What is Verification of Identity and Authority Under the HIPAA Privacy Rule?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  

The HIPAA Privacy Rule has a "verification of identity and authority" requirement. 

Under this requirement, covered entities must implement policies and procedures that are reasonably designed to verify the identity and authority of persons requesting PHI, and must follow these policies and procedures.

Under this requirement, a covered entity must generally verify the identity of a person requesting PHI from it, and must verify the authority of that person to have access to that PHI -  if the identity or authority is not already known to the covered entity.

To verify identity is to verify that a person is who he or she claims to be. If, for example, an individual with whom a covered entity has not previously communicated requests access to PHI, the provider must verify that the person is who he or she claims to be before PHI can be disclosed to that individual. (Assuming any required patient authorization is also obtained.)

To verify authority is to verify that a person who is requesting a disclosure has the authority to make such a request. Under HIPAA, a personal representative may generally access the PHI of an adult or emancipated minor person he or she serves as a representative for. What might constitute proof that someone has the authority to act as a personal representative? Proof that the representative has the legal authority to make healthcare decisions about the individual.  Examples of proof may include a copy of a healthcare power of attorney, documentation of a court-appointed legal guardianship, or a general power of attorney or durable power of attorney that includes the power to make healthcare decisions. 

In addition to verifying identity and authority, covered entities must obtain, from persons seeking disclosure of PHI, such documentation, statement, or representation, as may be required under the HIPAA Privacy Rule or desired as a best practice (and not prohibited by law), prior to a disclosure.

What Proof of Identity is Required?

The Privacy Rule does not mandate that any one type of information be furnished to verify identity. The method of identity verification a covered entity should use depends on how the request for PHI is made. Individuals (other than the patients) who make an in-person request for access to PHI may verify their identity by presenting a valid photo ID, driver’s license, or passport. A covered entity may require an individual who makes a request by mail to do so on an official letterhead containing the person's address, along with the person's signature. In such cases, a provider should verify the provider should verify that the return address on the envelope matches the address on the letterhead. 

When a patient requests in-person access to his or her own PHI, and that patient's physical appearance is not already known to the covered entity (say, because the one treatment the patient had received was audio-only telehealth), the provider may require the patient to present a valid photo ID, driver’s license, or passport. When a patient mails a request for access, the provider should validate the signature on the request. This is done by comparing the signature on the mailed request with the patient’s signature that is already on file. When a patient mails the request, the provider should validate the return address. That address should match the address the patient has previously provided. If a patient submits an email request for access to PHI, the provider must ensure the email address matches the email address currently on file.

If a patient requests access to PHI by phone, a provider may ask the patient to provide his or her name, and at least two other identifiers from the following list: 

1. Patient’s date of birth
2. Address 
3. Emergency contact name
4. The last four digits of the patient’s SSN

What Proof of Authority is Required?
The proof of authority a provider should seek depends upon the status of the person claiming authority. Take the case of an unemancipated minor. The personal representative of an emancipated minor is generally a parent, guardian, or other person acting in loco parentis ("acting in place of the parent") with legal authority to make health care decisions on behalf of the minor child

If an individual makes a request for PHI, claiming to be the personal representative, the provider should obtain evidence that the person has the authority to act as a personal representative. The provider may do this, for example, by verifying that the minor is on the parent’s health insurance plan as a dependent, or by requesting a copy of the minor’s birth certificate.

How Much Effort Must a Covered Entity Make to Verify Identity or Authority?
The general rule for verification of identity or authority, when the requester or their authority is not known to the provider, is: the provider should make a reasonable effort to determine that the protected health information is being sent to the correct person (identity) and a reasonable effort to determine that this person is the entity authorized to receive it (authority).

Are there Special Rules for Verification of Identity When Disclosure of PHI is Sought by a Public Official?

The Privacy Rule permits providers to rely on a representation of a public official as to his or her identity, if such reliance is reasonable under the circumstances. 

For a provider to be justified in relying on this representation, the public official must make the request:

1. In person by presenting an agency identification badge, other official credentials, or other proof of government status; or
2. In writing on the appropriate government letterhead.

If a person acting on behalf of a public official is making the request, the provider may ask that person to provide a written statement on appropriate government letterhead that the person is acting under the government’s authority. The provider may ask for other evidence of the person’s status as someone acting on behalf of the government. Other evidence includes a contract for services, a memorandum of understanding, or a purchase order that establishes that the person is acting on behalf of the public official.

Are there Special Rules for Verification of Authority When Disclosure of PHI is Sought by a Public Official?

An organization may rely on the following, if reliance is reasonable under the circumstances:

1. A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority.
2. A request made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.