As discussed in our prior health law update, New Limits on Minor Consents in Idaho, effective July 1, 2024, parents generally will have the right to access the medical records of their unemancipated minor children subject to very limited exceptions. A parent who is denied access may sue the provider for damages and fees.1
The Parents’ Right in Medical Decision-Making Act (“the Act”). In addition to requiring that providers obtain parental consent to treat unemancipated minors,2 the Act states:
No health care provider or governmental entity shall deny a minor child’s parent access to health information that is:
(a) In such health care provider’s or governmental entity’s control; and
(b) Requested by the minor child’s parent.3
“Parent” is defined as “a biological parent of a child, an adoptive parent of a child, or an individual who has been granted exclusive right and authority over the welfare of a child under state law.”4 “Health care provider” is defined as:
(i) A physician, health care practitioner, or other individual licensed, accredited, or certified to perform health care services or provide counseling consistent with state law, or any agent or third-party representative thereof; or
(ii) A health care facility or its agent.5
“Health information” is defined broadly as:
information or data, collected or recorded in any form or medium, and personal facts of information about events or relationships that relates to:
(i) The past, present, or future physical, mental, or behavioral health or condition of an individual or member of the individual’s family;
(ii) The provision of health care services to an individual; or
(iii) Payment for the provision of health care services to an individual.6
The Act does contain several exceptions. First, it only applies to unemancipated minors.7 Second, parental access may be denied if such access “is prohibited by a court order.”8 And, third, a provider may deny parental access if “[t]he parent is a subject of an investigation related to a crime committed against the child, and a law enforcement officer requests that the information not be released to the parent.”9 Significantly, both elements must be satisfied: (i) an ongoing criminal investigation, and (ii) a law enforcement request. In that regard, the Idaho exception to parental access is narrower than the corresponding HIPAA exception discussed below. Significantly, the Idaho Act “is intended to supersede any current provisions of Idaho law that may otherwise conflict with the Act.”10 Thus, those Idaho laws that have for years allowed minors to consent to their own healthcare and, by either implication or effect, allowed providers to deny parental access will no longer be effective July 1, 2024. Importantly, it appears that under the Act and unless an exception applies, parents will have access to any health information relating to their minor child whether or not the care was rendered before or after July 1, 2024, even if the care was rendered under a promise of confidentiality at the time.
HIPAA. The federal HIPAA privacy rule generally defers to state law when addressing parental access to records. The relevant rule states:
If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or provide access in accordance with § 164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis.11
However, that general rule is subject to several important exceptions. First, the rule allows a provider to decline to treat a minor patient’s personal representative as the patient and, by extension, deny them access to the patient’s records if:
[a] parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.12
Second, § 164.502(g)(5) allows a provider to deny parental access if disclosure would endanger the patient. Specifically, HIPAA states:
Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.13
This exception is broader than the Idaho exception: no investigation or law enforcement request is required.
Third, under the general HIPAA rule, parental access may be granted “in accordance with § 164.524.”14 Section 164.524(a) contains a number of exceptions to access by the patient or their personal representatives. In addition to certain others,15 patients and, by extension, their parents or other personal representatives do not have a right to access:
- Records that are not maintained in the patient’s designated record set,16 ie., records that are not “[u]sed, in whole or in part, by or for the covered entity to make decisions about individuals”;17
- Information that was obtained by the provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the information;18
- Psychotherapy notes;19
- Information compiled in reasonable anticipation of or use in civil, criminal, or administrative action or proceeding;20 or
- Records of a correctional institution providing care to a minor under certain circumstances.21
In addition, subject to the patient’s right to have the decision reviewed,22 § 164.524 allows a provider to deny access to the patient or their personal representative if:
- “A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person”;23
- The information requested references a person (other than a healthcare provider) and “a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person”;24 or
- “The request for access is made by the individual’s personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.”25
Again, the HIPAA exceptions are broader than those under the Idaho Act.
HIPAA Preemption. Although the Department of Health and Human Services (“HHS”) commentary to HIPAA privacy rule iterations over the years appears contradictory or ambiguous,26 it is relatively clear that the foregoing HIPAA exceptions to parental access were intended to preempt contrary state laws such as Idaho’s.
First, under its preemption regulations, HIPAA preempts “contrary” state law unless the state law is “more stringent” than HIPAA.27
Contrary … means:
(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of [the HIPAA privacy rule].
More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under [the HIPAA privacy rule], a State law that meets one or more of the following criteria:
. . .
(6) ….provides greater privacy protection for the individual who is the subject of the individually identifiable health information.28
In this case, §§ 164.502(g)(5) and 164.524(a) create specific exceptions that have the effect of denying parental access to the protected health information of a minor patient, i.e., the individual who is the subject of the information. The Idaho law is contrary to those standards: one cannot comply with both the Idaho statute law granting parental access and HIPAA, which limits parental access in specified situations. HIPAA is more stringent in that it provides greater protection to the information of the individual who is the subject of the information, i.e., the minor patient. Thus, applying the preemption analysis to this case, HIPAA preempts the Idaho statute.
Second, the abuse or endangerment exception in § 164.502(g)(5) expressly states that it applies “[n]otwithstanding a State law or any requirement of this paragraph to the contrary,” thereby confirming HHS’s intent to preempt state laws to the extent there is a conflict, including the Idaho Act.
