OCR Director Paula Stannard confirmed it in 2026: parental access to children’s medical records is now an enforcement priority. If noncompliance is identified, OCR will use every civil remedy available, including civil monetary penalties.

Most pediatric practices do not realize they may already have a problem. The issue is not usually a practice policy that expressly blocks parents. The issue is an EHR setting that was configured for adolescent confidentiality and is restricting access more broadly than HIPAA allows.

Quick Answer: What HIPAA Requires on Parental Access

  • Parents are generally the personal representative of their minor child under 45 CFR §164.502(g) and have the same HIPAA rights as the patient.
  • There are three narrow exceptions where a minor’s records can be kept from a parent. Outside those exceptions, parental access is required.
  • OCR issued a formal “Dear Colleague” letter in late 2025 putting pediatric providers on notice and making this a 2026 enforcement target.
  • Many EHR platforms have adolescent confidentiality settings that restrict parental access more broadly than HIPAA permits.

This post explains what HIPAA actually requires, where the three narrow exceptions are, why EHR configurations are creating compliance gaps in practices that have no intention of blocking parents, and what you should audit today if your practice serves minor patients anywhere in Texas or another state with aggressive privacy enforcement.

What HIPAA Says About Parental Access

Under 45 CFR §164.502(g), a patient’s personal representative has the same rights to that patient’s protected health information as the patient has. Parents are generally the personal representative of their unemancipated minor child. That means a parent can request and receive the child’s medical records, lab results, visit notes, prescription history, and any other PHI in the designated record set.

The right is not discretionary. It is not a courtesy. It is not something the practice weighs against its own judgment about whether sharing the information seems like a good idea. HIPAA creates an affirmative obligation to provide access, and OCR enforces it as one.

The Right of Access enforcement initiative has now produced more than 50 completed actions. The penalties for denying access range from a few thousand dollars for isolated failures to $70,000 or more for practices that charged impermissible fees or repeatedly delayed or refused access. You can estimate exposure for your own practice size with our HIPAA penalty calculator. Adding parental access violations to that enforcement machinery is a significant expansion for any practice serving children.

What Are the Three Exceptions?

45 CFR §164.502(g)(3)(i) creates three specific circumstances where a covered entity may, but is not required to, treat a parent as the personal representative of a minor child.

Exception 1: The minor consented to care and consent of a parent was not required under applicable law. If state law permits a minor to consent to certain types of care without parental involvement, and the minor exercised that right, the provider may choose not to disclose that care to the parent. Common examples include some types of reproductive health care, substance use treatment in states with strong confidentiality protections for minors, and mental health care in certain circumstances. The key word is may. HIPAA does not require the provider to withhold the information. It gives the provider discretion.

Exception 2: A court has ordered that the parent not be treated as the personal representative. This is straightforward. If a court order specifies that a parent does not have access to a child’s medical information, follow the court order and document it in the record.

Exception 3: The provider, in the exercise of professional judgment, determines that treating the parent as a personal representative would not be in the best interest of the minor. This is the most commonly misapplied exception. It is narrow. It exists for situations involving suspected abuse or where sharing information with a parent would endanger the child. It is not a general authority to restrict parental access whenever the provider thinks the child should have privacy. Using it broadly, outside the specific circumstances it addresses, creates an OCR exposure.

Outside these three exceptions, parental access is required. Full stop.

Why Is OCR Prioritizing This Now?

The OCR enforcement action that triggered the Dear Colleague letter involved a Midwestern school that vaccinated a child against the parents’ wishes, ignoring a religious exemption submitted under state law. HHS Secretary Kennedy described the incident directly: “Today, we are putting pediatric medical professionals on notice: you cannot sideline parents.”

The enforcement priority reflects a broader shift in how the current HHS leadership views parental rights in healthcare. OCR is not limiting the enforcement action to schools or vaccination cases. The Dear Colleague letter was addressed to HIPAA-regulated entities broadly, and Director Stannard confirmed the agency will pursue civil monetary penalties for noncompliance.

For independent pediatric practices, family medicine offices, behavioral health providers serving adolescents, and school health clinics, this enforcement priority is not theoretical. OCR investigates in response to complaints. Parents who believe they were wrongly denied access to their child’s records now have a clear avenue to file a complaint, and a regulator that has publicly said it will pursue those complaints.

The EHR Configuration Problem

The practices at greatest risk from this enforcement priority have, for the most part, not made a deliberate policy decision to block parents. They configured their EHR the way the implementation guide told them to, or the way the EHR vendor recommended, and moved on.

Many EHR platforms include adolescent confidentiality features that allow practices to restrict record access for patients within a certain age range. These features are useful when applied to the narrow circumstances HIPAA actually permits. They create compliance problems when they are applied broadly to all adolescent patients regardless of the specific circumstances involved.

Common configurations that create problems include blanket restrictions on parental access to all records for patients ages 12 to 17, automatic suppression of records related to any visit categorized under a sensitive topic, and portal settings that give adolescent patients the ability to block parental access at their own discretion without clinical oversight.

None of these configurations is inherently wrong. Each of them becomes wrong when it restricts access without a specific, documented reason that falls within one of the three HIPAA exceptions. If your EHR is preventing a parent from seeing records about a routine office visit for a 14-year-old because the patient age triggered an adolescent confidentiality setting, that is a HIPAA Right of Access violation waiting to become an OCR complaint.

What to Audit Today

For any practice serving minor patients, three areas warrant an immediate check.

Your EHR access control settings. Log in as a test parent or ask your EHR vendor to walk you through what a parent sees when requesting their child’s records through the portal. Is access restricted? If so, what triggers the restriction? Is the restriction limited to the specific circumstances HIPAA permits, or does it apply broadly by age category?

Your records request workflow for minors. When a parent calls or comes in and requests a copy of their minor child’s medical records, what does your front desk do? Do they know the HIPAA rules for when to fulfill the request and when an exception might apply? Is the decision left to individual staff judgment without any policy guidance?

Your documentation of any access restrictions you have applied. For any minor patient whose parent has been denied access or whose records have been restricted, you should have a written note in the chart documenting which exception applied and why. A restriction that is not documented is a restriction that cannot be defended in an OCR investigation.
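One way to run the documentation check above over an export of access restrictions, as an added example that is not from the original article or from any EHR vendor. The record fields, trigger names and the age-18 cutoff are assumptions, and the sample rows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# The three exceptions the article lists under 45 CFR 164.502(g)(3)(i).
ALLOWED_EXCEPTIONS = {"minor_consent", "court_order", "professional_judgment"}
# Automatic triggers the article names as common problem configurations.
AUTOMATIC_TRIGGERS = {"age_band", "sensitive_category", "patient_self_block"}

@dataclass
class Restriction:            # hypothetical export row, one per restricted record
    patient_id: str
    patient_age: int
    trigger: str              # what caused the EHR to hide the record from the parent
    exception: Optional[str] = None   # exception cited in the chart, if any
    chart_note: str = ""      # written reason documented in the chart

def audit(rows):
    """Return (patient_id, reason) for every restriction that needs review."""
    findings = []
    for r in rows:
        if r.patient_age >= 18:   # assumed cutoff; emancipation is not modelled
            continue
        if r.exception not in ALLOWED_EXCEPTIONS:
            why = "no documented HIPAA exception"
            if r.trigger in AUTOMATIC_TRIGGERS:
                why += f" (automatic trigger: {r.trigger})"
            findings.append((r.patient_id, why))
        elif not r.chart_note.strip():
            findings.append(
                (r.patient_id, f"exception '{r.exception}' cited without a chart note"))
    return findings

# Constructed sample data, not taken from any real EHR.
SAMPLE = [
    Restriction("P-001", 14, "age_band"),
    Restriction("P-002", 16, "clinician", "minor_consent",
                "Minor consented under state law; see visit note."),
    Restriction("P-003", 15, "sensitive_category"),
    Restriction("P-004", 13, "clinician", "court_order", ""),
    Restriction("P-005", 17, "patient_self_block", "privacy_preference", "Patient asked."),
    Restriction("P-006", 19, "age_band"),
]

if __name__ == "__main__":
    for pid, why in audit(SAMPLE):
        print(pid, "->", why)
```

A flagged row is a prompt for clinical and privacy review of that chart, not a determination that access was wrongly denied.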

If you are in Texas, note that the Texas Medical Privacy Act and the Texas Health and Safety Code have their own provisions on minor patient records that interact with HIPAA. Texas generally follows the federal framework for personal representative rights, but specific statutes address records related to mental health, substance use, and reproductive care. When a Texas-specific provision provides greater confidentiality protections than HIPAA, the Texas law controls. When federal HIPAA provides greater access rights, federal law controls. For more on the Texas overlay, see our guide to HIPAA compliance for solo practitioners in Texas. The interaction between these frameworks is a specific area worth reviewing with a privacy advisor if your practice treats adolescents in any of the sensitive categories.

What Happens If OCR Investigates

A parental access complaint investigation will follow the same structure as any other Right of Access investigation. OCR will request your Notice of Privacy Practices, your policies on access by personal representatives, any records related to the specific complaint, and evidence that you provided or denied access in the manner described. Our guide to the first 72 hours after an OCR investigation letter walks through the response timeline in detail.

If your practice applied a documented exception that falls within the three HIPAA categories, and you can show the documentation, the investigation is likely to close without penalty. If your practice denied access because an EHR setting restricted it automatically and there is no documented exception in the record, you are in a more difficult position.

The Right of Access enforcement actions OCR has published reflect a consistent pattern. Practices that can demonstrate a good-faith compliance effort, even an imperfect one, tend to resolve cases with voluntary corrective action and no civil monetary penalty. Practices that cannot produce any documentation of how they handle access requests, or that have policies directly at odds with what HIPAA requires, tend to settle for substantially more.

OCR completed 50 Right of Access enforcement actions before adding parental access to its target list. The enforcement machinery is built and running. The question for any pediatric practice right now is whether your EHR settings, your staff training, and your chart documentation are where they need to be before a parent files a complaint. A focused privacy exposure review can identify these gaps before OCR does.

Not sure how your EHR handles parental access?

NPA works with small healthcare practices in Texas and other states to audit EHR configurations, update access policies, and document HIPAA compliance. CIPP/US certified, straightforward pricing.


Last updated: May 30, 2026. This article reflects OCR’s stated enforcement priorities as of Q2 2026. State-specific provisions, including Texas mental health and reproductive health confidentiality statutes, interact with the federal HIPAA framework. Consult a qualified privacy advisor for guidance specific to your practice’s patient population.