The privacy of your health records is at risk at legislature

I have some encouraging news. Minnesota is very good at something, better than any other state.

Thirty years ago, lawmakers wisely passed a comprehensive patient data privacy law. It is unlikely they were thinking about Big Data hoovering up our private information. The law passed long before we began to realize that our personal data is a product for sale.

I think the law reflected our strong culture of privacy and the wisdom that people would be less candid with doctors and nurses if the information was not carefully guarded. You may be comfortable with sharing your consumer data, but do you really want your medical records hoovered up without your consent? And that is the key: your consent.

Other states have either dropped privacy laws or watered them down. Minnesota has the best law in the nation. Instead of following the lead other states, Minnesota should be leading the way in patient privacy and consent.

Be sure to read the fine print in Rep. Peggy Scott’s (R-Andover) clear explanation in the Star Tribune, “While two bills would eat away at patient privacy, another protects it” this week. This is one of the issues that has split the Republican and DFL caucuses this session. Supporters of changing the law say that it helps medical providers save money, and that is true. But at what cost? They also have not been transparent about how much money the industry is making selling your private data. Read on….

Nothing is more personal than the data in one’s health records. In Minnesota, patients have the right to determine who sees this confidential information and where it can be sent. The Minnesota Legislature enacted patient consent requirements about 30 years ago, long before the federal HIPAA rule. In fact, the Minnesota Health Records Act (MHRA) is better than HIPAA. It’s a real privacy law.

The HIPAA privacy rule is actually not a privacy rule; it’s a permissive disclosure rule. In most cases, it permits those who have patient information, called “covered entities,” to disclose and use that information without patient consent.

These covered entities, such as hospitals, clinics, and health plans, aren’t required to share individually identifiable patient data, but HIPAA permits it and no patient can stop them. Patients can request that their information not be shared or used, but the covered entity can refuse that request.

This is why HIPAA is not a privacy rule. It doesn’t protect anyone’s privacy — except the corporations sharing patient data. They can’t be sued and they’re not required to give patients an accounting of disclosures made for purposes of treatment, payment and health care operations (“TPO”).

Patients are left in the dark as their data is exposed to a vast array of outsiders. The definition of “health care operations” is a nearly 400-word list of more than 65 nonclinical business activities.

Thankfully, the MHRA prohibits TPO disclosures without patient consent. It protects Minnesota patients from HIPAA.

But a movement is afoot to change this. The Minnesota Chamber of Commerce, Minnesota Business Partnership, and Minnesota Council of Health Plans are pushing the Legislature to exempt TPO disclosures from consent requirements, a plan the Minnesota Department of Health wrote, “may raise privacy concerns because of the broad scope of health care operations.”

If these corporations succeed in getting HF 831 and SF 1575 enacted, Minnesotans will lose the protective consent rights they have. Patient-identifiable data will be shared with potentially thousands of business associates across the globe. The data they receive could include diagnoses, behaviors, medications, treatments, genetic information, personal comments and more. Corporations will be in the winner’s circle. The storage and analysis of health data alone is a $7 billion a year business, according to the Advisory Board.

In Minnesota, if health records are improperly released, the MHRA gives patients a private right of action to sue for damages. But if Minnesota corporations get their way, patients would lose this right to sue. Filing a complaint with the Office for Civil Rights at the U.S. Department of Health and Human Services, which is in charge of HIPAA compliance, will be unproductive. HIPAA permits these violations of patient privacy.

There is another way. In December, after hearing testimony from groups on both sides, the Minnesota Legislative Commission on Data Practices unanimously voted for a universal patient consent form giving patients the right to choose “yes” or “no” for the sharing of their information for TPO. I am the author of HF 1686, a bill that would put that consent form in place statewide.

This consent form allows complete sharing of every detail of a patient’s health records — if that’s what the patient wants. Or if the patient wants to share their records only for treatment and payment, but not operations, they can do that. My bill acknowledges patient rights and keeps patients in control.

Personally speaking, my health record is not the property of a clinic, hospital, insurance company, dentist, medical record-keeping business, or the Minnesota Department of Health. It’s mine.

State legislators were elected to protect Minnesotans, not to take away their right to control the destiny of their health data. Why would any legislator want to be responsible for taking away constituents’ privacy and consent rights? To appease the business community and Big Data? That’s not a reason to eliminate something so precious. I will do all I can to keep the Legislature from giving corporate Minnesota a right to the confidential records of every Minnesota patient.