HIPAA/CA: When information is subject to HIPAA and California law, HIPAA and California law say that parents generally have a right to inspect their minor child’s health and mental health records when the parents consented to the care.66 However, there are exceptions. A few such exceptions are listed here:
1. Minor Consent: Certain records, such as records related to services minors consented to or could have consented to, are not automatically available to parents.67 For example, records regarding pregnancy or birth control services provided to a minor cannot be disclosed to parents without the minor’s written authorization.68 Minor Consent Laws in Additional Resources lists the rules regarding parent ability to access minor consent related health records.
2. Court Order Limiting Access: There may be court orders in place that remove legal custody from a parent or limit the parent’s right to access their child’s health information.
3. Discretion of Provider to Withhold Information: Both HIPAA and California law give a health care professional discretion to withhold the child’s health record from the parent where the “health care provider determines that access to the patient records requested . . . would have a detrimental effect on the provider’s professional relationship with the minor patient or the minor’s physical safety or psychological well-being.”69
Depending on the types of services provided by a clinic or provider, it is important to consult legal counsel regarding other applicable laws and exceptions.
FERPA: When health information is part of an education record subject to FERPA, FERPA says that parents of a student under age 18 may access their child’s education record.70 “Parent” includes a parent, guardian or person acting in the role of parent.71 The only exception is if a court order explicitly limits a parent’s right to access the record. In California, each school district is required to have procedures in place to grant requests by parents to access student records. Schools must provide access to student records no later than five business days after the date of the request, not including some school breaks.72 If a school believes release of information may put a student at risk, then the school should contact school district legal counsel for advice before any release.
HIPAA/CA: Yes, in several cases when the information is subject to HIPAA and CMIA. A provider may share if a HIPAA/CA-compliant authorization is in place. (See Requirements for Release of Information Forms in Additional Resources.) In addition, both HIPAA and California law allow a health care provider to share a patient’s medical information with another health care provider “for purposes of diagnosis or treatment of the patient.”73 This exception allows, but does not require, disclosure. Other rules, such as ethical guidelines or clinic policy, may also limit a provider’s choice to use this exception. And, HIPAA limits providers from sharing psychotherapy notes without written client authorization.74
Under California law, “medical information” is defined as ““any individually identifiable information, in electronic or physical form, in possession of or derived from a provider of health care, health care service plan, pharmaceutical company, or contractor regarding a patient’s medical history, mental or physical condition, or treatment.”75
FERPA: Yes, if a FERPA-compliant authorization to release information is in place. (See Requirements for Release of Information Forms in Additional Resources.)
HIPAA/CMIA: Yes if a HIPAA/CA law-compliant authorization is in place.
FERPA: Yes in several situations. The provider can release if a FERPA-compliant release form is in place. In addition, an exception in FERPA allows school staff to share information with “school officials” in the same educational agency who have a “legitimate educational interest” in the information. The term “school official” includes school staff, such as teachers, counselors, principals, and school nurses. A school or district may define this term more broadly in its school policies so that it also includes outside consultants, contractors or volunteers to whom a school has outsourced a school function if certain conditions are met.76 The school official must have a “legitimate educational interest” in the information. This phrase has been defined to mean that the school official needs the information to perform his or her official duties.77 FERPA requires schools to include in their annual notices to parents a statement indicating whether the school has a policy of disclosing information from the education file to school officials, and, if so, which parties are considered school officials for this purpose and what the school considers to be a “legitimate educational interest.”78
HIPAA/CMIA: Yes. HIPAA and California law allow a health care provider to disclose otherwise protected health information in order to avert a serious threat to health or safety. Specifically, HIPAA says that a provider may disclose information, consistent with applicable law and ethical principles, if the provider in good faith believes the disclosure:
- is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
- is to a person or persons reasonably able to prevent or lessen the threat, including the target of the
There is a presumption that a provider acted in good faith in making such a disclosure if the provider’s belief is based on actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.79 Therapists are permitted to disclose psychotherapy notes without authorization under emergency circumstances.80
Under California law, a therapist may disclose medical information as necessary to prevent or lessen a threat to the health or safety of a reasonably foreseeable victim or victims. Exactly when and to whom such information can be disclosed will depend on which California law the therapist is providing services under. For example, if the therapist is subject to CMIA, disclosure of information may be to any person reasonably able to prevent or lessen the threat, including the target of the threat.81 Therapists should consult their own legal counsel for more information and guidance on which California confidentiality law applies to their records. Providers also should consult their ethical and licensing rules for applicable guidance, such as guidance on when the Tarasoff duty to warn may apply.
FERPA: Yes. FERPA authorizes disclosures to “appropriate parties” if “knowledge of the information is necessary to protect the health or safety of the student or other individuals.”82 This exception allows disclosure in response to a specific situation that poses an imminent danger. The release may occur “if the agency or institution determines, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals.”83
“In making [this] determination”, FERPA goes on to say, “an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.”84
Providers also should consult their ethical and licensing rules for applicable guidance, such as guidance on when the Tarasoff duty to warn may apply.
HIPAA/CMIA: Under California’s Child Abuse and Neglect Reporting Act, mandated reporters85 of child abuse must make a report to child protective services or law enforcement whenever they have knowledge of or observe a child in their professional capacity whom they know or reasonably suspect has been the victim of child abuse or neglect.86 If information protected by HIPAA and CMIA is relevant to making that report, the information still must be disclosed to CPS or law enforcement.87 This does not mean that the information loses its confidentiality protections. While relevant information must be disclosed to CPS or law enforcement, disclosure to anyone else or for any other reason still must comply with HIPAA and CMIA.
FERPA: Under California’s Child Abuse and Neglect Reporting Act, mandated reporters88 of child abuse must make a report to child protective services or law enforcement whenever they have knowledge of or observe a child in their professional capacity whom they know or reasonably suspect has been the victim of child abuse or neglect.89 If information protected by FERPA is relevant to making that report, the information still must be disclosed to CPS or law enforcement. This does not mean that the information loses its confidentiality protections. While relevant information must be disclosed to CPS or law enforcement, disclosure to anyone else or for any other reason still must comply with FERPA.