Full Text of HB4059 93rd General Assembly
HB4059ham002 93RD GENERAL ASSEMBLY
|
Health Care Availability and Access Committee
Adopted in House Comm. on Mar 03, 2004
|
|
09300HB4059ham002 |
|
LRB093 15454 DRJ 48452 a |
|
| 1 |
| AMENDMENT TO HOUSE BILL 4059
| 2 |
| AMENDMENT NO. ______. Amend House Bill 4059, AS AMENDED, in | 3 |
| Section 5, Sec. 367.4, by replacing all of subsections (b) | 4 |
| through (f) with the following:
| 5 |
| " Summary health information" means information that may be
| 6 |
| individually identifiable health information and
(i) that | 7 |
| summarizes the claims history, claims expenses, or type of
| 8 |
| claims experienced by individuals for whom a plan sponsor has | 9 |
| provided
health benefits under a group health plan and
(ii) | 10 |
| from which the information described in subdivision (d)(2)(i)
| 11 |
| has been deleted, except that the geographic information | 12 |
| described in
subdivision (d)(2)(i)(B) need only be aggregated | 13 |
| to the level of a 5-digit zip code.
| 14 |
| (b) Except as otherwise
provided in this subsection, a | 15 |
| group health plan, in order
to disclose protected health | 16 |
| information to the plan sponsor or to
provide for or permit the | 17 |
| disclosure of protected health information to
the plan sponsor | 18 |
| by a health insurance issuer or health maintenance organization | 19 |
| with respect to the
group health plan, must ensure that the | 20 |
| plan documents restrict uses and
disclosures of such | 21 |
| information by the plan sponsor consistent with the
| 22 |
| requirements of this Section. | 23 |
| The group health plan, or a health insurance issuer or | 24 |
| health maintenance organization with
respect to the group | 25 |
| health plan, shall disclose summary health
information to the | 26 |
| plan sponsor if the plan sponsor requests the
summary health |
|
|
|
09300HB4059ham002 |
- 2 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| information for the purpose of (i) obtaining premium bids from | 2 |
| health plans for providing health
insurance coverage under the | 3 |
| group health plan or (ii) modifying, amending, or terminating | 4 |
| the group health plan. | 5 |
| The plan documents of the group health plan must be amended | 6 |
| to
incorporate provisions to do the following: | 7 |
| (1) Establish the permitted and required uses and | 8 |
| disclosures of
such information by the plan sponsor, | 9 |
| provided that such permitted and
required uses and | 10 |
| disclosures may not be inconsistent with this Section. | 11 |
| (2) Provide that the group health plan will disclose | 12 |
| protected
health information to the plan sponsor only upon | 13 |
| receipt of a
certification by the plan sponsor that the | 14 |
| plan documents have been
amended to incorporate the | 15 |
| following provisions and that the plan
sponsor agrees to: | 16 |
| (A) Not use or further disclose the information | 17 |
| other than as
permitted or required by the plan | 18 |
| documents or as required by law. | 19 |
| (B) Ensure that any agents, including a | 20 |
| subcontractor, to whom it
provides protected health | 21 |
| information received from the group health
plan agree | 22 |
| to the same restrictions and conditions that apply to | 23 |
| the
plan sponsor with respect to such information. | 24 |
| (C) Not use or disclose the information for | 25 |
| employment-related
actions and decisions or in | 26 |
| connection with any other benefit or
employee benefit | 27 |
| plan of the plan sponsor. | 28 |
| (D) Report to the group health plan any use or | 29 |
| disclosure of the
information that is inconsistent | 30 |
| with the uses or disclosures provided
for of which it | 31 |
| becomes aware. | 32 |
| (E) Make available protected health information. | 33 |
| (F) Make available protected health information | 34 |
| for amendment, and
incorporate any amendments to |
|
|
|
09300HB4059ham002 |
- 3 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| protected health information. | 2 |
| (G) Make available the information required to | 3 |
| provide an accounting
of disclosures. | 4 |
| (H) Make its internal practices, books, and | 5 |
| records relating to the
use and disclosure of protected | 6 |
| health information received from the
group health plan | 7 |
| available to the Director for purposes of determining
| 8 |
| compliance by the group health plan with this Section. | 9 |
