AB133-SSA1-SA1,296,33 2. Population density is sufficient to mask patient identity.

AB133-SSA1-SA1,296,54 3. Other potentially identifying data elements are grouped to provide
5population density sufficient to protect identity.

AB133-SSA1-SA1,296,66 4. Multiple years of data elements are added to protect identity.

AB133-SSA1-SA1,296,118 153.45 (6) The department may not sell or distribute data bases of information,
9from health care providers who are not hospitals or ambulatory surgery centers, that
10are able to be linked with public use data files, unless first approved by the
11independent review board.

AB133-SSA1-SA1,296,1715 153.50 (1) (b) 1. (intro.) "Patient-identifiable data", for information submitted
16by hospitals and ambulatory surgery centers, means all of the following data
17elements:

AB133-SSA1-SA1,296,2119 153.50 (1) (b) 2. "Patient-identifiable data", for information submitted by
20health care providers who are not hospitals or ambulatory surgery centers, means
21all of the following data elements:

AB133-SSA1-SA1,296,2222 a. Data elements specified in subd. 1. a. to g., L. and m.

AB133-SSA1-SA1,296,2423 b. Whether the patient's condition is related to employment, and occurrence
24and place of an auto accident or other accident.

AB133-SSA1-SA1,297,2

---

1c. Date of first symptom of current illness, of current injury or of current
2pregnancy.

AB133-SSA1-SA1,297,33 d. First date of patient's same or similar illness, if any.

AB133-SSA1-SA1,297,54 e. Dates that the patient has been unable to work in his or her current
5occupation.

AB133-SSA1-SA1,297,66 f. Dates of receipt by patient of medical service.

AB133-SSA1-SA1,297,77 g. The patient's city, town or village.

AB133-SSA1-SA1,297,1110 153.50 (3) (b) 7. The patient's account number, after use only as verification of
11data by the department.

AB133-SSA1-SA1,297,1613 153.50 (3) (c) Develop, for use by purchasers of data under this chapter, a data
14use agreement that specifies data use restrictions, appropriate uses of data and
15penalties for misuse of data, and notify prospective and current purchasers of data
16of the appropriate uses.

AB133-SSA1-SA1,297,1918 153.50 (3) (d) Require that a purchaser of data under this chapter sign and have
19notarized the data use agreement of the department specified in par. (c).

AB133-SSA1-SA1,297,2521 153.50 (3m) Healthcare provider measures to ensure patient identity
22protection. A health care provider that is not a hospital or ambulatory surgery
23center shall, before submitting information required by the department under this
24chapter, convert to a payer category code as specified by the department any names
25of an insured's payer or other insured's payer.

AB133-SSA1-SA1,298,53 153.50 (4) (a) (intro.) Under Except as specified in par. (b), under the
4procedures specified in sub. (5), release of patient-identifiable data may be made
5only to any of the following:

AB133-SSA1-SA1,298,1310 153.50 (4) (b) Of information submitted by health care providers that are not
11hospitals or ambulatory surgery centers, patient-identifiable data that contains a
12patient's date of birth may be released under par. (a) only under circumstances as
13specified by rule by the department.

AB133-SSA1-SA1,298,1815 153.50 (5) (a) (intro.) The department may not release or provide access to
16patient-identifiable data to a person authorized under sub. (4) (a) , (c), (d) or (e)
17unless the authorized person requests the department, in writing, to release the
18patient-identifiable data. The request shall include all of the following:

AB133-SSA1-SA1,298,2220 153.50 (5) (a) 3. For a person who is authorized under sub. (4) (a), (c) or (d) to
21receive or have access to patient-identifiable data, evidence, in writing, that
22indicates that authorization.

AB133-SSA1-SA1,299,3

---

1153.50 (5) (a) 4. (intro.) For an entity that is authorized under sub. (4) (e) (a)
24. to receive or have access to patient-identifiable data, evidence, in writing, of all
3of the following:

AB133-SSA1-SA1,299,65 153.50 (5) (b) 3. For a person who believes that he or she is authorized under
6sub. (4) (a), the action provided under s. 19.37.".

