Health Care Availability and Access Committee
Adopted in House Comm. on Mar 03, 2004
 
 

 




 

 		












09300HB4059ham002

LRB093 15454 DRJ 48452 a






1

AMENDMENT TO HOUSE BILL 4059




2
    AMENDMENT NO. ______. Amend House Bill 4059, AS AMENDED, in 
3
Section 5, Sec. 367.4, by replacing all of subsections (b) 
4
through (f) with the following:

5
    "Summary health information" means information that may be

6
individually identifiable health information and
    (i) that 
7
summarizes the claims history, claims expenses, or type of

8
claims experienced by individuals for whom a plan sponsor has 
9
provided
health benefits under a group health plan and
    (ii) 
10
from which the information described in subdivision (d)(2)(i)

11
has been deleted, except that the geographic information 
12
described in
subdivision (d)(2)(i)(B) need only be aggregated 
13
to the level of a 5-digit zip code.

14
    (b) Except as otherwise
provided in this subsection, a 
15
group health plan, in order
to disclose protected health 
16
information to the plan sponsor or to
provide for or permit the 
17
disclosure of protected health information to
the plan sponsor 
18
by a health insurance issuer or health maintenance organization 
19
with respect to the
group health plan, must ensure that the 
20
plan documents restrict uses and
disclosures of such 
21
information by the plan sponsor consistent with the

22
requirements of this Section.
23
    The group health plan, or a health insurance issuer or 
24
health maintenance organization with
respect to the group 
25
health plan, shall disclose summary health
information to the 
26
plan sponsor if the plan sponsor requests the
summary health 
 


 






09300HB4059ham002
- 2 -
LRB093 15454 DRJ 48452 a




1
information for the purpose of (i) obtaining premium bids from 
2
health plans for providing health
insurance coverage under the 
3
group health plan or (ii) modifying, amending, or terminating 
4
the group health plan.
5
    The plan documents of the group health plan must be amended 
6
to
incorporate provisions to do the following:
7
        (1) Establish the permitted and required uses and 
8
disclosures of
such information by the plan sponsor, 
9
provided that such permitted and
required uses and 
10
disclosures may not be inconsistent with this Section.
11
        (2) Provide that the group health plan will disclose 
12
protected
health information to the plan sponsor only upon 
13
receipt of a
certification by the plan sponsor that the 
14
plan documents have been
amended to incorporate the 
15
following provisions and that the plan
sponsor agrees to:
16
            (A) Not use or further disclose the information 
17
other than as
permitted or required by the plan 
18
documents or as required by law.
19
            (B) Ensure that any agents, including a 
20
subcontractor, to whom it
provides protected health 
21
information received from the group health
plan agree 
22
to the same restrictions and conditions that apply to 
23
the
plan sponsor with respect to such information.
24
            (C) Not use or disclose the information for 
25
employment-related
actions and decisions or in 
26
connection with any other benefit or
employee benefit 
27
plan of the plan sponsor.
28
            (D) Report to the group health plan any use or 
29
disclosure of the
information that is inconsistent 
30
with the uses or disclosures provided
for of which it 
31
becomes aware.
32
            (E) Make available protected health information.
33
            (F) Make available protected health information 
34
for amendment, and
incorporate any amendments to 
 


 






09300HB4059ham002
- 3 -
LRB093 15454 DRJ 48452 a




1
protected health information.
2
            (G) Make available the information required to 
3
provide an accounting
of disclosures.
4
            (H) Make its internal practices, books, and 
5
records relating to the
use and disclosure of protected 
6
health information received from the
group health plan 
7
available to the Director for purposes of determining

8
compliance by the group health plan with this Section.
9
            (I) If feasible, return or destroy all protected 
10
health information
received from the group health plan 
11
that the sponsor still maintains in
any form and retain 
12
no copies of such information when no longer needed
for 
13
the purpose for which disclosure was made, except that, 
14
if such
return or destruction is not feasible, limit 
15
further uses and
disclosures to those purposes that 
16
make the return or destruction of the
information 
17
infeasible.
18
            (J) Ensure that the adequate separation required 
19
in paragraph
(3) is established.
20
        (3) Provide for adequate separation between the group 
21
health plan
and the plan sponsor. The plan documents must 
22
do the following:
23
            (A) Describe those employees or classes of 
24
employees or other
persons under the control of the 
25
plan sponsor to be given access to the
protected health 
26
information to be disclosed, provided that any 
27
employee
or person who receives protected health 
28
information relating to payment
under, health care 
29
operations of, or other matters pertaining to the
group 
30
health plan in the ordinary course of business must be 
31
included in
such description.
32
            (B) Restrict the access to and use by such 
33
employees and other
persons described in subparagraph 
34
(A) of this paragraph (3) to the
plan administration 
 


