Nonprofit, nonpartisan journalism. Supported by readers.


Your medical records are leaving town, and some privacy and health advocates aren’t happy about it

Your health care information is heading to Maine.

And when it comes back, you won’t recognize it, because it won’t be yours anymore.

It will be encrypted, analyzed and crunched to the hilt so state health officials can learn a little something about the way medical services are delivered in Minnesota.

The Minnesota Department of Health is in charge of this venture, known as “Encounter Data Collection.” It’s part of the state’s new health care reform laws passed in the waning hours of last year’s legislative session.

State health officials say your medical data will provide the raw material needed to find ways to empower consumers, increase quality and reduce the cost of Minnesota’s health care system. Health care spending in Minnesota increased 60 percent from $19 billion in 2000 to nearly $31 billion in 2006.

The reason the data are going all the way to Maine, apparently, is because the Maine Health Information Center was considered the most qualified vendor. According to Minnesota Department of Health officials, the company in Maine has decades of experience and the capacity to handle the job above and beyond the two other entities that applied for the $1.2 million data contract. The other applicants were Ingenix, a subsidiary of United Health,  and an unnamed coalition led by the University of Minnesota.

Some privacy and health care advocates are not happy about this data collection “reform” and want the program scrapped or, at the very least, the data kept in the state.

Getting to know all about you
The kind of data to be sent to Maine is already being collected and stored by your health care plan or third-party administrator, the entities that pay out claims for self-insured companies.

That data include such items as the insured’s name, age, ZIP code, the date a patient went to the hospital or clinic, the doctor’s name, the diagnosis, treatments and medication details.

Jim Golden, the Minnesota Health Department’s director of health policy, says the patient’s name and address will be “de-identified” — i.e., encrypted — so that each individual data record is essentially anonymous to the person handling it in Maine.

“This is done with state-of-the-art techniques,” says Golden. “It’s one-way encryption. There is no key to un-encrypt it, no way to go the other way.”

After the Maine company “cleans” the data, Golden says, it will be sent to another vendor (yet to be hired) for analysis and the creation of a “provider peer grouping” system — a combination of cost, quality, and standards-of-care measures, also commonly referred to as best practices, or evidence-based medicine.

“This type of system for ranking and evaluating cost and quality is going on right now in health plans,” says Golden. “But all the plans do it slightly differently, with different emphases on what data to use and how to look at quality.”

Assistant Health Commissioner Scott Leitz says that Minnesotans right now are not getting the best value for their health-care dollar, noting that individual out-of-pocket expenses have more than doubled from $221 in 2000 to $619 in 2007.

In the case of diabetes, for example, Leitz says research shows that only one of every six diabetics in the state is getting the best care he or she needs to manage the disease.

“We have an opportunity to close the gap between what we know is best practices and what’s actually being delivered in the system,” he says.

Leitz says handing over peer grouping responsibilities to the state will make the process more transparent, fair, and standardized, and will lead to lower costs for patients and a higher standard of care.

Julie Brunner is executive director of the Minnesota Council of Health Plans, which represents the state’s nonprofit health plans. H her organization supports a move toward statewide peer grouping, but she doesn’t think the state needs to go all the way to Maine to get the job done.

“We’re 100 percent behind more transparency in the system. No question,” says Brunner. “But there’s a different way to do this that keeps the data inside the health plan. It could be aggregated in exactly the same way in every plan, then submitted to a group outside the plan [but still in Minnesota].”

Brunner also says she’s not convinced the state needs to collect demographic information (name, age, sex, ZIP code) — also called “eligibility data” — for peer grouping.

“The addition of eligibility data increases what the [health] plans have to send to [Maine],” says Brenner. “And privacy advocates have raised huge questions regarding the gathering of this data.”

No “opting out”
Rep. Mary Liz Holberg, R-Lakeville, long has been an advocate for privacy and oversight of public records. The lawmaker pushed unsuccessfully last session for an “opt-out” provision in the health-care reform package.

Rep. Mary Liz Holberg

Rep. Mary Liz Holberg

Consequently, the state does not need your permission to gather this data, so all Minnesotans with health insurance (93 percent of the population) will be taking part in the data collection.

“I believe that right now the whole system is tilted to benefit access without permission, says Holberg. “I don’t know where this is going long term. It’s kind of like a pendulum swinging process. As we move toward more electronic records, the public will become more aware of the pitfalls and problems, and it should swing back a bit. But, right now, I don’t think the public is very aware of what’s happening. There’s also a large segment of the population who doesn’t care. I can respect that.”

The group sounding the loudest alarm against data collection is the Citizens’ Council on Health Care, which advocates for the right to a confidential doctor-patient relationship. Twila Brase, a former RN and public health nurse, is the group’s president.

