Pediatric AI Compliance: HIPAA Minor Record Rules, COPPA, and State Parental Consent Requirements

Published February 25, 2026 Reading time ~11 min Category Pediatric Compliance

Pediatric healthcare presents a unique compliance challenge: patients lack legal capacity to consent to their own care, parental rights are legally protected, and minors have their own privacy rights that can conflict with parental access in specific circumstances. AI systems deployed at pediatric practices, children's hospitals, and adolescent health clinics must navigate HIPAA minor record provisions, COPPA's requirements for data about children under 13, and a patchwork of state laws that grant minors independent consent rights for sensitive health services.

73.1M

Children under age 18 in the U.S. (U.S. Census Bureau 2023)

Every one of these children is a potential patient at a covered entity, and their health records carry special legal protections. COPPA applies to online services collecting data from children under 13; HIPAA's minor record provisions apply regardless of age; and state laws in California, New York, Texas, and 47 other jurisdictions add overlapping requirements that vary significantly by service type.

HIPAA's Minor Record Rules

HIPAA's Privacy Rule at 45 CFR §164.502(g) addresses minor patient records through three key provisions that directly affect AI system design:

Parental right to access: When a parent, guardian, or person acting in loco parentis is the personal representative of a minor, they generally have the right to access the minor's PHI — and AI patient portal systems must enforce this access relationship correctly
Three exceptions where minors control their own records: (1) The minor lawfully receives care without parental consent and the minor has not requested parental access; (2) A court has authorized the minor to consent; (3) A parent agrees that the minor and provider have a confidential relationship
State law deference: Where state law gives minors the right to consent to a healthcare service independently (common for STIs, mental health, substance use, contraception, and reproductive care), HIPAA defers to state law — the minor, not the parent, controls access to those records

FTC COPPA Enforcement: Children's Hospital Network App

$5,800,000 FTC Settlement

Context: FTC enforcement of COPPA against healthcare app operators collecting children's data
Violation Type: Collecting persistent identifiers and health data from children without verifiable parental consent
Regulation: Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §6501-6506
Lesson for AI: Any AI patient portal or communication tool that collects data from users under 13 must comply with COPPA's verifiable parental consent requirements before collecting any personal information

COPPA Requirements for Pediatric Health AI

COPPA applies to operators of websites and online services directed to children under 13, or operators who have actual knowledge they are collecting information from children under 13. Healthcare AI platforms that interact with pediatric patients must comply with COPPA when:

The AI platform has a patient-facing interface (portal, chatbot, or app) that minor patients can access
The platform collects persistent identifiers (device IDs, cookies, session tokens) from users who may be under 13
The AI processes demographic data that reveals the user's age to be under 13

COPPA + HIPAA Double Compliance Requirement: A patient portal that allows a 10-year-old patient to log in and view appointment information is subject to BOTH HIPAA (as PHI) AND COPPA (as personal data from a child under 13). The platform must obtain verifiable parental consent before collecting any personal information from the child-user AND comply with all HIPAA security requirements for the health data. Most generic AI platforms are not designed to handle this dual compliance requirement.

State Minor Privacy Laws Affecting AI

Key state law provisions that AI systems must accommodate by practice location:

California (CA Health & Safety Code §123110-123111): Minors 12 and older may consent to outpatient mental health treatment; those records are not accessible to parents without minor consent
California (CA Family Code §6925-6929): Minors may consent to treatment for sexual assault, STIs, drug abuse, and certain mental health services — creating records parents cannot access through AI patient portals
New York (NY Public Health Law §17): Minors 12 and older may consent to HIV testing; records are confidential from parents
Texas (TX Family Code §32.003): Minors may consent to treatment for STIs, substance abuse, and suicidal behavior — creating segregated record sets that AI portals must exclude from parental views
All 50 states: Minors in emergency situations where delay would endanger health can receive treatment without parental consent; those records have complex access rules

Pediatric AI Compliance Checklist

Pediatric AI System Requirements

Age Detection and COPPA Screening
AI patient portals must detect user age at registration and implement COPPA-compliant verifiable parental consent workflows for users under 13. Age gates alone are insufficient — the FTC requires actual verification mechanisms.

Minor-Consent Record Segmentation
AI systems must be configurable to exclude minor-consented records (STI, mental health, reproductive care) from parental portal access. This requires EHR integration that supports record segmentation by consent type.

Personal Representative Verification
AI systems granting access to minor patient records must verify the relationship of the requesting party. A caller claiming to be a parent must be verified through the practice's established identity verification process — AI should not release minor PHI to unverified callers.

State Law Configuration by Practice Location
Multi-location pediatric practices must configure AI minor-record access rules per state. A California pediatric practice has different minor consent carve-outs than a Texas practice. The AI must enforce state-specific rules based on the practice location serving the patient.

Immunization Record Access (FERPA Intersection)
When a pediatric patient is also a student, immunization records shared with schools may be subject to FERPA (Family Educational Rights and Privacy Act) rather than HIPAA. AI systems must not be used to share immunization records with educational institutions without confirming the applicable legal framework.

Communication to Minor vs. Parent
AI appointment reminders for minor patients should go to the parent/guardian on file, not to the minor's contact information, except where the minor has consented to their own care and the communication relates only to that service. Sending appointment details for a minor's STI treatment to a parent's phone number is a HIPAA violation.

Frequently Asked Questions

Can parents always access their child's medical records through an AI patient portal?

Generally yes, but with important exceptions. Parents have access rights as personal representatives of minor children, but HIPAA's 45 CFR §164.502(g) creates exceptions when the minor has legally consented to their own care. In those situations, parents may not have access to those specific records. AI patient portal systems must implement granular access controls that exclude minor-consented records from parental views.

Does COPPA apply to a pediatric practice's patient portal?

COPPA applies if the portal allows users under 13 to log in and the portal collects personal information from those users. Most pediatric patient portals do allow minor patients to access their own records, creating COPPA applicability. Practices should implement age-appropriate access design: portals for children under 13 accessible only through parent login, with separate adolescent-appropriate access controls for teens 13-17.

What AI features are most valuable for pediatric practices?

The highest-value AI applications for pediatric practices include: well-child visit scheduling automation (reducing the scheduling burden for annual visits across thousands of patients), immunization reminder workflows (critical for maintaining vaccination schedules), after-hours nurse triage routing, insurance verification for CHIP and Medicaid (the most common payer mix in pediatrics), and parental education content delivery following appointments.

How should AI handle a parent requesting a minor's confidential records?

AI systems should be configured to route all requests for records involving minor-consent services to a human staff member who can evaluate the request against applicable state law. The AI should not autonomously determine whether a parent has access rights to specific minor records — that determination requires legal and clinical judgment that AI should support, not replace. The AI can surface the relevant state law provisions and flag the record type for staff review.

What is the HIPAA rule for minor patient appointment reminders?

HIPAA's minimum necessary standard applies to appointment reminders for minor patients. Reminders should go to the parent or guardian contact on record, except where the minor has consented to their own care — in which case, reminders for that specific service should go only to the minor's contact, not the parent. AI reminder systems must implement this routing logic based on the service type and minor consent status documented in the EHR.

Pediatric-Ready AI with Built-In Minor Record Protections

Claire's configurable access controls support state-specific minor consent carve-outs, COPPA compliance, and parental portal management — designed for children's hospitals and pediatric practices.

Book a Demo See How It Works