What
the statutes mean
In
order to provide consumers with information about health care providers and hospitals,
the Office of the Commissioner of Insurance has the authority to collect, analyze
and distribute information about every aspect of a health care provider’s
practice. While the department has limited its work, it has the authority to ask
you to provide information about your:
- fees
- post graduate
education
- services offered
- quality of service
Through
2001 the department has limited its data collection to general background information
about a chiropractor including their post graduate education. During the 1999
legislative session, an effort was made to greatly expand the data collection
efforts to provide consumers with a full range of comparative data as listed above.
The effort was narrowly defeated. The insurance commissioner’s goal is to
prepare an annual guide, written in plain English, to assist consumers in selecting
health care providers and health care plans.
For information that is submitted
by chiropractors and other health care providers, the department must use data
files that do not permit the identification of specific patients, employers or
health care providers. The identification of patients, employers or health care
providers must be protected by all necessary means, including the deletion of
patient identifiers; re-writing data to conceal its source, using counties rather
than zip codes to identify geographic locations, the use of 5-year categories
for age, and masking sensitive diagnoses and procedures by use of larger diagnostic
and procedure categories.
Protection
of patient confidentiality.
The state is required to strip identifying
information from the records it receives. When the state requests information,
you are required to present the data in the way specified by the state on the
forms they supply to conceal patient and payer identities. You are not allowed
to identify patients by their social security number or any portion of their social
security number on reports requested by the department. Under current law, the
department may not require you to submit information that includes the patient’s
name, street address, social security number or the HCFA 1500 billing form.
Civil
liability and state penalties
A doctor who violates these laws is liable
to the patient for actual damages and costs, plus exemplary damages of up to $1,000
for a negligent violation and up to $5,000 for an intentional violation. The state
may also impose a penalty of a fine of not more than $15,000 or imprisonment for
not more than one year in the county jail or both. In addition, any person who
violates these laws is subject to a fine of up to $100 for each violation. Each
day of violation constitutes a separate offense. However, a chiropractor that
submits information to the department is immune from civil liability for all of
the following:
• Any act or omission of an employee, of yours that
results in the release of a prohibited data element while submitting data to the
department.
• Any act or omission of the department that results in
the release of data.
The immunity provided under this section does not apply
to intentional, willful or reckless acts or omissions.
Statute excerpts
153.01 Definitions
153.05 Collection and dissemination of health care
and related information
153.07 Board powers and duties
153.10 Health care
data reports
153.21 Consumer guide
153.45 Release of data
153.50 Protection
of patient confidentiality
153.50(5) Procedures for release of patient- identifiable
data
153.50(6) Information submitted
153.86(1) Immunity from liability
153.90 Penalties
153.01 Definitions.
In this chapter:
153.01(1) “Ambulatory surgery center” has the
meaning given under 42 CFR 416.2.
153.01(2) “Board” means the
board on health care information.
153.01(2m) “Data element” means
an item of information from a uniform patient billing form.
153.01(4) “Department”
means the department of health and family services.
153.01(4h) “Employer
coalition” means an organization of employers formed for the purpose of purchasing
health care coverage or services as a group.
153.01(4p) “Health care
plan” means an insured or self-insured plan providing coverage of health
care expenses or an employer coalition.
153.01(4t) “Health care provider”
has the meaning given in s. 146.81 (1) and includes an ambulatory surgery center.
153.01(5)
“Hospital” has the meaning given under s. 50.33 (2).
153.01(5m)
“Insurer” has the meaning given under s. 600.03 (27).
153.01(7)
“Patient” means a person who receives health care services from a health
care provider.
153.01(8) “Payer” means a 3rd party payer, including
an insurer, federal, state or local government or another who is responsible for
payment of a hospital charge.
Collection and dissemination of health care
and related information.
153.05(1) In order to provide to hospitals, health
care providers, insurers, consumers, governmental agencies and others information
concerning health care providers and uncompensated health care services, and in
order to provide information to assist in peer review for the purpose of quality
assurance, the department shall collect, analyze and disseminate health care information,
as adjusted for case mix and severity, in language that is understandable to lay
persons.
153.05(3) Upon request of the department, state agencies shall
provide health care information to the department for use in preparing reports
under this chapter.
