LRB-3035/2
DAK:jlg&cmh:jf
1999 - 2000 LEGISLATURE
October 6, 1999 - Introduced by Senator Moen. Referred to Committee on Health,
Utilities, Veterans and Military Affairs.
SB249,1,12
1An Act to repeal 153.50 (2) and 153.50 (4) (a);
to renumber 153.50 (1) (a), 153.50
2(4) (b) to (e) and 153.50 (6);
to renumber and amend 153.45 (1) (b), 153.45 (1)
3(c), 153.50 (1) (b) and 153.50 (4) (intro.);
to amend 15.195 (6), 146.84 (3), 153.50
4(5) (a) (intro.), 153.50 (5) (a) 3., 153.50 (5) (a) 4. (intro.), 153.50 (5) (b) 3., 153.55,
5153.85 and 153.90 (1); and
to create 15.195 (9), 153.45 (1) (b) 2., 153.45 (1) (c)
61. to 4., 153.45 (6), 153.50 (1) (b) 2., 153.50 (3) (b) 7., 153.50 (3) (c), 153.50 (3) (d),
7153.50 (3m), 153.50 (4) (bm), 153.50 (6) (b), (c), (d) and (e), 153.67, 153.76 and
8153.86 of the statutes;
relating to: patient privacy protections in collection and
9dissemination of health care information, changing requirements for
10membership on the board on health care information and creating an
11independent review board, granting rule-making authority and providing a
12penalty.
Analysis by the Legislative Reference Bureau
Under current law, the department of health and family services (DHFS) must
collect, analyze and disseminate health care information, as adjusted for case mix
and severity, in language that is understandable to lay persons, in order to provide
to hospitals, health care providers, insurers, consumers, governmental agencies and
others information concerning health care providers and uncompensated health care
services and in order to provide information to assist in peer review for the purpose
of quality assurance. Among the information collected by DHFS is that contained
on uniform patient billing forms, as provided by health care providers. To ensure
that the identity of health care patients is protected when information obtained by
DHFS is disseminated, DHFS must, among other things, remove and destroy
specified information on the uniform patient billing forms. This information
includes the patient's name and street address; the insured's name, address and
telephone number; any other insured's name, employer name and date of birth; the
signature of the patient and the insured and other authorized signatures; and the
signature of the physician.
Currently, DHFS must release data as standard reports, public use data files
that do not permit specific patients, employers or health care providers to be
identified and custom-designed reports. DHFS must protect the identification of
these groups by all necessary means. DHFS may not release patient-identifiable
data except to the patient or a person granted permission in writing by the patient;
an agent of DHFS who is responsible for storage and ensuring the accuracy of the
DHFS' data base; a health care provider or his or her agent, to ensure accuracy of
information in the DHFS' data base; and staff of DHFS, or of an entity that is
required by federal or state statute to obtain patient-identifiable data, for purposes
of epidemiological investigation or to eliminate the need for duplicative data bases.
("Patient-identifiable data" is defined to mean the patient's medical record or chart
number, control number, date of birth and employer's name; the dates of the patient's
admission, discharge and principal procedure; the encrypted case identifier; the
insured's policy number, date of birth and identification number; and the federal
medicaid resubmission code and prior authorization number.) Patient-identifiable
data and health care provider-identifiable data are not subject to inspection, copying
or receipt under the law relating to open records.
Currently, the board on health care information consists of 11 members,
including a record administrator and five health care providers; of the health care
providers, one must be a licensed registered nurse and two must be physicians.
This bill creates an independent review board, attached to DHFS, that consists
of five members, as specified in the bill. Rules promulgated by the independent
review board must first be approved by the board on health care information.
For information submitted by health care providers other than hospitals and
ambulatory surgery centers, that is the basis for custom-designed reports, the bill
authorizes release only after review and approval by the independent review board
or if DHFS promulgates rules that specify circumstances under which the review and
approval is unnecessary. In addition, these custom-designed reports may include
the patient's zip code only if other potentially identifying data elements are not
released, population density is sufficient to mask patient identity, other potentially
identifying data elements are grouped to provide population density sufficient to
protect identity and multiple years of data elements are added to the released
information to protect identity. Also, the bill authorizes release of the patient's year
of birth; a patient's full date of birth, however, may be used only subject to rules
promulgated by DHFS.
