The general principle used by HIPAA is a simple one: if a person has a right to make a health care decision, then he/she has the right to control information associated with that decision.
Parents generally have the right to make health care decisions for their children and so are by default considered the personal representatives for decisions about protected health information (PHI) access, use and disclosure for unemancipated minors. This would also be true in the case of a guardian or other individual acting in loco parentis. However, minors as they grow older have varying degrees of "emancipation" for health care decision-making, and so, with that, comes control over PHI associated with those decisions
Accordingly, the general rule of parental/personal representative control for minors' PHI is subject to three important general exceptions:
when state law does not require consent of a parent/personal representative before a minor can obtain a particular form of treatment (e.g., HIV testing, mental health services), the minor controls information associated with that treatment;
when a court determines or other law authorizes someone other than the parent to make treatment decisions for a minor, that other person or entity controls the information associated with the controlled treatment (it may in some cases be the minor him- or herself);
when a parent/personal representative agrees to a confidential relationship between a health care provider and a minor, the personal representative does not have access to information associated with that agreement (unless the minor permits it).
Even in these "exceptional" situations, however, state laws which specifically address disclosure of health information about a minor to a parent/personal representative preempt HIPAA, regardless of whether they prohibit, mandate or allow discretion about a disclosure. While HIPAA generally allows preemption by state privacy laws only where they are "stricter," this is an area of almost total deference.