Skip to main content

Unpacking HHS’s Announcement on Parental Consent, HIPAA, and Access to Medical Records

Categories
Health Information & Records, Public Health

Published: 12/10/25

Author:

On December 3, 2025, the Office of Civil Rights (OCR) within the United States Department of Health and Human Services (HHS) issued a statement (hereinafter, the “announcement”) on the agency’s interest in protecting parental rights when it comes to medical decision-making and accessing health records for their children. The announcement references a “Dear Colleague” letter that HHS published the same day about application and enforcement of the HIPAA Privacy Rule and compliance with applicable consent laws. HHS’s announcement and “Dear Colleague” letter did not change state or federal law but do provide important insight into how the agency interprets and intends to enforce existing law. This blog post unpacks the HHS announcement and “Dear Colleague” letter and explains what they mean for health and public health professionals.

HHS’s announcement has three components: (1) discussion of an investigation into an alleged violation of a state’s immunization law; (2) reiteration of existing HIPAA Privacy Rule requirements regarding access to medical records; and (3) notice of the agency’s plan to heighten enforcement around compliance with state and federal consent laws by entities that receive funds from HHS’s Health Resources and Services Administration (HRSA). Let’s review these components one at a time.

1. HHS’s Investigation into Alleged Violation of a State’s Immunization Law

In its announcement, HHS disclosed that the agency has launched an investigation into a Midwestern school that allegedly vaccinated a child without consent and in contradiction of a religious exemption that the child’s parents had submitted under state law. The announcement did not identify the school, state, or type of vaccine involved, but did note that the vaccine at issue was provided through the Vaccines for Children Program (VFC). The VFC provides access to childhood vaccines for families who might not otherwise be able to afford the cost of immunizing their children.

As HHS explained in its announcement, participation in the VFC program is contingent upon compliance with state laws that govern religious and other vaccine exemptions. Although HHS does not enforce state law, it can enforce compliance with VFC program requirements. At this time, it appears that HHS is still in the process of conducting its investigation and a determination has not yet been made about whether any state law and/or VFC policy was violated.

2. Reiteration of Existing HIPAA Requirements Regarding Access to Medical Records

HHS’s announcement references a “Dear Colleague” letter that was also issued by the agency on December 3, 2025. Federal agencies often use “Dear Colleague” letters to notify the public of an agency’s interpretation of the law. “Dear Colleague” letters therefore provide valuable insight into how a federal agency might approach its enforcement activities. It is important to note, however, that “Dear Colleague” letters cannot change existing state or federal laws.

In its December 3, 2025 “Dear Colleague” letter, HHS reminds covered entities and business associates of their obligations under the HIPAA Privacy Rule to ensure that an individual or that individual’s personal representative can access the individual’s protected health information (PHI) in accordance with the HIPAA regulations. In many instances, a child’s parent will be the child’s personal representative and hold the right of access to the child’s PHI. As the “Dear Colleague” letter explains, there are at least four scenarios in which a parent should not be treated as the child’s personal representative under HIPAA (see page two of the “Dear Colleague” letter for more information).

In this blog post, I want to focus on just one of the four scenarios identified by HHS in its letter and involving consent to health services by the minor (rather than a parent). Under 45 C.F.R. 164.502(g)(3)(A)(i), a parent is not the minor’s personal representative when the minor is accessing a health service on their own consent as permitted by law. North Carolina’s minor’s consent law (G.S. 90-21.5) allows minors with decisional capacity to give consent for and access limited types of care described in the statute. The concurrent consent of a parent, or other adult figure, is not required. What does this mean under the HIPAA provision referenced above? It means that a minor who consents to their own health care in accordance with North Carolina’s minor’s consent law is the party that gets to exercise the powers related to use and disclosure of the PHI that is related to the specific health service that the minor accessed on their own consent. Another state law, G.S. 90-21.4(b), also prohibits disclosure of information related to a minor’s consent encounter to a minor’s parent or parent-like figure, with limited exceptions.

