|
Rep. Mary Beth Canty
Filed: 5/28/2026
| | 10400SB3222ham001 | | LRB104 19119 BAB 38481 a |
|
|
| 1 | | AMENDMENT TO SENATE BILL 3222
|
| 2 | | AMENDMENT NO. ______. Amend Senate Bill 3222 by replacing |
| 3 | | everything after the enacting clause with the following:
|
| 4 | | "Section 1. Short title. This Act may be cited as the |
| 5 | | Protect Health Data Privacy Act.
|
| 6 | | Section 5. Definitions. As used in this Act: |
| 7 | | "Affiliate" means a legal entity that shares common |
| 8 | | branding with another legal entity or controls, is controlled |
| 9 | | by or is under common control with another legal entity. For |
| 10 | | the purposes of this definition, "control" and "controlled" |
| 11 | | mean (1) ownership of, or the power to vote, more than 50% of |
| 12 | | the outstanding shares of any class of voting security of a |
| 13 | | company, (2) control in any manner over the election of a |
| 14 | | majority of the directors or of individuals exercising similar |
| 15 | | functions, or (3) the power to exercise controlling influence |
| 16 | | over the management of a company. |
|
| | 10400SB3222ham001 | - 2 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | "Collect" means to buy, rent, lease, access, retain, |
| 2 | | receive, derive, or acquire health data in any manner, |
| 3 | | including receiving the data from an individual, either |
| 4 | | actively or passively, or by observing or tracking the |
| 5 | | individual's online activity or precise location. |
| 6 | | "Consent" means a clear, affirmative act by an individual |
| 7 | | that unambiguously communicates the individual's express, |
| 8 | | freely given, informed, opted-into, voluntary, specific, and |
| 9 | | unambiguous written agreement, including written consent |
| 10 | | provided by electronic means to the processing or sale of |
| 11 | | health data. "Consent" does not include implied consent or |
| 12 | | consent obtained by: |
| 13 | | (1) acceptance of a general or broad terms of use |
| 14 | | agreement or a similar document that contains descriptions |
| 15 | | of personal data processing along with other, unrelated |
| 16 | | information; |
| 17 | | (2) hovering over, muting, pausing, or closing a given |
| 18 | | piece of digital content; or |
| 19 | | (3) agreement obtained through the use of deceptive |
| 20 | | designs. |
| 21 | | "Deceptive design" means any user interface or element |
| 22 | | thereof that has the substantial effect of subverting, |
| 23 | | impairing, or impeding an individual's autonomy, |
| 24 | | decision-making, or choice. |
| 25 | | "Deidentified data" means data that cannot be used to |
| 26 | | infer information about, or otherwise be linked to, an |
|
| | 10400SB3222ham001 | - 3 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | identified or identifiable individual, or a device linked to |
| 2 | | such individual. |
| 3 | | "Geofence" means technology that uses global positioning |
| 4 | | coordinates, cell tower connectivity, cellular data, radio |
| 5 | | frequency identification, wireless Internet data, or any other |
| 6 | | form of spatial or location detection to establish a virtual |
| 7 | | boundary around a specific physical location, or to locate an |
| 8 | | individual within a virtual boundary that is no more than |
| 9 | | 1,750 feet around a specific physical location. |
| 10 | | "Health data" means (1) an individual's personal |
| 11 | | information that identifies a past or present health condition |
| 12 | | of that individual, or (2) information that is linked or can be |
| 13 | | reasonably linked to an individual that a regulated entity |
| 14 | | derives or extrapolates from nonhealth information that a |
| 15 | | regulated entity uses or processes to determine a past, |
| 16 | | present, or future health condition of that individual. |
| 17 | | "Health data" includes any information relating to an |
| 18 | | individual's: |
| 19 | | (1) health conditions, status, diseases, diagnoses, or |
| 20 | | testing; |
| 21 | | (2) health-related treatment, surgeries, or |
| 22 | | procedures; |
| 23 | | (3) use or purchase of medication; |
| 24 | | (4) social, psychological, behavioral, and medical |
| 25 | | interventions; |
| 26 | | (5) measurement or tracking of bodily functions, vital |
|
| | 10400SB3222ham001 | - 4 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | signs, or symptoms; |
| 2 | | (6) responses to and results from online screenings |
| 3 | | and online tests and quizzes regarding the individual's |
| 4 | | health conditions that are used to determine an |
| 5 | | individual's health condition; |
| 6 | | (7) efforts to research or obtain health services or |
| 7 | | supplies; |
| 8 | | (8) health services or products that support or relate |
| 9 | | to lawful health care, as defined in Section 28-10 of the |
| 10 | | Lawful Health Care Activity Act; and |
| 11 | | (9) precise location information used to determine an |
| 12 | | individual's attempt to acquire or receive health services |
| 13 | | or supplies. |
| 14 | | "Health data" does not include: |
| 15 | | (1) information about an individual's purchase or |
| 16 | | acquisition of retail goods or services that the regulated |
| 17 | | entity uses or processes for a purpose other than to |
| 18 | | determine an individual's past, present, or future |
| 19 | | physical or mental health condition; or |
| 20 | | (2) deidentified data. |
| 21 | | "Health services" means any service, medical care, or |
| 22 | | information related to an individual's health condition |
| 23 | | provided to an individual. |
| 24 | | "HIPAA" means the Health Insurance Portability and |
| 25 | | Accountability Act of 1996, Public Law 104-191, the Health |
| 26 | | Information Technology for Economic and Clinical Health Act, |
|
| | 10400SB3222ham001 | - 5 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | and any subsequent amendments thereto and any regulations |
| 2 | | promulgated thereunder, including the Privacy Rule, as |
| 3 | | specified in 45 CFR 164.500-534, the Security Rule, as |
| 4 | | specified in 45 CFR 164.302-318, and the Breach Notification |
| 5 | | rule, as specified in 45 CFR 164.400-414. |
| 6 | | "Homepage" means the introductory page of a website where |
| 7 | | personal information is collected. In the case of an online |
| 8 | | service, such as a mobile application, "homepage" means the |
| 9 | | application's platform page or download page, such as from the |
| 10 | | application configuration, "About" page, "Information" page, |
| 11 | | or "Settings" page, and any other location that allows |
| 12 | | individuals to review the notice. |
| 13 | | "Individual" means a natural person who is a resident of |
| 14 | | this State or whose health data is collected when present in |
| 15 | | this State, however identified, including by any unique |
| 16 | | identifier. "Individual" does not include a person acting |
| 17 | | within the scope of the person's duties as an employee, |
| 18 | | independent contractor, officer, board member, or sole |
| 19 | | proprietorship. |
| 20 | | "Person" means, where applicable, natural persons, |
| 21 | | corporations, trusts, unincorporated associations, and |
| 22 | | partnerships. "Person" does not include (1) any branch of |
| 23 | | State government, unit of local government, or school |
| 24 | | district; (2) any tribal nation, or (3) any contractor, |
| 25 | | subcontractor, or agent that processes health data on behalf |
| 26 | | of, and in accordance with the terms and conditions of a |
|
| | 10400SB3222ham001 | - 6 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | contract with, any branch of State government, tribal nation, |
| 2 | | unit of local government, or school district. |
| 3 | | "Personal information" means information that identifies, |
| 4 | | is reasonably capable of being associated with, or is linked, |
