|
| | 101ST GENERAL ASSEMBLY
State of Illinois
2019 and 2020 SB1307 Introduced 2/7/2019, by Sen. Chapin Rose SYNOPSIS AS INTRODUCED: |
| 410 ILCS 513/31 | | 410 ILCS 513/31.1 | | 410 ILCS 513/31.2 | | 410 ILCS 513/31.3 | | 410 ILCS 513/31.5 | | 410 ILCS 513/31.7 | |
|
Amends the Genetic Information Privacy Act. In provisions concerning uses and disclosures for treatment, payment, health care operations, health oversight activities, and public health activities; uses and disclosures of information to a health information exchange; business associates; and establishment and disclosure of limited data sets and de-identified information, provides that various uses or disclosures of a patient's genetic information may not (rather than may) occur without the patient's consent. Effective immediately.
|
| |
| | A BILL FOR |
|
|
| | SB1307 | | LRB101 06900 CPF 51932 b |
|
|
1 | | AN ACT concerning health.
|
2 | | Be it enacted by the People of the State of Illinois,
|
3 | | represented in the General Assembly:
|
4 | | Section 5. The Genetic Information Privacy Act is amended |
5 | | by changing Sections 31, 31.1, 31.2, 31.3, 31.5, and 31.7 as |
6 | | follows: |
7 | | (410 ILCS 513/31) |
8 | | Sec. 31. Uses and disclosures for treatment, payment, and |
9 | | health care operations. A Notwithstanding Sections 30 and 35 of |
10 | | this Act, a covered entity may not , without a patient's |
11 | | consent: |
12 | | (1) use or disclose genetic information for its own |
13 | | treatment, payment, or health care operations; |
14 | | (2) disclose genetic information for treatment |
15 | | activities of a health care provider; |
16 | | (3) disclose genetic information to another covered |
17 | | entity or health care provider for the payment activities |
18 | | of the entity that receives the information; |
19 | | (4)
disclose genetic information to another covered |
20 | | entity for health care operations activities of the entity |
21 | | that receives the information, if each entity has or had a |
22 | | relationship with the individual who is the subject of the |
23 | | genetic information being requested, the genetic |
|
| | SB1307 | - 2 - | LRB101 06900 CPF 51932 b |
|
|
1 | | information pertains to such relationship, and the |
2 | | disclosure is for the purpose of (A) conducting quality |
3 | | assessment and improvement activities, including outcomes |
4 | | evaluation and development of clinical guidelines, |
5 | | provided that the obtaining of generalizable knowledge is |
6 | | not the primary purpose of any studies resulting from such |
7 | | activities; patient safety activities; population-based |
8 | | activities relating to improving health or reducing health |
9 | | care costs, protocol development, case management, and |
10 | | care coordination, contacting of health care providers
and |
11 | | patients with information about treatment alternatives; |
12 | | and related functions that do not include treatment; (B) |
13 | | reviewing the competence or qualifications of health care |
14 | | professionals or health care providers, evaluating |
15 | | practitioner and provider performance, health plan |
16 | | performance, conducting training programs in which |
17 | | students, trainees, or practitioners in areas of health |
18 | | care learn under supervision to practice or improve their |
19 | | skills as health care providers, training of non-health |
20 | | care professionals, accreditation, certification, |
21 | | licensing, or credentialing activities; or (C) health care |
22 | | fraud and abuse detection or compliance; and |
23 | | (5) disclose genetic information to other participants |
24 | | in an organized health care arrangement in which the |
25 | | covered entity is also a participant for any health care |
26 | | operations activities of the organized health care |
|
| | SB1307 | - 3 - | LRB101 06900 CPF 51932 b |
|
|
1 | | arrangement.
|
2 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
3 | | (410 ILCS 513/31.1) |
4 | | Sec. 31.1. Uses and disclosures for health oversight |
5 | | activities. |
6 | | (a) A Notwithstanding Sections 30 and 35 of this Act, a |
7 | | covered entity may not disclose genetic information, without a |
8 | | patient's consent, to a health oversight agency for health |
9 | | oversight activities authorized by law, including audits, |
10 | | civil, administrative, or criminal investigations; |
11 | | inspections; licensure or disciplinary actions; civil |
12 | | administrative or criminal proceedings or actions; or other |
13 | | activities necessary for appropriate oversight of (i) the |
14 | | health care system; (ii) government benefit programs for which |
15 | | health information is relevant to beneficiary eligibility; |
16 | | (iii) entities subject to government regulatory programs for |
17 | | which health information is necessary for determining |
18 | | compliance with program standards; or (iv) entities subject to |
19 | | civil rights laws for which health information is necessary for |
20 | | determining compliance. |
21 | | (b) For purposes of the disclosures permitted by this |
22 | | Section, a health oversight activity does not include an |
23 | | investigation or other activity in which the individual is the |
24 | | subject of the investigation or activity and such investigation |
25 | | or other activity does not arise out of and is not directly |
|
| | SB1307 | - 4 - | LRB101 06900 CPF 51932 b |
|
|
1 | | related to (i) the receipt of health care; (ii) a claim for |
2 | | public benefits related to health; or (iii) qualification for, |
3 | | or receipt of, public benefits or services when a patient's |
4 | | health is integral to the claim for public benefits or |
5 | | services, except that, if a health oversight activity or |
6 | | investigation is conducted in conjunction with an oversight |
7 | | activity or investigation relating to a claim for public |
8 | | benefits not related to health, the joint activity or |
9 | | investigation is considered a health oversight activity for |
10 | | purposes of this Section. |
11 | | (c) If a covered entity is also a health oversight agency, |
12 | | the covered entity may use genetic information for health |
13 | | oversight activities permitted by this Section.