 






09300HB4059ham002
- 4 -
LRB093 15454 DRJ 48452 a




1
functions that the plan sponsor performs for the
group 
2
health plan.
3
            (C) Provide an effective mechanism for resolving 
4
any issues of
noncompliance by persons described in 
5
subparagraph (A) of this paragraph (3) with the plan 
6
document provisions required by this subsection.

7
    (c) Standard: de-identification of protected health 
8
information.
Health information that does not identify an 
9
individual and with respect
to which there is no reasonable 
10
basis to believe that the information
can be used to identify 
11
an individual is not individually identifiable
health 
12
information.
13
    (d) Implementation specifications: requirements for de-

14
identification of protected health information. A covered 
15
entity may
determine that health information is not 
16
individually identifiable
health information only if:
17
        (1) A person with appropriate knowledge of and 
18
experience with
generally accepted statistical and 
19
scientific principles and methods for
rendering 
20
information not individually identifiable:
21
            (A) Applying such principles and methods, 
22
determines that the risk
is very small that the 
23
information could be used, alone or in
combination with 
24
other reasonably available information, by an

25
anticipated recipient to identify an individual who is 
26
a subject of the
information; and
27
            (B) Documents the methods and results of the 
28
analysis that justify
such determination; or
29
        (2)(i) The following identifiers of the individual or 
30
of relatives,
employers, or household members of the 
31
individual, are removed:
32
            (A) Names;
33
            (B) All geographic subdivisions smaller than a 
34
State, including
street address, city, county, 
 


 






09300HB4059ham002
- 5 -
LRB093 15454 DRJ 48452 a




1
precinct, zip code, and their equivalent
geocodes, 
2
except for the initial 3 digits of a zip code if,

3
according to the current publicly available data from 
4
the Bureau of the
Census:
5
                (i) The geographic unit formed by combining 
6
all zip codes with the
same 3 initial digits 
7
contains more than 20,000 people; and
    
8
                (ii) The initial 3 digits of a zip code for all 
9
such geographic
units containing 20,000 or fewer 
10
people is changed to 000;
11
            (C) All elements of dates (except year) for dates 
12
directly related
to an individual, including birth 
13
date, admission date, discharge date,
date of death; 
14
and all ages over 89 and all elements of dates 
15
(including
year) indicative of such age, except that 
16
such ages and elements may be
aggregated into a single 
17
category of age 90 or older;
18
            (D) Telephone numbers;
19
            (E) Fax numbers;
    
20
            (F) Electronic mail addresses;
21
            (G) Social security numbers;
22
            (H) Medical record numbers;
23
            (I) Health plan beneficiary numbers;
24
            (J) Account numbers;
25
            (K) Certificate/license numbers;
26
            (L) Vehicle identifiers and serial numbers, 
27
including license plate
numbers;
28
            (M) Device identifiers and serial numbers;
29
            (N) Web Universal Resource Locators (URLs);
30
            (O) Internet Protocol (IP) address numbers;
31
            (P) Biometric identifiers, including finger and 
32
voice prints;
33
            (Q) Full face photographic images and any 
34
comparable images; and
 


 






09300HB4059ham002
- 6 -
LRB093 15454 DRJ 48452 a




1
            (R) Any other unique identifying number, 
2
characteristic, or code,
except as permitted by 
3
subsection (i) of this Section; and
4
        (ii) The covered entity does not have actual knowledge 
5
that the
information could be used alone or in combination 
6
with other information
to identify an individual who is a 
7
subject of the information.
8
    (e) Implementation specifications: re-identification. A 
9
covered
entity may assign a code or other means of record 
10
identification to
allow information de-identified under this 
11
Section to be re-identified
by the covered entity, provided 
12
that:
13
        (1) Derivation. The code or other means of record 
14
identification is
not derived from or related to 
15
information about the individual and is
not otherwise 
16
capable of being translated so as to identify the

17
individual; and
18
        (2) Security. The covered entity does not use or 
19
disclose the code
or other means of record identification 
20
for any other purpose, and does
not disclose the mechanism 
21
for re-identification.
22
    (f)(1) Standard: minimum necessary requirements. In order 
23
to comply
with this Section, a covered entity must meet the

