Privacy and security of health information is a basic expectation of patients. Despite the existence of federal and state laws safeguarding the privacy of health information, health information systems currently lack the capability to allow for protection of this information for minors. This policy statement reviews the challenges to privacy for adolescents posed by commercial health information technology systems and recommends basic principles for ideal electronic health record systems. This policy statement has been endorsed by the Society for Adolescent Health and Medicine.

State laws allow minors to consent for their health care on the basis of their status (eg, as an emancipated or mature minor or a pregnant or parenting teenager) and on the basis of the services they seek (eg, sexually transmitted infection [STI] diagnosis and treatment, contraception, pregnancy care, substance abuse counseling/treatment, or mental health care). If adolescents cannot trust that their health information will be both private and secure, they may not seek these services.1,6 State and federal laws provide protection of privacy when minors consent for their own health care; laws pertaining to such care vary depending on where the teenager resides.7 The American Academy of Pediatrics (AAP), along with other medical societies, encourages adolescents to discuss health issues with parents but has supported the right to adolescent privacy.8 

Privacy control of protected information specific to adolescent health has not been adequately addressed in the development of electronic health records (EHRs). Current federal rules related to the Health Information Technology for Economic and Clinical Health Act limit the discussion of privacy as it relates to the Health Insurance Portability and Accountability Act (HIPAA) and, thus, related criteria for certification of EHRs. Such criteria have no specific references to issues of adolescent privacy.9,10 Because electronic systems currently are unable to filter or compartmentalize health information consistent with current laws, states have been left to identify individual barriers to appropriate exchange of adolescent health information and to identify interim solutions.11 

A policy statement regarding use of personal health records (PHRs) published in 2009 by the AAP addressed the importance of protection of privacy. The AAP policy statement “Using Personal Health Records to Improve the Quality of Health Care for Children” stresses the importance of the development of the PHR as an extension of the EHR but also addresses the lack of privacy controls, which are necessary for adolescents to access care protected by state and federal laws.12 

Current health information technologies, including EHRs, PHRs, personally controlled health records, health information exchanges (HIEs), or other patient portals generally do not have the flexibility or the technical capacity to maintain or support policies that address the ability of minors to give their own consent for health care or to protect minors’ sensitive health care data.13 Privacy and trust between the adolescent and provider during the health care visit is complicated by requirements to document care in the record, bill for services, and communicate with the parent/guardian within the boundaries of applicable state laws.14,16 PHRs can improve access to health information, but to realize the benefits for teenagers, standards for developing and accessing the information within PHRs must include the ability to protect privacy and security issues for adolescents. The PHR must have the flexibility to meet the variation in the legal mandates of the state in which the teenager resides. These standards must also grant adolescents the ability to exclude parents or guardians from their PHRs when state law allows that they may consent for their own health care without parental consent on the basis of status (eg, as an emancipated or mature minor or as a parent) and on the basis of the services they seek (eg, diagnosis and treatment of STIs, contraception, substance abuse counseling and treatment, and mental health care).7,13,16 

Currently, most systems are not capable of allowing dual (or plural) consent to allow or restrict access to different portions of a patient’s electronic health information. Thus, adolescents who are minors cannot record legal consent to allow or disqualify their health information to be included in PHRs, PCRHs, and HIEs, because current technologies allow parents as the only parties who can provide informed consent. Specific challenges include:

  • Lack of standards for electronic medical technology regarding privacy issues and care for the adolescent patient where rights of minors are protected by state law or precedent court cases.

  • Lack of standards for electronic medical technology when states remain silent on the issue of care around sensitive area issues for the adolescent, and care is routinely provided to teenagers as mature minors.

  • Lack of standards for electronic medical technology regarding who has access to the medical record—that is, parent or legal guardian, adolescent, pediatrician, or other health care providers.

  • Lack of standards for electronic medical technology regarding protection of sensitive information, including laboratory test results, prescriptions, and other health data.

  • Lack of standards for electronic billing to prevent disclosure of protected information through the act of generating a bill. These standards might include making it possible to suppress the laboratory test name (eg, HIV test name, pregnancy test name) while still generating a bill. Without this ability, pediatricians and health care facilities may choose to forego billing to protect the adolescent’s privacy. This places the burden of care on the pediatrician or facility.

  • Lack of standards for protecting sensitive information when used for public health, research, or other uses separate from the care episode.

The AAP recommends the following basic principles for ideal EHR systems:

  1. The creation and implementation of criteria for EHR systems that meet privacy standards for adolescents, particularly in areas of care that are protected by federal and state laws.

  2. The creation and implementation of criteria for EHR systems that allow determination of who has access to, or who has the ability to control access to, the medical record either in total or in part. The “who” would need to accommodate any legally authorized physician, health care provider, guardian, or patient, including an adolescent or minor, and must be adaptable to change on the basis of the age and health care activity of the patient. Controlling access should also take into account the specific issues related to release of information (to other providers or secondary to subpoena) such that only the minimum necessary information pertinent to the request is released to protect the privacy of the adolescent.

