Patient Consent Not Required for Disclosures of PHI for Fundraising, Rules Minnesota Supreme Court
Healthcare organizations in Minnesota are permitted to use patient data for fundraising purposes without obtaining patient consent, according to Minnesota Supreme Court Chief Justice Natalie Hudson.
The Supreme Court was petitioned to review a lower court’s decision to dismiss a lawsuit against Children’s Health Care, which does business as Children’s Hospital and Clinics (Children’s). Legal action was taken against Children’s following a data breach at a third-party vendor that was used for fundraising purposes. The plaintiffs, Kelly and Evarist Schneider, were informed that their child’s name, age, date of birth, and treatment details were in the healthcare provider’s fundraising database and had potentially been compromised. They believed the hospital should have obtained permission before disclosing their child’s protected health information to the foundation’s fundraising database and argued that the disclosure violated the Minnesota Health Records Act (MHRA).
The case concerned the interpretation of the MHRA, which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s moved to have the lawsuit dismissed and argued that the federal Health Insurance Portability and Accountability Act (HIPAA) is a specific authorization in law and that HIPAA permits the disclosure of protected health information for fundraising purposes without patient consent.
The district court denied Children’s motion to dismiss, as while HIPAA was determined to be a specific authorization in law under the MHRA, it was unclear whether Children’s had complied with the privacy notice requirements of the HIPAA Privacy Rule. Children’s moved for summary judgment, which the district court granted. The district court reiterated its conclusion that the disclosure was permitted under the MHRA and HIPAA and found there was no dispute about whether the required privacy practices had been provided. The court of appeals affirmed the district court’s ruling.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The plaintiffs argued that states are permitted to implement more stringent privacy regulations than HIPAA and that the MHRA preempted the HIPAA fundraising exception; however, the court of appeals rejected that argument as the MHRA was determined not to be more stringent than HIPAA with respect to disclosures of protected health information for fundraising purposes. The plaintiffs petitioned the Supreme Court for review on whether the MHRA’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. Chief Justice Hudson ruled that the HIPAA Privacy Rule permits a hospital to disclose a patient’s protected health information to a foundation or business associate for fundraising purposes without requiring patient consent and that HIPAA is a “specific authorization in law” under the Minnesota Health Records Act.