This article presents a legal overview of privacy and autonomy considerations related to children in the context of health information technology adoption and use. All uses of health-related technologies take place within a legal framework that guides health care generally; the privacy laws and autonomy principles long predate health information technology and can be expected to shape its design and use. Furthermore, it is a legal tenet that technology advances shape the law, and this can be expected as health information technology use evolves. Most laws related to health care, medical practice, and the right to privacy are state-based and subject to high variability. As the health information revolution increasingly eliminates the importance of geographic boundaries to health care, interstate tensions can be expected to grow. Health information privacy law is even more complex in the case of children, because the relationship between privacy law and children is itself complex. The law considers minor children to be deserving of special protection against harm and risk exposure, and this concern extends to privacy. Regardless of whether minors can shield health information from parents, it is clear that parents and children have the power to control the flow of information to and among entities. Although information protections may pose a higher standard where information about children is concerned, this fact should not overshadow the extent to which information can be used under existing legal principles. Over time, as the security and safety of information sharing are established, the law may yet evolve to permit a freer flow of information.
This article presents a legal overview of privacy and autonomy considerations related to children in the context of health information technology (HIT) adoption and use. Although US law has focused on health information privacy for more than a century, the introduction of HIT has triggered renewed interest because of its potential to transform the quality, accessibility, and utility of health information.
As with all technological innovation, advances in HIT unfold within the complex legal atmosphere in which medical care takes place. As a result, it is essential to understand the legal principles that guide health care for children. Furthermore, it is a general tenet in health law that technology alters legal principles over time. Therefore, it can be expected that, as medical practice custom slowly begins to embrace and use HIT on a widespread basis, underlying legal considerations also may evolve.
The general legal considerations associated with the transformation of health information have been discussed elsewhere,1 and it is already possible to see the early legal effects of HIT adoption, particularly with respect to efforts to foster HIT diffusion through legal incentives, such as the establishment of legal “safe harbors” for the donation of HIT-related software to physicians.2 An enduring challenge, however, is how to resolve the conflicts that arise when the desire for greater amounts of more-accessible information confronts the equally strong desire for information privacy, especially in the case of information whose unauthorized disclosure could cause injury and stigma.3
Much health care law is state-based and thus subject to high variability. As the health information revolution increasingly eliminates the importance of geographic boundaries to health and health care, tensions involving state-based law can be expected to grow.4
The issue of health information privacy takes on an added dimension where children are considered, because the law's relationship with children is complex. The law considers minor children to be deserving of special protection against harm and risk exposure. The law also expects that parents, guardians, or the state, acting in the role of parent, will make decisions on children's behalf and with their welfare as the central focus. Although information-sharing may be key to child safety and protection, there also is a strong impetus to protect children from harms resulting from the disclosure of information. Furthermore, under certain circumstances, minor children possess autonomy over certain types of health care decisions and, by extension, the information that results from those decisions. Controversies over children's legal right to control health information have already emerged, regarding both the existence of any right and state-to-state variations in rights.5
CONSENT TO TREATMENT AND DISCLOSURE OF TREATMENT INFORMATION: EVOLUTION OF HEALTH INFORMATION LAW AND MINORS
A broad range of federal and state laws are relevant to any discussion of health information and children's rights, including federal and state constitutions, statutes and implementing administrative regulations and policies, and judicial “common law,” the bedrock of the US legal system. The power to control health information can be thought of as a logical extension of the right to privacy and autonomy in health care decision-making. The basis of these privacy expectations is found in the common law, although a constitutional basis for the right to privacy is now nearly universally acknowledged. Common law, which represents the most explicit legal basis for privacy rights, provides for parental/guardian deference in the case of medical decision-making involving minor children. Therefore, in treating a minor child, a health care provider must obtain the informed consent of the adult empowered to make health care decisions on the child's behalf. By extension, adults have control over the information that results from health care.
