HIPAA Risk Assessment for Pediatric Practices (2026 Guide)

The short answer

Pediatric practices are HIPAA covered entities like any other provider that bills electronically, and the Security Risk Assessment (SRA) required under 45 CFR 164.308(a)(1)(ii)(A) carries complications that general primary care does not face: parental access rights that shift as the minor ages, emancipated-minor and mature-minor exceptions for sensitive services, vaccine registry reporting, and a FERPA-HIPAA boundary that moves the moment a record crosses into the school nurse’s office. Medcurity’s SRA is built to map those pediatric-specific data flows rather than repurpose a generic primary care template.

How HIPAA applies uniquely to pediatric practices

For most adult patients, HIPAA’s access rules are straightforward: the patient controls their own record. For pediatric patients, who may access a record turns on the child’s age, the state, and the type of service delivered. A HIPAA risk analysis for a pediatric practice has to model that complexity rather than assume the patient is the sole record holder.

Vaccine information systems. Every U.S. state operates an Immunization Information System (IIS), and participation in the federal Vaccines for Children (VFC) program, which most pediatric practices accept, carries IIS reporting obligations for VFC-administered doses. The SRA must inventory the data flow from the EHR to the state IIS, identify the business associate or interface vendor that handles the transmission, and confirm encryption in transit. Keep the roles distinct: the state IIS is a public health authority, so the report itself is a permitted public health disclosure that needs no BAA, but an interface vendor or health information exchange that relays the data on the practice’s behalf is a business associate and does.

FERPA-HIPAA boundary. Pediatric practices regularly send records to schools: vaccination history, physical exam clearances, allergy and medication notes for school nurses, IEP-related medical documentation. Once a FERPA-covered school (any school receiving U.S. Department of Education funds) maintains that copy, it is a FERPA education record and HIPAA no longer governs it. The practice’s own copy remains PHI, and the disclosure that created the school’s copy is the event the practice is accountable for. The SRA needs to map each handoff channel (fax, secure portal, email, parent-delivered) and the authorization or permitted-disclosure basis that covers each one.

School-based health center extensions. Practices operating school-based clinics, mobile units, or summer-camp clinics must extend the SRA to each non-primary location, including portable laptops, paper logs, and the network connections each site uses.

Parental access and the minor confidentiality exceptions

For patients under 18, a parent or legal guardian is generally the minor’s “personal representative” under HIPAA, which means the parent can access the child’s record, authorize disclosures, and revoke authorizations. Three categories of exceptions apply:

  1. State minor consent laws. Most states let minors consent to certain services without parental involvement: STI testing and treatment, contraception, mental health counseling, substance use treatment. For an episode of care the minor lawfully consented to alone, HIPAA’s personal representative rule does not apply. Whether the parent may still see those records is decided by state law, and where state law is silent, by the clinician’s professional judgment; in practice, records from those visits usually cannot be shared with the parent without the minor’s authorization.
  2. Emancipated minors. A legally emancipated minor (by court order, marriage, or military service, depending on the state) is treated as an adult for HIPAA purposes and controls their own record.
  3. Suspected abuse, neglect, or endangerment. A clinician may decline to treat a parent as the personal representative when there is a reasonable belief that the child has been or may be subjected to abuse or neglect by that parent, or that treating the parent as representative could endanger the child, and the clinician judges that doing so would not be in the child’s best interest.

A pediatric SRA must address how the EHR segments these records, who can open “confidential teen” notes, and how the patient portal handles dual access (parent view versus minor view) once a child reaches the age at which state law lets them consent to a given service, typically 12, 14, or 16 depending on the service category. The segmentation has to key on the visit’s service category and the patient’s age on the visit date, not on a single whole-chart age switch: a well-child note written at 9 stays visible to the parent, while a mental health note from a visit the teen consented to alone does not.

Common audit failure modes in pediatric practices

Audit and risk-assessment experience surfaces four recurring failures in pediatric practices:

  1. Patient portal misconfiguration. The parent proxy view keeps showing confidential teen records (mental health, reproductive health, STI testing) after the minor reaches the age threshold for confidential services. Check whether the portal decides visibility per note (service category plus age at the visit) or flips the whole chart on a birthday; the second design either over-exposes or over-hides.
  2. VFC / IIS interface gaps. EHR-to-IIS transmission has no documented encryption in transit, or the interface vendor that relays the data has no BAA on file.
  3. FERPA handoff blur. School record requests are fulfilled without a documented authorization, or under stale “blanket” school authorization forms that no longer match the records being sent.
  4. No minor-specific access controls. Front-desk staff, who often share workstations, can open confidential teen visit notes; role-based access should exclude the front-desk role from those note types entirely, and the access log should show which individual opened them.
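The per-note segmentation described in the section above and the audit check for the portal misconfiguration in item 1, as an added Python example. This is illustrative code written for this guide, not Medcurity’s product or any EHR’s portal logic. The age thresholds, role names, patient data and log format are constructed assumptions for the example and are not any state’s actual minor-consent ages:

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Illustrative policy table (constructed for this example, not any state's
# law): service category -> age at which the minor may consent alone and the
# visit note becomes confidential from the parent proxy.
CONFIDENTIAL_AGE = {
    "mental_health": 12,
    "reproductive_health": 14,
    "substance_use": 16,
}
ADULT_AGE = 18


@dataclass(frozen=True)
class Patient:
    dob: date
    emancipated: bool = False
    proxy_blocked: bool = False   # clinician finding, e.g. suspected abuse


@dataclass(frozen=True)
class Note:
    service: str      # "well_visit", "mental_health", ...
    visit_date: date


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date (birthday-aware)."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def is_confidential(patient: Patient, note: Note) -> bool:
    """Keys on the service AND the age at the visit date, so a mental-health
    note written at 11 stays parent-visible while one written at 13 does not."""
    threshold = CONFIDENTIAL_AGE.get(note.service)
    return threshold is not None and age_on(patient.dob, note.visit_date) >= threshold


def can_view(role: str, patient: Patient, note: Note, today: date) -> tuple[bool, str]:
    """Portal authorization decision for one note. Role names are assumed."""
    if role == "clinician":
        return True, "treating clinician"
    if role == "patient":
        return True, "record subject"   # simplification: subject always sees own notes
    if role == "front_desk":
        if is_confidential(patient, note):
            return False, "front desk excluded from confidential notes"
        return True, "non-confidential note"
    if role == "parent_proxy":
        if patient.emancipated or age_on(patient.dob, today) >= ADULT_AGE:
            return False, "patient controls own record; proxy needs patient's authorization"
        if patient.proxy_blocked:
            return False, "parent not treated as personal representative"
        if is_confidential(patient, note):
            return False, "confidential minor-consent visit"
        return True, "personal representative"
    return False, f"unknown role {role!r}"


def audit_portal_log(log_text: str, patients: dict[str, Patient],
                     notes: dict[str, Note], today: date) -> list[tuple[str, str, str]]:
    """Replay portal access events against the policy and return
    (timestamp, note id, reason) for every view the policy would have denied."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, *kv = line.split()
        f = dict(tok.split("=", 1) for tok in kv)
        allowed, reason = can_view(f["viewer"], patients[f["patient"]], notes[f["note"]], today)
        if not allowed:
            findings.append((ts, f["note"], reason))
    return findings


# Constructed sample data: one patient born 2011-05-10, four notes.
PATIENTS = {"P001": Patient(dob=date(2011, 5, 10))}
NOTES = {
    "N1": Note("well_visit", date(2020, 6, 1)),           # age 9: never confidential
    "N2": Note("mental_health", date(2024, 1, 15)),       # age 12: confidential
    "N3": Note("mental_health", date(2022, 8, 1)),        # age 11: predates threshold
    "N4": Note("reproductive_health", date(2025, 6, 1)),  # age 14: confidential
}
TODAY = date(2025, 9, 1)

# Constructed portal access log (not real data).
SAMPLE_LOG = """\
2025-09-01T09:00:00 viewer=parent_proxy patient=P001 note=N1
2025-09-01T09:01:00 viewer=parent_proxy patient=P001 note=N2
2025-09-01T09:02:00 viewer=parent_proxy patient=P001 note=N3
2025-09-01T09:03:00 viewer=front_desk patient=P001 note=N4
2025-09-01T09:04:00 viewer=patient patient=P001 note=N4
2025-09-01T09:05:00 viewer=clinician patient=P001 note=N2
"""

if __name__ == "__main__":
    for ts, note_id, reason in audit_portal_log(SAMPLE_LOG, PATIENTS, NOTES, TODAY):
        print(f"{ts} note={note_id}: {reason}")
```

Run as a script it prints the two views the policy denies: the parent proxy opening the confidential mental health note N2, and the front desk opening N4. Note N3 is a mental health note too, but the visit predates the threshold, so the parent’s view of it is legitimate; that is the case a whole-chart age switch gets wrong in one direction or the other. For a real review, replace SAMPLE_LOG with the portal’s access log export and the policy table with the thresholds from the practice’s state.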

The Medcurity approach for pediatric practices

Medcurity’s SRA is configured to walk pediatric practices through the data flows that matter: parent portal access logic, VFC vaccine registry interfaces, school record handoffs, and confidential teen visit segmentation. Policy templates address state-specific minor consent rules (since these vary widely), and the workforce training module includes pediatric-specific modules on personal representative rules, FERPA-HIPAA boundaries, and confidential teen documentation. Pricing starts at $499/year for the SRA tier; the SRA + Compliance bundle at $949/year adds policy templates and ongoing training tracking. Pediatric groups with multiple offices use the same multi-site scoping built for federally qualified health centers — flat-fee, not per-seat.

Frequently asked questions

At what age does a child control their own HIPAA record?

At 18 in most states. State minor consent laws give earlier control for specific services (mental health, reproductive health, substance use), commonly at 12 to 16 depending on the service and the state, and legal emancipation confers full control earlier.

Do pediatric practices need a separate SRA from other primary care practices?

No, but the SRA has to address pediatric-specific data flows: VFC registry interfaces, school record handoffs, parent portal access logic, and confidential teen visit segmentation. A generic primary care SRA template typically misses these.

Is the school nurse a HIPAA business associate?

Generally no. A school nurse employed by a FERPA-covered school is not performing a function on the practice’s behalf, and once the school maintains the record it is a FERPA education record rather than PHI. What the SRA must document is the handoff from the practice to the school: a disclosure to the nurse for the child’s treatment needs no authorization, proof of immunization to a school legally required to have it can go on the parent’s documented agreement, and records sent for the school’s own purposes (sports clearance, enrollment forms) need a signed authorization. A school-based clinic the practice itself operates is part of the practice and stays under HIPAA.

How often should a pediatric practice update its HIPAA risk assessment?

At least annually, and after any material change — new EHR module, new patient portal version, new state law affecting minor consent thresholds, new VFC registry interface, or a security incident.

What does HIPAA compliance cost for a pediatric practice?

Medcurity SRA starts at $499/year for single-site practices and $949/year for the SRA + Compliance bundle including policy templates and workforce training.

Schedule a Medcurity pediatric-fit walkthrough →

Related guides