HIPAA Policy

Edina Sports + Family Medicine, P.A.
Effective Date: April 13, 2003

THIS NOTICE DESCRIBES HOW HEALTH INFORMATION
ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU
CAN GET ACCESS TO THIS INFORMATION

PLEASE REVIEW IT CAREFULLY

If you have any questions about this notice, please our Clinic Administrator and Privacy Officer at (952) 915-5263.

WHO WILL FOLLOW THIS NOTICE:

  • Edina Sports + Family Medicine, P.A.

This notice describes our privacy practices. We are affiliated with:

  • Minnesota Health Network Care System
  • Fairview Physician Associates Care System

All these entities, sites, and locations follow the terms of this notice. In addition, these entities, sites, and locations may share health information with each other for treatment, payment, or health care operations purposes described in this notice.

OUR PLEDGE REGARDING HEALTH INFORMATION:

We understand that health information about you and your health care is personal. We are committed to protecting health information about you. We create a record of the care and services you receive from us. We need this record to provide you with quality care and to comply with certain legal requirements. This notice applies to all of the records of your care generated by this health care practice, whether made by your personal doctor or others working in this office. This notice will tell you about the ways in which we may use and disclose health information about you. We also describe your rights to the health information we keep about you, and describe certain obligations we have regarding the use and disclosure of your health information.

We are required by law to:

  • make sure that health information that identifies you is kept private;
  • give you this notice of our legal duties and privacy practices with respect to health information about you; and
  • follow the terms of the notice that is currently in effect.

HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION ABOUT YOU.

The following categories describe different ways that we use and disclose health information. For each category of uses or disclosures we will explain what we mean and try to give some examples. Not every use or disclosure in a category will be listed. However, all of the ways we are permitted to use and disclose information will fall within one of the categories.

For Treatment. We may use health information about you to provide you with health care treatment or services. We may disclose health information about you to doctors, nurses, technicians, health students, or other personnel who are involved in taking care of you. They may work at our offices, at the hospital if you are hospitalized under our supervision, or at another doctor’s office, lab, pharmacy, or other health care provider to whom we may refer you for consultation, to take x-rays, to perform lab tests, to have prescriptions filled, or for other treatment purposes. For example, a doctor treating you for a broken leg may need to know if you have diabetes because diabetes may slow the healing process. In addition, the doctor may need to tell the dietitian at the hospital if you have diabetes so that we can arrange for appropriate meals. We may also disclose health information about you to an entity assisting in a disaster relief effort so that your family can be notified about your condition, status and location.

For Payment: We may use and disclose health information about you so that the treatment and services you receive from us may be billed to and payment collected from you, an insurance company, or a third party. For example, we may need to give your health plan information about your office visit so your health plan will pay us or reimburse you for the visit. We may also tell your health plan about a treatment you are going to receive to obtain prior approval or to determine whether your plan will cover the treatment.

For Health Care Operations: We may use and disclose health information about you for operations of our health care practice. These uses and disclosures are necessary to run our practice and make sure that all of our patients receive quality care. For example, we may use health information to review our treatment and services and to evaluate the performance of our staff in caring for you. We may also combine health information about many patients to decide what additional services we should offer, what services are not needed, whether certain new treatments are effective, or to compare how we are doing with others and to see where we can make improvements. We may remove information that identifies you from this set of health information so others may use it to study health care delivery without learning who our specific patients are.

Appointment Reminders: We may use and disclose health information to contact you as a reminder that you have an appointment. Please let us know if you do not wish to have us contact you concerning your appointment, or if you wish to have us use a different telephone number or address to contact you for this purpose.

Health-Related Services and Treatment Alternatives: We may use and disclose health information to tell you about health-related services or recommend possible treatment options or alternatives that may be of interest to you. Please let us know if you do not wish us to send you this information, or if you wish to have us use a different address to send this information to you.