Over the decades, however, courts have carved out important legal exceptions. Moreover, in a reflection of the democratic process, many state legislatures have abrogated statutorily (ie, displaced) common law for certain types of health care or child populations. Together, these judicial or statutory exceptions recognize children as independent of their parents, thus adding to the law's complexity and variability.
Common law and state statutes now recognize 3 distinct types of legal approaches to broadening the power of children to consent to care and to control health information.6 The first approach builds on 2 legal doctrines, that is, the “mature minor” and the “emancipated minor.” The second approach reflects a doctrine known as parens patriae. The third approach permits exceptions to the parental consent rule for specific types of treatments sought by minors, particularly treatments related to reproductive and behavioral health, especially treatment for substance use.
Mature and Emancipated Minors
The evolution of the consent doctrine shows clear movement toward permitting minors to consent to treatment without parental involvement in certain situations. In many jurisdictions, physicians are permitted to treat minors in accordance with their wishes if they are deemed mature minors by a court. Rarely has the mature minor doctrine been applied to children younger than 16 years of age, but it allows a court to permit a minor to choose if personal choice is deemed to be in his or her best interests.7 This doctrine most commonly appears in the “judicial bypass option” in the case of minor girls seeking abortion without parental notification. Although the mature minor doctrine has not assumed constitutional proportions outside the abortion context, courts in most jurisdictions seem to recognize the doctrine as either a common law principle or the result of express statutory authority.6
Many states also have enacted medical emancipation statutes that recognize as legally emancipated certain groups of minors, such as those who are married, on active military duty, self-supporting and not living at home, pregnant, or parents or have been declared judicially emancipated. The emancipated minor doctrine recognizes the decisional rights of certain groups of minors 16 years of age or older.8 Whether full or only partial emancipation is recognized is a matter of state law, and there is considerable variation in both state statutes and judicial interpretation of state law.
Common law and states' own inherent police powers recognize the power of government to protect the interests of minor children to advance public health and welfare. For example, the establishment of compulsory provider immunization-reporting statutes and the creation of a registry to record (and, under certain conditions, to disclose) information about children's immunization status represent an exercise of the parens patriae doctrine. A distinct question, however, is whether parents could be compelled to immunize their children or to disclose information. Virtually all states condition school entry on immunization status, with limited grounds for parental refusal. Even where there may be a right to refuse treatment, however, states can demand disclosure of children's immunization status.
Minor Consent Rights Tied to Certain Conditions
The law has evolved to include certain condition-specific applications of the emancipated minor or mature minor doctrines, by permitting children to consent to certain types of necessary care that could be deterred as a result of parental notification. Such services include the evaluation, diagnosis, and treatment of drug and/or alcohol abuse; family planning, abortion, and treatment of pregnancy and related services; treatment for sexual assault; and treatment of mental health problems, sexually transmitted diseases (STDs), and HIV/AIDS. The provision of emergency care to minor children without parental consent also is permitted.
Although minor consent to treatment is a common law concept and every state, to some degree, has enacted legislation furthering minor consent, the laws vary according to factors such as age, the ability to give informed consent, the nature of the services covered, provider type, and conditions under which parents must ultimately be notified and given access to the child's medical records.9 Even as the concept of minor consent has evolved, the explicit issue of who has access to the information resulting from the treatment of a mature or emancipated minor remains less clear. In other words, the fact that a minor can consent to certain treatments does not automatically confer privacy status to that information. In this respect, the law remains unsettled and evolving.
Although patient autonomy over treatment is closely linked to the right to control health information, the right to consent to care does not automatically confer the legal right to control the flow of health information. Many states separate the 2 concepts as a matter of law.10 In some states, and for specific types of care, a minor's legal right to consent explicitly encompasses the right to protect medical information.11 In other states, parental access to information falls within the judgment of the treating health professional. In still other states, a minor's parent or legal representative may be given full access to all pertinent medical information.
