HIPAA news
HIPAA advisory
HIPAAdvisory > HIPAAnews Phoenix Health Systems
news
regs
action
tech
views
wares
alert
live
notes
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

Minnesota Plans to Collect Personal Medical Data

October 1, 2002 -- A proposed rule before the Minnesota legislature would require Minnesota hospitals, insurers, and health plans to electronically transmit the private individually-identifiable health data of most Minnesota residents to the health department without patient or parent consent. The Minnesota Department of Health informed Citizens' Council on Health Care (CCHC) that enough letters requesting a hearing on the proposed health data collection rule were received to require a hearing before an administrative law judge.

The hearing will be held on Friday, October 4, 2002 beginning at 9:00 AM and continuing until all persons wishing to speak have been allowed to speak. All public comments received by the health department prior to September 18, 2002, will be given to the judge for his consideration. Citizens and organizations can still send comments and concerns directly to the judge until October 11, 2002:

Judge Allan W. Klein
Office of Administrative Hearings
100 Washington Square, Suite 1700
Minneapolis, MN 55401-2138
(FAX 612-349-2665, Phone: 612-341-7609)

Health insurers and hospitals will together electronically transmit nearly 100 data elements, including patient name and gender, date of birth, patient identification and medical record numbers, patient address, patient race and ethnic background, patient employment and marital status, medical and mental health diagnoses, procedures performed, medications prescribed, health status, doctor's names and identification numbers, name of health insurer, name of hospital, dollar amount charged, total sum of medical bill, type of insurance, hospital discharge and admission dates, cause of injury and date of onset of illness, injury or pregnancy.

According to CCHC, although the 174-page MinnesotaCare health care reform bill of 1993 gave the Department of Health legal access to patient medical records, the Minnesota legislature is for the most part unaware of this law. With bipartisan support, the 2002 legislature came close to passing an amendment that would have required the department to bring the rule before the 2003 legislature for approval prior to adoption, but it was withdrawn.

CCHC's Concerns with the Proposed Rule:

  • GOVERNMENT ACCESS TO PRIVATE MEDICAL RECORDS. The State of Minnesota plans to collect personal, individually-identifiable medical, health, billing, enrollment, demographic, diagnosis, race, ethnic, employment, marital, prescription, and mental health data. (Section 4653.0200)
  • NO PATIENT OR PARENT CONSENT. No patient consent is required before any data is disclosed or electronically transmitted to the government. This is a violation of constitutional rights against unreasonable search and seizure as provided in the Fourth Amendment. (Section 4653.0200, subpart 7, page 249)
  • VOLUMES OF DATA WILL BE TRANSMITTED TO STATE GOVERNMENT OFFICIALS. Once a year, health insurers and hospitals will together electronically transmit to the government nearly 100 data elements, including patient name and gender, date of birth, patient identification and medical record numbers, patient address, patient race and ethnic background, patient employment and marital status, medical and mental health diagnoses, procedures performed, medications prescribed, health status, doctor's names and identification numbers, name of health insurer, name of hospital, dollar amount charged, total sum of medical bill, type of insurance, hospital discharge and admission dates, cause of injury and date of onset of illness, injury or pregnancy. Health officials will also be given data on the number of service units (days, visits, miles, or injections) that were provided to individuals patients during the entire year. (Section 4653.0200, pp 246-9)
  • HEALTH COMMISSIONER CAN ADD NEW DATA REQUIREMENTS WITHOUT PUBLIC NOTICE. Genetic and lifestyle data could be added to the list of data requirements. The Commissioner can at his/her own discretion choose to add a new data element requirement if the element is part of "the national recommendations for the collection of public health data elements," or if the element is needed to support assessment of a public health goal, to affect the quality of or directly enhance the use of another data element or to fulfill a state or federal law. No notice must be made to the public regarding the new data to be transmitted to the state government. No public comment period is required. (Section 4653.0200, subpart 8, page 250)
  • HEALTH DEPARTMENT HAS BROAD DISCRETION FOR INTERNAL USE OF DATA. There is no independent review of use of the data if the Health Department uses it internally for 4 purposes, including complying with state or federal law, providing background, planning, or policy development for a project with another state agency, implementing and planning health department's program activities, or for performing preliminary data analysis that may result in a department research project proposal. (Section 4653.0500, subpart 1, page 254)
  • CONSUMERS NOT REPRESENTED APPROPRIATELY. The data use committee that makes recommendations for department use of the data for research projects has only one consumer representative, who is appointed by the commissioner. There are four insurance representatives, three government representatives, three hospital reps, one research institution rep, one health services researcher rep, one nurse rep and one physician representative. (Section 4653.0600, page 255)
  • CONCENTRATION OF POWER. The data use committee can only make recommendations. It has no authority to authorize or deny access to data for research. Sole authority is vested in the Commissioner of Health. (Section 4653.0500, subpart 4, page 254)
  • DEPARTMENT RESEARCH RESULTS MAY GO UNCHALLENGED. A request by a member of the public for access to "public use data" can be denied if a characteristic of the data could directly or indirectly identify an individual, provider, or health plan. This prohibits independent validation of research results, results that may influence policy changes. This also acknowledges that the data is identifiable even when the personal identifiers have been removed or encrypted as law requires (the department keeps the identifiers in a separate vault). (Section 4653.0800, subpart 3, page 256)
  • NO ENFORCEMENT OR PENALTIES FOR BREACH OF PRIVACY. Although the health commissioner must do audits, require training, and report on breaches or misuse of data, the commissioner must only report "what has been done to address any outstanding issues." (Section 4653.0900, subpart 1, page 257-8)
  • NOT ENOUGH MANPOWER TO PROTECT DATA. There are, according to the department, 100 health department research positions. The Department's sole data steward, who is responsible for limiting access, implementing system security safeguards, reporting breaches, overseeing the provision of data, and complying with data practices, may not be able to effectively assess problems and control access. (Section 4653.0900, subpart 2, page 258)
  • BASED ON A PROMISE ONLY. Health officials can contract with outside agencies, organizations and others to process the data, leading to privacy hazards external to the department. Researchers and contractors are required to agree to not use the data to identify individuals and not duplicate or distribute the data. They also must destroy any copies made. But there is nothing to guarantee this will happen. Given the current value of data and the ease of electronic access, it will be easy and tempting to ignore regulatory requirements - whether or not there are penalties.(Section 4653.0900, subpart 3, page 257)
  • TRYING TO GET ALL PATIENT DATA. The department is as yet unable to get data from third-party administrators (TPAs) - those who administer the health plans of self-insured employers (employers who use their own cash reserves to pay for the health care costs of their employees). The Health Department will investigate how they might access this data and the availability of other sources of health data on individuals who are in these self-insured plans. (Section 4653.1300, page 259)
  • HEALTH CARE INSTITUTIONS MAY PROFIT OFF THE "SALE" OF PATIENT DATA. The department will pay $20,000 per year to private entities collecting and transmitting health data and $5,000 per year "for EACH contract or grant for enhancements to ongoing data collection." The term "enhancements" is not clear.