On the ground, implementation of these privacy laws can create some practical challenges. Providers who serve young people may find themselves with two types of records filed under a minor patient’s name: first, records related to care that the minor has received pursuant to their parent’s consent (e.g., care for a broken arm) and second, records related to any care that the minor has received on their own consent (which in North Carolina is limited to the types of services described in G.S. 90-21.5). For the first set of records, the parent is the minor’s “personal representative” under HIPAA and is therefore generally entitled to access the PHI in those records. The PHI in the second set of records- which pertain to care accessed on the minor’s own consent- should not be released to the minor’s parent without the minor’s permission.

Providers who practiced in the days before electronic medical record (EMR) systems became popular have told me that in the past, when they were faced with these two types of records for one minor patient, they might print a minor’s health records on two different colors of paper to distinguish between the records related to minor’s consent encounters and records related to care for which a parent gave consent. Today, advances in technology have enabled many providers to use EMR systems to maintain patient records. Unfortunately, some EMR systems do not include features that allow providers to easily segregate minor’s consent records and to prevent unauthorized access to those records by parents through, for example, a web-based patient portal.

In light of these technical limitations, some providers have taken a “flip the switch” approach to enabling access to a young person’s health information. What is the “flip the switch” approach? Here, a provider might adopt the practice of turning over access and control of a minor patient’s web-based patient portal over to the minor as soon as they turn a certain age (e.g., thirteen years old). This “flipping of the switch” is most often seen with web-based patient portals, which is how many people access their health information nowadays. When the “switch is flipped,” the parent loses access to the minor’s patient portal (unless the minor shares their credentials or otherwise allows the parent to view the portal).

This “flip the switch” approach is problematic and is flagged by HHS in its “Dear Colleague” letter as a potential violation of HIPAA. Specifically, this approach may be in tension with the HIPAA Privacy Rule’s requirements around the authority of an individual’s personal representative to access certain health records because it restricts parental access to a young person’s health records at a certain age, regardless of the content of those records. Protecting minor’s consent records from unauthorized disclosure to a young person’s parent is appropriate and required by both state law and HIPAA; however, blocking a parent’s access to their child’s other records may violate the parent’s right to access records related to health care for which the parent must be treated as the minor’s personal representative under HIPAA.

HHS’s “Dear Colleague” letter focuses on the authority of parents to access certain health records when the parent is the child’s personal representative under the HIPAA regulations.  It is worth noting, though, that the reverse of the approach I described above- that is, defaulting to parent-only access to a minor’s records and not enabling the young person’s access to records related to a minor’s consent encounter- would likely also run afoul of HIPAA. Here, the approach to privacy and record access wrongfully denies the minor of required access to records containing PHI related to health services that the minor lawfully accessed on the minor’s own consent.

Implementation of the HIPAA Privacy Rule as it relates to minor’s consent can be complex and may be further complicated by the lack of easy or built-in technical solutions within the EMR systems that so many providers use. Nevertheless, HHS has made it clear in its recent announcement and “Dear Colleague” letter that HIPAA compliance and ensuring appropriate parental access to children’s health records are agency priorities. The closing sentence in the HHS “Dear Colleague” letter reads: “OCR is making parental access to children’s medical records an enforcement priority and will use all civil remedies available, including civil money penalties, to ensure compliance with this Privacy Rule requirement.” HIPAA covered entities might consider taking this opportunity to review their policies and practices related to minors’ and parents’ access to PHI and consult with their EMR vendors, as necessary, about potential technical solutions to ensure they are following the law.

3. Notice of HHS’s Increased Focus on Compliance with Consent Laws for HRSA-Funded Entities

The last item addressed in HHS’s announcement and “Dear Colleague” letter was the agency’s expectation that entities receiving HRSA funding will comply with applicable state and federal laws that govern consent to care for minors. As with the other two components of HHS’s announcement, this third component does not trigger any change to state or federal law; instead, it highlights HHS’s interpretation of existing law and the agency’s enforcement priorities. The laws that govern consent to care for minors are typically found at the state, rather than federal, level. In North Carolina, most of our consent to care laws are found in G.S. Chapter 90, with a few exceptions. The state laws governing consent to care for minors are summarized in this chart that I developed in 2023 following the enactment of the Parents’ Bill of Rights.

