What Healthcare Organizations Need to Know About HIPAA, Minors and Privacy

The Health Insurance Portability and Accountability Act (HIPAA) has specific requirements for handling the protected health information (PHI) of minors and for the access to that information that may be granted to anyone, including parents and guardians. Many state laws also restrict parental and guardian access to minors' PHI under certain conditions. Now that individuals routinely reach their account information through Internet applications, particularly those of health insurers and pharmacies, covered entities (CEs) need to consider the issues and impacts of providing access to minors' PHI through such automated means as well as in person.

The U.S. Department of Health and Human Services (HHS) has set requirements restricting access to the PHI of minors, but it offers CEs very little guidance on how to implement those restrictions. Because regulatory text leaves room for interpretation, and putting it into practice requires judgment calls, organizations need to know what compliance requires of them, document the decisions they make, and implement systems, applications, and procedures that support those decisions.

HIPAA, Minors, and PHI

Parents generally have the right to make healthcare decisions for their children, and so are, by default, considered the personal representatives for decisions about PHI access, use, and disclosure for unemancipated minors. 45 CFR § 164.502(g) of the Privacy Rule addresses the issues of parents obtaining access to their minor children's PHI. The key consideration is whether the parent is considered the "personal representative" of the child under HIPAA.

Where state or other applicable law explicitly permits, requires, or prohibits a parent's access to a minor's PHI, the Privacy Rule defers to that law. Where state or other applicable law is silent or unclear on parental access to a minor's PHI, a covered entity may exercise discretion to provide or deny a parent access, provided doing so is consistent with state or other applicable law and the decision is made by a licensed healthcare professional in the exercise of professional judgment.

Because a parent or legal guardian typically has authority to make healthcare decisions about his or her minor child, the Privacy Rule generally considers the adult a "personal representative" with the right to obtain access to the minor's health information.

When Parents Are Not "Personal Representatives"

There are important exceptions to note for when a parent is not considered a minor's personal representative. Generally these include the following:

  • If state or other applicable law does not require the consent of a parent or other person before a minor can obtain a particular healthcare service, and the minor consents to that service, then the Privacy Rule does not consider the parent the minor's personal representative for it. The minor can involve a parent in healthcare decisions if he or she wishes, without giving up the right to control the related health information, and can also choose to have the parent act as his or her personal representative. For example, if state law gives a minor the right to consent to mental health treatment without the consent of a parent, and the minor obtains such treatment without the parent's consent, the parent is not the minor's personal representative under the Privacy Rule for that specific treatment.
  • If a court determines, or other law authorizes, someone other than a parent to make treatment decisions for a minor, the parent is not considered the personal representative of the minor under the Privacy Rule for the specific situation. For example, a court might grant authority to an adult other than the parent to make specific types of healthcare decisions for a minor.
  • A parent can also agree that a confidential relationship can exist between the minor child and the physician, in which case the Privacy Rule would no longer consider the parent as the personal representative. For example, if a physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees, the parent would not control, or even be able to access, the PHI that was discussed during that confidential conference.
  • When a physician reasonably believes in his or her professional judgment that the child has been or may be subjected to abuse or neglect, or that treating the parent as the child's personal representative could endanger the child, the physician may choose not to treat the parent as the personal representative of the child.

In addition to the general situations described, the Privacy Rule also stipulates that state laws will not be preempted if they specifically address disclosure of health information about a minor to a parent (see § 160.202).

Implications for Healthcare Organizations

So how do these requirements impact healthcare organizations? There are some significant and distinct issues all types of CEs must address. The following sections delineate the major issues involved, what CEs must consider, and possible actions to take.

Determining Who Can Access a Minor's PHI

Always document when a parent or legal guardian:

  • Has agreed that the minor's communications with a physician may be kept confidential
  • Has been determined by a physician not to be permitted access to the minor's PHI
  • Has lawfully been denied access to the minor's PHI by the minor

Typically, the determination of whether a parent or legal guardian can access a minor's PHI occurs at or before the time the minor receives medical treatment.

Healthcare providers should send such documentation to the minor's health insurers, pharmacies, clearinghouses, and any other covered entity or business associate that might provide access to the PHI, in any form, to the policy subscriber or the insured family.

Healthcare payers, pharmacies, clearinghouses, and business associates with responsibilities for PHI should specifically request that healthcare providers offer notification for when parents or legal guardians are not considered as personal representatives and should not have access to a minor's PHI. Do not assume that the healthcare provider will automatically send you such notifications.

The general principle used by the HIPAA Privacy Rule is: If a person has a right to make a healthcare decision, he/she has the right to access and control information associated with that particular decision.

Establishing Procedures to Limit Access to Minors' PHI

CEs must establish procedures to ensure access restrictions are checked prior to giving access to a minor's PHI. This can prove to be problematic within online systems because, typically, the primary contact for an insured's family policy is a parent or legal guardian. CEs providing online access to PHI, such as within claims or prescription systems, must consider how to address two primary situations:

  • A newly insured with existing restrictions
  • An existing insured with a new restriction

The challenges and issues to tackle for restricting parents and legal guardians from a minor's PHI include:

  • Communicating the restrictions to the personnel who manage the access rights to PHI
  • Establishing a way within the applications, systems, and databases to flag the minors who have parental and guardian restrictions for accessing their PHI
  • Preventing access to a minor's claim information containing PHI—such as medicines prescribed, physical symptoms, and so on—from parents and legal guardians
  • Preventing access to a minor's prescription information from being given to parents and legal guardians

Establishing Technology to Limit Access to Minors' PHI

Once the issues and procedures have been identified for limiting minors' PHI access, technology must then be modified to support the procedures. Such updates can present some significant challenges, such as the following:

  • Modifying existing applications and systems to restrict access to specific fields within the policy of an insured family
  • Modifying existing database structures to support access controls on specific fields within an insured's policy record
  • Establishing a separate user ID and password for the minor, so that the parent or guardian cannot reach the minor's PHI through the subscriber's login
  • Communicating the separate user ID and password to the minor without revealing them to the parents and guardians when they live at the same address; the same care applies to any password-reset or account-recovery channel, which must not run through the subscriber's email address or telephone number

There are several combinations of possible solutions to consider:

  • Using federated identity management solutions to limit access within applications to the fields within the records of each insured
  • Restricting access to the specific minor's fields within the insured's records and then creating a separate ID and password to allow access to those fields
  • Creating copies of minors' PHI and storing it in separate records away from the parents' records, then deleting those corresponding fields within the insured's records; a separate application, or application option, would then need to be created to provide access to the minors' PHI
  • Communicating the minor's ID and password either directly over the telephone or by registered mail that the minor must sign for
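The flagging and access-check approach described above, as an added illustration that is not code from the article or from any real health plan: a member-portal authorization check that records why a parent or guardian is not a minor's personal representative (scoped to one treatment, or to all PHI), consults that flag on every request so that both "newly insured with an existing restriction" and "existing insured with a new restriction" are handled the same way, and returns a reason string for the access audit log. Member IDs, provider names, claims, an age of majority of 18 (this varies by state), and the idea of also matching pharmacy claims on the prescribing provider are all constructed assumptions for the example.

```python
"""Hypothetical authorization check for a health-plan member portal.

Decides whether a logged-in user may see a given claim, honoring restrictions on
a parent's or guardian's access to a minor dependent's PHI.  Added illustration,
not code from the article or any real plan.  Assumes an age of majority of 18
(varies by state) and one subscriber per family policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

AGE_OF_MAJORITY = 18             # assumption; confirm against the applicable state law
ALL_SERVICES = frozenset({"*"})  # restriction scope meaning every category of PHI


@dataclass(frozen=True)
class Member:
    member_id: str
    birth_date: date
    subscriber_id: str       # member_id of the policy subscriber, usually a parent


@dataclass(frozen=True)
class Claim:
    claim_id: str
    member_id: str
    service_category: str    # e.g. "primary_care", "mental_health", "pharmacy"
    provider: str            # treating or prescribing provider identifier
    diagnosis: str
    drug: Optional[str] = None


@dataclass(frozen=True)
class Restriction:
    """Flag that `restricted_user_id` is NOT `minor_id`'s personal representative.

    scope is a set of service categories when the minor consented to that treatment
    alone, or ALL_SERVICES when a court order, a provider's professional judgment,
    or an agreed confidential relationship excludes the adult entirely.  Pharmacy
    claims carry the prescriber, so naming the treating provider also hides the
    prescription filled for the restricted treatment without hiding unrelated
    pharmacy claims.  basis and notified_by keep the documentation the text requires.
    """
    minor_id: str
    restricted_user_id: str
    scope: frozenset
    treating_provider: Optional[str]
    basis: str
    effective: date
    notified_by: str

    def covers(self, claim: Claim) -> bool:
        return (self.scope == ALL_SERVICES
                or claim.service_category in self.scope
                or claim.provider == self.treating_provider)


class PhiAccessPolicy:
    def __init__(self, members: Iterable[Member], restrictions: Iterable[Restriction] = ()):
        self.members = {m.member_id: m for m in members}
        self.restrictions = list(restrictions)

    def add_restriction(self, r: Restriction) -> None:
        """Existing insured, new restriction: flags are checked on every request,
        so the new one takes effect immediately without re-enrollment."""
        self.restrictions.append(r)

    @staticmethod
    def is_minor(member: Member, on: date) -> bool:
        age = on.year - member.birth_date.year
        if (on.month, on.day) < (member.birth_date.month, member.birth_date.day):
            age -= 1
        return age < AGE_OF_MAJORITY

    def decide(self, user_id: str, claim: Claim, on: date) -> tuple:
        """Return (allowed, reason); the reason is what gets written to the audit log."""
        subject = self.members[claim.member_id]
        if user_id == claim.member_id:
            return True, "individual viewing own PHI"
        if user_id != subject.subscriber_id:
            return False, "requester is neither the individual nor the subscriber"
        if not self.is_minor(subject, on):
            return False, "dependent is an adult; subscriber is not a personal representative"
        for r in self.restrictions:
            if (r.minor_id == claim.member_id and r.restricted_user_id == user_id
                    and r.effective <= on and r.covers(claim)):
                return False, f"restriction on file: {r.basis} (reported by {r.notified_by})"
        return True, "subscriber is the minor's personal representative"

    def visible_claims(self, user_id: str, claims: Iterable[Claim], on: date) -> list:
        return [c.claim_id for c in claims if self.decide(user_id, c, on)[0]]


# Constructed sample data: not real people, providers, or claims.
PARENT = Member("M100", date(1980, 5, 2), subscriber_id="M100")
TEEN = Member("M101", date(2009, 3, 14), subscriber_id="M100")
CLAIMS = [
    Claim("C1", "M101", "primary_care", "NPI-111", "sprained ankle"),
    Claim("C2", "M101", "mental_health", "NPI-222", "anxiety disorder"),
    Claim("C3", "M101", "pharmacy", "NPI-222", "anxiety disorder", drug="sertraline"),
]
# Newly insured with an existing restriction: the provider notified the plan that the
# teen consented to mental-health treatment alone under state law.
POLICY = PhiAccessPolicy([PARENT, TEEN], [
    Restriction("M101", "M100", frozenset({"mental_health"}), "NPI-222",
                "minor consented to treatment without parental consent",
                date(2024, 9, 10), notified_by="Example Behavioral Health"),
])


def demo(on: date = date(2024, 10, 1)) -> dict:
    """Claim IDs each login can see on the given date."""
    return {"parent": POLICY.visible_claims("M100", CLAIMS, on),
            "teen": POLICY.visible_claims("M101", CLAIMS, on)}


if __name__ == "__main__":
    for c in CLAIMS:
        print(c.claim_id, POLICY.decide("M100", c, date(2024, 10, 1)))
    print(demo())
```

Two points the code makes that the bullets alone do not: a restriction scoped only by service category would still show the parent the sertraline fill under the pharmacy category, which is why the example also matches on the prescribing provider; and because `is_minor` is evaluated at request time, the parent's default access ends on the dependent's birthday without any separate data change.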

Some CEs have chosen to notify the healthcare provider and the minor that their current applications cannot prevent the policy subscriber (the parent or legal guardian) from accessing the minor's PHI. This does not prevent the access, but it might limit the liability and negative impact of failing to do so. Discuss this option, like every other option under consideration, very carefully with the CE's legal counsel.

Making Personnel Aware of Restrictions to Minors' PHI

The best procedures, plans, and technology in the world will be ineffective if they are not communicated to the personnel who must follow and use them. Personnel must be told what to do in situations in which parental and guardian access to minors' PHI is restricted. IT must be told the goals of these restrictions so that they can build effective access controls into applications, systems, and databases.

As with any information related to information security and privacy, training and awareness must be ongoing. Simply publishing the information once is not effective. Organizations need to provide periodic reminders through intranet Web sites, memos, email messages, posters, presentations, and other communications channels. Procedures and standards for supporting this special type of access requirement must be clearly documented and included with the rest of the organization's procedures and standards. Communication and documentation are also vital if you ever find yourself in a legal dispute and must demonstrate you have effective policies and procedures in place.

If you do not clearly and continuously communicate your policies, procedures, and standards and explain how they impact the organization, they will be ineffective, both within your organization and within a court of law.