|
Effective: December 1, 2006 |
|
|
05.10ar1 - Data Privacy (Archive) |
Archived: March 1, 2008 |
The Health Care Application (HCAPP) collects sensitive information on an individual that is needed to determine eligibility. Individuals can be harmed by the reckless disclosure of information about them, and, accordingly, there are significant penalties under both state and federal laws for government agencies that violate laws designed to protect individuals and groups from such disclosure of information.
Data Classifications and Definitions.
Worker Assigned to a Relative or Friend.
What Privacy Rights Do Children Have.
Penalties for Data Practices Violations.
Data Classifications and Definitions
Data collected and maintained by state and county agencies is private, unless specifically classified otherwise by law. Private data is accessible to the subject of the data or the subject's authorized representative.
State law classifies some data collected and maintained by county and state agencies as confidential. Confidential data is not accessible to the subject of the data.
A Tennessen Notice is a statement of rights given to people who are asked to provide private or confidential data about themselves.
When you ask people to provide private data or confidential data about themselves, tell them:
l The purpose and intended use of the requested data.
l Whether they may refuse or if the law requires them to supply the data.
l The consequences of supplying or refusing to supply the data.
l The identity of other people or entities authorized to receive the data.
These elements are also known as the Tennessen Notice or Tennessen Warning. The HCAPP, Combined Application Form (CAF), and other DHS forms provide this information. Also include this information on other requests for information you send to the client.
Clients may review private records which contain information on them.
l Only the information classified as private or public is available for review.
l Private or public data must be actually shown to the subject of the data and not summarized.
Honor requests for review as soon as possible, but no later than five days following the request.
l Do not count weekends and holidays in the five-day period.
l When the county or state agency tells the client during the initial five days that it needs more time, it may take an additional five days.
l The county or state agency may set the place and time of review.
Delete material in joint records about the person not requesting the review to protect that person's privacy.
Note: Data on two or more people maintained in a common file because of family relationships are joint records.
Provide copies of original documents when requested by the subject of the data or the subject's authorized representative. Provide one free copy of a document and additional copies at the cost of reproduction.
Worker Assigned to a Relative or Friend
Follow your agency’s procedures if you are assigned an application or active record of a relative or close friend.
l Many agencies prefer to reassign these cases when possible for the protection of all parties.
n If your agency does not reassign the case:
m Be sure to protect the person’s privacy rights.
m Do not discuss the case with the person outside of normal business hours.
m Afford the person the same treatment as all other clients.
What Privacy Rights do Children Have?
Parents may see information about children under 18 and allow others to see this information, unless either of the conditions below is met:
l The child has requested that this information not be shared with their parents.
n This request must be in writing and say what information the child wants withheld and why.
n If the agency agrees that sharing the information is not in their best interest, the information will not be shared with their parents.
n If the agency does not agree, the information will be shared with their parents if the parents ask for it.
l It involved medical treatment for which parental consent was not required.
Note: If the health care provider believes failing to share the information would jeopardize the child’s health, the information may be shown to the parents.
Penalties for Data Practices Violations
Minnesota law authorizes lawsuits for data practices violations:
l To seek damages resulting from violations of the Government Data Practices Act.
l To prohibit the agency from conduct allegedly in violation of the statute.
l To compel the agency to comply with the provisions of the statute.
Any person, whether public employee or not, who willfully violates the provisions of the Act is guilty of a misdemeanor.
Willful violation of the statute by a public employee is just cause for dismissal or suspension without pay. The law also provides that in cases of willful violation a political subdivision, statewide system or state agency may be liable for punitive damages of $100 to $10,000 for each violation.
A person who wins a lawsuit alleging losses as a result of violation of the data practices act may be awarded compensation for the loss and for costs of the lawsuit and reasonable attorney fees.
Refer to the Data Practices Policy and Procedure Manual issued by DHS for further information.