Can Parents Access a Minor Child’s Medical Records Under HIPAA?
Executive summary
HIPAA generally allows a parent to access a minor child’s medical records because, in most circumstances, a parent is treated as the child’s “personal representative” for HIPAA purposes, meaning the parent stands in the shoes of the child and can exercise the child’s HIPAA rights, including the right of access.
That general rule has sharp, legally defined boundaries. Under 45 CFR § 164.502(g)(3), a parent is not the personal representative for PHI related to a specific health care service when (i) the minor can consent to that service under applicable law and does so, (ii) the minor obtains the service by court direction or a court-appointed decision-maker, or (iii) the parent agrees to a confidential relationship between the minor and provider for that service.
Even when a parent is (or is not) the personal representative, HIPAA defers to “State or other applicable law” that expressly permits, requires, or prohibits parental access. Where state law is silent and the parent is not the personal representative under one of the exceptions, HIPAA permits a licensed health care professional to decide, using professional judgment and consistent with other applicable law, whether to give the parent access.
Operationally, the hardest part for small clinics is not the concept. It is implementing “partial access” correctly: parents may be entitled to most of the record while being excluded from specific encounter-related information governed by minor-consent or confidentiality rules. OCR has explicitly warned that it is seeing improper denials of parental access and that it is making parental access an enforcement priority, including use of civil money penalties.
Informational note: This report is for informational purposes only and does not constitute legal advice.
Legal framework under HIPAA
The governing structure is the interaction between two rules: the personal representative rule in 45 CFR § 164.502(g) and the right of access rule in 45 CFR § 164.524.
Under § 164.502(g)(1), covered entities must treat a personal representative as the individual for HIPAA purposes (with specific exceptions), and the scope of that treatment is limited to PHI relevant to the representation. The OCR guidance explains this operationally: the personal representative “stands in the shoes” of the individual and can exercise the individual’s HIPAA rights, including the right of access, but only within the scope of authority granted under applicable law.
Under § 164.524, the “individual” has the right to inspect and obtain a copy of PHI about them in the designated record set, subject to defined exclusions and denial rules. Because a personal representative is treated as the individual (within scope), parental access disputes frequently become right-of-access compliance disputes: timelines, partial grants, written denials, and review/appeal mechanics.
OCR’s December 3, 2025 Dear Colleague letter makes two points that matter for clinics running portals and modern EHR workflows. First, OCR says it has become aware of situations where parents are denied access or where providers require minors to “authorize” parental access in circumstances where applicable law does not require that, and it characterizes those denials as potentially violating the Privacy Rule. Second, OCR states that covered entities should work with business associates facilitating electronic access (for example, EHR or patient portal vendors) to ensure parental electronic access is configured “to the full extent required” by the Privacy Rule.
When a parent is a personal representative and when not
The default rule
For an unemancipated minor, if under applicable law the parent has authority to make health care decisions for the child, the covered entity must treat the parent as the child’s personal representative with respect to PHI relevant to that representation. OCR repeats this plainly in its parental access FAQ: the Privacy Rule generally allows a parent to access records as the child’s personal representative when such access is not inconsistent with State or other law.
The three minor-specific exceptions
HIPAA specifies three situations where the parent is not the personal representative for a particular health care service (and therefore not entitled to access PHI related to that service on that basis). These are the same three exceptions OCR highlights in its FAQ, its general personal representative guidance, and the 2025 Dear Colleague letter.
First, when the minor consents to a health care service and no other consent is required by law, and the minor has not requested the parent be treated as the personal representative for that service, the minor controls HIPAA rights for PHI pertaining to that service.
Second, when someone other than the parent is authorized by law to consent to the health service for the minor and provides such consent, including a court or a court-appointed person, the parent is not the personal representative for PHI pertaining to that health care service.
Third, when a parent assents to an agreement of confidentiality between the provider and the minor for a health care service, the parent is not the personal representative with respect to PHI pertaining to that health care service, to the extent of that confidentiality agreement.
A practical nuance OCR emphasized in the Dear Colleague letter is that these exceptions are typically limited to specific types of services. A parent may be excluded from PHI tied to the specific confidential service, yet still be the personal representative for most of the child’s other care and records.