It is common practice for federal grant terms to require that recipients comply with applicable state and federal law as a condition of the funding. In its announcement and “Dear Colleague” letter, HHS explained that the agency will be sending out additional information that more specifically asserts the agency’s expectation that recipients of HRSA funding comply with applicable state and federal laws governing consent to care for minors. Across North Carolina, HRSA dollars help support numerous programs that provide health care to people who are geographically isolated and economically or medically vulnerable. Recipients of these funds include many community health centers and as well as local health departments, among others. Although these organizations are not subject to any new legal requirements as a result of HHS’s recent announcement and “Dear Colleague” letter, they may be under increased scrutiny related to their adherence to the laws that determine who may be authorized to consent to health services for a minor.

Conclusion

As previously explained in this post, HHS’s announcement and “Dear Colleague” letter did not trigger or reflect a change in state or federal law. Instead, both documents serve as guidance about how HHS interprets and intends to enforce existing federal law and compliance with federal funding policy (which may require that funding recipients comply with their applicable state law, too).

Of particular importance is HHS’s forthcoming heightened focus on parental access to their child’s health records when such access is required under law, including the HIPAA Privacy Rule. Now is a good time for health professionals serving minors to review their policies around record access, particularly if they recognize their own organization’s practices in the description of the “flip the switch” approach to record access mentioned earlier in this post. Entities that must comply with HIPAA can consult their Privacy Officers and/or their attorneys for advice on ensuring compliance with state and federal law. North Carolina health and public health professionals are also always welcome to contact me for legal technical assistance on questions about HIPAA and our state laws governing consent to care for minor patients.

Health Information & Records

Final Update on the 2024 HIPAA Final Rule Regarding Reproductive Health

Author:
09/12/25
Child Welfare

Medical Appointments, Consents, and Children in DSS Custody

Author: and
04/15/24
Public Health

New SOG Bulletin: Consent to Care for Minor Patients: An Update on the Legal Landscape After S.L. 2023-106, Part III

Author:
01/10/24

Coates’ Canons NC Local Government Law

Unpacking HHS’s Announcement on Parental Consent, HIPAA, and Access to Medical Records

Published: 12/10/25

Author:

On December 3, 2025, the Office of Civil Rights (OCR) within the United States Department of Health and Human Services (HHS) issued a statement (hereinafter, the “announcement”) on the agency’s interest in protecting parental rights when it comes to medical decision-making and accessing health records for their children. The announcement references a “Dear Colleague” letter that HHS published the same day about application and enforcement of the HIPAA Privacy Rule and compliance with applicable consent laws. HHS’s announcement and “Dear Colleague” letter did not change state or federal law but do provide important insight into how the agency interprets and intends to enforce existing law. This blog post unpacks the HHS announcement and “Dear Colleague” letter and explains what they mean for health and public health professionals.

HHS’s announcement has three components: (1) discussion of an investigation into an alleged violation of a state’s immunization law; (2) reiteration of existing HIPAA Privacy Rule requirements regarding access to medical records; and (3) notice of the agency’s plan to heighten enforcement around compliance with state and federal consent laws by entities that receive funds from HHS’s Health Resources and Services Administration (HRSA). Let’s review these components one at a time.

1. HHS’s Investigation into Alleged Violation of a State’s Immunization Law

In its announcement, HHS disclosed that the agency has launched an investigation into a Midwestern school that allegedly vaccinated a child without consent and in contradiction of a religious exemption that the child’s parents had submitted under state law. The announcement did not identify the school, state, or type of vaccine involved, but did note that the vaccine at issue was provided through the Vaccines for Children Program (VFC). The VFC provides access to childhood vaccines for families who might not otherwise be able to afford the cost of immunizing their children.

As HHS explained in its announcement, participation in the VFC program is contingent upon compliance with state laws that govern religious and other vaccine exemptions. Although HHS does not enforce state law, it can enforce compliance with VFC program requirements. At this time, it appears that HHS is still in the process of conducting its investigation and a determination has not yet been made about whether any state law and/or VFC policy was violated.

