minors, privacy rights of (HIPAA)

The general principle used by HIPAA's Privacy Rule is a simple one: if a person has a right to make a health care decision, then he/she has the right to control information associated with that decision.

Parents generally have the right to make health care decisions for their children and so are by default considered the personal representatives for decisions about protected health information (PHI) access, use and disclosure for unemancipated minors. This would also be true in the case of a guardian or other individual acting in loco parentis. However, minors as they grow older have varying degrees of "emancipation" for health care decision-making, and so, with that, comes control over PHI associated with those decisions

Accordingly, the general rule of parental/personal representative control for minors' PHI is subject to three important general exceptions:

  • when state law does not require consent of a parent/personal representative before a minor can obtain a particular form of treatment (e.g., HIV testing, mental health services), the minor controls information associated with that treatment;
  • when a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, that other person or entity controls the information associated with the controlled treatment (it may in some cases be the minor him- or herself);
  • when a parent/personal representative agrees to a confidential relationship between a health care provider and a minor, the personal representative does not have access to information associated with that agreement (unless the minor permits it).

Even in these "exceptional" situations, however, state laws which specifically address disclosure of health information about a minor to a parent/personal representative preempt HIPAA, regardless of whether they prohibit, mandate or allow discretion about a disclosure. While HIPAA generally allows preemption by state privacy laws only where they are "stricter," this is an area of almost total deference.

This last point is worth restating, since it has been a particularly contentious topic: state law preempts federal law on the issues of parents' vs. minors' access to and control of information, as long as it is clear. When "state or other law is silent or unclear concerning parental access to the minor’s [PHI], a covered entity has discretion to provide or deny a parent with access to the minor’s health information, if doing so is consistent with state or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment."

As would be expected, there are also general exceptions to the "parental control" rule for the safety of the minor:

  • if a provider has a "reasonable belief" that a child has been, or may be, subject to abuse or neglect, or that providing information to a parent/personal representative could endanger the minor, the provider may choose not to disclose;
  • more generally, a provider may withhold information from a parent/personal representative if "in the exercise of professional judgment," it is decided that "it is not in the best interest of the individual to treat the person as the individual’s personal representative."

Note that the Bush administration has taken an officially neutral, "pro-state" (and unofficially "pro-parent") stance in attempting to structure these rules and resolve potential points of disagreement:

  • to "make it clear that state and other applicable law governs not only when a state explicitly addresses disclosure of protected health information to a parent but also when such law provides discretion to a provider"; and
  • to stress that a provider may use his/her professional judgment to disclose health information to a parent, even in cases that otherwise meet an exception, as "necessary to avert a serious and imminent threat to the health or safety of the minor."

Note, as regards the second of these, that the same risk considerations could lead a provider to make a decision to withhold information from a parent.

While these provisions are obviously focused on the young, they can equally well be applied to the other end of the age spectrum. For example, if a health care provider reasonably believes that disclosing information about an incompetent elderly individual to the individual’s personal representative would endanger that individual, HIPAA permits the provider to decline to make such disclosure.

See also:


   © 2002-2006 Contributing authors and University of Miami School of Medicine