Research. Under certain circumstances, we may use and disclose health information about you for research purposes. For example, a research project may involve comparing the health and recovery of all patients who received one medication to those who received another, for the same condition. All research projects, however, are subject to a special approval process. This process evaluates a proposed research project and its use of health information, trying to balance the research needs with patients’ need for privacy of their health information. Before we use or disclose health information for research, the project will have been approved through this research approval process; but we may disclose health information about you to people preparing to conduct a research project. For example, we may help potential researchers look for patients with specific health needs, so long as the health information they review does not leave our facility. We will almost always ask for your specific permission if the researcher will have access to your name, address, or other information that reveals who you are, or will be involved in your care.
As Required By Law. We will disclose health information about you when required to do so by federal, state, or local law.
To Avert a Serious Threat to Health or Safety. We may use and disclose health information about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
Military and Veterans. If you are a member of the armed forces or separated/discharged from military services, we may release health information about you as required by military command authorities or the Department of Veterans Affairs as may be applicable. We may also release health information about foreign military personnel to the appropriate foreign military authorities.
Workers’ Compensation. We may release health information about you for workers’ compensation or similar programs. These programs provide benefits for work-related injuries or illness.
Public Health Risks. We may disclose health information about you for public health activities. These activities generally include the following:

    • to prevent or control disease, injury or disability;

to report births and deaths;

  • to report child abuse or neglect;
  • to report reactions to medications or problems with products;
  • to notify people of recalls of products they may be using;
  • to notify person or organization required to receive information on FDA-regulated products;
  • to notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition;
  • to notify the appropriate government authority if we believe a patient has been the victim of abuse, neglect, or domestic violence. We will only make this disclosure if you agree or when required or authorized by law.

 

Health Oversight Activities. We may disclose health information to a health oversight agency for activities authorized by law. These oversight activities include, for example, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.

Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose health information about you in response to a court or administrative order. We may also disclose health information about you in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.

Law Enforcement. We may release health information if asked to do so by a law enforcement official:

  • in reporting certain injuries, as required by law, gunshot wounds, burns, injuries to perpetrators of crime;
  • in response to a court order, subpoena, warrant, summons or similar process;
  • to identify or locate a suspect, fugitive, material witness, or missing person:
    • Name and address
    • Date of birth or place of birth;
    • Social security number;
    • Blood type or rh factor;
    • Type of injury;
    • Date and time of treatment and/or death, if applicable; and
  • A description of distinguishing physical characteristics.
  • about the victim of a crime, if the victim agrees to disclosure or under certain limited circumstances, we are unable to obtain the person’s agreement;
  • about a death we believe may be the result of criminal conduct;
  • about criminal conduct at our facility; and
  • in emergency circumstances to report a crime; the location of the crime or victims; or the identity, description, or location of the person who committed the crime.

Coroners, Health Examiners and Funeral Directors. We may release health information to a coroner or health examiner. This may be necessary, for example, to identify a deceased person or determine the cause of death. We may also release health information about patients to funeral directors as necessary to carry out their duties.

National Security and Intelligence Activities. We may release health information about you to authorized federal officials for intelligence, counterintelligence, and other national security activities authorized by law.

Protective Services for the President and Others. We may disclose health information about you to authorized federal officials so they may provide protection to the President, other authorized persons or foreign heads of state or conduct special investigations.

Inmates. If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may release health information about you to the correctional institution or law enforcement official. This release would be necessary (1) for the institution to provide you with health care; (2) to protect your health and safety or the health and safety of others; or (3) for the safety and security of the correctional institution.

YOUR RIGHTS REGARDING HEALTH INFORMATION ABOUT YOU.
You have the following rights regarding health information we maintain about you:

Right to Inspect and Copy: You have the right to inspect and copy health information that may be used to make decisions about your care. Usually, this includes health and billing records.

To inspect and copy health information that may be used to make decisions about you, you must submit your request in writing to Julee Stoesz , Clinic Administrator and Privacy Officer. If you request a copy of the information, we may charge a fee for the costs of copying, mailing or other supplies and services associated with your request.

We may deny your request to inspect and copy in certain very limited circumstances. If you are denied access to health information, you may request that the denial be reviewed. Another licensed health care professional chosen by our practice will review your request and the denial. The person conducting the review will not be the person who denied your request. We will comply with the outcome of the review.

Right to Amend. If you feel that health information we have about you is incorrect or incomplete, you may ask us to amend the information. You have the right to request an amendment for as long as we keep the information. To request an amendment, your request must be made in writing, submitted to Julee Stoesz , Clinic Administrator and Privacy Officer, and must be contained on one page of paper legibly handwritten or typed in at least 10 point font size. In addition, you must provide a reason that supports your request for an amendment.

We may deny your request for an amendment if it is not in writing or does not include a reason to support the request. In addition, we may deny your request if you ask us to amend information that:

  • was not created by us, unless the person or entity that created the information is no longer available to make the amendment;
  • is not part of the health information kept by or for our practice;
  • is not part of the information which you would be permitted to inspect and copy; or
  • is accurate and complete.

