“Don’t Tell My Mom”: A Guide to HIPAA Compliance for Minor Patients

What are your obligations to disclose or withhold your minor patients’ sensitive health information? 

(Updated September 1, 2021)

“Don’t tell my mom!” The babysitter who just saw a kid steal an extra piece of chocolate might give into this plea. After all, it was some candy; the secret is unlikely to harm anyone. In healthcare, however, things are different. 

When a minor patient asks you to “keep this between us,” abiding by your patient’s wishes is anything but simple. Generally, HIPAA offers no protection to minors and requires healthcare providers to release a minor patient’s medical records to the child’s parent or guardian upon request. However, as with most things, there are exceptions to this rule. 

If you treat minor patients in your healthcare practice, read on to understand your HIPAA-related obligations.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to:

• Protect patients’ confidential health information;
• Allow American workers and their families to continue or transfer their health insurance coverage when they change jobs;
• Reduce healthcare fraud and abuse; and
• Create an industry-wide standard for healthcare billing and other processes.

HIPAA’s Privacy Rule creates national standards to protect patients’ individually identifiable health information, which it refers to as protected health information (PHI). PHI is any information that relates to:

1. the individual’s past, present, or future physical or mental health or condition; 
2. The provision of healthcare to the individual; or
3. The past, present, or future payment of health care to the individual,

when there is a reasonable basis to believe it identifies the individual. In other words, health information, if coupled with common identifiers such as the patient’s name, address, or birthdate, must be kept secret. 

Fundamentally, the Privacy Rule exists to create a trusting environment between patients and their doctors. Ideally then, patients will feel comfortable seeking care and openly communicating with their treatment teams. Thus, the Privacy Rule significantly limits when a healthcare professional can release patient information. A clinician cannot disclose PHI unless the patient consents or an exception applies.

Permitted PHI Disclosures.

Under some circumstances, HIPAA allows for the release of PHI. In these situations, rule-makers acknowledge that the benefits of releasing protected information may outweigh the drawbacks. Permitted disclosures include those that:

• Prevent imminent harm. A healthcare provider may release PHI as necessary to prevent a serious imminent threat to the health or safety of a person or the public. However, the provider should disclose the minimum amount of information necessary and only disclose PHI to someone capable of reducing the risk of harm, such as the target of the harm or law enforcement personnel. 
• Facilitate treatment, payment, and healthcare operations. A provider can disclose PHI for treatment and payment. For example, a physician can discuss a patient’s treatment with other treatment team members or release PHI to train employees. 
• Are required by law, including specific state regulations or court orders that mandate disclosure of PHI. 

How Does HIPAA Apply to Minors?

Generally,  anyone under eighteen is considered a minor and cannot legally exercise their rights under HIPAA. Instead, HIPAA considers the minor’s parent or guardian to be their “personal representative.” The Privacy Rule authorizes a personal representative to exercise the minor’s HIPAA rights on their behalf. Thus, for the most part, parents have access to their minor children’s medical records, and turning over a minor’s confidential health information to a parent is generally not a violation of HIPAA laws.

Beyond gaining access to PHI, parents and guardians have the full range of HIPAA rights. For instance, a parent or guardian of a minor patient can receive notices regarding the release of the minor patient’s PHI, authorize disclosures of PHI to third parties, and make other healthcare decisions on behalf of the patient. Essentially, the parent or guardian steps into the patient’s shoes to exercise a patient’s considerable rights under HIPAA.

When Should Providers Not Treat a Minor as a Minor?

As discussed above, parents and guardians of minors typically have the same rights as the minor patient. However, this is not always the case.

In some circumstances, releasing the minor patient’s medical records to a parent or guardian would violate HIPAA. These exceptions recognize that sometimes there is an enhanced interest in keeping minor’s health data private, even from mom and dad.

Below are a few circumstances when HIPAA would not consider a minor’s parents or guardians to be their HIPAA representative: 

The minor can consent to care under applicable state law.

Here, the minor is considered the decision-maker. As such, their parents are not entitled to their health information.

