The HIPAA Privacy Rule requires you to verify the identity and authority of a person requesting protected health information (PHI) unless the person is already known by your organization. The rule is flexible about how you get verification. However, there are basic guidelines on how you should verify different requesters. This blog looks at:
- How you should verify requests from a variety of different requesters
- How to verify identity through phone, email, and other media
- What documentation you should retain
- When you don’t need to get verification
Verification for Different Requesters
- Patient request. A patient is entitled to their own PHI. When they request their records, they should present a photo ID or other information you can use to identify them. Any other person requesting the patient’s PHI must make the request in writing and get it signed and validated.
- Public official or law office. To verify the identity of a public official, you must get a written statement of their identity on agency letterhead, an ID badge, or similar identifier, such as a .gov email address. To verify their authority to request PHI, they must present a written statement on agency letterhead stating the legal authority for requesting the release of information. Showing an ID badge and verbally stating the need for the request is insufficient. Note: Law enforcement is not typically entitled to PHI without a court order, warrant, or patient authorization. However, certain situations allow you to disclose PHI to law enforcement.
- Requester acting on behalf of a government agency. Sometimes an organization will act on behalf of a government agency. In this case, you should examine documents supporting this claim, such as a contract or other official statement.
- Legally authorized representative. If a legally authorized representative of a patient makes a request, confirm that they are the patient’s legal representative in the medical record. They may present a photo ID, a valid power of attorney for health care, court order, or other verification of their identity and authority as a representative.
- Request on behalf of a minor. A person making a request on behalf of a minor should present a birth certificate, power of attorney, letter of guardianship, court order, or other evidence of their relationship to the minor and/or their authority to act on the minor’s behalf.
Sometimes you may verify with electronic documents, such as a scanned PDF, or you may get a person’s electronic signature. Other times, such as in a phone call, you may not be able to get a document or signature. Follow the guidelines below:
- Face-to-Face. The requester should present a government or State issued photo ID, such as a driver’s license or passport.
- Phone. Ask for the requester’s full name and two identifying pieces of information, such as their date of birth or the last four digits of their social security number.
- Mail. Have the requester supply the minimum identifying information, like in a phone call, but accompanied by a signature. Compare the signature on the request with the patient’s signature in their medical record.
- Email. Make sure the requester’s email address matches the patient’s email address on record. Again, you need the minimum identifying information. However, remember that unsecured email is not HIPAA compliant, and information sent this way is unsecured.
- Fax. A faxed document should be on an agency or official letterhead to confirm the identity of the requester.
According to the TMA Privacy and Civil Liberties Office, “a covered entity must keep an accounting of disclosures of PHI, except…for the purposes of treatment, payment, or healthcare operations.” You should maintain the following documentation:
- Face-to-face, mail, email, or fax request. Maintain the requester’s signature, the date of the request, and the requester’s contact information.
- Phone request. Document the names of call participants, the number source, and the callback number provided by the requester.
You should file your verification methods and documents or note them in the patient’s medical record. If feasible, retain original copies. If not feasible, retain a copy of your verification documents.
When Verification is NOT Required
In the following situations, HIPAA doesn’t require you to get verification:
- In cases of an imminent safety threat, if you believe in good faith that disclosing PHI is necessary, you can disclose to a person reasonably able to prevent or lessen the threat. In this emergency situation, verbal verification is sufficient. Similarly, you can disclose without verification in a disaster to notify public or private entities that will assist in disaster relief.
- You do not need to verify the identity or authority of family, relatives, and friends that the patient has identified as involved in their healthcare.
- Verification of authority is not required to disclose from the facility directory. A facility directory is a listing of all the individuals in the facility. You can disclose the patient’s name, location in the facility, general condition, and religious affiliation only to requesters asking for the individual by name or to clergy members.
- You can disclose PHI without verification to notify family members, personal representatives, or other people responsible for the person’s healthcare of the person’s location, general condition, or death.
- You can disclose PHI without verification when the patient is present. When the patient isn’t present, such as when a family member picks up a prescription for them, you may use professional judgement and allow a person to pick up the prescription on the patient’s behalf.
Underlying HIPAA verification is every employee’s professional judgment. No matter which documents or identifying pieces of information you ask for, you should use professional judgment as you determine the person’s identity and authority to make the request. However, you must still have guidelines in the form of policies and procedures to help employees verify requests for PHI.
The HIPAAtrek platform makes it easy to update your policies and procedures and share them with your entire team. HIPAAtrek is a cloud-based HIPAA management solution designed to streamline your HIPAA compliance. Policies and procedures, as well as timely staff training, are key to a successful HIPAA program. Contact us today to see how HIPAAtrek can fit in with your current workflow.