| 5 | | directly or indirectly, with a particular individual or |
| 6 | | household. "Personal information" includes, but is not limited |
| 7 | | to, data associated with a persistent unique identifier, such |
| 8 | | as a cookie ID, an IP address, a device identifier, or any |
| 9 | | other form of persistent unique identifier. "Personal |
| 10 | | information" does not include publicly available information |
| 11 | | or deidentified data. |
| 12 | | "Precise location information" means information derived |
| 13 | | from technology, including, but not limited to, Global |
| 14 | | Positioning System level latitude and longitude coordinates or |
| 15 | | other mechanisms, that identifies the specific location of an |
| 16 | | individual with precision and accuracy within a radius of |
| 17 | | 1,750 feet. "Precise location information" does not include: |
| 18 | | (1) the content of communications, or (2) any data generated |
| 19 | | by or connected to advanced utility metering infrastructure |
| 20 | | systems or equipment for use by a utility. |
| 21 | | "Process" or "processing" means any operation or set of |
| 22 | | operations performed, whether by manual or automated means, on |
| 23 | | personal information or on sets of personal information, |
| 24 | | whether alone or in combination with other data, such as the |
| 25 | | collection, use, access, sharing, analysis, retention, |
| 26 | | creation, generation, derivation, recording, organization, |
|
| | 10400SB3222ham001 | - 7 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | structuring, storage, disclosure, transmission, disposal, |
| 2 | | licensing, destruction, deletion, retrieval, modification, or |
| 3 | | deidentification of health data. |
| 4 | | "Processor" means a person or legal entity that processes |
| 5 | | health data on behalf of a regulated entity pursuant to a |
| 6 | | written agreement or contract. |
| 7 | | "Publicly available" means information that is made |
| 8 | | available to the general public from (1) federal, State, or |
| 9 | | local government records; (2) widely distributed media, |
| 10 | | including health data intentionally made available by the |
| 11 | | individual to the general public and in which the individual |
| 12 | | did not maintain a reasonable expectation of privacy; or (3) a |
| 13 | | disclosure that has been made to the general public as |
| 14 | | required by federal, State, or local law. "Publicly available |
| 15 | | information" does not include (1) personal information that is |
| 16 | | created through the combination of personal information with |
| 17 | | publicly available information; (2) information made available |
| 18 | | by an individual on a website or online service open to all |
| 19 | | members of the public, for free or for a fee, where the |
| 20 | | individual has maintained a reasonable expectation of privacy |
| 21 | | by restricting the information to a specific audience; or (3) |
| 22 | | any obscene visual depiction, as defined in 18 U.S.C. 1460. |
| 23 | | "Regulated entity" means any individual, partnership, |
| 24 | | corporation, limited liability company, or association that: |
| 25 | | (1) conducts business in this State, or produces or provides |
| 26 | | products or services that are available to individuals in this |
|
| | 10400SB3222ham001 | - 8 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | State; and (2) determines the purpose and means of processing |
| 2 | | or selling of health data. |
| 3 | | "Regulated entity" does not include: |
| 4 | | (1) any branch of State government, a tribal nation, a |
| 5 | | unit of local government, or a school district; |
| 6 | | (2) a contractor, subcontractor, or agent that |
| 7 | | processes health data on behalf of, and in accordance with |
| 8 | | the terms and conditions of a contract with, any branch of |
| 9 | | State government, a tribal nation, a unit of local |
| 10 | | government, or a school district; |
| 11 | | (3) a processor that processes health data on behalf |
| 12 | | of a regulated entity; |
| 13 | | (4) a not-for-profit legal entity that is subject to |
| 14 | | and in compliance with the Illinois Insurance Guaranty |
| 15 | | Fund Article of the Illinois Insurance Code or the Life |
| 16 | | and Health Insurance Guaranty Association Article of the |
| 17 | | Illinois Insurance Code, to the extent such entity is |
| 18 | | acting in a capacity subject to the supervision of the |
| 19 | | Department of Insurance; |
| 20 | | (5) a covered entity or a business associate, as |
| 21 | | defined in 45 CFR 160.103, subject to and in substantial |
| 22 | | compliance with HIPAA to the extent such entity is acting |
| 23 | | as a covered entity or business associate under the |
| 24 | | Privacy and Security rules issued by the United States |
| 25 | | Department of Health and Human Services, Parts 160 and 164 |
| 26 | | of Title 45 of the Code of Federal Regulations; |
|
| | 10400SB3222ham001 | - 9 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (6) any entity that is subject to and in compliance |
| 2 | | with restrictions on disclosure of records under Section |
| 3 | | 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, |
| 4 | | to the extent such entity is acting in a capacity subject |
| 5 | | to such restrictions; or |
| 6 | | (7) an entity that is subject to and in compliance |
| 7 | | with the Insurance Information and Privacy Protection |
| 8 | | Article of the Illinois Insurance Code, the Insurance Data |
| 9 | | Security Law, and any corresponding privacy protection |
| 10 | | rules adopted by the Director of Insurance to the extent |
| 11 | | such entity is acting in a capacity subject to such laws |
| 12 | | and rules. |
| 13 | | "Sell" or "sale" means the exchange of health data for |
| 14 | | monetary or other valuable consideration. |
| 15 | | "Sell" or "sale" does not include: |
| 16 | | (1) the sharing or transfer of an individual's health |
| 17 | | data by a regulated entity to a processor that processes |
| 18 | | the individual's health data on behalf of the regulated |
| 19 | | entity; |
| 20 | | (2) the sharing or transfer of an individual's health |
| 21 | | data to an affiliate of the regulated entity; |
| 22 | | (3) the sharing or transfer of an individual's health |
| 23 | | data by a regulated entity to a third party with whom the |
| 24 | | individual has a direct relationship when the sharing is |
| 25 | | for the purpose of, and only to the extent necessary for |
| 26 | | providing a product or service requested by the |
|
| | 10400SB3222ham001 | - 10 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | individual, and the third party maintains or uses the |
| 2 | | individual's health data consistent with the purpose for |
| 3 | | which it was collected and consented to by the individual; |
| 4 | | (4) the sharing or transfer of an individual's health |
| 5 | | data when the individual directs the regulated entity to |
| 6 | | disclose the individual's health data or intentionally |
| 7 | | uses the regulated entity to interact with a third party; |
| 8 | | (5) the sharing or transfer of an individual's health |
| 9 | | data to a third party as an asset that is part of a merger, |
| 10 | | acquisition, bankruptcy, or other transaction in which the |
| 11 | | third party assumes control of all or part of the |
| 12 | | regulated entity's assets and complies with the |
| 13 | | requirements and obligations in this Act, but only if the |
| 14 | | regulated entity, within a reasonable time before the |
| 15 | | exchange, provides the affected individual with: |
| 16 | | (A) a notice describing the transfer, including |
| 17 | | the name of the entity receiving the individual's |
| 18 | | health data and the applicable privacy policies of the |
| 19 | | entity; and |
| 20 | | (B) a reasonable opportunity to withdraw |
| 21 | | previously provided consent related to the |
