45 CFR 164.502(g) (Download a copy in PDF)
The HIPAA Privacy Rule establishes a foundation of Federally-protected rights which permit individuals to control certain uses and disclosures of their protected health information. Along with these rights, the Privacy Rule provides individuals with the ability to access and amend this information, and the right to an accounting of certain disclosures. The Department recognizes that there may be times when individuals are legally or otherwise incapable of exercising their rights, or simply choose to designate another to act on their behalf with respect to these rights. Under the Rule, a person authorized (under State or other applicable law, e.g., tribal or military law) to act on behalf of the individual in making health care related decisions is the individual’s “personal representative.” Section 164.502(g) provides when, and to what extent, the personal representative must be treated as the individual for purposes of the Rule. In addition to these formal designations of a personal representative, the Rule at 45 CFR 164.510(b) addresses situations in which persons are involved in the individual’s health care but are not expressly authorized to act on the individual’s behalf.
How the Rule Works General Provisions
Except as otherwise provided in 45 CFR 164.502(g), the Privacy Rule requires covered entities to treat an individual’s personal representative as the individual with respect to uses and disclosures of the individual’s protected health information, as well as the individual’s rights under the Rule. The personal representative stands in the shoes of the individual and has the ability to act for the individual and exercise the individual’s rights. For instance, covered entities must provide the individual’s personal representative with an accounting of disclosures in accordance with 45 CFR 164.528, as well as provide the personal representative access to the individual’s protected health information in accordance with 45 CFR 164.524 to the extent such information is relevant to such representation. In addition to exercising the individual’s rights under the Rule, a personal representative may also authorize disclosures of the individual’s protected health information. In general, the scope of the personal representative’s authority to act for the individual under the Privacy Rule derives from his or her authority under applicable law to make health care decisions for the individual. Where the person has broad authority to act on the behalf of a living individual in making decisions related to health care, such as a parent with respect to a minor child or a legal guardian of a mentally incompetent adult, the covered entity must treat the personal representative as the individual for all purposes under the Rule, unless an exception applies. (See below with respect to abuse, neglect or endangerment situations, and the application of State law in the context of parents and minors). Where the authority to act for the individual is limited or specific to particular health care decisions, the personal representative is to be treated as the individual only with respect to protected health information that is relevant to the representation. For example, a person with an individual’s limited health care power of attorney regarding only a specific treatment, such as use of artificial life support, is that individual’s personal representative only with respect to protected health information that relates to that health care decision. The covered entity should not treat that person as the individual for other purposes, such as to sign an authorization for the disclosure of protected health information for marketing purposes. Finally, where the person has authority to act on the behalf of a deceased individual or his estate, which does not have to include the authority to make decisions related to health care, the covered entity must treat the personal representative as the individual for all purposes under the Rule. State or other law should be consulted to determine the authority of the personal representative to receive or access the individual’s protected health information.
Who Must Be Recognized as the Individual’s Personal Representative
The following displays who must be recognized as the personal representative for a category of individuals:
If the Individual Is: An Adult or An Emancipated Minor
The Personal Representative Is: A person with legal authority to make health care decisions on behalf of the individual
Examples: Health care power of attorney Court appointed legal guardian General power of attorney
If the Individual Is: An Unemancipated Minor
The Personal Representative Is: A parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor child
Exceptions: See parents and minors discussion below.
If the Individual Is: Deceased
The Personal Representative Is: A person with legal authority to act on behalf of the decedent or the estate (not restricted to health care decisions)
Examples: Executor of the estate Next of kin or other family member Durable power of attorney
Parents and Unemancipated Minors
The Privacy Rule defers to State or other applicable laws that address the ability of a parent, guardian, or other person acting in loco parentis (collectively, “parent”) to obtain health information about a minor child. In most cases under the Rule, the parent is the personal representative of the minor child and can exercise the minor’s rights with respect to protected health information, because the parent usually has the authority to make health care decisions about his or her minor child. Regardless of whether a parent is the personal representative, the Privacy Rule permits a covered entity to disclose to a parent, or provide the parent with access to, a minor child’s protected health information when and to the extent it is expressly permitted or required by State or other laws (including relevant case law). Likewise, the Privacy Rule prohibits a covered entity from disclosing a minor child’s protected health information to a parent, or providing a parent with access to, such information when and to the extent it is expressly prohibited under State or other laws (including relevant case law). Thus, State and other applicable law governs when such law explicitly requires, permits, or prohibits the disclosure of, or access to, the health information about a minor child. The Privacy Rule specifies three circumstances in which the parent is not the “personal representative” with respect to certain health information about his or her minor child. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other laws, or standards of professional practice. In these situations, the parent does not control the minor’s health care decisions, and thus under the Rule, does not control the protected health information related to that care. The three exceptional circumstances when a parent is not the minor’s personal representative are:
- When State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service; Example: A State law provides an adolescent the right to obtain mental health treatment without the consent of his or her parent, and the adolescent consents to such treatment without the parent’s consent.
- When a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor; Example: A court may grant authority to make health care decisions for the minor to an adult other than the parent, to the minor, or the court
- When a parent agrees to a confidential relationship between the minor and the physician. Example: A physician asks the parent of a 16-year-old if the physician can talk with the child confidentially about a medical condition and the parent agrees.
Even in these exceptional circumstances, where the parent is not the “personal representative” of the minor, the Privacy Rule defers to State or other laws that require, permit, or prohibit the covered entity to disclose to a parent, or provide the parent access to, a minor child’s protected health information. Further, in these situations, if State or other law is silent or unclear concerning parental access to the minor’s protected health information, a covered entity has discretion to provide or deny a parent with access to the minor’s health information, if doing so is consistent with State or other applicable law, and provided the decision is made by a licensed health care professional in the exercise of professional judgment.
Abuse, Neglect, and Endangerment Situations
When a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual. For example, if a physician reasonably believes that disclosing information about an incompetent elderly individual to the individual’s personal representative would endanger that individual, the Privacy Rule permits the physician to decline to make such disclosure.
Please review the Frequently Asked Questions about the Privacy Rule.
OCR HIPAA Privacy December 3, 2002 Revised April 3, 2003
Back to Top