Schneider v. Children's Health Care
Annotate this Case
Justia Opinion Summary
Want to stay in the know about new opinions from the Minnesota Supreme Court?
Sign up for free summaries delivered directly to your inbox. Learn More ›
You already receive new opinion summaries from Minnesota Supreme Court. Did you know we offer summary newsletters for even more practice areas and jurisdictions? Explore them here.
The Supreme Court affirmed the decision of the court of appeals affirming the judgment of the district court concluding that federal regulations implementing the federal Health Insurance Portability and Accountability Act (HIPAA) is a "specific authorization in law" under Minn. Stat. 144.293, subd. 2(2), holding that the court of appeals did not err.
After Children's Health Care informed Appellants that their child's protected health information was disclosed to Children's institutionally-related foundation and its business associate for fundraising purposes Appellants sued, arguing that Children's violated the Minnesota Health Records Act, Minn. Stat. 144.291-.298. The district court granted summary judgment for Children's, concluding that the disclosure of the patient's health information was specifically authorized in law by federal regulations implementing HIPAA. The court of appeals affirmed. The Supreme Court affirmed, holding that the disclosure of the health information at issue was permitted by a "specific authorization in law," as that phrase is used in the Minnesota Health Records Act.
Download PDF
STATE OF MINNESOTA IN SUPREME COURT A22-0275 Court of Appeals Kelly Schneider, et al., on behalf of themselves and all others similarly situated, Hudson, C.J. Took no part, Procaccini, J. Appellants, vs. Filed: October 11, 2023 Office of Appellate Courts Children’s Health Care, d/b/a Children’s Hospital and Clinics, et al., Respondents. ________________________ A. L. Brown, Marcus L. Almon, Capitol City Law Group, LLC, Saint Paul, Minnesota, for appellants. Danyll W. Foix, Baker & Hostetler LLP, Washington, District of Columbia; and David A. Carney, Baker & Hostetler LLP, Cleveland, Ohio, for respondents. Mark R. Bradford, Alexander D. Klein, Bradford Andresen Norrie & Camarotto, Bloomington, Minnesota, for amicus curiae Minnesota Hospital Association. ________________________ SYLLABUS A federal regulation permitting the disclosure of health information for fundraising purposes is a “specific authorization in law” under the Minnesota Health Records Act, Minn. Stat. § 144.293, subd. 2(2) (2022). Affirmed. 1 OPINION HUDSON, Chief Justice. Appellants Kelly and Evarist Schneider II (the Schneiders) were informed by respondent Children’s Health Care (Children’s) that protected health information of their child, M.S., was disclosed by Children’s to its institutionally related foundation and its business associate for fundraising purposes. The Schneiders claimed that they had not given consent to Children’s to disclose M.S.’s health information for fundraising purposes, and they therefore sued Children’s for violating the Minnesota Health Records Act. See Minn. Stat. §§ 144.291–.298 (2022) (Minnesota Health Records Act). This case involves the interpretation of Minn. Stat. § 144.293, subd. 2(2), which prohibits the disclosure of protected health information without “specific authorization in law.” Children’s asserts that federal regulations implementing the federal Health Insurance Portability and Accountability Act (HIPAA) is a “specific authorization in law,” and subsequently point to a federal regulation permitting disclosure of protected health information for fundraising purposes. The Schneiders contend that the statutory language refers only to specific authorizations in Minnesota law. The district court agreed with Children’s interpretation, and the court of appeals affirmed. We agree with Children’s that the federal regulation at issue here is a “specific authorization in law” under Minn. Stat. § 144.293, subd. 2(2). We therefore affirm the decision of the court of appeals. 