Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

HF 1109

1st Engrossment - 89th Legislature (2015 - 2016) Posted on 05/17/2016 04:00pm

KEY: stricken = removed, old language.
underscored = added, new language.

Bill Text Versions

Engrossments
Introduction Posted on 02/23/2015
1st Engrossment Posted on 03/14/2016

Current Version - 1st Engrossment

Line numbers 1.1 1.2 1.3 1.4 1.5
1.6 1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 1.24 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26
2.27 2.28 2.29 2.30 2.31 2.32 2.33 2.34 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16
3.17 3.18 3.19 3.20 3.21

A bill for an act
relating to data practices; modifying requirements related to access to and
transfer of MNsure data; amending Minnesota Statutes 2014, section 62V.06,
subdivisions 5, 8.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2014, section 62V.06, subdivision 5, is amended to read:


Subd. 5.

Data sharing.

(a) MNsure may share or disseminate data classified as
private or nonpublic in subdivision 3 as follows:

(1) to the subject of the data, as provided in section 13.04;

(2) according to a court order;

(3) according to a state or federal law specifically authorizing access to the data;

(4) with other state or federal agencies, only to the extent necessary to verify the
identity of, determine the eligibility of, process premiums for, process enrollment of, or
investigate fraud related to an individual, employer, or employee participating in MNsure,
provided that MNsure must enter into a data-sharing agreement with the agency prior to
sharing data under this clause; and

(5) with a nongovernmental person or entity, only to the extent necessary to verify
the identity of, determine the eligibility of, process premiums for, process enrollment of, or
investigate fraud related to an individual, employer, or employee participating in MNsure,
provided that MNsure must enter into a contract with the person or entity, as provided in
section 13.05, subdivision 6 or 11, prior to disseminating data under this clause.

(b) MNsure may share or disseminate data classified as private or nonpublic in
subdivision 4 as follows:

(1) to the subject of the data, as provided in section 13.04;

(2) according to a court order;

(3) according to a state or federal law specifically authorizing access to the data;

(4) with other state or federal agencies, only to the extent necessary to carry out the
functions of MNsure, provided that MNsure must enter into a data-sharing agreement with
the agency prior to sharing data under this clause; and

(5) with a nongovernmental person or entity, only to the extent necessary to carry
out the functions of MNsure, provided that MNsure must enter a contract with the person
or entity, as provided in section 13.05, subdivision 6 or 11, prior to disseminating data
under this clause.

(c) Sharing or disseminating data outside of MNsure in a manner not authorized by
this subdivision is prohibited. The list of authorized dissemination and sharing contained
in this subdivision must be included in the Tennessen warning required by section 13.04,
subdivision 2
.

(d) Until July 1, 2014, state agencies must share data classified as private or
nonpublic on individuals, employees, or employers participating in MNsure with MNsure,
only to the extent such data are necessary to verify the identity of, determine the eligibility
of, process premiums for, process enrollment of, or investigate fraud related to a MNsure
participant. The agency must enter into a data-sharing agreement with MNsure prior
to sharing any data under this paragraph.

new text begin (e) Notwithstanding paragraphs (a) and (b), MNsure may only transfer or allow
access to data under this subdivision if MNsure has implemented, and the receiving entity
has agreed to implement, adequate control procedures to ensure and verify that all data that
is transferred or authorized for access is accurate, complete, and secure. Where applicable,
the control procedures must include, but not be limited to, the requirements of subdivision
8. To the extent that a contract or data-sharing agreement is required by this subdivision,
the control procedures must be included in the terms of the contract or agreement.
new text end

Sec. 2.

Minnesota Statutes 2014, section 62V.06, subdivision 8, is amended to read:


Subd. 8.

Access to data; audit trail.

(a) Only individuals with explicit authorization
from the board may enter, update, or access not public data collected, created, or
maintained by MNsure. The ability of authorized individuals to enter, update, or access
data must be limited through the use of role-based access that corresponds to the official
duties or training level of the individual, and the statutory authorization that grants access
for that purpose. All queries and responses, and all actions in which data are entered,
updated, accessed, or shared or disseminated outside of MNsure, must be recorded in a
data audit trail. Data contained in the audit trail are public, to the extent that the data
are not otherwise classified by this section.

The board shall immediately and permanently revoke the authorization of any
individual determined to have willfully entered, updated, accessed, shared, or disseminated
data in violation of this section, or any provision of chapter 13. If an individual is
determined to have willfully gained access to data without explicit authorization from the
board, the board shall forward the matter to the county attorney for prosecution.

(b) This subdivision shall not limit or affect the authority of the legislative auditor
to access data needed to conduct audits, evaluations, or investigations of MNsure or the
obligation of the board and MNsure employees to comply with section 3.978, subdivision 2.

(c) This subdivision does not apply to actions taken by a MNsure participant to enter,
update, or access data held by MNsure, if the participant is the subject of the data that
is entered, updated, or accessed.

new text begin (d) To the extent that data collected, created, or maintained by MNsure are
transferred to another state agency pursuant to an authorization under subdivision 5, the
requirements of this subdivision apply to the receiving agency.
new text end

Sec. 3. new text beginEFFECTIVE DATE.
new text end

new text begin This act is effective the day following final enactment provided that, to the extent
that a new or revised contract or data-sharing agreement is required according to the
provisions of this act, the new or revised contract or agreement must be entered no later
than July 1, 2016.
new text end