
	HIPAAdvisory > HIPAAregs > Modified Final Privacy Rule

Standards for Privacy of Individually Identifiable Health Information

B. Section 164.502--Uses and Disclosures of Protected Health Information: General Rules

3. Parents as Personal Representatives of Unemancipated Minors ¹

¹ Throughout this section of the preamble, "minor" refers to an unemancipated minor and "parent" refers to a parent, guardian, or other person acting in loco parentis.

December 2000 Privacy Rule

The Privacy Rule is intended to assure that parents have appropriate access to health information about their children. By creating new Federal protections and individual rights with respect to individually identifiable health information, parents will generally have new rights with respect to the health information about their minor children. In addition, the Department intended that the disclosure of health information about a minor child to a parent should be governed by State or other applicable law.

Under the Privacy Rule, parents are granted new rights as the personal representatives of their minor children. (See Sec. 164.502(g).) Generally, parents will be able to access and control the health information about their minor children. (See Sec. 164.502(g)(3).)

The Privacy Rule recognizes a limited number of exceptions to this general rule. These exceptions generally track the ability under State or other applicable laws of certain minors to obtain specified health care without parental consent. For example, every State has a law that permits adolescents to be tested for HIV without the consent of a parent. These laws are created to assure that adolescents will seek health care that is essential to their own health, as well as the public health. In these exceptional cases, where a minor can obtain a particular health care service without the consent of a parent under State or other applicable law, it is the minor, and not the parent, who may exercise the privacy rights afforded to individuals under the December 2000 Privacy Rule. (See Sec. 164.502(g)(3)(i) and (ii), redesignated as Sec. 164.502(g)(3)(i)(A) and (B)).

The December 2000 Privacy Rule also allows the minor to exercise control of protected health information when the parent has agreed to the minor obtaining confidential treatment (see Sec. 164.502(g)(3)(iii), redesignated as Sec. 164.502(g)(3)(i)(C) in this final Rule), and allows a covered health care provider to choose not to treat a parent as a personal representative of the minor when the provider is concerned about abuse or harm to the child. (See Sec. 164.502(g)(5).)

Of course, a covered provider may disclose health information about a minor to a parent in the most critical situations, even if one of the limited exceptions discussed above apply. Disclosure of such information is always permitted as necessary to avert a serious and imminent threat to the health or safety of the minor. (See Sec. 164.512(j).) The Privacy Rule adopted in December 2000 also states that disclosure of health information about a minor to a parent is permitted if State law authorizes disclosure to a parent, thereby allowing such disclosure where State law determines it is appropriate. (See Sec. 160.202, definition of "more stringent.") Finally, health information about the minor may be disclosed to the parent if the minor involves the parent in his or her health care and does not object to such disclosure. (See Sec. 164.502(g)(3)(i), redesignated as Sec. 164.502(g)(3)(i)(A), and Sec. 164.510(b)). The parent will retain all rights concerning any other health information about his or her minor child that does not meet one of the few exceptions listed above.

March 2002 NPRM

After reassessing the parents and minors provisions in the Privacy Rule, the Department identified two areas in which there were unintended consequences of the Rule. First, the language regarding deference to State law, which authorizes or prohibits disclosure of health information about a minor to a parent, fails to assure that State or other law governs when the law grants a provider discretion in certain circumstances to disclose protected health information to a parent. Second, the Privacy Rule may have prohibited parental access in certain situations in which State or other law may have permitted such access.

The Department proposed changes to these standards where they did not operate as intended and did not adequately defer to State or other applicable law with respect to parents and minors. First, in order to assure that State and other applicable laws that address disclosure of health information about a minor to his or her parent govern in all cases, the Department proposed to move the relevant language about the disclosure of health information from the definition of "more stringent" (see Sec. 160.202) to the standards regarding parents and minors (see Sec. 164.502(g)(3)). This change would make it clear that State and other applicable law governs not only when a State explicitly addresses disclosure of protected health information to a parent but also when such law provides discretion to a provider. The language itself is also changed in the proposal to adapt it to the new section.