2 FACTS On September 8, 2020, the Schneiders received a letter from Children’s notifying them of a data breach of a third-party vendor. The letter explained that Children’s shares health information with its institutionally related foundation for fundraising purposes, and that the foundation contracts with Blackbaud, the third-party vendor, for database storage. The letter further explained that an unauthorized user had gained access to the foundation’s fundraising database at Blackbaud, and Children’s had “reason to believe” that the health information of M.S. had been compromised. The letter detailed the types of information that might have been compromised, including M.S.’s name, age, date of birth, dates and locations of treatment, names of treating clinicians, and health insurance status. The Schneiders claimed that they had not given consent to Children’s to disclose M.S.’s health information for fundraising purposes, and they therefore sued Children’s and its related foundation for violating the Minnesota Health Records Act, Minn. Stat. §§ 144.291–.298. 1 Children’s moved to dismiss the case, arguing that the Minnesota Health Records Act allows for disclosure when there is a “specific authorization in law.” See Minn. Stat. § 144.293, subd. 2(2). To that end, Children’s pointed to federal regulations implementing HIPAA (HIPAA Privacy Rule). 45 C.F.R. §§ 160.101–552, 164.102–106, 164.500–534 (2022). The HIPAA Privacy Rule allows a hospital to disclose health information to a The Schneiders also sought to certify the complaint as a class action, with the class including “persons who had their health records released by Defendant Children’s Health Care to Defendant Children’s Foundation during the relevant liability period.” 1 3 related foundation or business associate for fundraising purposes without patient consent, see 45 C.F.R. § 164.514(f)(1) (2022). The district court denied Children’s motion, holding that although the federal regulations were a specific authorization in law under the Minnesota Health Records Act, it was not clear on a motion to dismiss posture that Children’s had complied with the privacy notice requirements under the HIPAA Privacy Rule. Children’s later moved for summary judgment, which the district court granted.2 The district court reiterated its earlier conclusion that Children’s disclosure of M.S.’s health information was specifically authorized in law by the HIPAA Privacy Rule. The district court also found that there was no dispute between the parties that Children’s had provided the required privacy notices under the HIPAA Privacy Rule. The court of appeals affirmed. See Schneider v. Children’s Health Care, 980 N.W.2d 827 (Minn. App. 2022). The court of appeals first rejected the Schneiders’ argument that the Minnesota Health Records Act permits disclosure of protected health information only when specifically authorized by Minnesota law. Id. at 831. The court of appeals held that the Minnesota Health Records Act’s use of “specific authorization in law” referred to Minnesota and federal law, which includes the HIPAA Privacy Rule. Id. The Schneiders further cited a federal regulation that requires a “more stringent” state law to trump the provisions of the HIPAA Privacy Rule. But the court of appeals held that the Minnesota Health Records Act was not “more stringent” as it relates to the 2 The district court granted summary judgment before deciding class certification. 4 disclosure of health information for fundraising purposes. Id. at 833. And the court of appeals rejected the Schneiders’ argument that Children’s interpretation of the Minnesota Health Records Act would result in an unconstitutional delegation of legislative power to federal regulators. Id. at 831–32. We granted the Schneiders’ petition for review to determine whether the Minnesota Health Records Act’s reference to a “specific authorization in law” includes the fundraising exception in the HIPAA Privacy Rule. ANALYSIS A. Whether the disclosure of M.S.’s health information was permitted by a “specific authorization in law” turns on the interpretation of that phrase in the Minnesota Health Records Act. This is an issue of statutory interpretation, which we review de novo. Cocchiarella v. Driggs, 884 N.W.2d 621, 624 (Minn. 2016). This case also comes to us from the district court’s grant of summary judgment, which we likewise review de novo. Larson v. Nw. Mut. Life Ins. Co., 855 N.W.2d 293, 299 (Minn. 2014). Summary judgment is appropriate when there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law. Senogles v. Carlson, 902 N.W.2d 38, 42 (Minn. 2017); see also Minn. R. Civ. P. 56.01. B. Answering the question of whether the Minnesota Health Records Act’s reference to a “specific authorization in law” in Minn. Stat. § 144.293, subd. 2(2), includes the federal HIPAA Privacy Rule as Children’s argues, first requires an explanation of what the 5 HIPPA Privacy Rule and the Minnesota Health Records Act provide and how they relate. The HIPAA Privacy Rule implements