153.05(5) Unless sub. (13) applies, the department may
require health care providers to submit to the department information specified
by rule under s. 153.75 (1) (n) for the preparation of reports, plans and recommendations
in the form specified by the department by rule.
153.05(6) The department
may contract with a public or private entity that is not a major purchaser, payer
or provider of health care services in this state for the provision of data processing
services for the collection, analysis and dissemination of health care information
under sub. (1).
153.05(6m) The department may contract with the group insurance
board for the provision of data collection and analysis services related to health
maintenance organizations and insurance companies that provide health insurance
for state employees. The department shall establish contract fees for the provision
of the services. All moneys collected under this subsection shall be credited
to the appropriation under s. 20.435 (4) (hg).
153.05(6r) The department
shall study and, based on the results of the study, may develop and implement
a voluntary system of health care plan reporting that enables purchasers and consumers
to assess the performance of health care plans and the health care providers that
are employed or reimbursed by the health care plans. The department shall undertake
the study and any development and implementation in cooperation with private health
care purchasers, the board, the department of employee trust funds, the office
of the commissioner of insurance, the interagency coordinating council created
under s. 15.107 (7), major associations of health care providers, health care
plans and consumers. If implemented, the department shall operate the system in
a manner so as to enable purchasers, consumers, the public, the governor and legislators
to assess the performance of health care plans and health care providers.
153.05(8)
Unless sub. (13) applies, the department shall collect, analyze and disseminate,
in language that is understandable to lay persons, claims information and other
health care information, as adjusted for case mix and severity, under the provisions
of this chapter, as determined by rules promulgated by the department, from health
care providers specified by rules promulgated by the department. Data from health
care providers may be obtained through sampling techniques in lieu of collection
of data on all patient encounters and data collection procedures shall minimize
unnecessary duplication and administrative burdens. If the department collects
health care provider-specific data from health care plans, the department shall
attempt to avoid collecting the same data from health care providers.
153.05(9)
The department shall provide orientation and training to health care providers
who submit data under this chapter to explain the process of data collection and
analysis and the procedures for data verification, comment, interpretation and
release.
153.05(12) The department shall, to the extent possible and upon
request, assist members of the public in interpreting data in health care information
disseminated by the department.
153.05(13) The department may waive the
requirement under sub. (1), (5) or (8) for a health care provider, who requests
the waiver and presents evidence to the department that the requirement under
sub. (1), (5) or (8) is burdensome, under standards established by the department
by rule. The department shall develop a form for use by a health care provider
in submitting a request under this subsection.
Board powers and duties.
153.07(1) The board shall advise the department with regard to the collection,
analysis and dissemination of health care information required by this chapter.
153.07(3)
The board shall approve all rules which are proposed by the department for promulgation
to implement this chapter.
153.07(4) The board and the department shall
jointly do all of the following:
153.07(4)(b) Provide oversight on the standard
reports under this chapter, including the reports under ss. 153.20 and 153.21.
153.07(4)(c)
Develop the overall strategy and direction for implementation of this chapter.
153.07(4)(d)
Provide information on their activities to the interagency coordinating council
created under s. 15.107 (7).
153.10 Health care data reports. The department
shall prepare, and submit to the governor and the chief clerk of each house of
the legislature for distribution to the legislature under s. 13.172 (2), standard
reports that the department prepares and shall collect information necessary for
preparation of those reports.
153.21 Consumer guide.
The department
shall prepare and submit to the governor and to the chief clerk of each house
of the legislature for distribution to the legislature under s. 13.172 (2) an
annual guide to assist consumers in selecting health care providers and health
care plans. The guide shall be written in language that is understandable to lay
persons. The department shall widely publicize and distribute the guide to consumers.
Release
of data.
153.45(1) After completion of data verification, comment and review
procedures specified by the department by rule, the department shall release data,
together with comments, if any, in the following forms:
153.45(1)(a) Standard
reports.
153.45(1)(b)2. For information
that is submitted by health care providers other than hospitals or ambulatory
surgery centers, public use data files that do not permit the identification of
specific patients, employers or health care providers, as defined by rules promulgated
by the department. The identification of patients, employers or health care providers
shall be protected by all necessary means, including the deletion of patient identifiers;
the use of calculated variables and aggregated variables; the specification of
counties as to residence, rather than zip codes; the use of 5-year categories
for age, rather than exact age; not releasing information concerning a patient’s
race or ethnicity or dates of admission, discharge, procedures or visits; and
masking sensitive diagnoses and procedures by use of larger diagnostic and procedure
categories. Public use data files under this subdivision may include only the
following:
153.45(1)(b)2.a. The patient’s county of residence.
