How Does the HIPAA Privacy Rule Apply to Minors?

There is no straightforward answer to how does the HIPAA Privacy Rule apply to minors because the Privacy Rule excludes emancipated minors from the standard relating to personal representatives. Furthermore, the difference between emancipated and unemancipated minors can be determined by a number of factors, including:

• State laws
• Marital status
• Military service
• Court orders
• Parental consent
• Loco parentis authorizations
• Medical circumstance
• Professional judgement

To understand why there is no straightforward answer to how does the HIPAA Privacy Rule apply to minors, it is necessary to review the standard relating to personal representatives (§164.502(g)). The standard itself is simple enough to understand inasmuch as it states:

“[a covered entity must] treat a personal representative as an individual for purposes of this subchapter”.

What this standard means is that, if a third party has the authority to act on behalf of an individual with regards to making decisions about health care, the third party assumes the same rights as the individual with respect to their protected health information (PHI).

In the context of how does the HIPAA Privacy Rule apply to minors, when a third party acts on behalf of an “unemancipated minor”, the third party (usually a parent or authorized guardian) is able to exercise the minor’s HIPAA rights as if they were their own.

This means (for example) a parent can request access to their child’s PHI, request amendments where errors exist, request an accounting of PHI disclosures, and request restrictions on what PHI is disclosed and who it is disclosed to.

However, this standard is full of conditions and exemptions – notwithstanding that HIPAA lacks a definition of what an unemancipated minor is. The conditions, exemptions, and lack of a definition make it difficult to answer how does the HIPAA Privacy Rule apply to minors.

The Difference between Unemancipated and Emancipated Minors

In most states, an unemancipated minor is a minor who is subject to the control, authority, and supervision of his or her parents or guardians until they become a legal adult at 18 years. Until this time, the HIPAA Privacy Rule does not apply to minors because their parents or guardians have the authority to make decisions about their health care and exercise the minor’s HIPAA rights.

However, if a minor functions as an adult before turning 18 years (or the state’s “age of majority”), they are considered to be emancipated minors. Such circumstances include if they are married, serve in the Armed Forces, have left the family home and are self-sustaining, or are declared emancipated by a court under a state’s Statute of Emancipation or mature minor case law.

When a minor is emancipated, the HIPAA Privacy Rule applies to minors in the same way as if the minors were adults. This means the minor’s parents no longer have the right to request access to their child’s PHI or exercise any other HIPAA rights on behalf of the minor. This not only applies to PHI from the date of emancipation, but to all PHI maintained about the minor since birth.

There are also some cases in which a minor can be partially unemancipated. These include when a minor is homeless, when a parent has given their authorization for a minor to make their own health care decisions, or when no parent is available in an emergency situation and a minor is given treatment options under the Emergency Medical Treatment and Labor Act (EMTALA).

In such circumstances, although a minor may be able to make their own health care decisions, their parents or guardians may still retain some control over who has access to PHI. For example, if a parent is incarcerated, they can authorize a person acting in loco parentis to be the minor’s personal representative with limited scope – i.e., to sign authorization forms on behalf of the minor.

How Does the HIPAA Privacy Rule Apply to Minors by Medical Circumstance?

It was mentioned that the personal representative standard is full of conditions and exemptions. These appear throughout the standard’s implementation specifications in language such as “If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law [a minor may lawfully obtain health care without the consent of a parent].”

The language effectively allows states and courts to determine when a minor can lawfully obtain health care without the consent of a parent and whether the Privacy Rule applies to minors as an emancipated or unemancipated minor, or as a partially unemancipated minor in cases when a parent assents to an agreement of confidentiality between the minor and their healthcare provider.

Most states have passed legislation specifying the medical circumstances in which a minor can lawfully obtain health care without the consent of a parent and the age at which they can obtain it. However, these can vary considerably depending on the medical circumstance (i.e., STDs, pregnancy, SUDs, and/or “emotional disturbances”) and the professional judgement of the healthcare provider.

In some circumstances, state regulations stipulate when public health officials or parents must be informed of the minor’s diagnosis or treatment. In other circumstances, healthcare providers must notify a parent unless the notification is considered detrimental to the minor’s well-being. In these circumstances, the HIPAA Privacy Rule would apply to minors in respect of their treatment only.

The HIPAA Privacy Rule also gives healthcare providers the authority to withhold PHI about a minor from personal representatives if they believe the minor has been subjected to abuse or neglect by the personal representative or if they believe it is not in the best interests of the minor to reveal PHI to the personal representative (for example, if the PHI could be used to endanger the minor).

Summary – What Healthcare Providers Need to Consider When Treating Minors

In the context of how does the HIPAA Privacy Rule apply to minors, there are several things to consider when diagnosing or treating minors. The first is whether health care is being provided to an emancipated or unemancipated minor, and – if the latter – is parental consent necessary. (If the former, it may be necessary to obtain proof of emancipation – such as a wedding certificate).

If parental consent is necessary, the Privacy Rule will apply to the minor’s PHI unless a parent, guardian, or person acting in loco parentis has assented to an agreement of confidentiality – or unless the healthcare provider withholds PHI from the personal representative because, in the provider’s professional judgement, the disclosure of PHI could represent a risk to the minor.

It is also necessary to verify the identity of personal representatives not previously known to a healthcare provider (as required by §164.514(h)). To do this, it is recommended that providers request and maintain documentation establishing the individual’s parental or legal guardian status before examining a minor, and certainly before disclosing the minor’s PHI to an unverified person.

Finally, due to the number and variety of state regulations relating to when minors can obtain health care without the consent of a personal representative, it is important healthcare providers keep up to date with state requirements as well as those of HIPAA. Healthcare providers who are unsure of state and HIPAA requirements should seek professional legal and compliance advice.