One of the more common questions that I get from Premium Members and others who have a free HIPAA question is regarding minors’ rights of access to PHI. It is either “What right does a minor have under HIPAA to claim his or her own privilege to deny access to PHI under HIPAA?” or its corollary, “If the minor does not want parents or others to have access to his or her records, can the provider refuse to provide the records to the parents?” This question is often not an easy one to answer because both HIPAA and state law play a role in the issue.

The rights of parents (natural, adopted, guardians, and others having parental rights) to authorize access to their children’s protected health information (“PHI”) are covered in the section of HIPAA regulations governing the rights of .personal representatives, 45 C.F.R. 164.502(g). A personal representative is a person authorized under applicable law (generally, state law) to make health care decisions on an individual’s behalf. (Thus, an attorney is not ordinarily a personal representative except to the extent the attorney has been hired to get access and, thus, is an agent of a personal representative under HIPAA). With few exceptions, a covered entity must accord a personal representative the same rights as would be accorded the individual with regard to access to records, 45 C.F.R. 164.502(g)(2). In most cases, parents (or guardians or those acting in loco parentis, holders of a valid health care power of attorney, and/or the executor or administrator of the estate of a deceased minor) will be considered personal representatives of a minor or an unemancipated child, and therefore, in most cases, parents can exercise the right of access to the medical record on the child’s behalf. 45 C.F.R. 164.502(g)(3).

A number of exceptions to this general rule exist, however, depending on your state’s laws:

• Minor’s right to seek independent treatment: The Privacy Rule permits the minor to exercise control over his or her own records if, under applicable state law, he or she did obtain or could obtain the health care for which the records are being sought without the requirement of parental consent, and if the minor did not ask for the parent to be treated as a personal representative, 45 C.F.R. 502(g)(3)(i). Thus, if state law permits a minor to seek reproductive health treatment without parental authority, the minor can exclude parents from seeing, for example, her records and from authorizing access to the records even if the parents have consented to the treatment. If the minor could have legally received the treatment solely on the basis of his or her consent, the fact that the parents did consent to the treatment does not necessarily entitle them to see or authorize access to the records,
• To be consistent with the saying that HIPAA is the Health Lawyers Full Employment Act, this exception has an exception. If a specific state law (including case law) permits or precludes disclosure of PHI about a minor to a parent, guardian, or other person acting in loco parentis, then HIPAA defers to the state law, 45 C.F.R.(g)(3)(ii)(A) and (B). It is also true, however, that, if state law explicitly prohibits parental access, HIPAA will not be interpreted to trump the child’s privacy of relevant records,
• Professional judgment that parents should not be allowed access to the records: When a licensed health care professional, in the exercise of professional judgment, determines that the access is reasonably likely to result in death or serious bodily injury to the individual or to another or to reveal the source of information obtained in confidence, the parents (and others listed above) should not be allowed access to the records. 45 C.F.R.164.502(g)(3)(ii)(C).

After a divorce, access to a child’s PHI is typically explicitly given to parents in state statutes relating to the rights of divorced parents. Typically, the divorced parent that may exercise this access right is a custodial one.

Other federal statutes also restrict release of records to parents. For examples, if the child has received treatment for alcohol abuse or substance abuse, 42 U.S.C.290dd (2003) may prevent the facility from releasing treatment records to the child’s parents.

Note that, whatever the authority for granting access to a personal representative, the Privacy Rule requires covered entities to verify the identity and authority of a person requesting PHI, if not known to the covered entity. See 45 C.F.R. § 164.514(h). The Privacy Rule allows for verification in most instances in either oral or written form, although verification does require written documentation when such documentation is a condition of the disclosure. Examples of such verification include a divorce decree proving legal or joint custody (although a more limited disclosure for family members and friends who are involved in the child’s care exists), a birth certificate, an adoption decree, letters of administration of a deceased child who does not have a will, letters testamentary appointing an executor of a decedent’s estate, and the like. Such verification does not have to prove the relationship beyond just making it probable that the relationship exists. The burden is on the person requesting the access to meet the verification requirement. When in doubt, legal review may be necessary.

If this issue comes up often in your practice, you may want to address it in your Notice of Privacy Practices.