AB133-SSA1-SA1,299,1210 153.50 (6) (b) The department may not require under this chapter a health care
11provider that is a hospital or ambulatory surgery center to submit uniform patient
12billing forms.

AB133-SSA1-SA1,299,1513 (c) A health care provider that is not a hospital or ambulatory surgery center
14may not submit any of the following to the department under the requirements of
15this chapter:

AB133-SSA1-SA1,299,1616 1. The data elements specified under sub. (3) (b).

AB133-SSA1-SA1,299,1717 2. The patient's telephone number.

AB133-SSA1-SA1,299,1818 3. The insured's employer's name or school name.

AB133-SSA1-SA1,299,2019 4. Data regarding insureds other than the patient, other than the payer
20category code under sub. (3m).

AB133-SSA1-SA1,299,2121 5. The patient's employer's name or school name.

AB133-SSA1-SA1,299,2222 6. The patient's relationship to the insured.

AB133-SSA1-SA1,299,2323 7. The insured's identification number.

AB133-SSA1-SA1,299,2424 8. The insured's policy or group number.

AB133-SSA1-SA1,300,1

---

19. The insured's date of birth or sex.

AB133-SSA1-SA1,300,22 10. The patient's marital, employment or student status.

AB133-SSA1-SA1,300,63 (d) If a health care provider that is not a hospital or ambulatory surgery center
4submits a data element that is specified in par. (c) 1. to 10., the department shall
5immediately return this information to the health care provider or, if discovered
6later, shall remove and destroy the information.

AB133-SSA1-SA1,300,87 (e) A health care provider may not submit information that uses any of the
8following as a patient account number:

AB133-SSA1-SA1,300,109 1. The patient's social security number or any substantial portion of the
10patient's social security number.

AB133-SSA1-SA1,300,1111 2. A number that is related to another patient identifying number.

AB133-SSA1-SA1,300,15 13153.55 Protection of health care provider confidentiality. Health care
14provider-identifiable data Data obtained under this chapter is not subject to
15inspection, copying or receipt under s. 19.35 (1).".

AB133-SSA1-SA1,300,23 18153.67 Independent review board. The independent review board shall
19review any request under s. 153.45 (1) (c) for data elements other than those
20available for public use data files under s. 153.45 (1) (b). Unless the independent
21review board approves such a request or unless independent review board approval
22is not required under rules of the department promulgated under s. 153.45 (1) (c)
23(intro.), the data elements requested may not be released.

AB133-SSA1-SA1,301,4

---

1153.76 Rule-making by the independent review board.
2Notwithstanding s. 15.01 (1r), the independent review board may promulgate only
3those rules that are first reviewed and approved by the board on health care
4information.

AB133-SSA1-SA1,301,9 6153.85 Civil liability. Any Except as provided in s. 153.86, any person
7violating s. 153.50 or rules promulgated under s. 153.75 (1) (a) is liable to the patient
8for actual damages and costs, plus exemplary damages of up to $1,000 for a negligent
9violation and up to $5,000 for an intentional violation.

AB133-SSA1-SA1,301,16 11153.86 Immunity from liability. A health care provider that submits
12information to the department under this chapter is immune from civil liability for
13any act or omission of an employe, official or agent of the health care provider that
14results in the release of a prohibited data element while submitting data to the
15department of health and family services. The immunity provided under this section
16does not apply to intentional, wilful or reckless acts or omissions.

AB133-SSA1-SA1,301,2018 153.90 (1) Whoever intentionally violates s. 153.45 (5) or 153.50 or rules
19promulgated under s. 153.75 (1) (a) may be fined not more than $10,000 $15,000 or
20imprisoned for not more than 9 months one year or both.".

AB133-SSA1-SA1,301,2423 165.25 (2m) Prosecution services. Provide general program operations
24related to ch. 978.