| 22 | | individual's health data and request the deletion of |
| 23 | | the individual's health data; and |
| 24 | | (6) the sharing or transfer of an individual's |
| 25 | | publicly available health data. |
| 26 | | "Share" or "sharing" means to release, disclose, |
|
| | 10400SB3222ham001 | - 11 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | disseminate, divulge, loan, make available, provide access to, |
| 2 | | license, transfer, or otherwise communicate orally, in |
| 3 | | writing, or by electronic or other means, an individual's |
| 4 | | health data by a regulated entity to a third party, except |
| 5 | | where the regulated entity maintains exclusive control and |
| 6 | | ownership of the health data. |
| 7 | | "Share" or "sharing" does not include: |
| 8 | | (1) the sharing or transfer of an individual's health |
| 9 | | data by a regulated entity to a processor that processes |
| 10 | | the individual's health data on behalf of the regulated |
| 11 | | entity; |
| 12 | | (2) the sharing or transfer of an individual's health |
| 13 | | data to an affiliate of the regulated entity; |
| 14 | | (3) the sharing or transfer of an individual's health |
| 15 | | data by a regulated entity to a third party with whom the |
| 16 | | individual has a direct relationship when the sharing is |
| 17 | | for the purpose of, and only to the extent necessary for |
| 18 | | providing a product or service requested by the |
| 19 | | individual, and the third party maintains or uses the |
| 20 | | individual's health data consistent with the purpose for |
| 21 | | which it was collected and consented to by the individual; |
| 22 | | (4) the sharing or transfer of an individual's health |
| 23 | | data when the individual directs the regulated entity to |
| 24 | | disclose the individual's health data or intentionally |
| 25 | | uses the regulated entity to interact with a third party; |
| 26 | | (5) the sharing or transfer of an individual's health |
|
| | 10400SB3222ham001 | - 12 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | data to a third party as an asset that is part of a merger, |
| 2 | | acquisition, bankruptcy, or other transaction in which the |
| 3 | | third party assumes control of all or part of the |
| 4 | | regulated entity's assets and complies with the |
| 5 | | requirements and obligations in this Act, but only if the |
| 6 | | regulated entity, within a reasonable time before the |
| 7 | | exchange, provides the affected individual with: |
| 8 | | (A) a notice describing the transfer, including |
| 9 | | the name of the entity receiving the individual's |
| 10 | | health data and the applicable privacy policies of the |
| 11 | | entity; and |
| 12 | | (B) a reasonable opportunity to withdraw |
| 13 | | previously provided consent related to the |
| 14 | | individual's health data and request the deletion of |
| 15 | | the individual's health data; and |
| 16 | | (6) the sharing or transfer of an individual's |
| 17 | | publicly available health data. |
| 18 | | "Strictly necessary" means essential or required to be |
| 19 | | done. |
| 20 | | "Substantial compliance" means a level of compliance with |
| 21 | | Title 45 of the Code of Federal Regulations Sections 164.502, |
| 22 | | 164.508, 164.510, 164.512, 164.514, 164.520, 164.522, 164.524, |
| 23 | | 164.526, 164.528, and 164.530 that does not arise from gross |
| 24 | | negligence, recklessness, or willful misconduct by the entity |
| 25 | | acting as a covered entity or business associate. |
| 26 | | "Third party" means an entity other than an individual, |
|
| | 10400SB3222ham001 | - 13 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | regulated entity, processor, or affiliate of the regulated |
| 2 | | entity. |
| 3 | | "Unit of local government" means a county, municipality, |
| 4 | | township, special district, or any other unit designated as a |
| 5 | | unit of local government by law.
|
| 6 | | Section 10. Health data privacy policy required. |
| 7 | | (a) A regulated entity shall disclose and maintain a |
| 8 | | health data privacy policy that, in plain language, clearly |
| 9 | | and conspicuously includes and discloses: |
| 10 | | (1) the categories of health data processed, including |
| 11 | | the specific categories of health data collected, the |
| 12 | | purposes for which the health data is collected, and how |
| 13 | | the health data will be used; |
| 14 | | (2) the categories of sources from which health data |
| 15 | | is collected; |
| 16 | | (3) whether the regulated entity collects health data |
| 17 | | when the individual is not directly interacting with the |
| 18 | | regulated entity or its services; |
| 19 | | (4) the specific categories of health data shared and |
| 20 | | sold; |
| 21 | | (5) the categories of third parties to whom the |
| 22 | | regulated entity shares and sells health data, if |
| 23 | | applicable; |
| 24 | | (6) the process for opt-in consent to collection of |
| 25 | | health data; |
|
| | 10400SB3222ham001 | - 14 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (7) how to withdraw consent from the collection, |
| 2 | | processing, and selling of an individual's health data; |
| 3 | | (8) the process to withdraw consent from having health |
| 4 | | data collected; |
| 5 | | (9) the length of time the regulated entity intends to |
| 6 | | retain each category of health data, or if that is not |
| 7 | | possible, the criteria used to determine that period; |
| 8 | | however, a regulated entity shall not retain health data |
| 9 | | for each disclosed purpose for which the health data was |
| 10 | | collected for longer than is reasonably necessary to |
| 11 | | fulfill that disclosed purpose or as otherwise permitted |
| 12 | | by this Act; |
| 13 | | (10) how an individual may exercise the rights |
| 14 | | provided in this Act, including, but not limited to, |
| 15 | | identifying 2 or more designated methods for an individual |
| 16 | | to contact the regulated entity in connection with the |
| 17 | | exercise of any rights provided in this Act; |
| 18 | | (11) an active email address or other online mechanism |
| 19 | | that the individual may use to contact the regulated |
| 20 | | entities, free of charge; and |
| 21 | | (12) the date the health data privacy notice was last |
| 22 | | updated. |
| 23 | | (b) A regulated entity shall prominently publish or link |
| 24 | | to its health data privacy policy on its website homepage, |
| 25 | | mobile application, or in another manner that is clear and |
| 26 | | conspicuous to individuals. A regulated entity's health data |
|
| | 10400SB3222ham001 | - 15 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | privacy policy must be distinguishable from other matters. Any |
| 2 | | regulated entity providing health services in a physical |
| 3 | | location shall also post its health data privacy policy in a |
| 4 | | conspicuous place that is readily available for viewing by |
| 5 | | individuals. |
| 6 | | (c) A regulated entity shall not process or sell |
| 7 | | additional categories of health data not disclosed in the |
| 8 | | health data privacy policy without first disclosing the |
| 9 | | additional categories of health data and obtaining the |
| 10 | | individual's consent before the processing or selling of the |
| 11 | | health data. |
| 12 | | (d) A regulated entity shall not process or sell health |
| 13 | | data for additional purposes not disclosed in the health data |
| 14 | | privacy policy without first disclosing the additional |
| 15 | | purposes and obtaining the individual's consent before the |
| 16 | | processing or selling of the health data. |
| 17 | | (e) It is a violation of this Act for a regulated entity to |
| 18 | | contract with a processor to process an individual's health |
| 19 | | data in a manner that is inconsistent with the regulated |
| 20 | | entity's health data privacy policy.
