Privacy and security of health information is a basic expectation of patients. Despite the existence of federal and state laws safeguarding the privacy of health information, health information systems currently lack the capability to allow for protection of this information for minors. This policy statement reviews the challenges to privacy for adolescents posed by commercial health information technology systems and recommends basic principles for ideal electronic health record systems. This policy statement has been endorsed by the Society for Adolescent Health and Medicine.
State laws allow minors to consent for their health care on the basis of their status (eg, as an emancipated or mature minor or a pregnant or parenting teenager) and on the basis of the services they seek (eg, sexually transmitted infection [STI] diagnosis and treatment, contraception, pregnancy care, substance abuse counseling/treatment, or mental health care). If adolescents cannot trust that their health information will be both private and secure, they may not seek these services.1–6 State and federal laws provide protection of privacy when minors consent for their own health care; laws pertaining to such care vary depending on where the teenager resides.7 The American Academy of Pediatrics (AAP), along with other medical societies, encourages adolescents to discuss health issues with parents but has supported the right to adolescent privacy.8
Privacy control of protected information specific to adolescent health has not been adequately addressed in the development of electronic health records (EHRs). Current federal rules related to the Health Information Technology for Economic and Clinical Health Act limit the discussion of privacy as it relates to the Health Insurance Portability and Accountability Act (HIPAA) and, thus, related criteria for certification of EHRs. Such criteria have no specific references to issues of adolescent privacy.9,10 Because electronic systems currently are unable to filter or compartmentalize health information consistent with current laws, states have been left to identify individual barriers to appropriate exchange of adolescent health information and to identify interim solutions.11
A policy statement regarding use of personal health records (PHRs) published in 2009 by the AAP addressed the importance of protection of privacy. The AAP policy statement “Using Personal Health Records to Improve the Quality of Health Care for Children” stresses the importance of the development of the PHR as an extension of the EHR but also addresses the lack of privacy controls, which are necessary for adolescents to access care protected by state and federal laws.12
Statement of the Problem
Current health information technologies, including EHRs, PHRs, personally controlled health records, health information exchanges (HIEs), or other patient portals generally do not have the flexibility or the technical capacity to maintain or support policies that address the ability of minors to give their own consent for health care or to protect minors’ sensitive health care data.13 Privacy and trust between the adolescent and provider during the health care visit is complicated by requirements to document care in the record, bill for services, and communicate with the parent/guardian within the boundaries of applicable state laws.14–16 PHRs can improve access to health information, but to realize the benefits for teenagers, standards for developing and accessing the information within PHRs must include the ability to protect privacy and security issues for adolescents. The PHR must have the flexibility to meet the variation in the legal mandates of the state in which the teenager resides. These standards must also grant adolescents the ability to exclude parents or guardians from their PHRs when state law allows that they may consent for their own health care without parental consent on the basis of status (eg, as an emancipated or mature minor or as a parent) and on the basis of the services they seek (eg, diagnosis and treatment of STIs, contraception, substance abuse counseling and treatment, and mental health care).7,13,16
Currently, most systems are not capable of allowing dual (or plural) consent to allow or restrict access to different portions of a patient’s electronic health information. Thus, adolescents who are minors cannot record legal consent to allow or disqualify their health information to be included in PHRs, PCHRs, and HIEs, because current technologies allow parents as the only parties who can provide informed consent. Specific challenges include:
Lack of standards for electronic medical technology regarding privacy issues and care for the adolescent patient where rights of minors are protected by state law or precedent court cases.
Lack of standards for electronic medical technology when states remain silent on the issue of care around sensitive area issues for the adolescent, and care is routinely provided to teenagers as mature minors.
Lack of standards for electronic medical technology regarding who has access to the medical record—that is, parent or legal guardian, adolescent, pediatrician, or other health care providers.
Lack of standards for electronic medical technology regarding protection of sensitive information, including laboratory test results, prescriptions, and other health data.
Lack of standards for electronic billing to prevent disclosure of protected information through the act of generating a bill. These standards might include making it possible to suppress the laboratory test name (eg, HIV test name, pregnancy test name) while still generating a bill. Without this ability, pediatricians and health care facilities may choose to forego billing to protect the adolescent’s privacy. This places the burden of care on the pediatrician or facility.
Lack of standards for protecting sensitive information when used for public health, research, or other uses separate from the care episode.
Basic Principles for Ideal EHRs, PHRs, Personally Controlled Health Records, and HIEs (Collectively EHR Systems) for Adolescents
The AAP recommends the following basic principles for ideal EHR systems:
The creation and implementation of criteria for EHR systems that meet privacy standards for adolescents, particularly in areas of care that are protected by federal and state laws.
The creation and implementation of criteria for EHR systems that allow determination of who has access to, or who has the ability to control access to, the medical record either in total or in part. The “who” would need to accommodate any legally authorized physician, health care provider, guardian, or patient, including an adolescent or minor, and must be adaptable to change on the basis of the age and health care activity of the patient. Controlling access should also take into account the specific issues related to release of information (to other providers or secondary to subpoena) such that only the minimum necessary information pertinent to the request is released to protect the privacy of the adolescent.
