Subdivision 1. Applicability. MNsure is a state agency for purposes of the Minnesota Government Data Practices Act and is subject to all provisions of chapter 13, in addition to the requirements contained in this section.
Subd. 2. Definitions. As used in this section:
(1) "individual" means an individual according to section 13.02, subdivision 8, but does not include a vendor of services; and
(2) "participating" means that an individual, employee, or employer is seeking, or has sought an eligibility determination, enrollment processing, or premium processing through MNsure.
Subd. 3. General data classifications. The following data collected, created, or maintained by MNsure are classified as private data on individuals, as defined in section 13.02, subdivision 12, or nonpublic data, as defined in section 13.02, subdivision 9:
(1) data on any individual participating in MNsure;
(2) data on any individuals participating in MNsure as employees of an employer participating in MNsure; and
(3) data on employers participating in MNsure.
Subd. 4. Application and certification data. (a) Data submitted by an insurance producer in an application for certification to sell a health plan through MNsure, or submitted by an applicant seeking permission or a commission to act as a navigator or in-person assister, are classified as follows:
(1) at the time the application is submitted, all data contained in the application are private data, as defined in section 13.02, subdivision 12, or nonpublic data as defined in section 13.02, subdivision 9, except that the name of the applicant is public; and
(2) upon a final determination related to the application for certification by MNsure, all data contained in the application are public, with the exception of trade secret data as defined in section 13.37.
(b) Data created or maintained by a government entity as part of the evaluation of an application are protected nonpublic data, as defined in section 13.02, subdivision 13, until a final determination as to certification is made and all rights of appeal have been exhausted. Upon a final determination and exhaustion of all rights of appeal, these data are public, with the exception of trade secret data as defined in section 13.37 and data subject to attorney-client privilege or other protection as provided in section 13.393.
(c) If an application is denied, the public data must include the criteria used by the board to evaluate the application and the specific reasons for the denial, and these data must be published on the MNsure website.
Subd. 5. Data sharing. (a) MNsure may share or disseminate data classified as private or nonpublic in subdivision 3 as follows:
(1) to the subject of the data, as provided in section 13.04;
(2) according to a court order;
(3) according to a state or federal law specifically authorizing access to the data;
(4) with other state or federal agencies, only to the extent necessary to verify the identity of, determine the eligibility of, process premiums for, process enrollment of, or investigate fraud related to an individual, employer, or employee participating in MNsure, provided that MNsure must enter into a data-sharing agreement with the agency prior to sharing data under this clause; and
(5) with a nongovernmental person or entity, only to the extent necessary to verify the identity of, determine the eligibility of, process premiums for, process enrollment of, or investigate fraud related to an individual, employer, or employee participating in MNsure, provided that MNsure must enter into a contract with the person or entity, as provided in section 13.05, subdivision 6 or 11, prior to disseminating data under this clause.
(b) MNsure may share or disseminate data classified as private or nonpublic in subdivision 4 as follows:
(1) to the subject of the data, as provided in section 13.04;
(2) according to a court order;
(3) according to a state or federal law specifically authorizing access to the data;
(4) with other state or federal agencies, only to the extent necessary to carry out the functions of MNsure, provided that MNsure must enter into a data-sharing agreement with the agency prior to sharing data under this clause; and
(5) with a nongovernmental person or entity, only to the extent necessary to carry out the functions of MNsure, provided that MNsure must enter a contract with the person or entity, as provided in section 13.05, subdivision 6 or 11, prior to disseminating data under this clause.
(c) Sharing or disseminating data outside of MNsure in a manner not authorized by this subdivision is prohibited. The list of authorized dissemination and sharing contained in this subdivision must be included in the Tennessen warning required by section 13.04, subdivision 2.
(d) Until July 1, 2014, state agencies must share data classified as private or nonpublic on individuals, employees, or employers participating in MNsure with MNsure, only to the extent such data are necessary to verify the identity of, determine the eligibility of, process premiums for, process enrollment of, or investigate fraud related to a MNsure participant. The agency must enter into a data-sharing agreement with MNsure prior to sharing any data under this paragraph.
Subd. 6. Notice and disclosures. (a) In addition to the Tennessen warning required by section 13.04, subdivision 2, MNsure must provide any data subject asked to supply private data with:
(1) a notice of rights related to the handling of genetic information, pursuant to section 13.386; and
(2) a notice of the records retention policy of MNsure, detailing the length of time MNsure will retain data on the individual and the manner in which it will be destroyed upon expiration of that time.
(b) All notices required by this subdivision, including the Tennessen warning, must be provided in an electronic format suitable for downloading or printing.
Subd. 7. Summary data. In addition to creation and disclosure of summary data derived from private data on individuals, as permitted by section 13.05, subdivision 7, MNsure may create and disclose summary data derived from data classified as nonpublic under this section.
Subd. 8. Access to data; audit trail. (a) Only individuals with explicit authorization from the board may enter, update, or access not public data collected, created, or maintained by MNsure. The ability of authorized individuals to enter, update, or access data must be limited through the use of role-based access that corresponds to the official duties or training level of the individual, and the statutory authorization that grants access for that purpose. All queries and responses, and all actions in which data are entered, updated, accessed, or shared or disseminated outside of MNsure, must be recorded in a data audit trail. Data contained in the audit trail are public, to the extent that the data are not otherwise classified by this section.
The board shall immediately and permanently revoke the authorization of any individual determined to have willfully entered, updated, accessed, shared, or disseminated data in violation of this section, or any provision of chapter 13. If an individual is determined to have willfully gained access to data without explicit authorization from the board, the board shall forward the matter to the county attorney for prosecution.
(b) This subdivision shall not limit or affect the authority of the legislative auditor to access data needed to conduct audits, evaluations, or investigations of MNsure or the obligation of the board and MNsure employees to comply with section 3.978, subdivision 2.
(c) This subdivision does not apply to actions taken by a MNsure participant to enter, update, or access data held by MNsure, if the participant is the subject of the data that is entered, updated, or accessed.
Subd. 9. Sale of data prohibited. MNsure may not sell any data collected, created, or maintained by MNsure, regardless of its classification, for commercial or any other purposes.
Subd. 10. Gun and firearm ownership. MNsure shall not collect information that indicates whether or not an individual owns a gun or has a firearm in the individual's home.
History: 2013 c 9 s 8; 2013 c 108 art 1 s 67
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.