“Lots of people say, ‘I have nothing to hide in my medical records,'” says Brase. “And I say, ‘Have you looked? Do you know what’s in your medical record?’ “

Brase and her organization have fought previous attempts by the Health Department to collect health data going back to 1995 and again in 2002. Last session was the first time the data collection, tucked into the larger reform package, became law.

Brase argues that once the government has access to medical data, the Health Department or the Legislature could use it for whatever they want in the future.

“The real issue is control and who will make the decisions,” says Brase. “And the government will claim ownership of our private data and use it against us.”

The Health Department’s Jim Golden says the state has no nefarious plans for the data and says that patient privacy will be maintained through de-identification.

Who decides the standard of care?
Aside from concerns over individual privacy, Brase questions the Health Department’s very justification for the data collection.

She says provider peer grouping, or evidence-based medicine, appears to be positive because its goal is to treat individual patients using the best evidence/practices derived from analyzed clinical data. Brase, however, says evidence-based guidelines are typically conflicting, incomplete and complicated, making it difficult for providers to comply.

Brase warns that a statewide peer grouping system would result in rationing care and hurting patients. She expects the peer grouping system to limit types of care and steer patients only to doctors favored by the system.

“[Health Department officials] made it very clear their plan is to tier providers,” says Brase. “A small cadre of people will be looking at our data and deciding what is effective, what can and cannot be done.”

The Legislature has given the Health Department expedited rulemaking authority, which means it is exempt from having to hold public hearings in order to implement the data collection program.

This infuriates Brase and privacy advocates, who want more public awareness about the measure.

During two days of public comment last month on the data collection initiative, the Health Department received 562 emails and letters asking for a public hearing.

But Golden says there won’t be a public hearing as part of the rulemaking process.

“However,” says Golden. “I would say in many aspects of the reform package, including data collection, we’ve had public meetings with the health plans and providers about how we’ll be ranking them or how the data collection will be used and its limitations. We’ll continue to have those meetings. Anyone who wants to provide feedback or comments, they can.”

Golden says the Health Department’s new rule on data collection will be published by mid-March in the state register. Once published, the public has 30 days to comment on it. Golden says the program is scheduled to start this summer.

Marisa Helms can be reached at mhelms [at] minnpost [dot] com.

You can also learn about all our free newsletter options.

Comments (9)

  1. Submitted by Steve Titterud on 03/10/2009 - 12:03 pm.

    The idea above that there is a difference, from a privacy point of view, between this data being kept in MN or going to a vendor out-of-state is a real laugher! The physical location has ABSOLUTELY nothing to do with it.

    Mr. Golden speaks with a forked tongue. His assurances that a scheme of so-called “one-way encryption” will protect your identity is not only blowing smoke up somewhere it doesn’t belong, it begs the question:

    If you claim you are essentially destroying the data about names, why are you collecting name data in the first place?

    It would be an amateur data practice to INCLUDE data in a collection for which you have no intended use. You may be certain that Mr. Golden’s comment is at the very least misleading.

    Obviously, SOMEONE SOMEWHERE has an intended use for the information about your name. There is no other legitimate reason your name should be included in the collection.

    However, maybe there is an understandable reason the Goldens of this world don’t want to have a public hearing on this issue – it might lead to uncomfortable questions about what their real intentions are regarding the use of your name.

    It is SO disheartening to me to find the MN Dept. of Health engaging in this kind of deception.

  2. Submitted by Bernice Vetsch on 03/10/2009 - 12:18 pm.

    By law, our medical records belong to each of us — NOT to a state department of health or to an insurance company or even to our health care provider.

    The only persons storing OUR records in a computer should be our primary physician. The only time he or she should release those records to someone else is with your written permission.

    Looks to me like the persons to gain from this terrible idea are those who make their living by insuring us (as little as possible, judging by their nationwide cadre of 2 million or more employees who serve as denial specialists).

  3. Submitted by Mary Tambornino Tambornino on 03/10/2009 - 12:45 pm.

    I thought we had disposed of this cockeyed idea long ago. I did not count on what might be included “in the dead of night”.

    I agree with Steve Titterud: Why collect date you are not going to use and really do not need, such as name, age, sex and zipcodes in order to decide about how to provide health care.

    If we really are concerned about providing health care, we will determinedly pay attention to what we know. We know that most of the cost of health care is providing for “Access”; we also know that 50% of your health status is determined by behavior, and that we spend about 4% of our heallth care dollars on behaviors and about 88% on Access. I am not certain how the collection and crunching of health care data will affect, and change, those percentages.

    I am dismayed each time I am confronted with the fact that we have no behaviorists involved in helping us make changing personal behaviors so that sensible decisions about this huge, unwieldy and nonsensical “health system” can be made with all the information neccessary to make them.

