Under the Privacy Rule, HIPAA covered entities (health care providers and health plans) are required to provide individuals, upon request, with access to their protected health information (PHI) in one or more “designated record sets” maintained by or for the covered entity.
Covered entities are also required to protect the individual’s PHI from unauthorized disclosure. How must a covered entity verify the identity of the individual requesting the PHI so as to comply with the Privacy Rule without at the same time violating it?
Recent guidance from the Office of Civil Rights (OCR) is somewhat helpful.
According the guidance, the Privacy Rule requires a covered entity to take “reasonable steps” to verify the identity of an individual requesting access (citing 45 CFR 164.514(h)). OCR confirms the Privacy Rule does not mandate the form of verification, but rather leaves the manner of verification to the professional judgment of the covered entity, provided the verification processes and measures “do not create barriers to or unreasonably delay the individual from obtaining access to her PHI”. OCR explains that verification may be oral or in writing and states that the type of verification depends on how the individual is requesting or receiving access. For instance, a person may request access in person, by phone, by fax or e-mail, or through a web portal hosted by the covered entity.
OCR suggests that standard request forms ask for basic information about the individual to enable the covered entity to verify the individual is the subject of the information requested. For those covered entities providing individuals with access to their PHI through web portals, the portals should be set up with appropriate authentication controls, as required by the HIPAA Security Rule (for instance password protection and required periodic password updates).
For individuals who may call requesting access to their PHI, good policy might require verification of the requestors date of birth, address, and perhaps the condition the individual was treated for.
Verifying the authority of an individual’s personal representative is determined under State law. In the next blog post, we will look at the law in New York on who is a qualified person for purposes of access to an individual’s medical records.