Minnesota Building Unlawful Health Surveillance System


Twila Brase

Under cover of COVID-19, the Minnesota Department of Health (MDH) is building a permanent hospital-based surveillance system. On April 2, Jan Malcolm, Minnesota Commissioner of Health, sent a “Notification Letter” to every Minnesota hospital ordering them to send MDH “near real-time pre-diagnostic data” on all their patients, not just COVID-19 patients.

Commissioner Malcolm, who is offering grants to fund these expensive interfaces, has ordered hospitals to connect their electronic medical record systems to a government contractor, which will regularly receive patient data, sift through it, and send it to MDH. To be clear, Commissioner Malcolm wants a direct link to the medical records of all hospitalized patients, starting sometime in May 2020.

Once established, MDH says this surveillance system will likely be used for other purposes long after the COVID-19 crisis: 

“At this time, MDH is focusing only on COVID-19 syndromic surveillance. It may be possible to use this approach in the future . . . Other conditions MDH might want to expand to after COVID-19 are trends in drug overdoses, traumatic brain injury, spinal cord injury, vaping-related lung injury, or other current or emerging public health threats.”

Malcolm justifies her order using a 1973 state statute (a law passed by the legislature) that provides a general description of her duties as the commissioner of health (Section 144.05). In a related Q&A document posted on its website, MDH also claims a state health department research statute authorizes data collection on all hospitalized patients without patient consent as long as MDH encrypts patient identifiers (144.293, subd.7). But surveillance is not research.

Then, in an attempt to strengthen these weak statutory claims, the department says HIPAA’s data-sharing provision for public health means MDH doesn’t need consent. Specifically, the department says Minnesota’s current patient-consent statute does not apply, even though the statute, called the Minnesota Health Records Act (MHRA – Section 144.293), prohibits the release of medical record information without patient consent.

MDH says data can be shared without consent because the MHRA has an exception to consent if there is a “specific authorization in law.” The department says the federal HIPAA law is such a law. But this is not true.

First, in Minnesota statutes, the word “law” does not mean “any law” – it means “state law.” That’s why in numerous other sections of Minnesota Statutes, when legislators want to reference federal law, they write “federal law.” For example, consider Section 13.05, which governs how state agencies can collect, use and share the data they hold. Of two provisions written next to each other, the first allows use and sharing if specifically authorized by “state, local, or federal law.” The second allows use and sharing to “carry out a function assigned by law.”

If “law” is defined as “any law” including federal law (like Commissioner Malcolm alleges), privacy in Minnesota would also be subject to the state laws of the other 49 states. Moreover, the Tenth Amendment would no longer protect states from federal overreach. Congress could pass a federal law and states would have to submit.

By design or not, MDH’s assertion sets a dangerous precedent that may be used to unravel many years of successful efforts by citizens, legislators and our organization to keep patient consent requirements in Minnesota law. Health plans, large business groups, and researchers, which have repeatedly tried to repeal the MHRA, could easily use MDH’s assertion to claim that they too are under the permissive, no-consent-required, federal “HIPAA standard” (45 CFR 164.512), not Minnesota’s consent requirements. However, real state privacy laws, like the MHRA, supersede HIPAA. The protective Minnesota privacy law must be followed, not HIPAA. 

While it is understandable that health officials want COVID-19 data during this outbreak, they cannot legally build the hospital surveillance system they’re building. For that they need a state law that actually lets them do it. They simply don’t have one.

On April 29, CCHF sent a letter to Commissioner Malcolm asking her to immediately rescind the Notification Letter. We’ve also created a petition for Minnesotans (and others who receive treatment in Minnesota) to sign. Minnesota Governor Tim Walz needs to hear from citizens who oppose the unlawful reporting, collection and analysis of their confidential medical information.

Follow this link to SIGN THE PETITION TODAY.

_______________________

Twila Brase is President and Co-founder of the Citizens’ Council for Health Freedom, a national, patient-centered, free-market, health policy organization located in Saint Paul, Minnesota. Twila founded The Wedge of Health Freedom (jointhewedge.com) and authored the four-time award-winning book: Big Brother in the Exam Room: The Dangerous Truth About Electronic Health Records (BigBrotherintheExamRoom.com)

 
