Paubox blog: HIPAA compliant email made easy

HIPAA compliant patient identity verification

Written by Kirsten Peremore | December 29, 2023

Accurately identifying patients when receiving a request to access patient records allows healthcare providers to link medical information correctly to each individual, minimizing the risk of unauthorized data access. This emphasizes the importance of patient identity verification to ensure HIPAA compliance and protect patient rights.

See also: What are HIPAA Right of Access provisions?

The principle of reasonable verification 

The HIPAA guidelines require entities to verify the identity of individuals requesting access to Protected Health Information (PHI) by implementing reasonable verification methods. The verification process should be proportionate to the potential risks involved. It should be decided based on professional judgment and discretion, considering the specific context of each request.

The goal is to balance the need for security against the right of individuals to access their health information without unnecessary barriers or delays. For instance, the verification process for in-person requests might differ from that for electronic requests, reflecting the varying levels of risk and practicality in different scenarios. By adopting this principle, HIPAA aims to ensure that PHI is accessed securely and only by authorized individuals, while also preventing overly burdensome verification procedures that could impede access to necessary healthcare information.

Methods to ensure HIPAA compliant identity verification for Right of Access requests

  • Request identification: Start with the basic step of requesting a valid form of identification from the patient. This can be a government-issued photo ID, such as a driver's license or passport. For online verification, ask for digital copies of these documents.
  • Use verification questions: Implement a set of questions that only the patient will likely know the answers to. These can include date of birth, home address, the last four digits of their Social Security Number, or details about their recent healthcare encounters.
  • Verification over the phone: If a patient calls, use a combination of personal information verification and security questions. Training staff on how to effectively and securely handle telephonic verification is crucial.
  • Follow up with email or SMS confirmation: After a patient accesses their PHI, especially online, send a confirmation message via email or SMS. This step ensures that the patient is aware of the access and can report any unauthorized activity.

How does the method of request impact the method of verifying patient identity?

For in-person requests, healthcare providers typically ask for a government-issued photo ID, such as a driver's license or passport, and may also use verification questions about the patient's personal information. This direct interaction allows for a more straightforward and immediate verification process. In contrast, for phone requests, the verification relies heavily on knowledge-based methods, like asking for the patient's personal information. These methods require careful handling to maintain security over the phone and depend heavily on thorough staff training.

For electronic requests through patient portals or email, the process often involves digital methods of verification, such as secure login credentials, two-factor authentication, or email confirmation. This electronic verification might include sending a code to the patient's registered phone number or HIPAA compliant email address, which the patient must then enter to gain access. In cases where a patient uses a web portal, the system might have pre-set security questions or require biometric verification if the technology is available. The choice of verification method thus adapts to the nature of the request.
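The code-based electronic verification just described, together with the follow-up confirmation message recommended in the methods list above, can be put into concrete terms. The following is an added example written for this article, not code from Paubox or from any HIPAA guidance; the class and function names (`OtpVerifier`, `issue`, `verify`), the ten-minute code lifetime, the three-attempt limit and the sample patient and contact values are all constructed assumptions. It shows the points a practitioner would check in such a flow: the code goes only to the contact already on file, the server stores a hash of the code rather than the code itself, comparison is constant-time, the code expires and is single-use, repeated wrong guesses void it, each step is written to an audit trail, and a confirmation is sent to the registered contact once access is granted.

```python
"""Illustrative one-time-code verification for electronic Right of Access
requests, plus the post-access confirmation message. Constructed example;
time limits, attempt limits and names are assumptions, not HIPAA requirements."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 600   # assumed lifetime of a delivered code (10 minutes)
MAX_ATTEMPTS = 3         # assumed guess budget before the code is voided


@dataclass
class Challenge:
    patient_id: str
    contact: str          # registered phone number or email already on file
    code_hash: bytes      # only a hash of the code is kept server-side
    expires_at: float     # epoch seconds
    attempts: int = 0
    used: bool = False


@dataclass
class OtpVerifier:
    challenges: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    outbox: list = field(default_factory=list)   # stands in for SMS/email delivery

    @staticmethod
    def _hash(challenge_id: str, code: str) -> bytes:
        # Bind the hash to the challenge id so a code cannot be replayed
        # against a different challenge.
        return hashlib.sha256(f"{challenge_id}:{code}".encode()).digest()

    def issue(self, patient_id: str, contact: str, now: float,
              code: Optional[str] = None) -> str:
        """Create a challenge and 'send' the code to the registered contact.
        The contact comes from the patient's record, never from the request
        itself. `code` may be supplied only for deterministic testing."""
        challenge_id = secrets.token_urlsafe(16)
        code = code or f"{secrets.randbelow(10**6):06d}"
        self.challenges[challenge_id] = Challenge(
            patient_id, contact, self._hash(challenge_id, code),
            now + CODE_TTL_SECONDS)
        self.outbox.append((contact, f"Your verification code is {code}"))
        self.audit_log.append((now, patient_id, "code_issued"))
        return challenge_id

    def verify(self, challenge_id: str, submitted: str, now: float) -> bool:
        """Return True only for a fresh, unused, correctly guessed code."""
        ch = self.challenges.get(challenge_id)
        if ch is None or ch.used:
            return False
        if now > ch.expires_at:
            self.audit_log.append((now, ch.patient_id, "code_expired"))
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            ch.used = True   # void the code after too many wrong guesses
            self.audit_log.append((now, ch.patient_id, "code_locked"))
            return False
        ok = hmac.compare_digest(self._hash(challenge_id, submitted), ch.code_hash)
        if ok:
            ch.used = True   # single use
            self.audit_log.append((now, ch.patient_id, "verified"))
            # Follow-up confirmation so the patient can spot unauthorized access.
            when = time.strftime("%Y-%m-%d %H:%M UTC", time.gmtime(now))
            self.outbox.append((ch.contact,
                                f"Your health records were accessed at {when}. "
                                "If this was not you, contact our privacy office."))
        else:
            self.audit_log.append((now, ch.patient_id, "code_mismatch"))
        return ok


if __name__ == "__main__":
    v = OtpVerifier()
    t0 = 1_703_840_400.0   # constructed timestamp
    cid = v.issue("patient-001", "+1-555-0100 (constructed)", t0)
    print("delivered:", v.outbox[-1])
    code = v.outbox[-1][1].split()[-1]
    print("verified:", v.verify(cid, code, t0 + 60))
    print("confirmation:", v.outbox[-1])
```

The verifier never stores or logs the code itself, and the challenge id returned to the caller is what the web session carries; the patient supplies only the six digits they received. In a real deployment the `outbox` would be replaced by the organisation's SMS or HIPAA compliant email gateway, and the audit log would feed the access log reviewed during incident response.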

See also: How to train healthcare staff on HIPAA compliance