Does HIPAA Apply to Minors?
The privacy standards of HIPAA apply to minors inasmuch as a minor’s health information is subject to the same Privacy Rule protections as an adult’s health information and must be secured in the same way against threats to its confidentiality, integrity, and availability. However, there are differences in the application of HIPAA rights when an individual is an unemancipated minor.
A common cause of confusion about how the standards of HIPAA apply to minors relates to consent for health care. The reason for the confusion is that clause (3)(i) of the privacy standard relating to personal representatives (§164.502(g)) states:
“If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter with respect to Protected Health Information.”
Some sources interpret this clause of §164.502(g) to mean that parents, guardians, and others who can represent an unemancipated minor have the authority to make decisions about a minor’s health care under HIPAA. This is not the case.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
This clause instructs covered entities – and business associates when applicable – to transfer the unemancipated minor’s HIPAA rights “with respect to Protected Health Information” to the parent, guardian, or other personal representative.
What are Minor’s HIPAA Rights?
Minor’s HIPAA rights are the same as individual’s HIPAA rights. However, under HIPAA, personal representatives of a minor can exercise the minor’s HIPAA rights on their behalf – unless a circumstance exists that pre-empts §164.502(g). The HIPAA rights are:
Uses and disclosures of PHI for which an authorization is required (§164.508)
Under this standard, personal representatives must authorize a use or disclosure of a minor’s PHI that is not otherwise required or permitted by the Privacy Rule.
Uses and disclosures requiring an opportunity to agree or object (§164.510)
When an opportunity to agree or object to a use or disclosure of PHI exists, a personal representative can agree or object on the minor’s behalf.
Notices of Privacy Practices for Protected Health Information (§164.520)
When a minor first receives health care at a healthcare facility, the personal representative – rather than the minor – must be given the Notice of Privacy Practices.
Rights to request privacy protection for PHI (§164.522)
Personal representatives can request that a minor’s PHI is not used or disclosed except when the use of PHI is required in an emergency, or a disclosure is required by law.
Access of individuals to Protected Health Information (§164.524)
Other than in specific circumstances, personal representatives have the right to request access to – or a copy of – a minor’s PHI maintained in a designated record set.
The right to request amendments of PHI (§164.526)
Personal representatives also have the right to request amendments to a minor’s PHI maintained in one or more designated record sets when errors or omissions exist.
The right to request an accounting of disclosures (§164.528)
In the same way as individuals can request an accounting of disclosures, personal representatives can also request an accounting of who a minor’s PHI has been disclosed to.
As well as the above Privacy Rule rights, individuals also have the right to be notified when PHI is disclosed impermissibly, or unsecured PHI is accessed without authorization. In the event a minor’s unsecured PHI is disclosed impermissibly or accessed without authorization, the breach notification should be sent to the personal representative.
Circumstances that Pre-Empt §164.052(g)
There are many circumstances in which a personal representative may be unable to exercise a minor’s HIPAA rights on their behalf. These include (but are not limited to):
- When a court order or state law prohibits a personal representative acting on behalf of a minor.
- When a disclosure to a personal representative is considered not in the best interests of the minor.
- When an agreement exists for a minor to make decisions on their own behalf as an emancipated minor.
- When a medical circumstance allows a minor to request privacy protections for PHI disclosed to a healthcare provider.
Medical circumstances most often include when a minor seeks contraceptive services, STI treatments, or prenatal care. Minors can also consent to uses of PHI under the Emergency Medical Treatment and Labor Act (EMTALA); and, depending on state laws, it may also be possible for a minor to request privacy protections for PHI disclosed during SUD treatments.
Does HIPAA Apply to Minors? Conclusion
There is no doubt HIPAA applies to minors and that the PHI of minors must be protected from impermissible disclosures and unauthorized access in the same way as the PHI of adults must be protected. What may cause confusion is how does HIPAA apply to minors in respect of decisions about health care and the application of the minor’s HIPAA rights.
HIPAA has no jurisdiction about whether an unemancipated minor can make decisions about health care. Minor “consent” depends on state laws, the nature of health care being provided, and healthcare providers’ professional judgement. In the context of does HIPAA apply to minors, the only concern for healthcare providers should be when does §164.502(g) apply, and when does it not apply.
Covered entities who are unsure about when to transfer an unemancipated minor’s HIPAA rights “with respect to Protected Health Information” to a personal representative are advised to seek professional compliance advice, develop clear policies on this section of the Privacy Rule, and provide HIPAA training on the policies to all relevant members of the workforce.
