State of Illinois
2017 and 2018


Introduced 2/14/2018, by Sen. Chapin Rose


410 ILCS 513/31
410 ILCS 513/31.1
410 ILCS 513/31.2
410 ILCS 513/31.3
410 ILCS 513/31.5
410 ILCS 513/31.7

    Amends the Genetic Information Privacy Act. In provisions concerning uses and disclosures for treatment, payment, health care operations, health oversight activities, and public health activities; uses and disclosures of information to a health information exchange; business associates; and establishment and disclosure of limited data sets and de-identified information, provides that various uses or disclosures of a patient's genetic information may not (rather than may) occur without the patient's consent. Effective immediately.

LRB100 19091 MJP 34348 b





SB2924LRB100 19091 MJP 34348 b

1    AN ACT concerning health.
2    Be it enacted by the People of the State of Illinois,
3represented in the General Assembly:
4    Section 5. The Genetic Information Privacy Act is amended
5by changing Sections 31, 31.1, 31.2, 31.3, 31.5, and 31.7 as
7    (410 ILCS 513/31)
8    Sec. 31. Uses and disclosures for treatment, payment, and
9health care operations. A Notwithstanding Sections 30 and 35 of
10this Act, a covered entity may not, without a patient's
12        (1) use or disclose genetic information for its own
13    treatment, payment, or health care operations;
14        (2) disclose genetic information for treatment
15    activities of a health care provider;
16        (3) disclose genetic information to another covered
17    entity or health care provider for the payment activities
18    of the entity that receives the information;
19        (4) disclose genetic information to another covered
20    entity for health care operations activities of the entity
21    that receives the information, if each entity has or had a
22    relationship with the individual who is the subject of the
23    genetic information being requested, the genetic



SB2924- 2 -LRB100 19091 MJP 34348 b

1    information pertains to such relationship, and the
2    disclosure is for the purpose of (A) conducting quality
3    assessment and improvement activities, including outcomes
4    evaluation and development of clinical guidelines,
5    provided that the obtaining of generalizable knowledge is
6    not the primary purpose of any studies resulting from such
7    activities; patient safety activities; population-based
8    activities relating to improving health or reducing health
9    care costs, protocol development, case management, and
10    care coordination, contacting of health care providers and
11    patients with information about treatment alternatives;
12    and related functions that do not include treatment; (B)
13    reviewing the competence or qualifications of health care
14    professionals or health care providers, evaluating
15    practitioner and provider performance, health plan
16    performance, conducting training programs in which
17    students, trainees, or practitioners in areas of health
18    care learn under supervision to practice or improve their
19    skills as health care providers, training of non-health
20    care professionals, accreditation, certification,
21    licensing, or credentialing activities; or (C) health care
22    fraud and abuse detection or compliance; and
23        (5) disclose genetic information to other participants
24    in an organized health care arrangement in which the
25    covered entity is also a participant for any health care
26    operations activities of the organized health care



SB2924- 3 -LRB100 19091 MJP 34348 b

1    arrangement.
2(Source: P.A. 98-1046, eff. 1-1-15.)
3    (410 ILCS 513/31.1)
4    Sec. 31.1. Uses and disclosures for health oversight
6    (a) A Notwithstanding Sections 30 and 35 of this Act, a
7covered entity may not disclose genetic information, without a
8patient's consent, to a health oversight agency for health
9oversight activities authorized by law, including audits,
10civil, administrative, or criminal investigations;
11inspections; licensure or disciplinary actions; civil
12administrative or criminal proceedings or actions; or other
13activities necessary for appropriate oversight of (i) the
14health care system; (ii) government benefit programs for which
15health information is relevant to beneficiary eligibility;
16(iii) entities subject to government regulatory programs for
17which health information is necessary for determining
18compliance with program standards; or (iv) entities subject to
19civil rights laws for which health information is necessary for
20determining compliance.
21    (b) For purposes of the disclosures permitted by this
22Section, a health oversight activity does not include an
23investigation or other activity in which the individual is the
24subject of the investigation or activity and such investigation
25or other activity does not arise out of and is not directly