The bill increases protections from the identification of patients, employes and
health care providers in information that is submitted by health care providers other
than hospitals and ambulatory surgery centers for the release as public use data
files, by requiring specification of counties, rather than zip codes as to residence;
requiring the use of five-year age categories rather than exact age; prohibiting
release of information about a patient's race, ethnicity or dates of admission,
discharge, procedures or visits; and requiring that sensitive diagnoses and
procedures be masked. The bill authorizes public use data files for this information
to include only the patient's county of residence, the type of payment source, the
patient's age category, the patient's procedure and diagnosis code, charges assessed
with respect to the procedure code, the name and address of the facility rendering
service, the patient's sex, the name of the health care provider (if reviewed and
approved by the independent review board or if DHFS rules authorize the release),
calendar quarters of service and information other than patient-identifiable data
that is approved by the independent review board.
For patient-identifiable data, which may be released only to a few specified
entities, the bill differentiates between information submitted by hospitals and
ambulatory surgery centers and information submitted by health care providers who
are not hospitals or ambulatory surgery centers. For the latter group, the bill
expands the definition of "patient-identifiable data" to include whether the patient's
condition is related to employment and occurrence and place of an accident; the date
of first symptom of illness, injury or pregnancy; the first date of the patient's same
or similar illness; dates that the patient has been unable to work; dates of receipt of
medical service; and the city, town or village of residence of the patient. With respect
to release of patient-identifiable data, the bill permits the release only to the entities
specified in current law, except that the bill eliminates release of the data to a patient
or person granted permission by the patient. The bill prohibits an employer from
requesting patient-identifiable data that is specific to an employe of the employer.
The bill excepts all data obtained by DHFS, rather than just
patient-identifiable data or health care provider-identifiable data, from inspection,
copying or receipt under the laws relating to open records.
The bill requires that DHFS develop, for data purchases, a data use agreement
that specifies data use restrictions, appropriate uses of data and penalties for
misuse, and that DHFS notify prospective and current data purchasers of the
appropriate uses. Further, a purchaser of data must sign and have notarized the
data use agreement.
Under the bill, DHFS may not require health care providers that are not
hospitals or ambulatory surgery centers to submit uniform patient billing forms.
These health care providers are prohibited from providing to DHFS certain data
elements on uniform patient billing forms; a patient's telephone number; the
employer's name or school name of the insured; data regarding insureds other than
a payer category code; employer's name or school name of the patient; the patient's
relationship to the insured; the insured's identification number or policy or group
number; the insured's date of birth or sex; or the patient's marital, employment or
student status. If this material is provided to DHFS, DHFS must immediately
return it to the provider or remove and destroy it. Also, health care providers that
are not hospitals or ambulatory surgery centers must convert the name of the
insured's payer or other insured's payer to a DHFS payer category code before
submission. All health care providers are prohibited from submitting to DHFS
information that uses, as a patient account number, the patient's social security
number or a number that is related to another patient identifying number. A
patient's account number may be used by DHFS only for verification of data and must
be destroyed after the verification.
Health care providers are, under the bill, immune from civil liability for
releasing a prohibited data element when submitting data to DHFS and from an act
or omission by DHFS that results in the release of data, unless the release is an
intentional, wilful or reckless act or omission by the health care provider. State or
local governmental health care providers are also excepted from discharge or
suspension for a nonnegligent violation under laws relating to confidentiality of
patient health care records.
The bill prohibits DHFS from selling or distributing databases from health care
providers that are not hospitals or ambulatory surgery centers if the databases can
be linked with the public use data files, without the approval of the independent
review board.
The bill requires that two of the five representatives of health care providers
required to be on the board on health care information be representatives of
hospitals. Further, the bill requires that two of the five undesignated members of the
board be employer purchasers of health care.
Lastly, the bill increases the penalty for intentional violation of certain
limitations on release of health care information and protections of patient
confidentiality.
For further information see the state and local fiscal estimate, which will be
printed as an appendix to this bill.