Any amendment we make to your health information will be disclosed to those with whom we disclose information as previously specified.

Right to an Accounting of Disclosures. You have the right to request a list accounting for any disclosures of your health information we have made, except for uses and disclosures for treatment, payment, and health care operations, as previously described.

To request this list of disclosures, you must submit your request in writing to Julee Stoesz , Clinic Administrator and Privacy Officer. Your request must state a time period which may not be longer than six years and may not include dates before April 13, 2003. The first list you request within a 12 month period will be free. For additional lists, we may charge you for the costs of providing the list. We will notify you of the cost involved and you may choose to withdraw or modify your request at that time before any costs are incurred. We will mail you a list of disclosures in paper form within 30 days of your request, or notify you if we are unable to supply the list within that time period and by what date we can supply the list; but this date will not exceed a total of 60 days from the date you made the request.

Right to Request Restrictions. You have the right to request a restriction or limitation on the health information we use or disclose about you for treatment, payment, or health care operations. You also have the right to request a limit on the health information we disclose about you to someone who is involved in your care or the payment for your care, such as a family member or friend. For example, you could ask that we restrict a specified nurse from use of your information, or that we not disclose information to your spouse about a surgery you had.

We are not required to agree to your request for restrictions if it is not feasible for us to ensure our compliance or believe it will negatively impact the care we may provide you. If we do agree, we will comply with your request unless the information is needed to provide you emergency treatment. To request a restriction, you must make your request in writing to Julee Stoesz , Clinic Administrator and Privacy Officer. In your request, you must tell us what information you want to limit and to whom you want the limits to apply; for example, use of any information by a specified nurse, or disclosure of specified surgery to your spouse.

Right to Request Confidential Communications. You have the right to request that we communicate with you about health matters in a certain way or at a certain location. For example, you can ask that we only contact you at work or by mail to a post office box.

To request confidential communications, you must make your request in writing to Julee Stoesz , Clinic Administrator and Privacy Officer. We will not ask you the reason for your request. We will accommodate all reasonable requests. Your request must specify how or where you wish to be contacted.

Right to a Paper Copy of This Notice. You have the right to obtain a paper copy of this notice at any time. However, at the time of first service rendered after April 14, 2003, it is required that you receive a paper copy. To obtain a copy, please request it from Julee Stoesz , Clinic Administrator and Privacy Officer.

CHANGES TO THIS NOTICE

We reserve the right to change this notice. We reserve the right to make the revised or changed notice effective for health information we already have about you as well as any information we receive in the future. We will post a copy of the current notice in our facility. The notice will contain on the first page, in the top right-hand corner, the effective date. In addition, each time you register for treatment or health care services, we will offer you a copy of the current notice in effect.

COMPLAINTS

If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the Department of Health and Human Services. To file a complaint with us, contact Julee Stoesz , Clinic Administrator and Privacy Officer. All complaints must be submitted in writing. You will not be penalized for filing a complaint.

OTHER USES OF HEALTH INFORMATION.

Other uses and disclosures of health information not covered by this notice or the laws that apply to us will be made only with your written permission. If you provide us permission to use or disclose health information about you, you may revoke that permission, in writing, at any time. If you revoke your permission, we will no longer use or disclose health information about you for the reasons covered by your written authorization. You understand that we are unable to take back any disclosures we have already made with your permission, and that we are required to retain our records of the care that we provided to you.

Acknowledgement of Receipt of this Notice

We will request that you sign a separate form or notice acknowledging you have received a copy of this notice. If you choose, or are not able to sign, a staff member will sign their name, date. This acknowledgement will be filed with your records.

*******************************************

Acknowledgement of Receipt of Notice of Privacy Practices

I, ________________________________(Patient name), have received and/or have access to the Notice of Privacy Practices from Edina Sports Health & Wellness, P.A..

X________________________________ Date: ________________

In lieu of patient signature, I, _______________________________________,
a staff member of Edina Sports Health & Wellness, P.A. ,state that
________________________( Patient Name) has been given and/or has been notified of our current Notice Of Privacy Practices.

X________________________________ Date: ________________

State Law Information for Notice of Privacy Practices

Edina Sports Health & Wellness, P.A.
State: MN

Your state’s laws regarding Protected Health Information must be considered along with the HIPAA Privacy Regulation when updating your organization’s policies and procedures. We are providing the information below as a guide to what those other considerations may be. Consult your state’s laws to make sure you are meeting all of the requirements.

