Wisconsin Legislature: DHS 120.30(3)(e)

(1) Nonrelease of patient-identifiable data. The department may not release or provide access to patient-identifiable data, except as provided in s. 153.50 (4), Stats. The department shall protect the identity of a patient by all necessary means, including the use of calculated, masked or aggregated variables.

(2) Procedures governing release of patient-identifiable data.

(a) Persons authorized and desiring to access patient-identifiable data under s. 153.50 (4), Stats., shall submit to the department a request for the release of the data in writing and shall include all of the following:

1. The requester’s name and address.

2. The reason for the request.

3. For a person who is authorized under s. 153.50 (4), Stats., to receive or have access to patient-identifiable data, evidence, in writing, that indicates the authorization.

4. For an entity that is authorized under s. 153.50 (4), Stats., to receive or have access to patient-identifiable data, evidence, in writing, of all of the following:

a. The federal or state statutory requirement to obtain the patient-identifiable data.

b. Any federal or state statutory requirement to uphold the patient confidentiality provisions of this chapter or patient confidentiality provisions that are more restrictive than those of this chapter; or, if the latter evidence is inapplicable, an agreement, in writing, to uphold the patient confidentiality provisions of this chapter.

c. An entity specified under s. 153.50 (4), Stats., having access to data elements considered patient-identifiable may not rerelease these data elements.

Note: Requests should be sent to the following address: Bureau of Health Information and Policy, P. O. Box 26599, Madison, Wisconsin 53701-2659, or deliver the communications to Room 372, 1 W. Wilson Street, Madison, Wisconsin.

(b) Upon receiving a request for patient-identifiable data under par. (a), the department shall, as soon as practicable, either comply with the request or notify the requester, in writing, of all of the following:

1. That the department is denying the request in whole or in part.

2. The reason for the denial.

3. For a person who believes that he or she is authorized under s. 153.50 (4), Stats., the procedures for appealing the denial under s. 19.37 (1), Stats.

(3) Access to patient-identifiable data. In accordance with s. 153.50, Stats., only the following persons or entities may have access to patient-identifiable data maintained by the department:

(a) A health care provider or the agent of a health care provider to ensure the accuracy of the information in the department database.

(b) An agent of the department responsible for collecting and maintaining data under this chapter and who is responsible for the patient-identifiable data in the department in order to safely store the data and ensure the accuracy of the information in the department’s database.

1. Epidemiological investigation purposes specified in writing.

2. Eliminating the need to maintain duplicative databases where the requesting department agent has statutory authority to collect patient-identifiable data as defined in s. 153.50 (1) (b), Stats.

(d) Other entities that have a signed, notarized written agreement with the department, in accordance with the following conditions:

1. The entity has a statutory requirement for obtaining patient-identifiable data for any of the following:

a. Epidemiological investigation purposes.

b. Eliminating the need to maintain duplicative databases, under s. 153.50 (4) (a), Stats.

2. The department may review and approve specific requests by the entity for patient-identifiable data to fulfill the entity’s statutory requirement. The entity’s request shall include all of the following:

a. Written statutory evidence that the entity is entitled to have access to patient-identifiable data.

b. Written statutory evidence requiring the entity to uphold the patient confidentiality provisions specified in this section or stricter patient confidentiality provisions than those specified in this section. If these statutory requirements do not exist, the department shall require the entity to sign and notarize a written data use agreement to uphold the patient confidentiality provisions in this section.

Note: Examples of other entities include the U.S. Centers for Disease Control and cancer registries in other states.

(e) Of information submitted by health care providers that are not hospitals or ambulatory surgery centers, patient-identifiable data that contain a patient’s date of birth may be released to an entity specified under s. 153.50 (4) (a), Stats., upon request and a demonstrated need for the date of birth.

(f) Notwithstanding sub. (2) and pars. (a) to (e), no employer may request the release of or access to patient-identifiable data of an employee of the employer.

(g) An entity specified under s. 153.50 (4), Stats., having access to data elements considered patient-identifiable may not rerelease these data elements.

