HIPAA's confidentiality rules are challenging enough to apply in a typical patient scenario, with an adult patient making his or her own health care decisions. When third parties such as parents of adolescent patients are involved, privacy considerations become even more complex. Physicians must consider not only federal and state laws but also ethical issues.

The AMA Code of Medical Ethics Opinion 2.2.1 discusses the responsibility physicians have to engage minor patients in the decision-making process at a developmentally appropriate level, even if the minor cannot consent to care on his or her own. Opinion 2.2.2 explains the delicate tightrope physicians must walk when an unemancipated minor requests confidential treatment. In these circumstances, physicians are encouraged to educate the patient on situations in which parents or guardians must be notified (e.g., if involving them would be necessary to avert significant harm to the patient or others) and explore the patient's reason for not involving them. Physicians should encourage the patient to talk to a parent or guardian if they are able, and may even offer to facilitate the conversation.

If the adolescent patient still does not want to involve a parent or guardian, the physician should consider the following questions to ensure the patient's privacy is protected, along with parental rights.

CAN THE ADOLESCENT CONSENT TO CARE INDEPENDENTLY?

Generally, the parent or legal guardian of a minor must consent to the child's health care service. In these circumstances, the parent “owns” the child's medical record information until the child reaches the age of majority or becomes emancipated. This means medical record information can be shared with the parent or guardian before, during, and after visits. There are some exceptions, however. Emancipated and married minors can consent to their own health care, and their parent or legal guardian does not have the right to any information related to the minor's care without the minor's permission. Additionally, some state laws permit unemancipated minors to consent to receive certain types of services on their own, such as reproductive, substance abuse, or mental health services. The Guttmacher Institute provides a summary of minors' consent laws by state.

When minors can consent to care on their own, the minor “owns” the medical information related to those services and the minor must give permission to share the information with anyone else, including a parent or legal guardian. Obtaining permission can be as simple as giving the minor an opportunity to agree or object to your sharing the information, such as when the minor and parent are both present during a visit or when a parent involved in care or payment for care calls the office for information about the minor. Documenting this consent does not need to be overly formal. For example, stating that the mother was in the exam room for the visit with the patient can demonstrate that the mother has the minor's permission to be involved in his or her care.

IS THE ADOLESCENT ON THE PARENTS' INSURANCE?

Even if an adolescent patient can consent to care independently, a parent may still learn about health care services through other means, such as insurance statements. If the services are billed to the parents' insurance, they will likely receive an explanation of benefits stating that services were provided to the patient and may even be able to tell what kind of services were provided. Minor patients should be informed of this and given the opportunity to pay out of pocket for the services to restrict the disclosure from their insurer and, consequently, their parents or to request privacy protection from their insurer.¹

With the Affordable Care Act allowing young adults to stay on their parents' health insurance until they turn 26, concerns about the lack of health insurance confidentiality have grown. A handful of states, including California, Colorado, Washington, Oregon, and Maryland, have taken steps to strengthen HIPAA's health insurance confidentiality protections such as requiring insurers to honor patients' confidentiality requests, particularly if they involve sensitive services.

DOES THE PATIENT HAVE A SPECIAL SITUATION?

A parent's rights to a minor's health information can vary under several special situations:

Consent agreements. In some cases, a parent may allow another individual to consent to care for a minor child. Some state laws allow relatives, such as grandparents, to provide consent in certain situations, such as for vaccinations. In these circumstances, the parent remains the minor's personal representative and retains rights to the minor's health information.

Divorce or separation. When parents separate or divorce, rights to their minor children's health information depend on the terms of their separation agreement or divorce decree. These agreements can vary widely. In some cases, one parent is given rights to make health care decisions while another parent is responsible for maintaining health insurance coverage. One or both parents may be given the right to copies of their children's medical records. Some agreements may grant legal custody to one parent and only physical custody to the other. Each of these scenarios presents unique implications for the privacy of children's health information. Parents with only physical custody (whether complete, joint, or partial) may have had their legal authority to make health care decisions for their children severed. In those circumstances, only the parent with legal custody maintains the legal right to consent to care, and only that parent can receive health information about his or her children. If needed, practices should obtain copies of any court-approved separation agreements, divorce decrees, and plans for custody to help identify the respective rights of parents.

Foster care. Children in foster care require special consent and privacy considerations. Although this area is highly dictated by state law, generally the state's department of social services can consent to health care for a child in the foster system. Typically, the state agency tries to involve the biological parents in health care decision-making if feasible but can make independent health care decisions if necessary through a consent executed by the biological parents. Practices are encouraged to obtain copies of these medical consents.

WHAT INFORMATION IS ACCESSIBLE BY PROXY IN THE PATIENT PORTAL?

Many practices have invested in portals where patients can securely communicate with their physicians and other care providers and view basic health information or test results. Parents or guardians may request access to their minor child's records through these systems.

HIPAA requires that practices verify the identity and authority of a requestor before giving access to protected health information.² When a person seeks access to his or her own record, this process is fairly straightforward. Patients provide an email address and receive a message with a link they can follow to verify their identity and establish an account within the portal. But verifying identity and authority is more complicated when an adult requests access to a minor's record within the portal. For example, the adult would need to confirm he or she is a biological parent or legal guardian of the child and has authority to access the information because there is no separation agreement, divorce decree, or other legal document preventing access to the child's health information.

Each system can be configured differently, so practices should contact their portal vendor or their organization's IT staff to discuss how to grant proxy access to parents or guardians while preserving confidentiality for services minors can consent to on their own. For example, appointment scheduling, email communication with the practice, medications, lab results, and immunizations may be helpful for parents to access. However, certain information within these areas may need to be restricted. Minors receiving pregnancy tests, screenings for sexually transmitted infections, or prescriptions for mental health conditions or birth control, for which they legally consented on their own, need assurance that, if they desire to keep certain information confidential, it will not be made available to their parents through the portal.

Because many states permit minors to consent to certain services on their own prior to reaching the age of majority, health information associations often recommend health care organizations limit parental access to children's information at a predefined time. For example, if a state allows minors to begin consenting to certain services at age 14, a practice might begin limiting parental access to health information 30 days prior to the child's 14th birthday.³

IT'S COMPLICATED

While answering these four questions can help you discern who is entitled to what information regarding a minor patient, protecting adolescent privacy can still be complicated due to the relationships involved — parent-child, doctor-patient, and doctor-parent. Managing these relationships will require good listening skills, negotiation skills, empathy, and effective communication. Becoming familiar with your state laws governing minors' ability to consent to treatment and their impact on patient privacy is also critical, along with ensuring that staff are educated on these considerations. When in doubt, erring on the side of caution can help you avoid a privacy predicament.