HIPAA FAQ – Personal Representatives and Minors
No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment. The Rule addresses access to, and disclosure of, health information, not the underlying treatment.
Generally, yes. Even though the parent did not consent to the treatment in this situation, the parent would be the child’s personal representative under the HIPAA Privacy Rule. This would not be so when the parent does not have authority to act for the child (e.g., parental rights have been terminated), when expressly prohibited by State or other applicable law, or when the covered entity, in the exercise of professional judgment, believes that providing such information would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.
State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).
Individuals may control their protected health information under the HIPAA Privacy Rule to the extent State or other law permits them to act on their own behalf. Further, even if an individual is deemed incompetent under State or other law to act on his or her own behalf, covered entities may decline a request by a personal representative for protected health information if the individual objects to the disclosure (or for any other reason), and the disclosure is merely permitted, but not required, under the Rule.
However, covered entities must make disclosures that are required under the Rule (i.e., disclosures to the Secretary under subpart C of part 160 regarding enforcement of the Rule, and to the individual under 45 CFR 164.524 and 164.528 with respect to the individual’s right of access to his or her protected health information and an accounting of disclosures, respectively). Consequently, with respect to the individual’s right of access to protected health information and for an accounting of disclosures, covered entities must provide the individual’s personal representative access to the individual’s protected health information or an accounting of disclosures upon the request of the personal representative, unless the covered entity, in the exercise of professional judgment, believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. The Rule allows a specified time period before a covered entity must act on such a request; and during this interim period, an individual and his personal representative will have an opportunity to resolve any dispute they may have concerning the request.
May personal representatives access health information based on a non-health care power of attorney?
No. Except with respect to decedents, a covered entity must treat a personal representative as the individual only when that person has authority under other law to act on the individual’s behalf on matters related to health care. A power of attorney that does not include decisions related to health care in its scope would not authorize the holder to exercise the individual’s rights under the HIPAA Privacy Rule. Further, a covered entity does not have to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.
With respect to personal representatives of deceased individuals, the Privacy Rule requires a covered entity to treat the personal representative as the individual as long as the person has the authority under law to act for the decedent or the estate. The power of attorney would have to be valid after the individual’s death to qualify the holder as the personal representative of the decedent.
Generally, no. The Rule defers to State and other laws that address the fitness of a person to act on an individual’s behalf. However, a covered entity does not have to treat a personal representative as the individual when it reasonably believes, in the exercise of professional judgment, the individual is subject to domestic violence, abuse or neglect by the personal representative, or doing so would otherwise endanger the individual.
Yes, an individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524.
However, when a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.
No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continue to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons, who have authority to make health care decisions for an individual under other law, the ability to exercise the rights of that individual with respect to health information.
The HIPAA Privacy Rule would defer to State or other applicable law that addresses the disclosure of health information to a parent about a minor child. If the minor child is permitted, under State law, to consent to such health care without the consent of her parent and does consent to such care, the provider may notify the parent when the State law explicitly requires or permits the health provider to do so. If State law permits the minor child to consent to such health care without parental consent, but is silent on parental notification, the provider would need the child’s permission to notify a parent.
The individual who is the subject of the protected health information can exercise all rights granted by the HIPAA Privacy Rule with respect to all protected health information about him or her, including information obtained while the individual was an unemancipated minor consistent with State or other law. Generally, the parent would no longer be the personal representative of his or her child once the child reaches the age of majority or becomes emancipated, and therefore, would no longer control the health information about his or her child. Of course, any individual can have a personal representative – which may include a parent – who can exercise rights on his or her behalf.
Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child’s personal representative when such access is not inconsistent with State or other law.
There are three situations when the parent would not be the minor’s personal representative under the Privacy Rule. These exceptions are:
- When the minor is the one who consents to care and the consent of the parent is not required under State or other applicable law;
- When the minor obtains care at the direction of a court or a person appointed by the court; and
- When, and to the extent that, the parent agrees that the minor and the health care provider may have a confidential relationship.
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent’s right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor’s medical information.
Finally, as is the case with respect to all personal representatives under the Privacy Rule, a provider may choose not to treat a parent as a personal representative when the provider reasonably believes, in his or her professional judgment, that the child has been or may be subjected to domestic violence, abuse or neglect, or that treating the parent as the child’s personal representative could endanger the child.
The HIPAA Privacy Rule treats an adult or emancipated minor’s personal representative as the individual for purposes of the Rule regarding the health care matters that relate to the representation, including the right of access under 45 CFR 164.524. The scope of access will depend on the authority granted to the personal representative by other law. If the personal representative is authorized to make health care decisions, generally, then the personal representative may have access to the individual’s protected health information regarding health care in general. On the other hand, if the authority is limited, the personal representative may have access only to protected health information that may be relevant to making decisions within the personal representative’s authority. For example, if a personal representative’s authority is limited to authorizing artificial life support, then the personal representative’s access to protected health information is limited to that information which may be relevant to decisions about artificial life support.
There is an exception to the general rule that a covered entity must treat an adult or emancipated minor’s personal representative as the individual. Specifically, the Privacy Rule does not require a covered entity to treat a personal representative as the individual if, in the exercise of professional judgment, it believes doing so would not be in the best interest of the individual because of a reasonable belief that the individual has been or may be subject to domestic violence, abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual. This exception applies to adults and both emancipated and unemancipated minors who may be subject to abuse or neglect by their personal representatives.
The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.
First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.
Second, a covered entity must treat a deceased individual’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on the behalf of the deceased individual or his estate, as a personal representative with respect to protected health information relevant to such representation.
Therefore, if it is within the scope of such personal representative’s authority under other law, the Rule permits the personal representative to obtain the information or provide the appropriate authorization for its disclosure.