With respect to general treatment situations, a parent, guardian, or other person acting in loco parentis usually is the personal representative of the minor child, and a health care provider is permitted to share patient information with a patient’s personal representative under the Privacy Rule. However, section 164.502(g) of the Privacy Rule contains several important exceptions to this general rule. A parent is not treated as a minor child’s personal representative when:
- State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, the minor consents to the health care service, and the minor child has not requested the parent be treated as a personal representative;
- someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent; or
- a parent agrees to a confidential relationship between the minor and a health care provider with respect to the health care service.2 For example, if State law provides an adolescent the right to obtain mental health treatment without parental consent, and the adolescent consents to such treatment, the parent would not be the personal representative of the adolescent with respect to that mental health treatment information.
Regardless, however, of whether the parent is otherwise considered a personal representative, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent when and to the extent it is prohibited under State or other laws (including relevant case law). See 45 CFR 164.502(g)(3)(ii).
In cases in which State or other applicable law is silent concerning disclosing a minor’s protected health information to a parent, and the parent is not the personal representative of the minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent access to the minor’s health information, if doing so is consistent with State or other applicable law, and the decision is made by a licensed healthcare professional in the exercise of professional judgment. For more information about personal representatives under the Privacy Rule, see OCR’s guidance for consumers and providers.
In situations where a minor patient is being treated for a mental health disorder and a substance abuse disorder, additional laws may be applicable. The Federal confidentiality statute and regulations that apply to federally-funded drug and alcohol abuse treatment programs contain provisions that are more stringent than HIPAA. See 42 USC § 290dd–2; 42 CFR 2.11, et. seq.
Note: A parent also may not be a personal representative if there are safety concerns. A provider may decide not to treat the parent as the minor’s personal representative if the provider believes that the minor has been or may be subject to violence, abuse, or neglect by the parent or the minor may be endangered by treating the parent as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the parent as the personal representative. See 45 CFR 164.502(g)(5).