HIPAA for Minors: Parental Access to Medical Records

HIPAA for minors is one of the more complicated rule sets for compliance professionals to understand. Teams have to balance parents’ rights, minors’ privacy, state consent rules, custody disputes, and safety concerns.

In December 2025, the Office for Civil Rights (OCR) issued a Dear Colleague letter on the HIPAA Privacy Rule and parental access for minors’ medical records. The letter highlights improper denials of parental access and frames parental access as an enforcement priority.

For privacy and compliance officers, this is a clear signal. Parental access workflows related to HIPAA for minors need a fresh review.

This article breaks down how HIPAA treats parental access for minors’ medical records and what that means for your practice.

Does the HIPAA Privacy Rule Treat Parents as Personal Representatives for Minors?

The HIPAA Privacy Rule sets national standards for how covered entities use, disclose, and protect protected health information (PHI). It also gives individuals rights over their health information, including the right of access.

HIPAA allows a “personal representative” for minors to exercise those rights. Under HHS’s guidance on personal representatives, a person who has authority under applicable law to make health care decisions for minors must generally be treated as that individual for HIPAA purposes, subject to specific exceptions.

For an unemancipated minor, HIPAA usually defers to a parent or legal guardian. This is reflected in 45 C.F.R. § 164.502(g).

HIPAA does not define who counts as a parent or guardian for a minor. It defers to state laws or other relevant laws on who has the authority to make their care decisions. That is why you cannot interpret HIPAA in isolation from your jurisdiction’s consent and minor custody rules.

What this means for compliance:

• Make sure your policies explicitly define when a parent is treated as a personal representative for a minor.
  
• Align that HIPAA definition with a current, legal-reviewed summary of state consent and minor custody rules.
  
• Ensure access, denial, and appeal procedures cross-reference that definition so staff do not improvise.

When Do Parents Have a Default Right to Access a Minor’s Medical Records Under HIPAA?

Most of the time, parents have a default right under HIPAA to access their minor child’s records. HHS’s FAQ on personal representatives and minors explains that the Privacy Rule generally allows a parent to access their child’s medical records as the child’s personal representative, as long as that access is not inconsistent with state or other applicable law.

In practice, this usually includes the right to:

• Inspect their child’s medical records.
  
• Receive a copy, including an electronic copy, of records in the child’s designated record set.
  
• Direct the provider to send a copy to a third party under HHS’s right of access guidance.

For compliance teams, this default is the starting point. Staff should assume parents with decision-making authority generally do have access, unless a specific HIPAA exception or state law applies.

What Are the Top Fines Related to HIPAA for Minors?

The rules around HIPAA for minors can feel abstract until they show up in an OCR press release. These enforcement actions sit inside the broader HIPAA landscape you manage every day.

For a wider view of how access, exchange, and disclosure errors turn into penalties, explore our guides on HIPAA Compliance and Medical Records Exchange and HIPAA ROI Compliance Fundamentals.

Here are three examples where parental access issues around a minor’s medical records led to HIPAA settlements.

Children’s Hospital & Medical Center (CHMC) – $80,000

Children’s Hospital & Medical Center in Omaha, a pediatric provider, paid $80,000 to resolve a potential HIPAA Right of Access violation. This occurred after a parent complained that she could not obtain her deceased minor daughter’s full medical record.

According to the OCR settlement notice for CHMC, the hospital provided only part of the requested information. The hospital then took more than six months to supply the remaining records, which were stored in another division.

Paradise Family Dental – $25,000

B. Steven L. Hardy, D.D.S., LTD, doing business as Paradise Family Dental in Las Vegas, paid $25,000 after OCR found a potential HIPAA Right of Access violation involving a mother’s requests for her own and her minor child’s records.

OCR’s Paradise Family Dental resolution page explains that the mother submitted multiple record requests between April and December 2020. The practice did not provide the records until December 31, 2020, more than eight months after the initial request.

David Mente, MA, LPC – $15,000

In 2023, OCR announced a $15,000 settlement with Pennsylvania psychotherapist David Mente, MA, LPC. The OCR resolution agreement for Mente describes a 2017 HIPAA complaint alleging that Mente refused to provide a father with access to his three minor children’s PHI.

OCR provided technical assistance, but a second complaint in 2018 reported continued failure to provide the records.

These cases show that when parents act as personal representatives for their minor children, delays, partial responses, or unnecessary barriers to access can cause HIPAA enforcement issues.

When Are Parents Not Treated as a Minor’s Personal Representative Under HIPAA?

HIPAA includes several narrow exceptions where a parent is not treated as a minor’s personal representative for certain PHI. These exceptions usually involve sensitive services or situations where someone other than the parent controls care.

For compliance officers, these exceptions mark the highest-risk scenarios for OCR complaints, inconsistent staff decisions, and portal misconfigurations.

When Can a Minor Consent to Care Control Related Records Under HIPAA?

In many states, minors can consent to some services on their own. Depending on state law, examples can include:

• Sexually transmitted infection (STI) testing and treatment.
  
• Contraception or pregnancy-related services.
  
• Some behavioral health or substance use services.

When a minor is allowed under state law to consent to a service without a parent and does so, HIPAA generally treats the minor, not the parent, as the decision-maker for PHI related to that episode of care. 

In those circumstances, the parent is not the minor’s personal representative for that subset of information under HIPAA.

The exception is narrow. It usually applies only to PHI related to that specific care, not the entire record. Parents still have access rights to other information, such as vaccines, well-child visits, imaging, and non-sensitive labs.

