Q&A: Discussing the care of non-dependent adult children with parents

Q: A patient recently told me she was surprised to learn from another physician at our facility that her adult child had been prescribed a particular medication for high cholesterol. Her child does not have any special needs and is not a dependent adult under her care. Is it a HIPAA violation for a provider to discuss the care of adult children with their parents? Would it be a violation if the child was a dependent adult?

A: It is a violation of HIPAA and a breach of unsecure PHI unless the patient has at least verbally stated he or she does not object to such a disclosure or the patient has signed an authorization permitting the physician to share the patient’s health information with the parent—or if such permission is implied, such as if an adult patient is accompanied to the exam room by a parent.

If an authorization was not signed by the patient or if an oral statement that the patient does not object to such disclosures was not given, the practice or hospital in this case should complete the four-factor risk assessment in accordance with the HIPAA Breach Notification Rule. Given the information was provided to the adult patient’s mother, it is likely that the disclosure would be considered a compromise of the patient’s PHI. That means the patient and OCR will likely need to be notified of the breach.

After a patient reaches the age of majority, providers can’t generally pass such information along to the adult child’s parents, with some exceptions. If, in the provider’s professional opinion, it’s necessary to communicate health information to a family member, there would need to be some justification, such as concern for the patient’s safety. However, a patient being prescribed high cholesterol medication is unlikely to fall into the category of an immediate threat that warrants family notification.

If a patient is deemed unable to make health decisions and a legal guardian is appointed to be involved in the patient’s care, the guardian becomes a personal representative of the patient. In such cases, HIPAA requires that covered entities treat the personal representative the same as the patient when it comes to accessing the patient’s health information. Covered entities should obtain a copy of the court order establishing the guardianship before disclosing any PHI to the guardian. The guardian could be another family member, a state agency, or someone else the court deems appropriate.

Editor’s note: This question was answered by Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.