Kelly SCHNEIDER, et al., on behalf of themselves and all others similarly situated, Appellants, v. CHILDREN'S HEALTH CARE, d/b/a Children's Hospital and Clinics, et al., Respondents.
Appellants Kelly Schneider and Evarist Schneider II challenge the summary-judgment dismissal of their claim against respondents Children's Healthcare, d/b/a Children's Hospital and Clinics (the hospital), and its institutionally related foundation, Children's Health Care Foundation (the foundation), for violating the Minnesota Health Records Act (MHRA) when the hospital disclosed protected health information about their child to the foundation without appellants’ consent. Because the MHRA permits disclosure of health information with “specific authorization in law,” and a federal regulation implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) specifically authorizes disclosure of the type of health information at issue here for fundraising purposes without patient consent, we hold, as a matter of law, that respondents did not violate the MHRA. We therefore affirm.
The material facts are undisputed. Appellants learned that the hospital had disclosed certain health information about their child to the foundation for fundraising purposes when appellants were informed of a security breach involving the foundation's fundraising database. Appellants claim that they did not consent to the hospital's disclosure of their child's health information to the foundation. Appellants filed a complaint alleging that respondents violated the MHRA, Minn. Stat. §§ 144.291-.34 (2020), in connection with the disclosure.
Respondents moved to dismiss appellants’ complaint, arguing that it failed to state a claim because the MHRA permits disclosures specifically authorized in law and a federal HIPAA regulation specifically authorizes a hospital to disclose health information to a related foundation for fundraising purposes without patient consent. The district court denied the motion, concluding that, while the federal regulation—45 C.F.R. § 164.514(f) (2020)—constitutes a specific authorization in law under the MHRA, the question of whether the hospital had complied with the federal regulation by giving the requisite HIPAA privacy notice was not resolvable on the motion to dismiss.
Respondents later moved for summary judgment. The district court granted that motion, concluding that the undisputed evidence establishes that the hospital complied with the HIPAA privacy-notice requirement 1 and that the disclosure was permitted by the federal regulation and, by extension, the MHRA.
Does the MHRA permit the disclosure of health records without a patient's consent when disclosure is specifically authorized in a federal regulation implementing HIPAA that allows for disclosure for fundraising purposes?
Appellate courts review a district court's grant of summary judgment de novo to determine “whether there are genuine issues of material fact and whether the district court erred in its application of the law.” Montemayor v. Sebright Prods., Inc., 898 N.W.2d 623, 628 (Minn. 2017) (quotation omitted). A reviewing court views the evidence in the light most favorable to the party against whom summary judgment was granted. Id. (quotation omitted).
At the heart of this case is section 144.293, subdivision 2, of the MHRA. It states:
A provider, or a person who receives health records from a provider, may not release a patient's health records to a person without:
(1) a signed and dated consent from the patient or the patient's legally authorized representative authorizing the release;
(2) specific authorization in law; or
(3) a representation from a provider that holds a signed and dated consent from the patient authorizing the release.
Respondents argue that the disclosure of the health information here was permitted under the second clause, which allows release with a “specific authorization in law,” because the disclosure was authorized in federal regulatory law. Specifically, respondents rely on the HIPAA regulation allowing a health care provider to use or disclose to a business associate or to an institutionally related foundation the type of limited health information at issue here “for the purpose of raising funds for its own benefit” without the patient's consent. 45 C.F.R. § 164.514(f)(1). Appellants counter that “specific authorization in law” refers only to Minnesota law, not federal law, and that Minnesota law does not authorize the disclosure.
To resolve this dispute, we must interpret the phrase “specific authorization in law.” We review the interpretation of a statute de novo. See Cocchiarella v. Driggs, 884 N.W.2d 621, 624 (Minn. 2016). The purpose of statutory interpretation is “to ascertain and effectuate the intention of the legislature.” Minn. Stat. § 645.16 (2020). When the meaning of the statute is unambiguous, the plain language of the statute controls. State v. Pakhnyuk, 926 N.W.2d 914, 920 (Minn. 2019). To determine the plain meaning of a statute, we construe words according to their common and ordinary meaning and the rules of grammar. See id. We do not examine the disputed statutory language in isolation but rather read and interpret the provisions of the statute as a whole. See id. If the plain language of the statute is subject to more than one reasonable interpretation, then the statute is ambiguous. Id. In that case, we may use canons of construction to resolve the ambiguity. See id.
