38
Here's a script you can send to your state legislators and governor:
I demand a state medical privacy law at least as strong as the Minnesota Health Records Act (Minnesota Statutes 144.291-.298). Here are seven types of disclosures that HIPAA permits without patient consent or knowledge, but which generally require patient consent in Minnesota:
- Disclosures of health information for treatment purposes, unless consent is not possible due to a medical emergency.
- Disclosures of health information to other providers for healthcare operations purposes. [Note: healthcare operations includes over 60 nonclinical activities, including business activities. According to Federal Register, Vol. 75, No. 134, July 14, 2010 (see pages 40872, 40906, 40907, 40911), your medical data can be shared with over 2.2 million entities, including 1.5 million business associates, without your consent or knowledge.]
- Disclosures of health information to payers for payment purposes.
- Disclosures of health information to outside researchers for medical research purposes. [That's right, non-consensual medical research is explicitly allowed by HIPAA, but greatly limited in Minnesota.]
- Consent of a patient’s authorized family or legal representative for disclosures of health information to funeral directors.
- Disclosures of health information for military or national security purposes unless the disclosure is specifically required by federal law.
- Disclosures of health information for law enforcement purposes, unless the disclosure is in response to a valid court order or warrant. [That's right, under HIPAA, medical providors are permitted to share sensitive health data without a warrant.]
Source: Mayo Clinic's Notice of Privacy Practices (link: https://www.primarycareondemand.mayoclinic.org/notice-privacy-practices)
Minnesota is the only state to have a comprehensive medical privacy law stronger than HIPAA. [State] should be the second.