Each state has its own rules. In Illinois, for example, parental consent is not required under Illinois consent and confidentiality laws when a minor child has been emancipated. Moreover, in California, a minor age fifteen or older can consent to medical care if they live separate from their parents and manage their own financial affairs.

In short, if a minor can legally consent to treatment without the consent of a parent or guardian, then HIPAA recognizes their right to privacy.

The parent or guardian consents to patient-provider confidentiality.

A parent can authorize a confidential relationship between the minor patient and the healthcare provider. This exception is based on the idea of informed consent and defers to the parent’s discretion. Note, though, the parent or guardian has the power to revoke this limitation.

Abuse, domestic violence, or neglect.

The law recognizes that sometimes, a healthcare professional reasonably believes a minor is, or may be, subject to abuse, domestic violence, or neglect. In these situations, the provider has the discretion to withhold information from the parents or guardians.

Court discretion.

If a minor patient obtains care at the court’s discretion or by a person appointed by the court, then the court or court-appointed individual becomes the patient’s representative.

State law denies a parent’s access.

Sometimes, a specific state’s law otherwise denies a parent’s right to access the information. Conversely, If state law permits expansive parental access, a parent may still have access to PHI, even if one of the above exceptions applies. State law can override HIPAA.

These are just a sample of the situations in which a healthcare provider may not release a minor patient’s medical records to the parent or guardian. Doing so would constitute a HIPAA violation and consequently subject the provider to penalties for legal non-compliance.

Behavioral Health and HIPAA.

Confidentiality is paramount in mental health. For treatment to be effective, the patient must be able to disclose their thoughts, feelings, urges, and behaviors without the fear of judgment or punishment. Otherwise, the therapist will have nothing to work with, and the patient will be unlikely to improve. 

Nonetheless, mental health confidentiality laws for minors generally mirror those of physical medical treatment. That is, the law presumes that a minor patient’s parent or guardian is their treatment representative. As such, the adults are the ones consenting to the minor’s treatment and have a right to review the full medical record.  

But remember, state laws generally override federal laws. Because the right to confidentiality usually follows the right to consent for treatment, if a state allows a minor to consent to mental health treatment, that minor can likely control their parents’ access to their treatment records. 

In Michigan, for instance, a minor who is fourteen years or older can consent to outpatient mental health treatment. Therefore, a fifteen-year-old who decides to see a therapist for anxiety has decision-making authority. Neither the mother nor father is their personal representative. Thus, HIPAA does not provide the parents with the right to the minor patient’s PHI. 

Relevant Exceptions in Behavioral Health.

Moreover, mental health providers should consider other relevant HIPAA exceptions. As noted above, providers have the discretion to withhold PHI from a minor’s parents if they reasonably believe that the minor is the subject of abuse or neglect. In these situations, the law recognizes that a child’s safety and well-being may outweigh a parent’s right to be informed. 

In addition, given the importance of privacy in mental health, many parents may willingly consent to their child’s confidentiality to increase the effectiveness of the therapy. Howver, therapists should note, that the parent may limit or revoke this confidentiality agreement.  

Finally, psychologists and therapists do not have to disclose psychotherapy notes to either a minor patient or that patient’s parents or guardians. HIPAA defines psychotherapy notes as notes written by a mental health professional while analyzing the contents of a conversation during a therapy session. They contain subjective impressions and help the therapist think through, evaluate, and plan the patient’s treatment. Unlike progress notes, they do not contain references to specific treatment interventions or medications prescribed.

HIPAA recognizes that psychotherapy notes are more likely to contain sensitive information that may harm the patient or deteriorate the therapist-patient relationship. As a result, these notes can be kept secret — even from parents.    

COVID-19 and Minors’ Privacy Rights.

The Centers for Disease Control and Prevention recently recommended that all individuals age twelve years and older obtain COVID-19 vaccines. But what if a minor patient and their parents disagree on vaccination? What if, say, a child wants the vaccine, but mom and dad want him to avoid it?