  4. Submitted by Amy Wilde on 03/10/2009 - 02:39 pm.

    Folks, this data is already owned by your health insurer and is accessed with frequency…and it is connected with your personal information.
    What is the motivation for your health insurer? Improved public health . . . or avoiding paying for the care of people with costly health conditions and figuring out whose policies to drop.
    I don’t think the MN Dept of Health is the bad guy here. By keeping their data “private” from the Dept of Health, health insurers hide what they really pay in medical care costs. The balance from your premiums is then available for bonuses for their high-level staff.
    Whether your insurance is through a private business (with your co-pays and premium share higher every year) or contracted to health plans through government subsidies (Medicaid, Medicare, MnCare), the public pays a high price for keeping this information hidden from everyone except the managed care organizations. Analyzing this data without identifying personal information attached (age, gender and geographic location are useful in identifying chronic problem areas) could actually shed light on wasteful health care spending and locations with serious public health conditions.

  5. Submitted by William Wallace on 03/10/2009 - 10:20 pm.

    For some reason, only certain fields are being encrypted. Your zip code is not being encrypted for some reason. Even the Minnesota abortion survey is required to remove zip code information, because some zip codes are so sparsely populated, that it is not difficult to figure out who had an abortion.

    The same should go for this, assuming it can’t be stopped altogether. All identifying information should be made double blind, with identifying information being stored in one location, and treatments to another.

    This is just another power grab by the government.

  6. Submitted by Tom Horner on 03/11/2009 - 02:12 pm.

    This discussion would be much more useful if it were supported by facts. Here are just a few:

    Shannon Brownlee, an award-winning journalist, is just one of many who, after exhaustive and independent research, estimate that the cost of unnecessary care and procedures is at least 20 to 30 cents of every health dollar. Identifying the procedures that work and those that simply waste dollars requires data.

    It is not true that behavior accounts for only 4% of health spending. While figures vary, it is indisputable that the leading causes of preventable death and disease are tobacco use, poor nutrition and lack of physical activity — all behavior in nature.

    The overwhelming majority of Minnesotans receive their health coverage through non-profit plans. While some executives of these plans are well paid, they are not receiving huge bonuses. As documented in their government filings and reported in multiple media, top health plan salaries for 2007 were less than $1.5 million, including benefits and retirement contributions. Hardly a pittance, but not out of line given the size of Minnesota’s health plans.

    Health care is complex enough without supposedly credible people making incredible claims.

  7. Submitted by Beth Sikkema on 03/11/2009 - 05:44 pm.

    One interesting thing – I’m a health care worker and also a patient in the system that employs me. I contacted out Health Information System people (medical records to those of us in the know for years) because I wanted to obtain a list of everyone who had accessed MY personal records within the past 6 months.

    I was refused this information by the health care system – a biggie in the TC – and was told that I could only have access to this if I could prove that I had a suspicion beyond a reasonable coubt that someone had accessed my records inappropriately.

    Seems to me that if these records belong to me – I should have a right to know who is accessing them….

    Disturbing to me. Not sure how to pursue with follow-up. any thoughts?

  8. Submitted by Steve Titterud on 03/11/2009 - 07:33 pm.

    Beth Sikkema: First, go directly to your organization’s HIPAA compliance officer (bypass medical records personnel and anyone else who might insert themselves), and request an “Accounting of Disclosures”, in writing.

    There are limits. See

    for a detailed listing of what’s included and excluded, based on the U. of M.’s policy interpretation of HIPAA rules. This bears a 2003 date, and I’m not actually certain if this is current, but it’s a good start. Maybe you could call the U. and ask them if this remains current policy.

    But read the list carefully. For example, “pursuant to an authorization” is excluded. If you’ve signed a document which grants your authorization to disclose information to a 3rd party, it appears this would not need to be disclosed to you.

    Another route to take is to find a business analyst in your organization who is required to know the full HIPAA rules to perform their job. Ask that person.

    Hope this helps…

  9. Submitted by Steve Titterud on 03/11/2009 - 08:21 pm.

    There is some interesting reading, related to a patient’s right to know about disclosures of personal health information (PHI), at

    It quotes the Association of Academic Health Centers in Feb. 2009, regarding a survey they did on the impact of the HIPAA privacy rule:

    “Accounting of Disclosures Is a Burden

    Many hospitals and institutions contend that accounting for disclosures is a burden even though it’s not clear that many actual requests are being made and fulfilled. Yet, simply preparing to respond to a request poses costs, the survey documented.

    The HIPAA privacy rule gives every patient the right to request a record of certain instances in which the institution shared (or disclosed) his or her PHI with another institution for the six years prior to the request,” the AAHC says.

    There are also monetary penalties, I believe, for failure to comply with a request for an Accounting of Disclosures – and they are significant.

Leave a Reply