Kelly Schneider, on behalf of themselves and all others similarly situated v. Children's Health ...

STATE OF MINNESOTA

IN SUPREME COURT

A22-0275

Court of Appeals Hudson, C.J.
Took no part, Procaccini, J.
Kelly Schneider, et al., on behalf of themselves
and all others similarly situated,

Appellants,

vs. Filed: October 11, 2023
Office of Appellate Courts
Children’s Health Care,
d/b/a Children’s Hospital and Clinics, et al.,

Respondents.
________________________

A. L. Brown, Marcus L. Almon, Capitol City Law Group, LLC, Saint Paul, Minnesota, for
appellants.

Danyll W. Foix, Baker & Hostetler LLP, Washington, District of Columbia; and

David A. Carney, Baker & Hostetler LLP, Cleveland, Ohio, for respondents.

Mark R. Bradford, Alexander D. Klein, Bradford Andresen Norrie & Camarotto,
Bloomington, Minnesota, for amicus curiae Minnesota Hospital Association.

________________________

SYLLABUS

A federal regulation permitting the disclosure of health information for fundraising

purposes is a “specific authorization in law” under the Minnesota Health Records Act,

Minn. Stat. § 144.293, subd. 2(2) (2022).

Affirmed.

1
 OPINION

HUDSON, Chief Justice.

Appellants Kelly and Evarist Schneider II (the Schneiders) were informed by

respondent Children’s Health Care (Children’s) that protected health information of their

child, M.S., was disclosed by Children’s to its institutionally related foundation and its

business associate for fundraising purposes. The Schneiders claimed that they had not

given consent to Children’s to disclose M.S.’s health information for fundraising purposes,

and they therefore sued Children’s for violating the Minnesota Health Records Act. See

Minn. Stat. §§ 144.291–.298 (2022) (Minnesota Health Records Act).

This case involves the interpretation of Minn. Stat. § 144.293, subd. 2(2), which

prohibits the disclosure of protected health information without “specific authorization in

law.” Children’s asserts that federal regulations implementing the federal Health Insurance

Portability and Accountability Act (HIPAA) is a “specific authorization in law,” and

subsequently point to a federal regulation permitting disclosure of protected health

information for fundraising purposes. The Schneiders contend that the statutory language

refers only to specific authorizations in Minnesota law. The district court agreed with

Children’s interpretation, and the court of appeals affirmed.

We agree with Children’s that the federal regulation at issue here is a “specific

authorization in law” under Minn. Stat. § 144.293, subd. 2(2). We therefore affirm the

decision of the court of appeals.

2
 FACTS

On September 8, 2020, the Schneiders received a letter from Children’s notifying

them of a data breach of a third-party vendor. The letter explained that Children’s shares

health information with its institutionally related foundation for fundraising purposes, and

that the foundation contracts with Blackbaud, the third-party vendor, for database storage.

The letter further explained that an unauthorized user had gained access to the foundation’s

fundraising database at Blackbaud, and Children’s had “reason to believe” that the health

information of M.S. had been compromised. The letter detailed the types of information

that might have been compromised, including M.S.’s name, age, date of birth, dates and

locations of treatment, names of treating clinicians, and health insurance status.

The Schneiders claimed that they had not given consent to Children’s to disclose

M.S.’s health information for fundraising purposes, and they therefore sued Children’s and

its related foundation for violating the Minnesota Health Records Act, Minn. Stat.

§§ 144.291–.298. 1

Children’s moved to dismiss the case, arguing that the Minnesota Health Records

Act allows for disclosure when there is a “specific authorization in law.” See Minn. Stat.

§ 144.293, subd. 2(2). To that end, Children’s pointed to federal regulations implementing

HIPAA (HIPAA Privacy Rule). 45 C.F.R. §§ 160.101–552, 164.102–106, 164.500–534

(2022). The HIPAA Privacy Rule allows a hospital to disclose health information to a

1 The Schneiders also sought to certify the complaint as a class action, with the class
including “persons who had their health records released by Defendant Children’s Health
Care to Defendant Children’s Foundation during the relevant liability period.”

