In August 2002, a new federal rule took effect that protects the privacy of individuals' health information and medical records.1 The rule, which is based on requirements contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), embodies important protections for minors, along with a significant degree of deference to other laws (both state and federal) and to the judgment of health care providers. These provisions represent a compromise between competing viewpoints about the importance of parental access to minors' health information and the availability of confidential adolescent health care services.
CONFIDENTIALITY FOR ADOLESCENTS
Over the past several decades, adolescents have gained many opportunities to receive confidential health care services, particularly for concerns related to sexual activity, pregnancy, HIV and other sexually transmitted diseases (STDs), substance abuse and mental health.2 From both a clinical and a public policy perspective, protection of confidentiality for adolescents has been based on recognition that some minors would not seek needed health care if they could not receive it confidentially, and that their forgoing care would have negative health implications for them as well as society.3
Concerns about privacy can prevent adolescents from seeking care.4 In two large nationally representative surveys, approximately a quarter of middle and high school students reported having forgone health care they needed.5 In one of these, a third of students who did not seek care reported that one of their reasons was "not wanting to tell their parents."6 The impact of privacy concerns when adolescents require specific services to address sensitive health issues is likely much higher. For example, half of single, sexually active females younger than 18 years surveyed in family planning clinics in Wisconsin reported that they would stop using the clinics if parental notification for prescription contraceptives were mandatory; another one in 10 reported that they would delay or discontinue use of specific services, such as services for STDs.7 Furthermore, only 1% of adolescent girls who indicated they would stop using family planning services reported that they would also stop having intercourse; the vast majority reported that they would continue to have sex, but use less effective contraceptive methods or none at a11.8
Privacy concerns also influence where adolescents go for health care,9 can deter them from communicating openly with providers,10 and can make them reluctant to accept services such as pelvic examinations and testing for STDs.11
Confidentiality protections for adolescent health care are reflected in the policies and ethical guidelines of a wide range of medical and health care professional organizations.12 They also are embodied in numerous state and federal laws that have great significance for the application of the HIPAA privacy rule to adolescents' health information.
PROVISIONS OF THE RULE
The HIPAA privacy rule* creates new rights for individuals to have access to their health information and medical records (referred to as "protected health information"), to obtain copies and to request corrections.13 It also specifies when an individual's authorization is required for disclosure of protected health information; authorization is generally not required for the use of the information and its disclosure for the purpose of treatment, payment or health care operations.14 The rule applies to health plans, health care providers and health care clearinghouses (which are all "covered entities"). The vast majority of health care professionals who provide care to adolescents are required to comply.
Under the HIPAA privacy rule, adolescents who legally are adults (aged 18 or older) and emancipated minors can exercise the rights of individuals; specific provisions address the protected health information of adolescents who are younger than 18 and not emancipated.15 Parents (including guardians and persons acting in loco parentis) are considered to be the "personal representatives" of their unemancipated minor children if they have the right to make health care decisions for them. As personal representatives, parents generally have access to their children's protected health information. In specific circumstances, however, parents may not be the personal representatives of their minor children.
Minors Acting as Individuals
A minor is considered "the individual" who can exercise rights under the rule in one of three circumstances. The first situation—and the one that is likely to occur most often—is when the minor has the right to consent to health care and has consented, such as when a minor has consented to treatment of an STD under a state minor consent law. The second situation is when the minor may legally receive the care without parental consent, and the minor or another individual or a court has consented to the care, such as when a minor has requested and received court approval to have an abortion without parental consent or notification. The third situation is when a parent has assented to an agreement of confidentiality between the health care provider and the minor, which occurs most often when an adolescent is seen by a physician who knows the family. In each of these circumstances, the parent is not the personal representative of the minor and does not automatically have the right of access to health information specific to the situation, unless the minor requests that the parent act as the personal representative and have access.
Parents' Access to Information
A minor who is considered "the individual" may exercise most of the same rights as an adult under the regulation, with one important exception. Provisions that are specific to unemancipated minors determine whether a parent who is not the minor's personal representative under the rule may have access to the minor's protected health information. On this issue, the HIPAA privacy rule defers to "state or other applicable law."
