Wisconsin Healthcare Compliance Requirements
State-specific breach notification rules, medical records retention periods, PDMP requirements, and mandatory reporting obligations for medical practices operating in Wisconsin.
Wisconsin healthcare compliance is governed by the Wisconsin Notice of Personal Information Breach statute, Wis. Stat. §134.98, enforced by the Wisconsin Attorney General through the Department of Justice's Office of Consumer Protection in Madison. Wisconsin is one of the few central-Midwest states whose breach rule is explicitly stricter than the HIPAA Breach Notification Rule: notice must be made within 45 days of learning of the breach, undercutting the federal 60-day outer limit by two weeks. Penalties under §134.98 reach $10,000 per negligent violation and $100,000 per intentional violation, with the AG retaining discretion to layer deceptive-trade-practices claims under Wis. Stat. §100.18. Hospital records must be retained 7 years from last treatment under Wis. Admin. Code DHS §124.14, with pediatric records held until age of majority plus 7 years. The Wisconsin ePDMP requires queries before every controlled-substance prescription. Wisconsin's stricter-than-HIPAA posture means practices accustomed to federal-baseline workflows need to compress detection-to-notice timelines by approximately 25%.
Breach Notification Rules
Notification deadline: 45 calendar days. Notification must be made within 45 days of learning of the breach.
AG notification threshold: Not explicitly required
Harm analysis required
Penalty range: Up to $10,000 per negligent violation, $100,000 per intentional violation
Enforcement Posture
The Wisconsin Attorney General's posture is moderate, with consistent enforcement of the 45-day deadline as the differentiator from federal baseline. The Department of Justice's Office of Consumer Protection coordinates breach-notice review, and the AG can pursue parallel claims under Wis. Stat. §100.18 deceptive-trade-practices for confusing or misleading consumer notices. The Madison-Milwaukee corridor generates most enforcement activity, with cross-border health-system incidents adding complexity when records flow across Wisconsin's Illinois, Minnesota, Iowa, and Michigan borders. Wisconsin's stricter-than-HIPAA framing means OCR coordination matters substantively: a notice that satisfies the federal 60-day deadline can still violate Wisconsin's 45-day rule, and OCR will not defend a federally-compliant practice from state-level enforcement.
Medical Records Retention
| Record type | Retention period | Measured from |
|---|---|---|
| General medical | 7 years | Last treatment |
| Pediatric | 7 years | Patient turns 18 |
Controlled-Substance Prescription Monitoring (WI ePDMP)
The Wisconsin ePDMP requires queries before every controlled-substance prescription, with delegation to licensed staff permitted. Exemptions cover hospice, cancer treatment, ER three-day supplies, and inpatient or long-term-care administration. Civil penalties reach $1,000 per violation, with Wisconsin Medical Examining Board discipline available in parallel. Register at pdmp.wi.gov and document the query in the patient chart. Wisconsin's ePDMP supports integrated EHR queries that satisfy both the documentation requirement and the every-prescription mandate when configured correctly.
Check required: Every prescription
Check frequency: Every prescription
Delegation allowed
Penalty range: Licensing board discipline; civil penalties up to $1,000 per violation; possible misdemeanor charges
Exemptions: Hospice patients, cancer treatment, ≤3 day supply in ER, inpatient hospital or long-term care administration
How Wisconsin Rules Hit by Specialty
Telehealth providers
Wisconsin requires telehealth providers furnishing care to Wisconsin patients to hold a Wisconsin Medical Examining Board license or qualify under IMLC. Breach response involving cross-border telehealth services must distinguish the licensing state from the patient-residence state — Wisconsin's 45-day notice rule follows the patient's residence regardless of provider location.
Hospital systems
Aurora, Froedtert, Marshfield Clinic, and Ascension Wisconsin span the state with cross-border networks reaching Illinois, Minnesota, Iowa, and Michigan. A single regional EHR incident must satisfy Wisconsin's 45-day rule alongside Minnesota's 60-day, Iowa's 90-day-plus-5-business-day, and Michigan's discovery-driven standard simultaneously.
Behavioral health
Wisconsin's behavioral-health record protections under Wis. Stat. §51.30 layer atop the §134.98 breach rule, requiring written authorization for most disclosures. A breach involving §51.30-protected records must address both statutes in the consumer notice.
Dental practices
Wisconsin dentists are mandated reporters of child abuse under Wis. Stat. §48.981, with up to a $1,000 fine and 6 months in jail for failure to report. The 45-day breach rule applies equally to dental practices, which often run with smaller compliance staff than medical offices.
Mandatory Reporting Obligations
Mandated reporters: Physicians, nurses, dentists, psychologists, social workers, EMTs, and all healthcare professionals
Report to: County Department of Human/Social Services or local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Up to $1,000 fine and/or 6 months jail
Immunity provision: Good faith reporters immune from civil and criminal liability under Wis. Stat. §48.981(4)

Mandated reporters: Physicians, nurses, social workers, and all healthcare professionals
Report to: County Department of Human/Social Services, Elder Abuse Reporting Agency
Timeline: Immediately / as soon as possible
Penalty for failure: Up to $500 fine
Immunity provision: Good faith reporters immune from civil and criminal liability

Mandated reporters: Healthcare providers treating injuries from suspected domestic abuse or criminal acts
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: Physicians, laboratories, and healthcare facility administrators
Report to: Wisconsin Department of Health Services, Division of Public Health, or local health department
Timeline: Within 24 hours
Penalty for failure: Up to $500 fine per violation
Immunity provision: Good faith reporters immune from civil liability

Mandated reporters: All healthcare providers treating gunshot wounds or injuries from criminal violence
Report to: Local law enforcement
Timeline: Immediately / as soon as possible
Penalty for failure: Up to $500 fine
Immunity provision: Good faith reporters immune from civil and criminal liability
Wisconsin Compliance FAQs
Wis. Stat. §134.98 requires notice within 45 days of learning of the breach — a deadline 15 days shorter than the HIPAA 60-day outer limit. Wisconsin is explicitly stricter than federal baseline. Practices accustomed to the federal timeline should compress detection-to-notice workflows by approximately 25% to satisfy Wisconsin's window.
Wis. Stat. §134.98 violations carry up to $10,000 per negligent violation and $100,000 per intentional violation. The AG retains discretion to layer Wis. Stat. §100.18 deceptive-trade-practices claims on top, and the Department of Justice's Office of Consumer Protection can pursue restitution and injunctive relief. The intentional-vs-negligent distinction matters; document the investigation timeline contemporaneously.
Wis. Stat. §134.98 does not impose a separate AG-notification mandate, but the Department of Justice's Office of Consumer Protection retains broad oversight authority. Practices experiencing a multi-thousand-record breach should consider voluntary AG notice as a defensive measure — proactive disclosure reduces the office's appetite for parallel enforcement.
Wis. Admin. Code DHS §124.14 requires hospitals to retain general medical records for 7 years from last treatment. Pediatric records must be retained until age of majority plus 7 years. Physician offices follow the same 7-year benchmark under Wisconsin Medical Examining Board guidance, providing consistency between hospital and outpatient retention.
The Wisconsin ePDMP (electronic Prescription Drug Monitoring Program) is the state's controlled-substance monitoring database. Prescribers must query before every controlled-substance prescription, with delegation to licensed staff allowed. Civil penalties reach $1,000 per violation, plus Wisconsin Medical Examining Board discipline. Integrated EHR queries can satisfy both documentation and frequency requirements.