HIPAA’s directive that the federal government promulgate regulations protecting the privacy of individuals’ medical records and health information. See S.C. Med. Ass’n v. Thompson, 327 F.3d 346, 348–49 (4th Cir. 2003) (summarizing Congress’s passage of HIPAA and the promulgation of the HIPAA Privacy Rule). The HIPAA Privacy Rule became effective in 2001 after notice-and-comment rulemaking, id., and therefore the HIPAA Privacy Rule carries the “force and effect” of federal law. See Perez v. Mortg. Bankers Ass’n, 575 U.S. 92, 96 (2015) (citation omitted) (internal quotation marks omitted). The HIPAA Privacy Rule generally prohibits a covered entity from disclosing protected health information unless such a disclosure is authorized by the HIPAA Privacy Rule. 45 C.F.R. § 164.502(a) (2022). Relevant here, the HIPAA Privacy Rule authorizes the disclosure of certain protected health information for fundraising purposes (the fundraising exception): [A] covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508: (i) (ii) (iii) (iv) (iv) (v) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth; Dates of health care provided to an individual; Department of service information; Treating physician; Outcome information; and Health insurance status. 6 45 C.F.R. § 164.514(f)(1). To take advantage of the fundraising exception, a health care provider must provide notice to patients of potential fundraising communications in the provider’s federally mandated privacy notice. Id., § 164.514(f)(2)(i) (2022). In each fundraising communication to a patient, the notice must also provide the patient “with a clear and conspicuous opportunity to elect not to receive any further fundraising communications.” Id., § 164.514(f)(2)(ii) (2022). 3 The text of the HIPAA Privacy Rule recognizes that states might enact their own privacy laws governing protected health information. The HIPAA Privacy Rule contains a general preemption rule, along with numerous exceptions. The general rule provides that “[a] standard, requirement, or implementation specification adopted under this subchapter that is contrary to a provision of State law preempts the provision of State law.” 45 C.F.R. § 160.203 (2022). One of the exceptions, however, is that the HIPAA Privacy Rule’s, provisions do not preempt a “provision of State law relat[ing] to the privacy of individually identifiable health information” that is “more stringent than a standard, requirement, or implementation specification” of the HIPAA Privacy Rule. Id., § 160.203(b). A provision of state law is “[m]ore stringent” when it, for example, “provides greater privacy protection for the individual who is the subject of the individually identifiable health information” or “provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the The Schneiders do not dispute that they received the notices required by 45 C.F.R. § 164.514(f)(2). 3 7 circumstances surrounding the express legal permission” required for disclosure. 45 C.F.R. § 160.202 (2022). Minnesota is such a state that enacted its own privacy law regarding the disclosure of protected health information. The Minnesota Health Records Act generally provides that “[a] provider, or a person who receives health records from a provider, may not release a patient’s health records to a person” unless an exception applies. Minn. Stat. § 144.293, subd. 2. One of those exceptions, which is the subject of the dispute in this case, allows disclosure when there is a “specific authorization in law.” Id., subd. 2(2). C. With this background, we turn to the question of whether the disclosure of M.S.’s health information was permitted by a “specific authorization in law,” as that phrase is used in the Minnesota Health Records Act. When interpreting a statute, we first determine whether the text of the statute is ambiguous. Mittelstaedt v. Henney, 969 N.W.2d 634, 638–39 (Minn. 2022). We do not examine the statutory language in isolation, but rather we interpret the language in context of the statute as a whole. Moore v. Robinson Env’t, 954 N.W.2d 277, 280–81 (Minn. 2021). We construe nontechnical words and phrases according to their plain and ordinary meanings, Staab v. Diocese of St. Cloud, 813 N.W.2d 68, 72 (Minn. 2012), and we “often look to dictionary definitions to determine the plain meanings of words,” Larson, 855 N.W.2d at 301. The plain language of the statute controls when the statute is unambiguous. Cocchiarella, 884 N.W.2d at 624. The Schneiders and Children’s contest the scope of the phrase “specific authorization in law” in