AB552-ASA1-AA1,2,11 10610.70 Disclosure of personal medical information. (1) Definitions. In
11this section:

AB552-ASA1-AA1,2,1512 (a) "Health care provider" means any person licensed, registered, permitted or
13certified by the department of health and family services or the department of
14regulation and licensing to provide health care services, items or supplies in this
15state.

AB552-ASA1-AA1,2,1916 (b) "Individual" means a natural person who is a resident of this state. For
17purposes of this paragraph, a person is a state resident if his or her last-known
18mailing address, according to the records of an insurer or insurance support
19organization, was in this state.

AB552-ASA1-AA1,3,320 (c) 1. "Insurance support organization" means any person that regularly
21engages in assembling or collecting personal medical information about natural
22persons for the primary purpose of providing the personal medical information to
23insurers for insurance transactions, including the collection of personal medical
24information from insurers and other insurance support organizations for the

---

1purpose of detecting or preventing fraud, material misrepresentation or material
2nondisclosure in connection with insurance underwriting or insurance claim
3activity.

AB552-ASA1-AA1,3,54 2. Notwithstanding subd. 1., "insurance support organization" does not include
5insurance agents, government institutions, insurers or health care providers.

AB552-ASA1-AA1,3,76 (d) "Insurance transaction" means any of the following involving insurance
7that is primarily for personal, family or household needs:

AB552-ASA1-AA1,3,98 1. The determination of an individual's eligibility for an insurance coverage,
9benefit or payment.

AB552-ASA1-AA1,3,1010 2. The servicing of an insurance application, policy, contract or certificate.

AB552-ASA1-AA1,3,1911 (e) "Medical care institution" means a facility, as defined in s. 647.01 (4), or any
12hospital, nursing home, community-based residential facility, county home, county
13infirmary, county hospital, county mental health center, tuberculosis sanatorium,
14adult family home, assisted living facility, rural medical center, hospice or other place
15licensed, certified or approved by the department of health and family services under
16s. 49.70, 49.71, 49.72, 50.02, 50.03, 50.032, 50.033, 50.034, 50.35, 50.52, 50.90, 51.04,
1751.08, 51.09, 58.06, 252.073 or 252.076 or a facility under s. 45.365, 51.05, 51.06 or
18252.10 or under ch. 233 or licensed or certified by a county department under s.
1950.032 or 50.033.

AB552-ASA1-AA1,3,2120 (f) 1. "Personal medical information" means information concerning an
21individual that satisfies all of the following:

AB552-ASA1-AA1,3,2322 a. Relates to the individual's physical or mental health, medical history or
23medical treatment.

AB552-ASA1-AA1,3,2524 b. Is obtained from a health care provider, a medical care institution, the
25individual or the individual's spouse, parent or legal guardian.

AB552-ASA1-AA1,4,4

---

12. "Personal medical information" does not include information that is obtained
2from the public records of a governmental authority and that is maintained by an
3insurer or its representatives for the purpose of insuring title to real property located
4in this state.

AB552-ASA1-AA1,4,7 5(2) Disclosure authorization. (a) Any form that is used in connection with
6an insurance transaction and that authorizes the disclosure of personal medical
7information about an individual to an insurer shall comply with all of the following:

AB552-ASA1-AA1,4,98 1. All instructions and other information contained in the form are presented
9in plain language.

AB552-ASA1-AA1,4,1010 2. The form is dated.

AB552-ASA1-AA1,4,1211 3. The form specifies the types of persons that are authorized to disclose
12information about the individual.

AB552-ASA1-AA1,4,1413 4. The form specifies the nature of the information that is authorized to be
14disclosed.

AB552-ASA1-AA1,4,1615 5. The form names the insurer, and identifies by generic reference
16representatives of the insurer, to whom the information is authorized to be disclosed.

AB552-ASA1-AA1,4,1717 6. The form specifies the purposes for which the information is being obtained.

AB552-ASA1-AA1,4,1918 7. Subject to par. (b), the form specifies the length of time for which the
19authorization remains valid.

AB552-ASA1-AA1,4,2120 8. The form advises that the individual, or an authorized representative of the
21individual, is entitled to receive a copy of the completed authorization form.

AB552-ASA1-AA1,5,222 (b) 1. For an authorization under this subsection that will be used for the
23purpose of obtaining information in connection with an insurance policy application,
24an insurance policy reinstatement or a request for a change in policy benefits, the

---

1length of time specified in par. (a) 7. may not exceed 30 months from the date on which
2the authorization is signed.