SB2924- 4 -LRB100 19091 MJP 34348 b

1related to (i) the receipt of health care; (ii) a claim for
2public benefits related to health; or (iii) qualification for,
3or receipt of, public benefits or services when a patient's
4health is integral to the claim for public benefits or
5services, except that, if a health oversight activity or
6investigation is conducted in conjunction with an oversight
7activity or investigation relating to a claim for public
8benefits not related to health, the joint activity or
9investigation is considered a health oversight activity for
10purposes of this Section.
11    (c) If a covered entity is also a health oversight agency,
12the covered entity may use genetic information for health
13oversight activities permitted by this Section.
14(Source: P.A. 98-1046, eff. 1-1-15.)
15    (410 ILCS 513/31.2)
16    Sec. 31.2. Uses and disclosures for public health
17activities. Genetic Notwithstanding Sections 30 and 35 of this
18Act, genetic information may not be disclosed without a
19patient's consent for public health activities and purposes to
20the Department, when the Department is authorized by law to
21collect or receive such information for the purpose of
22preventing or controlling disease, injury, or disability,
23including, but not limited to, the reporting of disease,
24injury, vital events such as birth or death, and the conduct of
25public health surveillance, public health investigations, and



SB2924- 5 -LRB100 19091 MJP 34348 b

1public health interventions.
2(Source: P.A. 98-1046, eff. 1-1-15.)
3    (410 ILCS 513/31.3)
4    Sec. 31.3. Business associates.
5    (a) A Notwithstanding Sections 30 and 35 of this Act, a
6covered entity may not, without a patient's consent, disclose a
7patient's genetic information to a business associate and may
8allow a business associate to create, receive, maintain, or
9transmit protected health information on its behalf, if the
10covered entity obtains, through a written contract or other
11written agreement or arrangement that meets the applicable
12requirements of 45 CFR 164.504(e), satisfactory assurance that
13the business associate will appropriately safeguard the
14information. A covered entity is not required to obtain such
15satisfactory assurances from a business associate that is a
17    (b) A business associate may disclose protected health
18information to a business associate that is a subcontractor and
19may allow the subcontractor to create, receive, maintain, or
20transmit protected health information on its behalf, if the
21business associate obtains satisfactory assurances, in
22accordance with 45 CFR 164.504(e)(1)(i), that the
23subcontractor will appropriately safeguard the information.
24(Source: P.A. 98-1046, eff. 1-1-15.)



SB2924- 6 -LRB100 19091 MJP 34348 b

1    (410 ILCS 513/31.5)
2    Sec. 31.5. Use and disclosure of information to an HIE. A
3Notwithstanding the provisions of Section 30 and 35 of this
4Act, a covered entity may not, without a patient's consent,
5disclose the identity of any patient upon whom a test is
6performed and such patient's genetic information from a
7patient's record to a HIE if the disclosure is a required or
8permitted disclosure to a business associate or is a disclosure
9otherwise required or permitted under this Act. An HIE may not,
10without a patient's consent, use or disclose such information
11to the extent it is allowed to use or disclose such information
12as a business associate in compliance with 45 CFR 164.502(e) or
13for such other purposes as are specifically allowed under this
15(Source: P.A. 98-1046, eff. 1-1-15.)
16    (410 ILCS 513/31.7)
17    Sec. 31.7. Establishment and disclosure of limited data
18sets and de-identified information.
19    (a) A covered entity may not, without a genetic information
20test subject's consent, create, use, and disclose a limited
21data set using information subject to this Act or disclose
22information subject to this Act to a business associate for the
23purpose of establishing a limited data set. The creation, use,
24and disclosure of such a limited data set must comply with the
25requirements set forth under HIPAA.



SB2924- 7 -LRB100 19091 MJP 34348 b

1    (b) A covered entity may not, without a genetic information
2test subject's consent, create, use, and disclose
3de-identified information using information subject to this
4Act or disclose information subject to this Act to a business
5associate for the purpose of de-identifying the information.
6The creation, use, and disclosure of such de-identified
7information must comply with the requirements set forth under
8HIPAA. A covered entity or a business associate may disclose
9information that is de-identified in accordance with HIPAA.
10    (c) The recipient of de-identified information shall not
11re-identify de-identified information using any public or
12private data source.
13(Source: P.A. 98-1046, eff. 1-1-15.)
14    Section 99. Effective date. This Act takes effect upon
15becoming law.