State of Minnesota
Attorney General
Lori Swanson

Minnesota Attorney General's Office

1400 Bremer Tower
445 Minnesota Street
St. Paul, MN 55101

(651) 296-3353
(800) 657-3787

M - F 8 am - 5 pm

TTY: (651) 297-7206
TTY: (800) 366-4812

VII: Protecting Private Information



A number of federal laws and regulations restrict the ways that health plans, pharmacies, hospitals and other entities can use patients’ personal medical information. The most important of those laws is the Health Insurance Portability and Accountability Act of 1996, known as HIPAA. HIPAA is designed to provide a minimum standard of privacy protection for consumers across the United States, but it does not replace state laws that provide greater privacy protections. Most health care providers were first required to comply with the federal privacy standards in April 2003. You may have noticed that your health care provider asked you to sign various notices and consent forms around that time. Here is a summary of some of the key HIPAA provisions:

  • Access to Medical Records. Under HIPAA, patients generally have the right to view and obtain copies of their medical records and request corrections if they identify errors and mistakes. Access to these records should be provided within 30 days, but the patient may be charged for the cost of copying and sending the records.

  • Notice of Privacy Practices. Patients must be provided with a notice about their privacy rights and how their personal medical information may be used.

  • Limits on Use of Personal Medical Information. HIPAA sets limits on how health plans and covered providers may use individually identifiable health information. It does not eliminate the sharing of such information, but it restricts the sharing to the minimum necessary to accomplish the intended purpose of the disclosure. Employees must be trained on new privacy procedures and each covered entity must designate a privacy officer.

  • Restrictions on Marketing. The final privacy rule sets some new restrictions and limits on the use of patient information for marketing purposes. Unfortunately, it appears the HIPAA restrictions on marketing are fairly weak and may not curb many unfortunate marketing practices, such as health plans hiring telemarketers to contact patients to sell them more health plan services.

  • Health Care Identity Theft. Because of concern about identity theft, Congress enacted the Fair and Accurate Credit Transaction (“FACT”) Act of 2003, which applies to financial institutions and other entities that accept payments over time. Under FACT, the Federal Trade Commission (“FTC”) has enacted a “Red Flag Rule” that requires covered entities, which can include health care companies that offer credit or deferred billing, to develop and implement a written identity theft prevention program. If you think that your private health information has been used for identity theft, you should contact the FTC as follows:

    FTC Identity Theft Data Clearinghouse
    600 Pennsylvania Avenue NW
    Washington, D.C. 20580

The United States Department of Health and Human Services Office for Civil Rights (“OCR”) has primary jurisdiction to oversee and enforce HIPAA. To obtain further information or to file a complaint regarding the privacy practices of a health plan or provider, contact the OCR as follows:

United States Department of Health & Human Services
Office for Civil Rights - Region Five
233 N. Michigan Avenue; Suite 240
Chicago, IL 60601
312-886-2359 or 866-627-7748



Minnesota has a number of state laws restricting the use and dissemination of personal health information by participants in the health care system. Some of these laws provide greater privacy protection than that granted under HIPAA. The general rule under Minnesota law is that a health care provider cannot share your health information with a third party unless you have given written consent or there is a law that authorizes the provider to share your information. Minnesota’s health privacy laws are complex, but the law requires providers to give patients notice of when a patient’s health records may be disclosed without the patient’s consent. This notice should be posted in the provider’s place of business or given to you.

There are also government resources available to help you address your health privacy concerns. First, the Minnesota Department of Health regulates many health care facilities, such as hospitals and nursing homes, and health maintenance organizations (“HMOs”), such as Medica, Blue Plus, Preferred One and HealthPartners. If you believe that a health care facility or HMO may have violated your privacy rights, you can contact the Department of Health as follows:

Minnesota Department of Health
P.O. Box 64882
St. Paul, MN 55164-0882
651-201-5100 or 800-657-3916

Second, the Minnesota Department of Commerce regulates certain health plan companies and health insurance companies, such as Blue Cross Blue Shield of Minnesota. If you believe that an insurance company or health plan company may have violated your privacy rights, you can contact the Department of Commerce as follows:

Minnesota Department of Commerce
85 East Seventh Place, Suite 500
St. Paul, MN 55101

Finally, if your health privacy complaint involves an individual health care practitioner, or if you are otherwise unsure which state agency or board to contact about your concerns, you can contact the Attorney General’s Office at 651-296-3353 or 800-657-3787 and we will assist you in identifying the proper regulatory agency.



The Medical Information Bureau (“MIB”) is an organization that compiles a central database of medical information. Approximately 15 million Americans and Canadians are on file in the MIB’s computers. More than 750 insurance firms use the services of the MIB, primarily to obtain information about life insurance and individual health insurance policy applicants. You are entitled to a free medical record disclosure once a year. You can get a copy by calling the Medical Information Bureau toll-free at 866-692-6901. For other questions or to correct your report, write to:

Medical Information Bureau
50 Braintree Hill Park, Suite 400
Braintree, MA 02184-8734