153.45(1)(b)2.b.
The payment source, by type.
153.45(1)(b)2.c. The patient’s age category,
by 5-year intervals.
153.45(1)(b)2.d. The patient’s procedure code.
153.45(1)(b)2.e.
The patient’s diagnosis code.
153.45(1)(b)2.f. Charges assessed with
respect to the
procedure code.153.45(1)(b)2.g. The name and address of
the facility in which the patient’s services were rendered.
153.45(1)(b)2.h.
The patient’s sex.
153.45(1)(b)2.i. Information that contains the name
of a health care provider that is not a hospital or ambulatory surgery center,
if the independent review board first reviews and approves the release or if the
department promulgates rules that specify circumstances under which the independent
review board need not review and approve the release.
153.45(1)(b)2.j. Calendar
quarters of service, except if the department specifies by rule that the number
of data elements included in the public use data file is too small to enable protection
of patient confidentiality.
153.45(1)(b)2.k. Information other than patient-identifiable
data, as defined in s. 153.50 (1) (b), as approved by the independent review board.
153.45(1)(c)
Custom-designed reports containing portions of the data under par. (b). Of information
submitted by health care providers that are not hospitals or ambulatory surgery
centers, requests under this paragraph for data elements other than those available
for public use data files under par. (b) 2., including the patient’s month
and year of birth, require review and approval by the independent review board
before the data elements may be released. Information that contains the name of
a health care provider that is not a hospital or ambulatory surgery center may
be released only if the independent review board first reviews and approves the
release or if the department promulgates rules that specify circumstances under
which the independent review board need not review and approve the release. Reports
under this paragraph may include the patient’s zip code only if at least
one of the following applies:
153.45(1)(c)1. Other potentially identifying
data elements are not released.
153.45(1)(c)2. Population density is sufficient
to mask patient identity.
153.45(1)(c)3. Other potentially identifying data
elements are grouped to provide population density sufficient to protect identity.
153.45(1)(c)4.
Multiple years of data elements are added to protect identity.
153.45(1m)
After completion of data verification and review procedures specified by the department
by rule, the department may, but is not required to, release special data compilations.
153.45(2)
The department shall provide to other entities the data necessary to fulfill their
statutory mandates for epidemiological purposes or to minimize the duplicate collection
of similar data elements.
153.45(3) The department may, but is not required
to, release health care provider-specific and employer-specific data, except in
public use data files as specified under sub. (1) (b), in a manner that is specified
in rules promulgated by the department.
153.45(4) The department shall prohibit
purchasers of data from rereleasing individual data elements of health care data
files.
153.45(5) The department may not release any health care information
that is subject to rules promulgated under s. 153.75 (1) (b) until the verification,
comment and review procedures required under those rules have been complied with.
Nothing in this subsection prohibits release of health care provider-specific
information to the health care provider to whom the information relates.
153.45(6)
The department may not sell or distribute data bases of information, from health
care providers who are not hospitals or ambulatory surgery centers, that are able
to be linked with public use data files, unless first approved by the independent
review board.
Protection of patient
confidentiality.
153.50(1) Definitions. In this section:
153.50(1)(b)1.
“Patient-identifiable data”, for information submitted by hospitals
and ambulatory surgery centers, means all of the following data elements:
153.50(1)(b)1.a.
Patient medical record or chart number.
153.50(1)(b)1.b. Patient control
number.
153.50(1)(b)1.c. Patient date of birth.
153.50(1)(b)1.d. Date
of patient admission.
153.50(1)(b)1.e. Date of patient discharge.
153.50(1)(b)1.f.
Date of patient’s principal procedure.
153.50(1)(b)1.g. Encrypted case
identifier.
153.50(1)(b)1.h. Insured’s policy number.
153.50(1)(b)1.i.
Patient’s employer’s name.
153.50(1)(b)1.j. Insured’s date
of birth.
153.50(1)(b)1.k. Insured’s identification number.
153.50(1)(b)1.L.
Medicaid resubmission code.
153.50(1)(b)1.m. Medicaid prior authorization
number.
