My Patient is a Minor: A Guide to Parent’s Rights vs. the Minor’s Rights to PHI (45 CFR 164.502(g)(3))

Executive Summary

HIPAA’s Privacy Rule includes specific provisions that govern the delicate balance between a parent’s right to access their child’s protected health information (PHI) and a minor’s right to confidentiality in certain healthcare situations. Section 164.502(g)(3) allows minors to control their own PHI under particular conditions, especially when state law gives them the right to consent to treatment without parental involvement. For small practices, especially pediatric, adolescent, and behavioral health clinics, it’s essential to know when a parent is not automatically entitled to access PHI. This guide helps small providers navigate these complex scenarios while remaining compliant with HIPAA and applicable state laws.

Introduction

In most clinical interactions involving minors, parents or guardians are involved in the decision-making process and expect access to all health information. However, HIPAA recognizes that there are situations where minors have independent rights over their own medical records.

Section 164.502(g)(3) of the HIPAA Privacy Rule outlines when a minor—not their parent or guardian—has the authority to control access to their PHI. This distinction becomes especially important in areas like reproductive health, behavioral therapy, substance use treatment, or when state laws allow minors to consent to care on their own.

This guide provides a practical breakdown of what the regulation means, when it applies, and how small practices can comply without violating privacy or alienating families.

Understanding § 164.502(g)(3): Minor's Control Over PHI

The regulation states:

“If under applicable law a minor may consent to health care services, and the minor has consented to such health care, the minor shall have the rights of an individual with respect to protected health information relating to such care.”

In simpler terms, if a minor has the legal right to consent to treatment, they also control the PHI related to that treatment. The parent or guardian may not access it unless:

  • The minor authorizes it
  • The law explicitly permits or requires disclosure
  • There’s a compelling reason, such as risk of harm or a court order

When a Parent Has Access vs. When a Minor Has Control

| Scenario | Parent Access? | Minor Control? | Notes |
|---|---|---|---|
| Routine pediatric checkup | Yes | No | Parent is personal representative |
| Treatment for STI where minor consents | No | Yes | Depends on state law |
| Behavioral health treatment with minor consent | Usually No | Yes | Check state-specific mental health laws |
| Emergency care | Yes | No | PHI generally shared with parent post-treatment |
| Substance use disorder treatment (federally funded) | Strictly No | Yes | Also governed by 42 CFR Part 2 |
| Abortion services (where state law allows minor consent) | No | Yes | Federal privacy protections reinforced by HIPAA |

When State Law Governs the Outcome

HIPAA defers to state laws in determining when a minor may consent to care. If the state permits a minor to consent to certain types of treatment, then the parent does not automatically have the right to access those records.

Examples of services where state law often allows minor consent:

  • Contraceptives and pregnancy care
  • STI testing and treatment
  • Mental health services
  • Substance abuse treatment
  • HIV testing

If state law is silent, HIPAA defaults to allowing parents access.

Three Situations Where the Minor Controls PHI

  1. Minor Consents to Care Under State Law
    If a minor legally consents to a specific treatment, they control the PHI related to that treatment. Parents may not access it unless the minor authorizes it or the law requires disclosure.
  2. A Court or Law Grants the Minor Decision-Making Authority
    This includes:
    • Emancipated minors
    • Minors married under state law
    • Minors in military service
    These individuals are treated as adults for HIPAA purposes and control all of their PHI.
  3. The Parent Agrees to the Minor’s Confidential Relationship with the Provider
    When a parent signs off on a treatment plan that includes confidentiality (e.g., counseling or therapy), they have implicitly waived their access rights to that specific PHI.

Case Study: Denial of Access to Adolescent PHI

A 16-year-old patient visited a primary care clinic for depression and anxiety. The provider referred her to a local therapist for confidential behavioral counseling under a state law that allows minors to consent to mental health treatment at age 14.

