HIPAA Policy Section 4.10: Verification of Requestor’s Identity and Authority
Prior to any Disclosure of an Individual’s PHI (other than a Notification Disclosure or a Disclosure in response to a threat to health or safety), System shall verify, as reasonable under the circumstances, the identity of the person requesting the PHI and the authority of such person to have access to PHI, to the extent such person’s identity and/or authority is relevant to whether such Disclosure is permissible under this Policy and to the extent such person’s identity and/or authority is not already known to the Privacy Officer or the Contact Person.
4.10(1) General requirements.
- Verification must be completed as required by this Policy before any Disclosure takes place.
- Verification may be based upon the identification of the Privacy Officer or a person that is employed by System provided that the person has no personal involvement in the request or the outcome of the request of the PHI.
- Documentation presented in support of verification will be presumed to be valid. For example, a state driver’s license, an employee identification badge issued by System, a United States Passport or other photo identification issued by a local, state or federal governmental agency; a written document on appropriate government letterhead; or, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal shall be accepted at face value unless circumstances clearly place the validity of the document into question.
- The Privacy Officer may approve any other method of verification provided that the Privacy Officer documents the approval and method of verification in a signed writing prior to the Use or Disclosure.
4.10(2) Verification of a Requesting Public Official
Verification of a person’s status as a public official may include, but is not limited to:
- if responding to a telephone request, calling back the requestor through a number obtained from an official directory or the letterhead for a known place of business or receipt of a Facsimile containing a written statement on appropriate government letterhead;
- if the request is in writing, the request is on the appropriate government letterhead;
- if the request is in person, presentation of an agency identification badge or other official credential sufficient to identify the Individual and the Individual’s capacity; or
- if the Disclosure is to a person acting on behalf of a public official (e.g., a non-profit agency contracting with a public health agency to collect and analyze data), a written statement on appropriate government letterhead that the person is acting under the government’s authority or other documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official plus sufficient proof of the Individual’s identity.
4.10(3) Verification of a Requesting Individual
Verification of a person’s status as an Individual requesting his own Individual PHI may include, but is not limited to:
- presentation of an employee identification badge issued by System, a valid photo identification issued by a local, state or federal governmental agency such as a driver’s license or U.S. passport;
- if the request is to OEB, presentation of a plan identification card issued to the Individual by a plan offered by OEB;
- the ability to provide three or more non-public informational items from a record kept by System as to that Individual;
- requests made via institutional e-mail if the employee must use a secure password to access their e-mail program to send the e-mail; or
- recognition of an Individual based on personal knowledge.
Verification must be documented and the verification retained before any Use or Disclosure requiring verification is made:
- in the case of a verification by a person as described in Section 4.10(1)(b), a statement signed by the person describing the basis of his or her knowledge of the Individual’s identity, the date and the person’s office and phone number at System; provided that if an employee providing the identification is at a location away from the System staff accepting the verification, the statement must be received at System’s office by facsimile before any Use or Disclosure is made;
- in the case of a verification by a telephone call back to a caller, a notation of all names of Individuals involved in the call, the number used for the call back and the source of the number; or
- in all cases involving physical documentation, if feasible, retention of the original including any documentation made pursuant to Section 4.10(1)(d); or if retention of the original is not feasible (such as in the case of a license or badge), a copy of any and all items or document presented for verification purposes.
4.10(5) Verification by Business Associates
Business Associates of OEB, other than a System office that is part of the Health Care Component or another governmental entity, shall perform verification using verification methods approved by System consistent with this Policy.
45 CFR §164.514(h)