  3. The creation and implementation of criteria for EHR systems that allow adolescents to record their consents and authorizations for care or treatment according to privacy rules and laws (by using the HL-7 Child Health Profile DC.1.3.3 standard).17 

  4. The creation and implementation of criteria for EHR systems to allow the explicit and specific consent of the adolescent for release of specific protected health information. Authorization to access the most sensitive parts of an EHR is most definitive if made by this explicit consent.

  5. Flexibility of these standards that allow for protection of privacy for diagnoses and associated laboratory test results, prescriptions, problem lists, and ultimately, any documentation/note that contains confidential data. This requirement is the most difficult to attain and control. These standards must also allow an entire visit to be marked as private and not viewable by anyone but those to whom the adolescent has given appropriate permission.

  6. Certified EHR systems that meet privacy standards that are consistent with state laws.

  7. EHR systems that are able to flag data that are being imported or exchanged between health entities (hospitals, clinics, emergency departments, other physician offices, health networks or exchanges) so that the information can be reviewed and placed in a confidential area of the EHR if appropriate.

  8. EHR systems that are able to apply local (state) and federal privacy and confidentially rules when assembling aggregate data to prevent identification of individuals by unauthorized parties (HL-7 Child Health Profile DC.2.6.1).17 

  9. Billing systems associated with EHR systems that have the ability to suppress billing to the parent, guardian, or other legally authorized representative when an adolescent or minor seeks care for health issues that are delivered within the context of general visits and protected under state or federal statutes.

Privacy and security of health information is a basic expectation of patients. The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to ensure the protection of privacy, integrity, and availability of electronic protected health information. These protections focus on breaches of security and rarely address the needs of minors or adolescents, who routinely have health care provided under their parent’s supervision. These issues apply equally to other populations including young adults who still live with their parent or guardian as well as for adult populations, and we believe that the recommendations have broader applicability beyond adolescents.

Although HIPAA rules defer to state law regarding minors with “exceptional circumstances” (eg, adolescents seeking care for STIs) and gives the minor and not the parent the right to this protected health information, the rules have not led to commercial health information technology systems having the capability to protect this information.

This policy addresses the basic needs related to privacy issues that must be protected within commercial health information technology systems. Protection must include the ability to consent for care, consent for release of information associated with care, and prevent inadvertent disclosure through billing activities or electronic aggregation of data for quality improvement, research, public health reporting, or other use. Continued lack of privacy protection in EHRs risks diminishing adolescent access to care, potentially resulting in higher adolescent pregnancy and STI (including HIV) rates, and unraveling significant gains that have been achieved. Even if these technical capacities exist in software, the privacy and security of the adolescent’s health care will require educating pediatricians and staff to the specific issues outlined in this policy. This policy statement has been endorsed by the Society for Adolescent Health and Medicine.

Margaret J. Blythe, MD

Mark A. Del Beccaro, MD

Margaret J. Blythe, MD, Chairperson

William P. Adelman, MD

Cora C. Breuner, MD, MPH

David A. Levine, MD

Arik V. Marcell, MD

Pamela J. Murray, MD, MPH

Rebecca F. O’Brien, MD

Loretta E. Gavin, PhD, MPH – Centers for Disease Control and Prevention

Rachel J. Miller, MD – American College of Obstetricians and Gynecologists

Jorge L. Pinzon, MD – Canadian Pediatric Society

Benjamin Shain, MD, PhD – American Academy of Child and Adolescent Psychiatry

Karen S. Smith

Mark Del Monte, JD

Mark A. Del Beccaro, MD, Chairperson

Joseph H. Schneider, MD, MBA, Immediate Past Chairperson

Stuart T. Weinberg, MD, Vice Chairperson

Gregg M. Alexander, DO

Willa Hendricks Drummond, MD

Anne B. Francis, MD

Eric G. Handler, MD, MPH

Timothy D. Johnson, DO, MMM

George R. Kim, MD

Michael Leu, MD, MS, MHS

Eric Tham, MD, MS

Alan E. Zuckerman, MD

Eugenia Marcus, MD

Aleksey Tentler, MD – Section on Medical Students, Residents and Fellowship Trainees

William Zurhellen, MD – Physicians EHR Coalition

Jennifer Mansour

AAP

American Academy of Pediatrics

EHR

electronic health record

HIE

health information exchange

HIPAA

Health Insurance Portability and Accountability Act

PHR

personal health record

STI

sexually transmitted infection

This document is copyrighted and is property of the American Academy of Pediatrics and its Board of Directors. All authors have filed conflict of interest statements with the American Academy of Pediatrics. Any conflicts have been resolved through a process approved by the Board of Directors. The American Academy of Pediatrics has neither solicited nor accepted any commercial involvement in the development of the content of this publication.

