|
|
 |
|
Section 6 Compliance Policies
Subject 6.2 Privacy Related
Policy 6.2.32 Verifying Identity and Authority of Individuals
Requesting Protected Health Information (PHI
|
06/15/04 -Originated
12/21/07 -Reviewed w/changes
-Reviewed w/o changes
Compliance -Author
|
Verifying Identity and Authority of Individuals Requesting Protected Health Information (PHI)
Definitions
|
Authority is used to define the individual who consents to have PHI released for purposes other than Treatment, Payment and Healthcare Operations (TPO).
|
Policy
|
UTMB, in an effort to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), maintains that patient information must be kept private and confidential.
To ensure that a patient’s confidentiality is maintained while still allowing for families, legal guardians, or friends to receive updated information on the patient’s condition, UTMB will verify identification of all individuals who have authorized access to information about the status of a patient in our care prior to releasing any information about the patient. The only exception to this is for information available in the facility directory, in accordance with IHOP Policy 6.2.4, Use and Disclosure for PHI for Patient Directories.
All supervisors are responsible for enforcing this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.
Violation of this policy may result in disciplinary action up to and including termination for employees; a termination of employment relationship in the case of contractors or consultants; or suspension or expulsion in the case of a student. Additionally, individuals may be subject to loss of access privileges and civil and/or criminal prosecution.
|
Verification Obligation
|
Prior to permitted or required disclosures of PHI reasonable measures to obtain verification of the identity of the person requesting PHI and the authority of any such person to have access to PHI must be verified including authorized legal representatives.
|
Verification Obligation, continued
|
Verification of an individual does not eliminate the need for a written authorization from the patient if it is specifically required. (See IHOP Policy 6.2.1 Use and Disclosure of PHI based on Patient Authorization).
This verification requirement applies to all permitted disclosures of PHI, including disclosures for treatment, payment, or health care operations except disclosures made to family members and others involved in the patient’s care, or notifications, which require providing the patient with an opportunity to agree or to object to the disclosure (See IHOP Policy 6.2.2 Use and Disclosure of PHI-to Family, Friends, for Individual Care and Notification Purposes).
Consult the Privacy Office before making any disclosures if there is uncertainty whether or not sufficient verification has been obtained.
|
Acceptable Methods of Verification
|
1. When the Requestor is the Patient
UTMB will take reasonable steps and exercise professional judgment to verify the identity of the individual making a request for access to his/her own PHI.
a. If the request is made in person, verification of identity may be accomplished by asking for photo identification (such as a driver’s license).
b. If the request is made over the telephone, verification may be accomplished by requesting identifying information such as social security number, birth date, and/or medical record number and confirming that this information matches what is in the patient’s record. Or, verification will occur through a call-back process using phone numbers documented in the patient record to validate the caller’s identity.
c. If the request is made in writing, verification may be accomplished by requesting a photocopy of photo identification
If a photocopy of the ID is not available, the signature on the written request must be compared with the signature in the Unit Medical Record (UMR). In addition, UTMB personnel may need to verify the validity of the written request by contacting
|
Acceptable Methods of Verification,
(cont’d)
|
the patient by telephone.
d If the request is made on the patient billing statement, verification may be accomplished through the fact that the patient has a copy of the bill. In this instance, the patient has sent in a copy of the bill with hand written notes and questions. When you respond to these requests for additional information, all correspondence must be in writing, addressed to the patient, and mailed to the patient’s address currently on record in Invision.
2. When the requestor is the Patient’s Legally Authorized Representative (Other than a Family Member)
Verification of identity may be accomplished by asking for photo identification (such as driver’s license) if the request is made in person. Once identity is established, authority in such situations may be determined by confirming the person is named in the medical record or in the patient’s profile in Invision as the person’s legally authorized representative. Or, if there is no person listed in the medical record as the patient’s legally authorized representative, authority may be established by the person presenting a copy of a valid power of attorney for health care or a copy of a court order appointing the person guardian of the person (or guardian ad litem) of the patient.