the Minnesota Health Records Act. The Schneiders contend that 8 the word “law” in Minn. Stat. § 144.293, subd. 2(2), plainly refers only to Minnesota law. Children’s argues that the plain meaning of “law” in Minn. Stat. § 144.293, subd. 2(2), encompasses a federal regulation like the fundraising exception in the HIPAA Privacy Rule. The Schneiders counter that Children’s interpretation would have no limiting principle and would ostensibly allow the law of other states to serve as a “specific authorization in law.” By examining the statutory language in context, as we must, see Moore, 954 N.W.2d at 280–81, we reject the Schneiders’ arguments and conclude that Children’s interpretation accords with the plain and ordinary meaning of the statutory text. “Law” refers to “a binding custom or practice of a community.” Law, Webster’s Third New International Dictionary 1279 (2002). Other definitions of “law” similarly describe its binding nature on members of a particular community. See Law, New Oxford American Dictionary 965 (2001) (defining law as “the system of rules that a particular country or community recognizes as regulating the actions of its members and may enforce by the imposition of penalties”); Law, Black’s Law Dictionary (8th ed. 2004) (defining law as “[t]he regime that orders human activities and relations through systematic application of the force of politically organized society”). These definitions suggest that the reference to “law” in Minn. Stat. § 144.293, subd. 2(2), refers to binding law in Minnesota. It goes without saying that the law that is “binding,” “enforce[able],” and has “force” in Minnesota is Minnesota and federal law. Cf. Musta v. Mendota Heights Dental Ctr., 965 N.W.2d 312, 321–22 (Minn. 2021) (looking solely to Minnesota and federal law to determine what law is binding in the preemption context). 9 The context in which the word “law” is used in Minn. Stat. § 144.293, subd. 2(2), bolsters this conclusion. The “law” in Minn. Stat. § 144.293, subd. 2(2), must “specific[ally] authoriz[e]” an exception to the general prohibition on disclosing protected health information. The only law that has the recognized or proper authority to displace or provide an exception to generally governing Minnesota law is another Minnesota law and federal law. See Musta, 965 N.W.2d at 321 (recognizing that federal law can displace Minnesota law through the U.S. Constitution’s Supremacy Clause). Stated differently, if a law is not binding or operative in Minnesota, it cannot authorize an exception to the Minnesota Health Records Act’s prohibition on disclosing protected health information in Minnesota. 4 Thus, contrary to the Schneiders’ assertion, the statute plainly encompasses law that is binding in Minnesota—that is, Minnesota and federal law. And because the HIPAA Privacy Rule is a federal regulation with the “force and effect” of federal law, Perez, 575 U.S. at 96 (citation omitted) (internal quotation marks omitted), the fundraising exception in the HIPAA Privacy Rule is plainly a “specific authorization in law” under Minn. Stat. § 144.293, subd. 2(2). This conclusion disposes of the Schneiders’ argument that the court of appeals’ interpretation of Minn. Stat. § 144.293, subd. 2(2), would permit the Minnesota Health Records Act to incorporate specific authorizations from the law of other states. The law of other states is not binding or operative in Minnesota. See Oliver v. State Farm Fire & Cas. Ins. Co., 939 N.W.2d 749, 753 (Minn. 2020) (recognizing that judicial decisions of other states—that is, the law of other states—are not binding in Minnesota). Simply put, the law of other states is not the law in Minnesota. The Minnesota Health Records Act therefore does not incorporate specific authorizations found in other states’ laws, but only the law that is binding in Minnesota. 4 10 Despite the statute’s plain language, the Schneiders argue that we have required the Legislature to explicitly reference a federal law incorporated into a state statute. For this proposition, the Schneiders cite Hutchinson Technology, Inc. v. Commissioner of Revenue, 698 N.W.2d 1 (Minn. 2005), and Willmus ex rel. Willmus v. Commissioner of Revenue, 371 N.W.2d 210 (Minn. 1985). Neither case establishes the broad rule of statutory interpretation for which the Schneiders advocate. In Hutchinson, we were tasked with determining the state franchise tax liability of a corporation. 