HIPAA Compliance Strategies

Featured Health Business Daily Story March 17, 2010

HIPAA Covered Entities Face Complex Challenges With Medical Records of Minors 

Reprinted from REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

By Nina Youngstrom, Managing Editor (nyoungstrom@aishealth.com)

A New Jersey mother was so determined to get her son’s substance-abuse treatment records from a Washington, D.C., hospital that she hired a lawyer and threatened a court order. The hospital’s story is one of many complex power struggles embroiling covered entities, parents and children’s medical records.

MedStar Health, which has nine hospitals in D.C. and Maryland, received the demand for the medical records from a New Jersey lawyer representing the mother of an 18-year-old treated for substance abuse, says Donnetta Horseman, MedStar’s privacy officer. The lawyer argued that according to New Jersey law, the mother was entitled to her son’s medical records without authorization because he was still a college student and therefore not yet emancipated. “Emancipation,” however, occurs at a certain age or under certain conditions in each state, and is not related to factors such as college enrollment.

Don’t Underestimate the Power of Parents

“The mom felt so strongly about it that she was prepared to get a court order granting access to her son’s medical records under the theory that the boy was still in college,” Horseman says. MedStar decided that, if it were going to release the PHI to the mother, she would need a court order from a D.C. court. But MedStar had to investigate whether the mother had any legal leg to stand on. It turned out that New Jersey is like other states when it comes to medical-record confidentiality: The parent or guardian is the authorized representative for children under age 18, unless the minor has a condition such as substance abuse or pregnancy, for which minors take control of their treatment and medical records at an age specified by each state. “But this person was an adult under state law and the mom was still trying to say he was a minor,” Horseman says.

The New Jersey drama was an object lesson in the importance of being “extremely knowledgeable” about the state laws that affect your organization, she notes. Because HIPAA defers to state laws on parental access to minors’ PHI, privacy officers need to be armed and ready to grapple with the challenges they may face in this arena.

“Just because a lawyer requested the information doesn’t necessarily mean the lawyer was right. You have to go through your state law and verify based on the facts of whether information can be disclosed. It isn’t always cut and dried,” Horseman says.

Privacy officers also advise the use of mechanisms on the front end to minimize hassles over minors’ medical records. For example, at registration, it’s a good idea to ask minors whether or not they generally want PHI to be released to their parents, says Frank Ruelas, compliance and privacy officer at Maryvale Hospital in Phoenix and the architect of HIPAA Boot Camp. “An ounce of prevention is worth a pound of cure,” he contends.

Consent Results in Control of Access

HIPAA’s approach to minors and PHI may be one of the clearest in theory, but its application can get tricky. HIPAA defers to state laws, which generally allow parents access to their children’s medical records until they’re 18 — with some exceptions. When it comes to obtaining birth control and treatment for pregnancy, sexually transmitted diseases (STDs), HIV, substance abuse and mental health issues, minors can obtain treatment without parental consent when they reach ages set by their own state laws. And if minors can consent to their own treatment, they can control access to their own medical records, Ruelas says.

“As soon as you consent, you control access,” says Patricia Wynne, privacy officer for NHS Human Services, a behavioral health company. “Consent and access go hand in hand.” That’s become the mantra: The ability to consent means the ability to decide who views your PHI.

States vary when it comes to the age that a minor is deemed old enough to consent to treatment, and the age of consent is specific to the medical condition (e.g., pregnancy versus substance abuse).

Some states don’t define a minor by age in terms of these sensitive medical conditions. In Virginia, “minors have the right to consent to treatment [in these areas], but the state doesn’t give an age,” says Neschla McCall, compliance director and chief privacy officer for Inova Health System in Falls Church, Va. Given the lack of a bright line, “we don’t allow parents access to that part of the [child’s] medical records.”

Employees of hospitals or other covered entities are not permitted to look up their child’s PHI in electronic medical records and it doesn’t matter whether the child is age three or 16, or whether the parent is interested in strep throat or STDs, McCall says. Employees with children who are treated at Inova must make a formal request for medical records like any other mother or father, McCall says. That way, in the areas where minors control their PHI (e.g., pregnancy, substance abuse), the parent must have their child’s permission or Inova can’t turn over the medical records.

The reason for the blanket policy, McCall says, is that electronic medical record applications “can’t tell whether the 14-year-old child came for a pregnancy test or a flu shot,” she says. The only exception is for parents involved in the child’s care as part of their job at Inova, “but that’s not the norm.”

EMRs Help Deal With Nuances

In some ways, however, EMR systems may make it easier to “adhere to the nuances of what can be disclosed to a parent based on state law,” says Philadelphia attorney Brad Rostolsky, with Reed Smith. With paper records, a few redactions of PHI relating to treatment for STDs or substance abuse may not be adequate to protect a consenting minor whose mother has a sharp eye. “It could become blatantly obvious from the redaction that something was held back, which could be a problem under state law,” he says. “It could cause uncomfortable conversations between parent and provider.”

But EMR systems could have an additional checkpoint to ensure the medical-records technician removes all remnants of PHI relating to treatment in areas where minors control their consent and access, Rostolsky says.

