HIPAA compliance for identity verification

Learn how to safeguard patient information and meet regulatory requirements.

⚡ Key takeaways
  • Under HIPAA, covered entities must take reasonable measures to verify the identity of an individual before releasing protected health information (PHI).  
  • HIPAA verification can take place in person or remotely.  
  • Verification methods should vary based on who is making the request.

The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, is arguably the single most important patient privacy law in the United States. 

Designed to protect patient medical records and protected health information from improper access and use, its requirements have reshaped the way healthcare providers approach recordkeeping and data sharing.

Of course, medical records must sometimes be shared, and certain parties are entitled to access those records. The question is: What steps does HIPAA require an organization to take to verify the identity and authority of the requester before granting access to the records?

Below, we take a closer look at what protected health information is, how HIPAA verification works, and the verification requirements for different types of requesters. 

What is protected health information (PHI)?

Protected health information (PHI) refers to health information protected by HIPAA. 

PHI is defined as individually identifiable health information that is transmitted or maintained by an entity covered under HIPAA. The following 18 identifiers are considered “personally identifiable” under HIPAA:

  • Name
  • Address
  • Dates, other than year, related to an individual or their care (e.g. birth date, date of admission, discharge date) 
  • Phone numbers
  • Fax numbers
  • Email addresses
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license numbers (such as driver’s license number)
  • Vehicle identifiers, including license plate numbers and serial numbers
  • Device identifiers and serial numbers
  • Web URLs that contain digital identifiers 
  • IP addresses
  • Fingerprints and voiceprints 
  • Photographic images (not limited to the individual’s face)
  • Any other uniquely identifiable characteristics

Examples of PHI include a patient’s medical history, test results, medical scans, billing information, appointment scheduling, phone records, and other communications from a healthcare provider.

What is HIPAA verification?

HIPAA verification refers to the process of verifying an individual’s identity in order to ensure that they have the legal right to access PHI. In cases where the requester is not the patient themselves, HIPAA verification also involves verifying that the requester has the authority to access the information in question. 

The law requires covered entities to verify the identity and authority of the party requesting PHI. However, it does not require covered entities to implement any specific types of identity verification. Organizations are allowed to exercise their own reasonable judgment and discretion in designing their HIPAA verification processes. 

As such, HIPAA verification can include a combination of government ID verification, document verification, database verification, selfie verification, and other techniques, depending on the situation. 

HIPAA verification can take place in either an in-person or remote setting. Verifications increasingly occur through web portals and mobile applications as more healthcare providers and other covered entities move to meet patients online.

Verification for different requesters

Although organizations can tailor the HIPAA verification process to what works for them, it should vary depending on the requester and how they submit their PHI request. 

It’s also important to note that in each of the cases discussed below, covered entities are required to retain records of all PHI disclosures for a minimum of six years. This includes retaining a record of any information collected as a part of the verification process, as well as copies of any documents or photos collected.

Patient requests

When a patient requests access to their own PHI, verification typically includes collecting the individual’s government-issued ID — such as a driver’s license or passport — along with other identifying information, such as the last four digits of their Social Security number and their date of birth. 

Of course, it’s important to note that driver’s licenses can be lost or stolen, and sensitive information like birthdays and SSNs can be obtained illicitly. If verification is taking place digitally, you may choose to leverage additional verification methods as an added layer of security:

  • Document verification: You may ask the patient to upload a relevant document, such as their health insurance card, that can be cross-checked with documents on record.
  • Database verification: Conducting a database check — for example, by submitting a driver’s license for AAMVA verification — can be an effective way of identifying forgeries.
  • Selfie verification: Requiring a patient to upload a selfie, which can be cross-checked against the photo in their ID, can help corroborate identities and thwart a bad actor who may be trying to use a stolen ID.

Because a patient is always entitled to access their own PHI, there is no need to verify the individual’s authority once their identity has been verified. 

Legally authorized representatives

If the requester is claiming to be the patient’s legally authorized representative, their identity must first be verified. This can be accomplished using the same methods described above.

Once the individual’s identity has been verified, their authority to access the patient’s PHI must be verified. This can be accomplished in a number of ways, including:

  • Checking the patient’s medical records to see who they have listed as their legally authorized representative.
  • Requesting the individual to provide a copy of a valid power of attorney for the patient’s healthcare (or a court order appointing the individual as guardian of the patient).
  • Verifying that the individual is the patient’s next of kin.

Public officials

If a public official is requesting access to a patient’s PHI, their identity must be verified as noted above. Then, their status as a government official must be verified. This can be accomplished in a number of ways, such as requiring the individual to:

  • Submit the request or statement on agency or government letterhead.
  • Present their agency-issued identification, such as a badge or other credentials.
  • Provide identifying information which can be tied to a government agency, such as a .gov email address.

In order to verify a public official’s authority, they may provide a written statement on agency or government letterhead speaking to the legal authority that allows them to receive the patient’s PHI. 
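The three requester sections above describe one decision procedure: verify identity first, then verify authority according to who is asking, and keep a record of every disclosure for at least six years. The following Python module is an added example (it is not code from Persona or from this article) that encodes that procedure as a small policy check plus an audit record. All field names, the `Evidence` and `Decision` types, and the sample evidence values are assumptions made for illustration; the rules themselves follow the article's text (a patient needs no authority check; a representative needs one of the three authority proofs; a public official needs proof of official status and a written statement of authority on letterhead).

```python
from dataclasses import asdict, dataclass, field
from datetime import date
from enum import Enum


class RequesterType(Enum):
    PATIENT = "patient"
    REPRESENTATIVE = "legally_authorized_representative"
    PUBLIC_OFFICIAL = "public_official"


@dataclass
class Evidence:
    """Evidence gathered during verification (hypothetical field names)."""
    # Identity checks: apply to every requester type
    government_id_verified: bool = False      # driver's license or passport checked
    identifying_details_match: bool = False   # e.g. last four SSN digits and DOB match the record
    # Authority proofs for a legally authorized representative (any one suffices)
    listed_in_patient_record: bool = False
    power_of_attorney_or_court_order: bool = False
    next_of_kin_confirmed: bool = False
    # Official-status proofs (any one) and authority statement for a public official
    request_on_agency_letterhead: bool = False
    agency_credential_presented: bool = False
    gov_email_address: bool = False
    authority_statement_on_letterhead: bool = False


@dataclass
class Decision:
    release: bool
    reasons: list = field(default_factory=list)


def identity_verified(ev: Evidence) -> bool:
    """Identity is verified only when the ID check and the identifying details both pass."""
    return ev.government_id_verified and ev.identifying_details_match


def authority_verified(kind: RequesterType, ev: Evidence) -> bool:
    """Authority rules differ by requester type, as the article describes."""
    if kind is RequesterType.PATIENT:
        return True  # a patient is always entitled to their own PHI
    if kind is RequesterType.REPRESENTATIVE:
        return (ev.listed_in_patient_record or ev.power_of_attorney_or_court_order
                or ev.next_of_kin_confirmed)
    if kind is RequesterType.PUBLIC_OFFICIAL:
        official_status = (ev.request_on_agency_letterhead or ev.agency_credential_presented
                           or ev.gov_email_address)
        return official_status and ev.authority_statement_on_letterhead
    return False


def decide(kind: RequesterType, ev: Evidence) -> Decision:
    """Identity is checked before authority; the first failing step is recorded as the reason."""
    reasons = []
    if not identity_verified(ev):
        reasons.append("identity not verified")
    elif not authority_verified(kind, ev):
        reasons.append(f"authority not verified for {kind.value}")
    return Decision(release=not reasons, reasons=reasons)


RETENTION_YEARS = 6  # minimum retention period for disclosure records stated in the article


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disclosure_record(kind: RequesterType, ev: Evidence, decision: Decision,
                      disclosed_on: date, requester_ref: str, phi_scope: str) -> dict:
    """Audit entry kept for every request, including the evidence collected and a retain-until date."""
    return {
        "disclosed_on": disclosed_on.isoformat(),
        "requester_type": kind.value,
        "requester_ref": requester_ref,
        "phi_scope": phi_scope,
        "released": decision.release,
        "reasons": list(decision.reasons),
        "evidence": asdict(ev),
        "retain_until": add_years(disclosed_on, RETENTION_YEARS).isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: a representative who passed the ID check but supplied no authority proof
    ev = Evidence(government_id_verified=True, identifying_details_match=True)
    d = decide(RequesterType.REPRESENTATIVE, ev)
    print(disclosure_record(RequesterType.REPRESENTATIVE, ev, d, date(2024, 2, 29),
                            "req-0001", "discharge summary"))
```

The record is written whether or not PHI is released, so denied requests leave the same audit trail as approved ones; the `evidence` field captures what was collected, which is the part of the record the article says must be retained alongside copies of any documents or photos.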

When is HIPAA verification not required?

It’s important to note that there are certain situations in which verification is not required under HIPAA. This includes cases where:

  • A patient’s life or health may be in imminent danger
  • A patient has previously indicated that certain friends or family are involved in making decisions about their healthcare
  • A patient is listed in your facility directory
  • You are notifying a patient’s family member or medical representative of their location, general health condition, or death
  • The patient is present and gives consent

Persona and HIPAA verification

Identity verification is an essential component of HIPAA compliance. Without adequate verification processes in place, your organization runs the risk of accidentally disclosing a patient’s PHI to individuals who should not have access to it. This leaves you open to the possibility of legal action from the affected individuals, as well as regulatory action. 

Here at Persona, we understand the critical importance of securing patient health information against inappropriate access. That’s why HIPAA compliance is at the core of our identity verification platform, and why it informs each of our solutions — from how we handle PII storage to our verification solutions to our case management product to Graph, our link analysis solution, and more. The platform was also built with flexibility in mind, allowing you to tailor your Know Your Patient (KYP) and patient verification processes. We’ll even store PII information for you so that you can focus on what you do best — providing care to your patients. 

Interested in learning more? See how we helped an online prescription service deploy identity verification to stay compliant with HIPAA and other regulations.

Ready to get started? Request a demo today. 

Frequently asked questions

What is HIPAA compliance?

In order to be HIPAA compliant, a covered entity must meet the requirements established by the law. This largely revolves around ensuring that protected health information is adequately secured against inappropriate access. Verifying the identity and authority of an individual requesting access to PHI is a major component of HIPAA compliance.

What are the four HIPAA requirements?

While it is a single law, HIPAA actually consists of a number of different rules, each of which carries its own specific requirements. The HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule are often cited as the most important requirements under the law.

The HIPAA Privacy Rule is the part of the law that specifically establishes confidentiality requirements for protected health information. The HIPAA Security Rule establishes the physical, technological, and administrative security standards an organization must have in place to secure PHI. The HIPAA Breach Notification Rule establishes requirements for how and when an organization must notify individuals if their PHI has been inappropriately accessed. The HIPAA Omnibus Rule establishes investigation procedures and penalties for organizations that do not comply with the law.

Other components of the law include the Transactions and Code Sets Rule and the Unique Identifiers Rule.

What types of information are not protected by HIPAA?

If health information is collected or created by a business or organization that is not considered a “covered entity” under the law, then it is not protected by HIPAA. Additionally, if health information has been stripped of all personal identifiers (a process known as de-identification) it is no longer considered PHI, and is no longer protected under HIPAA.

It is also important to note that there are certain instances where information that would normally be deemed PHI is not considered such. This includes when PHI is:

  • Collected/maintained in an education record covered by the Family Educational Rights and Privacy Act (FERPA)
  • Collected/maintained in an employment record held by a covered entity acting as an employer
