly |
| |||||||
| |||||||
1 | related to (i) the receipt of health care; (ii) a claim for | ||||||
2 | public benefits related to health; or (iii) qualification for, | ||||||
3 | or receipt of, public benefits or services when a patient's | ||||||
4 | health is integral to the claim for public benefits or | ||||||
5 | services, except that, if a health oversight activity or | ||||||
6 | investigation is conducted in conjunction with an oversight | ||||||
7 | activity or investigation relating to a claim for public | ||||||
8 | benefits not related to health, the joint activity or | ||||||
9 | investigation is considered a health oversight activity for | ||||||
10 | purposes of this Section. | ||||||
11 | (c) If a covered entity is also a health oversight agency, | ||||||
12 | the covered entity may use genetic information for health | ||||||
13 | oversight activities permitted by this Section.
| ||||||
14 | (Source: P.A. 98-1046, eff. 1-1-15 .)
| ||||||
15 | (410 ILCS 513/31.2) | ||||||
16 | Sec. 31.2. Uses and disclosures for public health | ||||||
17 | activities. Genetic Notwithstanding Sections 30 and 35 of this | ||||||
18 | Act, genetic information may not be disclosed without a | ||||||
19 | patient's consent for public health activities and purposes to | ||||||
20 | the Department, when the Department is authorized by law to | ||||||
21 | collect or receive such information for the purpose of | ||||||
22 | preventing or controlling disease, injury, or disability, | ||||||
23 | including, but not limited to, the reporting of disease, | ||||||
24 | injury, vital events such as birth or death, and the conduct of | ||||||
25 | public health surveillance, public health investigations, and |
| |||||||
| |||||||
1 | public health interventions.
| ||||||
2 | (Source: P.A. 98-1046, eff. 1-1-15 .)
| ||||||
3 | (410 ILCS 513/31.3) | ||||||
4 | Sec. 31.3. Business associates. | ||||||
5 | (a) A Notwithstanding Sections 30 and 35 of this Act, a | ||||||
6 | covered entity may not , without a patient's consent, disclose a | ||||||
7 | patient's genetic information to a business associate and may | ||||||
8 | allow a business associate to create, receive, maintain, or | ||||||
9 | transmit protected health information on its behalf, if the | ||||||
10 | covered entity obtains, through a written contract or other | ||||||
11 | written agreement or arrangement that meets the applicable | ||||||
12 | requirements of 45 CFR 164.504(e), satisfactory assurance that | ||||||
13 | the business associate will appropriately safeguard the | ||||||
14 | information. A covered entity is not required to obtain such | ||||||
15 | satisfactory assurances from a business associate that is a | ||||||
16 | subcontractor. | ||||||
17 | (b) A business associate may disclose protected health | ||||||
18 | information to a business associate that is a subcontractor and | ||||||
19 | may allow the subcontractor to create, receive, maintain, or | ||||||
20 | transmit protected health information on its behalf, if the | ||||||
21 | business associate obtains satisfactory assurances, in | ||||||
22 | accordance with 45 CFR 164.504(e)(1)(i), that the | ||||||
23 | subcontractor will appropriately safeguard the information.
| ||||||
24 | (Source: P.A. 98-1046, eff. 1-1-15 .)
|
| |||||||
| |||||||
1 | (410 ILCS 513/31.5) | ||||||
2 | Sec. 31.5. Use and disclosure of information to an HIE. A
| ||||||
3 | Notwithstanding the provisions of Section 30 and 35 of this | ||||||
4 | Act, a covered entity may not , without a patient's consent, | ||||||
5 | disclose the identity of any patient upon whom a test is | ||||||
6 | performed and such patient's genetic information from a | ||||||
7 | patient's record to a HIE if the disclosure is a required or | ||||||
8 | permitted disclosure to a business associate or is a disclosure | ||||||
9 | otherwise required or permitted under this Act. An HIE may not , | ||||||
10 | without a patient's consent, use or disclose such information | ||||||
11 | to the extent it is allowed to use or disclose such information | ||||||
12 | as a business associate in compliance with 45 CFR 164.502(e) or | ||||||
13 | for such other purposes as are specifically allowed under this | ||||||
14 | Act.
| ||||||
15 | (Source: P.A. 98-1046, eff. 1-1-15 .)
| ||||||
16 | (410 ILCS 513/31.7) | ||||||
17 | Sec. 31.7. Establishment and disclosure of limited data | ||||||
18 | sets and de-identified information. | ||||||
19 | (a) A covered entity may not , without a genetic information | ||||||
20 | test subject's consent, create, use, and disclose a limited | ||||||
21 | data set using information subject to this Act or disclose | ||||||
22 | information subject to this Act to a business associate for the | ||||||
23 | purpose of establishing a limited data set. The creation, use, | ||||||
24 | and disclosure of such a limited data set must comply with the | ||||||
25 | requirements set forth under HIPAA. |
| |||||||
| |||||||
1 | (b) A covered entity may not , without a genetic information | ||||||
2 | test subject's consent, create, use, and disclose | ||||||
3 | de-identified information using information subject to this | ||||||
4 | Act or disclose information subject to this Act to a business | ||||||
5 | associate for the purpose of de-identifying the information. | ||||||
6 | The creation, use, and disclosure of such de-identified | ||||||
7 | information must comply with the requirements set forth under | ||||||
8 | HIPAA. A covered entity or a business associate may disclose | ||||||
9 | information that is de-identified in accordance with HIPAA. | ||||||
10 | (c) The recipient of de-identified information shall not | ||||||
11 | re-identify de-identified information using any public or | ||||||
12 | private data source.
| ||||||
13 | (Source: P.A. 98-1046, eff. 1-1-15 .)
| ||||||
14 | Section 99. Effective date. This Act takes effect upon | ||||||
15 | becoming law.
|