The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, is arguably the single most important patient privacy law in the United States.
Designed to protect patient medical records and protected health information from improper access and use, its requirements have reshaped the way healthcare providers approach recordkeeping and data sharing.
Of course, medical records must sometimes be shared, and certain parties are entitled to access those records. The question is: What steps does HIPAA require an organization to take to verify the identity and authority of the requester before granting access to the records?
Below, we take a closer look at what protected health information is, how HIPAA verification works, and the verification requirements for different types of requesters.
What is protected health information (PHI)?
Protected health information (PHI) refers to health information protected by HIPAA.
PHI is defined as individually identifiable health information that is transmitted or maintained by an entity covered under HIPAA. The following 18 identifiers are considered “personally identifiable” under HIPAA:
- Name
- Address
- Dates, other than year, related to an individual or their care (e.g. birth date, date of admission, discharge date)
- Phone numbers
- Fax numbers
- Email addresses
- Social Security number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license numbers (such as driver’s license number)
- Vehicle identifiers, including license plate numbers and serial numbers
- Device identifiers and serial numbers
- Web URLs that contain digital identifiers
- IP addresses
- Fingerprints and voiceprints
- Photographic images (not limited to the individual’s face)
- Any other uniquely identifiable characteristics
Examples of PHI include a patient’s medical history, test results, medical scans, billing information, appointment scheduling, phone records, and other communications from a healthcare provider.
What is HIPAA verification?
HIPAA verification refers to the process of verifying an individual’s identity in order to ensure that they have the legal right to access PHI. In cases where the requester is not the patient themselves, HIPAA verification also involves verifying that the requester has the authority to access the information in question.
The law requires covered entities to verify the identity and authority of the party requesting PHI. However, it does not require covered entities to implement any specific types of identity verification. Organizations are allowed to exercise their own reasonable judgment and discretion in designing their HIPAA verification processes.
As such, HIPAA verification can include a combination of government ID verification, document verification, database verification, selfie verification, and other techniques, depending on the situation.
HIPAA verification can take place in either an in-person or remote setting. Verifications increasingly occur through web portals and mobile applications as more healthcare providers and other covered entities move to meet patients online.
Verification for different requesters
Although organizations can tailor the HIPAA verification process to what works for them, it should vary depending on the requester and how they submit their PHI request.
It’s also important to note that in each of the cases discussed below, covered entities are required to retain records of all PHI disclosures for a minimum of six years. This includes retaining a record of any information collected as a part of the verification process, as well as copies of any documents or photos collected.
Patient requests
When a patient requests access to their own PHI, verification typically includes collecting the individual’s government-issued ID — such as a driver’s license or passport — along with other identifying information, such as the last four digits of their Social Security number and their date of birth.
Of course, it’s important to note that driver’s licenses can be lost or stolen, and sensitive information like birthdays and SSNs can be obtained illicitly. If verification is taking place digitally, you may choose to leverage additional verification methods as an added layer of security:
- Document verification: You may ask the patient to upload a relevant document, such as their health insurance card, that can be cross-checked with documents on record.
- Database verification: Conducting a database check — for example, by submitting a driver’s license for AAMVA verification — can be an effective way of identifying forgeries.
- Selfie verification: Requiring a patient to upload a selfie, which can be cross-checked against the photo in their ID, can help corroborate identities and thwart a bad actor who may be trying to use a stolen ID.
Because a patient is always entitled to access their own PHI, there is no need to verify the individual’s authority once their identity has been verified.
Legally authorized representatives
If the requester is claiming to be the patient’s legally authorized representative, their identity must first be verified. This can be accomplished using the same methods described above.
Once the individual’s identity has been verified, their authority to access the patient’s PHI must be verified. This can be accomplished in a number of ways, including:
- Checking the patient’s medical records to see who they have listed as their legally authorized representative.
- Requesting the individual to provide a copy of a valid power of attorney for the patient’s healthcare (or a court order appointing the individual as guardian of the patient).
- Verifying that the individual is the patient’s next of kin.
Public officials
If a public official is requesting access to a patient’s PHI, their identity must be verified as noted above. Then, their status as a government official must be verified. This can be accomplished in a number of ways, such as requiring the individual to:
- Submit the request or statement on agency or government letterhead.
- Present their agency-issued identification, such as a badge or other credentials.
- Provide identifying information which can be tied to a government agency, such as a .gov email address.
In order to verify a public official’s authority, they may provide a written statement on agency or government letterhead speaking to the legal authority that allows them to receive the patient’s PHI.
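To make the three-requester procedure above concrete, here is an added Python example (not Persona’s code and not HIPAA text) that models the two-step check, identity first and then authority by requester type, and builds the disclosure record with its six-year retention date. The requester type names, the evidence labels and the leap-day handling are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Evidence that establishes *authority* for each requester type, following the
# three cases above. A patient needs no authority evidence: identity is enough.
AUTHORITY_EVIDENCE = {
    "patient": set(),
    "representative": {"listed_in_record", "healthcare_poa",
                       "guardianship_order", "next_of_kin"},
    "public_official": {"letterhead_statement"},
}
# Evidence that establishes a public official's *status* before authority is checked.
OFFICIAL_STATUS_EVIDENCE = {"agency_letterhead", "agency_badge", "gov_email"}

RETENTION_YEARS = 6  # minimum retention period for disclosure records

@dataclass
class PhiRequest:
    requester_type: str       # "patient", "representative" or "public_official" (assumed labels)
    identity_verified: bool   # outcome of the ID / document / database / selfie checks
    evidence: set = field(default_factory=set)

def authorize(req: PhiRequest) -> tuple[bool, str]:
    """Return (granted, reason). Identity is always checked first; authority
    depends on the requester type. Unknown types fail closed."""
    if req.requester_type not in AUTHORITY_EVIDENCE:
        return False, "unknown requester type"
    if not req.identity_verified:
        return False, "identity not verified"
    if req.requester_type == "public_official" and not (req.evidence & OFFICIAL_STATUS_EVIDENCE):
        return False, "government status not verified"
    needed = AUTHORITY_EVIDENCE[req.requester_type]
    if needed and not (req.evidence & needed):
        return False, "authority not verified"
    return True, "identity and authority verified"

def retain_until(disclosed_on: date) -> date:
    """Earliest date the record may be discarded: six years after disclosure.
    Assumption: a 29 February disclosure rolls forward to 1 March."""
    try:
        return disclosed_on.replace(year=disclosed_on.year + RETENTION_YEARS)
    except ValueError:
        return date(disclosed_on.year + RETENTION_YEARS, 3, 1)

def disclosure_record(req: PhiRequest, disclosed_on: date) -> dict:
    """Audit entry to keep alongside copies of the verification documents
    (written for denials too, as an assumption, so the decision trail is complete)."""
    granted, reason = authorize(req)
    return {"requester_type": req.requester_type, "granted": granted, "reason": reason,
            "evidence": sorted(req.evidence), "disclosed_on": disclosed_on.isoformat(),
            "retain_until": retain_until(disclosed_on).isoformat()}
```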
When is HIPAA verification not required?
It’s important to note that there are certain situations in which verification is not required under HIPAA. These include cases where:
- A patient’s life or health may be in imminent danger
- A patient has previously indicated that certain friends or family are involved in making decisions about their healthcare
- A patient is listed in your facility directory
- You are notifying a patient’s family member or medical representative of their location, general health condition, or death
- The patient is present and gives consent
Persona and HIPAA verification
Identity verification is an essential component of HIPAA compliance. Without adequate verification processes in place, your organization runs the risk of accidentally disclosing a patient’s PHI to individuals who should not access it. This leaves you open to the possibility of legal action from the affected individuals, as well as regulatory action.
Here at Persona, we understand the critical importance of securing patient health information against inappropriate access. That’s why HIPAA compliance is at the core of our identity verification platform, and why it informs each of our solutions — from how we handle PII storage to our verification solutions to our case management product to Graph, our link analysis solution, and more. The platform was also built with flexibility in mind, allowing you to tailor your Know Your Patient (KYP) and patient verification processes. We’ll even store PII information for you so that you can focus on what you do best — providing care to your patients.
Interested in learning more? See how we helped an online prescription service deploy identity verification to stay compliant with HIPAA and other regulations.
Ready to get started? Request a demo today.