Health Care Availability and Access Committee

Adopted in House Comm. on Mar 03, 2004

09300HB4059ham002 LRB093 15454 DRJ 48452 a

AMENDMENT TO HOUSE BILL 4059

    AMENDMENT NO. ______. Amend House Bill 4059, AS AMENDED, in Section 5, Sec. 367.4, by replacing all of subsections (b) through (f) with the following:

    "Summary health information" means information that may be individually identifiable health information and (i) that summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom a plan sponsor has provided health benefits under a group health plan and (ii) from which the information described in subdivision (d)(2)(i) has been deleted, except that the geographic information described in subdivision (d)(2)(i)(B) need only be aggregated to the level of a 5-digit zip code.

    (b) Except as otherwise provided in this subsection, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or health maintenance organization with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this Section.

    The group health plan, or a health insurance issuer or health maintenance organization with respect to the group health plan, shall disclose summary health information to the plan sponsor if the plan sponsor requests the summary health information for the purpose of (i) obtaining premium bids from health plans for providing health insurance coverage under the group health plan or (ii) modifying, amending, or terminating the group health plan.

    The plan documents of the group health plan must be amended to incorporate provisions to do the following:
        (1) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this Section.
        (2) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:
            (A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law.
            (B) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information.
            (C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.
            (D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware.
            (E) Make available protected health information.
            (F) Make available protected health information for amendment, and incorporate any amendments to protected health information.
            (G) Make available the information required to provide an accounting of disclosures.
            (H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Director for purposes of determining compliance by the group health plan with this Section.
            (I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.
            (J) Ensure that the adequate separation required in paragraph (3) is established.
        (3) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must do the following:
            (A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description.
            (B) Restrict the access to and use by such employees and other persons described in subparagraph (A) of this paragraph (3) to the plan administration functions that the plan sponsor performs for the group health plan.
            (C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in subparagraph (A) of this paragraph (3) with the plan document provisions required by this subsection.

    (c) Standard: de-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

    (d) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
        (1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
            (A) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
            (B) Documents the methods and results of the analysis that justify such determination; or
        (2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
            (A) Names;
            (B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial 3 digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
                (i) The geographic unit formed by combining all zip codes with the same 3 initial digits contains more than 20,000 people; and
                (ii) The initial 3 digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000;
            (C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
            (D) Telephone numbers;
            (E) Fax numbers;
            (F) Electronic mail addresses;
            (G) Social security numbers;
            (H) Medical record numbers;
            (I) Health plan beneficiary numbers;
            (J) Account numbers;
            (K) Certificate/license numbers;
            (L) Vehicle identifiers and serial numbers, including license plate numbers;
            (M) Device identifiers and serial numbers;
            (N) Web Universal Resource Locators (URLs);
            (O) Internet Protocol (IP) address numbers;
            (P) Biometric identifiers, including finger and voice prints;
            (Q) Full face photographic images and any comparable images; and
            (R) Any other unique identifying number, characteristic, or code, except as permitted by subsection (e) of this Section; and
        (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

    (e) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this Section to be re-identified by the covered entity, provided that:
        (1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
        (2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

    (f)(1) Standard: minimum necessary requirements. In order to comply with this Section, a covered entity must meet the requirements of subdivisions (f)(2) through (f)(5) of this Section with respect to a request for, or the use and disclosure of, protected health information.
        (2) Implementation specifications: minimum necessary uses of protected health information.
            (i) A covered entity must identify:
                (A) Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
                (B) For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
            (ii) A covered entity must make reasonable efforts to limit the access of such persons or classes identified in subdivision (f)(2)(i)(A) of this Section to protected health information consistent with subdivision (f)(2)(i)(B) of this Section.
        (3) Implementation specification: Minimum necessary disclosures of protected health information.
            (i) For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
            (ii) For all other disclosures, a covered entity must:
                (A) Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
                (B) Review requests for disclosure on an individual basis in accordance with such criteria.
            (iii) A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
                (A) Making disclosures to public officials, if the public official represents that the information requested is the minimum necessary for the stated purpose or purposes;
                (B) The information is requested by another covered entity;
                (C) The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose or purposes; or
                (D) Documentation or representations that comply with the applicable requirements have been provided by a person requesting the information for research purposes.
        (4) Implementation specifications: Minimum necessary requests for protected health information.
            (i) A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
            (ii) For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
            (iii) For all other requests, a covered entity must:
                (A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and
                (B) Review requests for disclosure on an individual basis in accordance with such criteria.
        (5) Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in this subsection (f) apply, a covered entity may not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

    (g)(1) Standard: Limited data set. A covered entity may use or disclose a limited data set that meets the requirements of subdivisions (g)(2) and (g)(3) of this Section if the covered entity enters into a data use agreement with the limited data set recipient in accordance with subdivision (g)(4) of this Section.
        (2) Implementation specification: Limited data set. A limited data set is protected health information that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:
            (i) Names;
            (ii) Postal address information, other than town or city, State, and zip code;
            (iii) Telephone numbers;
            (iv) Fax numbers;
            (v) Electronic mail addresses;
            (vi) Social security numbers;
            (vii) Medical record numbers;
            (viii) Health plan beneficiary numbers;
            (ix) Account numbers;
            (x) Certificate/license numbers;
            (xi) Vehicle identifiers and serial numbers, including license plate numbers;
            (xii) Device identifiers and serial numbers;
            (xiii) Web Universal Resource Locators (URLs);
            (xiv) Internet Protocol (IP) address numbers;
            (xv) Biometric identifiers, including finger and voice prints; and
            (xvi) Full face photographic images and any comparable images.
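The three data-handling rules in this amendment that can actually be executed against a record are the Safe Harbor removal of subdivision (d)(2) (with its 20,000-person zip-prefix test and the age-over-89 rule), the re-identification code of subsection (e), and the narrower limited data set of subdivision (g)(2), which keeps town or city, State, zip code and dates. The following is an added example written for this page; it is not part of the amendment, of any Department rule, or of any product. The field names, the record layout, the reference date and the census figures are assumptions constructed for illustration, and it does not address free-text fields or the actual-knowledge test of (d)(2)(ii).

```python
"""Safe Harbor (d)(2), re-identification codes (e) and the limited data set
(g)(2), applied to one record.  Added example; the field names, record
layout, reference date and census figures are assumptions made for
illustration, not data from the amendment."""
from __future__ import annotations

import datetime as dt
import secrets
from typing import Any

# Constructed stand-in for the Census Bureau figures (d)(2)(i)(B) relies on:
# residents of the area formed by all zip codes sharing a 3-digit prefix.
CENSUS_BY_ZIP3 = {"606": 2_800_000, "612": 150_000, "036": 3_800}
ZIP3_POPULATION_FLOOR = 20_000   # prefix survives only if its area exceeds this
AGE_CAP = 89                     # (d)(2)(i)(C): ages over 89 collapse to "90+"
AS_OF = dt.date(2004, 3, 3)      # assumed reference date for computing ages

# Direct identifiers removed under Safe Harbor, (d)(2)(i)(A) and (D)-(R), plus
# the sub-State geography of (B).  Free-text fields are not handled here.
SAFE_HARBOR_DROP = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id", "account",
    "license", "vehicle", "device_serial", "url", "ip", "biometric", "photo",
    "street", "county", "city",
})
# (g)(2) keeps town or city, State and zip code, and does not touch dates.
LIMITED_DATA_SET_DROP = SAFE_HARBOR_DROP - {"city"}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date")


def safe_harbor_zip(zip5: str, census: dict[str, int] = CENSUS_BY_ZIP3) -> str:
    """Keep the 3-digit prefix only if its area holds more than 20,000 people."""
    zip3 = zip5[:3]
    return zip3 if census.get(zip3, 0) > ZIP3_POPULATION_FLOOR else "000"


def age_on(birth: dt.date, as_of: dt.date) -> int:
    """Whole years completed between birth and as_of."""
    had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
    return as_of.year - birth.year - (0 if had_birthday else 1)


def deidentify(record: dict[str, Any], profile: str = "safe_harbor",
               as_of: dt.date = AS_OF) -> dict[str, Any]:
    """Return a copy of `record` with the chosen profile's identifiers removed."""
    drop = SAFE_HARBOR_DROP if profile == "safe_harbor" else LIMITED_DATA_SET_DROP
    out = {k: v for k, v in record.items() if k not in drop}
    if profile == "limited_data_set":
        return out                      # dates and the 5-digit zip are retained
    age = age_on(record["birth_date"], as_of)
    out["age"] = "90+" if age > AGE_CAP else str(age)
    for key in DATE_FIELDS:             # (C): every date element except year goes
        if key in out:
            out[key] = str(out[key].year)
    if age > AGE_CAP:                   # a birth year would itself reveal age > 89
        out["birth_date"] = None
    out["zip"] = safe_harbor_zip(record["zip"])
    return out


def leaked_identifiers(out: dict[str, Any], profile: str) -> set[str]:
    """Fields the profile should have removed that are still present."""
    drop = SAFE_HARBOR_DROP if profile == "safe_harbor" else LIMITED_DATA_SET_DROP
    return {k for k in out if k in drop}


def release(record: dict[str, Any], key_map: dict[str, dict[str, Any]],
            profile: str = "safe_harbor") -> dict[str, Any]:
    """De-identify and attach a re-identification code under subsection (e).

    (e)(1): the code is fresh randomness, not sha256(ssn) or any other value
    derived from the individual.  (e)(2): the code -> MRN map stays with the
    covered entity and is never shipped with the data."""
    out = deidentify(record, profile)
    if leaked_identifiers(out, profile):
        raise ValueError("identifier survived redaction")
    code = secrets.token_hex(16)
    key_map[code] = {"mrn": record["mrn"]}
    out["reid_code"] = code
    return out


# Constructed, fictional records.
SAMPLE = {
    "name": "Jane Q. Sample", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "email": "jane@example.com", "ip": "192.0.2.10", "street": "1 Example St",
    "city": "Chicago", "county": "Cook", "state": "IL", "zip": "60601",
    "birth_date": dt.date(1930, 5, 15), "admission_date": dt.date(2004, 2, 1),
    "discharge_date": dt.date(2004, 2, 9), "diagnosis": "I10",
}
SAMPLE_ELDER = {**SAMPLE, "mrn": "MRN-0002", "zip": "03601",
                "birth_date": dt.date(1910, 1, 2)}

if __name__ == "__main__":
    key_map: dict[str, dict[str, Any]] = {}
    for rec in (SAMPLE, SAMPLE_ELDER):
        print(release(rec, key_map))
    print(deidentify(SAMPLE, "limited_data_set"))
```

The point of the subsection (e) helper is the derivation rule: a SHA-256 of the SSN or medical record number looks anonymous but is derived from the individual and can be confirmed by anyone holding the original identifier, so the code is drawn from the operating system's random source and the mapping back to the record is retained by the covered entity rather than released with the data. The second constructed record shows the two Safe Harbor edge cases: a zip prefix whose area falls at or under 20,000 people becomes 000, and for a person over 89 the birth year is dropped along with the exact age.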
        (3) Implementation specification: Permitted purposes for uses and disclosures.
            (i) A covered entity may use or disclose a limited data set under subdivision (g)(1) of this Section only for the purposes of research, public health, or health care operations.
            (ii) A covered entity may use protected health information to create a limited data set that meets the requirements of subdivision (g)(2) of this Section, or disclose protected health information only to a business associate for such purpose, whether or not the limited data set is to be used by the covered entity.
        (4) Implementation specifications: Data use agreement.
            (i) Agreement required. A covered entity may use or disclose a limited data set under subdivision (g)(1) of this Section only if the covered entity obtains satisfactory assurance, in the form of a data use agreement that meets the requirements of this Section, that the limited data set recipient will only use or disclose the protected health information for limited purposes.
            (ii) Contents. A data use agreement between the covered entity and the limited data set recipient must:
                (A) Establish the permitted uses and disclosures of such information by the limited data set recipient, consistent with subdivision (g)(3) of this Section. The data use agreement may not authorize the limited data set recipient to use or further disclose the information in a manner that would violate the requirements of this Section, if done by the covered entity;
                (B) Establish who is permitted to use or receive the limited data set; and
                (C) Provide that the limited data set recipient will:
                    (1) Not use or further disclose the information other than as permitted by the data use agreement or as otherwise required by law;
                    (2) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by the data use agreement;
                    (3) Report to the covered entity any use or disclosure of the information not provided for by its data use agreement of which it becomes aware;
                    (4) Ensure that any agents, including a subcontractor, to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
                    (5) Not identify the information or contact the individuals.
            (iii) Compliance.
                (A) A covered entity is not in compliance with the standards in this subsection (g) if the covered entity knew of a pattern of activity or practice of the limited data set recipient that constituted a material breach or violation of the data use agreement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
                    (1) Discontinued disclosure of protected health information to the recipient; and
                    (2) Reported the problem to the Secretary.
                (B) A covered entity that is a limited data set recipient and violates a data use agreement will be in noncompliance with the standards, implementation specifications, and requirements of this subsection (g).

    (h)(1) Standard: Uses and disclosures for fundraising. A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting requirements adopted by the Department:
            (i) Demographic information relating to an individual; and
            (ii) Dates of health care provided to an individual.
        (2) Implementation specifications: Fundraising requirements.
            (i) The covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by subdivision (h)(1) of this Section.
            (ii) The covered entity must include in any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications.
            (iii) The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.

    (i) Standard: Uses and disclosures for underwriting and related purposes. If a health plan receives protected health information for the purpose of underwriting, premium rating, or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the health plan, such health plan may not use or disclose such protected health information for any other purpose, except as may be required by law.

    (j)(1) Standard: Verification requirements. Prior to any disclosure permitted by this Section, a covered entity must:
            (i) Verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this Section, if the identity or any such authority of such person is not known to the covered entity; and
            (ii) Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the protected health information when such documentation, statement, or representation is a condition of the disclosure under this Section.
        (2) Implementation specifications: Verification.
            (i) Conditions on disclosures. If a disclosure is conditioned by this Section on particular documentation, statements, or representations from the person requesting the protected health information, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the applicable requirements.
            (ii) Identity of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:
                (A) If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
                (B) If the request is in writing, the request is on the appropriate government letterhead; or
                (C) If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
            (iii) Authority of public officials. A covered entity may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of protected health information is to a public official or a person acting on behalf of the public official:
                (A) A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority;
                (B) If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.
            (iv) Exercise of professional judgment. The verification requirements of this subsection (j) are met if the covered entity relies on the exercise of professional judgment in making a use or disclosure or acts on a good faith belief in making a disclosure.".