    How is the MN Health Records Act Different From HIPAA?
    Dana Miner • September 25, 2024

    The Minnesota Health Records Act (MHRA), which supersedes some of the provisions of the federal Health Insurance Portability and Accountability Act (HIPAA), enforces strict standards for the handling of health information.


    HIPAA has a built-in “preemption rule” that allows any state law with more protective patient privacy restrictions to take precedence over the federal law. In states that don’t have their own more rigorous patient health information protections, HIPAA still applies.


    The Minnesota Health Records Act Imposes Stricter Consent Requirements on Healthcare Providers


    In states where only HIPAA applies, there are scenarios where a healthcare provider can send a patient’s health records to another doctor or the insurance company without the patient’s consent. For example, under HIPAA, a primary care doctor who refers a patient to a specialist may be legally allowed to send their patient’s medical records to the specialist without the patient’s written consent. They could also share the patient’s medical records with the insurance company for billing purposes.


    Under MHRA, doctors in Minnesota are required to obtain written consent to send a patient’s records over to a specialist and the insurance company.


    MHRA Applies to Healthcare-Adjacent Professionals


    HIPAA doesn’t automatically apply to alternative medicine practitioners, like chiropractors, acupuncturists, massage therapists and naturopaths, unless they can bill insurance or transmit health information electronically.


    In some cases, non-covered alternative medicine providers who are not subject to HIPAA may disclose information without a client’s consent to third parties, family members or other healthcare professionals.

     

    MHRA does apply in those types of scenarios, meaning a client of an alternative medicine practitioner would need to provide written consent before any of their information could be shared with a third party, even if the request isn’t transmitted electronically. 


    Public health clinics, school nurses, nonprofits, home health aides and other medicine-adjacent professionals who don’t typically transmit any health information electronically must still abide by MHRA, even if they are not subject to HIPAA.


    MHRA Has a Narrower Focus Than HIPAA


    HIPAA has two primary roles:


    1. It requires medical practitioners to obtain patient consent for certain types of medical record sharing
    2. It mandates minimum security requirements for electronic health records


    MHRA primarily deals with the first of these roles. Medical practitioners in Minnesota who electronically store or transmit patient medical information must ensure HIPAA compliance with their software and security protocols.


    The Types of Security Rules HIPAA Enforces


    Any healthcare provider who stores electronic health records (EHRs) must implement strict safeguards to maintain the integrity and confidentiality of their patients’ electronic protected health information (ePHI).


    • Technical Safeguards: Software, security settings and accessibility restrictions, including encryption, access controls and audit trails, must be implemented on any equipment storing ePHI.


    • Administrative Safeguards: Healthcare practitioners and employers in the medical field must implement strict HIPAA training procedures for workers, enforce HIPAA-compliant policies for patient information handling, and adhere to risk management procedures.


    • Physical Safeguards: Healthcare practitioners are responsible for ensuring that physical access to computers or equipment where ePHI is stored is limited to approved individuals.


    Detailed Record Keeping


    Any business that stores or transfers HIPAA-protected patient records must maintain strict audit trails to ensure breaches can be tracked and any party responsible for HIPAA violations can be identified. This includes tracking who accessed which patient records and when. Some software can even track why information was accessed to ascertain whether the worker who opened ePHI had a legitimate reason to do so.


    Information Breach Notification


    Even medical providers who adhere to HIPAA security requirements may still be vulnerable to data breaches. If electronic medical records are accessed in violation of HIPAA, healthcare providers are required to follow the Act’s breach notification rule, which means notifying affected patients, the Department of Health and Human Services (HHS), and potentially the media depending on the scope of the breach.   


    Are You Concerned That Your Rights as a Minneapolis–St. Paul Patient Were Violated?


    Patients in Minnesota who suspect their healthcare provider or practitioner violated MHRA or HIPAA by allowing their medical records to be accessed without their consent should consider contacting an attorney experienced in healthcare privacy law. Our referral counselors are here to assist in your search for a qualified Minneapolis–St. Paul lawyer. Call us at (612) 752-6699 to get started. 