All policy statements from the American Academy of Pediatrics automatically expire 5 years after publication unless reaffirmed, revised, or retired at or before that time.

1
Reddy
DM
,
Fleming
R
,
Swain
C
.
Effect of mandatory parental notification on adolescent girls’ use of sexual health care services.
JAMA
.
2002
;
288
(
6
):
710
714
[PubMed]
2
Britto
MT
,
Tivorsak
TL
,
Slap
GB
.
Adolescents’ needs for health care privacy.
Pediatrics
.
2010
;
126
(
6
). Available at: www.pediatrics.org/cgi/content/full/126/6/e1469
[PubMed]
3
Marks
A
,
Malizio
J
,
Hoch
J
,
Brody
R
,
Fisher
M
.
Assessment of health needs and willingness to utilize health care resources of adolescents in a suburban population.
J Pediatr
.
1983
;
102
(
3
):
456
460
[PubMed]
4
Klein
JD
,
McNulty
M
,
Flatau
CN
.
Adolescents’ access to care: teenagers’ self-reported use of services and perceived access to confidential care.
Arch Pediatr Adolesc Med
.
1998
;
152
(
7
):
676
682
[PubMed]
5
Ford
CA
,
Millstein
SG
,
Halpern-Felsher
BL
,
Irwin
CE
 Jr
.
Influence of physician confidentiality assurances on adolescents’ willingness to disclose information and seek future health care. A randomized controlled trial.
JAMA
.
1997
;
278
(
12
):
1029
1034
[PubMed]
6
Thrall
JS
,
McCloskey
L
,
Ettner
SL
,
Rothman
E
,
Tighe
JE
,
Emans
SJ
.
Confidentiality and adolescents’ use of providers for health information and for pelvic examinations.
Arch Pediatr Adolesc Med
.
2000
;
154
(
9
):
885
892
[PubMed]
7
English A, Bass L, Boyle AD, Eshragh F. State Minor Consent Laws: A Summary. 3rd ed. Chapel Hill, NC: Center for Adolescent Health & the Law; 2010
8
Society of Adolescent Medicine.
Protecting adolescents: ensuring access to care and reporting sexual activity and abuse: Position Paper of the American Academy of Family Physicians, the American Academy of Pediatrics, the American College of Obstetricians and Gynecologists, and the Society for Adolescent Medicine.
J Adolesc Health
.
2004
;
35
(5):
420
423
9
Department of Health and Human Services, Office of the Secretary. 45 CFR Part 170 RIN 0991-AB58. Health information technology: initial set of standards, implementation specifications, and certification criteria for electronic health record technology: interim final rule. Available at: http://edocket.access.gpo.gov/2010/pdf/E9-31216.pdf. Accessed February 7, 2012
10
Department of Health and Human Services, Office of the Secretary. 45 CFR Part 170 RIN 0991-AB59. Establishment of the Temporary Certification Program for Health Information. Available at: http://edocket.access.gpo.gov/2010/pdf/2010-14999.pdf. Accessed February 7, 2012
11
New York eHealth Collaborative, Privacy & Security Minor Consent Tiger Team. Barriers to the exchange of pediatric health information. New York, NY: New York eHealth Collaborative; July 2010. Available at: http://nyehealth.org/images/files/File_Repository16/pdf/white%20paper%20final%20072110%20clean%20version.pdf. Accessed February 7, 2012
12
Council on Clinical Information Technology
.
Policy Statement—Using personal health records to improve the quality of health care for children.
Pediatrics
.
2009
;
124
(
1
):
403
409
[PubMed]
13
Bourgeois
FC
,
Taylor
PL
,
Emans
SJ
,
Nigrin
DJ
,
Mandl
KD
.
Whose personal control? Creating private, personally controlled health records for pediatric and adolescent patients.
J Am Med Inform Assoc
.
2008
;
15
(
6
):
737
743
[PubMed]
14
McKee
MD
,
Rubin
SE
,
Campos
G
,
O’Sullivan
LF
.
Challenges of providing confidential care to adolescents in urban primary care: clinician perspectives.
Ann Fam Med
.
2011
;
9
(
1
):
37
43
[PubMed]
15
Gold RB. Unintended consequences: how insurance processes inadvertently abrogate patient confidentiality. Guttmacher Policy Rev. 2009;
12
(
4
):12–16
16
Protecting confidential health services for adolescents & young adults: strategies & considerations for health plans. National Institute for Health Care Management Foundation Issue Brief. Washington, DC: National Institute for Health Care Management; May 2011. Available at: www.nihcm.org/images/stories/NIHCM-Confidentiality-Final.pdf. Accessed February 7, 2012
17
Health Level 7 International. HL-7 Child Health Functional Profile Version 1.0 – Pediatric Data Standards Special Interest Group. Final Version 1.0 (May 20, 2007). Ann Arbor, MI: Health Level 7 International; 2007