Emancipation and custody orders
HIPAA treats “adults and emancipated minors” differently. If under applicable law a person has authority to act on behalf of an adult or emancipated minor in making health care decisions, the covered entity must treat that person as the personal representative with respect to PHI relevant to that representation. In other words, emancipation is not a HIPAA-defined status, it is a state-law status that changes who has health care decision authority.
For custody and guardianship, the rule is also “authority under applicable law.” OCR’s guidance stresses that the scope of the personal representative’s authority derives from the authority under law to make health care decisions, and if the authority is limited to particular decisions, access rights track that scope. This is why clinics often need to review custody orders or guardianship documents rather than relying on identity alone. HIPAA itself does not spell out how you identify personal representatives; OCR notes that state or other law determines who is authorized, so HIPAA does not prescribe a single identification method.
Abuse, neglect, and endangerment override
Separate from the three minor-specific exceptions, § 164.502(g)(5) allows a covered entity to elect not to treat a person as a personal representative if the entity reasonably believes the individual has been or may be subjected to domestic violence, abuse, or neglect by that person, or that treating that person as the personal representative could endanger the individual, and the covered entity decides, in professional judgment, that it is not in the individual’s best interests to treat the person as the personal representative. OCR repeatedly emphasizes that this is an individualized, patient-specific professional determination.
Reconciling HIPAA with state minor-consent and confidentiality laws
HIPAA does not create minors’ rights to consent to treatment. OCR says explicitly that the Privacy Rule does not address consent to treatment and does not preempt or change state laws about consent to treatment. Instead, HIPAA uses state law to determine who has authority to make health care decisions and therefore who controls access to PHI for the relevant service.
Practically, the hard cases arise for “minor-consent services” where state law allows minors to obtain certain services without parental consent, often to promote access to sensitive care. OCR’s framework is that if a service falls into a minor-consent category under applicable law (and the minor consents), the parent is not the personal representative with respect to PHI for that service. OCR’s Dear Colleague letter gives an explicit example: where state law permits a 16-year-old to consent to STI treatment without parental consent, the provider might be able to deny the parent access to PHI related to that STI treatment depending on the state law, but the provider may not deny the parent access to PHI unrelated to that particular care.
State laws vary substantially by topic and mechanism. For reproductive health, state policy summaries show that many states allow minors to consent to contraceptive services in at least some circumstances, while a subset has limited or no explicit policy. For STI services, policy summaries indicate broad minor access permissions may exist across states, but the details, prerequisites, and confidentiality rules differ. For mental health privacy, peer-reviewed analysis highlights state-by-state variability in adolescent privacy laws, including differences in consent rights and confidentiality protections across behavioral health categories.
Substance use disorder treatment adds an extra layer: federal confidentiality rules under 42 CFR Part 2 can be more stringent than HIPAA for federally assisted SUD treatment programs, and those rules have special minor provisions keyed to state law on minor capacity to consent. For example, 42 CFR § 2.14 provides that if a minor has legal capacity under state law to apply for and obtain SUD treatment, the minor alone may give Part 2 consent for disclosures; where state law requires parental consent to treatment, Part 2 generally requires both the minor and the parent to consent to disclosures.
Table A: Common minor-consent areas and typical HIPAA access outcomes
Care areaWhy structured differentlyTypical HIPAA personal representative status for the parentTypical access outcome and clinic boundaryPrimary sourcesGeneral pediatric care (vaccines, injuries, routine visits)Parents typically have decision authority under state law for unemancipated minorsParent is generally the personal representativeParent generally has access to PHI in the designated record set, subject to standard access exceptions and state-law limitsSTI testing and treatmentMany states permit minors to consent to STI services; confidentiality often emphasizedParent may not be personal representative for PHI pertaining to that STI service if minor consent appliesParent access may be limited to exclude the STI encounter, while other PHI remains accessible; denial cannot be expanded to unrelated PHIContraception and other reproductive health servicesState minor-consent laws vary widely across services and conditionsParent may not be personal representative for PHI pertaining to the specific minor-consent reproductive serviceClinic often needs segmentation to avoid disclosing confidential encounter details in portals, billing, and record exports, while still honoring parent access to non-confidential careOutpatient mental health counselingState laws may permit minor consent to some mental health services; confidentiality obligations vary; safety concerns are commonParent not personal representative for PHI tied to the confidential service if one of the exceptions applies; provider may also decline PR status under abuse/neglect/endangermentAccess decisions may depend on (a) whether parent is PR for that service, (b) state-law permissions or prohibitions, and (c) professional judgment pathways OCR has published for minors’ mental healthSubstance use disorder treatment at a Part 2 programPart 2 can create stricter disclosure rules than HIPAA and includes special minor rules keyed to state lawParent PR status under HIPAA may be limited for specific services; Part 2 may further restrict disclosures even when HIPAA would allowIn Part 2 contexts, clinics must apply Part 2 as the more stringent rule where applicable, including consent requirements and minor-specific disclosure rules
The key reconciliation principle is that “parent access” is not a yes/no property of the chart. It is frequently “yes for most records, no for a defined subset,” and OCR has explicitly warned against workflows that require minor authorization for parental access when state law does not require it.
