As noted in section II.E. above, for many permitted disclosures the covered entity would be responding to a request for disclosure of protected health information. For most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, we would require the covered entity to verify the identity of the requestor. In addition, for certain categories of disclosures, covered entities would also be required to verify the requestor’s legal authority to make the request.
Under § 164.514, a covered entity would be required to give individuals access to protected health information about them (under most circumstances). The covered entity would also be required to take reasonable steps to verify the identity of the individual making the request for access. We do not propose to mandate particular identification requirements (e.g., drivers licence, photo ID, etc), but rather would leave this to the discretion of the covered entity.
Covered entities would be required to verify both the identity of persons requesting protected health information and their authority for requesting such information when the request is from a person with whom the covered entity does not routinely do business and the disclosure would be permitted by the following subsections of § 164.510: under § 164.510(b) for public health, under § 164.510(c) for oversight, under § 164.510(e) to coroners and medical examiners, under § 164.510(f) for law enforcement, under § 164.510(g) for governmental health data systems, under § 164.510(m) for special classes, and for disclosures required by other laws under § 164.510(n). Covered entities would be required to verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities would be required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Unless § 164.510 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official’s proof of identity and the official’s oral statement that the request is authorized by law would be presumed to constitute the required reasonable evidence of legal authority. Where § 164.510 does require written evidence of legal process or authority, only the required written evidence will suffice.
We considered specifying the type of documentation or proof that would be acceptable, but decided that the burden of such specific regulatory requirements on covered entities would be unnecessary. Therefore, we propose only a general requirement for reasonable verification of identity and legal authority.
In § 164.522, we would require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity should verify the same information that it would verify for any other law enforcement or oversight request for disclosure.
In some circumstances a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases the covered entity would be required to verify the requestor’s identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence would include a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency’s authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.
For disclosures permitted under § 164.510(k) for emergency circumstances and under § 164.510(l) to next-of-kin, legal authority for the request would not be an issue. Therefore covered entities would only be required to verify the identity of the person requesting the disclosure. Where protected health information is requested by next-of-kin, covered entities would be required to make reasonable verbal attempts to establish the identity of the person making the request. Written proof would not be required. Covered entities could rely on prior acquaintance with the next-of-kin; verbal verification of identity would not be required at each encounter. Where protected health information is requested in an emergency, the covered entity would similarly not be required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations would be appropriate in such situations.
When another person is acting as the individual through power of attorney or other legal authority, covered entities would also be required to make reasonable attempts to ascertain that the person making the request has the necessary legal authority or relationship in order to make the disclosure. For example, a health care provider could require a copy of a power of attorney, or could ask questions to determine that an adult acting for a young child has the requisite relationship to the child.
Most disclosures under § 164.510(i) are routine transactions with banking and other financial institutions. As noted above, for routine transactions there would be no verification requirements. However, should such financial institution make a special request for information in addition to the information routinely provided for payment purposes (e.g., pursuant to a fraud or similar investigation), the covered entity would be required to obtain reasonable evidence of the identity of the person requesting the information.
The conditions for disclosures for judicial and administrative proceedings and research are discussed in § 164.510 (d) and § 164.510(j), respectively. Conditions for permitted disclosures under § 164.510(h) for facility directories include no verification requirements.