In most instances, HIPAA rules apply for adults and minors. That’s to say, the federal regulation sets the bar. HIPAA treats minors as adults when it comes to privacy rights if they’ve reached the age of informed consent except when state laws say otherwise. Some state laws permit or require disclosure to parents or guardians regardless.
For example, in Oregon, minors reach the age of informed consent at age 15, with exceptions. Those are: Parents or guardians can receive information on the minor up to age 18, unless the minor gets married or has been emancipated. Oregon law trumps HIPAA in those cases.
To understand some of the broader implications, it helps to know that covered entities determine what makes up an individual medical record (aka designated record set, or DRS). So when a parent or guardian wants access to a minor’s record, they have it (unless state law trumps it). Oh, and divorce doesn’t change that ability get a copy of a minor’s medical record.
Minor privacy rights can vary according to the medical issue, as well. For instance, privacy rights as related to alcohol and chemical dependency diagnosis and treatment, which falls under the most stringent federal privacy laws. In these cases, the most strict law prevails when it comes to privacy or access to their PHI, which includes minors if they’ve reached the age of informed consent.
In some states, like Oregon, there are exceptions. For example, although the Oregon age of informed consent is 15, when it comes to:
- outpatient mental health, alcohol and chemical dependency treatment, the age of informed consent is 14
- HIV/AIDS information and STDs, the age of informed consent is from birth
- Birth control, the age of informed consent is from birth
So when logic doesn’t apply, but the law does, what do you do? Be sure that you understand all of the ramifications of a minor’s privacy rights under both HIPAA and your state laws. That means not only must you train and re-train staff in that understanding, but you also need to pay close attention to your legislature’s activities. Document disclosures and authorizations and know what your liability is related to either.
Chris Apgar, CISSP delivers training webinars on regulations and best practices related to HIPAA, HITECH and cybersecurity issues. To learn how Apgar & Associates privacy and security expertise can help your organization, give us a call at 503.384.2538.
