UAMS ADMINISTRATIVE GUIDE
|SUBJECT:||VERIFICATION OF IDENTITY POLICY|
The following terms have the same meaning as the terms defined in the HIPAA regulations:
Disclosure means the release, transfer, providing access to, or divulging of Protected Health Information in any manner outside of UAMS.
Protected Health Information (PHI) means information that is part of an individual’s health information that identifies the individual or there is a reasonable basis to believe the information could be used to identify the individual, including demographic information, and that (i) relates to the past, present or future physical or mental health or condition of the individual; (ii) relates to the provision of health care services to the individual; or (iii) relates to the past, present, or future payment for the provision of health care services to an individual. This includes PHI which is recorded or transmitted in any form or medium (verbally, or in writing, or electronically). PHI excludes health information maintained in educational records covered by the federal Family Educational Rights Privacy Act and health information about UAMS employees maintained by UAMS in its role as an employer.
UAMS Workforce means physicians, employees, volunteers, residents, students, trainees, visiting faculty, and other persons whose conduct, in the performance of work for UAMS, is under the direct control of UAMS, whether or not they are paid by UAMS.
Prior to disclosing any Protected Health Information, UAMS will verify the identity and authority of all individuals requesting Protected Health Information, including access to or a copy of Protected Health Information, if the identity or authority of such individuals is not known.
A. General -- Verification of Identity/Authority: If the identity or authority of a person requesting PHI is not known to the UAMS workforce member responding to the request, the identity and authority of that person shall be verified prior to providing any PHI.
B. How to Verify Identity: Prior to disclosing any PHI, and if identity of the person requesting PHI is not known, the UAMS workforce will request information to verify the identity of the requesting party, such as the person’s valid driver’s license with a photograph. To verify identity of public officials, see “Identity of Public Officials” section of this Policy.
C. How to Verify Authority: The UAMS workforce will obtain any documentation, statements, or representations, whether oral or written, from the person requesting the PHI when the authority of the person to receive the PHI is not known
For Example: Prior to disclosing PHI to a person claiming to have legal authority to act on behalf of a patient, UAMS will request a copy of the document appointing the person with such legal authority, such as a Durable Power of Attorney including healthcare decisions, a Health Care Proxy appointing a person to make healthcare decisions for the patient, a court order appointing a Guardian for the patient, a court order appointing an Administrator or Executor or Personal Representative (or similar title) of the Estate of a deceased person.
D. Examples for Verifying Identity and Authority when it is not known to you: Individual departments should develop procedures for verifying identity and authority that are tailored to their specific work areas. The following are examples that may be used to verify identity and authority:
1. If the requestor is a patient: Only the identity of the patient needs to be verified, such as a combination of full name and date of birth, and last four digits of Social Security number or other demographic information checked against documentation in our system.
2. If the requestor is a family member: Their name, relationship to the patient and the ability to provide specific identifying information regarding the patient may be used to verify identity. To verify authority to obtain patient information, check for documentation in the patient’s record regarding their authority to receive information about the patient. If no such documentation, you may ask for the patient to call back to provide verbal permission to speak with the family member or ask for a copy of the document establishing the authority.
3. If the requestor is a UAMS Employee: Viewing their UAMS I.D. Badge or obtaining their name, phone number and department or UAMS billing number and determining the purpose of the request for information.
4. If the requestor is a non-UAMS provider or other covered entity: Their name, phone number and organization’s name plus the ability to provide specific identifying information regarding the patient, and the purpose for the request, such as for treatment or payment . When in doubt call the number back or ask them to fax a written request on company letterhead.
E. Identity of Public Officials: UAMS may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the disclosure of PHI is to a public official or a person acting on behalf of the public official:
1. If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status; or
2. If the request is in writing, the request is on the appropriate government letterhead; or
3. If the disclosure is to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government's authority or other evidence or documentation of agency, such as a contract for services, memoranda of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
UAMS may rely, if such reliance is reasonable under the circumstances, on documentation, statements, or representations that, on their face, reflect that the requesting party has authority to obtain the information.
F. Authority of Public Official: UAMS may rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the disclosure of PHI is to a public official or a person acting on behalf of the public official:
1. A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; or
2. If a request is made pursuant to a warrant, order, or other legal process issued by a grand jury or a judicial or administrative tribunal, the legal authority may be presumed to exist, and the UAMS workforce must obtain a copy of the document and contact the UAMS Office of General Counsel.
G. Exceptions to Verification of Identity/Authority Requirements:
1. Patient Directory: UAMS is not required to verify the identity or authority of a person prior to disclosing information from the Patient Directory, as long as the patient has not opted out of the Patient Directory. If the patient has not opted out of the Patient Directory, the information which may be disclosed is limited to the patient’s location in the facility and a one-word general statement of the patient’s condition, and this information may be shared with any person who identifies the patient by name. See the “UAMS, 3.1.20 Release of Patient Directory Information Policy” for more information.
2. When Patient Has Signed Authorization Form and PHI is to be Mailed: When a patient has provided to UAMS a signed Authorization form (original or a copy) requesting release of his/her PHI to another party, and UAMS is mailing the PHI to the name and address stated in the Authorization Form, UAMS is not required to verify the identity or authority of the party designated by the patient to receive the information. (Note: The Authorization must contain the elements required by HIPAA, or the UAMS Authorization for Release of Information Form attached to the UAMS Use and Disclosure of PHI and Medical Records Policy, 3.1.28, must be used.)
3. When Patient Has Signed Authorization Form and PHI is to be Released Over the Phone or Picked Up, Verify Identity, but Not Authority: When a patient has provided to UAMS a signed Authorization Form (original or a copy) requesting release of his/her PHI to another party, and UAMS is to release the information over the phone, or the information is to be picked up by the designated party, UAMS is not required to verify the authority of the party designated by the patient to receive the information. The authority of that person is created by virtue of the patient designating the person in the Authorization Form. However, the identity of the person must be verified to confirm that the person requesting the PHI by phone or in person is the same person who is named in the patient’s authorization form.
For example: UAMS may request to see a valid driver’s license with the person’s picture to verify their identity. (Note: The Authorization Form must contain the elements required by HIPAA, or the UAMS Authorization for Release of Information form attached to the UAMS Use and Disclosure of PHI and Medical Records Policy must be used.)
4. Verifying Identity/Authority of Family/Friends Involved in Care When Patient Present: As long as the patient’s identity is known, UAMS workforce are not required to verify the identity or authority of person that the patient identifies as being a member of the patient’s family, a friend or other person directly involved in the patient’s care, and the patient is present on the phone or in person when the identification is made.
For example: If a family member calls for PHI, and the patient is present during the phone call and informs the UAMS workforce member on the phone that UAMS can share the PHI being requested with the family member, UAMS is not required to verify the identity or authority of the family member at that time. In this circumstance, UAMS would verify that it is the patient who is on the phone, but would not need to verify the identity or authority of the family member. See UAMS Use and Disclosure of PHI and Medical Records Policy, 3.1.28 regarding disclosures to family/friends involved in patient’s care for more information.
If the friend or family member claims to be a legal representative or otherwise has some type of legal authority to act on behalf of the patient in the patient’s absence, this is a different situation, and UAMS will refer to the Use and Disclosure of PHI and Medical Records Policy regarding legal representatives, and also refer to the “Verification of Authority” Section C of this Policy.