Second, the Department proposed to add a new paragraph (iii) to Sec. 164.502(g)(3) to establish a neutral policy regarding the right of access of a parent to health information about his or her minor child under Sec. 164.524, in the rare circumstance in which the parent is technically not the personal representative of his or her minor child under the Privacy Rule. This policy would apply particularly where State or other law is silent or unclear.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, "Response to Other Public Comments."

The Department received a number of comments on the proposed changes to the parents and minors provisions of the Privacy Rule. Many commenters, particularly health care providers involved in provision of health care to minors, requested that the Department return to the approach under the Privacy Rule published in December 2000, because they believed that the proposed approach would discourage minors from seeking necessary health care. At a minimum, these commenters suggested that the Department clarify that discretion to grant a parent access under the proposal is limited to the covered health care provider that is providing treatment to the minor.

Supporters of the proposal asserted that the Department was moving in the right direction, but many also advocated for more parental rights. They asserted that parents have protected rights to act for their children and that the Privacy Rule interferes with these rights.

There were also some commenters that were confused by the new proposal and others that requested a Federal standard that would preempt all State laws.

Final Modifications

The Department will continue to defer to State or other applicable law and to remain neutral to the extent possible. However, the Department is adopting changes to the standards in the December 2000 Privacy Rule, where they do not operate as intended and are inconsistent with the Department's underlying goals. These modifications are similar in approach to the NPRM and the rationale for these changes remains the same as was stated in the NPRM. However, the Department makes some changes from the language that was proposed, in order to simplify the provisions and clarify the Department's intent.

There are three goals with respect to the parents and minors provisions in the Privacy Rule. First, the Department wants to assure that parents have appropriate access to the health information about their minor children to make important health care decisions about them, while also making sure that the Privacy Rule does not interfere with a minor's ability to consent to and obtain health care under State or other applicable law. Second, the Department does not want to interfere with State or other applicable laws related to competency or parental rights, in general, or the role of parents in making health care decisions about their minor children, in particular. Third, the Department does not want to interfere with the professional requirements of State medical boards or other ethical codes of health care providers with respect to confidentiality of health information or with the health care practices of such providers with respect to adolescent health care.

In order to honor these differing goals, the Department has and continues to take the approach of deferring to State or other applicable law and professional practice with respect to parents and minors. Where State and other applicable law is silent or unclear, the Department has attempted to create standards, implementation specifications, and requirements that are consistent with such laws and that permit States the discretion to continue to define the rights of parents and minors with respect to health information without interference from the Federal Privacy Rule.

The Department adopts two changes to the provisions regarding parents and minors in order to address unintended consequences from the December 2000 Privacy Rule and to defer to State and other law. The first change is about disclosure of protected health information to a parent and the second is about access to the health information by the parent. Disclosure is about a covered entity providing individually identifiable information to persons outside the entity, either the individual or a third party. Access is a particular type of disclosure that is the right of an individual (directly or through a personal representative) to review or obtain a copy of his or her health information under Sec. 164.524. This modification treats both activities similarly by deferring to State or other applicable law.

The first change, regarding disclosure of protected health information to a parent, is the same as the change proposed in the NPRM. In order to assure that State and other applicable laws that address disclosure of health information about a minor to his or her parent govern in all cases, the language in the definition of "more stringent" (see Sec. 160.202) that addresses the disclosure of protected health information about a minor to a parent has been moved to the standards regarding parents and minors (see Sec. 164.502(g)(3)). The addition of paragraphs (g)(3)(ii)(A) and (B) of Sec. 164.502, clarify that State and other applicable law governs when such law explicitly requires, permits, or prohibits disclosure of protected health information to a parent.

In connection with moving the language, the language is changed from the December 2000 Privacy Rule in order to adapt it to the new section. Section 164.502(g)(3)(ii)(A) states that a covered entity may disclose protected health information about a minor to a parent if an applicable provision of State or other law permits or requires such disclosure. By adopting this provision, the Department makes clear that nothing in the regulation prohibits disclosure of health information to a parent if, and to the extent that, State or other law permits or requires such disclosure. The Privacy Rule defers to such State or other law and permits covered entities to act in accordance to such law. Section 164.502(g)(3)(ii)(B) states that a covered entity may not disclose protected health information about a minor to a parent if an applicable provision of State or other law prohibits such disclosure. Again, regardless of how the Privacy Rule would operate in the absence of explicit State or other law, if such law prohibits the disclosure of protected health information about a minor to a parent, so does the Privacy Rule. The revision also clarifies that deference to State or other applicable law includes deference to established case law as well as explicit provisions in statutes or regulations that permit, require, or prohibit particular disclosures.

