Section 610.70. Disclosure of personal medical information.


    (1) Definitions. In this section:
    (a) “Health care provider” means any person licensed, registered, permitted or certified by the department of health services or the department of safety and professional services to provide health care services, items or supplies in this state.
    (b) “Individual” means a natural person who is a resident of this state. For purposes of this paragraph, a person is a state resident if his or her last-known mailing address, according to the records of an insurer or insurance support organization, was in this state.
    (c)
    1. “Insurance support organization” means any person that regularly engages in assembling or collecting personal medical information about natural persons for the primary purpose of providing the personal medical information to insurers for insurance transactions, including the collection of personal medical information from insurers and other insurance support organizations for the purpose of detecting or preventing fraud, material misrepresentation or material nondisclosure in connection with insurance underwriting or insurance claim activity.
    2. Notwithstanding subd. 1., “insurance support organization” does not include insurance agents, government institutions, insurers or health care providers.
    (d) “Insurance transaction” means any of the following involving insurance that is primarily for personal, family or household needs:
    1. The determination of an individual's eligibility for an insurance coverage, benefit or payment.
    2. The servicing of an insurance application, policy, contract or certificate.
    (e) “Medical care institution” means a facility, as defined in s. 647.01 (4), or any hospital, nursing home, community-based residential facility, county home, county infirmary, county hospital, county mental health center, adult family home, assisted living facility, rural medical center, hospice or other place licensed, certified or approved by the department of health services under s. 49.70, 49.71, 49.72, 50.02, 50.03, 50.032, 50.033, 50.034, 50.35, 50.52, 50.90, 51.04, 51.08, or 51.09 or a facility under s. 45.50, 51.05, 51.06, or 252.10 or under ch. 233, or licensed or certified by a county department under s. 50.032 or 50.033.
    (f)
    1. “Personal medical information” means information concerning an individual that satisfies all of the following:
    a. Relates to the individual's physical or mental health, medical history or medical treatment.
    b. Is obtained from a health care provider, a medical care institution, the individual or the individual's spouse, parent or legal guardian.
    2. “Personal medical information” does not include information that is obtained from the public records of a governmental authority and that is maintained by an insurer or its representatives for the purpose of insuring title to real property located in this state.
    (2) Disclosure authorization.
    (a) Any form that is used in connection with an insurance transaction and that authorizes the disclosure of personal medical information about an individual to an insurer shall comply with all of the following:
    1. All instructions and other information contained in the form are presented in plain language.
    2. The form is dated.
    3. The form specifies the types of persons that are authorized to disclose information about the individual.
    4. The form specifies the nature of the information that is authorized to be disclosed.
    5. The form names the insurer, and identifies by generic reference representatives of the insurer, to whom the information is authorized to be disclosed.
    6. The form specifies the purposes for which the information is being obtained.
    7. Subject to par. (b), the form specifies the length of time for which the authorization remains valid.
    8. The form advises that the individual, or an authorized representative of the individual, is entitled to receive a copy of the completed authorization form.
    (b)
    1. For an authorization under this subsection that will be used for the purpose of obtaining information in connection with an insurance policy application, an insurance policy reinstatement or a request for a change in policy benefits, the length of time specified in par. (a) 7. may not exceed 30 months from the date on which the authorization is signed.
    2. For an authorization under this subsection that will be used for the purpose of obtaining information in connection with a claim for benefits under an insurance policy, the length of time specified in par. (a) 7. may not exceed the policy term or the pendency of a claim for benefits under the policy, whichever is longer.
    (3) Access to recorded personal medical information.
    (a) If, after proper identification, an individual or an authorized representative of an individual submits a written request to an insurer for access to recorded personal medical information that concerns the individual and that is in the insurer's possession, within 30 business days after receiving the request the insurer shall do all of the following:
    1. Inform the individual or authorized representative of the nature and substance of the recorded personal medical information in writing, by telephone or by any other means of communication at the discretion of the insurer.
