Minnesota Healthcare Privacy Laws Explained: MHRA vs. HIPAA and Your Patient Rights


Kevin Henry

Data Privacy

January 23, 2026


Minnesota Health Records Act Overview

The Minnesota Health Records Act (MHRA) is the state’s primary medical privacy law. It governs how healthcare providers, clinics, hospitals, and health plans in Minnesota create, use, store, and disclose “health records.” In this article, MHRA refers to the Minnesota Health Records Act—not the similarly named Minnesota Human Rights Act.

MHRA is built on a consent-first model: unless a specific statute allows a disclosure, a provider generally needs your written permission before releasing your health records. This standard is often stricter than federal rules and is designed to put you in control of your information.

Key themes include patient access and correction rights, detailed patient consent requirements, strong mental health record protections, and clear expectations for healthcare privacy enforcement. When MHRA is stricter than federal law, the stricter rule usually applies in Minnesota.

Who must comply

  • Licensed healthcare providers and facilities that maintain health records.
  • Health plans and certain intermediaries handling patient information.
  • Business partners that receive records from a provider may also have duties via contract and other laws.

HIPAA Privacy Rule Fundamentals

The HIPAA Privacy Rule is a federal baseline that applies to covered entities—health plans, most healthcare providers that conduct electronic transactions, and healthcare clearinghouses—and to their business associates. It protects “protected health information” (PHI) and sets national standards for permitted uses and disclosures.

HIPAA allows PHI to be used and disclosed without written authorization for treatment, payment, and healthcare operations, and for specific public interest activities (for example, certain public health reporting, law enforcement requests, and court orders). When an authorization is required, HIPAA prescribes content elements and gives you the right to revoke it.

You have core HIPAA rights: to access copies of your PHI, request amendments, obtain an accounting of certain disclosures, request restrictions, and receive confidential communications. HIPAA also requires a Notice of Privacy Practices and adherence to the “minimum necessary” standard for most non-treatment uses.

Enforcement is handled by the U.S. Department of Health and Human Services’ Office for Civil Rights. HIPAA does not provide a private right of action; individuals cannot sue directly under HIPAA, although state laws like the MHRA may allow lawsuits.

Patient Rights under MHRA

MHRA reinforces your control over Minnesota health records and often surpasses HIPAA’s baseline. If MHRA is more protective than HIPAA, the Minnesota rule typically governs the provider in Minnesota.

Your core rights

  • Access and copies: You can inspect and obtain copies of your medical records within a reasonable time. Reasonable, cost-based copy fees may apply, and electronic copies should be provided when feasible.
  • Corrections: You can request that inaccurate or incomplete information be amended. Providers may add a statement of disagreement if they decline your request, and that statement travels with the record.
  • Notice and consent: You are entitled to clear information about patient consent requirements and when your authorization is needed for disclosures.
  • Accounting of disclosures: You can ask for a list of certain disclosures that occur without your authorization.
  • Restrictions and confidential communications: You can request added limits on sharing and ask that communications be sent to a specific address or by a specific method.

Mental health record protections

MHRA provides heightened safeguards for mental health records. Clinical psychotherapy notes are treated with exceptional care and typically require distinct, specific authorization for disclosure. Sensitive segments—such as reproductive health, HIV-related information, genetic data, and substance use disorder records—may be further protected by other federal or state laws in addition to MHRA.

Consent is central to Minnesota Health Records Act compliance. In many situations, a provider needs your signed authorization before releasing records to third parties, even when HIPAA might otherwise permit sharing.

Elements of a valid authorization

  • Identity of the patient and the provider or facility releasing the records.
  • Specific description of the information to be disclosed (not blanket, open-ended language).
  • Purpose of the disclosure and to whom the disclosure may be made.
  • Expiration date or event and your right to revoke the authorization in writing.
  • Signature and date of the patient or authorized representative.
  • Current treatment or care coordination among providers, especially in emergencies.
  • Payment-related activities necessary to process claims and manage benefits.
  • Public health reporting, oversight, and other disclosures required or expressly permitted by law or court order.