2. Reiteration of Existing HIPAA Requirements Regarding Access to Medical Records

HHS’s announcement references a “Dear Colleague” letter that was also issued by the agency on December 3, 2025. Federal agencies often use “Dear Colleague” letters to notify the public of an agency’s interpretation of the law. “Dear Colleague” letters therefore provide valuable insight into how a federal agency might approach its enforcement activities. It is important to note, however, that “Dear Colleague” letters cannot change existing state or federal laws.

In its December 3, 2025 “Dear Colleague” letter, HHS reminds covered entities and business associates of their obligations under the HIPAA Privacy Rule to ensure that an individual or that individual’s personal representative can access the individual’s protected health information (PHI) in accordance with the HIPAA regulations. In many instances, a child’s parent will be the child’s personal representative and hold the right of access to the child’s PHI. As the “Dear Colleague” letter explains, there are at least four scenarios in which a parent should not be treated as the child’s personal representative under HIPAA (see page two of the “Dear Colleague” letter for more information).

In this blog post, I want to focus on just one of the four scenarios identified by HHS in its letter and involving consent to health services by the minor (rather than a parent). Under 45 C.F.R. 164.502(g)(3)(A)(i), a parent is not the minor’s personal representative when the minor is accessing a health service on their own consent as permitted by law. North Carolina’s minor’s consent law (G.S. 90-21.5) allows minors with decisional capacity to give consent for and access limited types of care described in the statute. The concurrent consent of a parent, or other adult figure, is not required. What does this mean under the HIPAA provision referenced above? It means that a minor who consents to their own health care in accordance with North Carolina’s minor’s consent law is the party that gets to exercise the powers related to use and disclosure of the PHI that is related to the specific health service that the minor accessed on their own consent. Another state law, G.S. 90-21.4(b), also prohibits disclosure of information related to a minor’s consent encounter to a minor’s parent or parent-like figure, with limited exceptions.

On the ground, implementation of these privacy laws can create some practical challenges. Providers who serve young people may find themselves with two types of records filed under a minor patient’s name: first, records related to care that the minor has received pursuant to their parent’s consent (e.g., care for a broken arm) and second, records related to any care that the minor has received on their own consent (which in North Carolina is limited to the types of services described in G.S. 90-21.5). For the first set of records, the parent is the minor’s “personal representative” under HIPAA and is therefore generally entitled to access the PHI in those records. The PHI in the second set of records- which pertain to care accessed on the minor’s own consent- should not be released to the minor’s parent without the minor’s permission.

Providers who practiced in the days before electronic medical record (EMR) systems became popular have told me that in the past, when they were faced with these two types of records for one minor patient, they might print a minor’s health records on two different colors of paper to distinguish between the records related to minor’s consent encounters and records related to care for which a parent gave consent. Today, advances in technology have enabled many providers to use EMR systems to maintain patient records. Unfortunately, some EMR systems do not include features that allow providers to easily segregate minor’s consent records and to prevent unauthorized access to those records by parents through, for example, a web-based patient portal.

In light of these technical limitations, some providers have taken a “flip the switch” approach to enabling access to a young person’s health information. What is the “flip the switch” approach? Here, a provider might adopt the practice of turning over access and control of a minor patient’s web-based patient portal over to the minor as soon as they turn a certain age (e.g., thirteen years old). This “flipping of the switch” is most often seen with web-based patient portals, which is how many people access their health information nowadays. When the “switch is flipped,” the parent loses access to the minor’s patient portal (unless the minor shares their credentials or otherwise allows the parent to view the portal).

This “flip the switch” approach is problematic and is flagged by HHS in its “Dear Colleague” letter as a potential violation of HIPAA. Specifically, this approach may be in tension with the HIPAA Privacy Rule’s requirements around the authority of an individual’s personal representative to access certain health records because it restricts parental access to a young person’s health records at a certain age, regardless of the content of those records. Protecting minor’s consent records from unauthorized disclosure to a young person’s parent is appropriate and required by both state law and HIPAA; however, blocking a parent’s access to their child’s other records may violate the parent’s right to access records related to health care for which the parent must be treated as the minor’s personal representative under HIPAA.

