Vol. 72, No. 12, December 1999
Legislative Watch
Disposing Medical, Financial Records
The "dumpster diving" law is trying to reduce
the likelihood that confidential medical and financial records
will be invaded after their disposal, but before final destruction
in the waste management system.
By Scott B. Franklin
Section 3113n of the state budget bill1 has added an additional
section to Chapter 895 of the Wisconsin Statutes. New section
895.505 provides guidelines for the disposal of certain records
containing personal information. Although a well-intentioned
effort, the new law may not be the best solution for an important
issue.
The new provision ties in with the statutory right to privacy found
in section 895.50. In particular, subsection 895.50(2)(a) maintains
that an invasion of privacy can be an "[i]ntrusion upon
the privacy of another ... in a place that a reasonable person
would consider private ... ." By creating the new section,
the Legislature is attempting to reduce the likelihood that confidential
medical and financial records will be invaded after their disposal,
but before final destruction in the waste management system.
The prospect of "dumpster diving" scavengers acquiring
personal records is a real threat. Recent news reports have shown
just how easy it is to obtain confidential information.
Section 895.505 Applicability
Section 895.505 applies to three broad types of businesses. The first
type is a medical business that possesses information relating
to a person's physical or mental health, medical history,
or medical treatment.2 This could range from the family practitioner
to the corner pharmacist to the HMO claims processing center.
The second type of business is a tax preparation business that
prepares an individual's federal, state, or local tax returns
or counsels a person about such returns.3 Anyone from a tax attorney
to a certified public accountant to a national tax preparation
chain would fall under this definition. Financial institutions
are the third type of business to fall under the new law's
reach, and this term includes banks, savings and loans, credit
unions, and investment companies.4 Department store credit card
divisions and brokerage firm branches may meet this definition.
Records Must be "Personally Identifiable"
To qualify for protection under the new law, the record must
be "personally identifiable" and capable of being associated
with a particular individual through identifiers, circumstances,
or other information.5 The four main categories of eligible personal
information include: 1) data about a person's medical condition
if such information is not already public knowledge; 2) data
detailing a person's credit or customer account number,
outstanding balance, or credit limit arising from accounts or
transactions with a financial institution; 3) data provided to
financial institutions when opening an account or applying for
a loan or line of credit; and 4) data about a person's tax
returns.6
The businesses that are described above and possess the types
of records identified may not dispose of such records without
first shredding a physical record, erasing a computer storage
system containing a record, otherwise modifying a record to render
it unreadable, or taking other appropriate actions to reasonably
ensure that no unauthorized person will have access to a record
prior to its destruction.7
If a business disposes of a record without shredding or erasing
it consistent with this new law, the business is liable to the
subject of the record for any damages arising out of its failure
to properly destroy the personal information.8 The business also
may be at risk for a civil forfeiture of up to $1,000 for its
failure to shred.9 In addition to holding the business responsible,
the law provides that the person who obtains and uses the improperly
disposed record (that is, the "dumpster diver") is
liable to both the subject of the record and the business for
any resulting civil damages,10 and potentially faces a fine of
up to $1,000 and up to 90 days imprisonment, or both.11
This new law, although onerous in some respects, should not
impose too much additional hardship on businesses to ensure compliance.
Physicians are already subject to a moral oath of confidentiality,
and statutory and licensing rules offer some legislative guidance
on disclosure.12 (Curiously, although the Wisconsin Administrative
Code appears to offer standards on what should be in a medical
record and how long it should be kept, the code is silent on
what to do with the record after it is no longer needed.13) Most
financial institutions are already aware of the risks of credit
fraud and take the necessary steps to safeguard customer information.
And, tax preparation professionals, such as certified public
accountants, attorneys, and enrolled agents, also have professional
rules governing confidentiality.
Questions Remain on the Unauthorized Disclosure of Confidential Data
The new law doesn't answer all of the questions regarding
the unauthorized disclosure of confidential data. For instance,
the definition of protected tax returns includes only an "individual's"
tax materials. Most small business owners, among others, probably
would agree that their business records are just as private and
should be afforded the same protection as their personal, nonbusiness
information. Will the undefined term "individual" be
applied to all types of entities or only real persons?
A second concern is that the penalties for violating this
law are questionable. Particularly in the case of physicians
and accountants where ethical rules also are involved, how does
a plaintiff place a dollar amount on being harmed by the improper
disclosure of information? There is an obvious difference between
obtaining confidential information to commit fraud versus just
being a snoop. And, since the "dumpster diver" is liable
to both the business and the person identified in the record
for each one's resulting damage, couldn't the business
seek reimbursement for its civil liability and potential forfeiture
from the person who obtained the record in violation of the law?
Scott B. Franklin, Marquette 1995, C.P.A., is a tax
manager with the Milwaukee accounting firm of Kohler and Franklin
CPAs and an instructor for the Becker C.P.A. Review Course. He
is a member of the Wisconsin Institute of Certified Public Accountants'
Federal Taxation Committee and the State Bar's Taxation
Section.
Lastly, the statutory language neither differentiates between
a willful failure to shred and an inadvertent disposal, nor offers
standards for "proper" destruction such as using an
electric machine to "cross-cut" shred versus merely
ripping up a file with one's hands.
Conclusion
Many questions will remain unanswered until events occur that
fall under this law's jurisdiction and the court system
looks at enforcing the new section for the first time. In the
meantime, attorneys should advise their affected clients of this
new law and the risks under it. The many medical and tax preparation
businesses and financial institutions in Wisconsin should revise
or institute operating policies to promote compliance with this
law to prevent situations from arising under it in the first
place.
The new requirement is effective Feb. 1, 2000.14
Endnotes
1 1999 Wis. Act 9.
2 Wis. Stat. § 895.505(1)(d).
3 Wis. Stat. § 895.505(1)(h).
4 Wis. Stat. § 895.505(1)(b).
5 Wis. Stat. § 895.505(1)(f).
6 Wis. Stat. § 895.505(1)(e).
7 Wis. Stat. § 895.505(2).
8 Wis. Stat. § 895.505(3)(a).
9 Wis. Stat. § 895.505(4)(a).
10 Wis. Stat. § 895.505(3)(b).
11 Wis. Stat. § 895.505(4)(b).
12 Wis. Stat. § 153.50 and Wis. Adm. Code § Med. 10.02(n).
13 Wis. Adm. Code § Med. 21.03.
14 1999 Wis. Act 9, § 9458(5g).