*** The Health Care Programs Manual (HCPM) has been replaced by the Minnesota Health Care Programs Eligibility Policy Manual (EPM) as of June 1, 2016. Please refer to the EPM for current health care program policy information. ***

Chapter 05 - Client Rights

Effective:  June 1, 2012

05.10 - Data Privacy

Archived:  June 1, 2016 (Previous Versions)

Data Privacy

Applications and other forms collect sensitive information on an individual that is needed to determine eligibility. Individuals can be harmed by the reckless disclosure of information about them, and, accordingly, there are significant penalties under both state and federal laws for government agencies that violate laws designed to protect individuals and groups from such disclosure of information.

This section provides a general overview of data privacy. Refer to the DHS Data Practices Manual for further information.

Data Classifications and Definitions.

Worker Responsibilities.

Data Review.

Worker Assigned to a Relative or Friend.

Privacy Rights of Children.

Penalties for Data Practices Violations.

Safe At Home (SAH) Address Confidentiality Program.

Information Sharing With Providers.

Top of Page

Data Classifications and Definitions

Government data is presumed to be public unless there is federal law or statute that classifies it as not public data.

Public Data .

Data which can be disclosed to anyone for any purpose, such as names and salaries of agency employees.

Private Data .

Data about individuals which can be disclosed only to the subject of the data or to government entities, employees, and contractors whose work assignments reasonably require access to the data. Much of the data collected and maintained by state and county agencies is private, such as the names of health care program applicants or enrollees. Private data is accessible to the subject of the data or the subject's authorized representative.

Confidential Data .

Data about individuals that even the individuals themselves cannot access, such as information from an investigation about welfare fraud or adoption records. Note, however, that even if the confidential data itself cannot be disclosed to individuals, individuals do retain the right to know whether an agency is maintaining confidential data about them.

Notice of Privacy Practices .

The Notice of Privacy Practices (DHS-3979) is a statement of rights given to people who are asked to provide private or confidential data about themselves. The Notice of Privacy Practices was formerly referred to as ”Tennessen Notice,” ”Practices Rights Statement,” or ”Privacy Act Notice.”

Top of Page

Worker Responsibilities

When asking people to provide private data or confidential data about themselves, tell them:

l  The purpose and intended use of the requested data.

l  Whether they may refuse or if the law requires them to supply the data.

l  The consequences of supplying or refusing to supply the data.

l  The identity of other agencies or entities authorized to receive the data.

l  What people can do if they believe the information is incorrect or incomplete.

l  How people can see and get copies of the data collected about them.

l  Any other rights they may have regarding the specific type of information collected.

These elements are also known as the Notice of Privacy Practice. Applications, including those submitted thorough ApplyMN, and other DHS forms provide this information. Also include this information on other requests for information sent to the client.

Send private data by fax only if the fax is secure or encrypted, such as the HealthQuest fax. Do not include private data when sending e-mail via the Internet.

Top of Page

Data Review

Clients may review private data which contain information about them.

l  Only the information classified as private or public is available for review.

l  Private or public data must be shown to the subject of the data if requested.

Honor requests for review as soon as possible, but no later than five days following the request.

l  Do not count weekends and holidays in the five-day period.

l  The county or state agency may take an additional five days if they tell the client during the initial five days that they need more time.

l  The county or state agency may set the place and time of review.

Data about two or more people are maintained in a common file because of family relationships, and are joint records. In joint records, delete material about the person not requesting the review to protect that person's privacy.

Provide copies of original documents when requested by the subject of the data or the subject's authorized representative. Provide one free copy of a document and additional copies at the cost of reproduction. See the DHS Data Practices Manual for further information about these costs.

Top of Page

Worker Assigned to a Relative or Friend

Follow agency procedures if assigned an application or active record of a relative or close friend. Many agencies prefer to reassign these cases when possible for the protection of all parties. If your agency does not reassign the case:

l  Be sure to protect the person’s privacy rights.

l  Do not discuss the case with the person outside of normal business hours.

l  Afford the person the same treatment as all other clients.

