HIPAA privacy & getting access to an adult child’s medical records
How can the personal representative of an adult or emancipated minor obtain access to that person’s medical record?
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. Likewise, an individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the same rule.
The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general.
On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority.
For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
The HIPAA Privacy Rule establishes a foundation of federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information.
Along with these rights, the rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures.
The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the rule, a person authorized (under state or other applicable law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.”
How the HIPAA privacy rule works
Subject to certain exceptions, the privacy rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the rule.
The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights.
For instance, covered entities must:
provide the individual’s personal representative with an accounting of disclosures (in accordance with 45 CFR 164.528)
provide the personal representative access to the individual’s protected health information (in accordance with 45 CFR 164.524) to the extent such information is relevant to such representation.
In addition to exercising the individual’s rights under the rule, a personal representative may also authorize disclosures of the individual’s protected health information.
In general, the scope of the personal representative’s authority to act for the individual is based on his or her legal authority to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally-incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the rule, unless an exception applies.
Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation.
For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes.
Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities).
State or other law should be consulted to determine the authority of the personal representative to receive or access the individual’s protected health information.
Who must be recognized as the individual’s personal representative?
The following chart displays who must be recognized as the personal representative for a category of individuals:
A person with legal authority to make health care decisions on behalf of the individual. Examples:
Health care power of attorney
Court appointed legal guardian
General power of attorney or durable power of attorney that includes the power to make health care decisions
Exceptions: See abuse, neglect, and endangerment situations discussion below.
An unemancipated minor
A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child.Exceptions: See parents and unemancipated minors, and abuse, neglect and endangerment situations discussion below.
A person with legal authority to act on behalf of the decedent or the estate (not restricted to persons with authority to make health care decisions). Examples:
Executor or administrator of the estate
Next of kin or other family member (if relevant law provides authority)
Parents and unemancipated minors
In most cases, a parent, guardian, or other person acting in loco parentis (collectively, “parent”) is the personal representative of the minor child, and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child.
However, the privacy rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under state or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:
When state or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service. (Example: A state law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.)
When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent. (Example: A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision/s itself.)
When a parent agrees to a confidential relationship between the minor and a health care provider. (Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition, and the parent agrees.)
Regardless, however, of whether a parent is the personal representative of a minor child, the privacy rule defers to state or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the privacy pule allows a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by state or other laws (including relevant case law).
Likewise, the rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under state or other laws (including relevant case law).
In cases in which state or other applicable law is silent concerning parental access to the minor’s protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent with access under 45 CFR 164.524 to the minor’s health information, if doing so is consistent with state or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.
Abuse, neglect and endangerment situations
When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.
For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the privacy rule permits the physician to decline to provide such access.
Notice: This article was adapted from information from the US Department of Health & Human Services (Revised September 19, 2013) and the The National Cancer Institute. The information on this page is of a general nature and offered for informational purposes only; it is not offered as, and does not constitute, legal advice, and may not apply to any particular set of facts or circumstances. Visit the US Department of Health & Human Services website for detailed information about the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information.