If a state or other law explicitly requires information to be disclosed to a parent, the rule allows a health care provider to comply with that law and to disclose the information. If a state or other law explicitly permits, but does not require, information to be disclosed to a parent, the rule allows a provider to exercise discretion to disclose or not. If a state or other law prohibits disclosure of information or records to a parent without the minor's consent, the rule does not allow a provider to disclose without the minor's permission. If state or other law is silent on the question of parents' access, a provider or health plan has discretion to determine whether to grant access to a parent who requests it. Although some comments on the proposed rule suggested that this decision should be made by the treating provider, the rule does not require this. In most situations of direct clinical care, it would be desirable for the treating provider to make determinations about access to a minor's protected health information. Where this is not feasible or appropriate, such as when health plans receive requests for records, the rule stipulates that at a minimum the determination must be made by a licensed health care professional exercising professional judgment.
Special Privacy Protections
Two important provisions of the HIPAA privacy rule allow minors who are treated as "individuals" to request special privacy protections. First, these minors may request that health care providers and health plans communicate with them in a confidential manner: by e-mail rather than by phone, or at a place other than their home, for example.16 Also, they may request limitations on disclosure of information for treatment, payment or health care operations that could ordinarily occur without their authorization,17 although the extent to which providers and plans are required to honor such requests varies by the type of request and to whom it is made. These requests may be particularly important when a minor believes that disclosure of information would result in specific danger.18
The privacy rule allows a health care provider or health plan not to treat a parent as a minor's personal representative, given a reasonable belief that the parent has subjected or may subject the minor to domestic violence, abuse or neglect, or that treating the parent as the personal representative could endanger the minor. The provider or plan must also decide that it is not in the minor's best interest to treat the parent as the personal representative.19 In addition, the rule allows a licensed health care professional to deny a parent who is a personal representative access to a minor's protected health information if, in the professional's judgment, access would likely cause substantial harm to the minor or someone else.20 Finally, it allows a provider or health plan to disclose a minor's protected health information in order to prevent or diminish an imminent threat to the health and safety of a person or the public.21 These provisions apply to adults as well as minors but have different implications for minors, specifically with respect to disclosure of information to parents.
The final 2002 HIPAA privacy rule evolved from one issued in December 2000.† Throughout the public debate over and review of the original version and proposed modifications, a broad array of medical and health care professional groups strongly supported the rule's maintaining confidentiality protections for minors.?22 The final version reflects compromise and a balance among competing views. It gives minors somewhat less control over parents' access to their health information than the original version did, and gives providers and health plans greater discretion regarding parental access to minors' health information, particularly when state or other law is silent or unclear. However, on the question of parents' access to information that has traditionally been considered confidential when minors themselves consented to the services, the Department of Health and Human Services (the federal agency that promulgated the rule) deferred to state or other law, and to "professional practice with respect to adolescent health care."23 The rule thus keeps intact a body of law that has been in place for decades, while leaving the door open for that law to change.
The compromise struck in the HIPAA privacy rule on minors' rights leaves health care providers and health plans with a series of important questions regarding the relationship between the rule and the "state and other appli-cable laws" to which it refers. Many such laws are critically important to determining how the rule will be implemented. These include state minor consent, medical records and health privacy laws; the Federal Educational Rights and Privacy Act (FERPA), Title X of the Public Health Service Act and Medicaid.
State Minor Consent Laws
Every state has laws that allow minors to give their own consent for some kinds of health care—including emergency, general health, contraceptive, pregnancy-related, HIV or other STD, substance abuse and mental health care. Every state also has some laws that allow minors to consent for care if they are emancipated, mature, living apart from their parents, pregnant, parents, high school graduates or older than a certain age. Many of these laws have been in place for several decades. The HIPAA privacy rule defers to them.24
Adolescents and the professionals who provide their health care have long expected that when an adolescent is allowed to give consent for health care, information pertaining to it will usually be considered confidential. The language of the statutes themselves sometimes supports this understanding. Many minor consent laws contain explicit provisions regarding the disclosure of information to parents. Some do not allow disclosure without the minor's permission. Others leave the decision about disclosure to the physician's discretion. Very few mandate disclosure.25 Some minor consent laws are silent on the question of parents' access to the information. In those cases, unless state or other law addresses parents' access, the HIPAA rule gives discretion to the provider or health plan to decide whether a parent who requests access should have it; the decision must be made by a licensed health care professional.