698 N.W.2d at 8–9. State law provided that a corporation’s federal taxable income was the starting point for calculation of its state franchise tax liability. Id. at 9. State law also permitted a corporation’s franchise tax liability to be reduced by certain fees received from a foreign sales corporation. Id. The tax court concluded that because state franchise tax law referenced federal tax law at some points, the calculation of fees should follow the federal formula for such calculations. Id. at 10. We disagreed, noting that “[w]hile it is true that Minnesota has incorporated federal taxable income as the starting point for calculating Minnesota taxable income, that does not mean that all related provisions of federal tax law have been incorporated into state law.” Id. at 11. Rather, we explained that “[w]here the legislature intended to incorporate federal tax law, it has done so explicitly.” Id. Because the state law provision for the subtraction of fees made no reference to federal law, federal law was not determinative of the fee calculation. Id. The issue in Hutchinson was determining when and how various federal rules applied in a state tax regime involving multiple statutes, some of which referenced federal 11 law. Id. at 8–12. Here, the issue is not how far federal law creeps into a complex state regulatory regime replete with references to federal law; rather, all that is present here is a single, broad state statutory provision that permits disclosure of health information under a “specific authorization in law.” Minn. Stat. § 144.293, subd. 2(2). And because the plain language of “law” encompasses federal laws like the fundraising exception found in the HIPAA Privacy Rule, the Legislature has indeed made explicit its intent to incorporate federal law in Minn. Stat. § 144.293, subd. 2(2). Willmus also does not establish a broad rule requiring the Legislature to explicitly reference a federal law incorporated into a state statute. In Willmus, a state law governing capital gains taxes provided that the tax “ ‘shall be equal to 40 percent of the amount of the taxpayer’s minimum tax liability for tax preference items pursuant to the provisions of sections 56 to 58 and 443(d) of the Internal Revenue Code of 1954 as amended through December 31, 1976.’ ” 371 N.W.2d at 212 (quoting Minn. Stat. § 290.091 (Supp. 1979)). However, in 1978, Congress amended the Internal Revenue Code to provide that federal obligations for capital gains tax would arise under section 55 of the Code rather than under section 56. Id. The taxpayers in Willmus therefore claimed that they no longer had Minnesota tax liability for capital gains because, per the change in federal law, they no longer had any liabilities under sections 56 to 58 of the Internal Revenue Code. Id. We rejected that argument, observing that “amendments in federal law are of no effect on state statutory provisions” absent “affirmative action by the legislature.” Id. at 213. Instead, we held that the state tax must be computed using the taxpayer’s liability under sections 56 to 58 of the Internal Revenue Code as it existed through December 31, 12 1976. Id. This result was particularly apt because the statute explicitly stated that it was referencing federal law “as amended through December 31, 1976.” Id. (internal quotation marks omitted). The interpretative rule in Willmus dealt exclusively with the question of whether amendments in federal law may alter state law referencing that federal law. But in this case, neither party argues that the HIPAA Privacy Rule was amended, and that such an amendment changes the meaning of the Minnesota Health Records Act. Willmus therefore has no application to this case. Finally, the Schneiders make a “reverse preemption” argument: that Minn. Stat. § 144.293 is “more stringent” than the fundraising exception in the HIPAA Privacy Rule and therefore prevails over the HIPAA Privacy Rule. As noted above, the HIPAA Privacy Rule provides that its provisions do not preempt a “provision of State law relat[ing] to the privacy of individually identifiable health information” that is “more stringent than a standard, requirement, or implementation specification” of the HIPAA Privacy Rule. 45 C.F.R. § 160.203(b). The Schneiders point to Minn. Stat. § 144.293, subd. 1 of the Minnesota Health Records Act as being “more stringent,” which states that “[h]ealth records can be released or disclosed as specified in subdivisions 2 to 9 and sections 144.294 and 144.295.” The Schneiders observe that the HIPAA Privacy Rule is not specified in subdivisions 2 to 9 or sections 144.294 and 144.295, and thus conclude that the Minnesota