Denials, partial denials, and required notices
When the parent is the minor’s personal representative for the PHI being requested, the clinic is operating inside the § 164.524 right-of-access framework. That framework is strict on timelines and on the mechanics of denial.
A covered entity must act on an access request no later than 30 days after receipt, with a single permitted extension of up to 30 additional days if, within the original time limit, the entity provides a written statement of the reasons for the delay and the date by which it will complete its action.
If access is denied in whole or in part, the entity must provide a timely written denial in plain language that includes the basis for denial, any applicable review rights (and how to exercise them), and a description of how the individual may complain to the covered entity and to the Secretary, including contact information. If only part of the requested PHI may be withheld, the entity must still, to the extent possible, provide access to the rest.
The denial grounds that matter most for parental access disputes fall into three buckets.
First, some information is excluded from the access right entirely, including psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a legal proceeding. For mental health records, OCR’s mental health guidance emphasizes that psychotherapy notes are excluded from the right of access, even for the individual’s personal representative, while mental health information in the medical record is generally accessible to a parent who is the minor’s personal representative.
Second, there are reviewable denial grounds based on professional judgment, including where access is reasonably likely to endanger life or physical safety, or where the request is made by the individual’s personal representative and a licensed professional determines that providing access to that personal representative is reasonably likely to cause substantial harm to the individual or another person. When denial is based on a reviewable ground, the individual has a right to have the denial reviewed by a licensed professional designated by the covered entity who did not participate in the original decision to deny, and the entity must follow the reviewer’s determination. OCR’s right-of-access guidance further clarifies that the “endangerment” basis is limited to life or physical safety and does not extend to expected psychological or emotional distress.
Third, there are situations where the parent is not the personal representative for that PHI because the PHI pertains to a minor-consent service, court-directed service, or confidentiality agreement, or because the entity elects not to treat the parent as the personal representative due to abuse/neglect/endangerment concerns. In those scenarios, the clinic should not treat the request as a normal personal-representative access request for that PHI. OCR guidance indicates that state law may still permit or require access, or prohibit it; if state law is silent and the parent is not the PR under an exception, professional judgment by a licensed health professional becomes relevant.
In practice, clinics should anticipate that the child may need to be treated as the “individual” for PHI associated with minor-consent services, and the clinic’s communications and record-keeping should reflect that, including documenting the basis for limiting parental access and ensuring the minor’s access rights (when applicable) are respected.
Defensible clinic workflow, decision tools, and templates
A defensible workflow needs to treat parental access as a controlled release process, not an ad hoc customer service interaction. OCR’s personal representative guidance and its decision tools for minors’ mental health emphasize a decision sequence: determine whether the parent is the personal representative, identify whether state law permits, requires, or prohibits access, and incorporate professional judgment only where the rules actually allow it.
A practical workflow for small clinics should be built around three invariants.
The first invariant is authority verification. OCR emphasizes that personal representative status derives from authority under state or other law to make health care decisions, which in custody, guardianship, and emancipation contexts requires actual documentation and scope checks.
The second invariant is segmentation logic. OCR’s Dear Colleague letter warns against denying parental access more broadly than permitted. The clinic must be able to separate out PHI tied to minor-consent services and deny only what is legally protected, while granting access to unrelated PHI to which the parent is entitled as personal representative.
The third invariant is documented decision-making. Under § 164.524, denials must be written and contain specific elements; and the regulation requires documenting designated record sets subject to access and the titles of persons/offices responsible for processing access requests, with documentation retention governed by § 164.530(j). Section 164.530(j)(2) requires retaining required documentation for six years from creation or the date last in effect, whichever is later.
