HIPAA Authentication and the Privacy Rule

To authenticate something is to prove or verify its identity. Both the HIPAA Privacy Rule and the HIPAA Security Rule have authentication requirements. Under the HIPAA Privacy Rule, providers must authenticate, or verify, the identity of someone requesting access to PHI. The subject of HIPAA authentication, in relation to the Privacy Rule, is discussed below.

HIPAA Authentication and the Privacy Rule

Under the HIPAA Privacy Rule, a provider, before disclosing PHI to someone who requests it, must verify that person’s identity and authority. This rule applies when that person’s identity or authority is not already known to the provider. If, for example, a patient’s employer, with whom the provider has not previously communicated, requests access to PHI, the provider must verify that the employer is who he or she claims to be, and that the employer has authority to access protected health information.

HIPAA Authentication

The type of identity verification the provider must use depends upon how the request for PHI is made. Individuals, other than patients, who make an in-person request for access to PHI may verify their identity by presenting a valid photo ID, driver’s license, or passport. In the case of a request made by mail, the covered entity may require that the request be made on official letterhead and bear the person’s signature. The provider should verify that the mailing address is in fact accurate.

When a patient requests in-person access to his or her own PHI, the provider may require the patient to present a valid photo ID, driver’s license, or passport. When a patient mails a request for access, the provider should validate the signature on the request. This is done by comparing the signature on the mailed request with the patient’s signature that is already on file. When a patient mails the request, the provider should validate the return address. That address must match the address the patient has previously provided. If a patient submits an email request for access to PHI, the provider must ensure the email address matches the email address currently on file.

If a patient requests access to PHI by phone, a provider may ask the patient to provide his or her name, and at least two other identifiers out of the following list:

  • Patient’s date of birth
  • Address
  • Emergency contact name
  • Last four digits of the patient’s SSN

If an individual makes a request as a legal representative or on behalf of a minor, the provider should obtain evidence of the relationship between the minor and the representative (e.g., parent or custodian). The provider should also obtain evidence that the requesting representative actually has authority to act as a representative. The provider may do this by verifying that the minor is on the parent’s health insurance plan as a dependent, or by requesting a copy of the minor’s birth certificate.
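The phone, mail, and email checks described above, as an added example that is not part of the original page: a small verification routine over a constructed on-file patient record. The record layout, helper names, and the rule that a caller is told only whether enough identifiers matched (never which one failed) are assumptions, not requirements stated by the Privacy Rule.

```python
"""Identity checks for PHI access requests by channel (example code, not from
the original page; record fields, helper names and sample data are assumed)."""
import hmac

# Constructed sample record: what the provider already has on file.
ON_FILE = {
    "name": "Jane Q. Patient",
    "dob": "1980-04-12",
    "address": "12 Elm St, Springfield",
    "emergency_contact": "John Patient",
    "ssn_last4": "1234",
    "email": "jane@example.com",
}
# The four identifiers the page lists for phone requests.
PHONE_IDENTIFIERS = ("dob", "address", "emergency_contact", "ssn_last4")


def _norm(value):
    """Case- and whitespace-insensitive form so trivial typing differences pass."""
    return " ".join((value or "").strip().lower().split())


def _match(claimed, on_file):
    # Constant-time compare so response timing does not hint which field failed.
    return hmac.compare_digest(_norm(claimed).encode(), _norm(on_file).encode())


def verify_phone_request(claims, record, required=2):
    """Phone: caller must give the patient's name plus at least `required` of the
    listed identifiers. Returns (ok, matched_count). Deliberately does not report
    which identifier was wrong, so a caller cannot probe the record field by field."""
    if not _match(claims.get("name"), record["name"]):
        return False, 0
    matched = sum(1 for key in PHONE_IDENTIFIERS
                  if key in claims and _match(claims[key], record[key]))
    return matched >= required, matched


def verify_email_request(sender_address, record):
    """Email: the sending address must equal the address currently on file."""
    return _match(sender_address, record["email"])


def verify_mail_request(return_address, signature_matches, record):
    """Mail: the return address must match the address on file, and the signature
    must match the one on file (signature_matches is the result of that manual check)."""
    return bool(signature_matches) and _match(return_address, record["address"])
```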

HIPAA Authentication and Unreasonable Measures

While the Privacy Rule allows providers to require verification of the identity of the person requesting access, a provider may not impose unreasonable HIPAA authentication measures on an individual requesting access. HIPAA authentication measures that serve as barriers to obtaining access, or that unreasonably delay someone from obtaining access, may violate the HIPAA Privacy Rule.

Examples of HIPAA authentication measures that a provider may not impose include requiring an individual:

  • Who requests that a copy of his or her medical record be mailed to his or her home address, to physically come to the doctor’s office to request access and provide proof of identity in person;
  • To use a web portal for requesting access; or
  • To mail access requests, as opposed to permitting in-person, fax, or electronic requests.

HIPAA Authentication and Public Officials

The Privacy Rule permits providers to rely on a representation of a public official as to his or her identity, if such reliance is reasonable under the circumstances.

For a provider to rely on this representation, the public official must make the request:

  • In person by presenting an agency identification badge, other official credentials, or other proof of government status; or
  • In writing on the appropriate government letterhead.

If a person acting on behalf of a public official is making the request, the provider may ask that person to provide a written statement on appropriate government letterhead that the person is acting under the government’s authority. The provider may ask for other evidence of the person’s status as someone acting on behalf of the government. Other evidence includes a contract for services, memorandum of understanding, or purchase order that establishes that the person is acting on behalf of the public official.