Other State Law
For adults, the HIPAA privacy rule defers to state laws that provide stronger privacy protections than the federal rule, but if state laws provide weaker protection, the federal rule controls. For minors, on the question of parental access to information, the rule defers to state laws unless they are silent or unclear. Many states have enacted laws concerning privacy of health information and medical records, although not all address disclosure of information to parents when minors have consented to the care.26 At least three states—California, Montana and Washington—have adopted health privacy laws that explicitly give minors authority over their own information and records when they have the legal right to consent to care.27
Any information that is governed by FERPA is explicitly exempt from the HIPAA rule's definition of protected health information.28 In general, under FERPA, parents have access to the education records of their unemancipated minor children, including any health information contained in those records.29 Thus, important questions of interpretation arise when health care is delivered in a school-based health clinic or by a school nurse, or when professionals working in a school have extensive communications about a student's health.
In any specific situation, determining whether the relevant information and records are covered by FERPA or the HIPAA privacy rule requires careful analysis. Most often, however, information that is in the records of a school-based health center, where adolescents often turn with an expectation of confidentiality, is not part of a student's education record. If that is the case, the health center's records would not be subject to FERPA; they would likely be covered by HIPAA.30
Title X and Medicaid
For more than 30 years, the federal Title X legislation has required that confidential services be available to adolescents as well as adults in Title X-funded family planning programs.31 While this protection has been the subject of legislative debate, regulatory challenge and litigation throughout its history, it remains in federal law today and has been modified only to the extent of encouraging, not mandating, family involvement.32 Similarly, Medicaid beneficiaries, including minors, are entitled to receive family planning services, and confidentiality protections apply.33 Courts have invalidated mandates for disclosure to parents when minors receive family planning services through Title X or Medicaid.34 The HIPAA rule defers to this legislation and relevant court decisions.
Numerous decisions of the U.S. Supreme Court and other courts recognize that the constitutional right of privacy protects minors as well as adults. These decisions support minors' right to receive contraception without parental consent, even in a state that does not have a law explicitly allowing them to do so, and even if they are not Medicaid beneficiaries or patients at Title X-funded clinics. In these circumstances, a minor would be considered "the individual" under the HIPAA privacy rule.
Dozens of state statutes (most of which are being enforced) require parental consent or notification when a minor seeks an abortion, usually with a "judicial bypass" alternative that allows her to obtain an abortion without parental knowledge or consent. In a state requiring parental consent, if the minor does not use the bypass and allows consent to be obtained from her parents, she will not be considered the individual under the HIPAA rule. If she uses the bypass option, or is in a state that requires parental notification but not consent, the minor will be considered "the individual."35
Clinicians providing adolescent health care must implement the changes required by the HIPAA privacy rule in all settings.36 They also must be aware of the aspects of the rule that apply to unemancipated minors and must understand how to provide health care within this context.37 This requires the following:
• Health care professionals must be knowledgeable about state minor consent laws, including any provisions regarding disclosure of information to parents.
• Health care professionals must be knowledgeable about any state laws regarding privacy of health information and medical records, including provisions pertaining to disclosure of information to parents, particularly when minors may legally give their own consent for care.
• When state and other laws are silent or unclear, health care professionals must be prepared to exercise professional judgment and grant or deny parents' requests for information about care for which minors may legally consent.
• Health care professionals must be aware that the HIPAA privacy rule grants legal significance to agreements with parents that favor their adolescents' receiving at least some health care on a confidential basis. The rule provides that in such situations, the minor generally assumes the rights to control access to information and records of the care (subject to state and other laws' provisions about parents' access).
• Health care professionals must clarify the location of health information obtained during delivery of care in school-based health centers. If the information becomes part of a student's education record, it is likely covered by FERPA, which gives parents access to the record.
