Current through Register Vol. 48, No. 45, November 8, 2024
Section 1005.35 - Department Standards for Health Data Release

a) Disclosure of Individually Identifiable Health Data

1) The Department may make no disclosure of any item, collection or grouping of health data that makes the individual supplying or described in the health data identifiable unless:

A) The individual described in the health data, or the parent or legal guardian if the individual is a minor or mentally incompetent or a person holding a power of attorney covering the matters on behalf of the individual, has consented to the disclosure;

B) The disclosure is to a governmental entity in this State or in another state or to the federal government, provided that:

i) The health data will be used for a purpose for which the health data was collected by the Department;

ii) The recipient of the health data has entered into a written agreement, satisfactory to the Department, that it will protect the health data in accordance with the requirements of the Act and this Part and will not permit further disclosure without prior approval of the Department (Section 5(a)(2) of the Act);

C) The disclosure is to an individual or organization, for a specified time period as set forth in the written agreement and as determined by the Department, solely for bona fide research or statistical purposes, as determined in accordance with guidelines and procedures adopted by the Department, and the Department determines that:

i) the disclosure of the health data to the requesting individual or organization is required for the research or statistical purposes proposed;

ii) the requesting individual or organization has entered into a written agreement satisfactory to the Department that it will protect the health data in accordance with the requirements of the Act and this Part and will not permit further disclosure without prior approval of the Department.
In no event, however, may the name, address, social security number, recipient number, or other unique personal identifier of an individual supplying the health data to the Department or described in it be disclosed under this Part to the requesting individual or organization, unless a Department-approved Institutional Review Board or its equivalent on the protection of human subjects in research has reviewed and approved the health data request. (Section 5(a)(3) of the Act); and

iii) The applicant is qualified to undertake the intended activity or study, as determined by the Department, based upon the IRB's assessment. In making its determination, the Department will consider, but is not limited to, the applicant's credentials and experience; and complexity of the health data request;

D) The disclosure is to a governmental entity for the purpose of conducting an audit, evaluation or investigation of the Department and the governmental entity agrees not to use the health data for making any determination to whom the health data relates (Section 5(a)(4) of the Act);

E) The disclosure is of specific medical or epidemiological information to authorized personnel in this or another state or the federal government, or agencies responsible to enforce quarantine, when necessary to continue patient services or to undertake public health efforts to control communicable, infectious, acute, chronic, or any other disease or health hazard that the Department considers to be dangerous or important or that may affect public health;

F) The disclosure is of specific medical or epidemiologic information to a health care provider, health care personnel, or public health personnel who has a legitimate need to have access to the information in order to assist the patient or protect the patient.
This does not create a duty to warn third parties; or

G) The disclosure is necessary to obtain payment from an insurer or other third party payor in order for the Department to obtain payment or coordinate benefits for a patient.

b) Any disclosure provided for in subsection (a) of this Section shall be made at the discretion of the Department except that the disclosure provided for in subsection (a)(1)(D) of this Section must be made when the requirements of that subsection have been met. (Section 5(b) of the Act)

c) No identifiable health data obtained in the course of activities undertaken or supported under the Act or this Part shall be subject to subpoena, or similar compulsory process in any civil or criminal, judicial, administrative or legislative proceeding, nor shall any individual or organization with lawful access to identifiable health data under the provisions of the Act or this Part be compelled to testify with regard to the health data, except that data pertaining to a party in litigation may be subject to subpoena or similar compulsory process in an action brought by or on behalf of the individual to enforce any liability arising under the Act or this Part. (Section 5(c) of the Act)

d) Standards for Disclosure of De-Identified Health Data

1) De-identification Standard: Individual health data is sufficiently de-identified and does not constitute confidential information if a statistical or a safe harbor de-identification method is used.
Public use data files approved for publication by the Department also meet the de-identification standard.

2) Re-identification of De-identified Health Data: The Department may assign a code or other means of health data identification to allow information that has been de-identified to be re-identified, provided that the Department does not disclose the code or other means of health data identification for any other purpose and does not disclose the mechanism for re-identification of the individual, and that the code or other means of data identification is not derived from or related to information about the individual and cannot otherwise be translated to identify the individual.

e) Standards for Disclosure of Aggregate Health Data

1) Any disclosure of aggregate health data shall ensure that there is no reasonable basis to believe that the identity of an individual could be derived from disclosure of aggregate health data, unless the Director determines that the public health benefit of the disclosure is warranted or that conditions specified in subsection (a) are met.

2) When releasing de-identified aggregate health data, Department programs will use accepted methods for de-identification of aggregate health data and will take into account whether values should be suppressed in situations in which numbers are too small to produce reliable statistics.

Ill. Admin. Code tit. 77, § 1005.35
Added at 38 Ill. Reg. 19251, effective 9/10/2014