AB133-SSA1-SA1,302,62 165.25 (3g) Unfunded prior service for assistant district attorneys.
3Beginning in the 1999-2000 fiscal year and ending in the 2003-04 fiscal year, pay
4$80,000 in each fiscal year from the appropriation account under s. 20.475 (1) (d)
5toward the unfunded prior service liability under the Wisconsin retirement system
6that results from granting the creditable service under s. 40.02 (17) (gm).".

AB133-SSA1-SA1,302,23 9165.06 Assistant attorney general — consumer privacy advocate. (1)
10The attorney general shall designate an assistant attorney general on the attorney
11general's staff as the consumer privacy advocate. The consumer privacy advocate
12shall represent the consumers' interests in issues concerning consumer privacy,
13including the purchase of products on the Internet and the prevention of theft of the
14consumer's personal identifying information. The secretary of administration shall
15give the consumer privacy advocate written notices of all proceedings under subch.
16VII of ch. 16. The prosecutor of any action under s. 943.201, 943.392, 943.41 or 943.70
17shall give the consumer privacy advocate written notices of all proceedings under
18those sections. The consumer privacy advocate shall be provided the minutes,
19reports, recommendations and any documents provided by or to the joint committee
20on information policy and the standing committees of the assembly and senate
21dealing with privacy matters. Annually, the consumer privacy advocate shall report
22to the appropriate standing committees of the assembly and senate on the status of
23consumer privacy in this state.

AB133-SSA1-SA1,303,6

---

1(2) The consumer privacy advocate may, on his or her own initiative or upon
2request of any committee of the legislature, formally intervene in all civil
3proceedings described in sub. (1) whenever such intervention is needed for the
4protection of consumers' rights to privacy, including the restriction of access to the
5consumer's personal identifying information and the prevention of fraudulent use of
6the consumer's personal identifying information on the Internet.

AB133-SSA1-SA1,303,18 7(3) Personnel of the department of administration shall, upon the request of
8the consumer privacy advocate, make such investigations, studies and reports as the
9advocate may request in connection with proceedings described in sub. (1), either
10before or after formal intervention. Personnel of state agencies shall, at the
11consumer privacy advocate's request, provide information, serve as witnesses in civil
12proceedings described in sub. (1) and otherwise cooperate in the carrying out of the
13consumer privacy advocate's functions. Formal intervention shall be by filing a
14statement to that effect with the examiner or other person immediately in charge of
15the proceeding. Upon filing the statement, the consumer privacy advocate shall be
16considered a party in interest with full power to present evidence, subpoena and
17cross-examine witnesses, submit proof, file briefs or do any other acts appropriate
18for a party to the proceedings.

AB133-SSA1-SA1,303,23 19(4) The consumer privacy advocate may appeal from administrative rulings to
20the courts. In all administrative proceedings and judicial review proceedings the
21consumer privacy advocate shall be identified as "consumer privacy advocate". This
22section does not preclude or prevent any division of any department or independent
23agency from appearing by its staff as a party in those proceedings.

AB133-SSA1-SA1,304,5

---

1165.061 Assistant attorney general; consumer privacy advocate;
2authority. In carrying out his or her duty to protect the consumers' right to privacy,
3the consumer privacy advocate has the authority to initiate actions and proceedings
4before any agency or court related to consumer privacy, including issues concerning
5constitutionality, to present evidence and testimony and to make arguments.

AB133-SSA1-SA1,304,16 7165.062 Assistant attorney general; consumer privacy advocate;
8advisory committee. The attorney general shall appoint a consumer privacy
9advisory committee under s. 15.04 (1) (c). The consumer privacy advisory committee
10shall consist of not less than 7 nor more than 9 members. The members shall have
11backgrounds in or demonstrated experience or records relating to privacy protection,
12record security or information technology. The consumer privacy advisory
13committee shall advise the consumer privacy advocate consistent with his or her
14duty to protect the consumers' right to privacy. The consumer privacy advisory
15committee shall conduct meetings consistent with subch. V of ch. 19 and shall permit
16public participation and public comment on consumer privacy advocate activities.".