The HIPAA Privacy Rule and Minors

Generally, a parent or guardian of a minor child is regarded as what the HIPAA Privacy Rule calls the “personal representative” of the minor child. Per the HIPAA Privacy Rule, a personal representative is authorized to exercise the HIPAA rights of the individual whom he or she represents, on that person’s behalf. Therefore, a parent who is a personal representative can exercise a minor’s HIPAA Privacy Rule rights with respect to protected health information (PHI), consistently with state law. 

HIPAA Minors

In addition, personal representatives have the right to exercise other HIPAA Privacy Rule rights, such as providing written authorization for disclosure of PHI. The HIPAA Privacy Rule also gives a personal representative the general right to make medical decisions on the minor’s behalf. 

What if a Parent is Not the Minor’s Personal Representative Under the HIPAA Privacy Rule?

The HIPAA Privacy Rule specifies three circumstances under which the parent is not the “personal representative” with respect to certain health information about his or her minor child. 

These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under state law, or standards of professional practice. 

In these situations, the parent does not control the minor’s health care decisions, and therefore under the HIPAA Privacy Rule, does not control the protected health information (PHI) related to that care. The three circumstances when a parent is not the minor’s personal representative are:

  • When state or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service.
    • Example:  A state law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.
  • When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent.
    • Example:  A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.
  • When a parent agrees to a confidential relationship between the minor and a health care provider.
    • Example:  A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.

What Role Does State Law Play?

The HIPAA Privacy Rule does not contravene state laws that expressly address the ability of parents to obtain health information about minors.

For example, regardless of whether a parent is the personal representative of a minor child, the HIPAA Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information, when and to the extent it is permitted or required by state law. If state law allows access, the HIPAA Privacy Rule does.

Likewise, the HIPAA Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under state law. If state law prohibits disclosure, HIPAA does as well.

Can a Covered Entity Refuse to Regard a Person as a Personal Representative?

When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual

For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the HIPAA Privacy Rule permits the physician to decline to provide such access.

Compliancy Group Simplifies HIPAA Compliance

Compliancy Group was founded to help simplify the HIPAA compliance challenge. We give healthcare organizations everything they need to address the full extent of the HIPAA regulations.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address the law so they can get back to confidently running their business.

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM their HIPAA compliance!