Health Law Alert: Will This Be the Year? Legislature Contemplates Modifying the Minnesota Health Records Act to Better Align With HIPAA
Health care providers have long struggled with reconciling the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Minnesota Health Records Act (MNHRA). MNHRA’s requirement of obtaining consent from patients before their health records are disclosed has proven particularly challenging to address, especially as technology has changed and the flow of electronic information exchange has accelerated. Other distinctions between HIPAA and MNHRA have similarly created confusion among providers, health plans, patients, and the businesses that serve them all. The Minnesota Legislature is currently considering a bill in the Senate that would align MNHRA with HIPAA.
I. Current Efforts to Align MNHRA, HIPAA
Throughout the years, there have been various efforts in Minnesota to bring MNHRA into lock-step with HIPAA. Currently, the Senate is considering a piece of legislation that, if passed, would make many amendments to MNHRA to bring MNHRA into conformity with HIPAA. Follow the status of the Senate Bill, SF3109, currently moving through committee here.
Senate Bill 3109 proposes to make many changes throughout MNHRA as well as certain corresponding changes to the Minnesota Government Data Practices Act (MNDPA) and limited changes to the Minnesota Insurance Fair Information Reporting Act. Highlights of the legislation are outlined below:
- The legislation removes the MNHRA’s requirement of obtaining consent from patients for the release of their health records. Instead, providers would be allowed to disclose health records if the disclosure is in compliance with the HIPAA privacy rule. Notably, “providers” (which has its own amended definition under the legislation) who are not “covered entities” under HIPAA would still need to follow the privacy rule for purposes of making disclosures of health records.
- The current definition of “health record” used in the MNHRA would be deleted and replaced with the definition of protected health information under HIPAA.
- Amends the definition of “provider” or “health care provider” in the MNHRA. Under the Senate bill, the term would mean “health care provider” as used in HIPAA, while also leaving in the list of individual practitioners and certain facilities found in the existing statute.
- Requires the patient identifiers to be encrypted upon receipt of the data in the instance any health record is disclosed to the Commissioner of Health or the Health Data Institute.
- Amends Minn. Stat 144.293, subd. 8(a) such that the patient must opt-out of, instead of opting in, to allow a provider to use their patient identifying information and information about the location of the patient’s health records when the provider participates in a health information exchange.
- Amends Minnesota Stat. 144.293, subd. 8(d) such that a patient must request a provider, or entity which operates a locator or patient information service, to provide a mechanism under which patients may exclude their identifying information and information about the location of their health records form a record locator or patient information service. Further, the bill removes the need for providers to get the patient’s consent to allow the provider to access a record locator or patient information service.
- Repeals Minnesota Stat. 144.293, subds. 4, 6, and 10. These subdivisions covered the duration, expiration, and warranties of the consent requirement that the proposed legislation suggests to eliminate.
- In addition, Senate Bill 3109 makes a number of changes to the MNDPA that are intended to bring certain provisions of that law into compliance with HIPAA. Potential modifications to the MNDPA include changes to the requirements for informed consent for insurance and noninsurance purposes, changes to the requirements for disclosing “medical data,” and a number of other adjustments.
Of course, this list is subject to change according to any amendments made to the bill or the introduction of completely separate legislation introduced to the House or Senate.
II. Minnesota Legislature’s Next Steps
Senate Bill 3109 was introduced to the Minnesota Senate on March 8, 2018 and the Senate immediately referred the bill to the Senate Judiciary and Public Safety Finance and Policy Committee. The bill was introduced by three Democrats and one Republican, which lends at least some degree of bipartisan support. Once the committee hears the bill, it could vote to send it to another committee if need be, or back to the Senate floor for a vote.
If you have questions about MNHRA, proposed changes to MNHRA, HIPAA, or other federal and state privacy and security requirements, please contact Jesse Berg at email@example.com (612.632.3374), Tim Johnson at firstname.lastname@example.org (612.623.3208), or Julia Reiland at Julia.email@example.com (612.623.3280).
Health Law Event April 12
You’re invited to join the Gray Plant Mooty Health Law Team for a roundtable breakfast and webinar on April 12 to discuss the Top 10 Enforcement Trends for 2018 in the health care industry. We will provide an overview of recent enforcement efforts by the Department of Justice, Office of Inspector General, and Office for Civil Rights, highlighting compliance issues that we expect to be in the spotlight this year and what these trends might mean for your organization. Click here to view the invitation and register for the event.