While two bills would eat away at patient privacy, another protects it

Nothing is more personal than the data in one's health records. In Minnesota, patients have the right to determine who sees this confidential information and where it can be sent. The Minnesota Legislature enacted patient consent requirements about 30 years ago, long before the federal HIPAA rule. In fact, the Minnesota Health Records Act (MHRA) is better than HIPAA. It's a real privacy law.

The HIPAA privacy rule is actually not a privacy rule; it's a permissive disclosure rule. In most cases, it permits those who have patient information, called "covered entities," to disclose and use that information without patient consent.

These covered entities, such as hospitals, clinics, and health plans, aren't required to share individually identifiable patient data, but HIPAA permits it and no patient can stop them. Patients can request that their information not be shared or used, but the covered entity can refuse that request.

This is why HIPAA is not a privacy rule. It doesn't protect anyone's privacy — except the corporations sharing patient data. They can't be sued and they're not required to give patients an accounting of disclosures made for purposes of treatment, payment and health care operations ("TPO").

Patients are left in the dark as their data is exposed to a vast array of outsiders. The definition of "health care operations" is a nearly 400-word list of more than 65 nonclinical business activities.

Thankfully, the MHRA prohibits TPO disclosures without patient consent. It protects Minnesota patients from HIPAA.

But a movement is afoot to change this. The Minnesota Chamber of Commerce, Minnesota Business Partnership, and Minnesota Council of Health Plans are pushing the Legislature to exempt TPO disclosures from consent requirements, a plan the Minnesota Department of Health wrote, "may raise privacy concerns because of the broad scope of health care operations."

In Minnesota, if health records are improperly released, the MHRA gives patients a private right of action to sue for damages. But if Minnesota corporations get their way, patients would lose this right to sue. Filing a complaint with the Office for Civil Rights at the U.S. Department of Health and Human Services, which is in charge of HIPAA compliance, will be unproductive. HIPAA permits these violations of patient privacy.

There is another way. In December, after hearing testimony from groups on both sides, the Minnesota Legislative Commission on Data Practices unanimously voted for a universal patient consent form giving patients the right to choose "yes" or "no" for the sharing of their information for TPO. I am the author of HF 1686, a bill that would put that consent form in place statewide.

This consent form allows complete sharing of every detail of a patient's health records — if that's what the patient wants. Or if the patient wants to share their records only for treatment and payment, but not operations, they can do that. My bill acknowledges patient rights and keeps patients in control.

Personally speaking, my health record is not the property of a clinic, hospital, insurance company, dentist, medical record-keeping business, or the Minnesota Department of Health. It's mine.

State legislators were elected to protect Minnesotans, not to take away their right to control the destiny of their health data. Why would any legislator want to be responsible for taking away constituents' privacy and consent rights? To appease the business community and Big Data? That's not a reason to eliminate something so precious. I will do all I can to keep the Legislature from giving corporate Minnesota a right to the confidential records of every Minnesota patient.