4. Provide to the individual or authorized representative a summary of the
procedures by which the individual or authorized representative may request the
correction, amendment or deletion of any recorded personal medical information in
the possession of the insurer.
(b) Notwithstanding par. (a), an insurer may, in the insurer's discretion,
provide a copy of any recorded personal medical information requested by an
individual or authorized representative under par. (a) to a health care provider who
is designated by the individual or authorized representative and who is licensed,
registered, permitted or certified to provide health care services with respect to the
condition to which the information relates. If the insurer chooses to provide the
information to the designated health care provider under this paragraph, the insurer
shall notify the individual or authorized representative, at the time of disclosure,
that the information has been provided to the health care provider.
(c) An insurer is required to comply with par. (a) or (b) only if the individual or
authorized representative provides a reasonable description of the information that
is the subject of the request and if the information is reasonably easy to locate and
retrieve by the insurer.
(d) If an insurer receives personal medical information from a health care
provider or a medical care institution with instructions restricting disclosure of the
information under s. 51.30 (4) (d) 1. to the individual to whom the information
relates, the insurer may not disclose the personal medical information to the
individual under this subsection, but shall disclose to the individual the identity of
the health care provider or a medical care institution that provided the information.
(e) Any copy of recorded personal medical information provided under par. (a)
or (b) shall include the identity of the source of the information if the source is a
health care provider or a medical care institution.
(f) An insurer may charge the individual a reasonable fee to cover the costs
incurred in providing a copy of recorded personal medical information under par. (a)
or (b).
(g) The requirements for an insurer under this subsection may be satisfied by
another insurer, an insurance agent, an insurance support organization or any other
entity authorized by the insurer to act on its behalf.
(h) The requirements under this subsection do not apply to information
concerning an individual that relates to, and that is collected in connection with or
in reasonable anticipation of, a claim or civil or criminal proceeding involving the
(4) Correction, amendment or deletion of recorded personal medical
(a) Within 30 business days after receiving a written request from an
individual to correct, amend or delete any recorded personal medical information
that is in the insurer's possession, an insurer shall do either of the following:
1. Comply with the request.
2. Notify the individual of all of the following:
a. That the insurer refuses to comply with the request.
b. The reasons for the refusal.
c. That the individual has a right to file a statement as provided in par. (c).
(b) An insurer that complies with a request under par. (a) shall notify the
individual of that compliance in writing and furnish the correction, amendment or
fact of deletion to all of the following:
1. Any person who may have received, within the preceding 2 years, the
recorded personal medical information concerning the individual and who is
specifically designated by the individual.
2. Any insurance support organization for which insurers are the primary
source of personal medical information and to which the insurer, within the
preceding 7 years, has systematically provided recorded personal medical
information. This subdivision does not apply to an insurance support organization
that does not maintain recorded personal medical information concerning the
3. Any insurance support organization that furnished to the insurer the
personal medical information that has been corrected, amended or deleted.
(c) If an insurer refuses to comply with a request under par. (a) 1., the individual
making the request may file with the insurer, an insurance agent or an insurance
support organization any of the following:
1. A concise statement setting forth the information that the individual
believes to be correct, relevant or fair.
2. A concise statement setting forth the reasons why the individual disagrees
with the insurer's refusal to correct, amend or delete the recorded personal medical
(d) If the individual files a statement under par. (c), the insurer shall do all of
the following:
1. File any statement filed by the individual under par. (c) with the recorded
personal medical information that is the subject of the request under par. (a) in such
a manner that any person reviewing the recorded personal medical information will
be aware of and have access to the statement.
2. In any subsequent disclosure by the insurer of the recorded personal medical
information, clearly identify any matter in dispute and provide any statement filed
by the individual under par. (c) that relates to the recorded personal medical
information along with the information.
3. Furnish any statement filed by the individual under par. (c) to any person
to whom the insurer would have been required to furnish a correction, amendment
or fact of deletion under par. (b).
(e) The requirements under this subsection do not apply to information
concerning an individual that relates to, and that is collected in connection with or
in reasonable anticipation of, a claim or civil or criminal proceeding involving the
(5) Disclosure of personal medical information by insurers. Any disclosure
by an insurer of personal medical information concerning an individual shall be
consistent with the individual's signed disclosure authorization form, unless the
disclosure satisfies any of the following:
(a) Is otherwise authorized by the individual, or by a person who is authorized
to consent on behalf of an individual who lacks the capacity to consent.
(b) Is reasonably related to the protection of the insurer's interests in the
assessment of causation, fault or liability or in the detection or prevention of criminal
activity, fraud, material misrepresentation or material nondisclosure.
(c) Is made to an insurance regulatory authority or in response to an
administrative or judicial order, including a search warrant or subpoena, that is
valid on its face.
