The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law. It establishes a floor of Federal privacy protections and individual rights with respect to individually identifiable health information held by covered entities and their business associates. Minnesota has a few different areas where state law preempts federal law. North Dakota doesn t have any law that preempts federal law, except for the definition of fees for copying medical records.
The first area of Minnesota State Law that preempt HIPAA is the disclosure for external research. Minnesota law defines that information can be released for the purpose of external research if the following criteria is met: 1. Health records generated before January 1, 1997, may be released if the patient has not objected or does not elect to object after that date 2. Health records generated on or after January 1, 1997, the provider must: disclose in writing to patients currently being treated by the provider that health records, regardless of when generated, may be released and that the patient may object, in which case the records will not be released Use reasonable efforts to obtain the patient's written general authorization that describes the release of records in item (i), which does not expire but may be revoked or limited in writing at any time by the patient or the patient's authorized representative; 3. The provider must advise the patient of the rights 4. The provider must, at the request of the patient, provide information on how the patient may contact an external researcher to whom the health record was released and the date it was released. Authorization may be established if an authorization is mailed at least two times to the patient's last known address with a prepaid postage return envelope and a conspicuous notice that the patient's medical records may be released if the patient does not object, and at least 60 days have expired since the second notice was sent.
The researcher has responsibilities and duties under Minnesota state law in protecting health information. The researcher must ensure that: The use or disclosure does not violate any limitations under which the health information was collected. The use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which the use or disclosure is to be made The recipient has established and maintains adequate safeguards to protect the records from unauthorized disclosure, including a procedure for removal or destruction of information that identifies the patient Further use or release of the records in individually identifiable form to a person other than the patient without the patient's consent is prohibited.
Another area where Minnesota state law preempts HIPAA is for specific disclosures of health information. To meet the requirements in Minnesota, all disclosures should have a signed authorization that meets the requirements of HIPAA and Minnesota State Law. There are a number of scenarios where Minnesota Law requires authorizations for disclosures, which you see listed here. Treatment, payment, and operations Subpoenas Immunization Information Notice of Privacy Practices Minnesota Healthcare Bill of Rights Workers Compensation Patient Access Minors Provider to Provider Record Locator Service
Here is a look into specific areas of preemption in Minnesota. The first area pertains to release of information, specifically releasing records with or without a consent. Minnesota law states that a health care provider may not release a patient s health records without the patient s (or the patient s legally authorized representative s) written consent. Federal law states that a covered entity cannot use or disclose Protected Health Information to anyone other than the individual who is the subject of the information except for a few specified situations: for specified treatment payment or health care operations Following an authorization under or an agreement under 164.510; or for any of the exceptions specified under the HIPAA uses and disclosures requirements Since Minnesota law is more stringent, Minnesota law should be followed.
This is another area of preemption with Minnesota State Law and release of information. Minnesota state law indicates that a patient must consent for each disclosure of their health information for any purpose, before health records can be shared. Providers may use representation of consent to facilitate the ROI process. Federal Law states that a Covered Entity cannot use or disclose PHI except for the purposes of treatment, payment health care operations (TPO). Minnesota Law is more restrictive and protective in individual privacy rights; therefore, Minnesota law should be followed since it preempts the federal law.
Minnesota law is also more strict when it comes to releasing information to other providers. Minnesota state law says that Patient consent is not needed for ROI to other providers within a related health care entity when it is necessary for treatment of the patient. If the other provider is not within a related health care entity, an authorization for disclosure should be obtained. Federal law states a covered entity is not required to obtain consent to disclose PHI for use in TPO. Minnesota Law is more restrictive, preempting federal HIPAA privacy law as a result
The last area where Minnesota State Law preempts HIPAA is related to required or permitted releases without a consent. Under Minnesota Law, a patient consent is not needed for ROI in a medical emergency when medical/mental health care is needed to preserve life and prevent serious impairment to bodily functions, or when a court order or subpoena requires a release of PHI, or for public health purposes through the Minnesota Department of Health Activities. Under federal law, PHI may be disclosed when specifically authorized by law for public health activities, disclosures about violence/abuse, health oversight activities, judicial and administrative proceedings, law enforcement purposes, organ donation, certain research purposes, to avert serious health threats, special government functions, workman s compensation and disclosures to the HHS secretary to investigate compliance. In this case, Minnesota Law is more restrictive and preempts federal HIPAA privacy law.
Minnesota state law also requires that covered entities within the state of Minnesota post the Access to Health Records Notice of rights in addition to the HIPAA Notice of Privacy Practices.
Healthcare organizations need to be aware that each state law defines the amount that healthcare organizations can charge for copying medical records for the use and disclosure of health information. Minnesota and North Dakota have different fee requirements for copying records, which are outlined here.