| (I) If feasible, return or destroy all protected | 10 |
| health information
received from the group health plan | 11 |
| that the sponsor still maintains in
any form and retain | 12 |
| no copies of such information when no longer needed
for | 13 |
| the purpose for which disclosure was made, except that, | 14 |
| if such
return or destruction is not feasible, limit | 15 |
| further uses and
disclosures to those purposes that | 16 |
| make the return or destruction of the
information | 17 |
| infeasible. | 18 |
| (J) Ensure that the adequate separation required | 19 |
| in paragraph
(3) is established. | 20 |
| (3) Provide for adequate separation between the group | 21 |
| health plan
and the plan sponsor. The plan documents must | 22 |
| do the following: | 23 |
| (A) Describe those employees or classes of | 24 |
| employees or other
persons under the control of the | 25 |
| plan sponsor to be given access to the
protected health | 26 |
| information to be disclosed, provided that any | 27 |
| employee
or person who receives protected health | 28 |
| information relating to payment
under, health care | 29 |
| operations of, or other matters pertaining to the
group | 30 |
| health plan in the ordinary course of business must be | 31 |
| included in
such description. | 32 |
| (B) Restrict the access to and use by such | 33 |
| employees and other
persons described in subparagraph | 34 |
| (A) of this paragraph (3) to the
plan administration |
|
|
|
09300HB4059ham002 |
- 4 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| functions that the plan sponsor performs for the
group | 2 |
| health plan. | 3 |
| (C) Provide an effective mechanism for resolving | 4 |
| any issues of
noncompliance by persons described in | 5 |
| subparagraph (A) of this paragraph (3) with the plan | 6 |
| document provisions required by this subsection.
| 7 |
| (c) Standard: de-identification of protected health | 8 |
| information.
Health information that does not identify an | 9 |
| individual and with respect
to which there is no reasonable | 10 |
| basis to believe that the information
can be used to identify | 11 |
| an individual is not individually identifiable
health | 12 |
| information. | 13 |
| (d) Implementation specifications: requirements for de-
| 14 |
| identification of protected health information. A covered | 15 |
| entity may
determine that health information is not | 16 |
| individually identifiable
health information only if: | 17 |
| (1) A person with appropriate knowledge of and | 18 |
| experience with
generally accepted statistical and | 19 |
| scientific principles and methods for
rendering | 20 |
| information not individually identifiable: | 21 |
| (A) Applying such principles and methods, | 22 |
| determines that the risk
is very small that the | 23 |
| information could be used, alone or in
combination with | 24 |
| other reasonably available information, by an
| 25 |
| anticipated recipient to identify an individual who is | 26 |
| a subject of the
information; and | 27 |
| (B) Documents the methods and results of the | 28 |
| analysis that justify
such determination; or | 29 |
| (2)(i) The following identifiers of the individual or | 30 |
| of relatives,
employers, or household members of the | 31 |
| individual, are removed: | 32 |
| (A) Names; | 33 |
| (B) All geographic subdivisions smaller than a | 34 |
| State, including
street address, city, county, |
|
|
|
09300HB4059ham002 |
- 5 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| precinct, zip code, and their equivalent
geocodes, | 2 |
| except for the initial 3 digits of a zip code if,
| 3 |
| according to the current publicly available data from | 4 |
| the Bureau of the
Census: | 5 |
| (i) The geographic unit formed by combining | 6 |
| all zip codes with the
same 3 initial digits | 7 |
| contains more than 20,000 people; and
| 8 |
| (ii) The initial 3 digits of a zip code for all | 9 |
| such geographic
units containing 20,000 or fewer | 10 |
| people is changed to 000; | 11 |
| (C) All elements of dates (except year) for dates | 12 |
| directly related
to an individual, including birth | 13 |
| date, admission date, discharge date,
date of death; | 14 |
| and all ages over 89 and all elements of dates | 15 |
| (including
year) indicative of such age, except that | 16 |
| such ages and elements may be
aggregated into a single | 17 |
| category of age 90 or older; | 18 |
| (D) Telephone numbers; | 19 |
| (E) Fax numbers;