|
14 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
15 | | (410 ILCS 513/31.2) |
16 | | Sec. 31.2. Uses and disclosures for public health |
17 | | activities. Genetic Notwithstanding Sections 30 and 35 of this |
18 | | Act, genetic information may not be disclosed without a |
19 | | patient's consent for public health activities and purposes to |
20 | | the Department, when the Department is authorized by law to |
21 | | collect or receive such information for the purpose of |
22 | | preventing or controlling disease, injury, or disability, |
23 | | including, but not limited to, the reporting of disease, |
24 | | injury, vital events such as birth or death, and the conduct of |
25 | | public health surveillance, public health investigations, and |
|
| | SB1307 | - 5 - | LRB101 06900 CPF 51932 b |
|
|
1 | | public health interventions.
|
2 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
3 | | (410 ILCS 513/31.3) |
4 | | Sec. 31.3. Business associates. |
5 | | (a) A Notwithstanding Sections 30 and 35 of this Act, a |
6 | | covered entity may not , without a patient's consent, disclose a |
7 | | patient's genetic information to a business associate and may |
8 | | allow a business associate to create, receive, maintain, or |
9 | | transmit protected health information on its behalf, if the |
10 | | covered entity obtains, through a written contract or other |
11 | | written agreement or arrangement that meets the applicable |
12 | | requirements of 45 CFR 164.504(e), satisfactory assurance that |
13 | | the business associate will appropriately safeguard the |
14 | | information. A covered entity is not required to obtain such |
15 | | satisfactory assurances from a business associate that is a |
16 | | subcontractor. |
17 | | (b) A business associate may disclose protected health |
18 | | information to a business associate that is a subcontractor and |
19 | | may allow the subcontractor to create, receive, maintain, or |
20 | | transmit protected health information on its behalf, if the |
21 | | business associate obtains satisfactory assurances, in |
22 | | accordance with 45 CFR 164.504(e)(1)(i), that the |
23 | | subcontractor will appropriately safeguard the information.
|
24 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
|
| | SB1307 | - 6 - | LRB101 06900 CPF 51932 b |
|
|
1 | | (410 ILCS 513/31.5) |
2 | | Sec. 31.5. Use and disclosure of information to an HIE. A
|
3 | | Notwithstanding the provisions of Section 30 and 35 of this |
4 | | Act, a covered entity may not , without a patient's consent, |
5 | | disclose the identity of any patient upon whom a test is |
6 | | performed and such patient's genetic information from a |
7 | | patient's record to a HIE if the disclosure is a required or |
8 | | permitted disclosure to a business associate or is a disclosure |
9 | | otherwise required or permitted under this Act. An HIE may not , |
10 | | without a patient's consent, use or disclose such information |
11 | | to the extent it is allowed to use or disclose such information |
12 | | as a business associate in compliance with 45 CFR 164.502(e) or |
13 | | for such other purposes as are specifically allowed under this |
14 | | Act.
|
15 | | (Source: P.A. 98-1046, eff. 1-1-15 .) |
16 | | (410 ILCS 513/31.7) |
17 | | Sec. 31.7. Establishment and disclosure of limited data |
18 | | sets and de-identified information. |
19 | | (a) A covered entity may not , without a genetic information |
20 | | test subject's consent, create, use, and disclose a limited |
21 | | data set using information subject to this Act or disclose |
22 | | information subject to this Act to a business associate for the |
23 | | purpose of establishing a limited data set. The creation, use, |
24 | | and disclosure of such a limited data set must comply with the |
25 | | requirements set forth under HIPAA. |
|
| | SB1307 | - 7 - | LRB101 06900 CPF 51932 b |
|
|
1 | | (b) A covered entity may not , without a genetic information |
2 | | test subject's consent, create, use, and disclose |
3 | | de-identified information using information subject to this |
4 | | Act or disclose information subject to this Act to a business |
5 | | associate for the purpose of de-identifying the information. |
6 | | The creation, use, and disclosure of such de-identified |
7 | | information must comply with the requirements set forth under |
8 | | HIPAA. A covered entity or a business associate may disclose |
9 | | information that is de-identified in accordance with HIPAA. |
10 | | (c) The recipient of de-identified information shall not |
11 | | re-identify de-identified information using any public or |
12 | | private data source.
|
13 | | (Source: P.A. 98-1046, eff. 1-1-15 .)
|
14 | | Section 99. Effective date. This Act takes effect upon |
15 | | becoming law.
|