After two sessions, the patient’s father requested full access to therapy notes, citing his status as her legal guardian. The clinic, unclear about the law, provided him with detailed session documentation.

The patient later filed a complaint with the state’s medical board, and the therapist’s employer received an OCR compliance review. It was determined that the clinic had violated the teen’s rights under HIPAA and applicable state law.

The clinic was required to:

  • Update its minor consent and disclosure policies
  • Implement a verification and approval protocol
  • Train all front-desk and clinical staff on minor privacy laws

Lesson learned: Even well-meaning disclosures to parents can violate HIPAA if minor consent laws are not followed.

How to Stay Compliant in Minor PHI Scenarios

  1. Know Your State’s Minor Consent Laws
    Keep a reference chart of your state’s statutes regarding:
    • Age of consent for reproductive, mental health, and substance use care
    • Emancipation laws
    • Exceptions for school-based or emergency care
    Resources: Guttmacher Institute and State Health Policy Portals
  2. Ask During Intake if the Minor Is Seeking Confidential Care
    Include questions such as:
    • Are you requesting confidential services?
    • Do you understand your rights under state law?
    • Have your parents or guardians given consent or waived their right to access?
    Use signed acknowledgment forms where appropriate.
  3. Train Staff on Parental Access Limitations
    Front desk, billing, and nursing staff should be trained on:
    • When they can share information with parents
    • How to handle requests when minors are legally in control
    • What to document when a minor requests confidentiality
  4. Use Role-Based Access in Your EHR System
    If your electronic health record system allows, segment notes related to minor-consented services to prevent unintentional access or inclusion in general visit summaries.
  5. Document Everything
    When denying a parent access, make sure to:
    • Cite the specific HIPAA provision and relevant state law
    • Document the reason and who approved the denial
    • Retain signed minor consent and waiver forms

Sample Policy Language for Small Practices

“This practice follows HIPAA’s minor consent provisions and applicable state law regarding disclosures of PHI to parents or guardians. When a minor legally consents to treatment under state law, they will be granted control of their related PHI. Parents may be denied access when disclosure would violate HIPAA or conflict with the minor’s legal rights.”

Common Pitfalls and How to Avoid Them

  • Pitfall: Assuming Universal Parental Access
    Mistake: Believing parents always have rights to their child's medical records.
    Solution: Create a state-specific matrix of minor consent laws and train staff to recognize when minors can legally consent to care. Include intake questions that identify confidential service requests.
  • Pitfall: Insufficient Staff Training
    Mistake: Staff unintentionally disclose PHI due to poor training.
    Solution: Provide annual training using real scenarios. Emphasize discretion and the "minimum necessary" standard, especially for sensitive visits.
  • Pitfall: Over-Reliance on EHR Defaults
    Mistake: EHR systems or portals automatically give parents access to all minor records.
    Solution: Work with your EHR vendor to implement granular controls. Lock confidential notes when needed, and define clear policies for portal access by minors.
  • Pitfall: Poor Documentation
    Mistake: Failing to log the legal basis when denying parental access or protecting minor confidentiality.
    Solution: Use standard templates to record the law applied, the rationale, and who approved the decision.
  • Pitfall: Misunderstanding Parental Consent to Confidentiality
    Mistake: Not clearly documenting when a parent agrees to confidential care for their child.
    Solution: Get a written, explicit acknowledgment from the parent and review it with them to avoid future disputes.

Final Takeaways and Recommendations

When treating minors, small practices must strike a careful balance between involving families and respecting a young person’s legal right to confidentiality. HIPAA’s § 164.502(g)(3) ensures that minors who are legally able to consent to care are also empowered to control access to their PHI.

To stay compliant:

  • Know your state’s consent laws
  • Update intake and disclosure policies
  • Train staff to recognize minor-controlled PHI
  • Segment sensitive records in your EHR
  • Document decisions and legal references in every case

Understanding these rules protects both your patients and your practice from legal risk and promotes trust with adolescent patients seeking confidential care.
