HIPAA Compliance in Wisconsin: State‑Specific Requirements You Need to Know


Kevin Henry

HIPAA

May 12, 2026

7 minutes read
Wisconsin Statutes Compliance

HIPAA sets the nationwide baseline, but HIPAA compliance in Wisconsin also depends on several state laws that govern health record confidentiality, breach response, and disposal of protected health information (PHI). Key provisions include: confidentiality rules for “patient health care records” (§146.82), an applicability rule clarifying that these protections cover records in any format (§146.836), a disposal rule for records containing personal information (§134.97), and a general data‑breach statute with state‑level duties (§134.98). ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-146/section-146-82/?utm_source=openai))

What this means in practice: treat PHI and state‑defined “personal information” as protected, choose destruction methods that prevent reconstruction, and apply Wisconsin’s rules alongside HIPAA unless a provision is preempted or an exemption applies. For example, §134.97 requires shredding, erasing, or otherwise making the data unreadable, and obligates “medical businesses” and their contractors to prevent unauthorized access between the time a record is discarded and the time it is actually destroyed. ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-134/section-134-97/))

Breach Notification Procedures

When HIPAA governs the incident

If a breach involves unsecured PHI held by a HIPAA covered entity, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. For breaches affecting more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that area, and HHS must be notified at the same time as the individuals; breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Business associates must notify the covered entity without unreasonable delay and no later than 60 days after discovery. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404?utm_source=openai))

When Wisconsin’s general breach law applies

Wisconsin’s data‑breach statute (Wis. Stat. §134.98) requires notice to affected individuals “within a reasonable time, not to exceed 45 days” after the entity learns of an unauthorized acquisition of personal information. It also requires notifying the nationwide consumer reporting agencies when 1,000 or more individuals are notified, and it permits a delay at the request of law enforcement. Entities that are HIPAA covered entities and comply with HIPAA’s breach rule are exempt from §134.98. Contractors that store personal information on behalf of another entity must notify the owner or licensee of that information “as soon as practicable.” Because a single incident can involve both PHI and non‑PHI personal information, write your incident response plan so that the HIPAA timelines and the state deadlines are both tracked from the date of discovery. ([dhs.wisconsin.gov](https://www.dhs.wisconsin.gov/lh-depts/health-officers/ph-statutes.htm?utm_source=openai))

Health Record Retention Policies

Minimum retention by provider type (Wisconsin)

  • Physicians/physician assistants: retain patient health care records at least 5 years after the last entry (Med 21.03). ([wirules.elaws.us](https://wirules.elaws.us/rule/Med21.03?utm_source=openai))
  • Hospitals: determine a schedule based on needs, but at minimum maintain records for 5 years (DHS 124.14). ([wirules.elaws.us](https://wirules.elaws.us/rule/DHS124.14?utm_source=openai))
  • Nursing homes: retain records at least 5 years following discharge or death (DHS 132.45). ([law.cornell.edu](https://www.law.cornell.edu/regulations/wisconsin/Wis-Admin-Code-SS-DHS-132-45?utm_source=openai))
  • Home health agencies: retain records a minimum of 5 years after discharge (DHS 133.21). ([law.cornell.edu](https://www.law.cornell.edu/regulations/wisconsin/Wis-Admin-Code-SS-DHS-133-21?utm_source=openai))
  • Mental health treatment records (DHS 92.12): retain at least 7 years after treatment completion; for minors, retain until age 19 or 7 years after treatment—whichever is longer. ([law.cornell.edu](https://www.law.cornell.edu/regulations/wisconsin/Wis-Admin-Code-SS-DHS-92-12))

When closing or ceasing practice

Wis. Stat. §146.819 sets out duties when a provider ceases practice: either arrange for continued maintenance of the records in compliance with the confidentiality rules, or give advance notice before destroying them so that patients have an opportunity to retrieve their records. Build these steps into your wind‑down plan and patient notifications. ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-146/section-146-819/))

Practical considerations

These are minimums. Program rules, payer contracts, litigation holds, or federal documentation standards may require you to retain certain records longer; align your retention schedule with all applicable obligations before destroying any records. ([dhs.wisconsin.gov](https://www.dhs.wisconsin.gov/areaadmin/records-management.htm?utm_source=openai))

Business Associate Responsibilities

Core HIPAA duties

Business associates are directly liable for complying with the HIPAA Security Rule, the Privacy Rule provisions that apply to them, and the Breach Notification Rule, and they must execute business associate agreements (BAAs) that define permitted uses and disclosures, required safeguards, and breach reporting. A BA that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 days after discovery. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html?utm_source=openai))

Wisconsin‑specific expectations

Under Wis. Stat. §134.97, “medical businesses” and persons under contract with them must dispose of records containing personal information by shredding, erasing, or otherwise making the information unreadable, and must prevent unauthorized access between disposal and destruction. If a contractor stores personal information for another entity and discovers an unauthorized acquisition, §134.98 requires notice to the owner or licensee “as soon as practicable.” A BAA with a Wisconsin contractor should therefore name the disposal method and the owner‑notification duty explicitly rather than relying on the HIPAA language alone. ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-134/section-134-97/))

