The HIPAA Privacy Rule and Parental Access to Minor Children’s Medical Records

The Health Resources and Services Administration (HRSA) has updated its terms and conditions in the Notice of Award (NOA) and Notice of Look-Alike Designation documentation. There is now language outlining the new terms and conditions of the grant (or designation) acceptance:

“Before any minor receives medical, dental, behavioral health, or other services at a HRSA-supported health center, the health center must obtain consent from the parent or legal guardian in accordance with any applicable state or federal laws. This applies to all forms of care, including treatment, preventive services, and counseling. It also includes services related to sensitive topics such as sexual identity or reproductive health. State, federal, and local laws that govern parental consent and notification already apply, and health centers must follow them at all times as a condition of receiving Health Center Program funds.”

On December 3, 2025, the U.S. Department of Health & Human Services (HHS) and the Office of Civil Rights (OCR) released a memo, “Re: The HIPAA Privacy Rule and Parental Access to Minor Children’s Medical Records”.

HHS/OCR is reminding providers that, under HIPAA, parents are generally treated as a minor child’s “personal representative,” meaning parents usually have a right to access their child’s medical records and protected health information (PHI). OCR noted it has seen situations where parents are being blocked from access more than HIPAA requires, and it is signaling increased enforcement attention.

At the same time, HIPAA has long recognized important exceptions: when state law allows a minor to consent to certain care on their own (or when a court orders it, or when the parent agrees to a confidentiality arrangement), the parent may not be the personal representative for that specific care, and access can be limited for that subset of the record. State laws vary greatly in this area.

If you’re already obtaining consents on minor patients, the main new implication from HHS/OCR is not “stop doing that,” but “make sure your record-access and portal workflows match the legal consent rules.” Parents generally must be given access to non-confidential portions of a minor’s record, while state law minor-consent services (notably sexually-transmitted infections (STI), sexual identity care, counseling, and reproductive-health-related care) may justify limiting parental access for those specific services when the minor consents. It is important to review these updates with your health center’s legal counsel as well.

The information provided in this blog post is for general informational and educational purposes only and is not intended to be, and should not be construed as, legal advice. Although RegLantern LLC seeks to provide accurate and timely information regarding healthcare, legal, and confidentiality topics, laws and regulations vary by jurisdiction and may change over time, and the information in this post may not reflect the most current legal developments. RegLantern LLC expressly disclaims all liability with respect to actions taken or not taken based on the contents of this blog post. If you need legal advice regarding your specific situation, please consult your organization’s legal counsel or a qualified healthcare attorney.