Commentary

HHS Reminds Hospitals: Let Parents Access Their Children’s Medical Records

  • By Do No Harm Staff
  • December 4, 2025

Earlier this year, Do No Harm published a report examining how parental access to their children’s medical records has been undermined by hospitals. The report also identifies the ways in which health records technology has been used to shield children’s health information from their parents. 

For instance, major electronic health record system provider Oracle Health sets age 13 as the default protected status age, enabling providers to hide important health information from children’s parents.

As Do No Harm’s report notes, these restrictions pose enormous problems, as they could conceal harmful medical interventions such as so-called “gender-affirming care” from parents. Indeed, many gender activists who practice in the “Adolescent Medicine” subspecialty even advocate for limiting parental access to children’s medical records.

And what’s more, these restrictions are not in line with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that governs access to personal health information.

Now, the Department of Health and Human Services (HHS) Office for Civil Rights issued a Dear Colleague letter this week reminding hospitals and other HIPAA-related entities of their obligations under the rule.

And according to the Daily Wire, HHS “was first made aware of ‘Adolescent Medicine’ and its dangers through a report issued by ‘Do No Harm.’”

“[P]arents, as the personal representative of their minor children, may be denied access to their minor children’s medical records, or a covered entity may be requiring minor children to authorize parental access before such access will be granted, when no such requirement exists under applicable law and, thus, under the Privacy Rule,” the letter states. “Denial of access in those circumstances may be a violation of the Privacy Rule.”

The letter reiterates the three limited situations in which a child’s parent is not eligible to access their personal health information:

  1. When the child consents to health care and the consent of the parent is not required under state or other applicable law. In this situation, the parent is not the child’s personal representative with respect to PHI related to that health care
  2. When the child obtains health care at the direction of a court, or a person appointed by the court. In this situation, the parent is not the child’s personal representative with respect to PHI related to that health care.
  3. When, and to the extent that, the parent agrees that the child and the health care provider may have a confidential relationship. In this situation, the scope of the parent’s agreement to the confidential relationship determines the degree to which the parent is the child’s personal representative for purposes of PHI maintained by that health care provider.

The letter goes on to state that, absent these exceptions and other conditions imposed by state law, hospitals may not prevent parents from accessing their child’s medical records.

“Providing parents who are their children’s personal representatives with easy access to their children’s PHI empowers parents to be more in control of decisions regarding their children’s health and well-being,” the letter states.

Do No Harm applauds HHS’s attention to this important issue. It’s essential that parents be able to access such crucial health information about their child. Preventing them from doing so infringes upon their core parental rights.