Providers push back on new electronic medical-data mandate

A Minnesota law that took effect Jan. 1, 2015, requires health care providers to keep electronic records and connect them to an online health data network.

The change in law prompted Eagan resident Don Lee to switch doctors. He now sees a physician in St. Paul whose office keeps patient records only on paper.

“My medical records are pretty boring,” Lee told the House Civil Law and Data Practices Committee Tuesday. “That’s not the point. This stuff is none of anybody’s business.”

Rep. Peggy Scott (R-Andover), the committee chair, said the new law has wide-ranging negative ramifications, from making providers buy systems priced at $15,000 and up, to the potential for sensitive personal information to fall into the wrong hands.

Enacted in 2007 but not taking effect until last month, the law states “all hospitals and health care providers must have in place an interoperable electronic health records system.” Massachusetts is the only other state mandating such systems.

The statute also states that providers’ systems “must be connected to a state-certified health information organization either directly or through a connection facilitated by a state-certified health data intermediary.”

Twila Brase, president and co-founder of Citizens' Council for Health Freedom, said the law should change so patients and providers can opt out. She pledged her group would fight what she said were continuing efforts, referencing a bill introduced last session, to make Minnesota medical-data privacy law conform to the less-strict federal Health Insurance Portability and Accountability Act (HIPAA).

Eagan resident Don Lee, right, and Twila Brase, president and co-founder of Citizens' Council for Health Freedom, testify Feb. 17 during a presentation on “Protecting Medical Privacy in Minnesota.” Photo by Andrew VonBank

Brase also questioned whether hospitals and other providers are following state law regarding forms that let patients say no to the sharing of their personal health data. As an example, she showed one hospital’s consent form with one signature at the bottom instead of check boxes by each item as specified in statute. 

“You may not want your doctor to know that you went to a psychologist. You may not want your psychologist to know you have cancer,” Brase said. “There are just things you don’t want these folks to know.”

Insecurity of medical data shared and stored electronically was a theme at Tuesday’s hearing. One testifier, psychologist Stephen Huey, noted that the Legislature passed the 2007 law “well before data breaches were regularly in the news.”

A psychotherapist, Laraine Kurisko, said the potential for medical-data breaches threatened “the inviolate sanctity of the patient-therapist relationship. … Breaches of confidentiality were — in the past — considered the most heinous of ethical moral, and legal breaches, resulting in loss of licensure.”

Kurisko said the law puts her in “a terrible double bind in which I must betray either my clients’ privacy or the law — neither of which I can do.”

Manny Munson-Regala, assistant commissioner for strategic initiatives at the Department of Health, defended what he said were some of the law’s benefits: reducing the frequency of harmful prescription combinations; providing complete information with referral appointments; and allowing patients convenient access to their own records.

“Patients’ privacy here is Minnesota is more tightly protected than would the case under federal law. That also means their care here may be more fragmented, more redundant and potentially more costly,” Munson-Regala said. “Movement in one direction, to protect privacy … has implications for the ability to ensure that their care is coordinated, efficient and affordable.”

Munson-Regala didn’t have patience for providers who have had years to prepare for the change saying they were taken unaware. “I’m a little surprised that providers are surprised,” he said.

Fears about the law’s “interoperable” clause mandating doctors put patient records online are overblown, he said. “Interoperable means that the systems talk to each other, not that they are permanently linked. They act as a glorified conduit, [making] sure the transaction is secure [and] subject to consistent data protocols.”

Munson-Regala said the law has no penalty for non-compliance, making the mandate more of a “strongly worded recommendation.”

That wasn’t enough for psychologist Maryanne Lassegard, whose commentary from the audience prompted Scott to invite her to the testifier’s table.

“We don’t want to break the law,” Lassegard said. “We don’t want to be lying to our clients. We start every session with our clients talking about privacy and confidentiality. I don’t know when I’m telling them the truth anymore.”