Understanding the Minnesota Health Records Act (MHRA)

 

The Minnesota Health Records Act (MHRA) is a state law that governs how healthcare providers in Minnesota handle patient medical information. It provides additional protections beyond HIPAA (the federal healthcare privacy law) and contains Minnesota-specific requirements that all healthcare organizations in the state must follow.

 

Key Provisions of the Minnesota Health Records Act

 

• The MHRA requires specific written patient consent for nearly all disclosures of health records, which is more restrictive than HIPAA
• Minnesota law defines "health records" as any information, whether oral, written, electronic, or in any other form, that relates to the past, present, or future physical or mental health of a patient
• Healthcare providers must obtain separate authorization for each release of information unless specific exceptions apply
• Minnesota requires that consent forms include specific elements including the name of the patient, the specific information to be released, the specific purpose for the release, and an expiration date or event

 

Minnesota-Specific Patient Rights

 

• Patients have the right to access their health records within 7 business days after submitting a written request (faster than HIPAA's 30-day timeframe)
• Providers may charge patients state-regulated fees for copies of their health records ($0.75 per page for paper records, with a $10.00 retrieval fee)
• Minnesota patients have a right to submit a written statement of disagreement with their records, which must be kept with and released alongside the disputed record
• There are special protections for certain sensitive health information including mental health records, HIV/AIDS testing and treatment, and substance abuse treatment records

 

Key Differences Between MHRA and HIPAA

 

• HIPAA allows many disclosures for treatment, payment, and healthcare operations without patient authorization, but the MHRA generally requires patient consent for these activities
• Minnesota law has a narrower definition of "emergency" for when information can be shared without consent
• The MHRA provides stronger protections for deceased patients (health records remain private for 50 years after death)
• Minnesota prohibits the release of health records for marketing purposes without specific authorization

 

Exceptions to the Consent Requirement

 

• Medical emergencies when the provider is unable to obtain consent
• Disclosures mandated by law, such as reporting communicable diseases or suspected child abuse
• Certain public health activities as authorized by law
• Limited information sharing for internal quality improvement activities within a healthcare facility
• Disclosures for healthcare facility directories, unless the patient has specifically opted out

 

Cybersecurity Implications for Minnesota Healthcare Providers

 

• Healthcare organizations must implement stricter access controls to ensure that health information is only accessed with proper authorization
• Systems must be designed to track and document patient consent for each disclosure of information
• Electronic health record systems must have robust audit capabilities to monitor who accesses patient information and when
• Organizations need technical safeguards to prevent unauthorized access, including encryption, multi-factor authentication, and secure transmission methods
• Providers must have policies and procedures specific to Minnesota requirements, not just HIPAA compliance

 

Penalties for MHRA Violations

 

• Individuals who violate the MHRA may face civil liability to the patient
• Healthcare providers can be subject to professional discipline for improper disclosure of health records
• Intentional violations may result in criminal penalties including gross misdemeanor charges
• The Minnesota Department of Health can impose administrative penalties for violations
• MHRA violations may also constitute HIPAA violations, potentially triggering federal penalties as well

 

Best Practices for MHRA Compliance

 

• Develop Minnesota-specific consent forms that meet all MHRA requirements
• Implement staff training programs that emphasize the stricter Minnesota requirements
• Conduct regular security risk assessments that address both HIPAA and MHRA requirements
• Establish clear procedures for patient requests to access their records
• Maintain detailed documentation of all disclosures, including the specific consent obtained
• Implement data breach response plans that address both federal and Minnesota notification requirements
• Regularly audit systems and practices to ensure ongoing compliance

 

Recent Updates and Developments

 

• Minnesota has expanded provisions for sharing information through Health Information Exchanges (HIEs) while maintaining consent requirements
• The state has clarified rules regarding telehealth services and the sharing of information across state lines
• There are ongoing efforts to harmonize state and federal requirements while maintaining Minnesota's stronger privacy protections
• Minnesota has enhanced requirements for notifying patients of breaches involving their health information