It was brought to the attention of the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) that healthcare providers may be violating HIPAA in certain instances where they deny parental access to a child’s medical records, or require the child to authorize the disclosure of their medical records to the parent before parental access is granted. In response, on December 3, OCR issued a new guidance letter to remind providers of their obligations to give parents access to a minor’s medical records.
Under HIPAA’s “right of access” rule, every individual, or a personal representative acting on behalf of the individual, has the right to access the individual’s medical records. HIPAA further provides that when a parent, guardian or other person acting with parental authority over an unemancipated minor has the authority to consent to health care on behalf of such minor, then such person must be treated as a personal representative of the minor under the “right of access” rule. The presumption is that a parent has authority to make healthcare decisions on behalf of their child and, therefore, a parent has a right to access their child’s medical records as their personal representative. There are three limited exceptions to this rule under HIPAA:
- When the child consents to their health care under state or other applicable law. In certain circumstances, state law or other applicable law may give the child the right to consent to their health care and parent consent is not required. In such circumstances, the parent would not qualify as a personal representative of the child with respect to that specific health care.
For example, several states (including New York) allow a minor to consent to health care related to sexually transmitted infections and parental consent is not required. If a minor receives such care for a sexually transmitted infection without parental consent and the parent subsequently requests access to the minor’s medical records, the portions of the record pertaining to the sexually transmitted infection should not be disclosed without the minor’s authorization. The other portions of the record should be disclosed to the parent, unless another exception applies.
- When the child has a court-appointed person that has authority to consent to the child’s health care. In such cases, the court-appointed person will be the child’s personal representative, and the parent will no longer qualify as the child’s personal representative for HIPAA purposes.
- When the parent agrees that the child and the healthcare provider may have a confidential relationship. The scope of the exception is determined by the scope of the parent’s agreement with respect to the child and the provider’s confidential information. In other words, the parent may agree that only certain aspects of the child’s care are confidential and only those aspects would fall under this exception.
There is another exception that generally applies to all personal representatives under HIPAA – that is, in the circumstances where the provider reasonably believes, in his or her professional opinion, that the child is subjected to domestic violence, abuse or neglect, or that the child could be endangered if their parent is given access to their medical records.
If none of the above exceptions applies, the provider cannot deny or limit a parent’s access to their child’s medical records under HIPAA. OCR also encourages covered entities to configure their electronic health record systems to give parents access to their child’s medical records electronically to promote more timely and efficient access.
The OCR guidance letter serves as an important reminder for covered entities to review their HIPAA policies with respect to parental access to records and ensure that they comply with the HIPAA rules and limited exceptions.
It is also important to review parental access rights on a case-by-case basis under applicable state laws. State laws always takes precedence over HIPAA if they impose more stringent requirements. When making determinations with respect to parental access to medical records, providers should document in the medical record their determination, the underlying facts and circumstances, and whether parental access was granted or denied (and the applicable exception for the denial).
Sign up to receive Rivkin Rounds at www.RivkinRounds.com.