Discussion:

Mr. Shaller's request describes a situation in which various organizations, that are collecting and maintaining data on patients, are being required to provide data on those patients to the Commissioner and to the MHDI. The requirement for submitting this data is found in Minnesota Statutes Chapter 62J. Mr. Shaller's background explanation assumes, and correctly so, that in instances where the organizations, that are submitting data to the Commissioner and to MHDI, are state or local government entities, those entities are required to give Tennessen Warnings to patients when collecting data from them. The Tennessen Warning in this instance will, in addition to the other details of the actual notice, have to inform patients that data collected from them will be provided to the Commissioner and the MHDI. Mr. Shaller then asks what about instance when the organizations collecting data from patients are not state and local government entities but are private health care providers, hospitals and insurance carriers. Will those private entities be required to give patients a Tennessen Warning ?

The Tennessen Warning is a requirement of Minnesota Statutes Section 13.04, a part of the MGDPA. By its terms, the MGDPA regulates various activities of state agencies, political subdivisions and statewide systems. (See Minnesota Statutes Section 13.01, subdivisions 1 and 3.) Entities such as privately owned hospitals and health care providers do not fit the statutory definitions of the terms state agency, statewide system or political subdivision. (See Minnesota Statutes Section 13.02, subdivisions 11, 17 and 18.) Except in instances where nongovernmental entities agree to contractually bind themselves to be subject to the requirements of the MGDPA, they are not required to comply with the Tennessen Warning or other requirements of the MGDPA. (See Minnesota Statutes Sections 13.05, subdivision 6 and 13.46, subdivisions 1, (c) and 5. The duty to provide a Tennessen Warning is not imposed on a private sector entity by the MGDPA. Private sector organizations collecting and disseminating patient data to the Commissioner and the MHDI are not required by the MGDPA to give Tennessen Warnings to those patients.

In regard to the second issue raised by Mr. Shaller, he cites provisions of Minnesota Statutes Section 144.333. This is a provision of Minnesota Statutes that, among other things, gives patients the right to gain access to their health care records and limits dissemination of health care records. A key element of Section 144.335, quoted by Mr. Shaller, is a general rule that, except as otherwise specified in Section 144.335 or specifically authorized by law, patient health care records cannot be disseminated without the signed and dated consent of the patient. (Minnesota Statutes Section 144.335, subdivision 3a.) Mr. Shaller then quotes a 1993 amendment to Section 144.335 that specifies that the provisions of Section 144.335. subdivision 3a do . . . not apply to the release of health records to the commissioner of health or the data institute under chapter 62J, provided that the commissioner encrypts the patient identifier upon receipt of the data. Given that language, Mr. Shaller asks if providers must advise their patients that medical records could be released to the Commissioner and the MHDI without the consent of the patient?

It is not clear from Mr. Shaller's question whether the providers he mentions are private sector organizations or state and local governmental entities. The latter group of providers are subject to the Tennessen Warning requirement. If they provide Tennessen Warnings to patients and include in that Warning statements that medical data about the patient will be disseminated to the Commissioner and to the MHDI then the medical data can be disseminated to the Commissioner and the MHDI without the consent of the patient. (See Minnesota Statutes Sections 13.04, subdivision 2, 13.05, subdivision 4 and 13.42.)

As to private sector providers, as discussed above, those providers are not subject to the MGDPA and therefore are not affected by the Tennessen Warning requirement. Section 144.335 obligates these private health care providers, subject to certain exceptions, to only release health records with the consent of the patient. Health care providers can disseminate health records without the consent of the patient if the release of the record is specifically authorized by law. In a 1993 amendment, the legislature specifically stated that the limitation on the release of health records without consent is not applicable if the release of health records is to the Commissioner and to the MHDI. (See Session Laws of Minnesota 1993, Chapter 345, article 12, section 7.) Although this particular amendment is not stated in the form of an authorization for health care providers to release health records without consent, it seems clear the legislature intended that health records should be released to the Commissioner and the MHDI even if a patient has not consented to that particular release. Furthermore, there is nothing in the provisions regulating this submission of data by private providers that would require them to advise patients that data from their health records will be released to the Commissioner and to the MHDI.

The 1993 amendment cited above does condition this release of health records without consent on a requirement that the Commissioner take actions to encrypt the identifier of the patient upon receipt of the health record. Mr. Shaller did not provide information as to actions being taken or planned by the Commissioner or the MHDI to meet that requirement. It is reasonable for providers to receive information about compliance with that requirement from the Commissioner or MHDI so that they can be assured that this requirement of the amendment to Section 144.335 is being met. (See Session Laws of Minnesota 1993, Chapter 345, article 12, section 7.)

Opinion: