Disclosure of Protected Health Information
We reorganize the provision regarding verification of identity of individuals requesting protected health information to improve clarity, but we retain the substance of requirements proposed in the NPRM in § 164.518(c), as follows.
The covered entity must establish and use written policies and procedures (which may be standard protocols) that are reasonably designed to verify the identity and authority of the requestor where the covered entity does not know the person requesting the protected health information. The knowledge of the person may take the form of a known place of business, address, phone or fax number, as well a known human being. Where documentation, statements or representations, whether oral or written, from the person requesting the protected health information is a condition of disclosure under this rule or other law, this verification must involve obtaining such documentation statement, or representation. In such a case, additional verification is only required where this regulation (or other law) requires additional proof of authority and identity.
The NPRM proposed that covered entities would be permitted to rely on the required documentation of IRB or privacy board approval to constitute sufficient verification that the person making the request was a researcher and that the research is authorized. The final rule retains this provision.
For most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation. Additional proof is required by other provisions of this regulation where the request is made pursuant to § 164.512 for national priority purposes. Where the person requesting the protected health information is a public official, covered entities must verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities are required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Where § 164.512 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official's proof of identity and the official's oral statement that the request is authorized by law are not sufficient to constitute the required reasonable evidence of legal authority; under these provisions, only the required written evidence will suffice.
In some circumstances, a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases, the covered entity is required to verify the requestor's identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence includes a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency's authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.
In some circumstances, identity or authority will be verified as part of meeting the underlying requirements for disclosure. For example, a disclosure under § 164.512(j)(1)(i) to avert an imminent threat to safety is lawful only if made in the good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and to a person reasonably able to prevent or lessen the threat. If these conditions are met, no further verification is needed. In such emergencies, the covered entity is not required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations are appropriate in such situations.
Similarly, disclosures permitted under § 164.510(a) for facility directories may be made to the general public; the covered entity's policies and procedures do not need to address verifying the identity and authority for these disclosures. In § 164.510(b) we do not require verification of identity for persons assisting in an individual's care or for notification purposes. For disclosures when the individual is not present, such as when a friend is picking up a prescription, we allow the covered entity to use professional judgment and experience with common practice to make reasonable inferences.
Under § 164.524, a covered entity is required to give individuals access to protected health information about them (under most circumstances). Under the general verification requirements of § 164.514(h), the covered entity is required to take reasonable steps to verify the identity of the individual making the request. We do not mandate particular identification requirements (e.g., drivers licence, photo ID), but rather leave this to the discretion of the covered entity. The covered entity must also establish and document procedures for verification of identity and authority of personal representatives, if not known to the entity. For example, a health care provider can require a copy of a power of attorney, or can ask questions to determine that an adult acting for a young child has the requisite relationship to the child.
In Subpart C of Part 160, we require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity must verify the same information that it is required to verify for any other law enforcement or oversight request for disclosure.
Use of Protected Health Information
The proposed rule's verification requirements applied to any person requesting protected health information, whether for a use or a disclosure. In the final regulation, the verification provisions apply only to disclosures of protected health information. The requirements in § 164.514(d), for implementation of policies and procedures for 'minimum necessary' uses of protected health information, are sufficient to ensure that only appropriate persons within a covered entity will have access to protected health information.