|
| 21 | | Section 15. Processing of health data. |
| 22 | | (a) Except as provided in subsection (c), a regulated |
| 23 | | entity shall not process an individual's health data unless it |
| 24 | | first obtains consent of the individual to whom the data |
| 25 | | relates. Before a regulated entity processes an individual's |
|
| | 10400SB3222ham001 | - 16 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | health data, it shall first: |
| 2 | | (1) disclose its health data privacy policy as |
| 3 | | required under Section 10; and |
| 4 | | (2) separate from the health data privacy policy, |
| 5 | | request the individual's consent to process the |
| 6 | | information for a specified purpose and clearly and |
| 7 | | conspicuously disclose within the request the following |
| 8 | | information: |
| 9 | | (A) the categories of health data processed; |
| 10 | | (B) the regulated entity's specific purpose for |
| 11 | | processing the health data, including the specific |
| 12 | | ways in which the individual's health data will be |
| 13 | | used; |
| 14 | | (C) the categories of entities with whom the |
| 15 | | health data is shared; and |
| 16 | | (D) how the individual can withdraw consent from |
| 17 | | future processing of the individual's health data. |
| 18 | | (b) A regulated entity shall not process an individual's |
| 19 | | health data for any additional purpose that was not |
| 20 | | specifically disclosed and consented to by the individual in |
| 21 | | accordance with this Act. |
| 22 | | (c) Consent to process an individual's health data is not |
| 23 | | required if the individual's health data is processed only for |
| 24 | | one or more of the following permissible purposes: |
| 25 | | (1) as is strictly necessary to provide a product, |
| 26 | | service, or service feature that the individual to whom |
|
| | 10400SB3222ham001 | - 17 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | the health data relates has specifically requested from |
| 2 | | the regulated entity; |
| 3 | | (2) to initiate, manage, execute, or complete a |
| 4 | | financial or commercial transaction or to fulfill an order |
| 5 | | for a specific product or service requested by an |
| 6 | | individual to whom the individual health data pertains, |
| 7 | | including, but not limited to, associated routine |
| 8 | | administrative, operational, or account-servicing |
| 9 | | activity, such as billing, shipping, storage, or |
| 10 | | accounting; |
| 11 | | (3) to comply with an obligation under a law of this |
| 12 | | State or federal law; |
| 13 | | (4) to protect public safety or public health; |
| 14 | | (5) to prevent, detect, protect against, or respond to |
| 15 | | a security incident, identity theft, fraud, harassment, |
| 16 | | malicious or deceptive activities, or activities that are |
| 17 | | illegal under the laws of this State; |
| 18 | | (6) to preserve the integrity or security of systems; |
| 19 | | or |
| 20 | | (7) to investigate, report, or prosecute persons |
| 21 | | responsible for activities that are illegal under the laws |
| 22 | | of this State. |
| 23 | | (d) For purposes of this Act, the processing of precise |
| 24 | | location information or health data to provide transportation |
| 25 | | services by private entities regulated under the |
| 26 | | Transportation Network Providers Act is strictly necessary to |
|
| | 10400SB3222ham001 | - 18 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | the extent that the private entity uses the precise location |
| 2 | | information or health data for the sole purpose of providing a |
| 3 | | service requested by the individual or the use is otherwise |
| 4 | | consistent with that individual's reasonable expectations, |
| 5 | | considering the context in which the individual provided the |
| 6 | | precise location information to the private entity.
|
| 7 | | Section 20. Sale of health data. |
| 8 | | (a) It is unlawful for any regulated entity to sell or |
| 9 | | offer to sell health data concerning an individual without |
| 10 | | first obtaining consent required under Section 15 and valid |
| 11 | | authorization from the individual. The sale of individual |
| 12 | | health data must be consistent with the valid authorization |
| 13 | | signed or electronically documented by the individual. |
| 14 | | (b) A valid authorization to sell an individual's health |
| 15 | | data is an agreement consistent with this Section and must be |
| 16 | | provided in plain language. The valid authorization to sell |
| 17 | | the individual's health data must contain the following: |
| 18 | | (1) the specific health data concerning the individual |
| 19 | | that the regulated entity intends to sell; |
| 20 | | (2) the name and contact information of the regulated |
| 21 | | entity collecting and selling the health data; |
| 22 | | (3) the name and contact information of the regulated |
| 23 | | entity purchasing the health data from the seller |
| 24 | | identified in paragraph (2) of this subsection; |
| 25 | | (4) a description of the purpose for the sale, |
|
| | 10400SB3222ham001 | - 19 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | including how the health data will be gathered and how it |
| 2 | | will be used by the purchaser identified in paragraph (3) |
| 3 | | of this subsection when sold; |
| 4 | | (5) a statement that the provision of goods or |
| 5 | | services may not be conditioned on the individual signing |
| 6 | | the valid authorization; |
| 7 | | (6) a statement that the individual has a right to |
| 8 | | revoke the valid authorization at any time and a |
| 9 | | description on how an individual may revoke the valid |
| 10 | | authorization; |
| 11 | | (7) a statement that the individual health data sold |
| 12 | | pursuant to the valid authorization may be subject to |
| 13 | | redisclosure by the purchaser and may no longer be |
| 14 | | protected by this Section; |
| 15 | | (8) an expiration date for the valid authorization |
| 16 | | that expires one year after the individual signs the valid |
| 17 | | authorization, unless the individual extends the valid |
| 18 | | authorization before it expires. The individual may renew |
| 19 | | the individual's valid authorization annually if the |
| 20 | | regulated entity provides the individual with a notice |
| 21 | | that alerts the individual that the valid authorization |
| 22 | | will expire within 30 days before the expiration date and |
| 23 | | provides the individual with a mechanism that allows the |
| 24 | | individual to renew the valid authorization for an |
| 25 | | additional year or withdraw consent; and |
| 26 | | (9) the signature of the individual and date. |
|
| | 10400SB3222ham001 | - 20 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (c) An authorization is not valid if the document has any |
| 2 | | of the following defects: |
| 3 | | (1) the expiration date has passed and the individual |
| 4 | | did not sign an updated valid authorization before the |
| 5 | | expiration date passed; |
| 6 | | (2) the valid authorization does not contain all the |
| 7 | | information required under this Section; |
| 8 | | (3) the valid authorization has been revoked by the |
| 9 | | individual; |
| 10 | | (4) the valid authorization has been combined with |
| 11 | | other documents to create a compound authorization; or |
| 12 | | (5) the provision of goods or services is conditioned |
| 13 | | on the individual signing the authorization. |
| 14 | | (d) A copy of the signed valid authorization must be |
| 15 | | provided to the individual. |
| 16 | | (e) The seller and purchaser of health data must retain a |
| 17 | | copy of all valid authorizations for the sale of health data |
| 18 | | for 6 years after the date of its signature or the date when it |
| 19 | | was last in effect, whichever is later.