Therefore, the power to consent to medical care and the power to control access to health information resulting from care represent related but distinct legal questions. State laws may permit or compel parental notification or the disclosure of information to third parties, even as they confer on minors the right to consent to some or all medical treatment. Furthermore, each form of treatment and information may entail different legal standards. For example, state law may provide total privacy protections (for both treatment and information) for abortion but compel disclosures for other forms of treatment (eg, treatment of mental illness). Similarly, laws may vary in the extent to which mature or emancipated minors or their parents may withhold treatment information under laws providing for the reporting and disclosure of personal health information.
As HIT adoption has spurred the reexamination of laws pertaining to health information privacy, some states have begun to enact specific legislation separating consent to treatment from the issue of privacy. At least 3 states, namely, California, Montana, and Washington, have adopted health privacy laws that explicitly give minors authority over their own medical records when they have the legal right to consent to care.10 New York law specifies that parents may not access the medical records of their minor child who has obtained an abortion or treatment for a STD; in Colorado, health care providers may not be compelled to release a minor's medical records related to testing or treatment for STDs or drug addiction.12
These states are the exceptions. Although few states mandate disclosure, most minor consent laws are silent or unclear on the question of parental or governmental access to the information. In those cases, as discussed below, the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule accords considerable discretion to health care professionals to determine the extent of disclosure to parents or to governmental authorities.
FEDERAL LAW AND HEALTH INFORMATION IN THE CONTEXT OF MINORS
HIPAA Privacy Rule
Undoubtedly, the best-known law in the area of health information privacy is the Privacy Rule promulgated under HIPAA.13 The Privacy Rule, designed to establish an information privacy legal framework for HIT, attempts to reconcile privacy concerns with information exchange. Provider custom and practice are the principles that undergird HIPAA, which creates a federal “floor” of privacy protections14 while preserving more-stringent state laws.15,16 Furthermore, HIPAA does not displace other federal laws and therefore must be considered in relation to other statutes and rules.
The Privacy Rule applies to “covered health care entities” (ie, health care professionals, health plans, and other types of providers or information clearinghouses) who engage in the electronic transmission of health information for treatment, payment, and health care operations.17 The rule extends its safeguards to protected health information (PHI), consisting of personally identifiable information.
The Privacy Rule permits covered entities to use and to disclose PHI for treatment, payment, and health care operations without the need for individual written permission. That is, HIPAA creates a “general consent” standard that permits disclosures unless they are prohibited under more-stringent state or federal laws. In this regard, the rule recognizes professional traditions and ethical obligations, by permitting covered entities to obtain written permission to use and to disclose health information for these core purposes as part of their own privacy policies. Therefore, a health professional may elect not to disclose certain information, even if HIPAA would permit the disclosure (as a practical matter, such an election may be impossible if insurers condition payment on disclosure). HIPAA does not prescribe the form or manner of consent. When disclosure does take place, the rule applies a “minimum necessary” standard to measure its reasonableness,18 although the standard does not apply to requests for or disclosures of PHI for treatment purposes.19
In the case of covered entities, the Privacy Rule is broadly permissive where disclosure of health information for treatment, payment, or health care operations are concerned. In the absence of more-stringent state laws, for example, a physician could, when treating a minor child, adopt a disclosure policy and share information with the minor's parents. Outside of these purposes, with their permissive exceptions, the rule requires that entities obtain specific written permission (authorization) from patients that must satisfy explicit content and format requirements. For example, a summer jobs program could not obtain information on a minor from a physician without specific written consent.
The Privacy Rule expressly defers to state law regarding questions of health information privacy in the case of minor children (as defined by the state).20 Furthermore, federal guidance15 creates a presumption in favor of parental disclosure in the absence of explicit state law to the contrary, providing that silence in state law would be interpreted as according health care providers the discretion to disclose PHI to parents. The rule bars disclosure to third parties, such as health agencies, schools, and social welfare agencies, without specific consent.