3
related foundation or business associate for fundraising purposes without patient consent,

see 45 C.F.R. § 164.514(f)(1) (2022). The district court denied Children’s motion, holding

that although the federal regulations were a specific authorization in law under the

Minnesota Health Records Act, it was not clear on a motion to dismiss posture that

Children’s had complied with the privacy notice requirements under the HIPAA Privacy

Rule.

Children’s later moved for summary judgment, which the district court granted.2

The district court reiterated its earlier conclusion that Children’s disclosure of M.S.’s health

information was specifically authorized in law by the HIPAA Privacy Rule. The district

court also found that there was no dispute between the parties that Children’s had provided

the required privacy notices under the HIPAA Privacy Rule.

The court of appeals affirmed. See Schneider v. Children’s Health Care,

980 N.W.2d 827 (Minn. App. 2022). The court of appeals first rejected the Schneiders’

argument that the Minnesota Health Records Act permits disclosure of protected health

information only when specifically authorized by Minnesota law. Id. at 831. The court of

appeals held that the Minnesota Health Records Act’s use of “specific authorization in law”

referred to Minnesota and federal law, which includes the HIPAA Privacy Rule. Id.

The Schneiders further cited a federal regulation that requires a “more stringent”

state law to trump the provisions of the HIPAA Privacy Rule. But the court of appeals held

that the Minnesota Health Records Act was not “more stringent” as it relates to the

2 The district court granted summary judgment before deciding class certification.

4
disclosure of health information for fundraising purposes. Id. at 833. And the court of

appeals rejected the Schneiders’ argument that Children’s interpretation of the Minnesota

Health Records Act would result in an unconstitutional delegation of legislative power to

federal regulators. Id. at 831–32.

We granted the Schneiders’ petition for review to determine whether the Minnesota

Health Records Act’s reference to a “specific authorization in law” includes the fundraising

exception in the HIPAA Privacy Rule.

ANALYSIS

A.

Whether the disclosure of M.S.’s health information was permitted by a “specific

authorization in law” turns on the interpretation of that phrase in the Minnesota Health

Records Act. This is an issue of statutory interpretation, which we review de novo.

Cocchiarella v. Driggs, 884 N.W.2d 621, 624 (Minn. 2016). This case also comes to us

from the district court’s grant of summary judgment, which we likewise review de novo.

Larson v. Nw. Mut. Life Ins. Co., 855 N.W.2d 293, 299 (Minn. 2014). Summary judgment

is appropriate when there is no genuine issue as to any material fact and the moving party

is entitled to judgment as a matter of law. Senogles v. Carlson, 902 N.W.2d 38, 42

(Minn. 2017); see also Minn. R. Civ. P. 56.01.

B.

Answering the question of whether the Minnesota Health Records Act’s reference

to a “specific authorization in law” in Minn. Stat. § 144.293, subd. 2(2), includes the

federal HIPAA Privacy Rule as Children’s argues, first requires an explanation of what the

5
HIPPA Privacy Rule and the Minnesota Health Records Act provide and how they relate.

The HIPAA Privacy Rule implements HIPAA’s directive that the federal government

promulgate regulations protecting the privacy of individuals’ medical records and health

information. See S.C. Med. Ass’n v. Thompson, 327 F.3d 346, 348–49 (4th Cir. 2003)

(summarizing Congress’s passage of HIPAA and the promulgation of the HIPAA Privacy

Rule). The HIPAA Privacy Rule became effective in 2001 after notice-and-comment

rulemaking, id., and therefore the HIPAA Privacy Rule carries the “force and effect” of

federal law. See Perez v. Mortg. Bankers Ass’n, 575 U.S. 92, 96 (2015) (citation omitted)

(internal quotation marks omitted).