AB552-ASA1-AA1,5,63 2. For an authorization under this subsection that will be used for the purpose
4of obtaining information in connection with a claim for benefits under an insurance
5policy, the length of time specified in par. (a) 7. may not exceed the policy term or the
6pendency of a claim for benefits under the policy, whichever is longer.

AB552-ASA1-AA1,5,12 7(3) Access to recorded personal medical information. (a) If, after proper
8identification, an individual or an authorized representative of an individual
9submits a written request to an insurer for access to recorded personal medical
10information that concerns the individual and that is in the insurer's possession,
11within 30 business days after receiving the request the insurer shall do all of the
12following:

AB552-ASA1-AA1,5,1513 1. Inform the individual or authorized representative of the nature and
14substance of the recorded personal medical information in writing, by telephone or
15by any other means of communication at the discretion of the insurer.

AB552-ASA1-AA1,5,2216 2. At the option of the individual or authorized representative, permit the
17individual or authorized representative to inspect and copy the recorded personal
18medical information, in person and during the insurer's normal business hours, or
19provide by mail to the individual or authorized representative a copy of the recorded
20personal medical information. If the recorded personal medical information is in
21coded form, the insurer shall provide to the individual or authorized representative
22an accurate written translation in plain language.

AB552-ASA1-AA1,6,323 3. Disclose to the individual or authorized representative the identities, if
24recorded, of any persons to whom the insurer has disclosed the recorded personal
25medical information within 2 years prior to the request. If the identities are not

---

1recorded, the insurer shall disclose to the individual or authorized representative the
2names of any insurance agents, insurance support organizations or other entities to
3whom such information is normally disclosed.

AB552-ASA1-AA1,6,74 4. Provide to the individual or authorized representative a summary of the
5procedures by which the individual or authorized representative may request the
6correction, amendment or deletion of any recorded personal medical information in
7the possession of the insurer.

AB552-ASA1-AA1,6,168 (b) Notwithstanding par. (a), an insurer may, in the insurer's discretion,
9provide a copy of any recorded personal medical information requested by an
10individual or authorized representative under par. (a) to a health care provider who
11is designated by the individual or authorized representative and who is licensed,
12registered, permitted or certified to provide health care services with respect to the
13condition to which the information relates. If the insurer chooses to provide the
14information to the designated health care provider under this paragraph, the insurer
15shall notify the individual or authorized representative, at the time of disclosure,
16that the information has been provided to the health care provider.

AB552-ASA1-AA1,6,2017 (c) An insurer is required to comply with par. (a) or (b) only if the individual or
18authorized representative provides a reasonable description of the information that
19is the subject of the request and if the information is reasonably easy to locate and
20retrieve by the insurer.

AB552-ASA1-AA1,7,221 (d) If an insurer receives personal medical information from a health care
22provider or a medical care institution with instructions restricting disclosure of the
23information under s. 51.30 (4) (d) 1. to the individual to whom the information
24relates, the insurer may not disclose the personal medical information to the

---

1individual under this subsection, but shall disclose to the individual the identity of
2the health care provider or a medical care institution that provided the information.

AB552-ASA1-AA1,7,53 (e) Any copy of recorded personal medical information provided under par. (a)
4or (b) shall include the identity of the source of the information if the source is a
5health care provider or a medical care institution.

AB552-ASA1-AA1,7,86 (f) An insurer may charge the individual a reasonable fee to cover the costs
7incurred in providing a copy of recorded personal medical information under par. (a)
8or (b).

AB552-ASA1-AA1,7,119 (g) The requirements for an insurer under this subsection may be satisfied by
10another insurer, an insurance agent, an insurance support organization or any other
11entity authorized by the insurer to act on its behalf.

AB552-ASA1-AA1,7,1512 (h) The requirements under this subsection do not apply to information
13concerning an individual that relates to, and that is collected in connection with or
14in reasonable anticipation of, a claim or civil or criminal proceeding involving the
15individual.

AB552-ASA1-AA1,7,19 16(4) Correction, amendment or deletion of recorded personal medical
17information. (a) Within 30 business days after receiving a written request from an
18individual to correct, amend or delete any recorded personal medical information
19that is in the insurer's possession, an insurer shall do either of the following:

AB552-ASA1-AA1,7,2020 1. Comply with the request.