Health Records Act is more stringent than the fundraising exception in the HIPAA Privacy Rule. 13 This analysis is faulty because it assumes the conclusion that the HIPAA Privacy Rule is not “specified in subdivisions 2 to 9 [or] sections 144.294 and 144.295.” See Minn. Stat. § 144.293, subd. 1. The reference to “subdivision 2” is to the provision in the Minnesota Health Records Act permitting release of a patient’s health records if there is “specific authorization in law.” As explained in our analysis above, the fundraising exception in the HIPAA Privacy Rule is specified in subdivision 2 because it is a “specific authorization in law.” Minn. Stat. § 144.293, subd. 2(2). The plain language of Minn. Stat. § 144.293, subd. 2(2), defeats the Schneiders’ argument that the Minnesota Health Records Act is more stringent than the HIPAA Privacy Rule on this issue. The Schneiders next offer a slightly different version of their reverse preemption argument by contending generally that “the [Minnesota Health Records Act] is plainly more stringent law than HIPAA.” But that is not the relevant inquiry. Rather, we must ask whether “a provision of State law” is more stringent than a “standard, requirement, or implementation specification” of the HIPAA Privacy Rule. 45 C.F.R. § 160.203(b) (emphasis added). As the Supreme Court of Missouri has explained: The issue for this Court . . . is not whether or not HIPAA, as a general matter, is contrary to and more stringent than the entirety of a state’s laws on the privacy of a patient’s medical information. Rather, the issue is whether or not a specific provision of HIPAA is contrary to and more stringent than a specific provision of state law. State ex rel. Proctor v. Messina, 320 S.W.3d 145, 149 (Mo. 2010); see also Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918, 59,995 (Nov. 3, 1999) (codified at 45 C.F.R. pts. 160–64) (drafters of the HIPAA Privacy Rule explaining that the preemption analysis “appears to contemplate that what will be 14 compared are the State and federal requirements that are analogous, i.e., that address the same subject matter”). The Schneiders identify the fundraising exception as a specific provision of HIPAA, but they fail to identify a specific provision of the Minnesota Health Records Act that “provides greater privacy protection for the individual who is the subject of the individually identifiable health information” than the fundraising exception as it relates to the subject matter of disclosing health information for fundraising purposes. 45 C.F.R. § 160.202 (defining “[m]ore stringent”). That failure is fatal to their reverse preemption claim. 5 We recognize the Schneiders’ also raised a policy concern that interpreting “specific authorization in law” to include the HIPAA Privacy Rule’s fundraising exception could permit the importation of other HIPAA Privacy Rule exceptions into the Minnesota Health Records Act. But this policy concern “should be directed to the Legislature,” for we “must read this state’s laws as they are, not as some argue they should be.” State v. Carson, 902 N.W.2d 441, 446 (Minn. 2017) (citation omitted) (internal quotation marks omitted). In their briefing, the Schneiders argue that our interpretation of Minn. Stat. § 144.293, subd. 2(2), results in an unconstitutional delegation of legislative power by giving “federal regulators the authority to decide what constitutes an unauthorized disclosure under the [Minnesota Health Records Act].” Although the Schneiders properly raised this nondelegation argument before the court of appeals, they forfeited review of the argument before us by failing to raise the issue in their petition for review. Minn. Voters All. v. County of Ramsey, 971 N.W.2d 269, 275 n.3 (Minn. 2022); In re GlaxoSmithKline PLC, 699 N.W.2d 749, 757 (Minn. 2005). Additionally, the record does not reflect that the Schneiders ever notified the Attorney General of their constitutional challenge, as required by Minn. R. Civ. App. P. 144. Failing to comply with Minn. R. Civ. App. P. 144 also merits forfeiture of a constitutional challenge. See Theorin v. Ditec Corp., 377 N.W.2d 437, 440 n.1 (Minn. 1985). We therefore decline to address the Schneiders’ nondelegation argument. 5 15 CONCLUSION For the foregoing reasons, we affirm the decision of the court of appeals. Affirmed. PROCACCINI, J., not having been a member of the court at the time of submission, took no part in the consideration or decision of this case. 16
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
