DHS 120.30(3)
(3) Access to patient-identifiable data. In accordance with s.
153.50, Stats., only the following persons or entities may have access to patient-identifiable data maintained by the department:
DHS 120.30(3)(a)
(a) A health care provider or the agent of a health care provider to ensure the accuracy of the information in the department database.
DHS 120.30(3)(b)
(b) An agent of the department responsible for collecting and maintaining data under this chapter and who is responsible for the patient-identifiable data in the department in order to safely store the data and ensure the accuracy of the information in the department's database.
DHS 120.30(3)(c)2.
2. Eliminating the need to maintain duplicative databases where the requesting department agent has statutory authority to collect patient-identifiable data as defined in s.
153.50 (1) (b), Stats.
DHS 120.30(3)(d)
(d) Other entities that have a signed, notarized written agreement with the department, in accordance with the following conditions:
DHS 120.30(3)(d)1.
1. The entity has a statutory requirement for obtaining patient-identifiable data for any of the following:
DHS 120.30(3)(d)2.
2. The department may review and approve specific requests by the entity for patient-identifiable data to fulfill the entity's statutory requirement. The entity's request shall include all of the following:
DHS 120.30(3)(d)2.a.
a. Written statutory evidence that the entity is entitled to have access to patient-identifiable data.
DHS 120.30(3)(d)2.b.
b. Written statutory evidence requiring the entity to uphold the patient confidentiality provisions specified in this section or stricter patient confidentiality provisions than those specified in this section. If these statutory requirements do not exist, the department shall require the entity to sign and notarize a written data use agreement to uphold the patient confidentiality provisions in this section.
DHS 120.30 Note
Note: Examples of other entities include the U.S. Centers for Disease Control and cancer registries in other states.
DHS 120.30(3)(e)
(e) Of information submitted by health care providers that are not hospitals or ambulatory surgery centers, patient-identifiable data that contain a patient's date of birth may be released to an entity specified under s.
153.50 (4) (a), Stats., upon request and a demonstrated need for the date of birth.
DHS 120.30(3)(f)
(f) Notwithstanding
sub. (2) and
pars. (a) to
(e), no employer may request the release of or access to patient-identifiable data of an employee of the employer.
DHS 120.30(3)(g)
(g) An entity specified under s.
153.50 (4), Stats., having access to data elements considered patient-identifiable may not rerelease these data elements.
DHS 120.30(4)(a)(a) For information submitted by hospitals and ambulatory surgery centers, all of the following data elements from the uniform patient billing form that identify a patient shall be considered confidential, except as stated in
sub. (3):
DHS 120.30(4)(a)4.
4. Patient's employment status and occurrence and place of an auto or other accident.
DHS 120.30(4)(a)9.
9. Date of patient's first symptom of current illness, injury or pregnancy.
DHS 120.30(4)(b)
(b) For information submitted by health care providers who are not hospitals or ambulatory surgery centers, patient-identifiable data means all of the following elements:
DHS 120.30(4)(b)2.
2. Whether the patient's condition is related to employment, and the occurrence and place of an auto accident or other accident.
DHS 120.30(4)(b)3.
3. Date of first symptom of current illness, of current injury or of current pregnancy.
DHS 120.30(4)(b)5.
5. Dates that the patient has been unable to work in his or her current occupation.
DHS 120.30(5)
(5) Additional methods for ensuring confidentiality of data. DHS 120.30(5)(a)(a) In this subsection, “small number" means any number that is not large enough to be statistically significant, as determined by the department.
DHS 120.30(5)(b)
(b) Requests for customized data from the physician office data collection including data elements other than those available in public use files require the approval of the independent review board, except in cases where the custom request has been previously authorized in administrative rule or in policies approved by the independent review board.
DHS 120.30(5)(c)
(c) To ensure that the identity of patients is protected when information generated by the department is released, the department shall do all of the following:
DHS 120.30(5)(c)1.
1. Aggregate any data element category containing small numbers that would allow identification of an individual patient using procedures developed by the department and approved by the board. The procedures shall follow commonly accepted statistical methodology.