    2. At the option of the individual or authorized representative, permit the individual or authorized representative to inspect and copy the recorded personal medical information, in person and during the insurer's normal business hours, or provide by mail to the individual or authorized representative a copy of the recorded personal medical information. If the recorded personal medical information is in coded form, the insurer shall provide to the individual or authorized representative an accurate written translation in plain language.
    3. Disclose to the individual or authorized representative the identities, if recorded, of any persons to whom the insurer has disclosed the recorded personal medical information within 2 years prior to the request. If the identities are not recorded, the insurer shall disclose to the individual or authorized representative the names of any insurance agents, insurance support organizations or other entities to whom such information is normally disclosed.
    4. Provide to the individual or authorized representative a summary of the procedures by which the individual or authorized representative may request the correction, amendment or deletion of any recorded personal medical information in the possession of the insurer.
    (b) Notwithstanding par. (a), an insurer may, in the insurer's discretion, provide a copy of any recorded personal medical information requested by an individual or authorized representative under par. (a) to a health care provider who is designated by the individual or authorized representative and who is licensed, registered, permitted or certified to provide health care services with respect to the condition to which the information relates. If the insurer chooses to provide the information to the designated health care provider under this paragraph, the insurer shall notify the individual or authorized representative, at the time of disclosure, that the information has been provided to the health care provider.
    (c) An insurer is required to comply with par. (a) or (b) only if the individual or authorized representative provides a reasonable description of the information that is the subject of the request and if the information is reasonably easy to locate and retrieve by the insurer.
    (d) If an insurer receives personal medical information from a health care provider or a medical care institution with instructions restricting disclosure of the information under s. 51.30 (4) (d) 1. to the individual to whom the information relates, the insurer may not disclose the personal medical information to the individual under this subsection, but shall disclose to the individual the identity of the health care provider or a medical care institution that provided the information.
    (e) Any copy of recorded personal medical information provided under par. (a) or (b) shall include the identity of the source of the information if the source is a health care provider or a medical care institution.
    (f) An insurer may charge the individual a reasonable fee to cover the costs incurred in providing a copy of recorded personal medical information under par. (a) or (b).
    (g) The requirements for an insurer under this subsection may be satisfied by another insurer, an insurance agent, an insurance support organization or any other entity authorized by the insurer to act on its behalf.
    (h) The requirements under this subsection do not apply to information concerning an individual that relates to, and that is collected in connection with or in reasonable anticipation of, a claim or civil or criminal proceeding involving the individual.
    (4) Correction, amendment or deletion of recorded personal medical information.
    (a) Within 30 business days after receiving a written request from an individual to correct, amend or delete any recorded personal medical information that is in the insurer's possession, an insurer shall do either of the following:
    1. Comply with the request.
    2. Notify the individual of all of the following:
    a. That the insurer refuses to comply with the request.
    b. The reasons for the refusal.
    c. That the individual has a right to file a statement as provided in par. (c).
    (b) An insurer that complies with a request under par. (a) shall notify the individual of that compliance in writing and furnish the correction, amendment or fact of deletion to all of the following:
    1. Any person who may have received, within the preceding 2 years, the recorded personal medical information concerning the individual and who is specifically designated by the individual.
    2. Any insurance support organization for which insurers are the primary source of personal medical information and to which the insurer, within the preceding 7 years, has systematically provided recorded personal medical information. This subdivision does not apply to an insurance support organization that does not maintain recorded personal medical information concerning the individual.
    3. Any insurance support organization that furnished to the insurer the personal medical information that has been corrected, amended or deleted.
    (c) If an insurer refuses to comply with a request under par. (a) 1., the individual making the request may file with the insurer, an insurance agent or an insurance support organization any of the following:
    1. A concise statement setting forth the information that the individual believes to be correct, relevant or fair.
    2. A concise statement setting forth the reasons why the individual disagrees with the insurer's refusal to correct, amend or delete the recorded personal medical information.