The HIPAA Privacy Rule generally prohibits a covered entity from disclosing

protected health information unless such a disclosure is authorized by the HIPAA Privacy

Rule. 45 C.F.R. § 164.502(a) (2022). Relevant here, the HIPAA Privacy Rule authorizes

the disclosure of certain protected health information for fundraising purposes (the

fundraising exception):

[A] covered entity may use, or disclose to a business associate or to an
institutionally related foundation, the following protected health information
for the purpose of raising funds for its own benefit, without an authorization
meeting the requirements of § 164.508:

(i) Demographic information relating to an individual, including name,
address, other contact information, age, gender, and date of birth;
(ii) Dates of health care provided to an individual;
(iii) Department of service information;
(iv) Treating physician;
(iv) Outcome information; and
(v) Health insurance status.

6
45 C.F.R. § 164.514(f)(1). To take advantage of the fundraising exception, a health care

provider must provide notice to patients of potential fundraising communications in the

provider’s federally mandated privacy notice. Id., § 164.514(f)(2)(i) (2022). In each

fundraising communication to a patient, the notice must also provide the patient “with a

clear and conspicuous opportunity to elect not to receive any further fundraising

communications.” Id., § 164.514(f)(2)(ii) (2022). 3

The text of the HIPAA Privacy Rule recognizes that states might enact their own

privacy laws governing protected health information. The HIPAA Privacy Rule contains

a general preemption rule, along with numerous exceptions. The general rule provides that

“[a] standard, requirement, or implementation specification adopted under this subchapter

that is contrary to a provision of State law preempts the provision of State law.” 45 C.F.R.

§ 160.203 (2022). One of the exceptions, however, is that the HIPAA Privacy Rule’s,

provisions do not preempt a “provision of State law relat[ing] to the privacy of individually

identifiable health information” that is “more stringent than a standard, requirement, or

implementation specification” of the HIPAA Privacy Rule. Id., § 160.203(b). A provision

of state law is “[m]ore stringent” when it, for example, “provides greater privacy protection

for the individual who is the subject of the individually identifiable health information” or

“provides requirements that narrow the scope or duration, increase the privacy protections

afforded (such as by expanding the criteria for), or reduce the coercive effect of the

3 The Schneiders do not dispute that they received the notices required by 45 C.F.R.
§ 164.514(f)(2).

7
circumstances surrounding the express legal permission” required for disclosure.

45 C.F.R. § 160.202 (2022).

Minnesota is such a state that enacted its own privacy law regarding the disclosure

of protected health information. The Minnesota Health Records Act generally provides

that “[a] provider, or a person who receives health records from a provider, may not release

a patient’s health records to a person” unless an exception applies. Minn. Stat. § 144.293,

subd. 2. One of those exceptions, which is the subject of the dispute in this case, allows

disclosure when there is a “specific authorization in law.” Id., subd. 2(2).

C.

With this background, we turn to the question of whether the disclosure of M.S.’s

health information was permitted by a “specific authorization in law,” as that phrase is used

in the Minnesota Health Records Act. When interpreting a statute, we first determine

whether the text of the statute is ambiguous. Mittelstaedt v. Henney, 969 N.W.2d 634,

638–39 (Minn. 2022). We do not examine the statutory language in isolation, but rather

we interpret the language in context of the statute as a whole. Moore v. Robinson Env’t,

954 N.W.2d 277, 280–81 (Minn. 2021). We construe nontechnical words and phrases

according to their plain and ordinary meanings, Staab v. Diocese of St. Cloud, 813 N.W.2d

68, 72 (Minn. 2012), and we “often look to dictionary definitions to determine the plain

meanings of words,” Larson, 855 N.W.2d at 301. The plain language of the statute controls

when the statute is unambiguous. Cocchiarella, 884 N.W.2d at 624.

The Schneiders and Children’s contest the scope of the phrase “specific

authorization in law” in the Minnesota Health Records Act. The Schneiders contend that

8
the word “law” in Minn. Stat. § 144.293, subd. 2(2), plainly refers only to Minnesota law.

Children’s argues that the plain meaning of “law” in Minn. Stat. § 144.293, subd. 2(2),

encompasses a federal regulation like the fundraising exception in the HIPAA Privacy

Rule. The Schneiders counter that Children’s interpretation would have no limiting

principle and would ostensibly allow the law of other states to serve as a “specific

authorization in law.” By examining the statutory language in context, as we must, see

Moore, 954 N.W.2d at 280–81, we reject the Schneiders’ arguments and conclude that

Children’s interpretation accords with the plain and ordinary meaning of the statutory text.

