Of all the new laws that went into effect on January 1, 2024, one in particular continues to cause confusion and concern regarding access to records of mental health recipients. Specifically, Public Act 103-0474, in part, amended the Mental Health and Developmental Disabilities Confidentiality Act by establishing a new category of persons entitled (upon request) to inspect and copy a recipient’s record or any part of the same.¹ The law now recognizes requests for access to records by “the personal representative under HIPAA, 45 CFR 164.502(g), of a recipient, regardless of the age of the recipient.”²

For context, access to certain records, such as those of a recipient between the ages of 12 and 17, have historically been afforded strict processes and protections, particularly when a recipient objects or when a therapist determines there are compelling reasons for a denial of access.³ However, this new law, ushered in by certain advocates, injects a broad new provision that carries implications for a wide variety of mental health recipients, especially those between the ages of 12 and 17 who have historically been assured they have some autonomy over their records.⁴ Indeed, the amendment upends some of these well-established frameworks and presents just as many questions as answers. The provision has already prompted several considerations for practitioners, which are set forth below. The ongoing issues from this new law are not merely academic, but will likely arise in everyday practice for therapists, providers, and those whom they serve.

Who Qualifies as a Personal Representative?

Under the new law, a personal representative may initiate a request to inspect or copy a recipient’s record.⁵ By its own language, the Illinois law for the descriptor of “personal representative” cites to HIPAA as well as the accompanying Code of Federal Regulations (“CFR”).⁶ Accordingly, practitioners should be mindful of any changes and commentary on HIPAA’s own consideration of the phrase and how it has evolved alongside caselaw. Currently, the cited provision in the CFR simply sets out that “a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.”⁷ The Federal Register includes a fuller discussion of “personal representative” and its legislative development as a limited category: “[i]n general, under the final regulation, the ‘personal representatives’ provisions are directed at the more formal representatives, while [a separate rule provision] addresses situations in which persons are informally acting on behalf of an individual.”⁸ The same content from the Federal Regulation goes on to provide additional insight into the original purpose of the category by  relaying, “[w]e make disclosure to personal representatives mandatory to ensure that an individual's rights [] are preserved even when individuals are incapacitated or otherwise unable to act for themselves to the same degree as other individuals. If the covered entity were to have the discretion to recognize a personal representative as the individual, there could be situations in which no one could invoke an individual's rights under these sections.”⁹ Thus, the nuance that accompanies the cited provisions found in HIPAA is noticeably absent in this new Illinois framework. Meaning, the (arguably) broad provision now found in the Illinois framework for access is incongruent with the original design of its federal counterpart. Instead, Illinois appears to have conflated the CFR’s separate approach to informal requests (made by family members and related individuals) with the CFR’s other formal framework for “personal representatives”.¹⁰ The result is a broad and unwieldy state law.
Some state courts have previously contemplated and firmed up their region’s own law on this phrase and its relation to the CFR and HIPAA. For instance, a reviewing court in California noted, “[i]n substance, a personal representative is defined as a person who holds a healthcare power of attorney for an adult, a parent or guardian of a minor, or an executor or administrator of an individual's estate. Attorneys retained by an individual are not included in the definition of a personal representative.”¹¹ Other states have taken efforts to legislate their own definition of “personal representative” in similar frameworks and have corresponding state law that contemplates who is included in such a category.¹²

For now, Illinois law on this novel phrase remains tethered to HIPAA’s own statutory guidance (or lack thereof). Accordingly, the Federal Regulations may provide some insight and arguments for (or against) someone’s role as a “personal representative”. In any event, Illinois healthcare providers and their staff are now tasked with an unenviable role of sorting out a requesting party’s status and qualifications for each request. Moreover, as detailed next, providers should also consider applicable factors that may very well disqualify a person from being considered a “personal representative” in certain circumstances.

When May an Entity Elect Not to Treat a Person as a Personal Representative?

Because the new Illinois law for accessing records by a personal representative is anchored in the CFR and HIPAA’s definition of the same, practitioners and providers should heed the CFR’s own provisions that detail when a covered entity may elect not to treat a person as the personal representative of an individual.

