The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that Congress passed in 1996 to make the sharing and protecting of health data more consistent, efficient, and safe. The U.S. Department of Health and Human Services then issued rules (45 CFR Parts 160, 162, and 164) intended to carry out those aims. One of the rules is called the Privacy Rule, which is a set of regulations that protect the privacy of individually identifiable health information.
A Minnesota government entity is not required to comply with HIPAA's requirements unless it is a covered entity, as that term is defined by HIPAA (45 CFR 160.103).
However, it is also possible that a specific function a government entity performs may be subject to HIPAA's requirements because that function is considered a covered entity for purposes of HIPAA. For example, an entity may sponsor an employee health plan, administer a public health program, or own a health clinic or nursing home.
The definition of covered entity includes:
Government entities should work with their legal counsel in determining whether they must comply with HIPAA requirements.
A Minnesota government entity is not bound by HIPAA’s requirements solely because it collects or maintains individually identifiable health information. However, even if the government entity is not a HIPAA covered entity, the individually identifiable health information may be private data under Minnesota law. Minnesota government entities must always follow Minnesota’s Data Practices Act (Minnesota Statutes, Chapter 13) and protect private and confidential data even if they are not a covered entity under HIPAA.
Under Minnesota law, a provider, or a person that receives health records directly from a provider, may not disclose those records without consent, specific authority, or a court order (Minnesota Statutes, section 144.293, subd. 2).
The HIPAA Privacy Rule excludes from coverage “education records” or “treatment records” covered by the federal Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g. Even though a school may be a covered entity under HIPAA because it offers services as a health care provider, it is not required to comply with the HIPAA Privacy Rule (see definition of protected health information in 45 CFR 160.103).