The second change, regarding access to protected health information, also reflects the same policy as proposed in the NPRM. There are two provisions that refer to access, in order to clarify the Department's intent in this area. The first is where there is an explicit State or other law regarding parental access, and the second is where State or other law is silent or unclear, which is often the case with access.

Like the provisions regarding disclosure of protected health information to a parent, the final Rule defers to State or other applicable law regarding a parent's access to health information about a minor. The change assures that State or other applicable law governs when the law explicitly requires, permits, or prohibits access to protected health information about a minor to a parent. This includes deference to established case law as well as an explicit provision in a statute or regulation. This issue is addressed in paragraphs (g)(3)(ii)(A) and (B) of Sec. 164.502 with the disclosure provisions discussed above.

In addition to the provision regarding explicit State access laws, the Department recognizes that the Privacy Rule creates a right of access that previously did not exist in most States. Most States do not have explicit laws in this area. In order to address the limited number of cases in which the parent is not the personal representative of the minor because one of the exceptions in the parents and minors provisions are met (see Sec. 164.502(g)(3)(i)(A), (B), or (C)), the Department adds a provision, Sec. 164.502(g)(3)(ii)(C), similar to a provision proposed in the NPRM, that addresses those situations in which State and other law about parental access is not explicit. Under this provision, a covered entity may provide or deny access to a parent provided that such discretion is permitted by State or other law. This new paragraph would assure that the Privacy Rule would not prevent a covered entity from providing access to a parent if the covered entity would have been able to provide this access under State or other applicable law. The new paragraph would also prohibit access by a parent if providing such access would violate State or other applicable law.

It is important to note that this provision regarding access to health information about a minor in cases in which State and other laws are silent or unclear will not apply in the majority of cases because, typically, the parent will be the personal representative of his or her minor child and will have a right of access to the medical records of his or her minor children under the Privacy Rule. This provision only applies in cases in which the parent is not the personal representative under the Privacy Rule.

In response to comments by health care providers, the final modifications also clarify that, the discretion to provide or deny access to a parent under Sec. 164.502(g)(3)(ii)(C) only may be exercised by a licensed health care professional, in the exercise of professional judgment. This is consistent with the policy described in the preamble to the NPRM, is similar to the approach in the access provisions in Sec. 164.524(a)(3), and furthers the Department's interest in balancing the goals of providing appropriate information to parents and of assuring that minors obtain appropriate access to health care. This decision should be made by a health care professional, who is accustomed to exercising professional judgment. A health plan may also exercise such discretion if the decision is made by a licensed health care provider.

The Department takes no position on the ability of a minor to consent to treatment and no position on how State or other law affects privacy between the minor and parent. Where State or other law is unclear, covered entities should continue to conduct the same analysis of such law as they do now to determine if access is permissible or not. Because the Privacy Rule defers to State and other law in the area of parents and minors, the Department assumes that the current practices of health care providers with respect to access by parents and confidentiality of minor's records are consistent with State and other applicable law, and, therefore, can continue under the Privacy Rule.

Parental access under this section would continue to be subject to any limitations on activities of a personal representative in Sec. 164.502(g)(5) and Sec. 164.524(a)(2) and (3). In cases in which the parent is not the personal representative of the minor and State or other law does not require parental access, this provision does not provide a parent a right to demand access and does not require a covered entity to provide access to a parent. Furthermore, nothing in these modifications shall affect whether or not a minor would have a right to access his or her records. That is, a covered entity's exercise of discretion to not grant a parent access does not affect the right of access the minor may have under the Privacy Rule. A covered entity may deny a parent access in accordance with State or other law and may be required to provide access to the minor under the Privacy Rule.

These changes also do not affect the general provisions, explained in the section "December 2000 Privacy Rule" above, regarding parents as personal representatives of their minor children or the exceptions to this general rule, where parents would not be the personal representatives of their minor children.