Appellants argue that the plain language and context of the phrase “specific authorization in law,” as well as common sense, make clear that the legislature intended to permit only disclosures authorized in Minnesota law, not in federal law. They observe that the MHRA prohibits disclosures except as “specified in subdivisions 2 to 9 and sections 144.294 and 144.295” of the Act, Minn. Stat. § 144.293, subd. 1, and that those sections do not include the word “federal.” Appellants state that this ends the analysis.
But the statutory language cited by appellants permits disclosures pursuant to subdivision 2, and subdivision 2 permits disclosures specifically authorized in law. The absence of the word “federal” in subdivision 2 does not plainly mean that federal law is excluded and that only Minnesota law applies. In fact, such an interpretation of subdivision 2 would require us to modify the phrase at issue to read “specific authorization in Minnesota law.” We cannot add language that the legislature has omitted. See Hibbing Taconite Co., J.V. v. Comm'r of Revenue, 958 N.W.2d 325, 330-31 (Minn. 2021).
Appellants contend, though, that Minnesota caselaw requires the legislature to be explicit when it intends to incorporate federal law. They point to Hutchinson Tech., Inc. v. Comm'r of Revenue, 698 N.W.2d 1 (Minn. 2005). Hutchinson involved statutory interpretation of Minnesota tax law governing foreign sales corporations, which specifically referenced “federal taxable income” for calculating Minnesota taxable income. 698 N.W.2d at 9. The supreme court concluded that, while Minnesota had expressly incorporated federal taxable income as the starting point for calculation of Minnesota taxable income, “that does not mean that all related provisions of federal tax law have been incorporated into state law.” Id. at 11. Hutchinson is distinguishable from the case at hand because it did not involve a general “authorization in law” phrase but instead interpreted a Minnesota statute that explicitly incorporated federal law only at some points. Thus, Hutchinson does not require that we interpret “specific authorization in law” to exclude federal law.
Appellants also argue that respondents’ interpretation of section 144.293, subdivision 2, has no limiting principle because it would result in the statute incorporating not just federal law but also the law of any other state. The argument is unconvincing. By permitting disclosures with “specific authorization in law,” the statute plainly refers to applicable law that authorizes disclosure in Minnesota. Unlike HIPAA, another state's medical privacy law would not apply in Minnesota.
Appellants also cite the presumption against federal preemption, a canon of construction, in support of their interpretation. But we do not apply the canons of construction when the language is plain. See Pakhnyuk, 926 N.W.2d at 920 (observing that the canons may be applied when a statute is ambiguous). In any event, the decision to permit disclosures specifically authorized in federal law—in this case by a HIPAA regulation—is a decision by the Minnesota legislature; it does not equate to federal preemption of a state law.
Appellants also argue that we must interpret section 144.293, subdivision 2, to mean only Minnesota law to avoid an unconstitutional result. Specifically, appellants contend that, if “specific authorization in law” includes the HIPAA regulation regarding disclosure for fundraising purposes, the Minnesota legislature has unconstitutionally delegated its legislative power to federal regulators. We disagree.
Under the Minnesota Constitution, the powers of government are divided into separate legislative, executive, and judicial branches. Minn. Const. art. 3, § 1. The nondelegation principle has its roots in the doctrine of the separation of powers and holds that the legislature “cannot delegate purely legislative power to any other body, person, board, or commission.” Lee v. Delmont, 228 Minn. 101, 36 N.W.2d 530, 538 (1949) (deciding that administrative rules relating to the qualifications of barbers did not represent an unconstitutional delegation of power).
To argue that the nondelegation principle applies here, appellants rely on Wallace v. Comm'r of Tax'n, 289 Minn. 220, 184 N.W.2d 588 (1971). In Wallace, the Minnesota legislature had defined “gross income” as the “adjusted gross income as computed for federal income tax purposes.” 184 N.W.2d at 590 (quoting Minn. Stat. § 290.01, subd. 20 (1961)). Following enactment of the Minnesota statute, the federal law was changed to impose a 30-day waiting period before sick pay could be excluded from gross income. Id. at 589-91. The supreme court held that the Minnesota law adopted the federal law as it existed at the time that the Minnesota statute was adopted, not federal law as it was subsequently amended. Id. at 593. The supreme court invoked the nondelegation principle, id. at 591, and observed that that principle is expressed in the Minnesota Constitution, “which states in part: ‘The power of taxation shall never be surrendered, suspended or contracted away,’ ” id. (quoting Minn. Const. art. 9, § 1).