The Privacy Rule also distinguishes between emancipated and unemancipated minors regarding disclosure to third parties, consistent with the common law tradition.21 Emancipated minors, like adults, must be given access to their health information and medical records, as well as the ability to obtain copies and to request corrections. For unemancipated minors, the rule provides for parental control of information flow.
HIPAA also creates 3 express situations in which a minor's privacy considerations prevail: (1) when the minor has the right to consent to health care and has consented; (2) when the minor may lawfully receive care without parental consent and the minor, another individual, or a court, has consented to the care; or (3) when a parent has agreed to a confidentiality agreement between the health care provider and the minor child, which occurs most often when the treating physician has a professional relationship with the family.9
In a departure from the rule's general deference only to more-stringent state law, revisions to the rule in 2003 permit less-stringent state laws to control, thereby providing parents access to minors' health information that would seem to be prohibited under the rule. Where state law explicitly requires parental disclosure of health information, the rule requires compliance with state law. To the extent that HIPAA permits providers to adhere to their own, more-protective customs, to date there has been no test of whether a provider, facing a compulsory state disclosure law, could claim a federally protected custom of nondisclosure.
The Privacy Rule includes 2 additional important provisions related to the privacy of minors that accords them considerable discretion. First, minors may request that their provider or health plan communicate with them confidentially, such as by e-mail or at a place other than home.22 Second, minors may request limitations on disclosure of information for treatment, payment, or health care operations that otherwise would ordinarily occur without specific authorization.23 These requests may be particularly important when a minor thinks that disclosure of information could be dangerous.9
The legal obligations of health professionals using e-mail may act as an additional deterrent to e-mail communications, however. Pediatricians must ensure that minor patients have a legal right to release or to have access to specific health information and that messaging is secure and accurate.24 Although solutions to these technically complex issues exist, such services may not yet be widespread.
The rule allows covered entities to deny a parent or personal representative access to a minor's PHI if, in the health professional's judgment, access would likely cause harm to the minor or to someone else.9 Whether this express authority would allow a provider to overcome a specific state disclosure law has not yet been tested. In addition, the rule permits a provider or health plan to disclose a minor's PHI to prevent or to diminish an imminent threat to the health and safety of a person or the public.9,25
It is important to note that HIPAA creates no privately enforceable federal right to privacy, although HIPAA standards regarding the handling of personal health information may be highly relevant in litigation related to privacy breaches. In effect, the rule establishes a standard of practice against which conduct could be measured in litigation under other legal theories.
Title X of the Public Health Service Act
Title X of the Public Health Service Act provides grants to support the provision of confidential family planning services, while encouraging parental involvement.26 Federal regulations promulgated in the 1980s attempted to overturn the statutory confidentiality guarantee for minors by mandating parental notification for unemancipated minors seeking contraception from federally funded family planning clinics, with limited exceptions in cases involving STDs or in which a provider deemed that parental notification would lead to patient harm. The regulations were struck down as ultra vires (ie, beyond the power of the Secretary to promulgate),27 as were subsequent efforts by ≥1 state to refuse to make Medicaid payments to Title X providers unless the state's parental notification and consent laws were honored.28
Since its 1965 enactment, federal Medicaid law has prohibited the disclosure of information related to applicants and enrollees unless the disclosure is related directly to program administration.29,30 The language of the statute parallels the HIPAA Privacy Rule, but the Centers for Medicare and Medicaid Services has never clarified whether Medicaid privacy standards parallel those established under HIPAA. States seem to vary widely in how stringently they interpret the Medicaid privacy statute, particularly with respect to the requirement for specific consent for disclosure in cases in which HIPAA's general consent standard would apply. No specific exception to the disclosure prohibition has been established for the exchange of health information through health information systems but, over the years, federal practice has been to permit considerable electronic data exchange of PHI for treatment, payment, and health care operations.