These changes adopted in this Rule provide States with the option of clarifying the interaction between their laws regarding consent to health care and the ability of parents to have access to the health information about the care received by their minor children in accordance with such laws. As such, this change should more accurately reflect current State and other laws and modifications to such laws.

Response to Other Public Comments

Comment: Some commenters urged the Department to retain the approach to parents and minors that was adopted in December 2000. They claimed that the NPRM approach would seriously undermine minors' willingness to seek necessary medical care. Other commenters advocated full parental access to health information about their minor children, claiming that the Privacy Rule interferes with parents' rights.

Response: We believe the approach adopted in the final Rule strikes the right balance between these concerns. It defers to State law or other applicable law and preserves the status quo to the greatest extent possible.

Comment: Health care providers generally opposed the changes to the parents and minors provisions claiming that they would eliminate protection of a minor's privacy, and therefore, would decrease the willingness of adolescents to obtain necessary health care for sensitive types of health care services. They also argued that the NPRM approach is inconsistent with State laws that give minors the right to consent to certain health care because the purpose of these laws is to provide minors with confidential health care.

Response: Issues related to parents' and minors' rights with respect to health care are best left for the States to decide. The standards regarding parents and minors are designed to defer to State law in this area. While we believe that there is a correlation between State laws that grant minors the authority to consent to treatment and confidentiality of the information related to such treatment, our research has not established that these laws bar parental access to such health information under all circumstances. Therefore, to act in a manner consistent with State law, the approach adopted in this Final Rule is more flexible than the standards adopted in December 2000, in order to assure that the Privacy Rule does not preclude a provider from granting access to a parent if this is permissible under State law. However, this new standard would not permit activity that would be impermissible under State law.

Some State or other laws may state clearly that a covered entity must provide a parent access to the medical records of his or her minor child, even when the minor consents to the treatment without the parent. In this case, the covered entity must provide a parent access, subject to the access limitations in the Privacy Rule at Sec. 164.524(a)(2) and (3). Other laws may state clearly that a covered entity must not provide a parent access to their minor child's medical records when the minor consents to the treatment without the parent. In this case, the covered entity would be precluded from granting access to the parent. If the State or other law clearly provides a covered entity with discretion to grant a parent access, then the covered entity may exercise such discretion, to the extent permitted under such other law.

If State law is silent or unclear on its face, then a covered entity would have to go through the same analysis as it would today to determine if such law permitted, required, or prohibited providing a parent with access to a minor's records. That analysis may involve review of case law, attorney general opinions, legislative history, etc. If such analysis showed that the State would permit an entity to provide a parent access to health information about a minor child, and under the Privacy Rule, the parent would not be the personal representative of the minor because of one of the limited exceptions in Sec. 164.502(g)(3)(i), then the covered entity may exercise such discretion, based on the professional judgment of a licensed health care provider, to choose whether or not to provide the parent access to the medical records of his or her minor child. If, as the commenters suggest, a State consent law were interpreted to prohibit such access, then such access is prohibited under the Privacy Rule as well.

Comment: One commenter asserted that the Privacy Rule inappropriately erects barriers between parents and children. Specifically, the commenter stated that Sec. 164.502(g)(5) delegates to private entities government power to decide whether a child may be subjected to abuse or could be endangered. The commenter also stated that the access provisions in Sec. 164.502(g)(3) would erect barriers where State law is silent or unclear.

Response: The Department does not agree that the Privacy Rule erects barriers between a parent and a minor child because the relevant standards are intended to defer to State law. Health care providers have responsibilities under other laws and professional standards to report child abuse to the appropriate authorities and to use professional discretion to protect the child's welfare in abuse situations. Similarly the Privacy Rule permits (but does not require) the provider to use professional discretion to act to protect a child she believes is being abused. If the Privacy Rule were to mandate that a provider grant a parent access to a medical record in abuse situations, as the commenter suggests, this would be a change from current law. In addition, the Privacy Rule does not allow a denial of parental access to medical records if State or other law would require such access.

Comment: Commenters continue to raise preemption issues. A few commenters called for preemption of all State law in this area. Others stated that there should be one standard, not 50 standards, controlling disclosure of protected health information about a minor to a parent and that the NPRM approach would burden regional and national health care providers. Others urged preemption of State laws that are less protective of a minor's privacy, consistent with the general preemption provisions.