24
requirements of subdivisions (f)(2) through (f)(5) of this 
25
Section with
respect to a request for, or the use and 
26
disclosure of, protected health
information.
27
        (2) Implementation specifications: minimum necessary 
28
uses of
protected health information.
29
        (i) A covered entity must identify:
30
            (A) Those persons or classes of persons, as 
31
appropriate, in its
workforce who need access to 
32
protected health information to carry out
their 
33
duties; and
    
34
            (B) For each such person or class of persons, the 
 


 






09300HB4059ham002
- 7 -
LRB093 15454 DRJ 48452 a




1
category or
categories of protected health information 
2
to which access is needed and
any conditions 
3
appropriate to such access.
4
        (ii) A covered entity must make reasonable efforts to 
5
limit the
access of such persons or classes identified in 
6
subdivision (f)(2)(i)(A)
of this Section to protected 
7
health information consistent with
subdivision  
8
(f)(2)(i)(B) of this Section.
9
        (3) Implementation specification: Minimum necessary 
10
disclosures of
protected health information.
11
            (i) For any type of disclosure that it
makes on a 
12
routine and recurring basis, a covered entity must 
13
implement
policies and procedures (which may be 
14
standard protocols) that limit the
protected health 
15
information disclosed to the amount reasonably

16
necessary to achieve the purpose of the disclosure.
17
            (ii) For all other disclosures, a covered entity 
18
must:
19
                (A) Develop criteria designed to limit the 
20
protected health
information disclosed to the 
21
information reasonably necessary to
accomplish the 
22
purpose for which disclosure is sought; and
23
                (B) Review requests for disclosure on an 
24
individual basis in
accordance with such criteria.
25
            (iii) A covered entity may rely, if such reliance 
26
is reasonable
under the circumstances, on a requested 
27
disclosure as the minimum
necessary for the stated 
28
purpose when:
29
                (A) Making disclosures to public officials, if 
30
the public official represents that the 
31
information
requested is the minimum necessary for 
32
the stated purpose or purposes;
33
                (B) The information is requested by another 
34
covered entity;
 


 






09300HB4059ham002
- 8 -
LRB093 15454 DRJ 48452 a




1
                (C) The information is requested by a 
2
professional who is a member
of its workforce or is 
3
a business associate of the covered entity for
the 
4
purpose of providing professional services to the 
5
covered entity, if
the professional represents 
6
that the information requested is the
minimum 
7
necessary for the stated purpose or purposes; or
8
                (D) Documentation or representations that 
9
comply with the applicable
requirements have been 
10
provided by a person
requesting the information 
11
for research purposes.
12
        (4) Implementation specifications: Minimum necessary 
13
requests for
protected health information.
14
            (i) A covered entity must limit any
request for 
15
protected health information to that which is 
16
reasonably
necessary to accomplish the purpose for 
17
which the request is made,
when requesting such 
18
information from other covered entities.
19
            (ii) For a request that is made on a routine and 
20
recurring basis, a
covered entity must implement 
21
policies and procedures (which may be
standard 
22
protocols) that limit the protected health information

23
requested to the amount reasonably necessary to 
24
accomplish the purpose
for which the request is made.
25
            (iii) For all other requests, a covered entity 
26
must:
27
                (A) Develop criteria designed to limit the 
28
request for protected
health information to the 
29
information reasonably necessary to accomplish
the 
30
purpose for which the request is made; and
31
                (B) Review requests for disclosure on an 
32
individual basis in
accordance with such criteria.
33
        (5) Implementation specification: Other content 
34
requirement. For all
uses, disclosures, or requests to 
 


 






09300HB4059ham002
- 9 -
LRB093 15454 DRJ 48452 a




1
which the requirements in this subsection
(f) apply, a 
2
covered entity may not use, disclose, or
request an entire 
3
medical record, except when the entire medical record
is 
4
specifically justified as the amount that is reasonably 
5
necessary to
accomplish the purpose of the use, disclosure, 
6
or request.
7
    (g)(1) Standard: Limited data set. A covered entity may use 
8
or
disclose a limited data set that meets the requirements of 
9
subdivisions
(g)(2) and (g)(3) of this Section if the covered 
10
entity enters into a
data use agreement with the limited data 
11
set recipient in accordance
with subdivision (g)(4) of this 
12
Section.
13
        (2) Implementation specification: Limited data set. A 
14
limited data
set is protected health information that 
15
excludes the following direct
identifiers of the 
16
individual or of relatives, employers, or household

