The Health Insurance Portability and Accountability Act (HIPAA) has specific requirements for handling the protected health information (PHI) of minors and for the types of access that can be allowed to this information, even to parents and guardians. Many state-level laws also have requirements for restricting parental and guardian access to minors' PHI under certain conditions. With the commonplace practice of allowing individuals access to their account information via Internet applications, particularly among health insurance companies and pharmacies, it is important that covered entities (CEs) consider the issues and impacts of providing access to the PHI of minors through such automated means as well as in person.
The U.S. Department of Health and Human Services (HHS) has provided requirements restricting access to the PHI of minors. However, there really is no guidance offered to CEs explaining ways to implement these restrictions. Because of the subjective nature of regulatory text and of actually putting it into practice, it is important for organizations to know what is expected for compliance, document their decisions, and implement appropriate systems, applications, and procedures to support those decisions.
Parents generally have the right to make healthcare decisions for their children, and so are, by default, considered the personal representatives for decisions about PHI access, use, and disclosure for unemancipated minors. 45 CFR § 164.502(g) of the Privacy Rule addresses the issues of parents obtaining access to their minor children's PHI. The key consideration is whether the parent is considered the "personal representative" of the child under HIPAA.
Clearly worded state laws preempt federal law on the issues of parents' versus minors' access to and control of information. However, when state or other applicable law is unclear concerning parental access to a minor's PHI, a covered entity has discretion to provide or deny a parent access to the minor's PHI if doing so is consistent with state or other applicable law, and provided the decision is made by a licensed healthcare professional in the exercise of professional judgment.
Because a parent or legal guardian typically has authority to make healthcare decisions about his or her minor child, the Privacy Rule generally considers the adult a "personal representative" with the right to obtain access to the minor's health information.
There are important exceptions to note for when a parent is not considered a minor's personal representative. Generally these include the following:
In addition to the general situations described, the Privacy Rule also stipulates that state laws will not be preempted if they specifically address disclosure of health information about a minor to a parent (see § 160.202).
So how do these requirements impact healthcare organizations? There are some significant and distinct issues all types of CEs must address. The following sections delineate the major issues involved, what CEs must consider, and possible actions to take.
Always document when a parent or legal guardian:
Typically, the determination of whether a parent or legal guardian can access a minor's PHI occurs at or before the time the minor receives medical treatment.
Healthcare providers should specifically send such documentation to applicable healthcare insurers, pharmacies, clearinghouses, and any other business associate that might provide access to the PHI in any form to the insured.
Healthcare payers, pharmacies, clearinghouses, and business associates with responsibilities for PHI should specifically request that healthcare providers offer notification for when parents or legal guardians are not considered as personal representatives and should not have access to a minor's PHI. Do not assume that the healthcare provider will automatically send you such notifications.
The general principle used by the HIPAA Privacy Rule is: If a person has a right to make a healthcare decision, he/she has the right to access and control information associated with that particular decision.
CEs must establish procedures to ensure access restrictions are checked prior to giving access to a minor's PHI. This can prove to be problematic within online systems because, typically, the primary contact for an insured's family policy is a parent or legal guardian. CEs providing online access to PHI, such as within claims or prescription systems, must consider how to address two primary situations:
The challenges and issues to tackle for restricting parents and legal guardians from a minor's PHI include:
Once the issues and procedures have been identified for limiting minors' PHI access, technology must then be modified to support the procedures. Such updates can present some significant challenges, such as the following:
Some CEs have chosen to notify the healthcare provider and minor that the current applications cannot restrict access to the minor's PHI to prevent the subscriber owner (the parent or legal guardian) from getting access to the information. This does not solve the problem of preventing access but might limit the liabilities and negative impact of not limiting access to minors' PHI. This option, like any other option being considered, should be discussed very carefully with the CE's legal counsel.
The best procedures, plans, and technology in the world will be ineffective if not communicated to the personnel who must follow and use them. Personnel must be told what to do in situations in which parental and guardian access to minors' PHI is restricted. IT must be told the goals for these restrictions so that they can effectively build the access controls into applications, systems, and databases.
As with any information related to information security and privacy, training and awareness must be ongoing. Simply publishing the information once is not effective. Organizations need to provide periodic reminders through intranet Web sites, memos, email messages, posters, presentations, and other communications channels. Procedures and standards for supporting this special type of access requirement must be clearly documented and included with the rest of the organization's procedures and standards. Communication and documentation are also vital if you ever find yourself in a legal dispute and must demonstrate you have effective policies and procedures in place.
If you do not clearly and continuously communicate your policies, procedures, and standards and explain how they impact the organization, they will be ineffective, both within your organization and within a court of law.