153.50(1)(b)2. “Patient-identifiable data”, for information
submitted by health care providers who are not hospitals or ambulatory surgery
centers, means all of the following data
elements:153.50(1)(b)2.a. Data
elements specified in subd. 1. a. to g., L. and m.
153.50(1)(b)2.b. Whether
the patient’s condition is related to employment, and occurrence and place
of an auto accident or other accident.
153.50(1)(b)2.c. Date of first symptom
of current illness, of current injury or of current pregnancy.
153.50(1)(b)2.d.
First date of patient’s same or similar illness, if any.
153.50(1)(b)2.e.
Dates that the patient has been unable to work in his or her current occupation.
153.50(1)(b)2.f.
Dates of receipt by patient of medical service.
153.50(1)(b)2.g. The patient’s
city, town or village.
153.50(1)(c) “Small number” means a number
that is insufficiently large to be statistically significant, as determined by
the department.
153.50(3) Departmental measures to ensure protection of
patient identity. To ensure that the identity of patients is protected when information
obtained by the department is disseminated, the department shall do all of the
following:
153.50(3)(a) Aggregate any data element category containing small
numbers, using procedures that are developed by the department and approved by
the board and that follow commonly accepted statistical methodology.
153.50(3)(b)
Remove and destroy all of the following data elements on the uniform patient billing
forms that are received by the department under the requirements of this chapter:
153.50(3)(b)1.
The patient’s name and street address.
153.50(3)(b)2. The insured’s
name, address and telephone number.
153.50(3)(b)3. Any other insured’s
name, employer name and date of birth.
153.50(3)(b)4. The signature of the
patient or other authorized signature.
153.50(3)(b)5. The signature of the
insured or other authorized signature.
153.50(3)(b)6. The signature of the
physician.
153.50(3)(b)7. The patient’s account number, after use only
as verification of data by the department.
153.50(3)(c) Develop, for use
by purchasers of data under this chapter, a data use agreement that specifies
data use restrictions, appropriate uses of data and penalties for misuse of data,
and notify prospective and current purchasers of data of the appropriate uses.
153.50(3)(d)
Require that a purchaser of data under this chapter sign and have notarized the
data use agreement of the department specified in par. (c).
153.50(3m) Health
care provider measures to ensure patient identity protection. A health care provider
that is not a hospital or ambulatory surgery center shall, before submitting information
required by the department under this chapter, convert to a payer category code
as specified by the department any names of an insured’s payer or other insured’s
payer.
153.50(4) Release of patient-identifiable data.
153.50(4)(a)
Except as specified in par. (b), under the procedures specified in sub. (5), release
of patient-identifiable data may be made only to any of the following:
153.50(4)(a)1.
An agent of the department who is responsible for the patient-identifiable data
in the department, in order to store the data and ensure the accuracy of the information
in the data base of the department.
153.50(4)(a)2. A health care provider
or the agent of a health care provider, to ensure the accuracy of the information
in the data base of the department.
153.50(4)(a)3. The department, for purposes
of epidemiological investigation or to eliminate the need for duplicative data
bases.
153.50(4)(a)4. An entity that is required by federal or state statute
to obtain patient-identifiable data for purposes of epidemiological investigation
or to eliminate the need for duplicative data bases.
153.50(4)(b) Of information
submitted by health care providers that are not hospitals or ambulatory surgery
centers, patient-identifiable data that contain a patient’s date of birth
may be released under par. (a) only under circumstances as specified by rule by
the department.
Procedures for release of patient-identifiable data.
153.50(5)(a)
The department may not release or provide access to patient-identifiable data
to a person authorized under sub. (4) (a) unless the authorized person requests
the department, in writing, to release the patient-identifiable data. The request
shall include all of the following:
153.50(5)(a)1. The requester’s
name and address.
153.50(5)(a)2. The reason for the request.
153.50(5)(a)3.
For a person who is authorized under sub. (4) (a) to receive or have access to
patient-identifiable data, evidence, in writing, that indicates that authorization.
153.50(5)(a)4.
For an entity that is authorized under sub. (4)
(a) 4. to receive or have
access to patient-identifiable data, evidence, in writing, of all of the following:153.50(5)(a)4.a.
The federal or state statutory requirement to obtain the patient-identifiable
data.