In recent years, the Centers for Medicare and Medicaid Services have attempted to modernize Medicaid's state data collection and reporting activities through the Medicaid Information Technology Architecture framework and initiative.31 This framework is intended to ensure that information is available to those who “need to know” without compromising principles of privacy and confidentiality. Because federal Medicaid laws would have a preemptive effect on state laws (unlike with HIPAA, there is no preservation of more-stringent state laws), it is possible that, in the case of minors covered by Medicaid, certain disclosures would be lawful that otherwise would be prohibited by HIPAA.
Medicaid privacy standards have been interpreted as strict. For example, federal courts have prohibited the seizure of abortion records involving Medicaid enrollees.32 Furthermore, federal Medicaid law could not be interpreted as depriving Medicaid-enrolled minors of their constitutional judicial bypass rights.
Federal Grants for the Provision of Alcohol and Substance Abuse Treatment
Federal laws contain a broad prohibition against disclosure of patient information by federally assisted entities engaged in the provision and funding of programs for the prevention, treatment, and management of alcohol and substance abuse.33 This special law, which requires specific consent for disclosure, was designed to encourage people to seek out and to remain in treatment without fear of prosecution by law enforcement and the government. Therefore, the law is powerfully preemptive, not only of lesser state laws but also of HIPAA's general consent standard. Certain exceptions apply to this prohibition, including medical emergencies, research activities, audit and evaluation activities, information related to child abuse or neglect required under state law, and situations in which the provider views the child's life as being threatened, the child is considered incapable of making a rational disclosure decision, and parental communication may reduce the threat.34 Federal privacy rules also permit disclosure to parents only if the minor cannot make a rational decision regarding whether to inform his or her parents.
Federal Educational Rights and Privacy Act
The Federal Educational Rights and Privacy Act (FERPA), originally enacted in 1974, gives parents access to the educational records of their unemancipated minor children, including any health information contained in those records. The law also gives parents the right to control the disclosure of the data. As with other federal laws addressing privacy of health information, FERPA coexists with HIPAA, and its more-specific provisions would control where the 2 laws are inconsistent. Furthermore, as with HIPAA, FERPA creates no privately enforceable federal rights.35
FERPA broadly defines the concept of an education record to include all records, documents, and folders containing information related directly to a student. However, information contained in the records of school-based clinics, where adolescents often go with an expectation of confidentiality, typically would not be considered to be part of a student's education record. These records are controlled by HIPAA, rather than FERPA.36
When a student attains age 18, the federal right of access and the power to control disclosure under FERPA are transferred from parent to minor. FERPA recognizes specific exceptions to its disclosure consent standard, including disclosure of law enforcement records, disclosure under directory information after notification of intent, disclosure in a health or safety emergency, and disclosure in a state's juvenile justice system.8
A significant balancing act comes into play when minors' privacy rights are considered. Under common law and state statutes, the fact that a minor can consent to treatment without parental approval is not automatically dispositive of the separate question of whether a minor can control the privacy of such information with respect to parents or third parties, whether that information is in paper or electronic format. State and federal law have evolved to create certain health information privacy rights, particularly in the case of highly sensitive treatments whose disclosure could compromise a minor's safety or willingness or ability to seek care. However, the law also recognizes the right of parents to health information access, and recent reforms in HIPAA seem to strike a balance in favor of such access, even where state laws may provide greater levels of protection.
Regardless of whether minors can shield health information from parents, it is clear that parents and children have the power to control the flow of information to entities other than those involved in treatment, payment, and health care operations. In fact, the treatment, payment, and health care operation standards established under HIPAA encompass the vast majority of information uses contemplated under HIT. Even if parents or minors have the power to shield the flow of personal information from non–health care-related uses and settings, this fact should not be permitted to overshadow the extent to which appropriately collected and managed health information can be used to measure child health, to test the quality of care, or to measure progress in improving child health outcomes.