“Law” refers to “a binding custom or practice of a community.” Law, Webster’s

Third New International Dictionary 1279 (2002). Other definitions of “law” similarly

describe its binding nature on members of a particular community. See Law, New Oxford

American Dictionary 965 (2001) (defining law as “the system of rules that a particular

country or community recognizes as regulating the actions of its members and may enforce

by the imposition of penalties”); Law, Black’s Law Dictionary (8th ed. 2004) (defining law

as “[t]he regime that orders human activities and relations through systematic application

of the force of politically organized society”). These definitions suggest that the reference

to “law” in Minn. Stat. § 144.293, subd. 2(2), refers to binding law in Minnesota. It goes

without saying that the law that is “binding,” “enforce[able],” and has “force” in Minnesota

is Minnesota and federal law. Cf. Musta v. Mendota Heights Dental Ctr., 965 N.W.2d 312,

321–22 (Minn. 2021) (looking solely to Minnesota and federal law to determine what law

is binding in the preemption context).

9
 The context in which the word “law” is used in Minn. Stat. § 144.293, subd. 2(2),

bolsters this conclusion. The “law” in Minn. Stat. § 144.293, subd. 2(2), must

“specific[ally] authoriz[e]” an exception to the general prohibition on disclosing protected

health information. The only law that has the recognized or proper authority to displace or

provide an exception to generally governing Minnesota law is another Minnesota law and

federal law. See Musta, 965 N.W.2d at 321 (recognizing that federal law can displace

Minnesota law through the U.S. Constitution’s Supremacy Clause). Stated differently, if

a law is not binding or operative in Minnesota, it cannot authorize an exception to the

Minnesota Health Records Act’s prohibition on disclosing protected health information in

Minnesota. 4

Thus, contrary to the Schneiders’ assertion, the statute plainly encompasses law that

is binding in Minnesota—that is, Minnesota and federal law. And because the HIPAA

Privacy Rule is a federal regulation with the “force and effect” of federal law, Perez,

575 U.S. at 96 (citation omitted) (internal quotation marks omitted), the fundraising

exception in the HIPAA Privacy Rule is plainly a “specific authorization in law” under

Minn. Stat. § 144.293, subd. 2(2).

4 This conclusion disposes of the Schneiders’ argument that the court of appeals’
interpretation of Minn. Stat. § 144.293, subd. 2(2), would permit the Minnesota Health
Records Act to incorporate specific authorizations from the law of other states. The law of
other states is not binding or operative in Minnesota. See Oliver v. State Farm Fire & Cas.
Ins. Co., 939 N.W.2d 749, 753 (Minn. 2020) (recognizing that judicial decisions of other
states—that is, the law of other states—are not binding in Minnesota). Simply put, the law
of other states is not the law in Minnesota. The Minnesota Health Records Act therefore
does not incorporate specific authorizations found in other states’ laws, but only the law
that is binding in Minnesota.

10
 Despite the statute’s plain language, the Schneiders argue that we have required the

Legislature to explicitly reference a federal law incorporated into a state statute. For this

proposition, the Schneiders cite Hutchinson Technology, Inc. v. Commissioner of Revenue,

698 N.W.2d 1 (Minn. 2005), and Willmus ex rel. Willmus v. Commissioner of Revenue,

371 N.W.2d 210 (Minn. 1985). Neither case establishes the broad rule of statutory

interpretation for which the Schneiders advocate.

In Hutchinson, we were tasked with determining the state franchise tax liability of

a corporation. 698 N.W.2d at 8–9. State law provided that a corporation’s federal taxable

income was the starting point for calculation of its state franchise tax liability. Id. at 9.

State law also permitted a corporation’s franchise tax liability to be reduced by certain fees

received from a foreign sales corporation. Id. The tax court concluded that because state

franchise tax law referenced federal tax law at some points, the calculation of fees should

follow the federal formula for such calculations. Id. at 10.