| 20 |
| (F) Electronic mail addresses; | 21 |
| (G) Social security numbers; | 22 |
| (H) Medical record numbers; | 23 |
| (I) Health plan beneficiary numbers; | 24 |
| (J) Account numbers; | 25 |
| (K) Certificate/license numbers; | 26 |
| (L) Vehicle identifiers and serial numbers, | 27 |
| including license plate
numbers; | 28 |
| (M) Device identifiers and serial numbers; | 29 |
| (N) Web Universal Resource Locators (URLs); | 30 |
| (O) Internet Protocol (IP) address numbers; | 31 |
| (P) Biometric identifiers, including finger and | 32 |
| voice prints; | 33 |
| (Q) Full face photographic images and any | 34 |
| comparable images; and |
|
|
|
09300HB4059ham002 |
- 6 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| (R) Any other unique identifying number, | 2 |
| characteristic, or code,
except as permitted by | 3 |
| subsection (i) of this Section; and | 4 |
| (ii) The covered entity does not have actual knowledge | 5 |
| that the
information could be used alone or in combination | 6 |
| with other information
to identify an individual who is a | 7 |
| subject of the information. | 8 |
| (e) Implementation specifications: re-identification. A | 9 |
| covered
entity may assign a code or other means of record | 10 |
| identification to
allow information de-identified under this | 11 |
| Section to be re-identified
by the covered entity, provided | 12 |
| that: | 13 |
| (1) Derivation. The code or other means of record | 14 |
| identification is
not derived from or related to | 15 |
| information about the individual and is
not otherwise | 16 |
| capable of being translated so as to identify the
| 17 |
| individual; and | 18 |
| (2) Security. The covered entity does not use or | 19 |
| disclose the code
or other means of record identification | 20 |
| for any other purpose, and does
not disclose the mechanism | 21 |
| for re-identification. | 22 |
| (f)(1) Standard: minimum necessary requirements. In order | 23 |
| to comply
with this Section, a covered entity must meet the
| 24 |
| requirements of subdivisions (f)(2) through (f)(5) of this | 25 |
| Section with
respect to a request for, or the use and | 26 |
| disclosure of, protected health
information. | 27 |
| (2) Implementation specifications: minimum necessary | 28 |
| uses of
protected health information. | 29 |
| (i) A covered entity must identify: | 30 |
| (A) Those persons or classes of persons, as | 31 |
| appropriate, in its
workforce who need access to | 32 |
| protected health information to carry out
their | 33 |
| duties; and
| 34 |
| (B) For each such person or class of persons, the |
|
|
|
09300HB4059ham002 |
- 7 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| category or
categories of protected health information | 2 |
| to which access is needed and
any conditions | 3 |
| appropriate to such access. | 4 |
| (ii) A covered entity must make reasonable efforts to | 5 |
| limit the
access of such persons or classes identified in | 6 |
| subdivision (f)(2)(i)(A)
of this Section to protected | 7 |
| health information consistent with
subdivision | 8 |
| (f)(2)(i)(B) of this Section. | 9 |
| (3) Implementation specification: Minimum necessary | 10 |
| disclosures of
protected health information. | 11 |
| (i) For any type of disclosure that it
makes on a | 12 |
| routine and recurring basis, a covered entity must | 13 |
| implement
policies and procedures (which may be | 14 |
| standard protocols) that limit the
protected health | 15 |
| information disclosed to the amount reasonably
| 16 |
| necessary to achieve the purpose of the disclosure. | 17 |
| (ii) For all other disclosures, a covered entity | 18 |
| must: | 19 |
| (A) Develop criteria designed to limit the | 20 |
| protected health
information disclosed to the | 21 |
| information reasonably necessary to
accomplish the | 22 |
| purpose for which disclosure is sought; and | 23 |
| (B) Review requests for disclosure on an | 24 |
| individual basis in
accordance with such criteria. | 25 |
| (iii) A covered entity may rely, if such reliance | 26 |
| is reasonable
under the circumstances, on a requested | 27 |
| disclosure as the minimum
necessary for the stated | 28 |
| purpose when: | 29 |
| (A) Making disclosures to public officials, if | 30 |
| the public official represents that the | 31 |
| information
requested is the minimum necessary for | 32 |
| the stated purpose or purposes; | 33 |
| (B) The information is requested by another | 34 |
