OCR Reminds Regulated Entities of Obligation to Provide Parental Access to Children’s Medical Records

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued a “Dear Colleague” letter reminding HIPAA-regulated entities of their obligations under the HIPAA Privacy Rule to provide parents with full access to their minor children’s medical records. OCR said it has become aware that there may be instances where the parents of minor children have been denied access to their children’s medical records to the extent required by the HIPAA Privacy Rule.

The HIPAA Privacy Rule gives patients rights with respect to their protected health information (PHI). Individuals, or their personal representatives, must be provided with a copy of their medical records and other PHI in a designated record set on request. The same right usually applies to the parents or legal guardians of minor children.

“If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under [the HIPAA Rules], with respect to [PHI] relevant to such personal representation…” explained OCR director Paula M. Stannard in the Dear Colleague letter.

Parents usually have the right to make healthcare decisions about their minor children and are generally considered to be the personal representatives of their unemancipated minor children. As such, a parent can exercise their minor child’s right to access PHI under the HIPAA Privacy Rule, except in limited circumstances.

OCR explained that there are only three narrow exceptions when a parent is not considered the personal representative of their minor child, and if any of these circumstances apply, then providing the parent with a copy of, or access to, their minor child’s PHI is not permitted and would be a HIPAA violation. Each of these three scenarios typically only applies to limited types of health care services, such as mental health care.

  • When the child consents to health care, and the consent of the parent is not required under state or other applicable law.
  • When the child obtains health care at the direction of a court, or a person appointed by the court.

In these two scenarios, the parent is not considered to be the child’s personal representative with respect to that specific health care.

  • When, and to the extent that, the parent agrees that the child and the health care provider may have a confidential relationship.

OCR explained that in this situation, the scope of the parental agreement to the confidential relationship determines the degree to which the parent is considered the personal representative of the child with respect to the PHI maintained by the healthcare provider.

A healthcare provider may choose not to provide a parent with a copy of, or access to, some or all of their minor child’s medical records or other PHI if, in their professional judgment, the child may have been subject to domestic violence, abuse, or neglect, or if treating the parent as the child’s personal representative could endanger the child. In such cases, an individualized, patient-specific professional determination is required.

Stannard said that OCR is making parental access to children’s medical records an enforcement priority, and if noncompliance is identified, OCR will use all civil remedies available, including civil monetary penalties, to ensure compliance with this requirement of the HIPAA Privacy Rule.

The letter was issued in response to an investigation launched by OCR following a complaint that a Midwestern school illegally vaccinated a child with a federally provided vaccine, without the parents’ consent, by ignoring a religious exemption submitted under state law.

“Today, we are putting pediatric medical professionals on notice: you cannot sideline parents,” said HHS Secretary Robert F. Kennedy, Jr. “When providers ignore parental consent, violate exemptions to vaccine mandates, or keep parents in the dark about their children’s care, we will act decisively. We will use every tool at our disposal to protect families and restore accountability.”

OCR has also instructed the Health Resources and Services Administration (HRSA) to add a new grant requirement. All funding recipients are required to comply with all applicable federal and state parental-consent laws for any services or care provided to minors at HRSA-supported health centers as a condition of receiving Health Center Program funds.

HRSA will be writing to all health centers that receive grants to advise them of their obligations. Specifically, “Before a minor receives medical, dental, behavioral health, or other services at a HRSA-supported health center, the center must obtain consent from a parent or legal guardian in accordance with applicable state or federal law,” explained HRSA. “This requirement applies to all forms of care, including treatment, preventive services, counseling, and services involving sensitive topics such as sexual identity or reproductive health.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
