Legislative Watch: Disposing Medical, Financial Records
The "dumpster diving" law is trying to reduce the likelihood that
confidential medical and financial records will be invaded after their
disposal, but before final destruction in the waste management system.
By Scott B. Franklin
Section 3113n of the state budget bill[1] has added an additional
section to Chapter 895 of the Wisconsin Statutes. New section
895.505 provides guidelines for the disposal of certain records
containing personal information. Although a well-intentioned effort, the
new law may not be the best solution for an important issue.
The new provision ties in with the statutory
right to privacy found in section
895.50. In particular, subsection 895.50(2)(a) maintains that an
invasion of privacy can be an "[i]ntrusion upon the privacy of another
... in a place that a reasonable person would consider private ... ." By
creating the new section, the Legislature is attempting to reduce the
likelihood that confidential medical and financial records will be
invaded after their disposal, but before final destruction in the waste
management system. The prospect of "dumpster diving" scavengers
acquiring personal records is a real threat. Recent news reports have
shown just how easy it is to obtain confidential information.
Section 895.505 Applicability
Section 895.505 applies to three broad types of businesses. The first
type is a medical business that possesses information relating to a
person's physical or mental health, medical history, or medical
treatment.[2] This could range from the family practitioner to
the corner pharmacist to the HMO claims processing center. The second
type of business is a tax preparation business that prepares an
individual's federal, state, or local tax returns or counsels a person
about such returns.[3] Anyone from a tax
attorney to a certified public accountant to a national tax preparation
chain would fall under this definition. Financial institutions are the
third type of business to fall under the new law's reach, and this term
includes banks, savings and loans, credit unions, and investment
companies.[4] Department store credit card
divisions and brokerage firm branches may meet this definition.
Records Must be "Personally Identifiable"
To qualify for protection under the new law, the record must be
"personally identifiable" and capable of being associated with a
particular individual through identifiers, circumstances, or other
information.[5] The four main categories of
eligible personal information include: 1) data about a person's medical
condition if such information is not already public knowledge; 2) data
detailing a person's credit or customer account number, outstanding
balance, or credit limit arising from accounts or transactions with a
financial institution; 3) data provided to financial institutions when
opening an account or applying for a loan or line of credit; and 4) data
about a person's tax returns.[6]
The businesses that are described above and possess the types of
records identified may not dispose of such records without first
shredding a physical record, erasing a computer storage system
containing a record, otherwise modifying a record to render it
unreadable, or taking other appropriate actions to reasonably ensure
that no unauthorized person will have access to a record prior to its
destruction.[7]
If a business disposes of a record without shredding or erasing it
consistent with this new law, the business is liable to the subject of
the record for any damages arising out of its failure to properly destroy
the personal information.[8] The business also
may be at risk for a civil forfeiture of up to $1,000 for its failure to
shred.[9] In addition to holding the business
responsible, the law provides that the person who obtains and uses the
improperly disposed record (that is, the "dumpster diver") is liable to
both the subject of the record and the business for any resulting civil
damages,[10] and potentially faces a fine of
up to $1,000 and up to 90 days imprisonment, or both.[11]
This new law, although onerous in some respects, should not impose
too much additional hardship on businesses to ensure compliance.
Physicians are already subject to a moral oath of confidentiality, and
statutory and licensing rules offer some legislative guidance on
disclosure.[12] (Curiously, although the
Wisconsin Administrative Code appears to offer standards on what should
be in a medical record and how long it should be kept, the code is
silent on what to do with the record after it is no longer
needed.[13]) Most financial institutions are
already aware of the risks of credit fraud and take the necessary steps
to safeguard customer information. And, tax preparation professionals,
such as certified public accountants, attorneys, and enrolled agents,
also have professional rules governing confidentiality.
Questions Remain on the Unauthorized Disclosure of Confidential Data
The new law doesn't answer all of the questions regarding the
unauthorized disclosure of confidential data. For instance, the
definition of protected tax returns includes only an "individual's" tax
materials. Most small business owners, among others, probably would
agree that their business records are just as private and should be
afforded the same protection as their personal, nonbusiness information.
Will the undefined term "individual" be applied to all types of entities
or only real persons?
A second concern is that the penalties for violating this law are
questionable. Particularly in the case of physicians and accountants
where ethical rules also are involved, how does a plaintiff place a
dollar amount on being harmed by the improper disclosure of information?
There is an obvious difference between obtaining confidential
information to commit fraud versus just being a snoop. And, since the
"dumpster diver" is liable to both the business and the person
identified in the record for each one's resulting damage, couldn't the
business seek reimbursement for its civil liability and potential
forfeiture from the person who obtained the record in violation of the
law?
Lastly, the statutory language neither differentiates between a
willful failure to shred and an inadvertent disposal, nor offers
standards for "proper" destruction such as using an electric machine to
"cross-cut" shred versus merely ripping up a file with one's hands.
Scott B. Franklin, Marquette 1995, C.P.A., is a tax manager with the
Milwaukee accounting firm of Kohler and Franklin CPAs and an instructor
for the Becker C.P.A. Review Course. He is a member of the Wisconsin
Institute of Certified Public Accountants' Federal Taxation Committee
and the State Bar's Taxation Section.
Conclusion
Many questions will remain unanswered until events occur that fall
under this law's jurisdiction and the court system looks at enforcing
the new section for the first time. In the meantime, attorneys should
advise their affected clients of this new law and the risks under it.
The many medical and tax preparation businesses and financial
institutions in Wisconsin should revise or institute operating policies
to promote compliance with this law to prevent situations from arising
under it in the first place.
The new requirement is effective Feb. 1, 2000.[14]
Endnotes
1. 1999 Wis. Act 9.
2. Wis. Stat. § 895.505(1)(d).
3. Wis. Stat. § 895.505(1)(h).
4. Wis. Stat. § 895.505(1)(b).
5. Wis. Stat. § 895.505(1)(f).
6. Wis. Stat. § 895.505(1)(e).
7. Wis. Stat. § 895.505(2).
8. Wis. Stat. § 895.505(3)(a).
9. Wis. Stat. § 895.505(4)(a).
10. Wis. Stat. § 895.505(3)(b).
11. Wis. Stat. § 895.505(4)(b).
12. Wis. Stat. § 153.50 and Wis. Adm. Code § Med. 10.02(n).
13. Wis. Adm. Code § Med. 21.03.
14. 1999 Wis. Act 9, § 9458(5g).
Wisconsin Lawyer