The Rule and Current Law:

  • View the proposed rule: "Proposed Permanent Rules Relating to Administrative Billing Data, Minnesota Rules, Chapter 4653" (PDF).

  • MN State Law:

    Minnesota Statutes 62J (limited sections):
    ==62J.301
    62J.301 Research and data initiatives.

    [...]

    Subd. 2. Statement of purpose. The commissioner of health shall conduct data and research initiatives in order to monitor and improve the efficiency and effectiveness of health care in Minnesota.

    Subd. 3. General duties. The commissioner shall:

    collect and maintain data which enable population-based monitoring and trending of the access, utilization, quality, and cost of health care services within Minnesota;
    collect and maintain data for the purpose of estimating total Minnesota health care expenditures and trends;
    collect and maintain data for the purposes of setting cost containment goals under section 62J.04, and measuring cost containment goal compliance;
    conduct applied research using existing and new data and promote applications based on existing research;
    develop and implement data collection procedures to ensure a high level of cooperation from health care providers and health plan companies, as defined in section 62Q.01, subdivision 4;
    work closely with health plan companies and health care providers to promote improvements in health care efficiency and effectiveness; and
    participate as a partner or sponsor of private sector initiatives that promote publicly disseminated applied research on health care delivery, outcomes, costs, quality, and management.
    Subd. 4. Information to be collected. (a) The data collected may include health outcomes data, patient functional status, and health status. The data collected may include information necessary to measure and make adjustments for differences in the severity of patient condition across different health care providers, and may include data obtained directly from the patient or from patient medical records, as provided in section 62J.321, subdivision 1.

    [...]

    62J.321 Data collection and processing procedures.

    Subdivision 1. Data collection. (a) The commissioner shall collect data from health care providers, health plan companies, and individuals in the most cost-effective manner, which does not unduly burden them. The commissioner may require health care providers and health plan companies to collect and provide patient health records and claim files, and cooperate in other ways with the data collection process. The commissioner may also require health care providers and health plan companies to provide mailing lists of patients. Patient consent shall not be required for the release of data to the commissioner pursuant to sections 62J.301 to 62J.42 by any group purchaser, health plan company, health care provider; or agent, contractor, or association acting on behalf of a group purchaser or health care provider. Any group purchaser, health plan company, health care provider; or agent, contractor, or association acting on behalf of a group purchaser or health care provider, that releases data to the commissioner in good faith pursuant to sections 62J.301 to 62J.42 shall be immune from civil liability and criminal prosecution.

    (b) When a group purchaser, health plan company, or health care provider submits patient identifying data, as defined in section 62J.451, to the commissioner pursuant to sections 62J.301 to 62J.42, and the data is submitted to the commissioner in electronic form, or through other electronic means including, but not limited to, the electronic data interchange system defined in section 62J.451, the group purchaser, health plan company, or health care provider shall submit the patient identifying data in encrypted form, using an encryption method specified by the commissioner. Submission of encrypted data as provided in this paragraph satisfies the requirements of section 144.335, subdivision 3b.

    (c) The commissioner shall require all health care providers, group purchasers, and state agencies to use a standard patient identifier and a standard identifier for providers and health plan companies when reporting data under this chapter. The commissioner must encrypt patient identifiers to prevent identification of individual patients and to enable release of otherwise private data to researchers, providers, and group purchasers in a manner consistent with chapter 13 and sections 62J.55 and 144.335. This encryption must ensure that any data released must be in a form that makes it impossible to identify individual patients.

    Subd. 2. Failure to provide data. The intentional failure to provide the data requested under this chapter is grounds for disciplinary or regulatory action against a regulated provider or group purchaser. The commissioner may assess a fine against a provider or group purchaser who refuses to provide data required by the commissioner. If a provider or group purchaser refuses to provide the data required, the commissioner may obtain a court order requiring the provider or group purchaser to produce documents and allowing the commissioner to inspect the records of the provider or group purchaser for purposes of obtaining the data required.

    [...]

    Subd. 6. Rulemaking. The commissioner may adopt rules to implement sections 62J.301 to 62J.452.

Citizens' Council on Health Care (CCHC) is an independent non-profit free-market health care policy organization located in St. Paul, Minnesota.

Go to TOP