153.50(1)(b)1m.
1m. "Patient-identifiable data" does not include calculated variables that are derived from patient-identifiable data and the dissemination of which does not permit patient identification.
153.50(1)(b)2.
2. "Patient-identifiable data", for information submitted by health care providers who are not hospitals or ambulatory surgery centers and by insurers and administrators, means all of the following data elements:
153.50(1)(b)2.b.
b. Whether the patient's condition is related to employment, and occurrence and place of an auto accident or other accident.
153.50(1)(b)2.c.
c. Date of first symptom of current illness, of current injury or of current pregnancy.
153.50(1)(b)2.d.
d. First date of the patient's same or similar illness, if any.
153.50(1)(b)2.e.
e. Dates that the patient has been unable to work in his or her current occupation.
153.50(1)(c)
(c) "Small number" means a number that is insufficiently large to be statistically significant, as determined by the department.
153.50(3)
(3) Measures to ensure protection of patient identity. To ensure that the identity of patients is protected when information obtained by the department, by the entity under contract under
s. 153.05 (2m) (a), or by the data organization under contract under
s. 153.05 (2r) is disseminated, the department, the entity, and the data organization shall do all of the following:
153.50(3)(a)
(a) Aggregate any data element category containing small numbers. The department, in so doing, shall use procedures that are developed by the department and that follow commonly accepted statistical methodology.
153.50(3)(b)
(b) Remove and destroy all of the following data elements on the uniform patient billing forms that are received by the department, the entity, or the data organization under the requirements of this subchapter:
153.50(3)(b)3.
3. Any other insured's name, employer name and date of birth.
153.50(3)(b)4.
4. The signature of the patient or other authorized signature.
153.50(3)(b)5.
5. The signature of the insured or other authorized signature.
153.50(3)(b)7.
7. The patient's account number, after use only as verification of data by the department or by the entity.
153.50(3)(c)
(c) Develop, for use by purchasers of data under this subchapter, a data use agreement that specifies data use restrictions, appropriate uses of data and penalties for misuse of data, and notify prospective and current purchasers of data of the appropriate uses.
153.50(3)(d)
(d) Require that a purchaser of data under this subchapter sign and have notarized the data use agreement of the department, the entity, or the data organization, as applicable.
153.50(3m)
(3m) Provider, administrator, or insurer measures to ensure patient identity protection. A health care provider that is not a hospital or ambulatory surgery center or an insurer or an administrator shall, before submitting information required by the department, or by the data organization under contract under
s. 153.05 (2r), under this subchapter, convert to a payer category code as specified by the department or the data organization, as applicable, any names of an insured's payer or other insured's payer.
153.50(4)
(4) Release of patient-identifiable data. 153.50(4)(a)(a) Except as specified in.
pars. (b) and
(c), under the procedures specified in
sub. (5), release of patient-identifiable data may be made only to any of the following:
153.50(4)(a)1.a.a. An agent of the department who is responsible for the patient-identifiable data in the department, in order to store the data and ensure the accuracy of the information in the database of the department or to create a calculated variable that is derived from the patient-identifiable data.
153.50(4)(a)1.b.
b. An agent of the entity under contract under
s. 153.05 (2m) (a) who is responsible for the patient-identifiable data of the entity, in order to store the data and ensure the accuracy of the information in the database of the entity or to create a calculated variable that is derived from the patient-identifiable data.
153.50(4)(a)1.c.
c. An agent of the data organization under contract under
s. 153.05 (2r) who is responsible for the patient-identifiable data of the data organization, in order to store the data and ensure the accuracy of the information in the database of the data organization or to create a calculated variable that is derived from the patient-identifiable data.
153.50(4)(a)2.
2. A health care provider that is not a hospital or ambulatory surgery center or the agent of such a health care provider, to ensure the accuracy of the information in the database of the department or the data organization under contract under
s. 153.05 (2r), or a health care provider that is a hospital or ambulatory surgery center or the agent of such a health care provider, to ensure the accuracy of the information in the database of the entity under contract under
s. 153.05 (2m) (a).
153.50(4)(a)3.
3. The department or its agent, for purposes of epidemiological investigation, or, with respect to information from health care providers that are not hospitals or ambulatory surgery centers, the department or the data organization under contract under
s. 153.05 (2r), to eliminate the need for duplicative databases.
153.50(4)(a)4.
4. An agency or organization that is required by federal or state statute to obtain patient-identifiable data for purposes of epidemiological investigation or to eliminate the need for duplicative databases.
153.50(4)(b)
(b) Of information submitted by health care providers that are not hospitals or ambulatory surgery centers, patient-identifiable data that contain a patient's date of birth may be released under
par. (a) only under circumstances as specified by rule by the department.
153.50(5)
(5) Procedures for release of patient-identifiable data. 153.50(5)(a)(a) The department, an entity that is under contract under
s. 153.05 (2m) (a), or a data organization that is under contract under
s. 153.05 (2r) may not release or provide access to patient-identifiable data to a person authorized under
sub. (4) (a) unless the authorized person requests the department, entity, or data organization, in writing, to release the patient-identifiable data. The request shall include all of the following:
153.50(5)(a)3.
