OCR Letter: Parents Must Have Access to Minors’ Non-Confidential PHI in Patient Portals

On December 3, 2025, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing parental access to protected health information (PHI) of minors under the HIPAA Privacy Rule.  For the first time, OCR explicitly asserts that parents must have access to all portions of a minor’s record through the patient portal that are not protected by state confidentiality laws (e.g., laws that permit a minor to consent to care without parental involvement).  Further, OCR identifies parental access as an enforcement priority.

OCR issued the Dear Colleague letter after investigating a complaint that a Midwestern school vaccinated a child without parental consent despite a valid religious exemption. HHS used the incident to reinforce that parents must have access to their children’s PHI and that providers must comply with parental-access laws.

HIPAA Generally Supports Parental Access to PHI With Exceptions

Under HIPAA’s Privacy Rule, a parent or guardian is typically treated as the minor’s “personal representative,” which allows the parent to access the minor’s PHI unless an exception applies.

A parent is not entitled to a minor’s records when:

  1. The minor is allowed by law to consent to the healthcare service on their own, and no one else’s consent is legally required. Even if a parent also signs off, the minor is still the one legally in charge unless the minor asks for the parent to be treated as their representative;
  2. The minor can legally get the healthcare service without a parent’s permission, and someone with legal authority (the minor, a court, or another authorized person) provides the needed consent; or
  3. The parent agrees that the provider and the minor can have a confidential relationship for that specific healthcare service.

Generally, relevant state laws control whether parental access must be granted, limited, or denied. In other words, with respect to parental access, HIPAA defers to state law.  Services provided under one of these exceptions are referred to as “confidential services.”

Restricted Portal Access May Now Implicate the Right of Access

Many practices have chosen to restrict parent access to patient portals in EHRs for adolescent patients to avoid disclosing records that may involve confidential services.  Prior to this week, OCR had not called into question that common practice, which is designed to protect minors.

With the new OCR letter, providers should be aware that a parent complaint regarding lack of access to their child’s non-confidential records through the patient portal could trigger a Right of Access review.  And because OCR has made this a new enforcement priority, such complaints are likely to attract attention.

In relevant part, the Dear Colleague letter states that:

With respect to electronic access to PHI, covered entities should work with any business associates involved in facilitating such access . . . to ensure that parents who are their children’s personal representatives have electronic access to their children’s PHI to the full extent required by the Privacy Rule. This includes establishing electronic access configurations to allow parents access to their children’s PHI in accordance with the Privacy Rule. For example, if the default configurations of electronic information systems that maintain a child’s PHI result in the improper denial of a parent’s right, as the child’s personal representative, to timely access the information, the covered entity should modify, or work with their business associate (if applicable) to modify, the default configurations to allow such access as required by the Privacy Rule. A covered entity that denies such access may be in violation of the Privacy Rule.

As is sometimes the case, OCR’s expectation may outpace the practical realities of many EHR systems. Many providers restrict parental access to all pre-teen and teen records precisely because separating confidential services information is difficult, or even impossible, within their current systems.

Practical Recommendation for Providers

Consider adopting the following approaches if your organization broadly limits parental access to a minor’s records based on age:

  • To reduce the chances that a parent will complain to OCR about the lack of access through the portal, provide the requesting parent with all of the non-confidential information they request regarding their child as quickly as possible (ideally, prioritize all parent requests generally, because parents cannot obtain the records through the portal);
  • Consider granting parents full EHR portal access and implementing a process to keep information related to confidential visits inaccessible.  We realize that this is easier said than done.
    • If the EHR can maintain “psychotherapy notes” as defined under HIPAA, consider using that feature to store confidential services information, but implement a system to ensure that other clinicians can access such information for treatment purposes, since properly maintained psychotherapy notes are generally not available to other clinicians.
    • If not, work with your EHR vendor to create a visit type or other label that can be used to exclude those records from the EHR.  Testing and training are crucial, as inappropriate parental access to confidential services information could be incredibly damaging to the minor.

Bottom Line

OCR’s new interpretation places providers in a difficult position: while HIPAA continues to protect minors’ confidential services where state law allows it, OCR now expects providers to configure patient portals so that parents have electronic access to all non-confidential information.  And it is making this issue an enforcement priority.  For many organizations, this will require operational changes that their EHR systems are not currently equipped to handle.

Providers should begin evaluating their portal access practices, state law requirements, and technical capabilities. In the meantime, ensuring prompt parental access to non-confidential records will be essential to mitigating compliance risk and protecting the adolescents who rely on these privacy protections.