[co-author: Madeline Henschel]
On October 11, 2023 the Minnesota Supreme Court issued an opinion in Schneider v. Children’s Health Care holding that the Minnesota Health Records Act (“MHRA”) provision allowing health care providers to release health records when there is “specific authorization in law” encompasses all operative law in Minnesota, including permitted disclosures under the federal HIPAA privacy rule. This case appears to resolve longstanding questions about the interaction between the MHRA and the HIPAA privacy rule, and concludes that the MHRA’s health records release prohibitions are no stricter than the HIPAA privacy rule.
In 2020, Children’s Health Care alerted the Schneider family that a third-party vendor for its foundation had suffered a data breach, and that their child’s protected health information may have been compromised. The Schneiders were not aware that Children’s had disclosed their child’s protected health information to its related foundation. The family sued Children’s, alleging a violation of the MHRA and claiming that Children’s had obtained no written consent to disclose health records to the foundation for fundraising purposes.
However, Children’s was permitted to disclose the health information to its foundation under the federal HIPAA privacy rule. Children’s moved for summary judgment, arguing that the MHRA provision allowing release of health records when there is a “specific authorization in law” permits Children’s to release records when permitted under the HIPAA privacy rule. The district court and court of appeals granted summary judgment to Children’s, and the Schneiders then petitioned the Minnesota Supreme Court to review.
Statutory Background
The HIPAA privacy rule prohibits covered entities, such as health care providers, from using or disclosing protected health information (“PHI”) unless permitted under the rule. The HIPAA privacy rule permits the use and disclosure of PHI under various circumstances, including for fundraising purposes. Covered entities under HIPAA may use a limited set of data elements for fundraising (or disclose that same information to a related foundation for fundraising), without any written consent or authorization from the patient.
The HIPAA privacy rule also contains a general preemption rule, which provides that any state law that is contrary to the federal privacy rule is preempted. However if a state law affords greater privacy protection for identifiable health information, then the federal rule will not preempt that state law.
The MHRA limits when certain Minnesota-licensed health care providers (including hospitals) are permitted to release health records without a patient’s written consent. The MHRA has a fewer number of permitted disclosures without patient consent than the HIPAA privacy rule does. But the MHRA exception at issue in Schneider allows for release of health records if there is a “specific authorization in law.”
Brief Analysis
The Schneiders first argued that the scope of the phrase “specific authorization in law” refers only to Minnesota laws, and thus would not extend to the federal HIPAA fundraising exception. The Court rejected this argument, finding that in this context the plain and ordinary meaning of “law” refers to law that is binding and enforceable in Minnesota, which includes both Minnesota and federal law.
Second, the Schneiders argued that the Court has required the Minnesota legislature to explicitly reference a federal law that is to be incorporated into a state statute. They claimed that because the MHRA does not explicitly reference federal law or HIPAA, the HIPAA fundraising exception is not a “specific authorization in law.” The Court rejected that argument, instead finding that the plain language of “law” makes it clear that the legislature explicitly intended to incorporate federal law into the MHRA.
The final argument was that the MHRA is more stringent than the HIPAA privacy rule, and as such, is not preempted by the federal rule. This argument rested on the premise that because the MHRA does not have a separate fundraising exception, the MHRA must be more stringent than the HIPAA privacy rule. The Court disagreed, noting that the argument assumes its conclusion that the MHRA does not incorporate the HIPAA privacy rule as a “specific authorization in law.” Because the Court determined that the MHRA does incorporate the HIPAA privacy rule it was unpersuaded by this argument, effectively ruling that the MHRA’s records release provisions are no more stringent than the HIPAA privacy rule.
The Schneider v. Children’s Health Care case has practical, operational impact on health care providers in Minnesota. The case essentially reconciles permitted health records release under the MHRA with permitted disclosures of PHI under HIPAA. This should relieve Minnesota health care providers of the need to obtain a written patient consent under the MHRA in order to release health records for purposes for which disclosure is permitted under the HIPAA privacy rule, such as coordinating care with unaffiliated providers or billing health insurance.