Minor Records, Major Problems: Navigating Federal And State Mandates Regarding Parental Access To Children's Health Records

Key Takeaways:

• OCR is increasing enforcement around parental access to minors' health information, emphasizing that parents are generally entitled to access their child's PHI under HIPAA.
• Patient portal configurations are under scrutiny, as some systems may improperly block parental access by default.
• State laws regarding parental access rights are rapidly evolving.
• The stakes are high. Missteps can result in HIPAA violations, information-blocking financial disincentives and civil penalties.

Late last year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a "Dear Colleague" letter reminding Health Insurance Portability and Accountability Act (HIPAA)-regulated entities that, under the HIPAA Privacy Rule, parents are typically the personal representatives of their unemancipated minor children and may exercise the child's rights under HIPAA, including the right to access their protected health information (PHI), unless a limited exception applies. According to OCR, this letter is in response to concerns that covered entities are improperly denying parental access or are requiring a minor's authorization prior to allowing parental access to PHI when neither state law nor HIPAA demanded it. OCR specifically highlighted concerns surrounding electronic access, suggesting that some covered entities may have electronic information systems, such as patient portals, whose default configurations impermissibly bar parental access to the minor child's PHI in conflict with the HIPAA Privacy Rule. Although concerns about parental access are not new, this letter – and a more recent statement on this enforcement priority issued this month – signals renewed enforcement interest by OCR in pediatric access practices. Additionally, a failure to provide requisite access may also be viewed as a violation of the 21st Century Cures Act's Information Blocking Rule (the "Information Blocking Rule"). At the state level, several states have recently passed laws or are taking enforcement actions related to parental access to minor-patient medical records, underscoring the importance of jurisdiction‑specific precision in how covered entities implement policies, training, documentation, and electronic health record (EHR) and patient portal configurations.

HIPAA and Minor Personal Representatives

HIPAA requires that covered entities treat an individual's personal representative as the individual for the purposes of the HIPAA Privacy Rule to the extent of the representative's authority under applicable law. This requirement generally means that a covered entity must treat parents, legal guardians or other persons acting in loco parentis (collectively, the "parent") of an emancipated minor as the minor's personal representative. However, HIPAA recognizes specific circumstances in which an unemancipated minor may exercise their rights under the HIPAA Privacy Rule and the parent is not treated as a personal representative regarding that episode of care, as the parent lacks authority over the minor's healthcare decisions. Under HIPAA, the parent is not considered the personal representative of a minor when:

1. The minor can and does consent: The minor consents to the service and no other consent is required under state or other applicable law.¹ While these laws vary by state, they tend to focus on care related to sensitive health conditions, such as STI/HIV testing and treatment, reproductive/contraceptive care, sexual assault services, mental/behavioral health and substance use treatment.
2. Court order: The minor receives care at the direction of a court or the court has appointed a person who is not the parent to make treatment decisions on behalf of the minor.²
3. Agreement to confidentiality: The parent agrees that the minor and provider may maintain a confidential relationship for a specific service, in which the scope of confidentiality governs access.³

Application of these exceptions is limited to a given service. The parent may still access all nonconfidential portions of their child's medical records. For example, if a provider asks the parent for permission to perform a gynecological exam on a 16-year-old minor confidentially and the parent agrees, then an exception applies to that episode of care. If, however, the minor returns for a consultation about birth control, then the parent may have access to information concerning this second episode of care, assuming another exception did not apply.

In addition, covered entities may, in the exercise of professional judgment, decline to treat a parent as the minor's personal representative if they reasonably believe the minor has been or may be subjected to abuse/neglect or if treating the parent as a representative could endanger the minor so that doing so is not in the minor's best interest.⁴

As outlined in OCR's letter, failing to provide parents with appropriate access to the medical records of their minor child may violate HIPAA. Healthcare providers who knowingly prevent parents from lawfully accessing their child's medical records may also be considered to have engaged in practices that the HHS Office of Inspector General considers information blocking in violation of the Information Blocking Rule.

The Information Blocking Rule prohibits healthcare providers from engaging in practices that the provider knows interfere with the access, exchange or use of electronic health information and knows to be unreasonable, unless the practice is required by law or a regulatory exception applies. If determined to have engaged in information blocking, healthcare providers face substantial financial disincentives, including the loss of status as a meaningful user of certified EHR technology for a performance period and therefore receipt of a zero score in the Promoting Interoperability performance category of the Medicare Merit-Based Incentive Payment System.