We disagreed, noting that “[w]hile it is true that Minnesota has incorporated federal

taxable income as the starting point for calculating Minnesota taxable income, that does

not mean that all related provisions of federal tax law have been incorporated into state

law.” Id. at 11. Rather, we explained that “[w]here the legislature intended to

incorporate federal tax law, it has done so explicitly.” Id. Because the state law provision

for the subtraction of fees made no reference to federal law, federal law was not

determinative of the fee calculation. Id.

The issue in Hutchinson was determining when and how various federal rules

applied in a state tax regime involving multiple statutes, some of which referenced federal

11
law. Id. at 8–12. Here, the issue is not how far federal law creeps into a complex state

regulatory regime replete with references to federal law; rather, all that is present here is a

single, broad state statutory provision that permits disclosure of health information under

a “specific authorization in law.” Minn. Stat. § 144.293, subd. 2(2). And because the plain

language of “law” encompasses federal laws like the fundraising exception found in the

HIPAA Privacy Rule, the Legislature has indeed made explicit its intent to incorporate

federal law in Minn. Stat. § 144.293, subd. 2(2).

Willmus also does not establish a broad rule requiring the Legislature to explicitly

reference a federal law incorporated into a state statute. In Willmus, a state law governing

capital gains taxes provided that the tax “ ‘shall be equal to 40 percent of the amount of the

taxpayer’s minimum tax liability for tax preference items pursuant to the provisions of

sections 56 to 58 and 443(d) of the Internal Revenue Code of 1954 as amended through

December 31, 1976.’ ” 371 N.W.2d at 212 (quoting Minn. Stat. § 290.091 (Supp. 1979)).

However, in 1978, Congress amended the Internal Revenue Code to provide that federal

obligations for capital gains tax would arise under section 55 of the Code rather than

under section 56. Id. The taxpayers in Willmus therefore claimed that they no longer had

Minnesota tax liability for capital gains because, per the change in federal law, they no

longer had any liabilities under sections 56 to 58 of the Internal Revenue Code. Id.

We rejected that argument, observing that “amendments in federal law are of no

effect on state statutory provisions” absent “affirmative action by the legislature.” Id. at

213. Instead, we held that the state tax must be computed using the taxpayer’s liability

under sections 56 to 58 of the Internal Revenue Code as it existed through December 31,

12
1976. Id. This result was particularly apt because the statute explicitly stated that it was

referencing federal law “as amended through December 31, 1976.” Id. (internal quotation

marks omitted).

The interpretative rule in Willmus dealt exclusively with the question of whether

amendments in federal law may alter state law referencing that federal law. But in this

case, neither party argues that the HIPAA Privacy Rule was amended, and that such an

amendment changes the meaning of the Minnesota Health Records Act. Willmus therefore

has no application to this case.

Finally, the Schneiders make a “reverse preemption” argument: that Minn. Stat.

§ 144.293 is “more stringent” than the fundraising exception in the HIPAA Privacy Rule

and therefore prevails over the HIPAA Privacy Rule. As noted above, the HIPAA Privacy

Rule provides that its provisions do not preempt a “provision of State law relat[ing] to the

privacy of individually identifiable health information” that is “more stringent than a

standard, requirement, or implementation specification” of the HIPAA Privacy Rule.

45 C.F.R. § 160.203(b). The Schneiders point to Minn. Stat. § 144.293, subd. 1 of the

Minnesota Health Records Act as being “more stringent,” which states that “[h]ealth

records can be released or disclosed as specified in subdivisions 2 to 9 and sections 144.294

and 144.295.” The Schneiders observe that the HIPAA Privacy Rule is not specified in

subdivisions 2 to 9 or sections 144.294 and 144.295, and thus conclude that the Minnesota

Health Records Act is more stringent than the fundraising exception in the HIPAA Privacy

Rule.

13
 This analysis is faulty because it assumes the conclusion that the HIPAA Privacy

Rule is not “specified in subdivisions 2 to 9 [or] sections 144.294 and 144.295.” See Minn.