Again, the answer depends on the state. In five jurisdictions — Alabama, the District of Columbia, Oregon, Rhode Island, and South Carolina — minors can independently consent to COVID vaccination. As a result, HIPAA also allows them to keep their decision confidential from their parents or guardians. In some states, like Washington, providers may waive parental consent. If they do, then the parents are not the minor’s treatment representative, and the provider must allow the minor to keep their medical records confidential. 

As children become eligible for vaccines, many wonder if schools, camps, or other programs can ask about vaccination status. Can such a private medical question violate HIPAA?

The answer is no. First, HIPAA applies only to covered entities such as healthcare providers and their business associates, not camp counselors or teachers. Second, asking questions is unlikely to be an issue. Indeed, HIPAA does not prohibit anyone from inquiring about someone’s medical record.  Asking a camper or student — or their parents or guardian — to release PHI voluntarily is very different from releasing that information to an unauthorized third party. 

In summary, although there remains some uncertainty about which entities can mandate vaccines, there is clarity on the right to ask about vaccination status. As a general rule, questions do not violate HIPAA.  

(See our related video on COVID-19 and HIPAA.)

What are the Penalties for HIPAA Non-compliance?

Sometimes minors, especially older minors, may beg and plead to keep their medical information confidential from their parents. However, unless your healthcare attorney has determined that a legal exception applies to the situation, you must release medical records to parents and guardians of minors when requested.

When a minor patient asks you to ignore the law and abide by their wishes, set aside your goodwill and stick with the law. The penalties for HIPAA non-compliance, including the failure to provide records to authorized parties, can be hefty. Depending on the type and severity of the violation, fines can range from $100 to $50,000 per incident, with a maximum fine of $1.5 million per year. In addition to fines, non-compliance can also result in criminal charges that result in jail time. 

Consult a HIPAA Compliance Attorney.

HIPAA compliance laws are numerous and complex, yet extremely important. Not only is HIPAA compliance essential to protect your patients, but also to avoid penalties. If you need help with HIPAA compliance, and you operate a healthcare practice or business in one of the states where we are licensed, reach out to us.

This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader. It should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.

The American Data Privacy and Protection Act Legislation (ADPPA) in Healthcare

In Congress, there’s bipartisan concern about Americans’ data privacy. A proposed federal law to address these concerns will likely affect how you handle patient data.

Read More

Patient Photos on Social Media

So, you want to share patient photos on your social media. What are some things you should consider first?

Read More

Email and Social Media Disclaimers for Health Professionals

Does a disclaimer really do anything to protect you from liability?

Read More

TikTok Takeover: Legal Considerations for Posting Healthcare Videos

Do you want to educate the public or promote your healthcare practice on TikTok? Before you post, keep these legal issues in mind.

Read More

HIPAA Right of Access: What It Means When Your Patient Is a Couple

Patients have a right to review their health records. Meanwhile, health information should not be disclosed to unauthorized persons. So how do you ensure access and privacy when records include information about more than one individual?

Read More

HIPAA in the Waiting Room

How do you maintain compliance with the HIPAA Privacy Rule in a crowded, bustling waiting room? We discuss the issues.

Read More

Can I Record Patient Telephone Calls and Visits?

It’s easier than ever to record phone conversations with patients. But is it legal to do so? We discuss the considerations.

Read More

Business Associate Agreement (BAA) Basics

When do you need a business associate agreement (BAA)? Are there situations in which you should decline to enter into one? Learn what it means when you sign the dotted line.

Read More

Responding to Mental Health Emergencies: Legal Considerations

When a patient is having an active mental health emergency, what are your obligations? What does the law allow? We address some common questions.

Read More

Navigating Red Flag Laws Under HIPAA

Some states permit healthcare providers to petition the court for the removal of a patient’s firearms. How can a provider do this without violating HIPAA’s Privacy Rule?

Read More

Sources of Liability in Telemedicine

Telehealth can introduce new types of risk for your medical practice. Know what to look for so that you can take steps to reduce your liability.

Read More

Does HIPAA Apply to You? You Might Not Be Compliant.

“HIPAA doesn’t apply to me.” We hear it all the time. But are you willing to bet your practice’s future on that assumption? We discuss the basics, including the most commonly overlooked aspects of the law.

Read More