First, those who would otherwise qualify as personal representatives can “assent to an agreement of confidentiality between a covered health care provider and the minor” with regard to health care services.¹³ Meaning, parents or guardians can yield their ability to invade such records by agreeing that the services between a provider and a minor are confidential. If a parent or guardian assents to an agreement of confidentiality between a minor and their provider, a covered entity may then provide or deny access to that parent or guardian, if such action is consistent with State (or other applicable law), and “provided that such decision [to provide or deny access] must be made by a licensed health care professional, in the exercise of professional judgment.”¹⁴ Put together, it is expected that, given the new law in Illinois on this issue, providers might now regularly seek written assent to an agreement of confidentiality from parents and guardians at the outset of services when minors are involved. Further, providers and practitioners should consider drafting language for such agreements that accommodate any foreseeable (or even unforeseeable) revocations or challenges to said agreements.

Second, even if a parent or guardian otherwise qualifies as a personal representative and seeks access to certain records of a minor, an additional analysis should occur wherein the provider determines whether to recognize that individual in their capacity as a personal representative. Specifically, the federal provisions set out several scenarios in which an entity may decide not to recognize someone as a personal representative in conjunction with a request for access to records:
Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:

(i)The covered entity has a reasonable belief that:

(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or

(B) Treating such person as the personal representative could endanger the individual; and

(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual’s personal representative.¹⁵

This statutory safeguard provides an entity multiple pathways for denying access to a putative personal representative. Accordingly, if confronted with a request by a purported personal representative, providers and their staff should consider whether a reasonable belief exists as to any of these elements. Such internal inquiry and reflection by the provider should contemplate not only whether there is a reasonable belief concerning prior instances of violence, abuse, or neglect associated with the requesting individual, but providers should also contemplate prospective harms associated with that same requesting party and the recipient of services. It is expected that some scenarios will be heavily fact-dependent and turn on a few central issues such as: whether an entity’s beliefs are reasonable (and why); what amounts to the “best interest” of a recipient as it relates to a request; or even what behavior or actions qualify as to mean “endanger” under the provision. Regardless, an analysis and consideration of whether to treat someone as a “personal representative” can only be achieved on a case-by-case basis and (ideally) with the involvement of those who are familiar with the recipient and their personal circumstances (in contrast to a keeper of records who may be unaware of or unfamiliar with the nuances of each matter).

Harmonizing the Current Statute and Its Contradictions

Another glaring issue under the new law is how it should be read alongside 740 ILS 110/4(a)(3)’s current language and protections for recipients between the ages of 12 and 17. For instance, existing law therein allows access to records for the “parent or guardian of a recipient who is at least 12 but under 18 years, if the recipient is informed and does not object or if the therapist does not find that there are compelling reasons for denying the access.”¹⁶ However, a dilemma arises when a requesting party (such as a parent), who also qualifies as a personal representative, makes a request to inspect a 16-year-old recipient’s records, for example.

Historically, providers would assess whether the recipient was informed and did not object or whether the therapist concluded that there were not any compelling reasons for denying the request.¹⁷ However, the new law (which follows directly in statutory sequence) specifically grants access to a personal representative for records of a recipient, regardless of their age. Furthermore, a separate issue arises in those instances where a parent does not qualify as a personal representative due to an entity’s reasonable belief of past neglect, but that same parent otherwise asserts that their request for certain information is instead in accordance with provisions of 740 ILCS 110/4(a)(3). Bedrock principles of statutory construction command that the provisions should be read in harmony, when possible. But again, the burden of demystifying this statutory quagmire may regularly fall upon everyday healthcare providers and well-meaning therapists.

Conclusion

Settled law may become unsettled. Similarly, established workflows, forms, and boilerplate analyses by providers that were once all-encompassing may require reconsideration and refinement. While this article highlights several known and expected issues with this new law, others abound. For instance, providers are sometimes contacted to enter a statement concerning new or disputed information associated with a record and the authority to do this is described as belonging to “any person entitled to access,”¹⁸ which may now include personal representatives who harbor unclear personal agendas. Overall, there are two likely paths ahead (not mutually exclusive) for clarity on these new statutory issues: litigation and legislation; for providers and their advisors, the latter should be a priority.

---

Matthew R. Davison is an attorney with the Monahan Law Group, LLC, in Chicago. The firm focuses its practice in mental health, confidentiality, guardianship, probate, and health care law. He may be contacted at mdavison@monahanlawllc.com.