When requests for the disclosure of protected health information are received from any person outside of the UW HCC or the UW ACE, such individual’s identity and authority must be verified prior to making the disclosure whenever such identity and/or authority of the person is unknown to the staff person receiving the request. Identity refers to who the person is; authority refers to the basis upon which the person claims to have access to the protected health information. Knowledge of a requester may take the form of a known or recognized person, organization, or business, or it may be a known phone number, fax number, or mailing address.
When the Requester is the Patient
Verification of identity may be accomplished by asking for photo identification (such as a driver’s license) if the request is made in person. If the request is made over the telephone or in writing, verification may be accomplished by requesting identifying information such as address, telephone number, birth date, and/or medical record number and confirming that this information matches what is in the patient’s record.
When the Requester is the Patient’s Legally Authorized Representative
Verification of identity may be accomplished by asking for photo identification (such as a driver’s license) if the request is made in person. Once identity is established, authority in such situations may be determined by confirming the person is named in the medical record as the patient’s legally authorized representative. If there is no person listed in the medical record as the patient’s legally authorized representative, authority may be established by the person presenting a copy of a valid power of attorney for health care or a copy of a court order appointing the person guardian of the person (or guardian ad litem) of the patient. If the patient has no health care power of attorney and no guardian, authority may be established by following the applicable hospital or clinic policy establishing when next-of-kin becomes the legally authorized representative.
When the Requester is a Public Official (e.g., law enforcement officers, state or federal surveyors, medical examiners, coroners)
If the request is made in person, verification of the identity of a public official should be accomplished by the presentation of an agency identification badge, other official credentials or other proof of government status. If the request is made in writing, verification of identity will be accomplished if the request is made on the appropriate government letterhead.
Authority of the public official to have access to protected health information should be established by a written statement from the public official of the legal authority under which the information is requested (or, if a written statement is impracticable, an oral statement of such authority).
Note that local law enforcement officials (e.g., city police, county sheriff) are not generally entitled to protected health information without a court order or written patient authorization. There are exceptions for reporting and investigation of child abuse/neglect and for reporting gunshot wounds, certain other wounds and burns to local law enforcement officials. When in doubt about the authority of local law enforcement officials to obtain protected health information, contact the UW–Madison Office of Legal Affairs or the UW HIPAA Privacy Officer.
A police officer unknown to staff members requests protected health information. The officer’s identity may be established by presentation of his/her badge and the officer’s authority to have access may be established by the officer’s written (or oral) statement of the legal authority under which the information is requested, such as investigation of suspected child abuse (which, under state law, permits a police officer access to protected health information without patient authorization).
Procedures for verifying the identity and/or authority of other unknown requesters of protected health information will vary according to the circumstances. For example, if a person who is not known or recognized presents a written authorization by the patient as the basis for obtaining protected health information, the person should be requested to present identification to verify that he/she is the person named in the authorization to receive the protected health information. If there are any questions concerning if and/or how to verify identity or authority in particular circumstances, contact the UW–Madison Office of Legal Affairs, the UW HIPAA Privacy Officer, or the applicable privacy coordinator.
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.