(410 ILCS 305/9.8)
    Sec. 9.8. Disclosure of limited data sets and de-identified information. Notwithstanding the provisions of Sections 9 and 10 of this Act:
        (1) a covered entity may, without a patient's consent, create, use, and disclose a
    
limited data set using HIV-related information from a patient's record or disclose HIV-related information from a patient's record to a business associate for the purpose of establishing a limited data set; the creation, use, and disclosure of such a limited data set must comply with the requirements set forth under HIPAA;
        (2) a covered entity may, without a patient's consent, create, use, and disclose
    
de-identified information using information from a patient's record that is subject to this Act or disclose HIV-related information from a patient's record to a business associate for the purpose of de-identifying the information; the creation, use, and disclosure of such de-identified data must comply with the requirements set forth under HIPAA. A covered entity or a business associate may disclose information that is de-identified; and
        (3) the recipient of de-identified information shall not re-identify de-identified
    
information using any public or private data source.
(Source: P.A. 98-1046, eff. 1-1-15.)