Top of Page

Privacy Rights of Children

Parents may see information about children under age 18 and allow others to see this information, unless either of the conditions below is met:

l  The child has requested that this information not be shared with their parents.

n  This request must be in writing and must state what information the child wants withheld and why.

n  If the agency agrees that sharing the information is not in the child's best interest, the information will not be shared with the child's parents.

l  It involved medical treatment for which parental consent was not required, such as pregnancy, sexually transmitted diseases, and chemical dependency.

Note:  If the health care provider believes failing to share the information would jeopardize the child’s health, the information may be shown to the parents.

For more information about what information may or may not be shared about children under age 18, see ”Minors” in the DHS Data Practices Manual.

Top of Page

Penalties for Data Practices Violations

Minnesota law authorizes lawsuits for data practices violations:

l  To seek damages resulting from violations of the Government Data Practices Act.

l  To prohibit the agency from conduct allegedly in violation of the statute.

l  To compel the agency to comply with the provisions of the statute.

Any public employee who willfully violates the provisions of the Act is guilty of a misdemeanor.

Willful violation of the statute by a public employee is just cause for dismissal or suspension without pay. The law also provides that in cases of willful violation a political subdivision, statewide system or state agency may be liable for punitive damages of $100 to $10,000 for each violation.

A person who wins a lawsuit alleging losses as a result of violation of the data practices act may be awarded compensation for the loss and for costs of the lawsuit and reasonable attorney fees.

Top of Page

Safe at Home Address Confidentiality Program

The Safe at Home (SAH) Address Confidentiality Program helps survivors of violence by providing a substitute address for individuals and their children who move to a new location unknown to assailants or probable assailants. The Minnesota Secretary of State, who administers this program, assures that participants receive their mail.   

l  A participant applying for or renewing Minnesota Health Care Programs coverage is not required to verify participation in the SAH program.

Note:  A participant applying or receiving other public assistance programs may be required to verify participation in the SAH with the SAH Identification Card.

l  A court order is required to release a participant’s information, including confirming or denying program participation.

l  SAH cases must be set to privileged (PRIV) status in MAXIS. Complete the TSS Help Desk Request form on the SIR MAXIS home page to request this status for a SAH participant.

Inform participants they must identify their current county of residence to apply for or renew Minnesota Health Care Programs coverage if the client provides a Safe at Home address and does not provide a county of residence.  

l  Code MAXIS and MMIS with the current county of residence. See POLI/TEMP TE02.13.74 for further system information.

l  Use the Postal Box address provided by the Secretary of State as both the residential and mailing address of the participant.

Safe at Home participants may request and be granted good cause for late premium payments and for late submission or completion of renewals.

Safe at Home participants are granted good cause for not cooperating with medical support if they verify participation in the program with the ID card. See Evidence of Good Cause.

For more information on the Safe at Home Program:

l  See the Minnesota Secretary of State’s Web site.

l  Call (651) 201-1399 or (866) 723-3035 or TTY (800) 627-3529 or 711.  

Top of Page

Information Sharing With Providers

A provider can obtain the following information about clients enrolled in the Minnesota Health Care Programs (MHCP) through the Minnesota Information Transfer System (MN-ITS). MN-ITS is a system for MHCP Providers and their affiliated billers. The following information does not require a release form from a client:

l  Major Program.

l  Prepaid health plan.

l  Spenddowns.

l  Special Transportation.

l  Copay.

l  Hospice.

l  Waiver eligibility.

l  Minnesota Restricted Recipient Program (MRRP).

l  Other health insurance coverage.

l  Medicare coverage.

l  Fee-for-service benefit limits.

Workers can share this information, if known, with providers. In addition, workers may provide the following information to a long-term care facility without a release form:

l  Confirmation that a person has applied for MA when requesting a Physician Certification (DHS-1503) or information relative to a SMRT.

l  Effective date of MHCP approval, denial or termination.

Obtain a release form from the client before sharing any other client information with a provider. A client can complete the General Consent/Authorization for Release of Information (DHS-3549) to authorize the release of his or her information. In addition, a client can authorize the release of his or her information to an LTCF on the Long-Term Care/County Communication Form (DHS-3050).

Top of Page