Table B: Workflow checklist with exact fields and retention rules
Workflow stageWhat staff must determineExact fields to record in the access logEscalation triggersRetention anchorIntake and identityWho is requesting access and to which child/recordsRequest date/time; requester name; relationship claimed; child identifiers; scope requested (entire chart vs dates); preferred delivery method; staff intake initialsRequester is not a parent, or parent is not on file; conflicting guardianship claimsRetain HIPAA-required documentation at least 6 years per § 164.530(j)(2)Authority verificationWhether requester has legal authority under applicable law to make health care decisions for the minor (or limited authority)Verification method (ID type, documentation type); custody/guardianship documents reviewed; scope of authority (medical decision-making, specific services); emancipation indicator if applicableDivorce or custody dispute; “no access” restraining orders; unclear or conflicting documentsSame as aboveService-category screeningWhether requested information includes minor-consent or confidential services to which parental PR status may not applyEncounter tags implicated: STI, contraception/pregnancy care, mental health counseling, SUD treatment, other sensitive categories; whether minor consented; whether parent consent requiredAny sensitive-service category, especially where state minor-consent laws are likely to applySame as aboveState-law mappingWhether state or other law permits, requires, or prohibits parental access for the relevant PHI categoryState-law basis field: “required,” “permitted,” “prohibited,” or “silent”; citation reference used (internal policy map, counsel memo, statute reference); who confirmedState law unclear; inconsistent internal policy; multi-state practice; out-of-state minorSame as aboveSafety and professional judgmentWhether PR status should be declined due to abuse/neglect/endangerment, or whether professional judgment discretion is available in state-law silent scenariosSafety concern indicator; summary of factual basis; licensed professional decision-maker; decision rationale; scope limited; review dateAny abuse/neglect/endangerment concern; adolescent safety risk; coercive parent behaviorSame as aboveResponse executionProvide access, partial access, or denial, within timelines and with correct noticeDate completed; form/format delivered; parts withheld and rationale; if denied, attach denial letter; if reviewable denial, document review process; communication copiesDenial in whole or part; request nearing 30-day deadline; portal configuration prevents partial access30-day action deadline, one 30-day extension allowed with written notice; denial content requirements
This workflow aligns with OCR’s published decision tools for minors’ mental health, which explicitly route decisions through “Is the parent the personal representative,” “Does state law address access,” “Is access prohibited,” and “professional judgment” only where appropriate.
Sample denial notice language with required HIPAA elements
A denial notice must be plain language, timely, and include key elements such as the basis for denial, review rights if applicable, and complaint instructions with contact information. A clinic template should therefore include: a short statement of what is being denied, a short statement of why (for example, “not the personal representative for PHI related to [service category] under applicable law” or “psychotherapy notes are excluded from the access right”), and instructions for how the requester can seek review if the denial is reviewable, plus complaint pathways.
If the denial is based on a reviewable ground (for example, denying a personal representative because providing access is likely to cause substantial harm), the notice should include the review process, including that the reviewer must be a licensed professional who did not participate in the original denial decision.
Enforcement risk and operational controls to prevent mistakes
OCR has made “parental access” explicitly a compliance focus. In the December 2025 Dear Colleague letter, OCR states it is making parental access an enforcement priority and will use all civil remedies available, including civil money penalties, to ensure compliance. The letter’s factual premise is that OCR is seeing parents denied access improperly, including situations where providers require minors to authorize parental access when applicable law does not require it.
Separately, OCR’s Right of Access enforcement initiative demonstrates that OCR does enforce access rights and that personal representatives are within scope. A 2025 OCR press release on a right-of-access enforcement action states that the Privacy Rule requires that individuals or their personal representatives have timely access within 30 days, with the possibility of one 30-day extension, and describes enforcement actions tied to failures to provide timely access. This does not prove OCR has already brought a parental-access-to-minors case under the 2025 letter, but it does establish (a) demonstrated OCR appetite to enforce access rights generally, and (b) OCR’s publicly stated intent to focus on parental access specifically. Any specific enforcement case uniquely about parental portal access post-letter was not identified in the primary OCR enforcement database during this research, so it remains unspecified.
Operationally, the most reliable controls are the ones that reduce “all-or-nothing” access failures.
