This page addresses follow-up questions and additional information pertinent to our webinar
Release of Information: Advanced Scenarios and Hot Topics.
** The coding information and guidance are valid at the time of publishing. Learners are encouraged to research
subsequent official guidance in the areas associated with the topic as they can change rapidly.

Q:  Do the minor consent laws only apply to sensitive diagnoses, or is the scope broader than that?

A:  Minor consent laws most often relate to specific types of services, particularly those considered “sensitive” – such as sexual and reproductive health, mental health care, substance use treatment, or testing and treatment for sexually transmitted infections. However, the scope isn’t always limited to these specific services. In some states, minors may also consent to services like immunizations or general health screenings, depending on the state statute. These laws vary widely by state, so it’s essential to do your research and ensure your resources are up to date.

The National Center for Youth Law maintains an excellent resource which summarizes each state’s laws: Minor Consent and Confidentiality: A Compendium of State and Federal Laws

Q:  What documentation must be included to meet HIPAA’s Satisfactory Assurances process when responding to a subpoena for medical records without patient authorization?

A:  Under the HIPAA Privacy Rule (§164.512(e)), medical records may be disclosed in response to a subpoena without patient authorization only if the covered entity receives “satisfactory assurances” that reasonable efforts have been made to notify the individual whose information is requested.

These assurances must include written documentation showing that the requesting party has:

1. Contacted the individual in writing;
2. Informed the individual of the request and provided details on how to object;
3. Allowed a reasonable time for the individual to object (the “objection period” starts on the date of notification).

The documentation accompanying the subpoena must clearly demonstrate that these steps were completed and that the individual either did not object or that any objection was resolved (such as by court order).

Important: While HIPAA provides a federal baseline, state laws may impose additional requirements — including mandating patient authorization regardless of the HIPAA process. Always review and comply with applicable state law to determine whether authorization is required in your specific jurisdiction.

Here’s a helpful reference from HHS’s HIPAA For Professionals website: https://www.hhs.gov/hipaa/for-professionals/faq/706/what-satisfactory-assurances-must-a-covered-entity-receive-before-it-responds-to-a-subpoena/index.html

Q: I have a follow-up question to the first scenario you reviewed. If the son is still on his mother’s insurance plan, can the provider release his records to her under treatment, payment, and operations (TPO)?

A: Generally, no — the provider should not release the adult child’s records to the parent without the patient’s written authorization, even if the request is for a TPO purpose. Once a child reaches the age of majority (typically 18), they control access to their protected health information under HIPAA, regardless of who is paying for the care or holds the insurance policy.

This can be confusing because under the Affordable Care Act, young adults can remain on a parent’s insurance plan until age 26. However, being a dependent on an insurance plan does not override the adult child’s HIPAA privacy rights. A parent may still receive insurance communications (like Explanation of Benefits, or EOBs), unless the adult child requests a confidential communication directly to themselves — a right granted under HIPAA. However, the insurer is not always required to grant the request, unless the individual states that the disclosure could endanger them.

Important: Some state laws may offer even stronger privacy protections for adult children, particularly around reproductive health, mental health, or substance use. Covered entities should always check applicable state law before making a disclosure.

Looking for additional information on this topic?