|
| 20 | | Section 25. Rights and requests |
| 21 | | (a) An individual has the right to confirm: (i) whether a |
| 22 | | regulated entity has, or is, processing or selling the |
| 23 | | individual's health data and to access such data, including a |
| 24 | | list of all third parties and affiliates with whom the |
| 25 | | regulated entity shared or sold the individual's health data, |
|
| | 10400SB3222ham001 | - 21 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | and an active email address or other online mechanism that the |
| 2 | | individual may use to contact these third parties; and (ii) |
| 3 | | that a regulated entity has deleted the individual's health |
| 4 | | data following a deletion request pursuant to subsection (c). |
| 5 | | (1) A regulated entity that receives an individual's |
| 6 | | request to confirm shall respond within 45 calendar days |
| 7 | | after receiving the request to confirm from the |
| 8 | | individual. |
| 9 | | (2) The regulated entity shall, without reasonable |
| 10 | | delay, promptly take all steps necessary to verify the |
| 11 | | individual's request, but this shall not extend the |
| 12 | | regulated entity's duty to respond within 45 calendar days |
| 13 | | after receipt of the individual's request. |
| 14 | | (3) The time period to provide the required |
| 15 | | confirmation may be extended once by an additional 45 |
| 16 | | calendar days when reasonably necessary if the individual |
| 17 | | is provided notice of the extension within the first |
| 18 | | 45-day period. |
| 19 | | (b) An individual has the right to withdraw (i) consent |
| 20 | | for processing, including collection and sharing, and (ii) |
| 21 | | authorization for the sale of health data consistent with the |
| 22 | | requirements of Sections 15 and 20, respectively. |
| 23 | | (1) An individual may exercise rights under this |
| 24 | | subsection (b) by submitting a request to a regulated |
| 25 | | entity using the method the regulated entity specifies in |
| 26 | | the privacy policy under paragraph (10) of subsection (a) |
|
| | 10400SB3222ham001 | - 22 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | of Section 10. |
| 2 | | (2) A regulated entity may cease providing a product, |
| 3 | | service, or service feature upon the withdrawal of consent |
| 4 | | for collection if the collection of health data is |
| 5 | | strictly necessary to provide that product, service, or |
| 6 | | service feature. |
| 7 | | (c) An individual whose health data is collected by a |
| 8 | | regulated entity has the right to have the individual's health |
| 9 | | data that is collected by a regulated entity deleted by |
| 10 | | informing the regulated entity of the individual's request for |
| 11 | | deletion, except as provided in paragraph (6) of this |
| 12 | | subsection. |
| 13 | | (1) Except as otherwise specified in paragraph (5), a |
| 14 | | regulated entity that receives an individual's request to |
| 15 | | delete any of the individual's health data shall, without |
| 16 | | unreasonable delay, and no more than 45 calendar days |
| 17 | | after receiving the deletion request: |
| 18 | | (A) delete the individual's health data from its |
| 19 | | records, including from all parts of the regulated |
| 20 | | entity's network; and |
| 21 | | (B) notify all processors, affiliates, and third |
| 22 | | parties with whom the regulated entity has shared the |
| 23 | | individual's health data of the deletion request. |
| 24 | | (2) If a regulated entity stores any health data on |
| 25 | | archived or backup systems, it may delay compliance with |
| 26 | | the individual's request to delete with respect to the |
|
| | 10400SB3222ham001 | - 23 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | health data stored on the archived or backup system until |
| 2 | | the archived or backup system relating to that data is |
| 3 | | restored to an active system or is next accessed or used. |
| 4 | | (3) Any processors, affiliates, or other third parties |
| 5 | | that receive notice of an individual's deletion request |
| 6 | | from a regulated entity shall honor the individual's |
| 7 | | deletion request and delete the health data from the |
| 8 | | regulated entity's records, including from all parts of |
| 9 | | its network or backup systems. |
| 10 | | (4) An individual or an individual's authorized agent |
| 11 | | may exercise the rights set forth in this Act by |
| 12 | | submitting a request, at any time, to a regulated entity. |
| 13 | | This request may be made by: |
| 14 | | (A) contacting the regulated entity in the manner |
| 15 | | included in its health data privacy policy; |
| 16 | | (B) by designating an authorized agent who may |
| 17 | | exercise the rights on behalf of the individual; |
| 18 | | (C) in the case of collecting health data of a |
| 19 | | minor, the minor seeking health services may exercise |
| 20 | | their rights under this Act, or the parent or legal |
| 21 | | guardian of the minor may exercise the minor's rights |
| 22 | | of this Act on the minor's behalf; or |
| 23 | | (D) in the case of collecting health data |
| 24 | | concerning an individual subject to guardianship, |
| 25 | | conservatorship, or other protective arrangement under |
| 26 | | the Probate Act of 1975, the guardian or the |
|
| | 10400SB3222ham001 | - 24 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | conservator of the individual may exercise the rights |
| 2 | | of this Act on the individual's behalf. |
| 3 | | (5) The time period to delete any of the individual's |
| 4 | | health data may be extended once by an additional 45 |
| 5 | | calendar days when reasonably necessary, if the individual |
| 6 | | is provided notice of the extension within the first |
| 7 | | 45-day period. |
| 8 | | (6) Neither a regulated entity nor a processor shall |
| 9 | | be required to comply with an individual's request to |
| 10 | | delete the individual's health data if it is necessary for |
| 11 | | the regulated entity or the processor to maintain the |
| 12 | | individual's health data to: |
| 13 | | (A) provide a product, service, or service feature |
| 14 | | to the individual to whom the health data pertains |
| 15 | | when requested by that individual. In such cases, the |
| 16 | | regulated entity shall confirm whether the individual |
| 17 | | wishes the request for deletion to be treated as a |
| 18 | | request to terminate the associated product, service, |
| 19 | | or feature; |
| 20 | | (B) execute or complete a financial or commercial |
