Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

Office of the Revisor of Statutes

62J.452 Protection of privacy and confidentiality of health care data.

Subdivision 1. Statement of purpose. The health data institute shall adopt data collection, analysis, and dissemination policies that reflect the importance of protecting the right of privacy of patients in their health care data in connection with each data initiative that the health data institute intends to undertake.

Subd. 2. Data classifications. (a) Data collected, obtained, received, or created by the health data institute shall be private or nonpublic, as applicable, unless given a different classification in this subdivision. Data classified as private or nonpublic under this subdivision may be released or disclosed only as permitted under this subdivision and under the other subdivisions referenced in this subdivision. For purposes of this section, data that identify individual patients or industry participants are private data on individuals or nonpublic data, as appropriate. Data not on individuals are nonpublic data. Notwithstanding sections 13.03, subdivisions 6 to 8; 13.10, subdivisions 1 to 4; and 138.17, data received by the health data institute shall retain the classification designated under this chapter and shall not be disclosed other than pursuant to this chapter. Nothing in this subdivision prevents patients from gaining access to their health record information pursuant to section 144.335.

(b) When industry participants, as defined in section 62J.451, are required by statute to provide, either directly or through a contractor, as defined in section 62J.451, subdivision 2, paragraph (c), patient identifying data to the commissioner pursuant to this chapter or to the health data institute pursuant to section 62J.451, the industry participant or its contractor shall be able to provide the data with or without patient consent, and may not be held liable for doing so.

(c) When an industry participant submits patient identifying data to the health data institute, and the data is submitted to the health data institute in electronic form, or through other electronic means including, but not limited to, the electronic data interchange system defined in section 62J.451, the industry participant shall submit the patient identifying data in encrypted form, using an encryption method supplied or specified by the health data institute. Submission of encrypted data as provided in this paragraph satisfies the requirements of section 144.335, subdivision 3b.

(d) Patient identifying data may be disclosed only as permitted under subdivision 3.

(e) Industry participant identifying data which is not patient identifying data may be disclosed only by being made public in an analysis as permitted under subdivisions 4 and 5 or through access to an approved researcher, industry participant, or contractor as permitted under subdivision 6 or 7.

(f) Data that is not patient identifying data and not industry participant identifying data is public data.

(g) Data that describes the finances, governance, internal operations, policies, or operating procedures of the health data institute, and that does not identify patients or industry participants or identifies them only in connection with their involvement with the health data institute, is public data.

Subd. 3. Patient identifying data. (a) The health data institute must not make public any analysis that contains patient identifying data.

(b) The health data institute may disclose patient identifying data only as follows:

(1) to research organizations that meet the requirements set forth in subdivision 6, paragraph (a), but only to the extent that such disclosure is also permitted by section 144.335, subdivision 3a, paragraph (a); or

(2) to a contractor of, or vendor of services to the health data institute for the purposes of conducting a survey or analysis, provided that such contractor or vendor agrees to comply with all data privacy requirements applicable to the health data institute, and to destroy or return to the health data institute all copies of patient identifying data in the possession of such contractor or vendor upon completion of the contract.

Subd. 4. Analysis to be made public by the health data institute. (a) Notwithstanding the classification under subdivision 2 or other provision of state law of data included or used in an analysis, the health data institute may make public data in an analysis pursuant to this subdivision and subdivision 5. Such analysis may include industry participant identifying data but must not include patient identifying data. In making its determination as to whether to make an analysis or the data used in the analysis public, the health data institute shall consider and determine, in accordance with policies and criteria developed by the health data institute, that the data and analysis are sufficiently accurate, complete, reliable, valid, and as appropriate, case-mixed and severity adjusted, and statistically and clinically significant.

(b) Prior to making an analysis public, the health data institute must provide to any industry participant identified in the analysis an opportunity to use the fair hearing procedure established under subdivision 5.

(c) Accompanying an analysis made public by the health data institute, the health data institute shall also make public descriptions of the database used in the analysis, the methods of adjusting for case mix and severity, and assuring accuracy, completeness, reliability, and statistical and clinical significance, as appropriate, and appropriate uses of the analysis and related analytical data, including precautionary statements regarding the limitations of the analysis and related analytical data.

