Under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), understanding what counts as a “reasonable effort” when verifying the identity of a person requesting protected health information (“PHI”) is vital to compliance. Many covered entities are left asking what a “reasonable effort” is under HIPAA and, further, whether it is appropriate to release PHI over the telephone.
HIPAA requires a covered entity to take reasonable steps to verify the identity of an individual making a request for access. The Rule does not mandate any particular form of verification (such as obtaining a copy of a driver’s license), but instead leaves the type and manner of the verification to the discretion and professional judgment of the covered entity, so long as the verification processes and measures do not create barriers to or unreasonably delay the individual from obtaining access to her PHI.
45 C.F.R. § 164.514(h) provides that prior to any disclosure permitted, a covered entity must:
- Verify the identity of a person requesting PHI and the authority of any such person to have access to PHI, if the identity or any such authority of such person is not known to the covered entity; and
- Obtain any documentation, statements, or representations, whether oral or written, from the person requesting the PHI when such documentation, statement, or representation is a condition of the disclosure.
This means that a covered entity must verify the identity of the person requesting PHI and obtain any documentation necessary to do so. Further, a covered entity may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, meet the above requirements. Covered entity employees may therefore use their professional judgment and will not be held liable if the representations appear reasonably reliable. If a covered entity’s professionals rely on the exercise of professional judgment in making a use or disclosure in accordance with other HIPAA regulations, or act in good faith, the verification requirements are considered fulfilled.
While the Privacy Rule allows covered entities to require that individuals request access to PHI in writing and to require verification of the identity of the person requesting access, a covered entity may not impose unreasonable measures on an individual requesting access that serve as barriers to, or unreasonably delay, the individual obtaining access. For example, a covered entity may not require an individual:
- Who is requesting that a copy of his or her medical record be mailed to his or her home address to physically come to the doctor’s office to request access and provide proof of identity in person.
- To use a web portal for requesting access, as not all individuals may have access.
- To mail an access request, as this would unreasonably delay the covered entity’s receipt of the request and, in turn, the individual’s access.
HIPAA does not mandate specific methods of identity verification. Accordingly, the covered entity has discretion to choose how it wants to verify the identity of someone who is requesting PHI. As long as the covered entity has reasonable processes in place to verify individuals requesting PHI, it is HIPAA compliant. Even if the information used for verification could be easily found on the internet, relying on it does not by itself make the release of the PHI noncompliant with HIPAA. If a covered entity employee has reason to doubt a person’s identity, he or she should pursue other means of verification, provided that those other means do not serve as a barrier to access.
Best Practices
As discussed above, HIPAA requires caution in releasing PHI but is flexible regarding how a covered entity verifies the person making the request. The following is a list of circumstances and appropriate verification for each:
In Person
- Valid Photo ID, Driver’s License, or Passport
Mail/E-Mail
- Signature validation: Compare the signature on the mailed request with the patient’s signature on file in the EHR.
- Address verification: the mailing address or email address must match that provided by the patient previously and listed in the EHR.
- Requests to send records to someone other than the patient must be in writing and signed by the patient.
Phone
- If the request is from the patient, ask for the patient’s full name and at least two other identifiers from the following list:
  - Patient’s date of birth, address, emergency contact name, phone number, or last four digits of their SSN.
- Request a recent date of service or invoice number for billing questions.
- If an individual makes a request as a legal representative or on behalf of a minor, be sure that there is evidence of the relationship and that the requesting individual has authority as the minor’s representative. For example, you could verify that the child is listed on the parent’s health insurance plan as a dependent, or request a copy of the minor’s birth certificate.
- If doubt persists, call the patient back using the phone number listed in the EHR.
- When the request is made over the phone to mail records, the records should be sent to the address in the EHR. Requests to send records to someone other than the patient must be in writing and properly validated, preferably with the patient’s signature.
Please note, if a teen has consented to his or her own care and has not consented to disclosure to a parent, those records cannot be released to the parent.
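The phone-verification rule above (full name plus at least two of the listed identifiers, records mailed only to the address on file, callback when doubt persists) can be written down as a checkable policy. The following is an added illustration, not code from the blog post or from any EHR product; the record fields and the sample patient are constructed.

```python
# Added example: a policy check for PHI requests made by phone, following the
# rule in the post. The EHR record layout and sample data are constructed.
import re
from dataclasses import dataclass

# Identifiers the post lists as acceptable beyond the full name.
SECONDARY_IDENTIFIERS = ("dob", "address", "emergency_contact", "phone", "ssn_last4")

# Constructed sample record standing in for what the EHR has on file.
EHR_SAMPLE = {
    "full_name": "Jane Q. Doe",
    "dob": "1980-04-02",
    "address": "12 Elm St, Boise, ID 83702",
    "emergency_contact": "John Doe",
    "phone": "(208) 555-0100",
    "ssn_last4": "1234",
}

def _norm(value):
    """Case-fold and drop punctuation/whitespace so harmless typing differences
    (e.g. '(208) 555-0100' vs '208-555-0100') still compare equal."""
    return re.sub(r"[^a-z0-9]", "", str(value).lower())

@dataclass
class Decision:
    verified: bool
    matched: tuple   # which secondary identifiers matched the record
    next_step: str   # guidance for the employee handling the call

def verify_phone_request(ehr_record, stated):
    """Apply the rule: full name must match, plus at least two other identifiers.
    `stated` holds what the caller provided; empty answers never count as a match."""
    if _norm(stated.get("full_name", "")) != _norm(ehr_record["full_name"]):
        return Decision(False, (), "name does not match; call back at the phone number in the EHR")
    matched = tuple(
        k for k in SECONDARY_IDENTIFIERS
        if stated.get(k) and _norm(stated[k]) == _norm(ehr_record.get(k, ""))
    )
    if len(matched) >= 2:
        return Decision(True, matched, "verified; mail records only to the address in the EHR")
    return Decision(False, matched, "fewer than two identifiers matched; call back at the phone number in the EHR")

def mailing_destination_ok(ehr_record, requested_address):
    """Records requested by phone go to the address on file, not one supplied by the caller."""
    return _norm(requested_address) == _norm(ehr_record["address"])
```

The decision object records which identifiers matched, which is the kind of detail a covered entity would want to log for each release so its “reasonable effort” can be shown after the fact.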
This blog post is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. This blog does not provide legal advice. This blog does not create an attorney-client relationship between you and Smith + Malek, PLLC. If you want to create an attorney-client relationship and have specific questions regarding the application of the law to your own circumstances, you should contact our office.