3. For a person who is authorized under
sub. (4) (a) to receive or have access to patient-identifiable data, evidence, in writing, that indicates that authorization.
153.50(5)(a)4.
4. For an agency or organization that is authorized under
sub. (4) (a) 4. to receive or have access to patient-identifiable data, evidence, in writing, of all of the following:
153.50(5)(a)4.a.
a. The federal or state statutory requirement to obtain the patient-identifiable data.
153.50(5)(a)4.b.
b. Any federal or state statutory requirement to uphold the patient confidentiality provisions of this subchapter or patient confidentiality provisions that are more restrictive than those of this subchapter; or, if the latter evidence is inapplicable, an agreement, in writing, to uphold the patient confidentiality provisions of this subchapter.
153.50(5)(b)
(b) Upon receipt of a request under
par. (a), the department, entity, or data organization, whichever is applicable, shall, as soon as practicable, comply with the request or notify the requester, in writing, of all of the following:
153.50(5)(b)1.
1. That the department, entity, or data organization, as applicable, is denying the request in whole or in part.
153.50(5m)
(5m) Employers not to request patient-identifiable data. Notwithstanding
subs. (4) and
(5) no employer may request the release of or access to patient-identifiable data of an employee of the employer.
153.50(6)(a)(a) The department or entity under contract under
s. 153.05 (2m) (a) may not require a health care provider submitting health care information under this subchapter to include the patient's name, street address or social security number.
153.50(6)(b)
(b) The department may not require under this subchapter a health care provider that is not a hospital or ambulatory surgery center to submit uniform patient billing forms.
153.50(6)(c)
(c) A health care provider that is not a hospital or ambulatory surgery center may not submit any of the following to the department under the requirements of this subchapter:
153.50(6)(c)4.
4. Data regarding insureds other than the patient, other than the payer category code under
sub. (3m).
153.50(6)(d)
(d) If a health care provider that is not a hospital or ambulatory surgery center submits a data element that is specified in
par. (c) 1. to
10., the department shall immediately return this information to the health care provider or, if discovered later, shall remove and destroy the information.
153.50(6)(e)
(e) A health care provider may not submit information that uses any of the following as a patient account number:
153.50(6)(e)1.
1. The patient's social security number or any substantial portion of the patient's social security number.
153.50(6)(e)2.
2. A number that is related to another patient identifying number.
153.55
153.55
Protection of confidentiality. Data obtained under this subchapter is not subject to inspection, copying or receipt under
s. 19.35 (1).
153.60
153.60
Assessments to fund operations of department. Subject to
s. 153.455:
153.60(1)
(1) The department shall, by the first October 1 after the commencement of each fiscal year, estimate the total amount of expenditures under this subchapter for the department for that fiscal year for data collection, database development and maintenance, generation of data files and standard reports, orientation and training provided under
s. 153.05 (9) (a) and contracting with the data organization under
s. 153.05 (2r). The department shall assess the estimated total amount for that fiscal year, less the estimated total amount to be received for purposes of administration of this subchapter under
s. 20.435 (1) (hi) during the fiscal year and the unencumbered balance of the amount received for purposes of administration of this subchapter under
s. 20.435 (1) (hi) from the prior fiscal year, to health care providers, other than hospitals and ambulatory surgery centers, who are in a class of health care providers from whom the department collects data under this subchapter in a manner specified by the department by rule. The department shall work together with the department of safety and professional services to develop a mechanism for collecting assessments from health care providers other than hospitals and ambulatory surgery centers. No health care provider that is not a facility may be assessed under this subsection an amount that exceeds $75 per fiscal year. All payments of assessments shall be credited to the appropriation under
s. 20.435 (1) (hg).
153.65
153.65
Provision of special information; user fees. 153.65(1)(1) Subject to
s. 153.455, the department may, but is not required to, provide, upon request from a person, a data compilation or a special report based on the information collected by the department. The department shall establish user fees for the provision of these compilations or reports, payable by the requester, which shall be sufficient to fund the actual necessary and direct cost of the compilation or report. All moneys collected under this subsection shall be credited to the appropriation under
s. 20.435 (1) (hi).
153.65(2)
(2) Beginning January 1, 2004, unless the entity under contract under
s. 153.05 (2m) (a) otherwise agrees and except as provided in
s. 153.46 (6), the entity has the exclusive right to use and to provide for a fee, upon request from a person, a data compilation or a special report based on the information concerning hospitals and ambulatory surgery centers that is collected by the entity or provided by the department to the entity. Subject to approval under
s. 153.01 (4j) (b), the entity shall establish reasonable and necessary user fees for the provision of a compilation or report, payable by the requester, which shall be sufficient to fund the cost of the compilation or report. The entity may retain all user fees paid under this subsection.
153.75(1)(1) The department shall promulgate the following rules, of which
pars. (a),
(b),
(f),
(h),
(m),
(n),
(o),
(r),
(t), and
(u) shall apply only if the contract under
s. 153.05 (2r) is terminated under
s. 153.455 (3) and
s. 153.455 (4) applies:
153.75(1)(a)
(a) Providing procedures, for information submitted by health care providers who are not hospitals or ambulatory surgery centers, to ensure the protection of patient confidentiality under
s. 153.50.