Summary: Minnesota statutes have a great impact on the Notice of Privacy Practices. There are provisions that affect the actual format of the NPP, and there are many restrictions on non-consensual disclosures. Carefully read each state provision and our “Expected Impact” and then incorporate appropriate language into your policy. Seek outside counsel if anything is unclear.

General Issues of Concern
According to the HIPAA Privacy Regulation, you are required to give a copy of this Notice to each patient at the first encounter after April 14, 2003. The state law may have additional provisions on the content in the Notice, presentation requirements for the notice and exceptions to this rule.

Notice of Privacy Practices
Content

Expected Impact [Medium]
The federal regulation requirement for a Notice of Privacy Practices is roughly comparable to the state law. The federal regulation does include more elements, and also calls for some mandatory language.

NOTE: Meeting the content requirements of the federal regulation should satisfy the state law requirement as well.

State Law Citation
Minnesota Statutes 144.335 subd. 5a
Highlight of State Provision
A provider should provide to patients, in a clear and conspicuous manner, a written notice concerning practices and rights with respect to access to health records. The notice must include an explanation of disclosures that may be made without the written consent of the patient (type of records and to whom they may be disclosed). The notice should also outline the right of the patient to have access to and obtain copies of health records and other information about the patient that is maintained by the provider.

Timing
Expected Impact [Low]
The state law is generally comparable to the HIPAA Privacy Regulation. The federal regulation requires that providers with a direct treatment relationship provide the notice no later than the date of the first service delivery. The regulation also requires that the notice be available for individuals to take with them, be posted in a clear and prominent location, and posted on a patient-oriented website if you have one.

NOTE: Following the federal regulation should satisfy all notice requirements.

State Law Citation
Minnesota Statutes 144.335 subd. 5a
Highlight of State Provision
Notice requirements are satisfied if the notice is included with the copy of the patient and resident bill of rights, or if it is displayed prominently in the provider’s place of business.

Use and Disclosure of Protected Health Information

The following sections describe different portions of the Notice of Privacy Practices. The State law may or may not allow the same categories for access or they may add additional restrictions in disclosing information for the categories. For each category you need to take a careful look at the state statutes and change the category accordingly. This may require you to remove some categories, add more categories or revise the explanation in the category.

For Treatment
According to the HIPAA Privacy Regulation, a healthcare provider may release PHI, without patient authorization for the purpose of treatment. State law may limit what information can be disclosed, if this information can be released without authorization and under what circumstances the information can be released without authorization.

Expected Impact [High]
The federal regulation broadly allows uses and disclosures for treatment of the patient or any other individual. The state law limits disclosures to treatment of the patient only, except in medical emergencies.

NOTE: For treatment uses and disclosures, state law is narrower than the federal regulation and should be followed. This won’t require any changes to current practice.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(b)
Minnesota Statutes 144.335 subd. 3a(c)(1)
Highlight of State Provision
A provider may disclose records without a signed and dated consent under the following circumstances: 1) for a medical emergency when the provider is unable to obtain the patient’s consent due to the patient’s condition or the nature of the medical emergency; or 2) to other providers within related health care entities when necessary for the current treatment of the patient.

For Payment
According to the HIPAA Privacy Regulation, a healthcare provider may release PHI, without patient authorization for the purpose of payment. State law may limit what information can be disclosed, if this information can be released without authorization and under what circumstances the information can be released without authorization.

Expected Impact [High]
The federal regulation allows disclosures for payment without authorization. The state law however is restrictive and requires consent for disclosure.

NOTE: Continue to follow state law that requires patient consent for payment disclosures.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(a)
Highlight of State Provision
A provider, or a person who receives health records from a provider, may not release a patient’s health records to a person without a signed and dated consent from the patient or the patient’s legally authorized representative, except when the release is specifically authorized by law.

For Healthcare Operations
According to the HIPAA Privacy Regulation, a healthcare provider may release PHI, without patient authorization for the purpose of healthcare operations. State law may limit what information can be disclosed, if this information can be released without authorization and under what circumstances the information can be released without authorization.

Expected Impact [High]
NOTE: This is a tough area because the federal definition of healthcare operations is so broad. If you have been able to make any of these disclosures with consent before HIPAA, you can probably continue to do so. You may need to consult with other authorities here.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(a)
Highlight of State Provision
There is no specific state law on disclosures for health care operations.

