May 5, 2017, City of Duluth
Note: Minnesota Statutes, section 13.387, is also applicable to the data at issue in this opinion.
This is an opinion of the Commissioner of Administration issued pursuant to Minnesota Statutes, section 13.072 (2016). It is based on the facts and information available to the Commissioner as described below.
Steven Hanke, attorney for the City of Duluth, requested an advisory opinion regarding the classification of data the City maintains.
The City provided the following summary of the facts:
The City of Duluth operates a self-insurance pool, referred to as the Duluth Joint Powers Enterprise Trust, for the City’s group health insurance plan. The plans cover eligible current employees, retired employees, and their dependents. The City’s collective bargaining agreement [sic] contain specific health insurance plan design requirements in regards to covered procedures, prescription drug pricing, monthly premium cost sharing, and so forth. The collective bargaining agreements also require retired employees and their qualified dependents to obtain Medicare Part A and B coverage if they are eligible.
The City of Duluth contracts with HealthPartners Administrators, Inc., as third-party administrator of the City’s self-insured group health plan. HealthPartners Administrators, Inc. sends City plan participants correspondence (several examples attached) soliciting information from Plan participants.
The City believes that the data collected by HealthPartners Administrators, Inc. constitutes “government data” because it is being collected to perform a government function: administration of the City's self-insured health plan for its eligible employees, retirees, and their dependents.
Thus, the City believes that HealthPartners Administrators, Inc. is subject to Minnesota Statutes, section 13.05, subdivision 11(a). The City also believes the data in question are private, and therefore, per Minnesota Statutes, section 13.04, subdivision 2, HealthPartners Administrators, Inc. must give a Tennessen Warning notice when it collects the data listed on the above-referenced questionnaires and forms.
Based on the opinion request, the Commissioner agreed to address the following issues:
Pursuant to Minnesota Statutes, section 13.03, government data are public unless otherwise classified.
When a government entity contracts with a private person to perform any of its functions, data related to performance of the contract are subject to the requirements of Minnesota Statutes, Chapter 13, and the private person must comply with those requirements as if it were a government entity. (Minnesota Statutes, section 13.05, subdivision 11.)
Minnesota Statutes, section 13.43, classifies data on individuals who are current or former employees of a government entity. Subdivision 2 lists the types of personnel data that are public and subdivision 4 classifies most other types of personnel data as private. It also classifies "data pertaining" to an employee’s dependents as private.
Issue 1. Are the data collected by the third-party administrator of the City of Duluth’s self-insured group health plan "government data" under Minnesota Statutes Section 13.02, subdivision 7?
"Government data" are defined in Minnesota Statutes, section 13.02, subdivision 7, as “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.
The City's third-party administrator collects and maintains the data in question to carry out the function of administering the City’s self-insured group health plan. Under section 13.05, subdivision 11, it must comply with the Data Practices Act as if it were a government entity in carrying out its duties related to the contract. Thus, the data are government data.
Issue 2. If the answer to Issue 1 is yes, are the data classified as private data on individuals under Minnesota Statutes section 13.02, subdivision 12?
As noted above, data on public employees and their dependents are classified under section 13.43. The data collected on the forms that are used to administer the City’s self-insured health plan are private per section 13.43, subdivision 4, because they are data on employees/former employees that are not explicitly classified as public under subdivision 2, or are data on dependents.
Issue 3. If the answer to Issue 2 is yes, must the City or its third-party administrator provide a Tennessen warning notice prior to obtaining the data, per Minnesota Statutes section 13.04, subdivision 2?
When a government entity collects private or confidential data about an individual from that individual, the entity is required to provide a notice, commonly referred to as a Tennessen warning. (Minnesota Statutes, section 13.04, subdivision 2.) This notice must contain the following: (a) the purpose and intended use of the data; (b) whether the individual can refuse or is legally required to provide the requested data; (c) what the consequences are of supplying or not supplying the data; and (d) the identity of other persons or entities outside of the collecting agency authorized by state or federal law to receive the data.
The Commissioner previously has opined that if an entity does not give an individual a Tennessen warning notice when required, or if an entity’s notice is inadequate, the entity cannot store, use, or disclose any of the data it collected from the individual. (Minnesota Statutes, section 13.05, subdivision 4.) (See also Advisory Opinions 95-028, 02-045, 07-009, and 13-011.)
In order to administer the City’s self-insurance plan, its third-party administrator collects private data from eligible City employees, retirees, and their dependents. As noted above, the third-party administrator must comply with the Data Practices Act as if it were a government entity, and therefore it must provide a Tennessen warning notice prior to obtaining private data from those individuals.
Finally, at least one of the forms the City submitted asks for Social Security Numbers (SSN). The Commissioner previously has opined that when an entity collects an individual’s SSN, federal law imposes some additional notice requirements. (See Advisory Opinions 01-040, 04-020, and 04-048.)
Based on the facts and information provided, the Commissioner’s opinion on the issues is as follows:
Signed:
Matthew Massman
Commissioner
Dated: May 5, 2017