| 21 | | transaction, or to fulfill an order for a specific |
| 22 | | product, good, or service requested by an individual |
| 23 | | to whom the individual health data pertains, |
| 24 | | including, but not limited to, associated routine |
| 25 | | administrative, operational, and account-servicing |
| 26 | | activity, such as billing, shipping, storage, and |
|
| | 10400SB3222ham001 | - 25 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | accounting, or otherwise fulfill the requirements of |
| 2 | | an agreement between the regulated entity and the |
| 3 | | individual; |
| 4 | | (C) prevent, detect, protect against, or respond |
| 5 | | to a security incident, identity theft, fraud, |
| 6 | | harassment, malicious or deceptive activities, or |
| 7 | | activities that are illegal under the laws of this |
| 8 | | State, or investigate, report, or prosecute those |
| 9 | | responsible for any such activity; |
| 10 | | (D) comply with an obligation under a law of this |
| 11 | | State or federal law, including any applicable data |
| 12 | | retention requirements in accordance with State and |
| 13 | | federal law, including the data retention requirements |
| 14 | | set forth in Section 6 of the Hospital Licensing Act, |
| 15 | | 45 CFR 164.316, and 45 CFR 164.530; |
| 16 | | (E) engage in public or peer-reviewed scientific, |
| 17 | | historical, or statistical research in the public |
| 18 | | interest that adheres to all other applicable ethics |
| 19 | | and privacy laws, if the regulated entity's or |
| 20 | | processor's deletion of the information is likely to |
| 21 | | render impossible or seriously impair the achievement |
| 22 | | of such research and if the individual has provided |
| 23 | | consent to such use of the individual's health data; |
| 24 | | (F) comply with any applicable data retention |
| 25 | | requirements in accordance with State and federal law, |
| 26 | | including the data retention requirements set forth in |
|
| | 10400SB3222ham001 | - 26 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | Section 6 of the Hospital Licensing Act, 45 CFR |
| 2 | | 164.316, and 45 CFR 164.530; or |
| 3 | | (G) investigate, establish, exercise, prepare for, |
| 4 | | or defend legal claims. |
| 5 | | (d) An individual may exercise rights under this Section |
| 6 | | by submitting a request to a regulated entity using the method |
| 7 | | the regulated entity specifies in the privacy policy under |
| 8 | | paragraph (10) of subsection (a) of Section 10. |
| 9 | | (e) A regulated entity shall not engage in discriminatory |
| 10 | | practices against an individual solely because the individual |
| 11 | | has not provided consent to the sale or processing of the |
| 12 | | individual's health data pursuant to this Act or has exercised |
| 13 | | any other rights provided by this Act or guaranteed by law. |
| 14 | | Discriminatory practices include, but are not limited to: |
| 15 | | (1) denying goods or services to the individual; |
| 16 | | (2) imposing additional requirements or restrictions |
| 17 | | on the individual that would not be necessary if the |
| 18 | | individual provided consent; |
| 19 | | (3) providing materially different treatment to |
| 20 | | individuals who provide consent, as compared to |
| 21 | | individuals who do not provide consent; |
| 22 | | (4) providing or suggesting that the individual will |
| 23 | | receive a lower level or quality of goods or services. |
| 24 | | For the purposes of this subsection, discriminatory |
| 25 | | practices do not prohibit a regulated entity from suggesting |
| 26 | | that the individual will receive a different price or rate for |
|
| | 10400SB3222ham001 | - 27 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | goods or services or charging different prices or rates for |
| 2 | | goods or services, including using discounts or other |
| 3 | | benefits, when done in connection with an individual's |
| 4 | | voluntary participation in a bona fide loyalty, rewards, |
| 5 | | premium features, discounts, or club card program.
|
| 6 | | Section 30. Processors. |
| 7 | | (a) A processor may process an individual's health data |
| 8 | | only pursuant to a binding contract between the processor and |
| 9 | | the regulated entity that sets forth the processing |
| 10 | | instructions and limits the actions the processor may take |
| 11 | | with respect to the individual health data it processes on |
| 12 | | behalf of the regulated entity. A processor may process |
| 13 | | individual health data only in a manner that is consistent |
| 14 | | with the binding instructions set forth in the contract with |
| 15 | | the regulated entity. |
| 16 | | (b) A processor shall assist the regulated entity using |
| 17 | | appropriate technical and organizational measures, whenever |
| 18 | | possible, in fulfilling the regulated entity's obligations |
| 19 | | under this Act. |
| 20 | | (c) If a processor fails to adhere to the regulated |
| 21 | | entity's instructions or processes individual health data in a |
| 22 | | manner that is outside the scope of the processor's contract |
| 23 | | with the regulated entity, the processor is considered a |
| 24 | | regulated entity with regard to such data and is subject to all |
| 25 | | the requirements of this Act with regard to such data. |
|
| | 10400SB3222ham001 | - 28 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (d) Determining whether a person is acting as a regulated |
| 2 | | entity or processor with respect to a specific processing of |
| 3 | | health data is a fact-based determination that depends upon |
| 4 | | the context in which health data is to be processed. A |
| 5 | | processor that continues to adhere to a regulated entity's |
| 6 | | instructions with respect to a specific processing of health |
| 7 | | data remains a processor. |
| 8 | | (e) A regulated entity or processor that discloses health |
| 9 | | data to a processor or third party in accordance with this Act |
| 10 | | shall not be liable under this Act if the processor or third |
| 11 | | party receiving the health data violates this Act, so long as |
| 12 | | the disclosing regulated entity or processor did not have |
| 13 | | actual knowledge that the receiving processor or third-party |
| 14 | | controller would violate this Act. A third party or processor |
| 15 | | receiving personal data from a regulated entity or processor |
| 16 | | in compliance with this Act is not liable under this Act for |
| 17 | | violations committed by the regulated entity or processor that |
| 18 | | disclosed the health data.