Special categories

  • Psychotherapy notes: Typically require a separate, more specific authorization.
  • Substance use disorder records: Often subject to additional federal protections that demand explicit consent for most disclosures.
  • Minor-consented services: If a minor lawfully consents to certain services, disclosures of those specific records may require the minor’s authorization.

Enforcement and Penalties under MHRA

MHRA supports robust healthcare privacy enforcement at the state level. Providers that mishandle Minnesota health records can face multiple consequences.

  • Private right of action: You may be able to sue for violations of the Minnesota Health Records Act and seek damages and other relief.
  • Regulatory enforcement: State authorities and professional licensing boards can investigate, impose discipline, and require corrective action.
  • Criminal exposure: Intentional, unauthorized access or disclosure may trigger criminal liability under applicable state laws.
  • Contractual and operational impacts: Violations can lead to breach remediation, patient notification duties, and tightened compliance obligations.

Differences Between MHRA and HIPAA

  • Consent standard: MHRA generally requires patient consent for many disclosures where the HIPAA Privacy Rule would permit sharing without an authorization (for treatment, payment, and operations). This makes MHRA stricter in day-to-day practice.
  • Scope and definitions: HIPAA protects PHI held by covered entities and business associates; MHRA regulates health records maintained by Minnesota providers and plans, sometimes capturing scenarios HIPAA does not reach.
  • Enforcement: HIPAA lacks a private right of action; MHRA allows private lawsuits, a key difference for individuals seeking remedies.
  • Mental health protections: Both recognize heightened sensitivity, but MHRA often layers additional requirements for mental health record protections and other sensitive data.
  • Preemption: HIPAA sets a federal floor. In Minnesota, the stricter rule—often MHRA—controls, unless a federal requirement specifically preempts state law.
  • Government records: HIPAA applies only to covered entities; many Minnesota government records are instead governed by the Minnesota Data Practices Act.

Applicability of HIPAA to Minnesota Government Entities

HIPAA applies to Minnesota government entities only when they are covered entities or business associates. Examples include a state Medicaid program, a county-operated clinic that bills electronically, or a public hospital. These entities must follow HIPAA and, where stricter, the Minnesota Health Records Act.

Many other public bodies—agencies, boards, and non-covered county departments—are primarily governed by the Minnesota Data Practices Act (also called the Minnesota Government Data Practices Act). Some may be “hybrid entities,” where only the healthcare component is subject to HIPAA. If a public body serves as a business associate to a HIPAA-covered provider, a business associate agreement and HIPAA safeguards apply to that work.

Summary

In Minnesota, you benefit from both HIPAA’s national standards and MHRA’s strong, consent-driven protections. Know your rights to access and correct records, expect clear patient consent requirements before most disclosures, and rely on state-level healthcare privacy enforcement—including a private right of action—when rules are broken.

FAQs

What are the key differences between MHRA and HIPAA?

HIPAA sets a federal floor and often permits disclosures for treatment, payment, and operations without written authorization. MHRA is typically stricter, requiring consent for many disclosures and offering a private right of action so you can sue for violations. When MHRA is more protective, Minnesota providers generally must follow the state rule.

How does Minnesota law protect mental health records?

MHRA provides enhanced mental health record protections, often requiring specific, written authorizations before disclosure and recognizing special sensitivity for psychotherapy notes. Other categories—like substance use disorder, HIV-related, and genetic information—may receive additional layered protections under state and federal law.

What rights do patients have to access and correct their medical records?

You have the right to inspect and get copies of your records within a reasonable time, to request amendments of inaccurate or incomplete information, to receive an accounting of certain disclosures, and to ask for restrictions and confidential communications. If a provider declines an amendment, your statement of disagreement must be included with the record.

Can patients sue for health privacy violations under Minnesota law?

Yes. Unlike HIPAA, the Minnesota Health Records Act allows a private right of action. If your Minnesota health records are mishandled in violation of MHRA, you may bring a lawsuit seeking damages and other appropriate relief, in addition to any regulatory enforcement that may occur.
