HIPAA Resources

PHI Disclosures for Minors Following a Divorce

Question

Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following question in our Bite-Size HIPAA® Q&A inbox. The writer says:

“I have some questions about who is entitled to receive the dental records of minor patients when there is a divorce. Do they need to have legal custody of the minor to get records, and is there a percent of custody threshold? Is the right to the records in any way tied to which parent is providing the dental insurance coverage or paying the bill?”

Is It PHI?

This is definitely a common question I hear, so thanks for sending it in. Let’s see what the HIPAA law has to say about disclosing a minor’s records to parents and step-parents after a divorce. Our first step is always to ask if the information requested is considered protected health information? Here, the answer is clearly yes. The patients’ name along with any details regarding an appointment or treatment are indeed considered PHI, so HIPAA is applicable.

Three Exceptions

Next, we need to figure out when HIPAA allows the disclosure. Remember our basic rule is that you cannot disclose PHI without patient authorization, unless there is a specific permitted disclosure rule that applies. The permitted disclosure that applies to this question is the rule for disclosures to the patient: this rule states that you are allowed, and in most cases required, to disclose a patient’s PHI to them or to their personal representative whenever they request it. So then, the question we really need to answer here is how does HIPAA define a personal representative?

The HIPAA Law

In section 164.502(g), the HIPAA law states a personal representative is anyone who has the legal authority to act on behalf of an individual in making health care decisions, and providers are required to treat a personal representative as if they were the patient when it comes to HIPAA access rights and consents. So, the key thing to check and document is whether the person asking for information has the legal authority to make healthcare decisions for the patient. You should request the legal document granting the right and place a copy in the patient’s chart. For divorced parents, this would be a copy of the divorce decree or custody agreement, and you want to see who has legal custody of the child, which may be different than who has physical custody.

If the parents have joint legal custody, then they are each a personal representative and have full rights to the information. Additionally, they each would have the right to consent to further disclosure to other parties, so one parent could give consent to disclose PHI to their new spouse (the child’s step-parent) and the other parent could not block the disclosure. Just be sure to document these consents clearly in the chart in case one parent complains about you sharing information with somebody the other parent authorized you to share it with.

The second part of the question asked if the right to access information was in any way tied to which parent is providing the dental insurance coverage or paying the bill. The answer to this is mostly “no”. There are some other permitted disclosure rules that could give you some leeway to release PHI to a family member who is paying the bill, but this disclosure would be limited to only the information directly related to the payment. We go into this in more detail in our PHI permitted disclosures section in Bite-Size HIPAA®.

Summary

To summarize - you are required to treat a patient’s personal representative as if they were the patient when it comes to HIPAA access rights and consents. HIPAA defines a personal representative as anyone who has the legal authority to make healthcare decisions for a patient. For divorced parents, look to the divorce decree to determine who has legal custody and record this information in the patient’s chart.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.

Todd Baker

Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.

Content Tags

HIPAA education, compliance, and accountability created specifically for dental practices.

If you haven’t made HIPAA a priority yet, start today. Give us a little bit of your time and we’ll teach you about the HIPAA law, why it exists, and how ‐if done right ‐you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.