17
members of the individual:
18
            (i) Names;
19
            (ii) Postal address information, other than town 
20
or city, State, and
zip code;
    
21
            (iii) Telephone numbers;
22
            (iv) Fax numbers;
    
23
            (v) Electronic mail addresses;
24
            (vi) Social security numbers;
25
            (vii) Medical record numbers;
26
            (viii) Health plan beneficiary numbers;
27
            (ix) Account numbers;
28
            (x) Certificate/license numbers;
29
            (xi) Vehicle identifiers and serial numbers, 
30
including license plate
numbers;
31
            (xii) Device identifiers and serial numbers;
32
            (xiii) Web Universal Resource Locators (URLs);
33
            (xiv) Internet Protocol (IP) address numbers;
34
            (xv) Biometric identifiers, including finger and 
 


 






09300HB4059ham002
- 10 -
LRB093 15454 DRJ 48452 a




1
voice prints; and
2
            (xvi) Full face photographic images and any 
3
comparable images.
4
        (3) Implementation specification: Permitted purposes 
5
for uses and
disclosures.
6
            (i) A covered entity may use or disclose a limited 
7
data set
under subdivision (g)(1) of this Section only 
8
for the purposes of
research, public health, or health 
9
care operations.
10
            (ii) A covered entity may use protected health 
11
information to create
a limited data set that meets the 
12
requirements of subdivision (g)(2) of
this Section, or 
13
disclose protected health information only to a

14
business associate for such purpose, whether or not the 
15
limited data set
is to be used by the covered entity.
16
        (4) Implementation specifications: Data use agreement.
17
            (i)
Agreement required. A covered entity may use or 
18
disclose a limited data
set under subdivision (g)(1) of 
19
this Section only if the covered entity
obtains 
20
satisfactory assurance, in the form of a data use 
21
agreement that
meets the requirements of this Section, 
22
that the limited data set
recipient will only use or 
23
disclose the protected health information for
limited 
24
purposes.
25
            (ii) Contents. A data use agreement between the 
26
covered entity and
the limited data set recipient must:
27
                (A) Establish the permitted uses and 
28
disclosures of such information
by the limited 
29
data set recipient, consistent with subdivision 
30
(g)(3) of
this Section. The data use agreement may 
31
not authorize the limited data
set recipient to use 
32
or further disclose the information in a manner

33
that would violate the requirements of this 
34
subpart, if done by the
covered entity;
 


 






09300HB4059ham002
- 11 -
LRB093 15454 DRJ 48452 a




1
                (B) Establish who is permitted to use or 
2
receive the limited data
set; and
3
                (C) Provide that the limited data set 
4
recipient will:
5
                    (1) Not use or further disclose the 
6
information other than as
permitted by the data 
7
use agreement or as otherwise required by law;
8
                    (2) Use appropriate safeguards to prevent 
9
use or disclosure of the
information other than 
10
as provided for by the data use agreement;
11
                    (3) Report to the covered entity any use or 
12
disclosure of the
information not provided for 
13
by its data use agreement of which it
becomes 
14
aware;
15
                    (4) Ensure that any agents, including a 
16
subcontractor, to whom it
provides the limited 
17
data set agrees to the same restrictions and

18
conditions that apply to the limited data set 
19
recipient with respect to
such information; 
20
and
21
                    (5) Not identify the information or 
22
contact the individuals.
23
            (iii) Compliance. 
24
                (A) A covered entity is not in compliance with 
25
the
standards in this subsection  (g) if the covered 
26
entity knew of
a pattern of activity or practice of 
27
the limited data set recipient that
constituted a 
28
material breach or violation of the data use 
29
agreement,
unless the covered entity took 
30
reasonable steps to cure the breach or
end the 
31
violation, as applicable, and, if such steps were 
32
unsuccessful:
33
                    (1) Discontinued disclosure of protected 
34
health information to the
recipient; and
 


 






