HIPAA and Parental Access to Medical Records: What Parents Can and Can't Access and When Consent Is Required

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

HIPAA and Parental Access to Medical Records: What Parents Can and Can't Access and When Consent Is Required

Kevin Henry

HIPAA

March 03, 2026

7 minutes read
Share this article
HIPAA and Parental Access to Medical Records: What Parents Can and Can't Access and When Consent Is Required

Parental Rights to Minor's Medical Records

Under HIPAA, a parent or legal guardian is usually the minor’s personal representative. As a personal representative with legal authority, you generally have the same right the child would have to access Protected Health Information (PHI) and to make decisions about disclosure.

  • Request, inspect, or obtain copies of the child’s designated record set, including clinical notes and billing records.
  • Authorize disclosures of PHI to schools, camps, or other caregivers when needed for care coordination.
  • Communicate with clinicians about diagnoses, medications, and treatment plans, subject to any applicable limits described below.
  • Use patient portals or proxy access tools when offered, once your identity and custodial rights are verified.

Healthcare organizations typically verify your status with documents such as a birth certificate, guardianship papers, or court orders before granting access.

Exceptions to Parental Access

HIPAA and related laws recognize situations where a parent is not treated as the child’s personal representative or where access may be limited. These exceptions protect confidential relationships and the child’s safety or autonomy.

  • Minor consents to care: If state law lets a minor consent to specific services without a parent’s consent, the minor controls the PHI for that care. Common examples include STI testing and treatment, contraception, pregnancy-related care, certain mental health services, and substance use disorder services.
  • Agreed confidentiality: If you and the provider agree the minor may receive care under a confidential relationship, the provider can withhold those records from you.
  • Risk of harm or abuse: If the provider reasonably believes the child has been or may be subjected to abuse, neglect, or endangerment by a parent, or disclosure is not in the child’s best interest, access can be denied or limited.
  • Court orders and status changes: Emancipation, marriage, adoption, or court orders restricting parental rights can remove or limit access.
  • Special protections: Psychotherapy notes kept separately and substance use records protected under federal rules may have heightened restrictions regardless of parental status.

State Laws Affecting Access

HIPAA sets a national floor, but state laws can expand a minor’s ability to consent to care or impose stricter privacy rules. When state law is more protective of privacy, providers follow the more stringent standard.

  • Minor-consent statutes: Many states let minors independently consent to reproductive health, STI services, or outpatient mental health counseling; those records are typically controlled by the minor.
  • Notification or age thresholds: States differ on ages, parental notification rules, and what information can be shared without the minor’s permission.
  • Preemption and deference: HIPAA defers to state law to define who has legal authority and when a parent is a personal representative for specific services.
  • Documentation: Providers may request proof of legal authority before honoring access when custody orders or special state rules apply.

Parental Access to Adult Children's Records

When a child reaches the age of majority (usually 18), parents no longer have automatic access to medical records under HIPAA. Access requires the adult child’s permission or another recognized legal authority.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

  • Authorization: Your adult child can sign a HIPAA authorization or designate you for proxy portal access.
  • Healthcare Power of Attorney: If your adult child names you in a Healthcare Power of Attorney or you are a court-appointed guardian, you are treated as the personal representative.
  • Involvement in care: When an adult child is incapacitated, providers may share relevant information with you based on professional judgment and your involvement in the child’s care.
  • Payment is not enough: Paying bills or carrying insurance does not, by itself, grant access to PHI without authorization or other legal authority.

Healthcare Provider's Discretion

HIPAA allows providers to use professional judgment when sharing information with family members involved in a patient’s care. This discretion applies to both minors (within the rules above) and adult patients.

  • Ask preferences: When feasible, providers should ask the patient—even a mature minor—about sharing information with a parent or caregiver.
  • Limit scope: Share only information relevant to the person’s involvement in care or payment.
  • Honor confidential relationships: Respect promises of confidentiality made to a minor when permitted by law.
  • Document decisions: Note rationales for granting or denying access and verify identities and custodial rights.

Parental Access in Custody Situations

Custodial rights matter. HIPAA looks to state law and court orders to decide who is a personal representative. A non-custodial parent often retains rights to access PHI unless a court order or specific law limits those rights.

  • Review orders: Providers typically require custody, guardianship, or protective orders to confirm who has decision-making authority.
  • Sole legal custody: If one parent holds sole legal custody or another parent’s rights are terminated, only the authorized parent may access records.
  • Disputed requests: When orders conflict or are unclear, providers may pause access while seeking clarification to protect the child’s safety and privacy.
  • Third parties: Foster parents or caregivers need documented legal authority before access is granted.

Consent to care and authorization to access PHI are related but distinct. If a minor can lawfully consent to a service, the minor generally controls PHI for that episode; if parental consent is required for care, parents usually control access as personal representatives.

  • Routine and preventive care: Parental consent is typically required; parents can access the related PHI.
  • Reproductive health, contraception, and STI services: Many states allow minors to consent; parental consent and access may be restricted to preserve confidentiality.
  • Mental health services: Some states permit minors to consent to outpatient counseling; parents may receive limited information (for safety or coordination) while detailed notes remain confidential.
  • Substance use disorder treatment: Federal rules provide extra protections; even when a parent is otherwise a personal representative, disclosures may require the minor’s written consent or a specific court order.
  • Emergencies: Providers may treat and disclose necessary information to parents to prevent serious harm, consistent with professional judgment and applicable law.

Conclusion

In short, HIPAA gives parents broad access as personal representatives but carves out clear exceptions for confidential relationships, safety concerns, and services minors can consent to under state law. Once a child becomes an adult, access requires authorization or other legal authority. When in doubt, confirm custodial rights and the specific state rules that apply.

FAQs.

When can parents access their minor child's medical records under HIPAA?

Parents with legal authority are generally treated as the child’s personal representative and may access the child’s PHI, authorize disclosures, and discuss treatment with providers. This default applies unless a specific exception or state law limits access for certain services.

What are the exceptions to parental access rights?

Access can be limited when a minor consents to particular services under state law, when a parent and provider agree to a confidential relationship, when disclosure could endanger the child or is not in the child’s best interest, or when court orders or special federal protections apply.

How do state laws influence parental access to medical records?

State minor-consent and privacy laws can be more protective than HIPAA. If a state lets minors consent to services like contraception, STI care, or certain mental health treatment, the minor typically controls the PHI for that care, and parental access may be restricted.

Parental consent is generally required when the parent must consent to the underlying care (for routine or preventive services). When a minor can lawfully consent to a specific service, parental consent to access those related records is usually not required and may be prohibited without the minor’s permission or a qualifying order.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles