privacy rights of (HIPAA)
The general principle
used by HIPAA's Privacy Rule
is a simple one: if a person has a right to make a health
care decision, then he/she has the right to control information
associated with that decision.
have the right to make health care decisions for their children
and so are by default considered the personal
representatives for decisions about protected
health information (PHI) access, use and disclosure for
unemancipated minors. This
would also be true in the case of a guardian or other individual
acting in loco parentis. However, minors as they grow
older have varying degrees of "emancipation" for
health care decision-making, and so, with that, comes control
over PHI associated with those decisions
general rule of parental/personal representative control for
minors' PHI is subject to three important general exceptions:
- when state law
does not require consent of a parent/personal representative
before a minor can obtain a particular form of treatment
(e.g., HIV testing, mental health services), the minor controls
information associated with that treatment;
- when a court
determines or other law authorizes someone other than the
parent to make treatment decisions for a minor, that other
person or entity controls the information associated with
the controlled treatment (it may in some cases be the minor
him- or herself);
- when a parent/personal
representative agrees to a confidential relationship between
a health care provider and a minor, the personal representative
does not have access to information associated with that
agreement (unless the minor permits it).
Even in these "exceptional"
situations, however, state laws which specifically address
disclosure of health information about a minor to a parent/personal
representative preempt HIPAA, regardless of whether they prohibit,
mandate or allow discretion about a disclosure. While HIPAA
generally allows preemption
by state privacy laws only where they are "stricter,"
this is an area of almost total deference.
This last point
is worth restating, since it has been a particularly contentious
topic: state law preempts federal law on the issues of parents'
vs. minors' access to and control of information, as long
as it is clear. When "state or other law is silent or
unclear concerning parental access to the minor’s [PHI],
a covered entity has discretion to provide or deny a parent
with access to the minor’s health information, if doing
so is consistent with state or other applicable law, and provided
the decision is made by a licensed health care professional
in the exercise of professional judgment."
As would be expected,
there are also general exceptions to the "parental control"
rule for the safety of the minor:
a provider has a "reasonable belief" that a child
has been, or may be, subject to abuse
or neglect, or that providing information to a parent/personal
representative could endanger the minor, the provider may
choose not to disclose;
- more generally,
a provider may withhold information from a parent/personal
representative if "in the exercise of professional
judgment," it is decided that "it is not in the
best interest of the individual to treat the person as the
individuals personal representative."
Note that the Bush
administration has taken an officially neutral, "pro-state"
(and unofficially "pro-parent") stance in attempting
to structure these rules and resolve potential points of disagreement:
- to "make
it clear that state and other applicable law governs not
only when a state explicitly addresses disclosure of protected
health information to a parent but also when such law provides
discretion to a provider"; and
- to stress that
a provider may use his/her professional judgment to disclose
health information to a parent, even in cases that otherwise
meet an exception, as "necessary to avert a serious
and imminent threat to the health or safety of the minor."
Note, as regards
the second of these, that the same risk considerations could
lead a provider to make a decision to withhold information
from a parent.
these provisions are obviously focused on the young, they
can equally well be applied to the other end of the age spectrum.
For example, if a health care provider reasonably believes
that disclosing information about an incompetent elderly individual
to the individual’s personal representative would endanger
that individual, HIPAA permits the provider to decline to
make such disclosure.