Privacy and Information Security
Wisconsin consumers are entitled to privacy protection for medical and financial information. The legal framework comes from a combination of:
- The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), governing medical information.
- The federal Gramm-Leach-Bliley Act of 1999 (GLB), governing nonpublic personal financial information.
- Wisconsin’s ch. Ins 25, Wis. Adm. Code, addressing intermediary responsibilities in sharing consumer information with third parties.
- Wisconsin’s s. 610.70, regulating disclosure of personal medical information by insurers.
- Wisconsin’s s. 134.97 — the “dumpster diving” law on proper disposal of personal medical information.
Notice Requirements
The administrative code requires that a licensee provide written notice of its privacy policies and practices. Most insurance agents can rely on the notice procedures of the insurance companies they represent — as long as the agent doesn’t share nonpublic personal information in ways the rule doesn’t except. If the agent shares information with third parties in activities not excepted by the rule, the agent must issue the same kinds of notices required of the insurer.
Medical Information Specifically
Wisconsin’s medical records privacy statute restricts both insurers and entities that regularly collect personal medical information in order to provide it to insurers. The law spells out:
- The form used to obtain authorization for release of personal medical information.
- The timeframe for which information may be requested and maintained.
- How and to whom information may be released.
- Notice requirements to individuals and insureds.
- The individual’s right to request correction, amendment, or deletion of personal medical information held by the insurer.
Financial Information
The privacy rules also describe the conditions under which insurance companies and their agents may disclose nonpublic personal financial information, and establish requirements for the corresponding privacy notices. The rules establish restrictions on the sharing of health information generally — but because Wisconsin has a separate medical records privacy statute, the rule’s health information provisions apply primarily to health information involving claimants against workers’ compensation or commercial liability policies.
Disposing of Records
Insurers and intermediaries who obtain information about an insured’s or applicant’s physical or mental health, medical history, or medical treatment must shred, erase, modify, or otherwise handle that personally identifiable information so that no unauthorized person can access it. Tossing client files in the regular trash isn’t enough. The law has practical bite — agency staff have to be trained, the shredder has to be used, and electronic disposal has to be done properly.