A Guide to the "Personal Representative" Standard: Disclosing PHI to Parents, Guardians, and Executors (45 CFR 164.502(g))
Executive Summary
HIPAA’s "personal representative" standard grants certain individuals the legal right to access a patient’s protected health information (PHI). These may include parents, legal guardians, healthcare proxies, or estate executors. For small healthcare practices, especially those with limited administrative staff, understanding when and how to disclose PHI to a personal representative is critical to maintaining compliance with 45 CFR 164.502(g). This article breaks down the regulation, outlines key scenarios (minors, adults, deceased patients), explores lawful exceptions, and provides a real-life case study to help small practices navigate one of HIPAA’s more nuanced disclosure standards confidently and correctly.
Introduction
In day-to-day operations, small healthcare practices frequently receive requests for patient records from family members, legal guardians, or estate administrators. While many of these requests are legitimate, HIPAA requires that disclosures be limited strictly to individuals with legal authority, referred to as “personal representatives” under 164.502(g). Missteps in handling these disclosures, especially in cases involving divorced parents, adolescent care, or deceased patients, can lead to privacy violations, audits, and reputational harm.
This guide will help you determine who qualifies as a personal representative, what documentation is required, how to respond in difficult situations, and how to train your staff to apply the standard safely and legally.
Understanding the Personal Representative Standard
The HIPAA Privacy Rule defines a personal representative as someone authorized under state or applicable law to make healthcare decisions on behalf of an individual. This person has the same right to access PHI as the individual themselves, unless an exception applies. Covered entities must verify the status of the personal representative and ensure the scope of authority matches the request before disclosing any PHI.
There are three primary categories where the personal representative standard becomes relevant.
1. Adults and Emancipated Minors
Covered entities must treat any individual with legal authority, such as a healthcare power of attorney or court-appointed guardian, as the personal representative for an adult or emancipated minor. This includes:
- Health proxies
- Durable medical power of attorney holders
- Court-appointed legal guardians
The PHI disclosure must align with the scope of authority granted by law or court order.
2. Unemancipated Minors
For patients under the age of majority, HIPAA generally defers to state law. In most cases:
- A parent or legal guardian is considered the personal representative.
- If a minor has the legal right to consent to their own care, then the parent may not be entitled to access PHI. This commonly applies in cases involving reproductive health, substance use treatment, or behavioral health.
- A court order revoking parental rights removes that parent’s representative status.
Practices should evaluate each case based on the patient’s age, state laws, and care context.
3. Deceased Individuals
PHI remains protected under HIPAA for 50 years after a person’s death. During that time, a personal representative, typically the executor of the estate or a court-appointed administrator, has the right to access PHI for purposes such as:
- Managing estate affairs
- Settling outstanding medical bills
- Filing insurance claims
Requesting appropriate legal documentation is essential before disclosing any posthumous information.
Exceptions to the Personal Representative Rule
There are circumstances where a covered entity is not required to treat an individual as a personal representative under HIPAA, including:
- Potential harm: If the provider believes the individual has subjected the patient to domestic violence, abuse, or neglect, and believes that disclosing the PHI could cause further harm.
- Best interest judgment (minors): In some states, providers may exercise discretion to withhold PHI from a parent if it serves the best interests of the minor.
- Limited legal scope: If a representative’s authority only covers certain matters (e.g., billing only), disclosure must be limited accordingly.
All such decisions must be thoroughly documented in the patient’s file with legal justification and signatures from compliance leadership if available.
Real-Life Case Study: A Dispute over Parental Access
In a recent case, a small pediatric clinic faced a serious HIPAA compliance issue involving the disclosure of a minor’s behavioral health records. The incident began when a divorced father submitted a request for access to his 15-year-old daughter’s counseling records, claiming joint custody and asserting that he was acting in her best interest. Unaware of any legal barriers, the clinic released the requested records to the father without further verification.
However, the situation was far more complex. The mother, who held sole legal custody, filed a formal complaint with the U.S. Department of Health and Human Services (HHS) days later. She explained that the child had independently sought treatment for self-harm, as permitted under state law, which allowed minors of a certain age to access mental health services without parental consent. By releasing the records, the clinic had potentially violated both HIPAA and state-specific confidentiality protections for minors.
The Office for Civil Rights (OCR) conducted an investigation and concluded that the clinic had failed to verify the custody arrangement and had not properly assessed the minor’s right to privacy under applicable laws. To resolve the matter, the clinic entered into a voluntary corrective action plan that included revising its patient intake and verification processes, retraining all relevant staff on minor consent and disclosure rules, and submitting compliance reports for a six-month monitoring period.
This case illustrates the importance of understanding the intersection of HIPAA, state laws, and custody arrangements before releasing any health information involving minors.
Lesson learned: Always request legal documentation and confirm rights before disclosing PHI, even to a biological parent.
How to Stay Compliant with § 164.502(g)
Develop a Verification Policy
Implement a policy that requires written documentation for any personal representative request. Acceptable proof may include:
- Power of attorney
- Guardianship paperwork
- Letters of testamentary
- Custody orders
Train your team to verify each request based on the relationship, legal document, and reason for access.
Define Boundaries in Your Policies
Update your Notice of Privacy Practices (NPP) to clearly define your approach to personal representatives. Include:
- Who qualifies under your policy
- How to submit proper documentation
- What rights are limited by law or situation
Train Staff on Complex Scenarios
Use real-life examples in training sessions. Discuss how to handle:
- Divorced parents requesting child records
- Step-parents without legal authority
- Estate administrators requesting access
- Adolescent patients receiving confidential treatment
This prepares front office and clinical staff to navigate difficult conversations calmly and lawfully.
Document Every Disclosure Decision
Create a disclosure log for requests involving personal representatives. Record:
- The requestor’s name and relationship
- Documents provided
- Whether access was granted or denied
- Rationale and who approved the action
This protects your practice in case of an audit or future dispute.
Sample Personal Representative Verification Log
| Date | Requestor | Patient | Type of Authority | Documentation Provided | Access Granted? | Notes |
|---|---|---|---|---|---|---|
| 6/1/2025 | M. Garcia (Parent) | Luis Garcia | Legal guardian | Custody agreement | Yes | Child under 12 |
| 6/3/2025 | S. James (Executor) | Anna James | Letters of testamentary | Court docs received | Yes | Access to final billing |
| 6/6/2025 | D. Taylor (Father) | Jordan Taylor | None provided | None | No | Awaiting proof of custody |
Final Takeaways and Recommendations
The personal representative standard in HIPAA is a vital protection that ensures patients’ rights are respected while still allowing legal access when appropriate. Small practices must apply these rules carefully, especially in nuanced cases involving minors, mental health, or deceased individuals.
To ensure compliance:
- Require documentation
- Train your staff
- Document all actions taken
- Seek legal clarification when needed
Taking a consistent, policy-driven approach to verifying personal representatives will protect your practice and your patients, no matter how complex the request.