Subd. 5. Fair hearing procedure prior to making an analysis public. (a) The health data institute may not make public an analysis that identifies an industry participant unless the health data institute first complies with this subdivision. A draft of the portion of the analysis that identifies an industry participant must be furnished upon an industry participant's request to that industry participant prior to making that portion of the analysis public. Such draft analysis is private or nonpublic, as applicable. The industry participants so identified have the right to a hearing, at which the industry participants or their contractors, as defined in section 62J.451, subdivision 2, paragraph (c), may object to or seek modification of the analysis. The cost of the hearing shall be borne by the industry participant requesting the hearing.

(b) The health data institute shall establish the hearing procedure in writing. The hearing procedure shall include the following:

(1) the provision of reasonable notice of the health data institute's intention to make such analysis public;

(2) an opportunity for the identified industry participants to submit written statements to the health data institute board of directors or its designate, to be represented by a contractor, as defined in section 62J.451, subdivision 2, paragraph (c), or other individual or entity acting on behalf of and chosen by the industry participant for this purpose, and to append a statement to such analysis to be included with it when and if the analysis is made public; and

(3) access by the identified industry participants to industry participant identifying data, but only as permitted by subdivision 6 or 7.

(c) The health data institute shall make the hearing procedure available in advance to industry participants which are identified in an analysis. The written hearing procedure is public data. The following data related to a hearing is public:

(1) the parties involved;

(2) the dates of the hearing; and

(3) a general description of the issue and the results of the hearing.

All other data relating to the hearing is private or nonpublic.

Subd. 6. Access by approved researchers to data that identifies industry participants but does not identify patients. (a) The health data institute shall provide access to industry participant identifying data, but not patient identifying data, once those data are in analyzable form, upon request to research organizations or individuals that:

(1) have as explicit goals research purposes that promote individual or public health and the release of research results to the public as determined by the health data institute according to standards it adopts for evaluating such goals;

(2) enforce strict and explicit policies which protect the confidentiality and integrity of data as determined by the health data institute according to standards it adopts for evaluating such policies;

(3) agree not to make public, redisclose, or transfer the data to any other individual or organization, except as permitted under paragraph (b);

(4) demonstrate a research purpose for the data that can be accomplished only if the data are provided in a form that identifies specific industry participants as determined by the health data institute according to standards it adopts for evaluating such research purposes; and

(5) agree to disclose analysis in a public forum or publication only pursuant to subdivisions 4 and 5 and other applicable statutes and the health data institute's operating rules governing the making of an analysis public by the health data institute.

(b) Contractors of entities that have access under paragraph (a) may also have access to industry participant identifying data, provided that the contract requires the contractor to comply with the confidentiality requirements set forth in this section and under any other statute applicable to the entity.

Subd. 7. Access by industry participants to data that identifies industry participants but does not identify patients. (a) The health data institute may provide, to an industry participant, data that identifies that industry participant or other industry participants, to the extent permitted under this subdivision. An employer or an employer purchasing group may receive data relating to care provided to patients for which that employer acts as the payer. A health plan company may receive data relating to care provided to enrollees of that health plan company. A provider may receive data relating to care provided to patients of that provider.

(b) An industry participant may receive data that identifies that industry participant or other industry participants and that relates to care purchased or provided by industry participants other than the industry participant seeking the data. These data must be provided by the health data institute only with appropriate authorization from all industry participants identified.

(c) The health data institute must not provide access to any data under this subdivision that is patient identifying data as defined in section 62J.451, subdivision 2, paragraph (m), even if providing that data would otherwise be allowed under this subdivision.

(d) To receive data under this subdivision, an industry participant must cooperate with the health data institute as provided under section 62J.451, subdivision 7, paragraph (c).

(e) Contractors of entities that have access under paragraph (b) may have access to industry participant identifying data, provided that the contract requires the contractor to comply with the confidentiality requirements set forth in this section and under any other statute applicable to the entity.

