Ill. Admin. Code tit. 77, § 697.220 - Release of HIV/AIDS Registry Data

a) The Department may not release data gathered pursuant tothe HIV/AIDS Registry Act unless:

1) It is in a statisticalformthat does not identify the reporting entity, physician and patient in any way, including by address;

2) The release or transfer is to an Illinois Local Public Health Department or to a registry or health department of another state, and is of data concerning a person who is residing in that jurisdiction. The Department shall disclose individual patient data concerning residents of another state to the Registry in the individual's state of residence if the recipient of reported information about HIV/AIDS is legally required to hold reported information about HIV/AIDS in confidence and provides protection from disclosure of patient identifying information equivalent to the protection afforded by the Illinois law. (Section 7(a) of the AIDS Registry Act)

b) All data obtained directly from medical records of individual patients shall be for the confidential use of the Department and those entities authorized by the Department to view those records in order to carry out the purposes of the HIV/AIDS Registry Act. (Section 7(b) of the HIV/AIDS Registry Act)

1) As outlined in the Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), HIV/AIDS Registry information may be disclosed to public health authorities when required by federal, tribal, or state laws.

2) The Department will share the information in a manner that protects the confidentiality of the protected health information. Only the minimum information necessary for the intended purpose shall be disclosed.

3) For the sole purpose of treatment of a person living with HIV, the Department may share identifiable confidential health information contained in the HIV/AIDS Registry with the Illinois Department of Healthcare and Family Services.

4) A person or institution to whom information is furnished or to whom access to records has been given pursuant to this Section shall not divulge any part of the information or records so as to disclose the identity of the person to whom the information or record relates, except as necessary for the treatment of a person living with HIV. All health data shared by the Department shall be stored by the recipient of the data in a secure data environment. Disclosure may take place using electronic means compliant with HIPAA security and privacy standards. The Department may prescribe the use of a health information exchange to achieve these purposes when a health information exchange is available.

c) The identity of any person whose condition or treatment has been studied, or any facts which are likely to reveal the identity of such person, shall be confidential and shall not be revealed in any report or any other matter prepared, released or published. Researchers may, however, use the names of persons when requesting additional information for research studies approved by the Department; provided, however, that when a request for additional information is to be made, the Department shall first obtain authorization from the patient or the patient's legally authorized representative after ascertaining that a test subject's physical and psychological condition is suitable for the request in the opinion of the test subject's health care professional. (Section 7(c) of the HIV/AIDS Registry Act)

1) All requests by medical or epidemiologic researchers for confidential HIV/AIDS Registry data shall be submitted in writing to the Department. The request shall include a study protocol that contains: objectives of the research; rationale for the research, including scientific literature justifying the current proposal; overall study methods, including copies of forms, questionnaires, and consent forms used to contact facilities, health care professionals or study subjects, and including methods for documenting compliance with 42 CFR 2a.4(a) through (j), 2a.6(a) through (b), and 2a. 7(a) through (b)(1); methods for the processing of data; storage and security measures taken to ensure confidentiality of patient identifying information; time frame of the study; a description of the funding source of the study (e.g., federal contract); the curriculum vitae of the principal investigator and a list of collaborators. In addition, the research request shall specify what patient or facility identifying information is needed and how the information will be used.

2) All requests to conduct research and modifications to approved research proposals involving the use of data that includes patient or facility identifying information shall be subject to a review to determine compliance with the following conditions. The Department will enter into contracts for research that requires the release of patient or health care facility identifying information when requests meet the following conditions:

A) The request for patient or facility identifying information contains stated goals or objectives;

B) The request documents the feasibility of the study design in achieving the stated goals and objectives;

C) The request documents the need for the requested data to achieve the stated goals and objectives;

D) The requested data can be provided within the time frame set forth in the request;

E) The request documents that the researcher has qualifications relevant to the type of research being conducted;

F) The research will not duplicate other research already underway using the same Registry data; and

G) The request documents other such conditions relevant to the need for the patient or facility identifying information and the patient's confidentiality rights, because the Department will release only the patient or facility identifying information that is necessary for the research.

3) The Department will enter into research contracts for all approved research requests. These contracts shall specify exactly what information is being released and how it can be used. In addition, the researcher shall include assurances that:

A) The researcher understands that use of data is restricted to the specifications of the research protocol;

B) The researcher understands that any data that may lead to the identity of any patient, research subject, health care professional, other person, or hospital is strictly privileged and confidential and agrees to keep all data strictly confidential at all times;

C) The researcher understands that all officers, agents and employees are to keep all data strictly confidential;

D) The researcher agrees to communicate the requirements of this Section to all officers, agents, and employees, to discipline all persons who may violate the requirements of this Section, and to notify the Department in writing within 48 hours after any violation of this Section, including full details of the violation and corrective actions to be taken;

E) The researcher understands that all data provided by the Department pursuant to this contract may be used only for the purposes named in this contract and that any other or additional use of the data shall result in immediate termination of this contract by the Department; and

F) The researcher understands that all data provided by the Department pursuant to this contract is the sole property of the Department and may not be copied or reproduced in any form or manner and agrees to return all data and all copies and reproduction of the data to the Department upon termination of the contract.

4) Any departures from the approved protocol shall be submitted in writing and approved by the Director in accordance with subsection (c)(2) prior to initiation. No patient or facility identifying information may be released by a researcher to a third party.

5) The Department shall disclose individual patient or facility information to the reporting facility that originally supplied that information to the Department, upon written request of the facility.

d) HIV/AIDS information may be disclosed in accordance with Sections 697.140 and 697.400.

e) No liability shall attach to any hospital, physician or other facility submitting information pursuant to the Act based upon a claim that the hospital, physician or facility reported information that may be confidential. (Section 7(d) of the HIV/AIDS Registry Act)

Notes

Ill. Admin. Code tit. 77, § 697.220

Amended at 36 Ill. Reg. 7613, effective May 4, 2012

Amended at 44 Ill. Reg. 15770, effective 9/1/2020