153.50(5)(a)4.b. Any federal or state statutory requirement to uphold
the patient confidentiality provisions of this chapter or patient confidentiality
provisions that are more restrictive than those of this chapter; or, if the latter
evidence is inapplicable, an agreement, in writing, to uphold the patient confidentiality
provisions of this chapter.
153.50(5)(b) Upon receipt of a request under
par. (a), the department shall, as soon as practicable, comply with the request
or notify the requester, in writing, of all of the following:
153.50(5)(b)1.
That the department is denying the request in whole or in part.
153.50(5)(b)2.
The reason for the denial.
153.50(5)(b)3. For a person who believes that
he or she is authorized under sub. (4) (a), the action provided under s. 19.37.
153.50(5m)
Employers not to request patient-identifiable data. Notwithstanding subs. (4)
and (5) no employer may request the release of or access to patient-identifiable
data of an employee of the employer.
Information submitted.
153.50(6)(a)
The department may not require a health care provider submitting health care information
under this chapter to include the patient’s name, street address or social
security number.
153.50(6)(b) The department may not require under this
chapter a health care provider that is not a hospital or ambulatory surgery center
to submit uniform patient billing forms.
153.50(6)(c) A health care provider
that is not a hospital or ambulatory surgery center may not submit any of the
following to the department under the requirements of this chapter:
153.50(6)(c)1.
The data elements specified under sub. (3) (b).
153.50(6)(c)2. The patient’s
telephone number.
153.50(6)(c)3. The insured’s employer’s name
or school name.
153.50(6)(c)4. Data regarding insureds other than the patient,
other than the payer category code under sub. (3m).
153.50(6)(c)5. The patient’s
employer’s name or school name.
153.50(6)(c)6. The patient’s relationship
to the insured.
153.50(6)(c)7. The insured’s identification number.
153.50(6)(c)8.
The insured’s policy or group number.
153.50(6)(c)9. The insured’s
date of birth or sex.
153.50(6)(c)10. The patient’s marital, employment
or student status.
153.50(6)(d) If a health care provider that is not a
hospital or ambulatory surgery center submits a data element that is specified
in par. (c) 1. to 10., the department shall immediately return this information
to the health care provider or, if discovered later, shall remove and destroy
the information.
153.50(6)(e) A health care provider may not submit information
that uses any of the following as a patient account number:
153.50(6)(e)1.
The patient’s social security number or any substantial portion of the patient’s
social security number.
153.50(6)(e)2. A number that is related to another
patient identifying number.
Protection of confidentiality.
Data obtained
under this chapter is not subject to inspection, copying or receipt under s. 19.35
(1).
Civil liability.
Except as provided in s. 153.86, any person
violating s. 153.50 or rules promulgated under s. 153.75 (1) (a) is liable to
the patient for actual damages and costs, plus exemplary damages of up to $1,000
for a negligent violation and up to $5,000 for an intentional violation.
Immunity
from liability.
153.86(1) A health care provider that submits information
to the department under this chapter is immune from civil liability for all of
the following:
153.86(1)(a) Any act or omission of an employee, official
or agent of the health care provider that results in the release of a prohibited
data element while submitting data to the department.
153.86(1)(b) Any act
or omission of the department that results in the release of data.
153.86(2)
The immunity provided under this section does not apply to intentional, willful
or reckless acts or omissions by health care providers.
Penalties
153.90(1)
Whoever intentionally violates s. 153.45 (5) or 153.50 or rules promulgated under
s. 153.75 (1) (a) may be fined not more than $15,000 or imprisoned for not more
than one year in the county jail or both.
153.90(2) Any person who violates
this chapter or any rule promulgated under the authority of this chapter, except
ss. 153.45 (5), 153.50 and 153.75 (1) (a), as provided in s. 153.85 and sub. (1),
shall forfeit not more than $100 for each violation. Each day of violation constitutes
a separate offense, except that no day in the period between the date on which
a request for a hearing is filed under s. 227.44 and the date of the conclusion
of all administrative and judicial proceedings arising out of a decision under
this section constitutes a violation.
153.90(3) The department may directly
assess forfeitures under sub. (2). If the department determines that a forfeiture
should be assessed for a particular violation or for failure to correct the violation,
the department shall send a notice of assessment to the alleged violator. The
notice shall specify the alleged violation of the statute or rule and the amount
of the forfeiture assessed and shall inform the alleged violator of the right
to contest the assessment under s. 227.44.
