Minor Patient Records and Parental Access Under HIPAA

HIPAA rules for minor patients sit on top of state law about who can consent to care, and the combination creates real operational complexity for any clinic that treats adolescents. The starting point is straightforward: a parent is usually the personal representative of a minor child. The exceptions and overlays are what trip practices up.

Default rule: parent as personal representative

Under 45 CFR 164.502(g)(1), a person who has authority under applicable law to make health care decisions for an individual is the individual’s personal representative under HIPAA. For most minors, that means a parent or legal guardian. As personal representative, the parent has the same rights as the patient: to receive notice of privacy practices, to access records, to request amendments, to authorize disclosures, and to file complaints.

This is the rule clinics encounter most often. A parent calls to ask about a child’s appointment, requests a copy of immunization records, or signs the authorization to send records to a new pediatrician. In each case, the parent is acting as the patient under HIPAA.

Three exceptions where the minor controls the records

45 CFR 164.502(g)(3) carves out three situations where the parent is not treated as the personal representative for purposes of the specific care at issue. In each, the minor controls access to and disclosure of the related records.

The three exceptions are:

• The minor consented to the care, and no other consent is required by law, even if the parent could have also consented. This typically applies to categories of care that state law allows minors to consent to, such as STI testing, contraception, mental health services, or substance use treatment.
• The minor obtained the care at the direction of a court or a person appointed by the court, or the care was provided to a minor with parental notification but against the parent’s expressed wishes, where state law permits.
• The parent, guardian, or person acting in loco parentis assented to an agreement of confidentiality between the provider and the minor.

These exceptions apply only to the specific records related to the qualifying care, not to the entire chart. A 16-year-old who consents to STI testing under state law gets sole control of those visit records, but the parent remains personal representative for the routine sports physical the same teen had two months earlier.

State law variations

HIPAA does not decide when minors can consent to care. That is a state law question, and it varies. Most states allow minors to consent to certain categories of sensitive care, including STI services and outpatient mental health treatment, but the ages and conditions differ. Some states give parents access to all minor records regardless of who consented; some explicitly protect minor confidentiality in the same categories.

Two practical principles help:

• HIPAA defers to state law on minor consent capacity. If state law is silent or expressly leaves the question to the provider, HIPAA gives the provider discretion to grant or deny parental access.
• Where state law is more protective of patient privacy than HIPAA, state law generally controls.

Because the answer depends on the state, the type of care, and the age of the minor, every practice that sees adolescents needs a policy that maps these cases to local law. Memory and judgment alone are not enough.

Emancipated minors and special situations

Emancipated minors are treated as adults under HIPAA. The same is generally true for minors who have legally married, are members of the armed forces, or have otherwise been declared emancipated under state law. Documentation of emancipated status should be retained in the chart.

The EOB problem

The most common confidentiality failure with adolescent care is not in the chart at all. It is in the insurance Explanation of Benefits that the carrier mails or posts to the policyholder, who is usually the parent. An EOB that lists “STI screening” or “mental health visit” can disclose information the minor consented to confidentially.

Practices have a few options to manage this:

• Provide care without billing the minor’s insurance, where the patient can pay or where Title X or other public funding is available
• Use the alternative confidential communications right under 45 CFR 164.522(b) for the practice’s own communications, while recognizing that this provision binds the practice but not the health plan
• Counsel adolescents and their families about the EOB risk before sensitive services are rendered, so the patient can make an informed choice
• Use state confidential communications laws where they exist, which in some states extend to insurer EOBs

None of these are complete solutions. A documented intake conversation about communications preferences is the floor.

Practical policies

A workable policy for a small clinic that sees minors usually includes:

• A patient registration step that flags the patient as a minor and prompts capture of the parent or guardian’s contact information
• A review at intake of which categories of confidential adolescent care your state permits
• An EHR configuration that allows tagging of confidential visits or notes so the front desk does not inadvertently release them through routine ROI
• Staff training on how to handle parent calls about confidential services, with a script that does not confirm or deny the existence of those services
• A documented process for handling release of information requests where some records are confidential and others are not

Where to go next

For the broader patient access framework, see our article on HIPAA authorization vs. consent. The HIPAA basics hub collects the rest of the foundational topics. PHIGuard’s HIPAA compliance platform helps small clinics build and document the policies that pediatric and adolescent care require.