Legislative Commission on Data Practices and Personal Data Privacy
Discussion on the Minnesota Health Records Act and Federal HIPAA Privacy Rule
The Legislative Commission on Data Practices met on June 13, 2018, to begin delving into
the complicated area of state and federal laws and rules governing the privacy
of health records. At the hearing, Commission members received background information on
the relevant state and federal laws and rules. The Commission Chair, Rep. Peggy Scott,
stated that the end goal of these discussions is to generate recommendations and a
possible “middle ground” for the full legislature to consider.
Going forward, the Commission will meet monthly through the
end of the year to continue these discussions. In July, Commission members will
receive additional background information before moving into hearing testimony
from stakeholders.
All of the Commission’s materials are available to the public, including video
from the June 13 hearing on this topic.
Response Time for Requests from Data Subjects
In Advisory Opinion 18-005, a data subject asked if a county responded appropriately to
a data request when it failed to comply within ten business days. The
Commissioner concluded that Minn. Stat. § 13.04, subdivision
3, is clear: entities must comply with data subject requests within ten
business days. The request resulted in almost 3,000 emails and, as of the date
of the opinion, the County had failed to provide any emails to the data
subject. The Commissioner acknowledged the challenge in producing all of the data
within the strict time limit, but also noted that the statute does not allow
for additional time in mitigating circumstances.
Response Time for Requests from the Public
In Advisory Opinion 18-006, a
member of the public asked whether a University had violated the Data Practices
Act because it had not provided him with access to the data he requested
(public personnel data on three employees) as of the date of his opinion
request, which was two months after he asked for the data. In previous advisory
opinions, the Commissioner has stated that a prompt, reasonable response is
relative to the volume of data requested. Here, he opined that given the facts of this specific data request,
including the type and amount of data requested, the University’s response was
not timely.
Sealed Records and Background Checks
In Advisory Opinion 18-007, a City asked if it was required to provide access to a
sealed criminal record pursuant to 5 USC § 9101. The language in that
provision allows military recruiters to access certain records maintained by
state and local law enforcement when the expunged records remain available for
background checks. Here, the case against the subject of the records was
ultimately dismissed and, because there was no record of a
“conviction,” the records are not available for background checks
under Minn. Stat. § 609A.03. Therefore, the City could not
disclose the sealed records to the military recruiter.
Case Law Update
In a 5-4 decision, the U.S. Supreme Court ruled
that accessing historical cell phone location data without a warrant violates
the Fourth Amendment. Between 2010 and 2011, various individuals robbed
RadioShack and T-Mobile stores in Michigan and Ohio. The police arrested four
men, including the petitioner, in part because law enforcement connected
Carpenter to the crimes via cellphone location data records obtained from his
service provider. The records were obtained under the federal Stored Communications Act, which
permits prosecutors to obtain a court order for disclosure by merely providing
“specific and articulable facts showing there are reasonable grounds to
believe” that the data are relevant to a criminal investigation. The Court
held that the request constituted a Fourth Amendment search and thus required prosecutors to
obtain a search warrant to access the records and meet the higher
standard of demonstrating probable cause.
State v. Hammer, A17-1748 (Minn. Ct. App. June 11, 2018)
Appellant Hammer was terminated for cause by the Department of Corrections for violating various DOC policies, including ones related to electronic communications and personnel files. An arbitrator ultimately ordered that Appellant be reinstated, finding that the policy violations were not sufficient to warrant bypassing progressive discipline in favor of immediate discharge.
The court of appeals overturned the arbitrator's decision. The applicable DOC electronic communications policy prescribes discipline "up to and including discharge" for, among other things, illegal activity. During his employment Appellant had divulged to unauthorized co-workers information classified as private personnel data under Minn. Stat. § 13.43, such as one employee's likely suspension, and another employee's possible termination due to alcohol use. Because Minn. Stat. § 13.09 makes the willful violation of the Data Practices Act a misdemeanor, and provides that such a violation is just cause for dismissal of a public employee, the DOC's decision to terminate Appellant without progressive discipline was justified.
Plaintiff lost his Wisconsin driver's license at a Minnesota casino. The casino found the missing license and incorporated it into new-employee training, which Plaintiff claimed was a violation of the Driver's Privacy Protection Act (DPPA). The court dismissed the case for failure to state a claim. To implicate the DPPA, there must be a disclosure of a "motor vehicle record" as defined by the DPPA, and because a record must "pertain to the driver's license", the "record" must be something other than the license itself. Also, the casino and its employees did not access Plaintiff's license through the Wisconsin DMV, so their use of it did not amount to a disclosure of "information originating from state department of motor vehicle records."
Stay tuned for another round of DPO Workshops this fall!