Parents sue after Minnesota hospital blocks access to child's records

A hospital's policy of cutting off parental MyChart access when children turn 12 has triggered a federal lawsuit, an OCR complaint, and a formal Dear Colleague letter to the entire healthcare industry.

What happened

Shaun and Katherine Johnson have filed suit against Fairview Health Services in Minnesota after the hospital blocked their access to their 15-year-old daughter's medical records through the MyChart patient portal when she turned 12. According to the Center for Individual Rights (CIR), the non-profit public interest law firm representing the family, the Johnsons' daughter was diagnosed with mosaic Turner syndrome at age 11, a rare chromosomal condition requiring lifelong cardiac monitoring. Fairview's policy terminates parental MyChart proxy access for children aged 12 and over unless the child agrees to a private interview with hospital staff and consents to restoring access. The Johnsons declined to subject their daughter to an unsupervised interview and were refused full access. When they submitted a formal records request under HIPAA's Right of Access, they received a partial copy three weeks later that lacked medical images, which Fairview only provides through MyChart, making it inadequate for ongoing cardiac care management. The lawsuit seeks a declaratory judgment and permanent injunction requiring Fairview to provide unrestricted parental access to the child's records.

Going deeper

CIR filed an initial complaint with HHS OCR in early 2025 alleging Fairview's blanket policy violated HIPAA's Privacy Rule, which grants parents the right to access their minor children's protected health information (PHI) except in narrowly defined circumstances. According to the HHS OCR complaint, OCR responded, confirming that parents are permitted access to their minor child's records under HIPAA and recommended filing a second complaint if access was not restored. When access remained blocked six weeks later, CIR filed a second complaint, which remains pending. OCR subsequently issued a "Dear Colleague" letter to the broader healthcare community confirming that, absent special circumstances, providers may not impose additional limitations on parental access to minor children's medical records beyond what HIPAA permits. Fairview's policy is based on its interpretation of the Minnesota Health Records Act, which gives minors aged 12 to 17 the right to control access to records related to pregnancy, STDs, physical or sexual abuse, and substance abuse. CIR argues that federal law preempts the state interpretation Fairview is applying, and that none of the Minnesota statutory exceptions cover the cardiac monitoring records at issue.

What was said

Shaun Johnson stated in comments published by the Center for Individual Rights, "When your child is diagnosed with a serious condition, every appointment, test result, and next step matters. Instead of allowing us to manage her care through the normal MyChart system, Fairview forced us into a delayed, inadequate, and burdensome workaround." CIR Litigation Director Caleb Kruckenberg stated, "A hospital cannot apply state law to lock parents out of their own child's medical records. Federal law is supreme. Our federalist system is built to better protect individual rights in this case, the parental right to supervise and participate in a minor child's medical care."

In the know

The OCR "Dear Colleague" letter prompted by this case carries significance beyond the Johnsons' situation. When OCR issues guidance to the healthcare community in response to a complaint, it signals the agency considers the practice at issue to be sufficiently widespread to warrant proactive industry notification. MyChart proxy access restrictions for minors are applied across dozens of health systems nationwide using variations of the same age-based policy structure Fairview uses. According to Fairview's own medical records policy page, the hospital provides full proxy access for children aged 0 to 11, partial proxy access for ages 12 to 17 excluding the state law categories, and full proxy access for that age group only with the child's explicit consent. If courts or OCR enforce the Johnsons' position broadly, health systems across the country will need to reassess MyChart access configurations for pediatric patients.

The big picture

The case sits at the intersection of two distinct compliance obligations that pull in different directions. HIPAA grants parents broad access to their minor children's PHI. State minor consent laws protect adolescents' privacy in specific sensitive health categories. The question the lawsuit forces into court is which framework governs when the two conflict and whether a hospital can use a state law exception as the basis for a blanket access restriction that goes further than the state law itself requires. For healthcare compliance officers managing patient portal configurations, the outcome will have direct operational implications. A ruling that federal preemption applies broadly could require health systems to restore full parental proxy access for minors in categories beyond the narrow HIPAA exceptions, while a ruling for Fairview could confirm that state law exceptions can justify wider access restrictions than HIPAA's text alone would support.

FAQs

What does HIPAA say about parental access to a minor child's medical records?

HIPAA's Privacy Rule generally treats a parent or legal guardian as the personal representative of a minor child, granting them the right to access the child's PHI. Exceptions apply when the minor consents to care and the parent is not required to consent, when a court has granted the minor authority over their own health decisions, or when a provider determines that releasing information to the parent would endanger the child.

Why does the Minnesota Health Records Act create a conflict with HIPAA here?

Minnesota law gives minors aged 12 and over the right to control access to records involving pregnancy, STDs, abuse, and substance use. Fairview extended that principle into a blanket policy requiring child consent for all parental proxy access. CIR's argument is that applying the state exception categorically to all records not just the sensitive categories Minnesota law covers goes beyond what state law requires and conflicts with HIPAA's broader parental access right.

What is a "Dear Colleague" letter from OCR and what does it mean?

OCR issues Dear Colleague letters to provide industry-wide guidance on how it interprets HIPAA requirements. The letter prompted by this case confirms that providers may not add restrictions on parental access beyond what HIPAA expressly permits. While not legally binding in the way a regulation is, Dear Colleague letters signal OCR enforcement priorities and are widely followed by covered entities.

Why does the inability to access medical images through MyChart matter specifically?

Fairview only provides medical images electronically through the MyChart portal. The paper records request the Johnsons submitted returned text records but not images, which are essential for monitoring their daughter's cardiac condition. The gap between what the paper process provides and what the portal provides is what makes the access restriction clinically consequential rather than merely inconvenient.

What does this case mean for other health systems using age-based MyChart access restrictions?

Any health system that applies a blanket policy cutting off or restricting parental proxy access for minors above a certain age should review whether that policy goes beyond what HIPAA and applicable state law actually require. If the lawsuit or a pending OCR investigation results in enforcement guidance, health systems with similar configurations will face pressure to revise their patient portal access policies.