Voiding Minnesota's strong health data privacy protections with
an amendment by Representative Zerwas to SF 3019 on the House floor tomorrow (Thursday May 17th) is foolish and senseless.
Of all the votes in the Minnesota Legislature on privacy this session, this is the ONE the public needs and legislators need to pay attention too. The amendment slays Minnesotan's robust right to consent where your most sensitive health data shall go. The proposal is poorly designed and done in a hustled way by business and health industry interests.
The attempt by the author is to do away with one of the best health data privacy protection/rights in the country and replace it with parts
of the HIPAA regulations. Important to understand the premise, that HIPAA, a federal regulation sets a minimum floor of privacy protections and rights, but allows states to be more protective of your information or provides you with more rights.
When I pressed Representative Zerwas, who is the author of the original bill, and corporate and health industry lobbyists I did not get a coherent and detailed rationale. What one hears for this change: will save money and give coordinated care. (questionable) Also said the proposal will not damage your health data privacy, because you have the federal government minimum standards to rely on.
But proponents of the amendment are wrong in their surety that adopting HIPAA standards and ditching our state protections will fill the gap of privacy protections.
Our current law assures you have control where your most sensitive data goes to and for what purpose. For example, you do not want your mental health data to be seen or sent to the foot doctor, you have that choice and right. Minnesota law allows you to CONTROL where your health data goes.
Slapping down Minnesota's consent provision jeopardizes your privacy to where your health data can be widely disseminated and be used for purposes without your knowledge and consent.
Who decides where, for what purpose, and to whom your personal health data is used and dispersed, you or the business and health interests?
If the proponents want to ditch Minnesota's consent and privacy protections show how HIPAA has same robust protection with consent and privacy protection.
Instead, what is proposed on the floor of the House is deletion of about 13 words of our current law and replace it with some twenty words referring to a federal regulation. The regulation is pages long and I am sure many of the House members have not read and understand.
The regulation with its broad language and definitions encompasses many activities that many people are not familiar with and allows for health data to be strewed about which individuals may want to control and not so easily be strewn about.
There has been no hearing on the Senate side on the original bill or amendment. In the House only one hearing in a health committee. The bill has not been heard in the Civil Law and Data Practices Committee.
To be clear, can there be changes to Minnesota law to accommodate concerns and issues, yes, but not in this manner. Trading this amendment for the loss of our states protections is a bad exchange. If this proposal along with others can be discussed in a rationale and comprehensive way, it would be better for us.
The place for this rationale and comprehensive discussion is the Legislative Commission on Data Practices and Data Privacy. With suggestions to be made for January 2019 when the Legislature comes back. Many questions and issues can be discussed in a way that all parties will get their say.
The commission can explore many questions and issues such as:
How can state law deal with the wishes of an individual patient to not have certain sensitive data be shared with others?
Can coordination of care and individuals right to control where their data goes co-exist within state law? (Note: Over the years when issues arose they have been addressed within our state law on health data)
How can penalties and rights for patients be more enhanced on a state level where there are violations of privacy rather than rely on a federal agency?
These are just some examples of points of questions that need and can be explored.
Minnesota has had a comprehensive health data privacy law which has been recognized nationally. Why would we want to lower our standards? Do not think the HIPAA regulations give you a comfortable feeling of reassurance that sensitive health data is a matter between you and your doctor, you'll be duped. The federal regulations set standards for privacy where health, business, and public interests often prevail over the patients desire for confidentiality.
Do not abrogate Minnesota's privacy/consent provisions in this hasty and sloppy way.