DHS 120.30 Note
Note: Typical techniques for recoding data from individual values to category values include replacing individual ages with 5-year age groups.
DHS 120.30(5)(c)2.d.
d. Combining years of data to assure that breakdowns of information adequately protect against identification.
DHS 120.30 History
History: Cr.
Register, December, 2000, No. 540, eff. 1-1-01.
DHS 120.31(1)(a)
(a) “Calculated variable" means a data element that is computed or derived from an original data item or derived using another data source.
DHS 120.31(1)(b)
(b) “Release raw patient data" means to show, lend or give the raw patient data, or any subset thereof, to another person.
DHS 120.31(2)(a)(a) The department and the board shall work with the independent review board created under s.
153.67, Stats., to establish policies and procedures applicable to processing requests for the release of physician office visit custom databases and custom analyses compiled by the department under this section. The IRB shall review any request under s.
153.45 (1) (c), Stats., for data elements other than those available for public use data files under s.
153.45 (1) (b), Stats. Unless the IRB approves a data request or unless IRB approval is not required under the rules, the department may not release the data elements.
DHS 120.31(2)(b)
(b) Calculated variables added to the public use physician office databases do not require approval by the IRB before the department releases them.
DHS 120.31(2)(c)
(c) The independent review board shall establish acceptable custom requests for physician office data or analyses that will not require repeated re-authorizations by the IRB.
DHS 120.31(2)(d)
(d) The independent review board shall meet as often as necessary to review policies and requests for custom data or custom analyses of the physician office data.
DHS 120.31(2)(e)
(e) Notwithstanding s.
15.01 (1r), Stats., the independent review board may promulgate only those rules that are first reviewed and approved by the board on health care information.
DHS 120.31(3)(a)(a) The department may release health care provider-specific data to health care providers to whom the information relates. The department may not release any health care information prior to its review, verification and comment upon by those submitting the data in accordance with procedures described under subch.
III.
DHS 120.31(3)(b)
(b) The department shall provide to other entities the data necessary to fulfill their statutory mandates for epidemiological purposes or to minimize the duplicate collection of similar data elements.
DHS 120.31(3)(c)
(c) The department may release health care provider-specific data found in hospital and freestanding ambulatory surgery center databases to requesters when data review, verification and comment procedures have been followed under
s. DHS 120.11 (4).
DHS 120.31(3)(d)
(d) Before rereleasing any raw patient data element to subsequent users under this section, initial data purchasers shall receive written department approval for the initial purchaser's rerelease of data. Each initial purchaser request shall be submitted to the department in writing and shall contain all of the following information:
DHS 120.31(3)(d)2.
2. The person and, if applicable, the entity the person is associated with to whom the data is proposed to be released.
DHS 120.31(3)(d)3.
3. A statement from the initial purchaser that evidences all of the following:
DHS 120.31(3)(d)3.a.
a. The initial purchaser's understanding that the individual data elements cannot be rereleased until the initial purchaser receives written authorization to do so from the department.
DHS 120.31(3)(d)3.b.
b. The initial purchaser's agreement to distribute the department's confidentiality and data use agreement to subsequent users of the data.
DHS 120.31(3)(e)1.1. Upon receipt of an initial purchaser's request to rerelease any raw data element to subsequent users containing all of the information in
par. (d), the department shall review the request and determine whether to permit the rerelease. Prior to departmental approval of the rerelease, the department must have also received a signed and notarized data use agreement form from the subsequent user. If the department approves the rerelease, the department shall send a letter authorizing rerelease to the requesting initial purchaser. The department shall also send a copy of the letter to the proposed subsequent user.
DHS 120.31(3)(e)2.
2. The department shall include a copy of the pertinent sections of
ch. 153, Stats., and this chapter that prohibit the rerelease of any raw data element without department permission and that indicate the penalty for noncompliance with
ch. 153, Stats., and this chapter.
DHS 120.31(3)(f)
(f) Under no circumstances other than those specified in this paragraph may an individual obtain, use or release raw patient data. An initial data purchaser may do any of the following:
DHS 120.31(3)(f)1.
1. Release the raw patient data to a staff person under his or her direct supervision without requiring the recipient to file a separate data use agreement.