Minnesota Health Care Programs Data Privacy

Applications and other forms collect sensitive information on an individual that is needed to determine eligibility. Individuals can be harmed by the reckless disclosure of information about them, and, accordingly, there are significant penalties under both state and federal law for government agencies that violate laws designed to protect individuals and groups from such disclosure of information.

All Minnesota Health Care Programs (MHCP) application forms include a Notice of Privacy Practices. There is also a brochure on Information access and privacy (DHS-2667) that describes applicant and enrollee privacy rights.

Sharing of Information

State, county and tribal servicing agencies will only share information about applicants and enrollees as needed and as allowed or required by law.

Information sharing with providers

A provider can obtain the following information about MHCP enrollees without a release form from the enrollee:

  • Major program

  • Prepaid health plan

  • Spenddowns

  • Special transportation

  • Copay

  • Hospice

  • Waiver eligibility

  • Minnesota Restricted Recipient Program (MRRP)

  • Other health insurance coverage

  • Medicare coverage

  • Fee-for-service benefit limits

Long-term care providers can also obtain the following without a release form from an applicant or enrollee:

  • Confirmation that the person has applied for MA

  • Effective date of MHCP approval, denial or termination

Information sharing with Applicants

Information about an adult applicant cannot be shared without the individual's consent, even with the application filer. This includes spouses, children and attorneys. In certain situations, another individual may have the legal authority to access the applicant's data or act on their behalf, such as an authorized representative, guardian, navigator, or persons with a power of attorney. State, tribal and county servicing agencies should request a copy of the legal document to verify that the legal relationship exists. If there is no legal relationship, consent must be obtained from the applicant either verbally or through the DHS-3549 General Consent/Authorization for Release of Information.

Information sharing about Children

Parents generally have the right to access their child's private information. State, tribal and county servicing agencies can disclose information about minors to their parents, except in the following four circumstances:

  • If the minor is emancipated

  • If state law provides the minor with the right to obtain treatment without parental consent

  • If the agency has a reasonable belief that a minor has been, or may be subject to, abuse or neglect , or that the disclosure of private information could endanger the minor

  • If the child asks the agency to deny parental access to their information. In this scenario, the agency can decide whether to honor the request for privacy.

  • Safe at Home Address Confidentiality Program

    The Safe at Home (SAH) Address Confidentiality Program helps survivors of violence by providing a substitute address for individuals and their children who move to a new location unknown to assailants or probable assailants. SAH participants can apply for MHCPs using their SAH address. The Minnesota Secretary of State, who administers this program, assures that participants receive their mail.

    A person is not required to provide proof of participation in the SAH program. A court order is required to release a SAH participant’s information, including confirming or denying program participation.

    Safe at Home program participants are granted good cause for not cooperating with medical support if they verify participation in the program with the ID card. SAH participants may also request and be granted good cause for late premium payments and for late submission or completion of renewals. See the MA Medical Support policy for more information.

    MHCP enrollees participating in the Safe at Home program must notify their county, tribal or state servicing agency of their county of residence, but do not have to provide their address. Managed care enrollment and county of financial responsibility are determined by county of residence.

    Immigration Information

    Immigration information applicants and enrollees provide to state, county and tribal servicing agencies is private. Immigration information is only used to determine MHCP eligibility. Immigration information is only shared when the law allows it or requires it, such as to verify identity. In most cases, applying for health coverage will not affect an applicant’s immigration status unless they are applying for payment of long-term care services. See the U.S. Immigration and Customs Enforcement (ICE), Clarification of Existing Practices Related to Certain Health Care Information website for more information.

    People do not have to provide immigration information when they are:

    • Applying for Emergency MA (EMA) or MA for people receiving services at the Centers for Victims of Torture (MA-CVT)

    • Helping someone else apply

    • A pregnant person living in the United States without the knowledge or approval of the United States Citizenship and Immigration Services (USCIS)

    • Not an applicant

    Data Practices Violations

    Willful violation of data privacy laws by a public employee is just cause for dismissal or suspension without pay. It is also a crime.

    An individual affected by an agency’s violation of data privacy laws can seek several remedies under state and federal law. Applicants and enrollees may also file a lawsuit under the Minnesota Government Data Practices Act. They may also send a written complaint to the county, tribal or state servicing agency, the provider, or the federal civil rights office at:

    U.S. Department of Health and Human Services

    Office for Civil Rights, Region V

    233 N. Michigan Avenue, Suite 240

    Chicago, IL 60601

    312-886-2359 (Voice)

    800-368-1019 (Toll Free)

    800-537-7697 (TTY)

    312-886-1807 (Fax)

    If an applicant or enrollee thinks that DHS or MNsure has violated their privacy rights, they may send a written complaint to the U.S. Department of Health and Human Services at the address above or to:

    Minnesota Department of Human Services – MNsure

    Attn:  Privacy Official

    PO Box 64998

    St. Paul, MN 55164-0998


    The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), provides for the protection of individually identifiable health information that is transmitted or maintained in any form or medium. The privacy rules affect the day-to-day business operations of all organizations that provide medical care and maintain personal health information.

    Applicants and enrollees are informed of their rights under HIPAA at application, renewal or any other time information is requested.

    HIPAA also creates uniform methods to bill and share health information electronically between health care providers, payers and other organizations involved with health care delivery and payment.

    State, county and tribal servicing agencies must follow HIPAA provisions as follows:

    • If a provision of the HIPAA privacy regulations conflicts with a state law, whichever offers more privacy protection governs.

    • If HIPAA and state law do not conflict, both state and federal privacy laws are followed.

    Record Retention Policy

    State, county and tribal servicing agencies maintain data in accordance with state and federal law. Information provided in an application for coverage is subject to the False Claims Act and may be retained for up to ten years. After the appropriate period, data is destroyed in a manner that prevents their contents from being determined, including the shredding of paper files and permanently removing electronic data to prevent the possibility of recovery. County servicing agencies must follow the County Human Services General Records Retention Schedule.

    Data Review

    MHCP applicants and enrollees may review private data that contain information about them. Both private and public data is shown to the subject of the data upon request.

    Release of Information

    An applicant or enrollee can complete the General Consent/Authorization for Release of Information (DHS-3549) to authorize the release of their information. In addition, they can authorize the release of their information to a Long Term Care Facility on the Long-Term Care/County Communication Form (DHS-3050).

    Legal Citations

    Code of Federal Regulations, title 45, section 155.310

    Code of Federal Regulations, title 45, section 155.1210

    Code of Federal Regulations, title 45, section 164.502

    Code of Federal Regulations, title 45, section 164.508

    Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (1996)

    Minnesota Rules, part 1205.0500

    Minnesota Rules, part 1205.1500

    Minnesota Statutes, chapter  5B

    Minnesota Statutes, chapter 13

    Minnesota Statutes, section 138.17

    Minnesota Statutes, sections 144.341 to 144.347

    Minnesota Statutes, section 256B.056