HHS’s “Dear Colleague” letter focuses on the authority of parents to access certain health records when the parent is the child’s personal representative under the HIPAA regulations.  It is worth noting, though, that the reverse of the approach I described above- that is, defaulting to parent-only access to a minor’s records and not enabling the young person’s access to records related to a minor’s consent encounter- would likely also run afoul of HIPAA. Here, the approach to privacy and record access wrongfully denies the minor of required access to records containing PHI related to health services that the minor lawfully accessed on the minor’s own consent.

Implementation of the HIPAA Privacy Rule as it relates to minor’s consent can be complex and may be further complicated by the lack of easy or built-in technical solutions within the EMR systems that so many providers use. Nevertheless, HHS has made it clear in its recent announcement and “Dear Colleague” letter that HIPAA compliance and ensuring appropriate parental access to children’s health records are agency priorities. The closing sentence in the HHS “Dear Colleague” letter reads: “OCR is making parental access to children’s medical records an enforcement priority and will use all civil remedies available, including civil money penalties, to ensure compliance with this Privacy Rule requirement.” HIPAA covered entities might consider taking this opportunity to review their policies and practices related to minors’ and parents’ access to PHI and consult with their EMR vendors, as necessary, about potential technical solutions to ensure they are following the law.

3. Notice of HHS’s Increased Focus on Compliance with Consent Laws for HRSA-Funded Entities

The last item addressed in HHS’s announcement and “Dear Colleague” letter was the agency’s expectation that entities receiving HRSA funding will comply with applicable state and federal laws that govern consent to care for minors. As with the other two components of HHS’s announcement, this third component does not trigger any change to state or federal law; instead, it highlights HHS’s interpretation of existing law and the agency’s enforcement priorities. The laws that govern consent to care for minors are typically found at the state, rather than federal, level. In North Carolina, most of our consent to care laws are found in G.S. Chapter 90, with a few exceptions. The state laws governing consent to care for minors are summarized in this chart that I developed in 2023 following the enactment of the Parents’ Bill of Rights.

It is common practice for federal grant terms to require that recipients comply with applicable state and federal law as a condition of the funding. In its announcement and “Dear Colleague” letter, HHS explained that the agency will be sending out additional information that more specifically asserts the agency’s expectation that recipients of HRSA funding comply with applicable state and federal laws governing consent to care for minors. Across North Carolina, HRSA dollars help support numerous programs that provide health care to people who are geographically isolated and economically or medically vulnerable. Recipients of these funds include many community health centers and as well as local health departments, among others. Although these organizations are not subject to any new legal requirements as a result of HHS’s recent announcement and “Dear Colleague” letter, they may be under increased scrutiny related to their adherence to the laws that determine who may be authorized to consent to health services for a minor.

Conclusion

As previously explained in this post, HHS’s announcement and “Dear Colleague” letter did not trigger or reflect a change in state or federal law. Instead, both documents serve as guidance about how HHS interprets and intends to enforce existing federal law and compliance with federal funding policy (which may require that funding recipients comply with their applicable state law, too).

Of particular importance is HHS’s forthcoming heightened focus on parental access to their child’s health records when such access is required under law, including the HIPAA Privacy Rule. Now is a good time for health professionals serving minors to review their policies around record access, particularly if they recognize their own organization’s practices in the description of the “flip the switch” approach to record access mentioned earlier in this post. Entities that must comply with HIPAA can consult their Privacy Officers and/or their attorneys for advice on ensuring compliance with state and federal law. North Carolina health and public health professionals are also always welcome to contact me for legal technical assistance on questions about HIPAA and our state laws governing consent to care for minor patients.

This blog post is published and posted online by the School of Government for educational purposes. For more information, visit the School’s website at www.sog.unc.edu.

Coates Canons
© 2009 to present. School of Government at the University of North Carolina at Chapel Hill.
All rights reserved.