ST. PAUL, Minn. (CN) — The Minnesota Supreme Court on Wednesday rejected parents’ arguments that a nonprofit hospital should be required to obtain consent before a patient’s health data is used for fundraising purposes.
Instead, the state's highest court found an exemption for fundraising under the federal Health Insurance Portability and Accountability Act (HIPAA) applies in spite of a state law prohibiting many health information disclosures.
Chief Justice Natalie Hudson found that the HIPAA exemption qualifies as a “specific authorization in law” for the disclosure of health records under the Minnesota Health Records Act (MHRA), affirming a Minnesota Court of Appeals decision to the same effect. Parents of a patient at Minnesota’s Children’s Hospital and Clinics who sued the hospital and its related foundation, therefore, did not need to give consent for the hospital to give their child’s information to the foundation.
“The text of the HIPAA privacy rule recognizes that states might enact their own privacy laws governing protected health information,” Hudson wrote, noting that it includes exceptions to preemption for laws which, like the MHRA, create more stringent protections for patient data. The MHRA states that health care providers and those who receive records from them “may not release a patient’s health records to a person” except under its own list of exceptions, one of which allows for disclosure with a “specific authorization in law.”
The parents, Kelly and Evarist Schneider, sued the hospital after learning late in 2020 that the foundation’s fundraising database, stored by a third-party vendor, had been subject to a data breach. Their child’s name, age, date of birth, and treatment details were all potentially compromised.
The Schneiders sought to certify their complaint as a class action including other patients whose health records were released to the foundation, but the trial court granted the hospital summary judgment before addressing class certification. The Minnesota Court of Appeals affirmed.
The case came before the state Supreme Court for oral arguments in June, with the Schneiders’ attorney, St. Paul litigator A.L. Brown, arguing that the more stringent requirements of MHRA triggered HIPAA’s “reverse preemption” clause, and that the Minnesota law’s preexistence of HIPAA meant that state lawmakers could not have been considering federal law when writing the “specific authorization” exemption.
“If Children’s wanted to do exactly what it did, all it had to do was ask,” Brown said at oral arguments. “It’s that simple.”
Children’s Hospital’s attorney David Carney argued at that time that MHRA hadn’t been more specific than HIPAA on issues of fundraising, and therefore didn’t fit the reverse-preemption mold even if its “specific authorization” exception didn’t apply.
“We have all of these specific rules within MHRA itself,” he told the court at that time. “There’s not one with respect to fundraising.”
In her opinion, Hudson found that “contrary to the Schneiders’ assertion, the statute plainly encompasses law that is binding in Minnesota — that is, Minnesota and federal law. And because the HIPAA privacy rule is a federal regulation with the ‘force and effect’ of federal law… the fundraising exception in the HIPAA privacy rule is plainly a ‘specific authorization in law.’”
Children's Hospital made a brief statement on the case Wednesday. "Children's Minnesota is deeply committed to protecting patient privacy," the statement said. "This Supreme Court decision provides needed clarity for Minnesota health care providers to best serve their patients. Children's Minnesota will continue to comply with all privacy laws and regulations."
Brown declined to comment Wednesday afternoon.
Subscribe to Closing Arguments
Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.