The people of the state of Wisconsin, represented in senate and assembly, do
enact as follows:
SB249, s. 1
1Section
1. 15.195 (6) of the statutes is amended to read:
SB249,5,62
15.195
(6) Board on health care information. There is created a board on
3health care information which is attached to the department of health and family
4services under s. 15.03. The board shall consist of 11 members, one of whom shall
5be a record administrator, registered by the American Medical Record Association
,
1and; at least 2 of whom shall be employer purchasers of health care; and 5 of whom
2shall be or represent health care providers, including one registered nurse, licensed
3under s. 441.06,
and 2 physicians, as defined in s. 448.01 (5)
, and 2 representatives
4of hospitals, as defined in s. 50.33 (2). The State Medical Society of Wisconsin may
5recommend board membership for 5 physicians, one of whom the governor shall
6appoint. The members shall be appointed for 4-year terms.
SB249, s. 2
7Section
2. 15.195 (9) of the statutes is created to read:
SB249,5,128
15.195
(9) Independent review board. There is created an independent review
9board that is attached to the department of health and family services under s. 15.03.
10The board may not include an employe of the department of health and family
11services and shall consist of the commissioner of insurance or his or her designee and
12the following members appointed for 4-year terms:
SB249,5,1313
(a) A statistician or researcher.
SB249,5,1514
(b) A medical ethicist of the University of Wisconsin System or the Medical
15College of Wisconsin.
SB249,5,1616
(c) An expert in issues relating to privacy.
SB249,5,1717
(d) A purchaser of health care.
SB249, s. 3
18Section
3. 146.84 (3) of the statutes is amended to read:
SB249,5,2219
146.84
(3) Discipline of employes. Any person employed by the state
, or any
20political subdivision of the state who violates s. 146.82 or 146.83
, except a health care
21provider that negligently violates s. 153.50 (6) (c), may be discharged or suspended
22without pay.
SB249, s. 4
23Section
4. 153.45 (1) (b) of the statutes is renumbered 153.45 (1) (b) 1. and
24amended to read:
SB249,6,7
1153.45
(1) (b) 1.
Public For information that is submitted by hospitals or
2ambulatory surgery centers, public use data files
which that do not permit the
3identification of specific patients, employers or health care providers, as defined by
4rules promulgated by the department. The identification of
these groups patients,
5employers or health care providers shall be protected by all necessary means,
6including the deletion of patient identifiers and the use of calculated variables and
7aggregated variables.
SB249, s. 5
8Section
5. 153.45 (1) (b) 2. of the statutes is created to read:
SB249,6,209
153.45
(1) (b) 2. For information that is submitted by health care providers
10other than hospitals or ambulatory surgery centers, public use data files that do not
11permit the identification of specific patients, employers or health care providers, as
12defined by rules promulgated by the department. The identification of patients,
13employers or health care providers shall be protected by all necessary means,
14including the deletion of patient identifiers; the use of calculated variables and
15aggregated variables; the specification of counties as to residence, rather than zip
16codes; the use of 5-year categories for age, rather than exact age; not releasing
17information concerning a patient's race or ethnicity or dates of admission, discharge,
18procedures or visits; and masking sensitive diagnoses and procedures by use of
19larger diagnostic and procedure categories. Public use data files under this
20subdivision may include only the following:
SB249,6,2121
a. The patient's county of residence.
SB249,6,2222
b. The payment source, by type.
SB249,6,2423
c. The patient's age category, by 5-year intervals up to age 80 and a category
24of 80 years or older.
SB249,6,2525
d. The patient's procedure code.
SB249,7,1
1e. The patient's diagnosis code.
SB249,7,22
f. Charges assessed with respect to the procedure code.
SB249,7,43
g. The name and address of the facility in which the patient's services were
4rendered.
SB249,7,55
h. The patient's sex.
SB249,7,106
i. Information that contains the name of a health care provider that is not a
7hospital or ambulatory surgery center, if the independent review board first reviews
8and approves the release or if the department promulgates rules that specify
9circumstances under which the independent review board need not review and
10approve the release.
SB249,7,1311
j. Calendar quarters of service, except if the department specifies by rule that
12the number of data elements included in the public use data file is too small to enable
13protection of patient confidentiality.
SB249,7,1514
k. Information other than patient-identifiable data, as defined in s. 153.50 (1)
15(b), as approved by the independent review board.
SB249, s. 6
16Section
6. 153.45 (1) (c) of the statutes is renumbered 153.45 (1) (c) (intro.) and
17amended to read:
