HIPPA Interferes with Parental Rights – a HIPAA Train Wreck

Posted on  September 25, 2015


A few months ago, I came across a number of articles regarding Washington state schools placing IUDs in girls as young as the sixth grade without their parents’ knowledge through a Medicaid program known as “Take Charge.” The story received considerable media play. I do not wish to get into either the necessity or the propriety of this story, although it is ironic that Middle and High school students can’t get a Coca Cola or candy bar at local public schools. My interest was (and still is) how this situation plays out with respect to both the Federal and State laws.

I believe that in the final analysis, based on prevailing law, not only was the IUD placement without parental knowledge or consent within the law, the startling part is that if this issue was disclosed to a parent without the consent of the minor (child) it might very well be in violation of the law. The analysis is somewhat complicated but I will try to break it down into human bites.

The first step is the Federal law regarding the privacy of patient records. Typically, Federal law supersedes State law, and therefore, we would only have to address the Federal law. The Omnibus Rule, however, allows for the stricter of Federal or State law with respect to patient privacy.

Under § 160.203 (“General rule and exceptions”), the protections afforded under the HIPAA Privacy Rule preempt the provisions of State law, except if certain conditions are met.  One of those conditions, as set forth in § 160.203(b), is that “[t]he provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification adopted under [the Privacy Rule]”.

Under § 160.202 (“Definitions”), the term “more stringent” means, in comparing the State law and a provision of the Privacy Rule, a State law that meets one or more of certain criteria, which includes, a State law that, “[w]ith respect to any other matter, provides greater privacy protection for the individual who is the subject of the individually identifiable health information.  (See, § 160.202(6)).

We have established that to the extent that State law is more stringent with respect to protecting the privacy rights of the patient, the State law of Washington comes into play.

The general age of  majority in the state of Washington is 18 (as set forth in RCW 26.28.010), however there are specific exceptions, one of which is birth control services in which case, a minor’s consent is sufficient for confidential care, and the parent/guardian’s consent is not required, nor must the parent/guardian be notified. In fact, this rule holds true at any age. (RCW9.02.100(2)

It is apparent that Washington State law (at least as understood by the schools) interprets the reproductive privacy law to mean that anyone, including the child, has a fundamental right to choose or refuse birth control.

To round out the picture totally, the law further states that “if the patient is a minor and is authorized to consent to healthcare without parental consent under Federal and State law, only the minor may exercise the rights of the patient under this chapter as the information pertaining to healthcare to which the minor lawfully consented.” (RCW 70.02.130 (1))

The sum total of all of this information is that arguably in the state of Washington, a child of any age can allow for the placement of an IUD without parental knowledge or consent, and it is only the child that can consent to the release of that information from the medical practitioner to the parent/guardian. Presumably, a parent might ask for the child’s medical records, or the child might be brought to the doctor because of bleeding or any other symptom that is a consequence of an IUD, and the medical practice is prohibited from releasing this information to the parent without the consent of the child.  One can only wonder what the medical staff is supposed to tell the parents of an 11-year- old.

It would logically follow that if the medical provider, or his/her staff, in fact communicated the fact that the child had an IUD, it would be a breach under HIPAA.

I will leave it to the readers to decide if this situation makes any sense, what goals are achieved, and if this is just another example of the effects of unintended consequences.

Irrespective of anyone’s personal belief, this situation, at a minimum, underscores the fact that even when emphasis is placed on compliance with HIPAA, individual State laws must be complied with and both doctors and their staffs (as well as business associates) must be aware of operative State laws.

What do you think?


Bookmark This Page

Leave a Reply

Your email address will not be published.