| covered entity; |
|
|
|
09300HB4059ham002 |
- 8 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| (C) The information is requested by a | 2 |
| professional who is a member
of its workforce or is | 3 |
| a business associate of the covered entity for
the | 4 |
| purpose of providing professional services to the | 5 |
| covered entity, if
the professional represents | 6 |
| that the information requested is the
minimum | 7 |
| necessary for the stated purpose or purposes; or | 8 |
| (D) Documentation or representations that | 9 |
| comply with the applicable
requirements have been | 10 |
| provided by a person
requesting the information | 11 |
| for research purposes. | 12 |
| (4) Implementation specifications: Minimum necessary | 13 |
| requests for
protected health information. | 14 |
| (i) A covered entity must limit any
request for | 15 |
| protected health information to that which is | 16 |
| reasonably
necessary to accomplish the purpose for | 17 |
| which the request is made,
when requesting such | 18 |
| information from other covered entities. | 19 |
| (ii) For a request that is made on a routine and | 20 |
| recurring basis, a
covered entity must implement | 21 |
| policies and procedures (which may be
standard | 22 |
| protocols) that limit the protected health information
| 23 |
| requested to the amount reasonably necessary to | 24 |
| accomplish the purpose
for which the request is made. | 25 |
| (iii) For all other requests, a covered entity | 26 |
| must: | 27 |
| (A) Develop criteria designed to limit the | 28 |
| request for protected
health information to the | 29 |
| information reasonably necessary to accomplish
the | 30 |
| purpose for which the request is made; and | 31 |
| (B) Review requests for disclosure on an | 32 |
| individual basis in
accordance with such criteria. | 33 |
| (5) Implementation specification: Other content | 34 |
| requirement. For all
uses, disclosures, or requests to |
|
|
|
09300HB4059ham002 |
- 9 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| which the requirements in this subsection
(f) apply, a | 2 |
| covered entity may not use, disclose, or
request an entire | 3 |
| medical record, except when the entire medical record
is | 4 |
| specifically justified as the amount that is reasonably | 5 |
| necessary to
accomplish the purpose of the use, disclosure, | 6 |
| or request. | 7 |
| (g)(1) Standard: Limited data set. A covered entity may use | 8 |
| or
disclose a limited data set that meets the requirements of | 9 |
| subdivisions
(g)(2) and (g)(3) of this Section if the covered | 10 |
| entity enters into a
data use agreement with the limited data | 11 |
| set recipient in accordance
with subdivision (g)(4) of this | 12 |
| Section. | 13 |
| (2) Implementation specification: Limited data set. A | 14 |
| limited data
set is protected health information that | 15 |
| excludes the following direct
identifiers of the | 16 |
| individual or of relatives, employers, or household
| 17 |
| members of the individual: | 18 |
| (i) Names; | 19 |
| (ii) Postal address information, other than town | 20 |
| or city, State, and
zip code;
| 21 |
| (iii) Telephone numbers; | 22 |
| (iv) Fax numbers;
| 23 |
| (v) Electronic mail addresses; | 24 |
| (vi) Social security numbers; | 25 |
| (vii) Medical record numbers; | 26 |
| (viii) Health plan beneficiary numbers; | 27 |
| (ix) Account numbers; | 28 |
| (x) Certificate/license numbers; | 29 |
| (xi) Vehicle identifiers and serial numbers, | 30 |
| including license plate
numbers; | 31 |
| (xii) Device identifiers and serial numbers; | 32 |
| (xiii) Web Universal Resource Locators (URLs); | 33 |
| (xiv) Internet Protocol (IP) address numbers; | 34 |
| (xv) Biometric identifiers, including finger and |
|
|
|
09300HB4059ham002 |
- 10 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| voice prints; and | 2 |
| (xvi) Full face photographic images and any | 3 |
| comparable images. | 4 |
| (3) Implementation specification: Permitted purposes | 5 |
| for uses and
disclosures. | 6 |
| (i) A covered entity may use or disclose a limited | 7 |
| data set
under subdivision (g)(1) of this Section only | 8 |
| for the purposes of
research, public health, or health | 9 |
| care operations. | 10 |
| (ii) A covered entity may use protected health | 11 |
| information to create
a limited data set that meets the | 12 |
| requirements of subdivision (g)(2) of
this Section, or | 13 |
