Draft Only. Not Effective Until 01/01/14. Subject to Change.
200 Overview Information
Effective: January 1, 2014
200.35 Release of Information
Agencies must follow state and federal laws when collecting private information. This includes providing a Notice of Privacy Practices as required by the Health Insurance Portability and Accountability Act and a Tennessen Warning as required by the Data Practices Act. Both the MNsure online application and the paper MNsure Application for Health Coverage and Help Paying Costs (DHS-6696) include this information.
The Notice of Privacy Practices informs people applying for health care coverage that the agency will obtain and use information available through electronic data matches to verify income and eligibility or for other purposes directly connected to determining health care eligibility and enrollment. This information may be disclosed to Qualified Health Plans (QHPs), to issue certificates of exemption, and to perform oversight and financial integrity requirements.
The federal Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 and initiated in phases from 1998 to 2004. HIPAA is an industry-wide effort to:
ensure consumer control over health information.
provide enhanced physical and technological security for personal health information.
HIPAA responds to concerns from citizens, the health care industry and government agencies for enhanced security and privacy of individual health information. Furthermore, HIPAA creates uniform methods to bill and share health information electronically between health care providers, payers and other organizations involved with health care delivery and payment.
HIPAA privacy standards create a regulatory floor for health care privacy nationwide.
If a provision of the HIPAA privacy regulations conflicts with a state law, HIPAA will preempt the state law unless the state law offers more privacy protection to the person’s health care information. In that case, state law will govern.
If HIPAA privacy regulations offer more protection to the privacy of the person's health care information, HIPAA will govern in that area.
If the two laws do not conflict, covered entities will need to comply with both state and federal privacy laws.
Government data is presumed to be public unless there is federal law or statute that classifies it as not public data.
Public Data is data which can be disclosed to anyone for any purpose, such as names and salaries of agency employees.
Private Data is data about people which can be disclosed only to the subject of the data, or to government entities, employees, and contractors whose work assignments reasonably require access to the data. Much of the data collected and maintained by state and county agencies is private, such as the names of health care program applicants or enrollees. Private data is accessible to the subject of the data or the subject's authorized representative.
Confidential Data is data about people that even they themselves cannot access, such as information from an investigation about welfare fraud or adoption records. Even if the confidential data cannot be disclosed to people, they retain the right to know whether an agency is maintaining confidential data about them.
Notice of Privacy Practices is a statement of rights given to people who are asked to provide private or confidential data about themselves. The Notice of Privacy Practices was formerly referred to as “Tennessen Notice,” “Practices Rights Statement,” or “Privacy Act Notice.”
Parents may see information about children under age 18 and allow others to see this information, unless either of the conditions below is met:
The child has requested that this information not be shared with his or her parents.
This request must be in writing and must state what information the child wants withheld and why.
If the agency agrees that sharing the information is not in the child's best interest, the information will not be shared with the child's parents.
It involved medical treatment for which parental consent was not required, such as pregnancy, sexually transmitted diseases and chemical dependency. If a health care provider believes failing to share the information would jeopardize the child’s health, the information may be shown to the parents.
For more information about what information may or may not be shared about children under age 18, see Minors in the DHS Data Practices Manual.
The Safe at Home (SAH) Address Confidentiality Program helps survivors of violence by providing a substitute address for people and their children who move to a new location unknown to assailants or probable assailants. The Minnesota Secretary of State, who administers this program, assures that participants receive their mail.
A participant applying for or renewing Insurance Affordability Program (IAP) coverage is not required to verify participation in the SAH program.
A court order is required to release a participant’s information, including confirming or denying program participation.
The Postal Box address provided by the Secretary of State is used as the participant’s residential and mailing address.
SAH participants may request and be granted good cause for late premium payments and for late submission or completion of renewals for Medical Assistance (MA) and MinnesotaCare.
SAH participants are granted good cause for not cooperating with medical support if they verify participation in the program with the ID card.
For more information on SAH:
Call (651) 201-1399 or (866) 723-3035 or TTY (800) 627-3529 or 711.
MNsure ensures:
Individual Access: People are provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
Openness and Transparency: There is openness and transparency about policies, procedures, and technologies that directly affect people and their individually identifiable health information.
Individual Choice: People are provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
Collection, Use, and Disclosure Limitation: Individually identifiable health information is collected, used, or disclosed only to the extent necessary to accomplish a specified purpose and never to discriminate inappropriately.
Data Quality and Integrity: Persons and entities will take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.
Safeguards: Individually identifiable health information is protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
Accountability: These principles are adhered to through appropriate monitoring and other means and methods in place to report and mitigate non-adherence and breaches.
Any person who knowingly and willfully discloses personal identifying information may be subject to a civil penalty of $25,000 (per use or disclosure) in addition to other penalties prescribed by law.
MA, MinnesotaCare and Advanced Premium Tax Credit (APTC) enrollees must provide information to state and federal quality control staff to verify eligibility for MA. No specific authorization is required for the agency to release information to quality control staff because this release is included in the Notice of Privacy Practices.
MA and MinnesotaCare enrollees authorize the release of all personal medical records developed while receiving coverage for investigations of provider fraud.
MA, MinnesotaCare and APTC applications and renewals include an authorization for release to receive documentation of information on that application or renewal if involved in a fraud prevention investigation.
The Minnesota Health Records Act limits the disclosure of health records without written consent. A provider or a person who receives health records from a provider may not release the health records without a signed and dated consent unless there is specific authorization in law for the release. Generally, the consent is valid for one year or for a different period provided in the consent or by law; however, if a patient explicitly gives informed consent to the release of health records for a certain reason, the consent does not expire after one year.
A provider can obtain the following information about enrollees in MA or MinnesotaCare through the Minnesota Information Transfer System (MN-ITS). MN-ITS is a system for medical providers and their affiliated billers. The following information does not require a release form from a client:
Major program
Prepaid health plan
Spenddowns
Special transportation
Copay
Hospice
Waiver eligibility
Minnesota Restricted Recipient Program (MRRP)
Other health insurance coverage
Medicare coverage
Fee-for-service benefit limits
A release form must be obtained from an enrollee before sharing any other enrollee information with a provider. An enrollee can complete the General Consent/Authorization for Release of Information (DHS-3549) to authorize the release of his or her information.
The purpose of a pre-populated renewal is to determine if any information has changed. Social Security numbers (SSNs) do not change and are verified at application. Therefore, the SSN is not included on pre-populated renewals.
Code of Federal Regulations, title 42, section 431.305
Code of Federal Regulations, title 42, section 435.945
Code of Federal Regulations, title 45, section 155.260
Code of Federal Regulations, title 45, section 155.270
Code of Federal Regulations, title 45, section 155.335
Code of Federal Regulations, title 45, section 155.345