Subd. 8. Status of data on the electronic data interchange system. (a) Data created or generated by or in the custody of an industry participant, and transferred electronically by that industry participant to another industry participant using the EDI system developed, implemented, maintained, or operated by the health data institute, as permitted by section 62J.451, subdivision 3, clause (2), and subdivision 5, is not subject to this section or to chapter 13 except as provided below.

(b) Data created or generated by or in the custody of an industry participant is subject to the privacy protections applicable to the data, including, but not limited to, chapter 13 with respect to state agencies and political subdivisions, the Minnesota Insurance Fair Information Reporting Act with respect to industry participants subject to it, and section 144.335, with respect to providers and other industry participants subject to such section.

Subd. 9. Authorization of state agencies and political subdivisions to provide data. (a) Notwithstanding any limitation in chapter 13 or section 62J.321, subdivision 5, regarding the disclosure of not public data, all state agencies and political subdivisions, including, but not limited to, municipalities, counties, and hospital districts may provide not public data relating to health care costs, quality, or outcomes to the health data institute for the purposes set forth in section 62J.451.

(b) Data provided by the commissioner pursuant to paragraph (a) may not include patient identifying data as defined in section 62J.451, subdivision 2, paragraph (m). For data provided by the commissioner of health pursuant to paragraph (a), the health data institute and anyone receiving the data from the health data institute, is prohibited from unencrypting or attempting to link the data with other patient identifying data sources.

(c) Any data provided to the health data institute pursuant to paragraph (a) shall retain the same classification that it had with the state agency or political subdivision that provided it. The authorization in this subdivision is subject to any federal law restricting or prohibiting such disclosure of the data described above.

(d) Notwithstanding any limitation in chapter 13 or this section and section 62J.451 regarding the disclosure of nonpublic and private data, the health data institute may provide nonpublic and private data to any state agency that is a member of the board of the health data institute. Any such data provided to a state agency shall retain nonpublic or private classification, as applicable.

Subd. 10. Civil remedies. Violation of any of the confidentiality requirements set forth in subdivision 3; 4, paragraph (a); 6; or 7, by the health data institute, its board members, employees and contractors, any industry participant, or by any other person shall be subject to section 13.08, including, but not limited to, the immunities set forth in section 13.08, subdivisions 5 and 6. The health data institute shall not be liable for exercising its discretion in a manner that is not an abuse of discretion with respect to matters under its discretion by this section or section 62J.451. The health data institute shall not be liable for the actions of persons not under the direction and control of the health data institute, where it has performed its responsibilities to protect data privacy by complying with the requirements of this section and other applicable laws with regard to the disclosure of data. The remedies set forth in this section do not preclude any person from pursuing any other remedies authorized by law.

Subd. 11. Penalties. (a) Any person who willfully violates the confidentiality requirements set forth in subdivision 3; 4, paragraph (a); 6; or 7, shall be guilty of a misdemeanor.

(b) Any person who willfully violates the confidentiality requirements of subdivision 3, 4, 6, 7, 8, or 9, by willfully disclosing patient or industry participant identifying data for compensation or remuneration of any kind or for the purpose of damaging the reputation of any patient or industry participant or any other malicious purpose, shall be guilty of a gross misdemeanor.

Subd. 12. Discoverability of health data institute data. (a) Data created, collected, received, maintained, or disseminated by the health data institute shall not be subject to discovery or introduction into evidence in any civil or criminal action. Data created, collected, received, maintained, or disseminated by the health data institute that is otherwise available from original sources is subject to discovery from those sources and may be introduced into evidence in civil or criminal actions in accordance with and subject to applicable laws and rules of evidence and civil or criminal procedure, as applicable.

(b) Information related to submission of data to the health data institute by industry participants or contractors of industry participants is not discoverable from the health data institute, the industry participants, the contractors, or any other person or entity, in any civil or criminal action. Discovery requests prohibited under this paragraph include, but are not limited to, document requests or interrogatories that ask for "all data provided to the Minnesota health data institute."

HIST: 1995 c 234 art 5 s 16

Official Publication of the State of Minnesota
Revisor of Statutes