| disclose protected health information only to a
| 14 |
| business associate for such purpose, whether or not the | 15 |
| limited data set
is to be used by the covered entity. | 16 |
| (4) Implementation specifications: Data use agreement. | 17 |
| (i)
Agreement required. A covered entity may use or | 18 |
| disclose a limited data
set under subdivision (g)(1) of | 19 |
| this Section only if the covered entity
obtains | 20 |
| satisfactory assurance, in the form of a data use | 21 |
| agreement that
meets the requirements of this Section, | 22 |
| that the limited data set
recipient will only use or | 23 |
| disclose the protected health information for
limited | 24 |
| purposes. | 25 |
| (ii) Contents. A data use agreement between the | 26 |
| covered entity and
the limited data set recipient must: | 27 |
| (A) Establish the permitted uses and | 28 |
| disclosures of such information
by the limited | 29 |
| data set recipient, consistent with subdivision | 30 |
| (g)(3) of
this Section. The data use agreement may | 31 |
| not authorize the limited data
set recipient to use | 32 |
| or further disclose the information in a manner
| 33 |
| that would violate the requirements of this | 34 |
| subpart, if done by the
covered entity; |
|
|
|
09300HB4059ham002 |
- 11 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| (B) Establish who is permitted to use or | 2 |
| receive the limited data
set; and | 3 |
| (C) Provide that the limited data set | 4 |
| recipient will: | 5 |
| (1) Not use or further disclose the | 6 |
| information other than as
permitted by the data | 7 |
| use agreement or as otherwise required by law; | 8 |
| (2) Use appropriate safeguards to prevent | 9 |
| use or disclosure of the
information other than | 10 |
| as provided for by the data use agreement; | 11 |
| (3) Report to the covered entity any use or | 12 |
| disclosure of the
information not provided for | 13 |
| by its data use agreement of which it
becomes | 14 |
| aware; | 15 |
| (4) Ensure that any agents, including a | 16 |
| subcontractor, to whom it
provides the limited | 17 |
| data set agrees to the same restrictions and
| 18 |
| conditions that apply to the limited data set | 19 |
| recipient with respect to
such information; | 20 |
| and | 21 |
| (5) Not identify the information or | 22 |
| contact the individuals. | 23 |
| (iii) Compliance. | 24 |
| (A) A covered entity is not in compliance with | 25 |
| the
standards in this subsection (g) if the covered | 26 |
| entity knew of
a pattern of activity or practice of | 27 |
| the limited data set recipient that
constituted a | 28 |
| material breach or violation of the data use | 29 |
| agreement,
unless the covered entity took | 30 |
| reasonable steps to cure the breach or
end the | 31 |
| violation, as applicable, and, if such steps were | 32 |
| unsuccessful: | 33 |
| (1) Discontinued disclosure of protected | 34 |
| health information to the
recipient; and |
|
|
|
09300HB4059ham002 |
- 12 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| (2) Reported the problem to the Secretary. | 2 |
| (B) A covered entity that is a limited data set | 3 |
| recipient and
violates a data use agreement will be | 4 |
| in noncompliance with the
standards, | 5 |
| implementation specifications, and requirements of | 6 |
| this subsection
(g). | 7 |
| (h)(1) Standard: Uses and disclosures for fundraising. A | 8 |
| covered
entity may use, or disclose to a business associate or | 9 |
| to an
institutionally related foundation, the following | 10 |
| protected health
information for the purpose of raising funds | 11 |
| for its own benefit,
without an authorization meeting | 12 |
| requirements adopted by the Department: | 13 |
| (i) Demographic information relating to an | 14 |
| individual; and | 15 |
| (ii) Dates of health care provided to an | 16 |
| individual. | 17 |
| (2) Implementation specifications: Fundraising | 18 |
| requirements. | 19 |
| (i) The
covered entity may not use or disclose | 20 |
| protected health information for
fundraising purposes | 21 |
| as otherwise permitted by subdivision (h)(1) of this
| 22 |
| Section. | 23 |
| (ii) The covered entity must include in any | 24 |
| fundraising materials it
sends to an individual under | 25 |
| this paragraph a description of how the
individual may | 26 |
| opt out of receiving any further fundraising
| 27 |
| communications. | 28 |
| (iii) The covered entity must make reasonable | 29 |
| efforts to ensure that