State Privacy Law Obligations

Wisconsin’s health record confidentiality statute (§146.82) restricts disclosure of patient health care records, while §146.836 confirms that these confidentiality and access provisions apply to records in every format (written, spoken, visual, electromagnetic, or digital). Mental health treatment records have separate confidentiality and re‑disclosure limits under DHS ch. 92. HIPAA preempts contrary state law except where the state rule is more stringent, so when the two differ, the requirement that gives the patient stronger protection generally governs. ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-146/section-146-82/?utm_source=openai))

Safeguarding Electronic PHI

Security Rule‑aligned controls to prioritize

  • Governance and risk: an enterprise‑wide risk analysis covering every system that creates, receives, maintains, or transmits ePHI, a risk management plan that tracks remediation, and third‑party risk oversight of vendors and BAs.
  • Access controls: role‑based access, unique user IDs, MFA, session timeouts, and minimum‑necessary enforcement, with periodic access reviews and prompt deprovisioning.
  • Encryption and key management: protect data in transit and at rest with vetted algorithms; rotate keys and restrict who can use them. Properly encrypted data that is lost or stolen is not “unsecured PHI,” which can take an incident out of the breach‑notification analysis entirely.
  • Auditability: enable audit logs across EHRs, endpoints, and cloud systems; retain them, protect them from tampering, and review them for anomalous access.
  • Resilience: patching, vulnerability management, secure configuration baselines, tested backups, and an incident response plan exercised at least annually.
  • Workforce safeguards: training, phishing defense, a sanctions policy for violations, and documented procedures.
  • Secure disposal: apply defensible media‑sanitization practices and Wisconsin’s §134.97 destruction standards to devices and media containing ePHI, and keep a destruction record for each asset. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf?utm_source=openai))

Penalties for Noncompliance

State penalties

Wisconsin imposes civil and criminal penalties for mishandling patient health care records. Under §146.84, negligent violations can trigger forfeitures and actual damages; knowing and willful violations carry higher damages; and an intentional disclosure made for pecuniary gain can carry a fine of up to $100,000 and imprisonment of up to 3 years and 6 months. Improper disposal under §134.97 can also result in forfeitures and civil liability to the affected individuals. ([statutes.laws.com](https://statutes.laws.com/wisconsin/146/146.84))

Federal HIPAA enforcement

HHS OCR enforces HIPAA through investigations, corrective action plans, and civil money penalties under the HIPAA Enforcement Rule; certain conduct can also be prosecuted criminally under 42 U.S.C. §1320d‑6. In an investigation, OCR will ask for the documentation behind your breach response: the four‑factor risk assessment for any incident you decided was not a reportable breach, the dates of discovery and notification, and copies of the notices sent, all of which must be retained for six years. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html?utm_source=openai))

FAQs

What are Wisconsin's specific breach notification requirements?

For an unauthorized acquisition of “personal information,” Wisconsin’s §134.98 requires notice to affected individuals within a reasonable time, not to exceed 45 days after the entity learns of it; notify the nationwide consumer reporting agencies if 1,000 or more individuals are notified, and honor any law‑enforcement delay. HIPAA covered entities that comply with HIPAA’s breach rule are exempt from §134.98. For breaches of unsecured PHI, follow HIPAA’s 60‑day timeline and the related media and HHS notices. ([law.justia.com](https://law.justia.com/codes/wisconsin/chapter-134/section-134-98/))

How long must health records be retained in Wisconsin?

Minimums vary by provider type. Physicians/physician assistants: at least 5 years after the last entry (Med 21.03). Hospitals: at least 5 years (DHS 124.14). Nursing homes: at least 5 years after discharge or death (DHS 132.45). Home health agencies: at least 5 years after discharge (DHS 133.21). Mental health treatment records: 7 years after completion of treatment; for minors, until age 19 or 7 years after treatment, whichever is longer (DHS 92.12). ([wirules.elaws.us](https://wirules.elaws.us/rule/Med21.03?utm_source=openai))

What penalties exist for HIPAA violations in Wisconsin?

At the federal level, OCR can impose civil money penalties and corrective action plans, and certain conduct may trigger criminal liability under 42 U.S.C. §1320d‑6. At the state level, §146.84 authorizes damages, fines, and—in severe cases—imprisonment for unlawful disclosures; improper record disposal under §134.97 can also result in forfeitures and civil liability. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))

How does Wisconsin law affect business associates under HIPAA?

Business associates are directly liable for certain HIPAA requirements and must notify the covered entity of a breach of unsecured PHI without unreasonable delay and no later than 60 days after discovery. In Wisconsin, §134.97 imposes disposal safeguards on “medical businesses” and their contractors, and §134.98 requires any person storing personal information for another entity to notify the owner as soon as practicable after discovering an unauthorized acquisition. Your BAA should reflect both sets of obligations. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.410?utm_source=openai))
