45 CFR 164.502(g)
The HIPAA Privacy Rule establishes a foundation of Federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information. Along with these rights, the Privacy Rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures. The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which family members or other persons who are involved in the individual’s health care or payment for care may receive protected health information about the individual even if they are not expressly authorized to act on the individual’s behalf.
How the Rule Works
General Provisions. Subject to certain exceptions, the Privacy Rule at 45 CFR 164.502(g) requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule.
The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information.
In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as is usually the case with a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation. For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual with respect to protected health information relevant to such personal representation (e.g., an executor of an estate has the right to access all of the protected health information of the decedent relevant to these responsibilities).1 State or other law should be consulted to determine the authority of the personal representative to receive or access the individual’s protected health information.
Who Must Be Recognized as the Individual’s Personal Representative. The following chart displays who must be recognized as the personal representative for a category of individuals:
|If the Individual Is:||The Personal Representative Is:|
|An Adult or
An Emancipated Minor
A person with legal authority to make health care decisions on behalf of the individual
Examples: Health care power of attorney
Exceptions: See abuse, neglect, and endangerment situations discussion below.
|An Unemancipated Minor||
A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
Exceptions: See parents and unemancipated minors, and abuse, neglect and endangerment situations discussion below.
A person with legal authority to act on behalf of the decedent or the estate (not restricted to persons with authority to make health care decisions)
Examples:Executor or administrator of the estate
Parents and Unemancipated Minors. In most cases under the Rule, a parent, guardian, or other person acting in loco parentis (collectively, “parent”) is the personal representative of the minor child and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child.
However, the Privacy Rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:
- When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;
Example: A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.
- When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent;
Example: A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court may make the decision(s) itself.
- When a parent agrees to a confidential relationship between the minor and a health care provider.
Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.
Regardless, however, of whether a parent is the personal representative of a minor child, the Privacy Rule defers to State or other applicable laws that expressly address the ability of the parent to obtain health information about the minor child. In doing so, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to such information, when and to the extent it is prohibited under State or other laws (including relevant case law).
In cases in which State or other applicable law is silent concerning parental access to the minor’s protected health information, and a parent is not the personal representative of a minor child based on one of the exceptional circumstances described above, a covered entity has discretion to provide or deny a parent with access under 45 CFR 164.524 to the minor’s health information, if doing so is consistent with State or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.
Abuse, Neglect, and Endangerment Situations. When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse, or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that providing the personal representative of an incompetent elderly individual with access to the individual’s health information would endanger that individual, the Privacy Rule permits the physician to decline to provide such access.
1Note that the Privacy Rule does not apply to the health information of an individual who has been deceased for more than 50 years; thus, a personal representative need not authorize disclosures of the decedent’s health information nor does a personal representative have rights under the Privacy Rule with respect to such information.