Response: The Department does not want to interfere with a State's role in determining the appropriate rights of parents and their minor children. The claim that the Privacy Rule introduces 50 standards is inaccurate. These State standards exist today and are not created by the Privacy Rule. Our approach has been, and continues to be, to defer to State and other applicable law in this area.

Comment: One commenter requested the Privacy Rule state that good faith compliance with the Privacy Rule is an affirmative defense to enforcement of contrary laws ultimately determined to be more stringent than the Rule, or that it provide specific guidance on which State laws conflict with or are more stringent than the Privacy Rule.

Response: The Privacy Rule cannot dictate how States enforce their own privacy laws. Furthermore, guidance on whether or not a State law is preempted would not be binding on a State interpreting its own law.

Comment: Some commenters remain concerned that a parent will not get information about a child who receives care in an emergency without the consent of the parent and that the provisions in Sec. 164.510(b) are not sufficient.

Response: As we have stated in previous guidance, a provider generally can discuss all the health information about a minor child with his parent, because the parent usually will be the personal representative of the child. This is true, under the Privacy Rule, even if the parent did not provide consent to the treatment because of the emergency nature of the health care. A parent may be unable to obtain such information in limited circumstances, such as when the minor provided consent for the treatment in accordance with State law or the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.

Comment: A couple of commenters were concerned that the provisions regarding confidential communications conflict with the Fair Debt Collection Practices Act (FDCPA), which allows collection agencies to contact the party responsible for payment of the debt, be it the spouse or parent (of a minor) of the individual that incurred the debt, and share information that supports the incurrence and amount of the debt. They feared that the Privacy Rule would no longer allow collection agencies to continue this practice.

Response: Our analysis of the relevant provisions of the Privacy Rule and the FDCPA does not indicate any conflicts between the two laws. An entity that is subject to the FDCPA and the Privacy Rule (or that must act consistent with the Privacy Rule as a business associate of the covered entity) should be able to comply with both laws, because the FDCPA permits an entity to exercise discretion to disclose information about one individual to another.

The FDCPA allows debt collectors to communicate with the debtor's spouse or parent if the debtor is a minor. The provisions of the FDCPA are permissive rather than required.

Generally, the Privacy Rule permits covered entities to use the services of debt collectors as the use of such services to obtain payment for the provision of health care comes within the definition of "payment." The Privacy Rule generally does not identify to whom information can be disclosed when a covered entity is engaged in its own payment activities. Therefore, if a covered entity or a debt collector, as a business associate of a covered entity, needs to disclose protected health information to a spouse or a parent, the Privacy Rule generally would not prevent such disclosure. In these cases where the Privacy Rule would permit disclosure to a parent or spouse, there should be no concern with the interaction with the FDCPA.

However, there are some circumstances in which the Privacy Rule may prohibit a disclosure to a parent or a spouse for payment purposes. For example, under Sec. 164.522(a), an individual has the right to request restrictions to the disclosure of health information for payment. A provider or health plan may choose whether or not to agree to the request. If the covered entity agreed to a restriction, the covered entity would be bound by that restriction and would not be permitted to disclose the individual's health information in violation of that agreement. Also, Sec. 164.522(b) generally requires covered entities to accommodate reasonable requests by individuals to receive communications of protected health information by alternative means or at alternative locations. However, the covered entity may condition the accommodation on the individual providing information on how payment will be handled. In both of these cases, the covered entity has means for permitting disclosures as permitted by the FDCPA. Therefore, these provisions of the Privacy Rule need not limit options available under the FDCPA. However, if the agreed-to restrictions or accommodation for confidential communications prohibit disclosure to a parent or spouse of an individual, the covered entity, and the debt collector as a business associate of the covered entity, would be prohibited from disclosing such information under the Privacy Rule. In such case, because the FDCPA would provide discretion to make a disclosure, but the Privacy Rule would prohibit the disclosure, a covered entity or the debt collector as a business associate of a covered entity would have to exercise discretion granted under the FDCPA in a way that complies with the Privacy Rule. This means not making the disclosure.