How Do Court-Ordered or Agency-Directed Services Affect Parental Access?

Sometimes a court or a government agency directs or authorizes a minor’s care, such as:

• Court-ordered counseling or treatment as part of a juvenile matter.
  
• Services required by a child welfare or protective services agency.

When a court or agency has authority to make health care decisions for specific services, the parent may not be the minor’s personal representative under HIPAA for PHI related to that care. Instead, the court or agency may control access for that portion of the record.

This does not mean parents automatically lose access to everything. It means parental rights may be limited for PHI associated with court- or agency-directed services.

What If a Parent Agrees to Confidential Care Between a Minor and a Provider?

A parent can agree to a confidential relationship between the minor and the provider under HIPAA. For example, a parent might say, “I want my teenager to be able to talk freely. You do not have to tell me everything from these sessions.”

HIPAA permits the provider to treat the parent as not the minor’s personal representative for PHI within the scope of that confidential relationship. The boundaries should be clear:

• Which provider or service is involved.
  
• Which types of information the parent has agreed not to see.
  
• Any time or context limits on that agreement.

Providers should document the agreement in the record so HIM, front desk, and portal support teams can apply it consistently.

What About Abuse, Neglect, or Safety Concerns?

HIPAA also includes a safety valve for situations involving abuse, neglect, or serious risk for minors. 

Under 45 C.F.R. § 164.524 and related provisions, a covered entity may decide not to treat a person as a personal representative if it reasonably believes the individual has been or may be subjected to domestic violence, abuse, or neglect by that person, or that treating the person as a personal representative could endanger the individual, and the decision is consistent with the individual’s best interests.

In these cases, organizations should have clear internal workflows for:

• A clinician or qualified professional exercises professional judgment on whether treating the parent as a personal representative would endanger the child.
  
• The reason for not treating the parent as a personal representative is documented in the record.
  
• Required or permitted reports to child protective services or other authorities are made when appropriate.

How Can Parents Get Their Minor Child’s Medical Records Under HIPAA?

Parents often ask, “What do I actually need to do to get my child’s records?” Clear guidance here reduces confusion for families and staff.

Here is a simple process you can share with parents and build into your workflows:

1. Start with the medical records or HIM department.
   Direct parents to the medical records, health information management, or patient records department. Many organizations also accept requests through a secure portal.
   
2. Be specific about what records are needed.
   Encourage parents to specify the child’s name, date range, and the type of information they need, such as visit notes, labs, imaging reports, or vaccination records.
   
3. Submit the request and document the details.
   Covered entities may require specific HIPAA authorization forms, as long as those requirements do not create unreasonable barriers or delays.
   
4. Understand timelines and limits.
   HIPAA generally requires covered entities to act on an access request within 30 days, with one 30-day extension available in limited situations. Some states require faster responses. Sensitive services that local law assigns to the minor may be withheld even when a parent requests “all records.”
   
5. Escalate concerns to the privacy officer or compliance team.
   If parents believe a denial is incorrect, they can ask which specific HIPAA or state rule is being applied and request review by privacy or compliance.

For compliance and HIM leaders, parental access is where policy, technology, and human judgment collide. When requests run through email, fax, and ad hoc tracking, it’s challenging to apply the right rule every time or prove you did.

How Does ChartRequest Help Providers Stay HIPAA Compliant During Minor Medical Records Requests

ChartRequest helps close that gap by turning parental medical records requests into a structured, auditable process:

• Guided digital intake for parents
  Parents follow a clear online workflow that captures who they are, their relationship to the child, what records they need, and how they want them delivered. That reduces incomplete requests and back-and-forth communication.
  
• Configurable rules for age, service type, and jurisdiction
  Requests are evaluated against configurable rules that reflect your minor-consent matrix, state or Tribal requirements, and internal policies. Staff see consistent prompts instead of re-interpreting HIPAA and state law on every call.
  
• Role-based access and standardized ROI workflows
  ChartRequest routes requests to the right team with consistent steps for identity verification, scope validation, approvals, and denials. Role-based access ensures only appropriate staff see and act on sensitive records.
  
• Audit-ready logs for OCR and internal review
  Every request, decision, turnaround time, and denial reason is logged in a structured way. Compliance can pull reports by requester type, location, service line, or reason for denial when preparing for audits or investigating complaints.

If you want to see what this looks like in practice, schedule a personalized consulation to review your current workflows, identify risk points, and explore how standardized ROI processes can support compliant parental and minor access at scale.

Frequently Asked Questions About Minors’ Medical Records Under HIPAA

Do parents always have the right to see their minor child’s medical records under HIPAA?

Most of the time, yes. When a parent has legal authority to make health care decisions for a minor, HIPAA generally treats that parent as the child’s personal representative with access rights, unless a narrow exception applies. Many complaints arise when staff apply those exceptions too broadly or inconsistently, so clear policy language and scenario-based training are essential.

At what age can a minor control some of their own medical records under HIPAA?

HIPAA does not set a single age. It defers to state law on when minors can consent to specific services without a parent, such as STI testing, contraception, or certain mental health treatment. When that happens, the minor often controls access to PHI related to those services, even though the parent remains the personal representative for most other care.

What can parents do if they believe access to their minor child’s medical records was wrongly denied under HIPAA?

Parents can ask for a written explanation, request review by your privacy or compliance officer, and clarify which HIPAA or state rule is being applied to deny access to the minor’s medical records. If the issue is not resolved, they may file a HIPAA complaint with OCR.