Requiring Consent vs. Waiving Consent for Medical Records Research: A Minnesota Law vs. the U.S. (HIPAA) Privacy Rule

The use of medical records in research can yield information that is difficult to obtain by other means. When such records are released to investigators in identifiable form, however, substantial privacy and confidentiality risks may be created. These risks become more common and more serious as medical records move to an electronic format. In 1996, the state of Minnesota enacted legislation with respect to consent requirements for the use of medical records in research. This legislation has been widely criticized because--it is claimed--it creates an unnecessary impediment to research. In this article, we show that these arguments rest upon misinterpretation and/or misrepresentation of the 1996 legislation. A consent requirement had actually been present in Minnesota since 1976 (though codified in a patient rights statute rather than a privacy statute). The 1996 law does not require specific consent, as often claimed, but rather only a general authorization. The campaign against the Minnesota legislation appears to have been motivated by concern with respect to the then impending federal privacy rule. The HIPAA rule, as enacted, is in fact less stringent with respect to consent than the Minnesota consent law. On the other hand, the Minnesota consent law has not been effectively applied or enforced. As we change the way we manage sensitive medical information, new efforts are needed to provide protection against the confidentiality risks in research. Patient consent is an important tool in this regard. New instrumentalities are needed to solicit and document consent.