• Health care professionals must understand the requirements of Title X and Medicaid, which protect adolescents' access to confidential family planning services.
• Health care professionals must understand the constitutional privacy rights that protect minors' access to contraception and abortion. Clinicians providing abortions should make sure that minors understand that obtaining parental consent or seeking a judicial bypass will affect their ability to control abortion-related health information.
The privacy rule does not address many practical issues that affect clinicians' ability to provide confidential care for adolescents. Clinicians still must determine minors' capacity to give informed consent. Clinicians still need to screen for situations that will limit minors' ability to receive confidential care, such as physical or sexual abuse, and risk of homicide or suicide. Clinicians still face challenges concerning how to maintain their records when the parent has rights to obtain some of their adolescent's health information. Such challenges may arise less frequently in specialized settings, such as STD or family planning clinics, than in clinical settings where comprehensive health services are provided, such as private physicians' offices. Electronic medical records, over which physicians may have little control, add complexity to this issue.
Third-party reimbursement also creates challenges. Many adolescents are covered by public or private insurance, but some are unwilling or unable to use their coverage for contraceptive services, STD diagnosis and treatment, or other sensitive issues, because they worry that their parents will find out through the billing and insurance claims process. Although the HIPAA privacy rule provides a legal basis for a minor to request that providers and health plans restrict disclosure of their protected health information or that they communicate with the minor in a confidential manner,38 the effective implementation of these provisions requires the willing and active cooperation of both health care providers and third-party payers.
Finally, clinicians continue to face the challenge of conveying the protections and limitations of confidentiality to adolescent patients and their parents. They also still face the challenge of encouraging communication between adolescent patients and their parents in a way that is respectful of adolescents' need for privacy and the support that parents can provide.
HIPAA IN THE REAL WORLD
Each year, millions of adolescents seek family planning services and STD screening. Many are minors, are competent to give informed consent for health care and deny being at risk of physical or sexual abuse. Two critical issues affect how the HIPAA privacy rule applies in these situations: the state in which the minor is located and the type of site where the care is provided.
Private Practice Settings
Often an adolescent is seen at a private physician's office for routine health care (which should include testing for chlamydial infection if she is sexually experienced), concerns about STD symptoms or family planning services. If she is a minor, the STD screening is a service that she would be able to give her own consent for in every state, although the age limit varies. Title X, state law or constitutional principles also would permit her to give her own consent for family planning services. Moreover, her parent may have agreed to her receiving confidential care from the physician. In these situations, under the HIPAA privacy rule, the adolescent is considered an "individual." Should her parents at some point want access to information and records of her care, they would be entitled to access to information about most of the general care she has received—routine care for minor acute problems, immunizations, sports physicals—but whether they could access information about the STD screening and family planning would depend on state or other law. If the laws clearly prohibit disclosure without the minor's permission or give physicians discretion, they control. If the laws are silent or unclear, the rule gives physicians and other covered entities discretion on whether parents should have access to the medical records.
The most challenging issues in a private physician's office arise with respect to billing and third-party reimbursement. If the office has routinely sent bills home for the minor's care, some diligence will be required to ensure that information on the bill does not inadvertently disclose confidential information to the parents. Moreover, if the minor has health insurance coverage and wishes to use it to pay for the care, additional risks exist that disclosure will take place through the insurance claims process, when explanations of benefits are sent to the policyholder, usually a parent. The rule may minimize these risks if minors use the option of requesting restrictions on disclosure or confidential communications. Ultimately, however, effective implementation of confidential care for minors in a private physician's office depends on cooperation of the minor, the physician, and any health plan or insurer that is involved.
School-Based Health Centers
All school-based health centers require some form of consent from parents before a student who is a minor receives care. Often the parent need only sign a general consent form at the beginning of the school year. Many of these forms specify the services offered at the center, and many specify that services are confidential. However, in general, school-based health centers work hard to involve parents whenever that is possible and appropriate.