AB552-ASA1-AA1,7,2121 2. Notify the individual of all of the following:

AB552-ASA1-AA1,7,2222 a. That the insurer refuses to comply with the request.

AB552-ASA1-AA1,7,2323 b. The reasons for the refusal.

AB552-ASA1-AA1,7,2424 c. That the individual has a right to file a statement as provided in par. (c).

AB552-ASA1-AA1,8,3

---

1(b) An insurer that complies with a request under par. (a) shall notify the
2individual of that compliance in writing and furnish the correction, amendment or
3fact of deletion to all of the following:

AB552-ASA1-AA1,8,64 1. Any person who may have received, within the preceding 2 years, the
5recorded personal medical information concerning the individual and who is
6specifically designated by the individual.

AB552-ASA1-AA1,8,127 2. Any insurance support organization for which insurers are the primary
8source of personal medical information and to which the insurer, within the
9preceding 7 years, has systematically provided recorded personal medical
10information. This subdivision does not apply to an insurance support organization
11that does not maintain recorded personal medical information concerning the
12individual.

AB552-ASA1-AA1,8,1413 3. Any insurance support organization that furnished to the insurer the
14personal medical information that has been corrected, amended or deleted.

AB552-ASA1-AA1,8,1715 (c) If an insurer refuses to comply with a request under par. (a) 1., the individual
16making the request may file with the insurer, an insurance agent or an insurance
17support organization any of the following:

AB552-ASA1-AA1,8,1918 1. A concise statement setting forth the information that the individual
19believes to be correct, relevant or fair.

AB552-ASA1-AA1,8,2220 2. A concise statement setting forth the reasons why the individual disagrees
21with the insurer's refusal to correct, amend or delete the recorded personal medical
22information.

AB552-ASA1-AA1,8,2423 (d) If the individual files a statement under par. (c), the insurer shall do all of
24the following:

AB552-ASA1-AA1,9,4

---

11. File any statement filed by the individual under par. (c) with the recorded
2personal medical information that is the subject of the request under par. (a) in such
3a manner that any person reviewing the recorded personal medical information will
4be aware of and have access to the statement.

AB552-ASA1-AA1,9,85 2. In any subsequent disclosure by the insurer of the recorded personal medical
6information, clearly identify any matter in dispute and provide any statement filed
7by the individual under par. (c) that relates to the recorded personal medical
8information along with the information.

AB552-ASA1-AA1,9,119 3. Furnish any statement filed by the individual under par. (c) to any person
10to whom the insurer would have been required to furnish a correction, amendment
11or fact of deletion under par. (b).

AB552-ASA1-AA1,9,1512 (e) The requirements under this subsection do not apply to information
13concerning an individual that relates to, and that is collected in connection with or
14in reasonable anticipation of, a claim or civil or criminal proceeding involving the
15individual.

AB552-ASA1-AA1,9,19 16(5) Disclosure of personal medical information by insurers. Any disclosure
17by an insurer of personal medical information concerning an individual shall be
18consistent with the individual's signed disclosure authorization form, unless the
19disclosure satisfies any of the following:

AB552-ASA1-AA1,9,2120 (a) Is otherwise authorized by the individual, or by a person who is authorized
21to consent on behalf of an individual who lacks the capacity to consent.

AB552-ASA1-AA1,9,2422 (b) Is reasonably related to the protection of the insurer's interests in the
23assessment of causation, fault or liability or in the detection or prevention of criminal
24activity, fraud, material misrepresentation or material nondisclosure.

AB552-ASA1-AA1,10,3

---

1(c) Is made to an insurance regulatory authority or in response to an
2administrative or judicial order, including a search warrant or subpoena, that is
3valid on its face.

AB552-ASA1-AA1,10,44 (d) Is otherwise permitted by law.

AB552-ASA1-AA1,10,55 (e) Is made for purposes of pursuing a contribution or subrogation claim.

AB552-ASA1-AA1,10,96 (f) Is made to a professional peer review organization, bill review organization,
7health care provider or medical consultant or reviewer for the purpose of reviewing
8the services, fees, treatment or conduct of a medical care institution or health care
9provider.

AB552-ASA1-AA1,10,1110 (g) Is made to a medical care institution or health care provider for any of the
11following purposes:

AB552-ASA1-AA1,10,1212 1. Verifying insurance coverage or benefits.

AB552-ASA1-AA1,10,1413 2. Conducting an operations or services audit to verify the individuals treated
14by the health care provider or at the medical care institution.

