Massachusetts Minor Medical Records Access Laws: A Guide for Parents and Teens

Access Rights of Parents and Guardians

The general rule under HIPAA

As a parent or legal guardian, you are typically treated as your child’s personal representative under HIPAA. That means you can access your child’s Protected Health Information (PHI) and request copies of medical records when you have authority to make health decisions for the minor.

When parents do not have automatic access

• If a minor is permitted by Massachusetts Minor Consent Laws to consent to a specific service and does so, the minor controls access to those related records. In these cases, providers treat the teen as the “individual” for HIPAA purposes.
• If a parent has agreed to a confidential relationship between the provider and the minor for a specific service, the provider may withhold those particular records from the parent.
• In rare endangerment situations, a provider can limit disclosures to protect the minor.

Non-custodial parent access

Massachusetts law generally preserves a non-custodial parent’s right to access a child’s academic, medical, hospital, and other health records unless a court order restricts access for safety or other reasons. That right, however, does not override specific confidentiality protections that apply when a minor legally consents to care.

Minor Consent and Confidentiality

Services minors may consent to on their own

• Emergency examination and treatment when delay would endanger life, limb, or mental well‑being.
• If certain status conditions apply: the minor is married, divorced, or widowed; is a parent; is in the armed forces; is pregnant or believes they are pregnant; or is living apart and managing their own finances.
• Diagnosis or treatment related to a disease defined as dangerous to public health, and HIV prevention for sexually active minors.

When a minor consents under these rules, Medical Record Confidentiality is strong: records are confidential between the minor and the clinician and cannot be disclosed without the minor’s written consent or a proper judicial order. If the provider reasonably believes a minor’s life or limb is endangered, they must notify a parent or guardian and inform the minor of that notification.

Abortion care

• Minors 16 or 17 years old may consent to abortion care without parental consent.
• Minors under 16 need consent from a parent/guardian or a judicial authorization (bypass).
• Consent forms for abortion are kept confidential, with specific retention rules noted below.

Medical Records Retention Requirements

How long records must be kept

• Physicians: Keep records for at least seven years from the last patient encounter; for minors, keep at least seven years or until the patient turns 18, whichever is longer.
• Hospitals and licensed clinics: Keep patient records for at least 20 years after discharge or final treatment. Certain raw tracings (for example, EKGs or fetal monitoring strips) have shorter minimums, but narrative reports must remain with the record.
• State mental health facilities (DMH-licensed): Keep patient records for a minimum of 20 years after the record is closed due to discharge, death, or last service.
• Abortion consent forms: The performing clinician must retain the signed consent form for seven years.

Facilities must protect PHI during storage and destruction, and some entities must notify the Department of Public Health before destroying records after the retention period.

Access by Schools and Public Health Authorities

Schools and FERPA

Health information kept by K–12 schools is generally an “education record” under FERPA, not HIPAA. Authorized school personnel may access the student health record when needed to perform official duties. You can request copies of your student’s record, and schools must keep logs of access.

School access to immunization proof

School nurses and registration officials may obtain a student’s immunization records directly from health care providers—without parental consent—when needed to enforce school-entry requirements, after making a good‑faith effort to get the records from the parent or guardian.

Public Health Surveillance

Massachusetts public health authorities receive required reports of diseases dangerous to public health to prevent and control outbreaks. Personally identifiable information in those reports is confidential and accessible only to personnel with a need to know for investigation, control, and prevention activities.

Legal and Law Enforcement Access Provisions

Court-ordered disclosure and subpoenas

Providers may disclose PHI in response to a court or administrative order. For subpoenas and similar requests without a court order, federal privacy rules require additional steps, such as notifying the patient or seeking a protective order, and disclosures must be limited to what is reasonably necessary. These are permissions, not blanket requirements, and stricter state or federal rules can further limit release.

Law enforcement requests

HIPAA permits limited disclosures to law enforcement in specific circumstances (for example, to comply with certain legal process, to locate a suspect or missing person, or to report a crime on the premises). Providers must release only the minimum necessary information and must honor stricter protections that apply to certain record types.

Substance use disorder records

Records from federally regulated substance use disorder programs carry extra protection. Disclosures for investigations or prosecutions generally require a specific court order in addition to legal process, and redisclosure is tightly restricted.

Immunization registry records

Immunization data in the Massachusetts Immunization Information System (MIIS) is not a public record, is shielded from subpoena and court order, and cannot be used as evidence in any proceeding. Access is limited to authorized recipients for defined purposes.

Special Provisions for Mental Health and Substance Use Treatment

Mental Health Treatment Authorization

• Voluntary inpatient admission: A person who has attained age 16 may apply for voluntary admission to a mental health facility without parental consent. Parents or guardians may apply on behalf of a minor as permitted by law.
• Records and confidentiality: DMH-licensed facilities must maintain records for at least 20 years and protect privacy. In certain situations, parents’ access can be limited to protect the minor’s well‑being or due to program‑specific confidentiality rules.

Substance use disorder care

• Consent: Minors ages 12–17 may consent to hospital and medical care related to the diagnosis or treatment of drug dependency when two physicians find the minor is drug dependent, and parental consent is not required for that care.
• Confidentiality: Substance use treatment information is subject to heightened federal confidentiality rules, which strictly limit disclosures and redisclosures absent the minor’s consent or a qualifying court order.

Immunization Records Access

Who can see MIIS records

• Authorized recipients include treating health care providers and their staff, elementary and secondary school nurses and registration officials who require proof of immunization for enrollment and disease control, local boards of health, certain state programs, and health plans for quality improvement.
• Designated Department of Public Health staff may access MIIS information for any purpose authorized by law.

Your rights regarding MIIS

• You or your child’s legally authorized representative can request copies of the immunization record and ask to correct errors.
• You may file an objection to data sharing within MIIS. If you object, the record remains in the registry but is viewable only by the provider that entered the information and the Department of Public Health; other authorized users (including schools) will not be able to see it in MIIS and may seek records from you or your provider instead.

FAQs

Can minors in Massachusetts access their own medical records?

Yes, for services they are legally allowed to consent to on their own (for example, certain sexual and reproductive health services, emergency care, specified public health conditions, some substance use treatment, and abortion for ages 16–17). In those situations, the teen controls access to related PHI. For other care, a parent or guardian usually acts as the minor’s personal representative.

What are the age requirements for minor consent to mental health treatment?

At age 16 or 17, a minor may apply for voluntary admission to a mental health facility without parental consent. For outpatient counseling and other services, consent typically comes from a parent or guardian unless a specific statute or program rule allows the youth to consent or a provider applies a mature‑minor standard in limited circumstances. Providers still must safeguard Medical Record Confidentiality appropriate to the service provided.

How long must physicians retain minor medical records?

Physicians must retain records for at least seven years from the last patient encounter or until the patient turns 18, whichever period is longer. Hospitals and DMH‑licensed facilities follow longer retention minimums (generally 20 years).

Can schools access minor immunization records without parental consent?

Yes. School nurses and registration officials may obtain a student’s immunization records directly from health care providers—without parental consent—when necessary to meet school immunization requirements, after first attempting to obtain the records from the parent or guardian. Schools and school nurses may also view records in the MIIS when permitted; if a family has filed a MIIS data‑sharing objection, the school will request records from the family or the provider instead.