Section 689.70 Confidentiality and Access of Information

a) Records maintained as part of the Registry are confidential. (Section 20(a) of the Act) The Department will maintain the confidentiality of information within the Registry that would identify individual patients.

b) The Department may release an individual's confidential information to the individual or the individual's parent or guardian if the individual is less than 18 years of age. (Section 20(b) of the Act)

c) Subject to subsection (c), the Department may release information in the Registry concerning an individual to the following entities if the entity has a provider site or authorized user agreement with the Department:

1) The immunization data registry of another state;

2) A health care provider or a health care provider's designee;

3) A certified local health department;

4) An elementary or secondary school that is attended by the individual;

5) A licensed child care center in which the individual is enrolled;

6) A licensed child placing agency;

7) A college or university that is attended by the individual;

8) The Department of Healthcare and Family Services or a managed care entity contracted with the Department of Healthcare and Family Services to coordinate the provision of medical care to enrollees of the medical assistance program; (Section 20(c) of the Act);

9) Health insurance plans not under contract with the Department of Healthcare and Family Services to coordinate the provision of medical care to enrollees of the health insurance plan; and

10) Department employees and authorized agents or designees of the Department, including, but not limited to, Registry staff and Department vendors.

d) By July 1 of each year, the Department of Healthcare and Family Services shall provide to the Department a list of managed care entities under contract with the Department of Healthcare and Family Services to coordinate the provision of medical care to enrollees of the medical assistance program. The Department of Healthcare and Family Services will provide updates regarding the list of managed care entities to the Department as needed throughout the year.

e) Health care providers, schools, child care centers, colleges, universities, and health plans provided access to the Registry in subsection (c) will be granted access to information in the Registry for the purposes of verification of immunization status, the coordination of medical care or the provision of medical care to patients, residents, attendees, or enrollees of the institutions. Access to the Registry will not be granted for the verification of immunization status of employees, contractors, or volunteers.

f) Before immunization data may be released to an entity listed in subsection (c), the entity must enter into a Confidentiality Agreement with the Department that provides that information that identifies a patient will not be released to any other person without the written consent of the patient. (Section 20(d) of the Act) The Confidentiality Agreement provides that:

1) Only personnel whose assigned duties include functions associated with the immunization of clients can be given access to Registry information.

2) Users who willfully misuse information contained in the Registry will have their access immediately restricted by the Department.

3) Any non-health use of Registry data is prohibited, and no user shall attempt to copy the database or software used to access the Registry without written consent from the Department.

4) Site administrators may enroll users who have been trained in the use of the Registry at the appropriate access level and have signed the Individual User Agreement.

5) Identifying information contained in the Registry will be accessible only to Department personnel, their authorized agents and authorized users. Requests for data for research purposes that go beyond the scope of the individual provider's patients or the certified local health department area of jurisdiction shall be forwarded to the Department.

6) Registry data identifying clients will not be disclosed to unauthorized individuals, including law enforcement, without the approval of the Department.

g) All enrolled sites shall maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of the Registry information. The Department will conduct periodic assessments on privacy and security policies.

h) No person or automated system may access or attempt to access the Registry without approval from the Department.

i) A person who knowingly, intentionally, or recklessly discloses confidential information contained in the Registry in violation of the Act and this Part commits a Class A Misdemeanor. (Section 25 of the Act)

j) The Department may release summary statistics regarding information in the immunization data registry if the summary statistics do not reveal the identity of an individual. (Section 20(e) of the Act) Aggregate data from which personal identifying data has been removed may be released for the purposes of statistical analysis, research or reporting only after approval by the Department. Release of data, including requests by medical or epidemiologic researchers, will be done in accordance with the Illinois Health Statistics Act upon submission of a written request to the Department.

k) Identifiable data may be released to the extent necessary for the treatment, control, investigation or prevention of diseases and conditions dangerous to the public health. Identifiable data can be shared for conditions of public health significance, e.g., as permitted by HIPAA regulations, the Medical Studies Act, and the Health Statistics Act. As described in the Health Statistics Act, a Department-approved Institutional Review Board, or its equivalent on the protection of human subjects in research, will review and approve requests from researchers for individually identifiable data.

(Source: Amended at 46 Ill. Reg. 2680, effective January 28, 2022)