"Yes, the Privacy Rule generally allows a parent to have access to the medical records about his or her child, as his or her minor child's personal representative when such access is not inconsistent with State or other law.There are three situations when the parent would not be the minor's personal representative under the Privacy Rule. These exceptions are:
However, even in these exceptional situations, the parent may have access to the medical records of the minor related to this treatment when State or other applicable law requires or permits such parental access. Parental access would be denied when State or other law prohibits such access. If State or other applicable law is silent on a parent's right of access in these cases, the licensed health care provider may exercise his or her professional judgment to the extent allowed by law to grant or deny parental access to the minor's medical information."
Under certain limited circumstances, a covered entity may deny an individual's request for access to all or a portion of the PHI requested. In some of these circumstances, an individual has a right to have the denial reviewed by a licensed health care professional designated by the covered entity who did not participate in the original decision to deny.
Unreviewable grounds for denial (45 CFR 164.524(a)(2)):
Reviewable grounds for denial (45 CFR 164.524(a)(3)). A licensed health care professional has determined in the exercise of professional judgment that:
Note that a covered entity may not require an individual to provide a reason for requesting access, and the individual's rationale for requesting access, if voluntarily offered or known by the covered entity or business associate, is not a permitted reason to deny access. In addition, a covered entity may not deny access because a business associate of the covered entity, rather than the covered entity itself, maintains the PHI requested by the individual (e.g., the PHI is maintained by the covered entity's electronic health record vendor or is maintained by a records storage company offsite).
If the covered entity denies access, in whole or in part, to PHI requested by the individual, the covered entity must provide a denial in writing to the individual no later than within 30 calendar days of the request (or no later than within 60 calendar days if the covered entity notified the individual of an extension). See 45 CFR 164.524(b)(2). The denial must be in plain language and describe the basis for denial; if applicable, the individual's right to have the decision reviewed and how to request such a review; and how the individual may submit a complaint to the covered entity or the HHS Office for Civil Rights. See 45 CFR 164.524(d).
If the covered entity (or one of its business associates) does not maintain the PHI requested, but knows where the information is maintained, the covered entity must inform the individual where to direct the request for access. See 45 CFR 164.524(d)(3).
The covered entity must, to the extent possible and within the above timeframes, provide the individual with access to any other PHI requested, after excluding the PHI to which the entity has a ground to deny access. See 45 CFR 164.524(d)(1). Complexity in segregating the PHI does not excuse the obligation to provide access to the PHI to which the ground for denial does not apply.
If the denial was based on a reviewable ground for denial and the individual requests review, the covered entity must promptly refer the request to the designated reviewing official. The reviewing official must determine, within a reasonable period of time, whether to reaffirm or reverse the denial. The covered entity must then promptly provide written notice to the individual of the determination of the reviewing official, as well as take other action as necessary to carry out the determination. See 45 CFR 164.524(d)(4).