Changes to State Laws Further Complicate Compliance

Even if a parent is not the minor's personal representative, the HIPAA Privacy Rule follows state or other laws that specifically govern parental access to a minor child's health information, and we have seen several states enact such laws in recent years, including Alabama, California, Idaho, Kentucky, Tennessee, Texas, Washington and West Virginia.⁵ Where state or other applicable law, including relevant case law, requires or permits that a parent be provided with access to the health information of their minor child, the HIPAA Privacy Rule permits a covered entity to provide such access. Conversely, if state or other applicable laws prohibit disclosure, the HIPAA Privacy Rule requires the covered entity to withhold the minor's PHI from the parent to the extent specified by those laws.⁶ In both cases, the state law requirement applies, regardless of whether the parent is considered the minor's personal representative under HIPAA with respect to this information. Simply put, a parent may have the right under state law to access the minor's medical information related to an episode of care even if the minor was permitted under state law to independently consent to such care. Further complicating compliance, because the parent is not considered the personal representative of the minor (despite having access due to an explicit right under state law), the parent may not exercise the other rights normally afforded under the HIPAA Privacy Rule regarding such information (e.g., the right to request a restriction on the use or disclosure of that information). Entities may face a dilemma: Taking an overly restrictive approach to parental access risks violating state medical access laws, while an overly permissive stance may result in unlawful disclosures of the health information of their minor patients.

The consequences of violations of such state-specific requirements can be substantial – including civil and criminal penalties for impermissibly granting or restricting parental access – and several states, including California, Idaho and Washington, provide individuals with a private right of action.⁷ Moreover, states have already begun taking enforcement actions. On Dec. 10, 2025, Texas Attorney General Ken Paxton filed a lawsuit against leading EHR vendor Epic Systems Corp., alleging that the company's EHR software is preconfigured to remove parents' access to their minor children's records in violation of Tex. Health & Safety Code § 183.006. Earlier this year, Paxton entered into an agreement with an Austin clinic to settle allegations that the clinic's practices surrounding parental access to minor records violated Tex. Health & Safety Code § 183.006.

The Importance of a Jurisdiction-Specific Approach

For covered entities, OCR's Dear Colleague letter and recent state regulatory activity underscore the importance of ensuring that their practices surrounding parental access align with both HIPAA and applicable state law so that they consistently grant access when required and just as consistently withhold or segment information when exceptions or state law limits apply. Failing to do so risks improper denials or unlawful disclosures and enforcement action by regulators as well as the possibility of financial disincentives for engaging in the practice of information blocking. Key areas include:

• Policies and procedures: Review policies and procedures to confirm they accurately align with applicable local laws. This is particularly important for entities operating in multiple states. A one‑size‑fits‑all policy can cause over‑disclosure in restrictive states and under‑disclosure in expansive states.

• Patient portal and proxy access management: Review current configurations surrounding age‑based rules (e.g., reduced parental proxy access for ages 12-17, how sensitive encounters are tagged and segmented) and minor‑granted proxies for sensitive services to confirm current settings comply with applicable law.

For Legal Advice

Entities do not have to navigate this shifting legal landscape alone. Our Healthcare Privacy and Compliance team has experience in advising healthcare organizations and others on HIPAA compliance, policy development and incident response and can help clients address the intricate issues surrounding the HIPAA Privacy Rule and parental access to PHI.

Footnotes

1. 45 C.F.R. § 164.502(g)(3)(i)(A) (2024).

2. 45 C.F.R. § 164.502(g)(3)(i)(B) (2024).

3. 45 C.F.R. § 164.502(g)(3)(i)(C) (2024).

4. 45 C.F.R. § 164.502(g)(5) (2024).

5. Examples include Ala. Code § 22-8-12, Idaho Code § 32‑1015, Ky. Rev. Stat. Ann. § 422.355, Tenn. Code Ann. § 36‑8‑103, Tex. Health & Safety Code § 183.006 and W. Va. Code § 16‑29‑3.

6. For examples, see Cal. Health & Safety Code §§ 123110 and 123115 and RCW § 70.02.130.

7. Cal. Civ. Code § 56.36, Idaho Code § 32‑1015 and RCW § 70.02.170, Idaho Code § 32‑1015.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.