AB552-ASA1-AA1,10,1915 (h) Is made to a network plan that is offered by an insurer in order to make
16arrangements for coordinated health care in which personal medical information
17concerning an individual is available for providing treatment, making payment for
18health care under the plan and undertaking such plan operations as are necessary
19to fulfill the contract for provision of coordinated health care.

AB552-ASA1-AA1,10,2320 (i) Is made to a group policyholder for the purpose of reporting claims
21experience or conducting an audit of the insurer's operations or services. Disclosure
22may be made under this paragraph only if the disclosure is reasonably necessary for
23the group policyholder to conduct the review or audit.

AB552-ASA1-AA1,11,3

---

1(j) Is made for purposes of enabling business decisions to be made regarding
2the purchase, transfer, merger, reinsurance or sale of all or part of an insurance
3business.

AB552-ASA1-AA1,11,84 (k) Is made for purposes of actuarial or research studies or for accreditation or
5auditing. With respect to a disclosure made under this paragraph, any materials
6that allow for the identification of an individual must be returned to the insurer or
7destroyed as soon as reasonably practicable, and no individual may be identified in
8any actuarial, research, accreditation or auditing report.

AB552-ASA1-AA1,11,109 (L) Is made to the insurer's legal representative for purposes of claims review
10or legal advice or defense.

AB552-ASA1-AA1,11,11 11(6) Immunity. (a) A person is not liable to any person for any of the following:

AB552-ASA1-AA1,11,1212 1. Disclosing personal medical information in accordance with this section.

AB552-ASA1-AA1,11,1413 2. Furnishing personal medical information to an insurer or insurance support
14organization in accordance with this section.

AB552-ASA1-AA1,11,1615 (b) Paragraph (a) does not apply to the disclosure or furnishing of false
16information with malice or intent to injure any person.

AB552-ASA1-AA1,11,20 17(7) Obtaining information under false pretenses. Any person who knowingly
18and wilfully obtains information about an individual from an insurer or insurance
19support organization under false pretenses may be fined not more than $10,000 or
20imprisoned for not more than one year in the county jail or both.

AB552-ASA1-AA1,11,23 22895.505 Storage and disposal of records containing personal
23information. (1) Definitions. In this section:

AB552-ASA1-AA1,12,3

---

1(a) "Business" means an organization or enterprise, whether or not operated
2for profit, including a sole proprietorship, partnership, firm, business trust, joint
3venture, syndicate, corporation, limited liability company or association.

AB552-ASA1-AA1,12,54 (b) "Destruction" means, with respect to a record, permanently rendering the
5personal information contained in the record incapable of being read.

AB552-ASA1-AA1,12,76 (c) "Disposal" means, with respect to a record, ceasing to have control over
7access to the record.

AB552-ASA1-AA1,12,108 (d) "Personal information" means personally identifiable data about the
9medical or financial condition of a state resident that is not generally considered to
10be public knowledge, including the individual's social security number.

AB552-ASA1-AA1,12,1311 (e) "Personally identifiable" means capable of being associated with a
12particular individual through one or more identifiers or other information or
13circumstances.

AB552-ASA1-AA1,12,1614 (f) "Record" means any material on which written, drawn, printed, spoken,
15visual or electromagnetic information is recorded or preserved, regardless of
16physical form or characteristics.

AB552-ASA1-AA1,12,20 17(2) Storage of records containing personal information. Prior to the
18disposal of a record under sub. (3), a business shall take all actions that it reasonably
19believes to be necessary to prevent unauthorized persons from obtaining access to
20personal information contained in the record.

AB552-ASA1-AA1,12,23 21(3) Disposal of records containing personal information. A business may not
22dispose of a record containing personal information unless it does at least one of the
23following:

AB552-ASA1-AA1,12,2524 (a) Prior to the disposal of the record, the business shreds, erases or otherwise
25modifies the record to make the personal information unreadable.

AB552-ASA1-AA1,13,3

---

1(b) The business takes actions that it reasonably believes will ensure that no
2unauthorized person will have access to the personal information contained in the
3record for the period between the record's disposal and the record's destruction.

AB552-ASA1-AA1,13,6 4(4) Cause of action. Notwithstanding s. 814.04 (1), a business that violates
5sub. (2) or (3) is liable to any person damaged by the violation for the amount of
6damages and for reasonable attorney fees.".