Parents who have minor children have legitimate concerns about their children’s health records as used, disclosed, and maintained by their health care providers, insurers, and those who work for those covered entities, such as transcription and billing services, among others. The people and organizations who perform such services are “business associates,” who now, as a result of the HITECH Act and the Omnibus Rule, must comply with HIPAA just as covered entities must.
When and under what circumstances can a parent get access to a child’s chart? When can the provider or health plan deny such access? Can the child deny the parent access? What about correcting or amending a chart? Which parents can exercise rights of access, correction, or amendment, and the like when they are divorced?
These are real, everyday issues that you can’t just shoot from the hip on unless you enjoy having a complaint investigated by the Office for Civil Rights of the Department of Health and Human Services. I have represented eight covered entities who were investigated as a result of a patient complaint, and although I was successful in getting all eight complaints dismissed, it was not without some anguish, effort, and money on the part of the covered entities.
First, state law, not HIPAA nor any other federal law, specifies who is a minor, usually by reference to an age that, once the minor has achieved it, he or she is an adult. State laws may also set an earlier date for qualifying as an emancipated minor who has an adult’s rights. Typically, for example, being married qualifies to emancipate a minor at an earlier age. Of course, that does not mean that a parent who has child who is brain-damaged or is otherwise incapable of making adult decisions cannot be appointed the child’s guardian even after the child is old enough to qualify as an adult under state law.
Second, unless the child is an adult by either age or emancipation, the child has no power (with a few exceptions under state law discussed below) to exercise his or her health information rights. Except in the situations discussed below, the parent (or guardian) exercises the minor’s rights on his or her behalf. If a twelve-year-old who was not emancipated (emancipation at that age would be very unlikely) asked to see a copy of his or her chart, I would recommend saying, “Let me run this by your (mother)(father)(guardian), and I’ll get back to you.” I would, however, recommend documenting the request and making sure that you consulted the parent or guardian. Then, if the parent were agreeable, I would process the request just like any other such request.
But what if it is a broken home? If the parents are separated, each has the ability to exercise the child’s rights on the child’s behalf in the absence of a court-order taking away that right. If divorced, only a custodial parent has the rights with regard to the child’s PHI. State law must be reviewed to determine what decrees take away the right. For example, in Missouri, in which the author has dealt with this issue, four types of custody exist with regard to divorced parents: no custody, physical custody (either joint or not), legal custody, and both physical and legal custody. Only legal custody permits the parent or parents having such custody to exercise the child’s rights with regard to health information. Before you permit a parent to exercise health information rights, you must see the divorce or custody decree and have it reviewed by your attorney. Make certain that you file a copy of the decree in the chart or appropriate HIPAA file.
So what if both one spouse and his or her ex have joint legal custody or simply joint custody in a state that does not have the separate category of legal custody and asks you not to give the other spouse access? The parent states that he or she is afraid that, if the other parent sees in the record that their daughter is on contraceptives or, God forbid, had an abortion, the other spouse is likely to commit grievous bodily injury on the youth. In this situation, HIPAA permits you to deny access if that access is reasonably likely to result in death or serious bodily injury to a named individual (in this case the minor patient) or the public. This ground could also be used if it was the minor who made the request—“Don’t tell my father that the doctor prescribed contraceptives because he has said many times that, if he finds out that I am on contraceptives, he will beat the snot out of me.” Again, if you deny access on this ground, make certain that the clinician agrees and that you document it.
But under what circumstances may the minor deny his or her parents access absent such a threat to a named individual or the public? Again, we have to look to state law. HIPAA preempts—that is, does away with—state and federal law that is inconsistent with HIPAA unless such law gives more privacy protection. Some state laws give minors’ more protection for reproductive issues. Because such a law would give more privacy protection to the minor than does HIPAA, it would “trump” HIPAA and be controlling. In your written Release of Information or Disclosure Policy you must spell out those protections so that you do not violate HIPAA and/or the state law.
The parent, either in a marriage in which both have custody or in a separation or divorce in which he or she has sufficient custody to make health care decisions, can and should exercise the minor’s other privacy rights in the minor’s best interests. These include, besides the right of access, the right to request correction or amendment of incomplete or inaccurate information in the chart, the right to request restriction on uses and disclosures of the information, and the right to alternate communications, such as “Don’t call me at home. Only call me on my cell.” A Long Island, New York, surgi-center suffered a $300,000 punitive damage award when it violated such a request and a nurse called the home number and gave the mother information concerning her daughter’s recent abortion, which resulted in the daughter being kicked out onto the street.
Minors have health information privacy rights that may be more crucial than those of their elders. If it gets out that the author was hospitalized overnight for what appeared to be a heart attack but it wasn’t, who cares (except him!). But if it gets out that his 19-year-old college freshman daughter had an abortion (God forbid, and I firmly believe that she is too good a girl for that to happen), it could be very damaging, especially in these days of social media. So write your Release of Information/Disclosure and related policies to protect the rights of parents and their offspring.
