Patient privacy is just as important for children under the age of 18 as it is for adults. However, health care providers must follow certain stipulations under the HIPAA Privacy rule when handling the protected health information of these individuals.
How does the HIPAA Privacy Rule apply to minors?
Answer: Before a child reaches the age of majority, which is 18 years old in most states, he cannot legally exercise his rights granted by the HIPAA Privacy Rule. Minors’ parents or guardians act as personal representatives under special patient considerations. The most important thing to note is that the Privacy Rule grants parents access to their children’s medical records. As such, a health care provider handing over sensitive information about a patient under the age of 18 to his parent would not be in violation of the law.
Generally, covered entities should treat parents - and all personal representatives - as they would the individual whom the person represents. The guardians of minors have the same rights as the patient. As such, beyond granting access to the patient’s medical record, health care providers must also let these representatives know about the release of PHI, authorize disclosures and make decisions on the patient’s behalf.
There are certain circumstances in which a child’s parent is not his personal representative, and release of information to the parent in this situation would constitute a violation. According to the U.S. Department of Health and Human Services, a doctor should not consider a parent the personal representative when:
- A parent agrees that the minor and health care provider may have a confidential relationship.
- Parental consent for care is not required under law.
- A court provides direction for care or appoints an individual to care for the minor.
Additionally, as with all personal representatives, a doctor can use his discretion in determining whether passing on information to a parent would be beneficial to the patient. If the health care provider suspects the guardian neglects the child or subjects him to abuse, for example, the physician may refuse to continue treating the parent as a personal representative.
Penalties associated with noncompliance
Covered entities may be in violation of HIPAA and be subject to civil fees if they release PHI to a parent of an emancipated minor. At the same time, refusing to keep a parent informed when he serves as a minor’s personal representative would violate patient rights. It is important for health care providers to keep track of this type of information regarding children under the age of 18 to ensure HIPAA compliance.