This article is a section taken from Minnesota Health Care Programs (MHCP), a part of the revisions and additions to the Minnesota Health Care Program Eligibility Policy Manual.

MHCP Data Privacy

Applications and other forms collect sensitive information on an individual that is needed to determine eligibility. Individuals can be harmed by the reckless disclosure of information about them, and, accordingly, there are significant penalties under both state and federal law for government agencies that violate laws designed to protect individuals and groups from such disclosure of information.

All Minnesota Health Care Programs (MHCP) application forms include a Notice of Privacy Practices. There is also a brochure on Information access and privacy (DHS-2667) that describes applicant and enrollee privacy rights.

Sharing of Information

State, county and tribal servicing agencies will only share information about applicants and enrollees as needed and as allowed or required by law.

Information sharing with providers

A provider can obtain the following information about MHCP enrollees without a release form from the enrollee:

  • Major program

  • Prepaid health plan

  • Spenddowns

  • Special transportation

  • Copay

  • Hospice

  • Waiver eligibility

  • Minnesota Restricted Recipient Program (MRRP)

  • Other health insurance coverage

  • Medicare coverage

  • Fee-for-service benefit limits

Long-term care providers can also obtain the following without a release form from an applicant or enrollee:

  • Confirmation that the person has applied for MA

  • Effective date of MHCP approval, denial or termination

Privacy Rights of Children

The Notice of Privacy Practices and the Minors section of the Minnesota Department of Human Services (DHS) Data Practices Manual describes what information may or may not be shared about children younger than age 18.

Safe at Home Address Confidentiality Program

The Safe at Home (SAH) Address Confidentiality Program helps survivors of violence by providing a substitute address for individuals and their children who move to a new location unknown to assailants or probable assailants. SAH participants can apply for MHCPs using their SAH address. The Minnesota Secretary of State, who administers this program, assures that participants receive their mail.

A person is not required to provide proof of participation in the SAH program. A court order is required to release a SAH participant’s information, including confirming or denying program participation.

Safe at Home program participants are granted good cause for not cooperating with medical support if they verify participation in the program with the ID card. SAH participants may also request and be granted good cause for late premium payments and for late submission or completion of renewals. See the MA Medical Support policy for more information.

MHCP enrollees participating in the Safe at Home program must notify their county, tribal or state servicing agency of their county of residence, but do not have to provide their address. Managed care enrollment and county of financial responsibility are determined by county of residence.

Immigration Information

Immigration information applicants and enrollees provide to state, county, and tribal servicing agencies are private. Immigration information is only used to determine MHCP eligibility. Immigration information is only shared when the law allows it or requires it, such as to verify identity. In most cases, applying for health coverage will not affect an applicant’s immigration status unless they are applying for payment of long-term care services. See the U.S. Immigration and Customs Enforcement (ICE), Clarification of Existing Practices Related to Certain Health Care Information website for more information.

People do not have to provide immigration information when they are:

  • Applying for Emergency MA (EMA) or MA for people receiving services at the Centers for Victims of Torture (MA-CVT)

  • Helping someone else apply

  • A pregnant woman living in the United States without the knowledge or approval of the United States Citizenship and Immigration Services (USCIS)

  • Not an applicant

Data Practices Violations

Willful violation of data privacy laws by a public employee is just cause for dismissal or suspension without pay. It is also a crime.

An individual affected by an agency’s violation of data privacy laws can seek several remedies under state and federal law. Applicants and enrollees may also file a lawsuit under the Minnesota Government Data Practices Act. They may also send a written complaint to the county, tribal or state servicing agency, the provider, or the federal civil rights office at:

U.S. Department of Health and Human Services
Office for Civil Rights, Region V
233 N. Michigan Avenue, Suite 240
Chicago, IL 60601
312-886-2359 (Voice)
800-368-1019 (Toll-Free)
800-537-7697 (TTY)
312-886-1807 (Fax)

If an applicant or enrollee thinks that DHS or MNsure has violated their privacy rights, they may send a written complaint to the U.S. Department of Health and Human Services at the address above or to:

Minnesota Department of Human Services – MNsure
Attn: Privacy Official
PO Box 64998
St. Paul, MN 55164-0998


The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), provides for the protection of individually identifiable health information that is transmitted or maintained in any form or medium. The privacy rules affect the day-to-day business operations of all organizations that provide medical care and maintain personal health information.

Applicants and enrollees are informed of their rights under HIPAA at application, renewal or any other time information is requested.

HIPAA also creates uniform methods to bill and share health information electronically between healthcare providers, payers and other organizations involved with health care delivery and payment.

State, county and tribal servicing agencies must follow HIPAA provisions as follows:

  • If a provision of the HIPAA privacy regulations conflicts with a state law, whichever offers more privacy protection governs.

  • If HIPAA and state law do not conflict, both state and federal privacy laws are followed.

Record Retention Policy

State, county and tribal servicing agencies maintain data in accordance with state and federal law. Information provided in an application for coverage is subject to the False Claims Act and may be retained for up to ten years. After the appropriate period, data is destroyed in a manner that prevents their contents from being determined, including the shredding of paper files and permanently removing electronic data to prevent the possibility of recovery. County servicing agencies must follow the County Human Services General Records Retention Schedule.

Data Review

MHCP applicants and enrollees may review private data that contain information about them. Both private and public data is shown to the subject of the data upon request.

Release of Information

An applicant or enrollee can complete the General Consent/Authorization for Release of Information (DHS-3549) to authorize the release of their information. In addition, they can authorize the release of their information to a Long Term Care Facility on the Long-Term Care/County Communication Form (DHS-3050).

Legal Citations

Code of Federal Regulations, title 45, section 310
Code of Federal Regulations, title 45, section 1210
Health Insurance Portability and Accountability Act, Public Law 104-191, 110 Stat. 1936 (1996)
Minnesota Rules, part 1205.1500
Minnesota Statutes, section 5B
Minnesota Statutes, section 13
Minnesota Statutes, section 138.17
Minnesota Statutes, sections 144.341 to 144.347
Minnesota Statutes, section 256B.056

CREDIT: The content of this post has been copied or adopted from the Minnesota Healthcare Programs Eligibility Policy Manual, originally published by the Minnesota Department of Human Services.

This is also part of a series of posts on Minnesota Healthcare Eligibility Policies.