In most situations, the patient has sole access to their medical records. Your records might even specify a few individuals with permission to access those records. However, some circumstances require that you grant an unlisted person access.
In such cases, you should apply HIPAA identity verification requirements before providing an unknown party access. HIPAA in medical billing especially requires careful handling, as billing information contains both medical and sensitive financial information. PracticeForces details how to use the verification requirements below.
What the Privacy Rule Says
The HIPAA Privacy Rule states that you must verify a person or organization’s identity and authority before allowing them to access a patient’s information. Some entities beyond the individual’s close circle may require access, often for legal or employment purposes.
Examples of such entities include:
- Governmental agencies
- Legal representatives, such as an attorney
- Power of attorney or guardian
Who Else Can Request a Patient’s Information?
Typically, a patient will make you aware of any parties who have permission to access their information. These parties typically include immediate family members, spouses, or friends. Under some circumstances, the patient needs access but cannot be physically present to receive it.
As covered entities, medical practices can ensure HIPAA compliance by requesting and receiving certain pieces of information or proof of identity before relinquishing access.
You can perform identity verification through the following means:
- Email: Using a HIPAA-compliant email server, the requesting party communicates with your practice and provides necessary documentation.
- Phone call: Via phone call, the requesting party converses with your practice and provides information such as first and last name, social security number, and birth date.
- Face-to-face interaction: The requesting party visits your practice through an in-person representative. This representative brings all necessary documents.
- Fax: The requesting party uses official government letterhead to fax documents that confirm the party’s identification.
HIPAA identity verification requirements list the following items as acceptable forms of authorized proof:
- Proof of government status
- Photo ID
- A phone number for further contact
- Social security number or card
- Birth certificate
If a patient requests their information over the phone or by email, they should provide their birth date, current physical address, emergency contact information, and the last four numbers of their social security identification.
When Is HIPAA Identity Verification Not Necessary?
Verification is unnecessary when:
- The patient requests information in person
- The requester is a spouse, family member, or friend identified by the patient as able to access the information
- The requester is a staff member involved with the patient’s medical treatment
- The requesting party asks in the presence of the patient and is engaged in the conversation
The U.S. Department of Health and Human Services offers more information about HIPAA compliance for small practices.
Keep Up with HIPAA Identity Verification Requirements with PracticeForces
Stay on top of HIPAA identity verification requirements and breach notification rule requirements with solutions from PracticeForces. Our services extend beyond the average billing solutions. We can also assist you in staying HIPAA-compliant in all areas. Call 727-291-9217 with any service inquiries.