Minnesota Health Records Act and HIPAA: Clinic Compliance Guide

Minnesota medical clinics must satisfy HIPAA plus the Minnesota Health Records Act (HRA, Minn. Stat. §§ 144.291–144.298), which governs patient access, disclosure restrictions, and breach notification independently. The HRA predates HIPAA and emphasizes affirmative patient consent more broadly than HIPAA’s treatment-payment-operations framework — which means your HIPAA program alone does not satisfy Minnesota law.

The Minnesota Health Records Act

The HRA at Minn. Stat. § 144.291 establishes a comprehensive framework for patient health record access and disclosure. It applies to providers of healthcare — any person who furnishes health care services including physicians, hospitals, clinics, and group practices — and to third parties who receive health records.

Patient access rights under the HRA

Minn. Stat. § 144.292(2) grants patients the right to access health records maintained by providers, including the right to review, inspect, and copy records. The statute requires the provider to furnish the requested records within 30 days of receiving the request. Unlike HIPAA’s 30-day window with a 30-day extension for off-site records, the HRA does not provide for extension. If your clinic needs more than 30 days to fulfill a records request, you must communicate proactively with the patient about the status of the request. You cannot take an additional 30 days as a matter of right under Minnesota law.

The HRA also sets fee limits for copies. Minn. Stat. § 144.292(6) caps charges for paper copies and electronic records at statutory maximums, which may be lower than what a clinic might charge under HIPAA’s cost-based fee standard at 45 CFR § 164.524(c)(4). Minnesota clinics must apply whichever fee cap is more protective of the patient.

Disclosure restrictions under the HRA

Minn. Stat. § 144.293 governs disclosure of health records to third parties. The statute requires patient consent for most disclosures — a framework that in several respects is more restrictive than HIPAA’s TPO exception, which permits disclosure without individual authorization for treatment, payment, and healthcare operations.

Under the HRA, disclosure without patient consent is permitted for:

• Treatment purposes, when the provider receiving the records is directly involved in the patient’s care
• Payment purposes, when disclosure is to a payer responsible for paying for the services
• Healthcare operations purposes, subject to specific limitations that in some cases are more restrictive than HIPAA’s definition of healthcare operations
• Specific mandated reporting purposes

The HRA explicitly addresses that even within the treatment exception, disclosure to a provider not directly involved in current care requires patient authorization. This is stricter than HIPAA, which permits treatment disclosures broadly. When your clinic shares records with a consulting physician outside the immediate treatment team, you need the patient’s authorization or a specific HRA exception — a HIPAA TPO justification is not enough.

Mental Health Record Protections Under the HRA

Minn. Stat. § 144.292 includes specific provisions for mental health records. Patients have the right to access their mental health records with certain limitations — for example, providers may deny access to specific portions of records if doing so would have a substantial adverse effect on the patient’s health or safety, but the overall right of access remains strong.

Disclosure of mental health records is governed by the general HRA consent requirements with additional constraints. The HRA interacts with other Minnesota mental health statutes, including the civil commitment provisions at Minn. Stat. § 253B.23, which govern records related to civil commitment proceedings and impose confidentiality requirements on those records.

Minnesota mental health professionals are also subject to the Minnesota Mental Health Practice Act at Minn. Stat. § 148B et seq., which creates licensing obligations and practice standards that include confidentiality requirements in the therapeutic relationship. A clinic providing mental health services under licensed professionals must comply with both the HRA disclosure framework and the licensing statute confidentiality requirements.

HIV/AIDS Confidentiality: Minn. Stat. § 144.4172

Minnesota’s HIV confidentiality law, at Minn. Stat. § 144.4172 et seq., classifies HIV test results and related information as private data on individuals. The statute restricts disclosure to a narrow set of authorized recipients.

Under Minn. Stat. § 144.4174, disclosure of HIV test results without written informed consent from the patient is permitted only in specifically enumerated circumstances, including:

• To healthcare providers with a direct treatment relationship with the patient and a need to know for treatment purposes
• To the Minnesota Commissioner of Health for epidemiological surveillance
• To first responders who experienced a significant exposure event, through a specific court process
• As specifically required by court order

The treatment-provider exception is narrower than HIPAA’s TPO framework. If your clinic wants to share an HIV-positive patient’s status with a referring specialist, you must confirm that the specialist has a direct treatment relationship and documented need to know — not merely that the referral is for treatment purposes.

Violation of the HIV confidentiality statute carries civil liability, and Minnesota’s human rights statutes also protect against discrimination based on HIV status. The combination of confidentiality law and anti-discrimination law makes HIV-related records one of the highest-risk categories for Minnesota clinics.

Substance Use Disorder Records

Minnesota clinics providing substance use disorder treatment must comply with both federal 42 CFR Part 2 — the federal confidentiality regulation for federally assisted substance use disorder treatment programs — and the Minnesota HRA. Under the HRA, alcohol and drug abuse treatment records require patient authorization consistent with both the HRA and 42 CFR Part 2. Because 42 CFR Part 2 is substantially more restrictive than HIPAA’s Privacy Rule, these records represent a category where federal law, not just HIPAA, imposes the strictest restrictions.

Minnesota Breach Notification: Minn. Stat. § 325E.61

Minnesota’s breach notification statute at Minn. Stat. § 325E.61 requires any entity that maintains personal information about a Minnesota resident to notify affected individuals in the most expedient time possible and without unreasonable delay following discovery of a breach. Minnesota does not specify a maximum number of days, unlike states that set 30-day or 45-day ceilings.

For HIPAA-covered breaches involving Minnesota residents, HIPAA’s 60-day ceiling is the absolute outer limit for HIPAA notification purposes. Minnesota’s “expedient” standard means you should aim to notify affected individuals well before 60 days whenever practically feasible. Document the full timeline from discovery to notification to demonstrate compliance with that standard.

Minnesota requires notification to affected individuals and, in some circumstances, to consumer reporting agencies, but does not require routine AG notification for breaches below a specific threshold. Clinics should monitor Minnesota AG guidance for any updated notification expectations.

Action Items for Minnesota Clinics

Update record access procedures to 30-day non-extendable deadline. Minnesota’s HRA does not permit the 30-day extension that HIPAA allows. Build record access response workflows that target fulfillment within 30 calendar days of any patient request.

Review disclosure authorization procedures for treatment-coordination disclosures. The HRA requires patient authorization for disclosures to providers not directly involved in current care. Review whether your referral and care coordination procedures comply with this requirement — a standard HIPAA TPO justification may not satisfy the HRA.

Implement HIV-specific disclosure controls. Build a specific disclosure review step for any record containing HIV test results or HIV-related information. Train staff that Minnesota law requires written consent or a specific statutory exception for HIV disclosures.

Verify fee caps for record copies. Compare your current copy fees against Minn. Stat. § 144.292(6) maximums. Apply the lower of the Minnesota cap or HIPAA’s cost-based fee standard.

Update breach response documentation. While Minnesota does not set a specific maximum-day deadline, document your breach response timeline carefully to demonstrate the “most expedient time” standard was satisfied. See HIPAA breach notification templates for a response framework.

For a foundational review of HIPAA’s administrative safeguards that underpin Minnesota compliance, see HIPAA administrative safeguards. For managing vendor relationships and BAAs that intersect with HRA vendor disclosure requirements, see how small clinics track vendor BAAs.

PHIGuard supports Minnesota clinics in maintaining the policy documentation, audit trails, and breach response timelines that HIPAA and HRA compliance requires — with current plan details published on the pricing page. See PHIGuard’s compliance tools or review pricing.