Many school-based health centers offer family planning services and STD screening, and often students want and expect that care to be confidential. In every state, minors can legally consent for STD screening; the same is usually true for family planning. As a result, information about STD screening and family planning is in a different category from information about general health care—which the minor may not have the legal right to consent for under state law. Thus, if information about the minor's health and services received at the center is requested either by a parent or by other school personnel, the school-based health center must pay special attention to ensuring that information about family planning and STD screening is not unintentionally disclosed along with other medical records. This is also true if the student's parent has authorized disclosure of health information or medical records to others, such as a new school or a camp. To the extent that confidentiality concerns arise with respect to billing and third-party reimbursement linked to school-based clinics, the same general considerations apply as in a private physician's office.
Finally, school-based health centers may have to address suggestions from school personnel that their records are covered not by HIPAA, but by FERPA. This will rarely be true, as long as school-based health centers or their sponsoring agencies meet the privacy rule's definition of a "covered entity" and center staff are careful to enter protected information only into the health center's record and not into a student's general education records, where it would be accessible to parents under FERPA. Nevertheless, schools and school-based health centers need procedures for determining which records are governed by the requirements of which law and what those requirements mean for how the information can be used with the school. Information about family planning or STD screening in a school-based health center will almost never be accessible to the school, and will be accessible to parents only under specific provisions of state law.
Specialized Clinic Settings
Every day, adolescents seek family planning or STD services in clinics specifically designed to provide such care. The application of the HIPAA privacy rule in these settings may differ markedly from its application in private physician offices or school-based health centers. At Title X-funded family planning clinics, the confidentiality protections of Title X apply; thus, if a minor receives contraceptive or STD care, the services are confidential and the minor's permission is required for information to be disclosed to her parent. The issues may be slightly more complex in family planning or STD clinics not receiving Title X funds. If the minor is a Medicaid recipient, he or she is also entitled to receive confidential family planning services if the services are billed to Medicaid. (The same is true in other Medicaid provider sites, including private physician offices and school-based health centers.) However, once again, the variation in practice among Medicaid managed care plans and state Medicaid agencies with respect to the handling of confidential services on claim forms and benefit statements poses challenges.
Although the specific applications of the HIPAA privacy rule vary by state and within different clinical settings, there are common themes and questions, which will be resolved over time. Questions of overriding importance include the following:
• In what circumstances should health care professionals exercise any legal discretion they may have to disclose information about care for which an adolescent gave consent and that the adolescent sought with a desire for confidentiality protection? This question can be answered only in part by reference to law, and will be greatly informed by sound standards of ethics and clinical practice.
• When state and other laws are silent on the question of parents' access to information once a minor has consented to care (or the parent has agreed to allow the minor to receive confidential care), how and by whom will determinations be made about parents' requests for access to information or records? This question will have to be answered largely in the context of protocol development and systems review within provider sites and health plans.
• To what extent will minors be able to receive insurance coverage for services that would generally entitle them to confidentiality under state or other law? Answers to this question will depend on extensive discussion and planning among clinicians, health plans, health insurance companies, Medicaid agencies and others.
To the degree that willing providers and health plans address these questions in good faith with the desire to provide high-quality ethical care, to be flexible about their procedures and to honor adolescents' need for confidentiality, the HIPAA privacy rule provides an excellent basis for them to do so.
Overall, the HIPAA privacy rule requires some sweeping changes by entire health care systems in the handling of individuals' health information. The rule had the potential to make sweeping changes in adolescents' ability to access services on a confidential basis, but in the end left the status quo essentially intact. It acknowledges the validity and reaffirms the importance of the broad range of laws put in place over several decades that are supported by a strong body of research and reflected in the ethical codes and organizational policies of many health care professionals.
However, the rule also leaves both the states and Congress free to alter existing laws. Thus at the state or federal level, laws that have enabled adolescents to receive confidential care could be amended or repealed, and new laws addressing the privacy of adolescents' health information could be enacted. While this has always been true, the heightened attention to questions of confidentiality in adolescent care could lead to more activity in state legislatures or in Congress.
Some attempts have already been made to repeal minor consent laws that have been on the books for 30 years39 and to require parental notification for adolescents receiving STD care,40 which has long been considered a confidential service for minors in every state. So far, most such efforts have not succeeded, but it is not yet clear how state and federal laws and policies will evolve as implementation of the HIPAA privacy rule proceeds.