09300HB4059ham002
- 12 -
LRB093 15454 DRJ 48452 a




1
                    (2) Reported the problem to the Secretary.
2
                (B) A covered entity that is a limited data set 
3
recipient and
violates a data use agreement will be 
4
in noncompliance with the
standards, 
5
implementation specifications, and requirements of 
6
this subsection
(g).
7
    (h)(1) Standard: Uses and disclosures for fundraising. A 
8
covered
entity may use, or disclose to a business associate or 
9
to an
institutionally related foundation, the following 
10
protected health
information for the purpose of raising funds 
11
for its own benefit,
without an authorization meeting 
12
requirements adopted by the Department:
13
            (i) Demographic information relating to an 
14
individual; and
15
            (ii) Dates of health care provided to an 
16
individual.
17
        (2) Implementation specifications: Fundraising 
18
requirements.
19
            (i) The
covered entity may not use or disclose 
20
protected health information for
fundraising purposes 
21
as otherwise permitted by subdivision (h)(1) of this

22
Section.
23
            (ii) The covered entity must include in any 
24
fundraising materials it
sends to an individual under 
25
this paragraph a description of how the
individual may 
26
opt out of receiving any further fundraising

27
communications.
28
            (iii) The covered entity must make reasonable 
29
efforts to ensure that
individuals who decide to opt 
30
out of receiving future fundraising
communications are 
31
not sent such communications.
32
    (i) Standard: Uses and disclosures for underwriting and 
33
related
purposes. If a health plan receives protected heath 
34
information for the
purpose of underwriting, premium rating, or 
 


 






09300HB4059ham002
- 13 -
LRB093 15454 DRJ 48452 a




1
other activities relating to
the creation, renewal, or 
2
replacement of a contract of health insurance
or health 
3
benefits, and if such health insurance or health benefits are

4
not placed with the health plan, such health plan may not use 
5
or
disclose such protected health information for any other 
6
purpose, except
as may be required by law.
7
    (j)(1) Standard: Verification requirements. Prior to any 
8
disclosure
permitted by this Section, a covered entity must:
9
            (i) Verify
the identity of a person requesting 
10
protected health information and the
authority of any 
11
such person to have access to protected health

12
information under this Section, if the identity or any 
13
such authority of
such person is not known to the 
14
covered entity; and
15
            (ii) Obtain any documentation, statements, or 
16
representations,
whether oral or written, from the 
17
person requesting the protected health
information 
18
when such documentation, statement, or representation 
19
is a
condition of the disclosure under this Section.
20
        (2) Implementation specifications: Verification.
21
            (i) Conditions on
disclosures. If a disclosure is 
22
conditioned by this subpart on
particular 
23
documentation, statements, or representations from the 
24
person
requesting the protected health information, a 
25
covered entity may rely,
if such reliance is reasonable

26
under the circumstances, on documentation, statements, 
27
or
representations that, on their face, meet the 
28
applicable requirements.
29
            (ii) Identity of public officials. A covered 
30
entity may rely, if
such reliance is reasonable under 
31
the circumstances, on any of the
following to verify 
32
identity when the disclosure of protected health

33
information is to a public official or a person acting 
34
on behalf of the
public official:
 


 






09300HB4059ham002
- 14 -
LRB093 15454 DRJ 48452 a




1
                (A) If the request is made in person, 
2
presentation of an agency
identification badge, 
3
other official credentials, or other proof of

4
government status;
5
                (B) If the request is in writing, the request 
6
is on the appropriate
government letterhead; or
7
                (C) If the disclosure is to a person acting on 
8
behalf of a public
official, a written statement on 
9
appropriate government letterhead that
the person 
10
is acting under the government's authority or 
11
other evidence
or documentation of agency, such as 
12
a contract for services, memorandum
of 
13
understanding, or purchase order, that establishes 
14
that the person is
acting on behalf of the public 
15
official.
16
            (iii) Authority of public officials. A covered 
17
entity may rely, if
such reliance is reasonable under 
18
the circumstances, on any of the
following to verify 
19
authority when the disclosure of protected health

20
information is to a public official or a person acting 
21
on behalf of the
public official:
22
                (A) A written statement of the legal authority 
23
under which the
information is requested, or, if a 
24
written statement would be
impracticable, an oral 
25
statement of such legal authority;
26
                (B) If a request is made pursuant to legal 
27
process, warrant,
subpoena, order, or other legal 
28
process issued by a grand jury or a
judicial or 
29
administrative tribunal is presumed to constitute 
30
legal
authority.
31
            (iv) Exercise of professional judgment. The 
32
verification
requirements of this subsection (n) are 
33
met if the covered entity relies on
the exercise of 
34
professional judgment in making a use or disclosure or 
 


 






09300HB4059ham002
- 15 -
LRB093 15454 DRJ 48452 a




1
acts on a good faith belief in making a
disclosure.".