Minnesota Department of Administration Advisory Opinion 17-004

 

This is an opinion of the Commissioner of Administration issued pursuant to Minnesota Statutes, section 13.072 (2016). It is based on the facts and information available to the Commissioner as described below.

Facts and Procedural History:

Steven Hanke, attorney for the City of Duluth, requested an advisory opinion regarding the classification of data the City maintains.

The City provided the following summary of the facts:

The City of Duluth operates a self-insurance pool, referred to as the Duluth Joint Powers Enterprise Trust, for the City’s group health insurance plan. The plans cover eligible current employees, retired employees, and their dependents. The City’s collective bargaining agreement [sic] contain specific health insurance plan design requirements in regards to covered procedures, prescription drug pricing, monthly premium cost sharing, and so forth. The collective bargaining agreements also require retired employees and their qualified dependents to obtain Medicare Part A and B coverage if they are eligible.

The City of Duluth contracts with HealthPartners Administrators, Inc., as third-party administrator of the City’s self-insured group health plan. HealthPartners Administrators, Inc. sends City plan participants correspondence (several examples attached) soliciting information from Plan participants.

The City believes that the data collected by HealthPartners Administrators, Inc. constitutes “government data” because it is being collected to perform a government function: administration of the City's self-insured health plan for its eligible employees, retirees, and their dependents.

Thus, the City believes that HealthPartners Administrators, Inc. is subject to Minnesota Statutes, section 13.05, subdivision 11(a). The City also believes the data in question are private, and therefore, per Minnesota Statutes, section 13.04, subdivision 2, HealthPartners Administrators, Inc. must give a Tennessen Warning notice when it collects the data listed on the above-referenced questionnaires and forms.


Issues:

Based on the opinion request, the Commissioner agreed to address the following issues:

  1. Are the data collected by the third-party administrator of the City of Duluth’s self-insured group health plan "government data" under Minnesota Statutes Section 13.02, subdivision 7?
  2. If the answer to Issue 1 is yes, are the data classified as private data on individuals under Minnesota Statutes section 13.02, subdivision 12?
  3. If the answer to Issue 2 is yes, must the City or its third-party administrator provide a Tennessen warning notice prior to obtaining the data, per Minnesota Statutes section 13.04, subdivision 2?

Discussion:

Pursuant to Minnesota Statutes, section 13.03, government data are public unless otherwise classified.

When a government entity contracts with a private person to perform any of its functions, data related to performance of the contract are subject to the requirements of Minnesota Statutes, Chapter 13, and the private person must comply with those requirements as if it were a government entity. (Minnesota Statutes, section 13.05, subdivision 11.)

Minnesota Statutes, section 13.43, classifies data on individuals who are current or former employees of a government entity. Subdivision 2 lists the types of personnel data that are public and subdivision 4 classifies most other types of personnel data as private. It also classifies "data pertaining" to an employee’s dependents as private.

Issue 1. Are the data collected by the third-party administrator of the City of Duluth’s self-insured group health plan "government data" under Minnesota Statutes Section 13.02, subdivision 7?

"Government data" are defined in Minnesota Statutes, section 13.02, subdivision 7, as “all data collected, created, received, maintained or disseminated by any government entity regardless of its physical form, storage media or conditions of use.

The City's third-party administrator collects and maintains the data in question to carry out the function of administrating the City’s self-insured group health plan. Under section 13.05, subdivision 11, it must comply with the Data Practices Act as if it were a government entity in carrying out its duties related to the contract. Thus, the data are government data.

Issue 2. If the answer to Issue 1 is yes, are the data classified as private data on individuals under Minnesota Statutes section 13.02, subdivision 12?

As noted above, data on public employees and their dependents are classified under section 13.43. The data collected on the forms that are used to administer the City’s self-insured health plan are private per section 13.43, subdivision 4, because they are data on employees/former employees that are not explicitly classified as public under subdivision 2, or are data on dependents.

Issue 3. If the answer to Issue 2 is yes, must the City or its third-party administrator provide a Tennessen warning notice prior to obtaining the data, per Minnesota Statutes section 13.04, subdivision 2?

When a government entity collects private or confidential data about an individual from that individual, the entity is required to provide a notice, commonly referred to as a Tennessen warning. (Minnesota Statutes, section 13.04, subdivision 2.) This notice must contain the following: (a) the purpose and intended use of the data; (b) whether the individual can refuse or is legally required to provide the requested data; (c) what the consequences are of supplying or not supplying the data; and (d) the identity of other persons or entities outside of the collecting agency authorized by state or federal law to receive the data.

The Commissioner previously has opined that if an entity does not give an individual a Tennessen warning notice when required, or if an entity’s notice is inadequate, the entity cannot store, use, or disclose any of the data it collected from the individual. (Minnesota Statutes, section 13.05, subdivision 4.) (See also Advisory Opinions, 95-028, 02-045, 07-009, and 13-011.)

In order to administer the City’s self-insurance plan, its third-party administrator collects private data from eligible City employees, retirees, and their dependents. As noted above, the third-party administrator must comply with the Data Practices Act as if it were a government entity, and therefore it must provide a Tennessen warning notice prior to obtaining private data from those individuals.

Finally, at least one of the forms the City submitted asks for Social Security Numbers (SSN). The Commissioner previously has opined that when an entity collects an individual’s SSN, federal law imposes some additional notice requirements. (See Advisory Opinions 01-040, 04-020, and 04-048.)


Opinion:

Based on the facts and information provided, the Commissioner’s opinion on the issues is as follows:

  1. Data collected by the third-party administrator of the City of Duluth’s self-insured group health plan are “government data” by operation of Minnesota Statutes, section 13.05, subdivision 11 and under section 13.02, subdivision 7.
  2. The data are classified as private data on individuals under Minnesota Statutes section 13.43, subdivision 4.
  3. The City’s third-party administrator must provide a Tennessen warning notice prior to obtaining the data, per Minnesota Statutes sections 13.05, subdivision 11, and 13.04, subdivision 2.


Signed:

Matthew Massman
Commissioner

Dated: May 5, 2017


PDF