Part 2, Chapter 7: Manual Exhibit 2-7-R
Policy and Procedure for Verification of Identity Prior to
Disclosure of Protected Health Information
- PURPOSE. To publish Indian Health Service (IHS) policy and procedure for verifying the identity or authority of any person requesting protected health information (PHI) prior to the disclosure of such PHI.
- AUTHORITY. 45 Code of Federal Regulations (CFR) 164.514(h)
- POLICY. All IHS facilities will verify the identity of any person requesting PHI and the authority of any such person to have access to the requested PHI, if the identity or such authority is not known to the IHS.
- DISCLOSURE. In all cases, any disclosure of PHI will be made in accordance with Manual Exhibit 2-7-D, “Policy and Procedure for the Use or Disclosure of Protected Health Information Pursuant to Authorization or Valid Written Request”; Manual Exhibit 2-7-K, “Policy and Procedure for Limiting the Use or Disclosure of Protected Health Information to the Minimum Necessary”; and Manual Exhibit 2-7-Q, “Policy and Procedure for Protected Health Information of Un-emancipated Minors.”
- Patient. A patient may request that PHI pertaining to him or her be released to themselves or others they specify.
- Guardians. Guardians may request the release of PHI on behalf of the patient.
- Representatives. Representatives of hospitals, clinics, and health centers may request the release of PHI.
- Law Enforcement Officials. Law enforcement officials and other individuals may request PHI of a patient.
- PROCEDURES. The following procedures shall be used to verify the identity of any person, entity, or organization requesting PHI.
- Request Made in Person by the Patient. If the identity of the patient requesting PHI is personally known to the responsible IHS staff member, the patient’s representation regarding their identity will be sufficient verification if it is reasonable under the circumstances. Otherwise, the patient’s identity shall be verified as follows upon completing the Form IHS-810.
(For Public and Federal access) http://www.forms.gov/ or http://www.ihs.gov/CIO/puf/ ; or
(For IHS staff only) http://intranet.hhs.gov/forms/
- Provide one piece of tangible identification (preferably picture I.D.), such as, the individual’s driver’s license, military identification card, tribal identification card, employment identification card/badge, passport, or alien registration card. If a patient is requesting his or her own PHI, the name on the identification must match the name of the patient whose record is being sought. If the patient’s name has been legally changed, evidence documenting the name change must be presented. Additionally, the patient shall provide particulars which can be verified by information already included in the record, such as place of birth, names of parents, an occupation, rank attained in Uniformed Services, or specific times the patient received medical treatment.
- If the patient cannot produce identification, in addition to providing the particulars noted above, they shall certify in writing that they are the individual who they claim to be, and they understand that the knowing and willful request for or acquisition of a record under false pretenses is a criminal offense under the Privacy Act and subject to a fine of not more than $5,000. (5 U.S.C. 552a)
- Request Made In Person by an Individual (Third-Party).
- If a request is made by a law enforcement official, the official must verify his or her identity by producing a badge, official identification, or some other identification that shows that the law enforcement official has the authority to accept the PHI on behalf of the law enforcement agency. The law enforcement official must also produce the law enforcement request or court order requesting the release of PHI if it is not already on file. See Manual Exhibit 2-7-T, “Policy and Procedure for the Disclosure of Protected Health Information to Law Enforcement Officials.”
- If a patient authorizes in writing (e.g., Form IHS 810 or valid written request) PHI to be disclosed to an attorney, and the attorney comes to the IHS facility in person to pick up the records, the attorney must present valid photo identification and authority (e.g., business card) that is consistent with the patient authorization regarding to whom the PHI may be disclosed. If a representative of the attorney comes in the attorney’s place, the representative must submit proof that the representative has authority to act on behalf of the attorney (e.g., agreement between a records company and an attorney). This provision also applies to patient authorizations to disclose PHI to an insurance company representative.
- If a patient authorizes (in writing) PHI to be disclosed to another individual (e.g., family member or friend), the individual must verify his or her identity with photo identification that matches the patient authorization to whom the PHI may be disclosed.
- Requests Made In Person by Parents, Legal Guardians or Other Personal Representative. An individual who makes a request for PHI on behalf of a minor, a person who is legally incompetent, or another individual, shall verify that he has authority to act by providing a copy of a birth certificate, a court order, or other competent evidence of the relationship or authority, e.g., health care power of attorney, in addition to verifying his own identity with photo identification (unless personally known to the IHS employee), unless the responsible IHS staff person can establish that evidence of the relationship or authority has previously been provided. The type of identification and any documentation of authority used will be documented on the completed Form IHS-810, e.g., “verified, Driver’s License.” The staff making the verification must initial and date the form.
- Request Made by Mail.
- If the patient is requesting PHI to be sent to them, verify that the name, address, particular information, and signature on the request are the same as those in the patient file. Maintain the request in the medical record and release the PHI.
- If the patient is requesting PHI to be sent to another individual verify the identity in accordance with B(1) above and release the information only to the name and address of the individual authorized to receive the PHI. Maintain the request in the medical record and release the PHI.
- If another individual requests (including requests by law enforcement, attorneys, or insurance company representatives) PHI of a patient, the requestor must include documentation of authority (e.g., law enforcement requests must be on letterhead, requests by attorneys must include a completed patient authorization verified in accordance with B(1) above).
Maintain the request in the medical record and release the PHI. See Manual Exhibit 2-7-T, “Policy and Procedure for the Disclosure of Protected Health Information to Law Enforcement Officials.”
- If there is any variation, the responsible IHS staff person shall obtain from the requestor an explanation and documentation in a form that complies with this Manual Exhibit. For example, a requestor who is a guardian must supply a birth certificate, a court order, or other competent evidence of the authority or relationship; a name change must be documented. The type of documentation provided and the date of request shall be noted in the patient medical record by the IHS staff member.
- Request by a Healthcare Provider.
- Telephone Request Made for Emergency Treatment Purposes.
- Obtain the provider’s name, facility name, location, and the telephone number of the requesting entity, and verify the identity of the requesting individual by telephoning the number provided.
- Document the call and the individual, who received the call on the provider’s behalf; this serves as identification verification.
- Document the information being sought or requested.
- Document the reason for the request.
- Provide only the PHI that the requesting entity indicates is necessary to be provided by telephone at that time. Provide the rest of the requested PHI by the same means as it would be provided to the requesting entity in a non-emergent circumstance.
Note: Do not withhold if the entire record is required for medical treatment purposes.
- Requests by Subpoena/Court Order. Process the request under the guidance provided below or consult with the IHS Area Health Information Management Consultant:
- Part 3, Chapter 3, "Health Information Management," Indian Health Manual.
- The IHS Privacy Act website under the heading of Privacy Act Medical Records System Questions/Answers, Miscellaneous Questions. The weblink is: http://www.ihs.gov/AdminMngrResources/PrivacyAct/
- The IHS Privacy Act Officer, Guidance on Competent Jurisdiction for Privacy Act Purposes and referral to the Area Health Record Consultant, Memorandum dated May 21, 2001.
Back To Top