HRSA’s updated Notice of Award terms put fresh emphasis on something health centers have always had to get right: parental consent and access rules for minors’ care, as defined by applicable state and federal law. In a December 3, 2025 memo, HHS and the Office of Civil Rights reiterated that, under HIPAA, parents are generally a minor child’s “personal representative,” which usually gives them the right to access the child’s medical records and PHI—and OCR has signaled it is seeing providers restrict parental access more than HIPAA requires. At the same time, long-standing HIPAA exceptions still apply when state law allows a minor to consent to certain services, when a court orders it, or when a parent agrees to a confidentiality arrangement. The practical takeaway for HRSA-supported health centers isn’t to abandon minor consent processes, but to ensure record-access and patient portal workflows mirror the legal consent rules: parents should typically have access to non-confidential portions of the record, while minor-consent services may require limiting parental access to those specific services.

During the Health Center Operational Site Visit (OSV) process, there are a number of patient record samples that are requested by the HRSA review team. These requests for documentation cover chapters 4, 7, 8, and 10 in the HRSA Site Visit Protocol. This is a part of the preparation process that can take a great deal of time and it's important to understand what the HRSA reviewers are looking for.

In April of 2024, The Department of Health and Human Services (HHS) issued a Final Rule modifying the Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH Act). The final rule was effective June 25, 2024, and health centers must be in compliance after December 23, 2024.

This new rule has raised questions with community health centers as to how it applies to Federally Qualified Health Centers (FQHCs) and their privacy practices.