A provider, or a person who receives health records from a provider, may not release a patient's health records to a person without:
(1) a signed and dated consent from the patient or the patient's legally authorized representative authorizing the release;
(2) specific authorization in law; or
(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.
A patient's health record, including, but not limited to, laboratory reports, x-rays, prescriptions, and other technical information used in assessing the patient's condition, or the pertinent portion of the record relating to a specific condition, or a summary of the record, shall promptly be furnished to another provider upon the written request of the patient. The written request shall specify the name of the provider to whom the health record is to be furnished. The provider who furnishes the health record or summary may retain a copy of the materials furnished. The patient shall be responsible for the reasonable costs of furnishing the information.
Except as provided in this section, a consent is valid for one year or for a period specified in the consent or for a different period provided by law.
This section does not prohibit the release of health records:
(1) for a medical emergency when the provider is unable to obtain the patient's consent due to the patient's condition or the nature of the medical emergency;
(2) to other providers within related health care entities when necessary for the current treatment of the patient; or
(3) to a health care facility licensed by this chapter, chapter 144A, or to the same types of health care facilities licensed by this chapter and chapter 144A that are licensed in another state when a patient:
(i) is returning to the health care facility and unable to provide consent; or
(ii) who resides in the health care facility, has services provided by an outside resource under Code of Federal Regulations, title 42, section 483.75(h), and is unable to provide consent.
Notwithstanding subdivision 4, if a patient explicitly gives informed consent to the release of health records for the purposes and restrictions in clauses (1) and (2), the consent does not expire after one year for:
(1) the release of health records to a provider who is being advised or consulted with in connection with the releasing provider's current treatment of the patient;
(2) the release of health records to an accident and health insurer, health service plan corporation, health maintenance organization, or third-party administrator for purposes of payment of claims, fraud investigation, or quality of care review and studies, provided that:
(ii) further use or release of the records in individually identifiable form to a person other than the patient without the patient's consent is prohibited; and
(iii) the recipient establishes adequate safeguards to protect the records from unauthorized disclosure, including a procedure for removal or destruction of information that identifies the patient.
Subdivision 2 does not apply to the release of health records to the commissioner of health or the Health Data Institute under chapter 62J, provided that the commissioner encrypts the patient identifier upon receipt of the data.
(a) A provider or group purchaser may release patient identifying information and information about the location of the patient's health records to a record locator service without consent from the patient, unless the patient has elected to be excluded from the service under paragraph (d). The Department of Health may not access the record locator service or receive data from the record locator service. Only a provider may have access to patient identifying information in a record locator service. Except in the case of a medical emergency, a provider participating in a health information exchange using a record locator service does not have access to patient identifying information and information about the location of the patient's health records unless the patient specifically consents to the access. A consent does not expire but may be revoked by the patient at any time by providing written notice of the revocation to the provider.
(b) A health information exchange maintaining a record locator service must maintain an audit log of providers accessing information in a record locator service that at least contains information on:
(1) the identity of the provider accessing the information;
(2) the identity of the patient whose information was accessed by the provider; and
(3) the date the information was accessed.
(c) No group purchaser may in any way require a provider to participate in a record locator service as a condition of payment or participation.
(d) A provider or an entity operating a record locator service must provide a mechanism under which patients may exclude their identifying information and information about the location of their health records from a record locator service. At a minimum, a consent form that permits a provider to access a record locator service must include a conspicuous check-box option that allows a patient to exclude all of the patient's information from the record locator service. A provider participating in a health information exchange with a record locator service who receives a patient's request to exclude all of the patient's information from the record locator service or to have a specific provider contact excluded from the record locator service is responsible for removing that information from the record locator service.
(a) In cases where a provider releases health records without patient consent as authorized by law, the release must be documented in the patient's health record. In the case of a release under section 144.294, subdivision 2, the documentation must include the date and circumstances under which the release was made, the person or agency to whom the release was made, and the records that were released.
(b) When a health record is released using a representation from a provider that holds a consent from the patient, the releasing provider shall document:
(1) the provider requesting the health records;
(2) the identity of the patient;
(3) the health records requested; and
(4) the date the health records were requested.
(a) When requesting health records using consent, a person warrants that the consent:
(1) contains no information known to the person to be false; and
(2) accurately states the patient's desire to have health records disclosed or that there is specific authorization in law.
(b) When requesting health records using consent, or a representation of holding a consent, a provider warrants that the request:
(1) contains no information known to the provider to be false;
(2) accurately states the patient's desire to have health records disclosed or that there is specific authorization in law; and
(3) does not exceed any limits imposed by the patient in the consent.
(c) When disclosing health records, a person releasing health records warrants that the person:
(1) has complied with the requirements of this section regarding disclosure of health records;
(2) knows of no information related to the request that is false; and
(3) has complied with the limits set by the patient in the consent.