Third, in its 2000 and 2002 commentary to the HIPAA privacy rule, HHS acknowledged that “[g]enerally, parents will be able to access and control the health information about their minor children” (citing § 164.502(g)(3)), but “[t]he Privacy Rule recognizes a limited number of exceptions to this general rule,” including “when the parent has agreed to the minor obtaining confidential treatment (see § 164.502(g)(3). . . )” and “when the provider is concerned about abuse or harm to the child. (See § 164.502(g)(5).”29 Thus, under the final privacy rule, “[a] parent may be unable to obtain such information in limited circumstances, such as when . . . the treating physician suspects abuse or neglect or reasonably believes that releasing the information to the parent will endanger the child.”30
Fourth, HHS has reaffirmed the general rule and exceptions over the years. For example, the Office for Civil Rights website contains the following FAQs:
Can the personal representative of an adult or emancipated minor obtain access to the individual’s medical record?
Answer: The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524…. [However,] [t]here is an exception to the general rule… Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.31
Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
Answer: Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule [including] [w]hen, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship. [In addition,] a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.32
More recently, in the 2021 proposed HIPAA rule, HHS acknowledged that “the Privacy Rule generally defers to state law with respect to the circumstances in … under which information may not be disclosed to parents” but “the Privacy Rule currently permits a covered entity to deny access to a personal representative suspected of abuse or neglect.”33 And finally, in its April 26, 2024, final rule on HIPAA and reproductive rights, HHS stated:
The Privacy Rule generally permits a parent to have access to the medical records about their child as their minor child’s personal representative when such access is consistent with state or other law, with limited exceptions. Additional information about how the Privacy Rule applies to minors can be found at 45 CFR 164.502(g) and on the OCR website.34
Conclusion. Effective July 1, 2024, the general rule in Idaho will be that parents are entitled to access the health information of their unemancipated minor children with very limited exceptions. Based on the HIPAA preemption rules, the express terms of the HIPAA privacy rule, and HHS’s commentary over the years, it appears relatively clear that HHS would interpret the HIPAA exceptions to parental access to continue to apply and preempt Idaho’s Parents’ Rights in Medical Decision-Making Act to the extent there is a conflict, including but not limited to situations in which the provider believes that disclosure would endanger the minor patient. With that said, there is no guarantee that parents, prosecutors, or courts will agree. Accordingly, providers should be very careful when applying any additional HIPAA exceptions to parental access given the potential for lawsuits under I.C. § 32-1015. Even if the provider wins, they may still incur the costs of defense. Providers should update their parental access policies and practices accordingly.
1 I.C. § 32-1015.
2 Id. at § 32-1015(3).
3 Id. at § 32-1015(5).
4 Id. at § 32-1015(1)(f).
5 Id. at § 32-1015(1)(b).
6 Id. at § 32-1015(1)(d).
7 The Act defines “minor child as “an individual under eighteen (18) years of age but does not include an individual who is an emancipated minor.” Id. at § 32-1015(1)(e).
8 Id. at § 32-1015(6)(a).
0 Id. at § 32-1015(6)(b).
10 SB1329 Statement of Purpose, available at https://legislature.idaho.gov/wp-content/uploads/sessioninfo/2024/legislation/S1329SOP.pdf.
11 45 C.F.R. § 164.502(g)(3)(ii)(A).
12 Id. at § 164.502(g)(3)(i)(C).
13 45 C.F.R. § 164.502(g)(5), emphasis added.
14 Id. at § 164.502(g)(3)(ii)(A).
15 See id. at § 164.524(a) for all the excepted records and associated conditions.
16 Id. at § 164.524(a)(1).
17 Id. at § 164.501, definition of “designated record set; see also https://www.hollandhart.com/hipaa-patient-access-and-designated-record-sets.
18 45 C.F.R. § 164.524(a)(2)(v).
19 Id. at § 164.524(a)(1)(i). For more information about psychotherapy notes, see https://www.hollandhart.com/hipaa-psychotherapy-notes-and-other-mental-health-records.
20 45 C.F.R. § 164.524(a)(1)(ii).
21 Id. at § 164.524(a)(2)(iii).
22 Id. at § 164.524(a)(4).
23 Id. at § 164.524(a)(3)(i).
24 Id. at § 164.524(a)(3)(ii).
25 Id. at § 164.524(a)(3)(iii).
26 In its 2000 and 2002 commentary, for example, HHS repeatedly emphasized that it “intended that the disclosure of health information about a minor child to a parent should be governed by State . . . law” (67 FR 53199) and that “the Privacy Rule does not allow a denial of parental access to medical records if State or other law would require such access.” (Id. at 53202; see generally id. at 53200-53202 and 65 FR 82500). When originally drafted, the proposed definition of “more stringent” stated, “nothing in this subchapter may be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information about a minor to a parent, guardian, or person acting in loco parentis of such minor,” (65 FR 82800), but that phrase was removed from the 2002 version of the final rule in favor of the current structure in 164.502(g)(3). (67 FR 53200).
27 45 C.F.R. § 160.203.
28 Id. at § 160.202.
29 67 FR 53199-53200.
30 Id. at 53202; see also 65 FR 82556.
31 https://www.hhs.gov/hipaa/for-professionals/faq/221/can-adult-or-emancipated-minor-personal-rep-access-record/index.html,
32 https://www.hhs.gov/hipaa/for-professionals/faq/227/can-i-access-medical-record-if-i-have-power-of-attorney/index.html; see also https://www.hhs.gov/hipaa/for-professionals/faq/228/can-parents-get-information-about-emergency-treatment/index.html.
33 86 FR 6481.
34 89 FR 32996.