(4) Data elements considered patient-identifiable.

(a) For information submitted by hospitals and ambulatory surgery centers, all of the following data elements from the uniform patient billing form that identify a patient shall be considered confidential, except as stated in sub. (3):

1. Patient medical record or chart number.

2. Patient control or account number.

3. Patient date of birth.

4. Patient’s employment status and occurrence and place of an auto or other accident.

5. Patient’s school name, if applicable.

6. Patient’s race.

7. Patient’s ethnicity.

8. Patient’s city of residence.

9. Date of patient’s first symptom of current illness, injury or pregnancy.

10. Dates of services provided to patient.

11. Hospitalization dates related to current services provided to patient.

12. Dates patient is unable to work in current occupation.

13. Date of patient admission.

14. Date of patient discharge.

15. Date of patient’s principal procedure.

16. Encrypted case identifier.

17. Insured’s policy number.

18. Insured’s date of birth.

19. Insured’s identification number.

20. Insured’s gender.

21. Medical assistance resubmission code.

22. Medical assistance prior authorization number.

23. Patient’s employer’s name.

(b) For information submitted by health care providers who are not hospitals or ambulatory surgery centers, patient-identifiable data means all of the following elements:

1. Data elements specified in par. (a) 1. to 3., 13. to 16., 21. and 22.

2. Whether the patient’s condition is related to employment, and the occurrence and place of an auto accident or other accident.

3. Date of first symptom of current illness, of current injury or of current pregnancy.

4. First date of patient’s same or similar illness, if any.

5. Dates that the patient has been unable to work in his or her current occupation.

6. Dates of receipt by patient of medical service.

7. The patient’s city, town or village.

(5) Additional methods for ensuring confidentiality of data.

(a) In this subsection, “small number” means any number that is not large enough to be statistically significant, as determined by the department.

(b) Requests for customized data from the physician office data collection including data elements other than those available in public use files require the approval of the independent review board, except in cases where the custom request has been previously authorized in administrative rule or in policies approved by the independent review board.

(c) To ensure that the identity of patients is protected when information generated by the department is released, the department shall do all of the following:

1. Aggregate any data element category containing small numbers that would allow identification of an individual patient using procedures developed by the department and approved by the board. The procedures shall follow commonly accepted statistical methodology.

2. Mask data through any of the following techniques:

a. Combining raw data elements.

b. Recoding data from individual values to category values.

Note: Typical techniques for recoding data from individual values to category values include replacing individual ages with 5-year age groups.

c. Removing raw data elements.

d. Combining years of data to assure that breakdowns of information adequately protect against identification.

e. Using averages based on combined years of data.

History: Cr. Register, December, 2000, No. 540, eff. 1-1-01.

DHS 120.31 Data dissemination.

(1) Definitions. In this section:

(a) “Calculated variable” means a data element that is computed or derived from an original data item or derived using another data source.

(b) “Release raw patient data” means to show, lend or give the raw patient data, or any subset thereof, to another person.

(2) Independent review board.

(a) The department and the board shall work with the independent review board created under s. 153.67, Stats., to establish policies and procedures applicable to processing requests for the release of physician office visit custom databases and custom analyses compiled by the department under this section. The IRB shall review any request under s. 153.45 (1) (c), Stats., for data elements other than those available for public use data files under s. 153.45 (1) (b), Stats. Unless the IRB approves a data request or unless IRB approval is not required under the rules, the department may not release the data elements.

Note: Section 153.67, Stats., was repealed by 2005 Wis. Act 228.

(b) Calculated variables added to the public use physician office databases do not require approval by the IRB before the department releases them.

(c) The independent review board shall establish acceptable custom requests for physician office data or analyses that will not require repeated re-authorizations by the IRB.

(d) The independent review board shall meet as often as necessary to review policies and requests for custom data or custom analyses of the physician office data.

(e) Notwithstanding s. 15.01 (1r), Stats., the independent review board may promulgate only those rules that are first reviewed and approved by the board on health care information.