Protection of Patient Confidentiality – Wis. Stat. Ann. § 153.50

Protection of patient confidentiality

This section lays out steps that the Department of Health Services (or the contracted data collection entity) must take to protect patient confidentiality in data collection and dissemination:

• Data must be aggregated if a data element category contains small numbers
• Specific data elements must be removed, including specific individually identifying data (Name, address, date of birth, etc)
• DHS must develop a data use agreement for use by purchasers of data specifying data use restrictions and appropriate uses of data, and DHS must require that data purchasers sign and notarize such a data use agreement

Patient identifying data can only be released to:

• An agent of the Department responsible for that specific type of data or an agent of the contracted entity responsible for that type of data to verify the accuracy of the information, or
• A health care provider (not a hospital, ambulatory surgical center, or insurer) to verify the accuracy of the information, or
• The Department or federal or state entity for epidemiological research.

In order to release patient identifying information to the entities mentioned above, the releasing entity (DHS or contracted entity) must have a written request from the entity seeking the information including the reason for request and evidence that the entity is authorized to receive this information.  However, under no circumstances, is an employer allowed to request the release of or access to patient identifying information of an employee.  The section also outlines specific data elements that a health care provider that is not a hospital or ambulatory surgery center may not submit to the Department.  These data elements include items such as patient's telephone number and employment status.