Role-based access controls should ensure only trained staff can process minor records access and apply state-law segmentation logic. OCR’s materials emphasize that whether a parent is a personal representative depends in part on state law and on the specific service category, which is not a role for untrained front desk improvisation.
Consent capture controls should record, at the point of care, whether the visit was minor-consent, whether the parent consented, and whether a confidentiality agreement exists for a service, because those facts directly drive § 164.502(g)(3) outcomes.
EHR segmentation and portal configuration controls are now a first-order compliance issue. OCR explicitly instructs covered entities to modify default electronic configurations, or work with business associates, so that parents who are personal representatives have electronic access to the full extent required, and warns that improper portal defaults that deny parental access may violate the Privacy Rule. At the same time, OCR’s framework requires withholding PHI tied to minor-consent services where state law prohibits disclosure, which means systems must support both parent access and selective withholding.
Staff training should specifically teach “scope slicing”: denying access to an STI encounter does not justify denying access to the child’s unrelated vaccination record, and OCR singled out that type of overbroad denial as improper.
Vendor governance matters because patient portals and EHRs are commonly operated by business associates, and OCR’s letter explicitly tells covered entities to work with those vendors to ensure access configurations comply.
Short decision flow clinicians can follow
If you want something clinicians can run in their head in under a minute, OCR’s own minor mental health decision tools are the best model: first determine whether the parent is the personal representative for the specific information, then apply state-law permissions/prohibitions, then use professional judgment only where HIPAA allows it.
Expressed as a short, operational rule: treat the parent as the personal representative by default for the child’s PHI, carve out PHI tied to minor-consent or court-directed or agreed-confidential services (plus safety exceptions), and never block access to unrelated PHI as a shortcut.
Sources
Primary HIPAA rules and OCR guidance
45 CFR § 164.502 (personal representatives, minors exceptions, abuse/neglect/endangerment)
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
45 CFR § 164.524 (right of access, timelines, denial requirements, reviewable denial to personal representatives)
https://www.govinfo.gov/content/pkg/CFR-2022-title45-vol2/pdf/CFR-2022-title45-vol2-sec164-524.pdf
45 CFR § 164.530(j) (retention period for required documentation)
https://www.law.cornell.edu/cfr/text/45/164.530
OCR Dear Colleague letter: The HIPAA Privacy Rule and Parental Access to Minor Children’s Medical Records (Dec 3, 2025)
https://www.hhs.gov/sites/default/files/ocr-letter-hipaa-privacy-rule-and-parental-access-to-minor-childrens-medical-records.pdf
OCR FAQ 227: Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?
https://www.hhs.gov/hipaa/for-professionals/faq/227/can-i-access-medical-record-if-i-have-power-of-attorney/index.html
OCR Guidance: Personal Representatives (includes parents/minors discussion and state-law deference)
https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html
OCR Fact Sheet: Am I my child’s “personal representative” under HIPAA?
https://www.hhs.gov/sites/default/files/am-i-my-childs.pdf
OCR Mental Health Guidance PDF: HIPAA Privacy Rule and Sharing Information Related to Mental Health
https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf
OCR Decision Tool: When can parents access information about their minor child’s mental health treatment?
https://www.hhs.gov/sites/default/files/minors-hipaa-decision-tool.pdf
OCR Infographic: When may a mental health professional use professional judgment to decide whether to share a minor patient’s treatment information with a parent?
https://www.hhs.gov/sites/default/files/minor-professional-judgment-infographic.pdf
OCR Mental and Behavioral Health hub (curated links; last reviewed Jan 28, 2026)
https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
Right of access enforcement pattern (OCR press release example)
https://www.hhs.gov/press-room/ocr-settles-with-concentra.html
Substance use disorder additional rules
42 CFR § 2.14 (minor patients under 42 CFR Part 2)
https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-B/section-2.14
State-law variability sources (illustrative, not legal advice)
Guttmacher Institute: Minors’ Access to STI Services (policy summary)
https://www.guttmacher.org/state-policy/explore/minors-access-sti-services
Guttmacher Institute: Minors’ Access to Contraceptive Services (policy summary)
https://www.guttmacher.org/state-policy/explore/minors-access-contraceptive-services
Pediatrics (AAP journal): State-by-State Variability in Adolescent Privacy Laws (2022)
https://publications.aap.org/pediatrics/article/149/6/e2021053458/187003/State-by-State-Variability-in-Adolescent-Privacy