Health-Related Services and Treatment Alternatives
According to the HIPAA Privacy Regulation, a healthcare provider may disclose health information to tell the patient about health-related services or to recommend possible treatment options, as long as the patient has the right to accept or reject such a disclosure. State law may have a different provision for handling this situation.

Marketing
Uses and Disclosures With Individual Involvement

Expected Impact [Medium]
State law is specific about the types of disclosures that are permitted without patient authorization. Marketing is not a permitted disclosure. Therefore, it appears that the absence of a state law addressing marketing makes the federal regulation allowing some marketing disclosures inapplicable.

NOTE: The federal regulation requires patient authorization for marketing uses and disclosures, but some marketing activities are permitted without patient approval. State law does not appear to allow any marketing disclosures without patient authorization. The safer course is to avoid marketing disclosures unless a definitive authority says otherwise.

Fundraising Activities
According to the HIPAA Privacy Regulation, a health care provider may disclose health information to contact patients in an effort to raise money for not-for-profit operations, as long as the patient has the right to accept or reject such a disclosure. State law may have a different provision for handling this situation.

Expected Impact [Medium]
State law is specific about the types of disclosures that are permitted without patient authorization. Fundraising is not a permitted disclosure. Therefore, it appears that the absence of a state law addressing fundraising makes the federal regulation allowing some fundraising disclosures inapplicable.

NOTE: Fundraising is an issue for some institutions but not for most providers. State law does not appear to allow any disclosures for fundraising. Follow state law unless a definitive authority says otherwise.

Research
According to the HIPAA Privacy Regulation, under certain circumstances a health care provider may release PHI, without patient consent, for the purpose of research. State law may limit what information can be disclosed, if this information can be released without authorization and under what circumstances the information can be released without authorization.

Expected Impact [Medium]
The federal regulation has several provisions governing disclosures of records to researchers without patient consent. The state law also has several provisions on research disclosures to protect against unauthorized disclosures.

NOTE: This is a complex area, but providers are already used to meeting state law requirements. The state law on research disclosures is applicable and must be followed.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(d)
Highlight of State Provision
For records generated before 1997, state law provides that the records may be released to an external researcher solely for purposes of medical or scientific research, unless the patient has objected. For later records, the provider must provide notice of research disclosures, honor patient objections and also seek written authorizations for research disclosures. Further, in making a release for research purposes, the provider should make a reasonable effort to determine that the use or disclosure does not violate any limitations under which the record was collected; that the use or disclosure in individually identifiable form is necessary to accomplish the research; that the recipient has adequate safeguards against unauthorized disclosure, including a procedure for removal or destruction of identifiable information; and that further nonconsensual use or release of identifiable records is prohibited.

Organ and Tissue Donation
According to the HIPAA Privacy Regulation, a health care provider may release PHI, without patient consent, for the purpose of organ and tissue donation. State law may limit what information can be disclosed, if this information can be released without authorization and under what circumstances the information can be released without authorization.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

As Required By Law
The HIPAA Privacy Regulation allows you to disclose PHI when required by federal, state, or local law. State law may have additional provisions when releasing information for such a purpose.

Expected Impact [Medium]
NOTE: This is a tricky area because of the difference between required by law and authorized by law. In each case, the answer depends on how just how the law is written. You may want to consult other authorities, especially for disclosures that you are used to making without patient consent.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(a)
Highlight of State Provision
State law allows disclosures that are specifically authorized by law.

To Avert a Serious Threat to Health or Safety
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for the purpose of health and safety. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [High]
The federal regulation allows disclosures to prevent or to lessen a serious and imminent threat to the health or safety of a person, or the public under some conditions. The state law allows such disclosure only in a medical emergency, when unable to obtain the patient’s consent due to the patient’s condition or the nature of the medical emergency.

NOTE: Follow familiar state regulations for emergency disclosures.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(b)(1)
Highlight of State Provision
A provider may disclosure a record for a medical emergency when the provider is unable to obtain the patient’s consent due to the patient’s condition or the nature of the medical emergency.

Military and Veterans
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, as required by military command authorities of the Department of Veterans Affairs. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Worker’s Compensation
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for worker’s compensation programs. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

We have been unable to find any state statutes for this section.

Public Health Risks
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for public health activities, which are listed in this category. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Public Health Activities

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: Most public health disclosures that were lawful before HIPAA are likely to still be permissible. The federal regulation on public health disclosures is very broad. State law seems to be somewhat more limited. You might want to consult other authorities to be sure.

