Monday, March 11, 2013

Bye-Bye to your medical privacy in Minnesota

You may have to say good-bye to a strong part of Minnesota's health records privacy law if House File 824 passes as is.  House File 824/Senate File 970 is being pushed by Minnesota's powerful health industry. As one person said to me from the industry we need to "integrate" our business.  So we do away with one of the best medical privacy protection/rights provisions in the country?

The basic premise is that HIPAA, a federal regulation, sets a floor of some privacy protection and rights, but allows states to be more protective of your information or provides you with greater rights.  This is what Minnesota has done.  Even before HIPAA, Minnesota has been a leader in privacy protection. We are one of the most progressive states in the field protecting individual's privacy with their health records and giving patients more rights. Now a bit about House File 824 which dum-downs our privacy protections.

The bill as proposed states in part the following:

Sec. 4. Minnesota Statutes 2012, section 144.293, subdivision 2, is amended to read:  

Subd. 2. Patient consent to release of records. A provider, or a person who
receives health records from a provider, may not release a patient's health records to a
person without:
(1) without a signed and dated consent from the patient or the patient's legally
authorized representative authorizing the release;
(2) unless permitted or required under HIPAA or specific authorization in other
applicable federal or state law; or
(3) without a representation from a provider that holds a signed and dated consent
from the patient authorizing the release.

Under state law, the language with no underlines is current law.  This gives Minnesotans a strong consent provision.  In other words, you have control where your sensitive medical data goes.  What the new language does which is underlined in (2) is undercut Minnesota's privacy protections.  What ever HIPAA allows happens, therefore, your state law consent provisions are undercut.  It's a legislative sleight of hand.  A blatant attempt to gut the medical privacy rights of Minnesotans.

There are other sections of House File 824 which need attention also.

The bill has impact on your rights and privacy protections in many ways.  Some of them are as follows:

Consent to the use of medical information is not required under HIPAA if it is used or disclosed for treatment, payment, or health care operations. This is not the case with Minnesota law. The definitions of treatment, payment, and health care operations have broad definitions that encompass many activities that most people are not familiar with and may want to control what type of health record and where it goes to. Under Minnesota law a patient can restrict the use or disclosure of their medical data through the consent provisions.

Health entities are required to follow that consent. The Minnesota Department of Health in 2007 was asked to outline a standard consent form which allows Minnesotans to control their records and with our state law in mind.

With lawsuits and other kind of judicial proceedings health care entities can only give out medical data in response to a valid court order, or consent under Minnesota law. Requires consent from the patient in regards to court orders from other states, subpoenas, and discovery requests per Minnesota law. This would not be the case under HIPAA.

Minnesota law generally requires written consent before before a health system can disclose any medical information about you for medical research to an outside researcher. A health provider needs to obtain consent or refusal to participate in any research study.

Law enforcement access to Minnesotans health records under HIPAA is a serious concern. Under HIPAA, some disclosures may be made to law enforcement without a warrant or court order. This is not the case with Minnesota law. Our state law generally does not allow the release of medical information to law enforcement without a valid court order or a search warrant. Minnesota law allows it in certain circumstances in limited situations.

For decades, Minnesota has had a comprehensive health records privacy law which has been recognized nationally. Why would we want to lower our standards? The federal regulations did not become law until 2003. Do not expect HIPAA to give you a comfortable feeling of reassurance that sensitive medical data is a matter between you and your doctor, you will be deluded. The federal regulations set standards for privacy where health industry, government, and public interests often prevail over the patients desire for confidentiality.