This case is different from Wallace. The MHRA is not a tax law, and the Minnesota constitutional provision cited by the Wallace court does not apply. Further, by allowing disclosures without consent when there is a “specific authorization in law,” the legislature has not delegated its legislative power; rather, it has exercised its legislative power to make the policy choice of permitting disclosure of health records when specifically authorized by laws regarding health information. See Minn. Stat. § 144.293, subd. 2.
Moreover, even if Wallace applied, that case includes an exception to the nondelegation principle for statutes that “are auxiliary in nature and seek to achieve uniformity in implementation of national programs and policies.” Wallace, 184 N.W.2d at 592. It is sensible to conclude that the legislature intended to permit health-care providers to follow federal medical privacy law when it does not conflict with Minnesota law. See Minn. Energy & Econ. Dev. Auth. v. Printy, 351 N.W.2d 319, 351-52 (Minn. 1984) (rejecting a Wallace challenge to a Minnesota statute defining “eligible small businesses” to incorporate by reference the definition of that term contained in federal small-business-administration regulations because there were “good reasons to coordinate federal and state” law); Minn. Recipients All. v. Noot, 313 N.W.2d 584, 587 (Minn. 1981) (rejecting a Wallace challenge to a Minnesota statute using federal regulations to calculate aid payments under Aid to Families with Dependent Children (AFDC) in part because “[i]t would be unworkable and illogical to lock the state's AFDC program into federal regulations dating, in some cases, back to 1937” and because “[a]s a cooperative state-federal program, it is appropriate that when the state law incorporates federal regulations, it brings with that incorporation subsequent changes in the federal regulations”). Thus, the nondelegation principle does not compel us to interpret section 144.293, subdivision 2, to mean only specific authorization in Minnesota law.
Lastly, appellants assert a “reverse preemption” argument, arguing that Minnesota law trumps the HIPAA regulation and makes the hospital's disclosure a violation under state law. They rely on another HIPAA regulation that provides that, if a state law related to health-information privacy is more stringent than HIPAA or its regulations, then the more stringent state law applies. See 45 C.F.R. 160.203(b) (2020). Appellants argue that the MHRA is more restrictive than HIPAA because the MHRA does not allow disclosure of health information without consent for fundraising purposes.
But this argument assumes that the phrase “specific authorization in law” in section 144.293, subdivision 2, does not include the HIPAA regulation. Because, as discussed above, it does include that regulation, the MHRA is not more stringent than HIPAA. And appellants have not identified another provision in Minnesota law that would restrict the hospital's ability to disclose certain health information for fundraising purposes. Because Minnesota law is not more stringent than the HIPAA regulation, the reverse-preemption argument fails.
In sum, we hold that the plain meaning of section 144.293, subdivision 2, is that “specific authorization in law” includes the HIPAA regulation permitting disclosure for fundraising purposes.2
Because Minn. Stat. § 144.293, subd. 2, of the MHRA permits the disclosure of health information without a patient's consent as specifically authorized in the HIPAA regulation regarding disclosure for fundraising purposes, as a matter of law the hospital's disclosure to the foundation did not violate the MHRA and the district court did not err by granting summary judgment for respondents.
1. Appellants no longer dispute that the hospital complied with the privacy-notice requirement.
2. This conclusion accords with our previous decision in an unpublished opinion interpreting section 144.293, subdivision 2, stating that “[n]othing in the MHRA suggests that the specific authorization in law must emanate from the MHRA itself.” Accts. Receivable Servs., LLC v. Ojika, No. A16-1536, 2017 WL 1436086, at *5 (Minn. App. Apr. 24, 2017). In Ojika, we applied a different HIPAA regulation and ultimately remanded the case because the appellant—an entity subject to HIPAA—had not sufficiently shown that it had satisfied the HIPAA regulation. We therefore implicitly concluded that “specific authorization in law” includes HIPAA regulations. We now expressly so hold.
SMITH, TRACY M., Judge