The creation and implementation of criteria for EHR systems that allow adolescents to record their consents and authorizations for care or treatment according to privacy rules and laws (by using the HL-7 Child Health Profile DC.1.3.3 standard).17
The creation and implementation of criteria for EHR systems to allow the explicit and specific consent of the adolescent for release of specific protected health information. Authorization to access the most sensitive parts of an EHR is most definitive if made by this explicit consent.
Flexibility of these standards that allow for protection of privacy for diagnoses and associated laboratory test results, prescriptions, problem lists, and ultimately, any documentation/note that contains confidential data. This requirement is the most difficult to attain and control. These standards must also allow an entire visit to be marked as private and not viewable by anyone but those to whom the adolescent has given appropriate permission.
Certified EHR systems that meet privacy standards that are consistent with state laws.
EHR systems that are able to flag data that are being imported or exchanged between health entities (hospitals, clinics, emergency departments, other physician offices, health networks or exchanges) so that the information can be reviewed and placed in a confidential area of the EHR if appropriate.
EHR systems that are able to apply local (state) and federal privacy and confidentiality rules when assembling aggregate data to prevent identification of individuals by unauthorized parties (HL-7 Child Health Profile DC.2.6.1).17
Billing systems associated with EHR systems that have the ability to suppress billing to the parent, guardian, or other legally authorized representative when an adolescent or minor seeks care for health issues that are delivered within the context of general visits and protected under state or federal statutes.
Privacy and security of health information is a basic expectation of patients. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the protection of privacy, integrity, and availability of electronic protected health information. These protections focus on breaches of security and rarely address the needs of minors or adolescents, who routinely have health care provided under their parent’s supervision. These issues apply equally to other populations including young adults who still live with their parent or guardian as well as for adult populations, and we believe that the recommendations have broader applicability beyond adolescents.
Although HIPAA rules defer to state law regarding minors with “exceptional circumstances” (eg, adolescents seeking care for STIs) and give the minor and not the parent the right to this protected health information, the rules have not led to commercial health information technology systems having the capability to protect this information.
This policy addresses the basic needs related to privacy issues that must be protected within commercial health information technology systems. Protection must include the ability to consent for care, consent for release of information associated with care, and prevent inadvertent disclosure through billing activities or electronic aggregation of data for quality improvement, research, public health reporting, or other use. Continued lack of privacy protection in EHRs risks diminishing adolescent access to care, potentially resulting in higher adolescent pregnancy and STI (including HIV) rates, and unraveling significant gains that have been achieved. Even if these technical capacities exist in software, the privacy and security of the adolescent’s health care will require educating pediatricians and staff to the specific issues outlined in this policy. This policy statement has been endorsed by the Society for Adolescent Health and Medicine.
Margaret J. Blythe, MD
Mark A. Del Beccaro, MD
Committee on Adolescence, 2010–2011
Margaret J. Blythe, MD, Chairperson
William P. Adelman, MD
Cora C. Breuner, MD, MPH
David A. Levine, MD
Arik V. Marcell, MD
Pamela J. Murray, MD, MPH
Rebecca F. O’Brien, MD
Loretta E. Gavin, PhD, MPH – Centers for Disease Control and Prevention
Rachel J. Miller, MD – American College of Obstetricians and Gynecologists
Jorge L. Pinzon, MD – Canadian Pediatric Society
Benjamin Shain, MD, PhD – American Academy of Child and Adolescent Psychiatry
Karen S. Smith
Mark Del Monte, JD
Council on Clinical and Information Technology, 2010–2011
Mark A. Del Beccaro, MD, Chairperson
Joseph H. Schneider, MD, MBA, Immediate Past Chairperson
Stuart T. Weinberg, MD, Vice Chairperson
Gregg M. Alexander, DO
Willa Hendricks Drummond, MD
Anne B. Francis, MD
Eric G. Handler, MD, MPH
Timothy D. Johnson, DO, MMM
George R. Kim, MD
Michael Leu, MD, MS, MHS
Eric Tham, MD, MS
Alan E. Zuckerman, MD
Eugenia Marcus, MD
Aleksey Tentler, MD – Section on Medical Students, Residents and Fellowship Trainees
William Zurhellen, MD – Physicians EHR Coalition
This document is copyrighted and is property of the American Academy of Pediatrics and its Board of Directors. All authors have filed conflict of interest statements with the American Academy of Pediatrics. Any conflicts have been resolved through a process approved by the Board of Directors. The American Academy of Pediatrics has neither solicited nor accepted any commercial involvement in the development of the content of this publication.
All policy statements from the American Academy of Pediatrics automatically expire 5 years after publication unless reaffirmed, revised, or retired at or before that time.