|
| 19 | | Section 35. Authentication of an individual's identity. |
| 20 | | (a) A regulated entity that receives an individual's |
| 21 | | request to confirm or delete may take reasonable measures to |
| 22 | | authenticate the individual's identity, or authorized agent's |
| 23 | | identity, to a reasonably high degree of certainty. A |
| 24 | | reasonably high degree of certainty may include matching at |
| 25 | | least 3 pieces of personal information provided by the |
|
| | 10400SB3222ham001 | - 29 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | individual, or the individual's authorized agent, with |
| 2 | | personal information maintained by the regulated entity that |
| 3 | | the regulated entity has determined to be reliable for the |
| 4 | | purpose of authenticating the individual, or the individual's |
| 5 | | authorized agent, together with a signed declaration under |
| 6 | | penalty of perjury that the individual or the individual's |
| 7 | | authorized agent making the request is the individual or the |
| 8 | | individual's authorized agent whose health data is the subject |
| 9 | | of the request. If a regulated entity uses this method for |
| 10 | | authentication, the regulated entity shall make all forms |
| 11 | | necessary for authentication of an individual's or the |
| 12 | | individual's authorized agent's identity available to the |
| 13 | | individual or the individual's authorized agent and shall |
| 14 | | maintain all signed declarations as part of its recordkeeping |
| 15 | | obligations. |
| 16 | | (b) A regulated entity is not required to comply with an |
| 17 | | individual's or the individual's authorized agent's request to |
| 18 | | confirm or delete if the regulated entity, using commercially |
| 19 | | reasonable efforts, is unable to authenticate the identity of |
| 20 | | the individual or the individual's authorized agent making the |
| 21 | | request. If a regulated entity is unable to authenticate the |
| 22 | | individual's or the individual's authorized agent's identity, |
| 23 | | the regulated entity shall inform the individual or the |
| 24 | | individual's authorized agent that it was unable to |
| 25 | | authenticate the individual's or the individual's authorized |
| 26 | | agent's identity and advise the individual or the individual's |
|
| | 10400SB3222ham001 | - 30 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | authorized agent of other methods, if available, of |
| 2 | | authenticating the individual's or the individual's authorized |
| 3 | | agent's identity. |
| 4 | | (c) If a regulated entity denies an authenticated |
| 5 | | individual's request to delete that individual's health data, |
| 6 | | in whole or in part, because of a conflict with federal or |
| 7 | | State law, the regulated entity shall inform the requesting |
| 8 | | individual and explain the basis for the denial, unless |
| 9 | | prohibited from doing so by law. |
| 10 | | (d) Any information provided by an individual or the |
| 11 | | individual's authorized agent to a regulated entity for the |
| 12 | | purpose of authenticating the individual's or the individual's |
| 13 | | authorized agent's identity shall not be used for any purpose |
| 14 | | other than authenticating the individual's identity and shall |
| 15 | | be destroyed immediately following the authentication process.
|
| 16 | | Section 40. Individual health data security and |
| 17 | | minimization. |
| 18 | | (a) A regulated entity shall restrict access to health |
| 19 | | data to only the employees, processors, and contractors, |
| 20 | | subcontractors, agents, and third parties of the regulated |
| 21 | | entity for whom access is necessary to provide a product or |
| 22 | | service that the individual to whom the health data relates |
| 23 | | has requested from the regulated entity. |
| 24 | | (b) A regulated entity shall establish, implement, and |
| 25 | | maintain administrative, technical, and physical data security |
|
| | 10400SB3222ham001 | - 31 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | practices that at least satisfy a reasonable standard of care |
| 2 | | within the regulated entity's industry to protect the |
| 3 | | confidentiality, integrity, and accessibility of health data |
| 4 | | appropriate to the volume and nature of the personal data at |
| 5 | | issue. |
| 6 | | (c) A regulated entity in possession of deidentified data |
| 7 | | shall: |
| 8 | | (1) take reasonable measures to ensure that such data |
| 9 | | cannot be associated with an individual; |
| 10 | | (2) publicly commit to process such data only in a |
| 11 | | deidentified fashion and not attempt to reidentify such |
| 12 | | data; and |
| 13 | | (3) contractually obligate any recipients of such data |
| 14 | | to satisfy the criteria set forth in items (1) and (2).
|
| 15 | | Section 45. Prohibition on geofencing. It is unlawful for |
| 16 | | a regulated entity to implement a geofence around any entity |
| 17 | | that provides in-person health care services and products |
| 18 | | where the geofence is used to: |
| 19 | | (1) identify or track individuals seeking health care |
| 20 | | services or products, or to determine whether the |
| 21 | | individual is seeking health care services or products; or |
| 22 | | (2) collect data from an individual who enters the |
| 23 | | virtual perimeter.
|
| 24 | | Section 50. Limits on access to an individual's health |
|
| | 10400SB3222ham001 | - 32 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | information by government agencies, officials, and law |
| 2 | | enforcement. |
| 3 | | (a) A regulated entity shall not disclose an individual's |
| 4 | | health data to a federal, State, or local governmental agency, |
| 5 | | official, or law enforcement agent or agency unless: (1) |
| 6 | | disclosure is requested by the individual to whom the health |
| 7 | | data pertains or (2) the governmental entity or official |
| 8 | | serves the regulated entity with a valid warrant, except as |
| 9 | | prohibited under the laws of this State, including, but not |
| 10 | | limited to, Section 3.5 of the Uniform Interstate Depositions |
| 11 | | and Discovery Act. |
| 12 | | (b) A regulated entity shall not collect, sell, share, |
| 13 | | allow access to, or disclose an individual's health data to |
| 14 | | any state or local jurisdiction for the purpose of |
| 15 | | investigating or enforcing a law that denies or interferes |
| 16 | | with an individual's right to obtain any lawful health care |
| 17 | | services as defined by the Lawful Health Care Activity Act.
|
| 18 | | Section 55. Private right of action. Any person aggrieved |
| 19 | | by a violation of this Act shall have a right of action in a |
| 20 | | State circuit court or as a supplemental claim in federal |
| 21 | | district court against an offending party. A prevailing party |
| 22 | | may recover for each violation: |
| 23 | | (1) against any offending party that negligently |
| 24 | | violates a provision of this Act, damages in the amount of |
| 25 | | $1,000 or compensatory damages, whichever is greater; |
|
| | 10400SB3222ham001 | - 33 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (2) against any offending party that intentionally or |
| 2 | | recklessly violates a provision of this Act, damages in |
| 3 | | the amount of $5,000 or compensatory damages, whichever is |
| 4 | | greater; |
| 5 | | (3) reasonable attorney's fees and costs, including |
| 6 | | expert witness fees and other litigation expenses; and |
| 7 | | (4) other relief, including an injunction, as the |
| 8 | | State or federal court may deem appropriate.
|
| 9 | | Section 60. Enforcement by the Attorney General. The |
| 10 | | Attorney General may enforce a violation of this Act as an |
| 11 | | unlawful practice under the Consumer Fraud and Deceptive |
| 12 | | Business Practices Act. All rights and remedies provided by |
| 13 | | the Attorney General under the Consumer Fraud and Deceptive |
| 14 | | Business Practices Act shall be available for enforcement of a |
| 15 | | violation of this Act.