The fact that minors have the ability to give consent — which may trigger their gatekeeper role over their own medical records for pregnancy, substance abuse and other sensitive conditions — won’t necessarily stop parents from demanding their child’s medical records. Parents may be incredulous that they are refused access without their child’s approval, which means a 13- or 15-year-old, for example, calls the shots. Who pays the bills is irrelevant, whether they are paid directly to the provider or through an insurance company. If a child seeks (and consents) to STD treatment at the family doctor, who bills the HMO or the parents directly, the PHI is still off-limits to the parents. “The parent says, ‘This is my child. I am paying for it.’ We have to notify the parent that a child controls access,” Wynne says. “There is a blow-up every time.” Sometimes minors treated at NHS facilities sign authorizations giving their parents access to the medical records; sometimes they don’t. “The goal is to protect the therapeutic relationship,” Wynne notes.

If the minor patient refuses access to his or her parents, they can file a petition with a state mental health hearing officer. The hearing officer must make a determination of what’s in the best interest of the minor, but usually won’t override the minor’s request for privacy, she says. But it can get tricky in the mental-health arena if the child is in crisis. Wynne says many states are trying to articulate amendments to the laws, particularly for situations in which the parent or guardian feels the minor is in critical need of treatment and won’t consent to mental health treatment.

Similarly, were a pregnant girl to be suicidal and the provider to perceive her to be in danger if the situation were not discussed with her parents, providers may be on safe ground if they share at least part of the medical records with the parents, Rostolsky says. “But you have to look to state law,” he emphasizes. No matter what, access is restricted to the minimum necessary PHI related to the goal of returning the patient to a stable medical condition, Wynne says.

Payment Process Can Create Problems

The confidentiality that state statutes afford minors in sensitive areas gets complicated by payment. Parents may learn the child received medical care behind their back through an explanation-of-benefits form from the insurer. “The parents will call the billing department and will want the details of services provided,” Horseman says. “They can tell there were services from the EOB but they can’t tell what they were. The mother may call, saying ‘Here’s my daughter’s date of birth and Social Security number,’ but if it’s an STD or pregnancy or some other area where the minor can consent to treatment under state law, you have to look at this from a completely different angle. A lot of confusion comes in.” Horseman says the reigning approach is to explain to the parents that, based on state law, they are not authorized to have that information, but if their child authorizes it, the hospital can give the parents the medical records.

When minors are emancipated, their parents relinquish any rights to any kind of PHI. Emancipation means minors are legal adults and may therefore make their own treatment and PHI access decisions. “Emancipation trumps all,” Rostolsky says. There’s also a de facto emancipation that doesn’t require any piece of paper from the court: childbirth, he says. State law usually dictates that when a minor has a baby, she controls her own records, Rostolsky says. “And it extends to the minor’s control over her own children.”

Marriage may also have the same effect. In many states, Rostolsky says, when minors marry, their parents lose the right to access their medical records without authorization. “If you get married, you’re automatically deemed emancipated,” he says.

Tips for Minimizing Problems With Minors

(1) Don’t rush to produce PHI for parents of minors given what’s at stake, Ruelas says. HIPAA allows some time to review and assemble medical records. “If mom or dad is foaming at the mouth, I say ‘Relax. There is a process that requires five to 10 working days’” under HIPAA, he says. Hospitals have to ensure they redact PHI pertaining to STDs, pregnancy, substance abuse, HIV and mental health if the minors are old enough to control access, unless the parents have an authorization. “If the child doesn’t want the mom or dad to get the medical records, they probably have a good reason, and we have to respect that,” Ruelas says.

(2) Hospitals should ask minors up front (at registration) whether it’s all right for the hospital to release their medical records to their parents, Ruelas says. If this is recorded on a computer, make sure you also get it in writing. But it requires audits to ensure that the minor’s wishes are being respected. Registration clerks may hear “no” but mistakenly type in “yes.” Ruelas did monthly audits, comparing what was typed in the computer (yes or no to releasing PHI to parents) against the signed authorization on file. The accuracy rate was above 95% at Maryvale Hospital, so Ruelas has dropped to quarterly audits. He also confirmed that there were no improper disclosures to parents of PHI in the sensitive areas where minors control access.

(3) Make sure minors’ PHI is segregated from the rest of the medical record if it relates to pregnancy, substance abuse, STDs and other areas where they control access, Rostolsky says. However, if the mom consented to the minor’s treatment, “she gets access to the medical records” unless otherwise specified by state law, he says.

(4) Always make sure the designated records-release person — probably in the health information management (HIM) department — handles medical records requests, says Greg Young, privacy and information security officer at Mammoth Hospital in California. He dealt with an incident in which a Mammoth Clinic front-desk person, at the request of a mother, made a copy of her 16-year-old child’s medical records. The mom should have been directed to the HIM department, but the front-desk person was trying to be courteous and helpful and assumed the parent was entitled to it, Young says. “There was a confidential conversation between the child and the doctor and the notes were in the chart. When the copy of the medical records was given to the parent, the parent saw it,” he says. This was a “rare event” at Mammoth, he adds. But it underscores the importance of driving home to employees that there should be no exceptions when it comes to the records-release policy, which requires requestors to fill out forms so their requests for PHI can be properly reviewed, Young notes.

Advertise With AIS

Privacy

Site Map