(d) Is otherwise permitted by law.
(e) Is made for purposes of pursuing a contribution or subrogation claim.
(f) Is made to a professional peer review organization, bill review organization,
health care provider or medical consultant or reviewer for the purpose of reviewing
the services, fees, treatment or conduct of a medical care institution or health care
(g) Is made to a medical care institution or health care provider for any of the
following purposes:
1. Verifying insurance coverage or benefits.
2. Conducting an operations or services audit to verify the individuals treated
by the health care provider or at the medical care institution.
(h) Is made to a network plan that is offered by an insurer in order to make
arrangements for coordinated health care in which personal medical information
concerning an individual is available for providing treatment, making payment for
health care under the plan and undertaking such plan operations as are necessary
to fulfill the contract for provision of coordinated health care.
(i) Is made to a group policyholder for the purpose of reporting claims
experience or conducting an audit of the insurer's operations or services. Disclosure
may be made under this paragraph only if the disclosure is reasonably necessary for
the group policyholder to conduct the review or audit.
(j) Is made for purposes of enabling business decisions to be made regarding
the purchase, transfer, merger, reinsurance or sale of all or part of an insurance
(k) Is made for purposes of actuarial or research studies or for accreditation or
auditing. With respect to a disclosure made under this paragraph, any materials
that allow for the identification of an individual must be returned to the insurer or
destroyed as soon as reasonably practicable, and no individual may be identified in
any actuarial, research, accreditation or auditing report.
(L) Is made to the insurer's legal representative for purposes of claims review
or legal advice or defense.
(6) Immunity. (a) A person is not liable to any person for any of the following:
1. Disclosing personal medical information in accordance with this section.
2. Furnishing personal medical information to an insurer or insurance support
organization in accordance with this section.
(b) Paragraph (a) does not apply to the disclosure or furnishing of false
information with malice or intent to injure any person.
(7) Obtaining information under false pretenses. Any person who knowingly
and wilfully obtains information about an individual from an insurer or insurance
support organization under false pretenses may be fined not more than $10,000 or
imprisoned for not more than one year in the county jail or both.
Section 56s. 895.505 of the statutes is created to read:
895.505 Storage and disposal of records containing personal
(1) Definitions. In this section:
(a) "Business" means an organization or enterprise, whether or not operated
for profit, including a sole proprietorship, partnership, firm, business trust, joint
venture, syndicate, corporation, limited liability company or association.
(b) "Destruction" means, with respect to a record, permanently rendering the
personal information contained in the record incapable of being read.
(c) "Disposal" means, with respect to a record, ceasing to have control over
access to the record.
(d) "Personal information" means personally identifiable data about the
medical or financial condition of a state resident that is not generally considered to
be public knowledge, including the individual's social security number.
(e) "Personally identifiable" means capable of being associated with a
particular individual through one or more identifiers or other information or
(f) "Record" means any material on which written, drawn, printed, spoken,
visual or electromagnetic information is recorded or preserved, regardless of
physical form or characteristics.
(2) Storage of records containing personal information. Prior to the
disposal of a record under sub. (3), a business shall take all actions that it reasonably
believes to be necessary to prevent unauthorized persons from obtaining access to
personal information contained in the record.
(3) Disposal of records containing personal information. A business may not
dispose of a record containing personal information unless it does at least one of the
(a) Prior to the disposal of the record, the business shreds, erases or otherwise
modifies the record to make the personal information unreadable.
(b) The business takes actions that it reasonably believes will ensure that no
unauthorized person will have access to the personal information contained in the
record for the period between the record's disposal and the record's destruction.
(4) Cause of action. Notwithstanding s. 814.04 (1), a business that violates
sub. (2) or (3) is liable to any person damaged by the violation for the amount of
damages and for reasonable attorney fees.".
4. Page 16, line 17: before "Section" insert "Board on health care
5. Page 16, line 19: delete "act" and substitute "subsection".
6. Page 16, line 19: after that line insert:
"(2) Disclosure by insurers of personal medical information. If a contract
that is affected by section 610.70 of the statutes, as created by this act, that is in effect
on the first day of the 13th month beginning after publication and that was not issued
or renewed after the effective date of this subsection contains terms or provisions
that are inconsistent with the requirements under section 610.70 of the statutes, as
created by this act, the treatment of sections 51.30 (4) (a), 146.82 (2) (b) and 610.70
of the statutes first applies to that contract upon renewal.
Section 61m. Effective dates. This act takes effect on the day after
publication, except as follows:
(1) The treatment of sections 51.30 (4) (a), 146.82 (2) (b) and 610.70 of the
statutes takes effect on the first day of the 13th month beginning after publication.
(2) The treatment of section 895.505 of the statutes takes effect on the first day
of the 4th month beginning after publication.".