Verifying identity for disclosures
HIPAA Weekly Advisor, April 26, 2002
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Q: What are we required to do, if anything, to verify the identity of a person seeking disclosure of protected health information?
A: If the staff member handling the request does not know the person seeking the information, that employee must verify the identity of a person requesting protected health information (PHI) and the person's authority to have access to the information.
It is not necessary to verify the person's identity if the only information disclosed is contained in the facility or patient information directory.
When the person requesting the PHI is a public official, an employee must verify the identity of the requester by examining reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, he or she must verify the legal authority supporting the request by examining reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release.
Providers must establish and use written policies and procedures that outline how to verify the identity and authority of the requestor, when the covered entity does not know the person requesting the PHI. For example, staff should ask for a photo identification to verify the identity of a former patient asking to view his or her records.
The verification requirements apply only to disclosures of protected health information, not to uses.
Editor's note: Brought to you by attorneys Marty Baxter and Gretchen McBeathat Bricker and Eckler, LLP (http://www.bricker.com/hipaa) and The Quality Management Consulting Group, Ltd. (http://www.qmcg.com). E-mail: mbaxter@bricker.com or gmcbeath@bricker.com.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Identify potential Medicaid RAC target areas
- HIPAA Q&A: Level of encryption needed for email
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- OB services: Coding inside and outside of the package
- QA:Coding multiple initial infusions
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- What does case-mix index mean to you?
- Catch up on what's new with injections and infusions
- CMS has reformulated payments for some bilateral procedures
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched