HHS Office for Civil Rights Focuses on Parents’ Rights to Children’s Medical Records

Recently, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR)[i] issued a “Dear Colleague” letter reminding health care providers that federal law requires them to provide parents access to their minor children’s health information.[ii] 

Under the HIPAA Privacy Rule, an individual, and his or her personal representative, have the right to access the individual’s medical records and protected health information (“PHI”). A personal representative is a person with authority under applicable law to make health care decisions for the individual. A parent is the personal representative of their minor child if the parent has the authority to make health care decisions for the minor under applicable law. Therefore, in most cases, parents will have the right to access their minor children’s medical records.

There are exceptions, however. The Privacy Rule specifies three situations in which a minor’s parent will not be the child’s personal representative with respect to the PHI:

1. When the minor consents to a health care service and the consent of the parent is not required under applicable law for that health care service.
2. When the minor obtains health care at the direction of a court or a person appointed by the court.
3. When the parent agrees that the minor and the health care provider may have a confidential relationship.

In these three situations, the parent is not the minor’s personal representative with respect to the PHI covered by the exception. The OCR clarifies that the parent is still the minor’s personal representative with respect to any PHI that is not related to the exception, and so can access any of the minor’s other medical records. For example, if a minor has the right under state law to consent to mental health treatment, and no parental consent is required, the parent would not be the personal representative for purposes of the mental health treatment to which the minor child consented. Therefore, the parent could not access records related to that mental health treatment. The parent would still be the child’s personal representative for any other health care services and would be entitled to access records for any other services.

The Privacy Rule also allows a provider, in the exercise of professional judgment, to decide not to treat a minor’s parent as the personal representative if the provider reasonably believes that the minor has been, or may be subjected to, domestic violence, abuse, neglect, or that treating the parent as the personal representative could endanger the minor. 

The OCR cites instances in which health care providers have denied parents access to their minor child’s records or required the minor to authorize parental access before granting access to parents. If the parent is the minor’s personal representative, this violates the Privacy Rule’s access requirements. The OCR urges covered entities and business associates that facilitate access to records on behalf of covered entities to review their policies and procedures and proactively make any necessary changes to ensure compliance with the Privacy Rule. The letter specifically calls attention to default configurations of electronic information systems (such as patient portals) that result in the improper denial of parents’ rights to access their minor children’s PHI, and states that covered entities and their business associates should ensure that electronic systems are properly configured to allow parents to access their children’s PHI.

According to the letter, the OCR is making parental access to their children’s medical records an enforcement priority, and will use all civil remedies available, including civil money penalties, to ensure compliance. In addition, a press release issued concurrently with the letter states that the OCR is initiating compliance reviews of a number of large health care providers to ensure that parents receive timely access to their children’s health information.[iii] 

In light of the OCR’s announced enforcement focus on parental access to their children’s medical records, covered entities and business associates should review their policies and procedures with respect to parental access, including electronic access, and make any necessary updates. If you have questions about complying with parental access requirements or other HIPAA requirements, please contact your Dinsmore health care law attorney.