individuals who decide to opt | 30 |
| out of receiving future fundraising
communications are | 31 |
| not sent such communications. | 32 |
| (i) Standard: Uses and disclosures for underwriting and | 33 |
| related
purposes. If a health plan receives protected heath | 34 |
| information for the
purpose of underwriting, premium rating, or |
|
|
|
09300HB4059ham002 |
- 13 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| other activities relating to
the creation, renewal, or | 2 |
| replacement of a contract of health insurance
or health | 3 |
| benefits, and if such health insurance or health benefits are
| 4 |
| not placed with the health plan, such health plan may not use | 5 |
| or
disclose such protected health information for any other | 6 |
| purpose, except
as may be required by law. | 7 |
| (j)(1) Standard: Verification requirements. Prior to any | 8 |
| disclosure
permitted by this Section, a covered entity must: | 9 |
| (i) Verify
the identity of a person requesting | 10 |
| protected health information and the
authority of any | 11 |
| such person to have access to protected health
| 12 |
| information under this Section, if the identity or any | 13 |
| such authority of
such person is not known to the | 14 |
| covered entity; and | 15 |
| (ii) Obtain any documentation, statements, or | 16 |
| representations,
whether oral or written, from the | 17 |
| person requesting the protected health
information | 18 |
| when such documentation, statement, or representation | 19 |
| is a
condition of the disclosure under this Section. | 20 |
| (2) Implementation specifications: Verification. | 21 |
| (i) Conditions on
disclosures. If a disclosure is | 22 |
| conditioned by this subpart on
particular | 23 |
| documentation, statements, or representations from the | 24 |
| person
requesting the protected health information, a | 25 |
| covered entity may rely,
if such reliance is reasonable
| 26 |
| under the circumstances, on documentation, statements, | 27 |
| or
representations that, on their face, meet the | 28 |
| applicable requirements. | 29 |
| (ii) Identity of public officials. A covered | 30 |
| entity may rely, if
such reliance is reasonable under | 31 |
| the circumstances, on any of the
following to verify | 32 |
| identity when the disclosure of protected health
| 33 |
| information is to a public official or a person acting | 34 |
| on behalf of the
public official: |
|
|
|
09300HB4059ham002 |
- 14 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| (A) If the request is made in person, | 2 |
| presentation of an agency
identification badge, | 3 |
| other official credentials, or other proof of
| 4 |
| government status; | 5 |
| (B) If the request is in writing, the request | 6 |
| is on the appropriate
government letterhead; or | 7 |
| (C) If the disclosure is to a person acting on | 8 |
| behalf of a public
official, a written statement on | 9 |
| appropriate government letterhead that
the person | 10 |
| is acting under the government's authority or | 11 |
| other evidence
or documentation of agency, such as | 12 |
| a contract for services, memorandum
of | 13 |
| understanding, or purchase order, that establishes | 14 |
| that the person is
acting on behalf of the public | 15 |
| official. | 16 |
| (iii) Authority of public officials. A covered | 17 |
| entity may rely, if
such reliance is reasonable under | 18 |
| the circumstances, on any of the
following to verify | 19 |
| authority when the disclosure of protected health
| 20 |
| information is to a public official or a person acting | 21 |
| on behalf of the
public official: | 22 |
| (A) A written statement of the legal authority | 23 |
| under which the
information is requested, or, if a | 24 |
| written statement would be
impracticable, an oral | 25 |
| statement of such legal authority; | 26 |
| (B) If a request is made pursuant to legal | 27 |
| process, warrant,
subpoena, order, or other legal | 28 |
| process issued by a grand jury or a
judicial or | 29 |
| administrative tribunal is presumed to constitute | 30 |
| legal
authority. | 31 |
| (iv) Exercise of professional judgment. The | 32 |
| verification
requirements of this subsection (n) are | 33 |
| met if the covered entity relies on
the exercise of | 34 |
| professional judgment in making a use or disclosure or |
|
|
|
09300HB4059ham002 |
- 15 - |
LRB093 15454 DRJ 48452 a |
|
| 1 |
| acts on a good faith belief in making a
disclosure. ".
|
|