3. Person is Known to the Records Custodian.
If the records custodian has knowledge of the identity of the person requesting the disclosure, this knowledge satisfies the verification requirement and no additional procedures are required. Examples satisfying the “knowledge” standard are:
a. routine communications between health care providers where existing relationships have been established;
b. knowledge of the requestor’s place of business, address, phone or fax number; or
c. knowledge of the specific person making the request.
4. Reliance on Documentation, Statements, or Representations.
If a disclosure is conditioned on the requesting party presenting certain documentation, statements or representations, UTMB may
|
Acceptable Methods of Verification, (cont’d)
|
reasonably rely on the written submission for verification, if the writings, on their face, meet the applicable requirements for the disclosure. For example, verification for a disclosure pursuant to an IRB waiver may be the same statement required to document the waiver (i.e. a statement identifying the IRB, the date of the approval, and the signature of the IRB chairperson).
5. Professional Judgment.
The verification requirements may be based on professional judgment in the following situations:
a. In emergency situations, if UTMB exercises professional judgment in making a use or disclosure; and
b. For disclosures to avert a serious threat to health or safety, if UTMB acts on a good faith belief in making the disclosure.
6. Special Rules for Verification of Public Officials.
a. Verification of Identity.
UTMB may rely on any of the following to verify identity when the disclosure of PHI is to a public official or a person acting on behalf of the public official:
i. If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
ii. If the request is in writing, the request is on the appropriate government letterhead; or
b. If the disclosure is to a person acting on behalf of a public official (e.g., a public health agency contracting with a nonprofit agency to collect and analyze data), a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence.
iii. or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
|
Acceptable Methods of Verification, (cont’d)
|
c Verification of Authority.
UTMB may rely on any of the following to verify authority when the disclosure of PHI is to a public official or a person acting on behalf of the public official:
i. A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of the legal authority;
ii. If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, it is presumed to constitute legal authority.
7. Other Methods
UTMB records custodian may use any other method of verification that, in the department’s discretion, is reasonably calculated to verify the identity of the person making the request. Some acceptable means of verification include, but are not limited to:
a. requesting to see a photo ID
b. requesting a copy of a power of attorney
c. confirming personal information with the requestor such as date of birth, policy number or social security number
d. questioning a child’s caretaker to establish the relationship with the child
e. calling the requestor back through a main organization switchboard rather than a direct number
|
Emergency Situations
|
In emergency situations where a threat to safety of a person or the public is imminent, disclosure to prevent or lessen a serious or imminent threat to health or safety may be made by UTMB to a person reasonably able to prevent or lessen the threat or to law enforcement authorities without having first to comply with the verification requirements of this policy. In such situations, the verification requirements will be presumed to be met so long as UTMB acted in good faith in making the disclosures. Good faith will be presumed if the UTMB staff member had actual knowledge or relied in good faith on a credible representation by a person with apparent knowledge or authority in determining that the disclosure is necessary to avert the threat.
|
Effect of Verification
|
Satisfaction of verification requirements does not allow an otherwise unlawful or impermissible disclosure of PHI.
Satisfaction of verification requirements under this Policy does not eliminate the need to meet any more stringent state laws that establish additional verification requirements for a particular disclosure.
|
Documentation
|
If documentation, statements or representations are required from the requestor as a condition of the disclosure, the records custodian making the disclosure will maintain the documentation, statements, or representations, whether oral or written, for no less than six (6) years from the date of the document, statement or representation.
|
Reporting Requirements
|
All disclosures for purposes other than treatment, payment, or healthcare operations must be accounted for in accordance with IHOP Policy 6.2.28, Accounting for PHI Disclosures.
All staff members are required to report any violations of this policy to their supervisors or to the Privacy Office in accordance with IHOP Policy 6.1.5, Reporting and Investigating Allegations of Privacy Violations.
|
|
|