|
| 16 | | Section 65. Conflicts with other laws. |
| 17 | | (a) Nothing in this Act shall be construed to prohibit the |
| 18 | | lawful and authorized disclosure of health data by regulated |
| 19 | | entities to local health departments or State government |
| 20 | | agencies or by or among local health departments and State |
| 21 | | government agencies as may be required by State and federal |
| 22 | | law, including under the Adult Protective Services Act, the |
| 23 | | Abused and Neglected Child Reporting Act, the Criminal Code of |
| 24 | | 2012, and the Disclosure of Offenses Against Children Act. |
|
| | 10400SB3222ham001 | - 34 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (b) This Act shall not be construed to conflict with, or |
| 2 | | limit the application of, any of the following laws, rules, or |
| 3 | | regulations governing the sharing, collection, processing, or |
| 4 | | disclosure of personal information or health data: the Medical |
| 5 | | Patient Rights Act; the Hospital Licensing Act; Sections 2, 4, |
| 6 | | 5, 6, 7, 8, 9, 9.3, 9.8, and 11 of the Mental Health and |
| 7 | | Developmental Disabilities Confidentiality Act; subsections |
| 8 | | (c) through (f) of Section 10 of the Mental Health and |
| 9 | | Developmental Disabilities Confidentiality Act; and Sections |
| 10 | | 8-2001 and 8-2001.5 of the Code of Civil Procedure. |
| 11 | | (c) In the event of a conflict between the provisions of |
| 12 | | this Act and any other law, rule, or regulation listed in |
| 13 | | subsection (b), the law, rule, or regulation that provides the |
| 14 | | greater right, benefit, or protection to individuals shall |
| 15 | | apply. Nothing in this Act shall be construed to diminish or |
| 16 | | limit any rights, benefits, or protections afforded under the |
| 17 | | laws, rules, or regulations referenced in subsection (b).
|
| 18 | | Section 70. Exemptions. |
| 19 | | (a) This Act shall not apply to: |
| 20 | | (1) information that meets the definition of: |
| 21 | | (A) protected health information, as defined by, |
| 22 | | and for purposes of the Health Insurance Portability |
| 23 | | and Accountability Act of 1996, Public Law 104-191, |
| 24 | | and related regulations; |
| 25 | | (B) patient identifying information collected, |
|
| | 10400SB3222ham001 | - 35 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | used, or disclosed in accordance with 42 CFR Part 2, |
| 2 | | established pursuant to 42 U.S.C. 290dd-2; |
| 3 | | (C)(i) identifiable private information for |
| 4 | | purposes of the federal policy for the protection of |
| 5 | | human subjects, 45 CFR Part 46; |
| 6 | | (ii) identifiable private information that is |
| 7 | | otherwise information collected as part of human |
| 8 | | subjects research pursuant to the Good Clinical |
| 9 | | Practice guidelines issued by the International |
| 10 | | Council for Harmonisation of Technical Requirements |
| 11 | | for Pharmaceuticals for Human Use; |
| 12 | | (iii) the protection of human subjects under 21 |
| 13 | | CFR Parts 50 and 56; or |
| 14 | | (iv) personal data used or shared in research |
| 15 | | conducted in accordance with one or more of the |
| 16 | | requirements set forth in this subparagraph (C); |
| 17 | | (D) information and documents created for purposes |
| 18 | | of the federal Health Care Quality Improvement Act of |
| 19 | | 1986, Public Law 99-660, and related regulations; |
| 20 | | (E) patient safety work product for purposes of 42 |
| 21 | | CFR Part 3, established pursuant to 42 U.S.C. 299b-21 |
| 22 | | through 42 U.S.C. 299b-26; or |
| 23 | | (F) information that is deidentified in accordance |
| 24 | | with the requirements for deidentification set forth |
| 25 | | in 45 CFR Part 164, and derived from any of the health |
| 26 | | care-related information listed under this paragraph; |
|
| | 10400SB3222ham001 | - 36 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (2) information originating from and intermingled to |
| 2 | | be indistinguishable with information under paragraph (1) |
| 3 | | that is maintained by: |
| 4 | | (A) a covered entity or a business associate, as |
| 5 | | defined in 45 CFR 160.103, subject to and in |
| 6 | | substantial compliance with the Health Insurance |
| 7 | | Portability and Accountability Act of 1996, Public Law |
| 8 | | 104-191, and to the extent such entity is acting as a |
| 9 | | covered entity or business associate under the Privacy |
| 10 | | and Security rules issued by the United States |
| 11 | | Department of Health and Human Services, Parts 160 and |
| 12 | | 164 of Title 45 of the Code of Federal Regulations; |
| 13 | | (B) a health care facility, including a private |
| 14 | | hospital, clinic, center, medical school, medical |
| 15 | | training institution, laboratory or diagnostic |
| 16 | | facility, physician's office, infirmary, dispensary, |
| 17 | | ambulatory surgical treatment center, or other |
| 18 | | institution or location wherein health care services |
| 19 | | are provided to any person, including physician |
| 20 | | organizations and associations, networks, joint |
| 21 | | ventures, and all other combinations of those |
| 22 | | organizations; |
| 23 | | (C) a health care provider, including a physician, |
| 24 | | hospital facility, or other person that is licensed or |
| 25 | | otherwise authorized to deliver health care services; |
| 26 | | or |
|
| | 10400SB3222ham001 | - 37 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (D) a program or a qualified service organization |
| 2 | | as defined in 42 CFR 2.11; or |
| 3 | | (3) information used only for public health activities |
| 4 | | and purposes as described in 45 CFR 164.512 or that is part |
| 5 | | of a limited data set, as defined in 45 CFR 164.514, and is |
| 6 | | used, disclosed, and maintained in the manner required, by |
| 7 | | 45 CFR 164.514. |
| 8 | | (b) Personal information that is governed by and |
| 9 | | collected, used, or disclosed pursuant to the following laws |
| 10 | | or regulations is exempt from this Act: (1) the |
| 11 | | Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., and |
| 12 | | implementing regulations; (2) Part C of Title XI of the Social |
| 13 | | Security Act, 42 U.S.C. 1320d et seq.; (3) The Fair Credit |
| 14 | | Reporting Act, 15 U.S.C. 1681 et seq.; (4) the Family |
| 15 | | Educational Rights and Privacy Act, 20 U.S.C. 1232g; Part 99 |
| 16 | | of Title 34 of the Code of Federal Regulations; or (5) the |
| 17 | | Insurance Information and Privacy Protection Article of the |
| 18 | | Illinois Insurance Code, the Insurance Data Security Law, and |
| 19 | | any corresponding privacy protection rules adopted by the |
| 20 | | Department of Insurance.
|
| 21 | | Section 97. Severability. The provisions of this Act are |
| 22 | | severable under Section 1.31 of the Statute on Statutes.
|
| 23 | | Section 500. The Consumer Fraud and Deceptive Business |
| 24 | | Practices Act is amended by adding Section 2MMMM as follows:
|
|
| | 10400SB3222ham001 | - 38 - | LRB104 19119 BAB 38481 a |
|
|
| 1 | | (815 ILCS 505/2MMMM new) |
| 2 | | Sec. 2MMMM. Violations of the Protect Health Data Privacy |
| 3 | | Act. Only for purposes of enforcing Section 60 of the Protect |
| 4 | | Health Data Privacy Act, any person who violates the Protect |
| 5 | | Health Data Privacy Act commits an unlawful practice within |
| 6 | | the meaning of this Act.
|
| 7 | | Section 999. Effective date. This Act takes effect August |
| 8 | | 1, 2027, except that Section 55 takes effect February 1, |
| 9 | | 2028.". |