    (d) If the individual files a statement under par. (c), the insurer shall do all of the following:
    1. File any statement filed by the individual under par. (c) with the recorded personal medical information that is the subject of the request under par. (a) in such a manner that any person reviewing the recorded personal medical information will be aware of and have access to the statement.
    2. In any subsequent disclosure by the insurer of the recorded personal medical information, clearly identify any matter in dispute and provide any statement filed by the individual under par. (c) that relates to the recorded personal medical information along with the information.
    3. Furnish any statement filed by the individual under par. (c) to any person to whom the insurer would have been required to furnish a correction, amendment or fact of deletion under par. (b).
    (e) The requirements under this subsection do not apply to information concerning an individual that relates to, and that is collected in connection with or in reasonable anticipation of, a claim or civil or criminal proceeding involving the individual.
    (5) Disclosure of personal medical information by insurers. Any disclosure by an insurer of personal medical information concerning an individual shall be consistent with the individual's signed disclosure authorization form, unless the disclosure satisfies any of the following:
    (a) Is otherwise authorized by the individual, or by a person who is authorized to consent on behalf of an individual who lacks the capacity to consent.
    (b) Is reasonably related to the protection of the insurer's interests in the assessment of causation, fault or liability or in the detection or prevention of criminal activity, fraud, material misrepresentation or material nondisclosure.
    (c) Is made to an insurance regulatory authority or in response to an administrative or judicial order, including a search warrant or subpoena, that is valid on its face.
    (d) Is otherwise permitted by law.
    (e) Is made for purposes of pursuing a contribution or subrogation claim.
    (f) Is made to a professional peer review organization, bill review organization, health care provider or medical consultant or reviewer for the purpose of reviewing the services, fees, treatment or conduct of a medical care institution or health care provider.
    (g) Is made to a medical care institution or health care provider for any of the following purposes:
    1. Verifying insurance coverage or benefits.
    2. Conducting an operations or services audit to verify the individuals treated by the health care provider or at the medical care institution.
    (h) Is made to a network plan that is offered by an insurer in order to make arrangements for coordinated health care in which personal medical information concerning an individual is available for providing treatment, making payment for health care under the plan and undertaking such plan operations as are necessary to fulfill the contract for provision of coordinated health care.
    (i) Is made to a group policyholder for the purpose of reporting claims experience or conducting an audit of the insurer's operations or services. Disclosure may be made under this paragraph only if the disclosure is reasonably necessary for the group policyholder to conduct the review or audit.
    (j) Is made for purposes of enabling business decisions to be made regarding the purchase, transfer, merger, reinsurance or sale of all or part of an insurance business.
    (k) Is made for purposes of actuarial or research studies or for accreditation or auditing. With respect to a disclosure made under this paragraph, any materials that allow for the identification of an individual must be returned to the insurer or destroyed as soon as reasonably practicable, and no individual may be identified in any actuarial, research, accreditation or auditing report.
    (L) Is made to the insurer's legal representative for purposes of claims review or legal advice or defense.
    (6) Immunity.
    (a) A person is not liable to any person for any of the following:
    1. Disclosing personal medical information in accordance with this section.
    2. Furnishing personal medical information to an insurer or insurance support organization in accordance with this section.
    (b) Paragraph (a) does not apply to the disclosure or furnishing of false information with malice or intent to injure any person.
    (7) Obtaining information under false pretenses.
    (a) Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses may be fined not more than $25,000 or imprisoned for not more than 9 months or both.
    (b) Any person who knowingly and willfully obtains information about an individual from an insurer or insurance support organization under false pretenses shall be liable to the individual for actual damages to that individual, exemplary damages of not more than $25,000 and costs and reasonable actual attorney fees.
1997 a. 231; 1999 a. 9, 79; 2005 a. 22; 2007 a. 20 s. 9121 (6) (a); 2011 a. 32. Cross-reference: See also ch. Ins 25, Wis. adm. code.