This work was supported in part by grants from the All Children's Hospital Foundation, the Pediatric Clinical Research Center of All Children's Hospital and the University of South Florida, and the Maternal and Child Health Bureau (grant R60 MC 00003-01).
- Accepted September 11, 2008.
- Address correspondence to Sara Rosenbaum, JD, Department of Health Policy, School of Public Health and Health Services, George Washington University, 2021 K St, NW, Suite 800, Washington, DC 20006. E-mail:
The authors have indicated they have no financial relationships relevant to this article to disclose.
- ↵Rosenbaum S, Borzi PC, Repasch L, Burke T, Benevelli JF. Charting the Legal Environment of Health Information. Washington, DC: George Washington University; 2005
- ↵71 Federal Register 45140 (2006)
- ↵Beckerman JZ, Pritts J, Goplerud E, Leifer JC, Borzi PC, Rosenbaum S. Health information privacy, patient safety, and health care quality: issues and challenges in the context of mental health and substance use. BNA Health Care Policy Rep.2008;16 (2):1– 13
- ↵Gostin LO. Public Health Law: Power, Duty, Restraint. Berkeley, CA: University of California Press; 2000
- ↵Landro L. Parents barred from teen health files. Wall Street Journal. August 24, 2005:D1
- ↵Phelps S, ed. Gale Encyclopedia of Everyday Law. Farmington Hills, MI: Gale Publishing; 2003
- ↵Pritts J, Goldman J, Hudson Z, Berenson A, Hadley E. The State of Health Privacy: An Uneven Terrain(A Comprehensive Survey of State Health Privacy Statutes). Washington, DC: Georgetown University; 1999
- ↵Gudeman R. Adolescent confidentiality and privacy under the Health Insurance Portability and Accountability Act. Youth Law News.2003;24 (3):1– 6
- ↵Dailard C. New medical records privacy rule: the interface with teen access to confidential care. Guttmacher Rep Public Policy.2003;6 (1):6– 7
- ↵45 CFR 160 and 164
- ↵Standards for Privacy of Individually Identifiable Health Information, Final Rule. 65 Federal Register 82,462, 82,464 (2000)
- ↵Health Insurance Portability and Accountability Act of 1996. PL 104–191 Sec 264(c)(2) (1996)
- ↵45 CFR §160.202
- ↵45 CFR §160.102(a), §164.500
- ↵45 CFR §§164.502(b), §164.508
- ↵45 CFR §164.514(d)(2)
- ↵National Abortion Federation v Ashcroft, WL 292079 (2004)
- ↵45 CFR §160.203
- ↵45 CFR §164.522(b)
- ↵45 CFR §164.522(a)
- ↵Gerstle R. E-mail communication between pediatricians and their patients. Pediatrics.2004;114 (1):317– 321
- ↵45 CFR §164.524 (a)(3)(iii)
- ↵42 USC §300
- ↵Planned Parenthood Federation of America v Heckler, 712 F2d 650 (DC Cir 1983)
- ↵Planned Parenthood Federation of America v Dandoy, 810 F2d 984 (10th Cir 1987)
- ↵42 USC §1396a(a)(7)
- ↵42 CFR §431.302
- ↵Centers for Medicare and Medicaid Services. Medicaid Information Technology Architecture (MITA): overview. Available at: www.cms.hhs.gov/MedicaidInfoTechArch. Accessed February 13, 2008
- ↵Open Society Institute. Demanding Women's Abortion Records: Narrowing Women's Reproductive Rights. New York, NY: Open Society Institute; 2004
- ↵42 USC §290dd-3
- ↵42 CFR Part 2, Subpart B §2.14
- ↵Gonzaga v Doe, 536 US 273 (2002)
- ↵Moore J, Wall A. Must schools comply with the HIPAA Privacy Rule? School Law Bull.2003;34 (1):1– 9
- Copyright © 2009 by the American Academy of Pediatrics