Stat. § 144.293, subd. 1. The reference to “subdivision 2” is to the provision in the

Minnesota Health Records Act permitting release of a patient’s health records if there is

“specific authorization in law.” As explained in our analysis above, the fundraising

exception in the HIPAA Privacy Rule is specified in subdivision 2 because it is a “specific

authorization in law.” Minn. Stat. § 144.293, subd. 2(2). The plain language of Minn. Stat.

§ 144.293, subd. 2(2), defeats the Schneiders’ argument that the Minnesota Health Records

Act is more stringent than the HIPAA Privacy Rule on this issue.

The Schneiders next offer a slightly different version of their reverse preemption

argument by contending generally that “the [Minnesota Health Records Act] is plainly

more stringent law than HIPAA.” But that is not the relevant inquiry. Rather, we must ask

whether “a provision of State law” is more stringent than a “standard, requirement, or

implementation specification” of the HIPAA Privacy Rule. 45 C.F.R. § 160.203(b)

(emphasis added). As the Supreme Court of Missouri has explained:

The issue for this Court . . . is not whether or not HIPAA, as a general matter,
is contrary to and more stringent than the entirety of a state’s laws on the
privacy of a patient’s medical information. Rather, the issue is whether or
not a specific provision of HIPAA is contrary to and more stringent than a
specific provision of state law.

State ex rel. Proctor v. Messina, 320 S.W.3d 145, 149 (Mo. 2010); see also Standards for

Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59,918, 59,995

(Nov. 3, 1999) (codified at 45 C.F.R. pts. 160–64) (drafters of the HIPAA Privacy Rule

explaining that the preemption analysis “appears to contemplate that what will be

14
compared are the State and federal requirements that are analogous, i.e., that address the

same subject matter”). The Schneiders identify the fundraising exception as a specific

provision of HIPAA, but they fail to identify a specific provision of the Minnesota Health

Records Act that “provides greater privacy protection for the individual who is the subject

of the individually identifiable health information” than the fundraising exception as it

relates to the subject matter of disclosing health information for fundraising purposes.

45 C.F.R. § 160.202 (defining “[m]ore stringent”). That failure is fatal to their reverse

preemption claim. 5

We recognize the Schneiders’ also raised a policy concern that interpreting “specific

authorization in law” to include the HIPAA Privacy Rule’s fundraising exception could

permit the importation of other HIPAA Privacy Rule exceptions into the Minnesota Health

Records Act. But this policy concern “should be directed to the Legislature,” for we “must

read this state’s laws as they are, not as some argue they should be.” State v. Carson,

902 N.W.2d 441, 446 (Minn. 2017) (citation omitted) (internal quotation marks omitted).

5 In their briefing, the Schneiders argue that our interpretation of Minn. Stat.
§ 144.293, subd. 2(2), results in an unconstitutional delegation of legislative power by
giving “federal regulators the authority to decide what constitutes an unauthorized
disclosure under the [Minnesota Health Records Act].” Although the Schneiders properly
raised this nondelegation argument before the court of appeals, they forfeited review of the
argument before us by failing to raise the issue in their petition for review. Minn. Voters
All. v. County of Ramsey, 971 N.W.2d 269, 275 n.3 (Minn. 2022); In re GlaxoSmithKline
PLC, 699 N.W.2d 749, 757 (Minn. 2005). Additionally, the record does not reflect that
the Schneiders ever notified the Attorney General of their constitutional challenge, as
required by Minn. R. Civ. App. P. 144. Failing to comply with Minn. R. Civ. App. P. 144
also merits forfeiture of a constitutional challenge. See Theorin v. Ditec Corp.,
377 N.W.2d 437, 440 n.1 (Minn. 1985). We therefore decline to address the Schneiders’
nondelegation argument.

15
 CONCLUSION

For the foregoing reasons, we affirm the decision of the court of appeals.

Affirmed.

PROCACCINI, J., not having been a member of the court at the time of submission,

took no part in the consideration or decision of this case.

16