State Law Citation
Minnesota Statutes 144.335 subd. 3a(a)
Highlight of State Provision
A provider may not release a patient’s health records to a person without a signed and dated consent from the patient or the patient’s legally authorized representative authorizing the release, unless law specifically authorizes the release.

Victims of Abuse, Neglect or Domestic Violence

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Health Oversight Activities
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for certain health oversight activities. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The federal regulation allows the disclosure without consent or encryption. The state law is more restrictive and requires that patient identifiers be encrypted upon receipt of the data.

NOTE: The federal regulation allows broad disclosures for health oversight. Other state laws may also authorize similar disclosures. Check with other authorities to make sure about routine disclosures. There may be other law that does not mandate encryption in all circumstances.

State Law Citation
Minnesota Statutes 144.335 subd. 3b
Highlight of State Provision
The state law provides that release of health records to the commissioner of health or the health data institute does not need patient consent, if patient identifiers are encrypted upon receipt of the data.

Lawsuits and Disputes
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for lawsuits and disputes. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Judicial and Administrative Proceedings

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Law Enforcement
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for certain law enforcement issues. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Coroners, Health Examiners and Funeral Directors
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, to coroners, health examiners and funeral directors. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

National Security and Intelligence Activities
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for national security and intelligence activities. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Protective Services for the President and Others
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for protective services for the President and others. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Inmates
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for inmates. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Correctional Institution

Expected Impact [Medium]
The principal state health privacy statute governing providers does not appear to address non-consensual disclosures for this type of activity. Other laws may be relevant.

NOTE: We are not sure what to tell you because the principal state health privacy law is silent. Check with other authorities and proceed with caution.

Patient Rights

Right to Inspect and Copy
The HIPAA Privacy Regulation allows you to disclose PHI, without patient consent, for inmates. State law may have a different provision for handling this situation or may not allow such a disclosure to occur without patient consent.

Psychotherapy Notes

Expected Impact [Medium]
Psychotherapy notes may be withheld under both state law and the federal regulation, if they qualify as written speculation. Otherwise, the more limited exclusion in state law applies and psychotherapy notes cannot be withheld.

NOTE: Psychotherapy notes can be withheld if they meet the standards of both the federal regulation and state law. That means that the notes must qualify as written speculation under state law.

State Law Citation
Minnesota Statutes 144.335 subd. 2(b)(2)
Highlight of State Provision
State law allows a provider to exclude written speculations about the patient’s health condition, except that all information necessary for the patient’s informed consent must be provided.

Access Procedure

Expected Impact [Medium]
The federal regulation allows a patient to ask for a written request for access or for a copy of a medical record. State law does not require a written request for access to information, but a written request is required for a copy. State law does not allow a provider to ask for a written request before access, and state law appears to be applicable.

NOTE: You can ask for a written request from the patient who wants a copy, but not if the patient just wants to inspect the record.

State Law Citation
Minnesota Statutes 144.335 subd. 2(a) and (b)
Highlight of State Provision
Upon request, a provider shall provide to patient complete and current information possessed by that provider concerning any diagnosis, treatment and prognosis of the patient. This information should be in terms and language that the patient can reasonably be expected to understand. A provider must supply a copy of a record upon written request of the patient.

Right to Amend
The HIPAA Privacy Regulation allows patients to amend their PHI. There are, however, certain exceptions. The state law may have special provisions for patients to amend their records and may or may not have the same exceptions.

We have been unable to find any state statutes for this section.

Right to an Accounting of Disclosures
The HIPAA Privacy Regulation allows patients to request an accounting of disclosures of their PHI. The state law may have special provisions for patients to access this. We have been unable to find any state statutes for this section.

Right to Request Restrictions
The HIPAA Privacy Regulation allows patients to request restriction on their PHI. The state law may have special provisions for this issue.

We have been unable to find any state statutes for this section.

Right to Request Confidential Communications
The HIPAA Privacy Regulation allows patients to request confidential communication of their PHI. The state law may have special provisions for this issue.

We have been unable to find any state statutes for this section.

Other Uses of Health Information

Revocation
According to the HIPAA Privacy Regulation, any other disclosures of PHI not covered by this Notice requires patient authorization. A patient may revoke an authorization at any time. The state law may have special provisions for when patients are revoked.

We have been unable to find any state statutes for this section.