In general, HIPAA does not give family members the right to access patient records, even if that family member is paying for healthcare premiums, unless the patient is a minor, a spouse, or has designated them as a personal representative.
However, there are several exceptions and circumstances in which patient data can be shared with family members or other individuals.
According to the HHS website, an individual’s personal representative is someone authorized under written permission from the individual, State, or other applicable law to act on behalf of the individual in making health care related decisions and having access to PHI. The HIPAA Privacy Rule requires covered entities to treat a personal representative as they would the patient themselves, particularly around uses and disclosures of the patient’s protected health information.
Whether or not spouses, same-sex spouses, and family members can act as an individual’s personal representative is governed by state laws, which can vary from state to state (see below). The HIPAA Privacy Rule looks to these state laws to determine if loved ones have the authority to act on behalf of the individual as a personal representative.
For example in Oregon (and many other states), the individual has the right to designate a personal representative of their choosing. That person can be a family member but it doesn’t have to be; an individual may opt to choose anyone they would like to have access to their data. Or a personal representative could be state-assigned in the case of un-emancipated minors. The personal representative can access an individual’s PHI as if they were the individual. Therefore, they have access to that individual’s rights under HIPAA.
Parental Rights to Data Concerning Children
Different state laws give parents different rights with respect to their children’s data. If a child is a minor, a parent will most likely have access to their child’s medical data. However, a parent paying for healthcare for their child who is NOT a minor does not automatically have the rights to this information.
If a child is in the foster-care system, the state may assign the child a personal representative in lieu of the parent. In this case, a parent would not have access to their children’s data. Additionally, if a mental health or medical professional has reasonable belief, using professional judgement, that a child has been or may be subjected to domestic violence, abuse, or neglect, they may choose not to treat a parent as a personal representative to avoid endangering the child.
Mental Health of Minors
Under HIPAA, mental health professionals are required to maintain confidential therapeutic relationships with patients, including those that are children. However, throughout treatment, therapists will communicate with patients and underage patients about the limits of confidentiality when the safety of the patient or another person is at risk. Mental health professionals are required to notify parents of minors or social services if there is suspected, perceived, or potential harm to a child, disabled person, or elderly person.
A mental health care provider may disclose health information to a minor’s parents or guardian if:
- It is clinically appropriate and in the minor’s best interests;
- The minor must be admitted to a detoxification program; or
- The minor is at risk of committing suicide and requires hospital admission.
If a patient discloses information to the therapists that triggers their obligations as a mandated reporter, the therapist will likely inform the patient at that time that they will have to report the information. It is not mandatory that therapists inform the patient. However, if it is in the best interest of the patient to inform them, then the therapist will do so per their professional judgment. All mandated reports should be documented in the patient’s record.
Similarly to parents of minors, a spouse will mostly likely have access to their spouse’s medical data under the HIPAA Privacy Rule. One can ensure access by providing written permission to their healthcare provider designating their spouse as their personal representative, but oftentimes a spouse will be informed of patient data with verbal permission by the patient or professional judgement by the healthcare provider.
According to the HHS website, under the Privacy Rule, “if a state provides legally married spouses with health care decision making authority on behalf of one another, a covered entity is required to recognize the lawful spouse of an individual as the individual’s personal representative without regard to the sex of the spouses.”
Healthcare Related Circumstances
In cases where healthcare is being actively administered (such as in a healthcare clinic), or in an emergency situation, a healthcare professional may use their professional judgement to disclose information to relevant individuals.
According to the HHS, the HIPAA Privacy Rule allows Covered Entities to share PHI with family members, friends, or other persons in the following circumstances:
- If the patient is present and agrees to the disclosure or does not object.
- If, based on professional judgment, the Covered Entity can reasonably infer that the patient does not object.
- If the information is relevant to the involvement of an individual in the patient’s care or payment for health care.
- If the patient is incapacitated or in an emergency circumstance and the Covered Entity believes it would be in the best interest of the patient.
For example, if a patient brings a friend to their wisdom tooth removal appointment, and this friend will help them recover from the procedure, the healthcare provider can reasonably infer that the patient does not object to their friend having information about the tooth extraction or anesthetic that the patient received.
- In general, HIPAA does not give family members the right to access patient records, unless the patient is a minor, a spouse, or has designated them as a personal representative.
- In cases where healthcare is being actively administered generally, or in an emergency situation, a healthcare professional may use their professional judgement to disclose information to relevant individuals.
- Different state laws give parents different rights with respect to their children’s data. If a child is a minor, a parent will most likely have access to their child’s medical data.
If you are unsure whether a particular scenario is allowed or permitted by HIPAA give Gazelle Consulting a call at (503) 389-5666 or contact a healthcare attorney. (I’ll let you in on a little secret, I know which one is cheaper!)