Medical Records and the Law

240 CHAPTER 6: ACCESS TO HEALTH INFORMATIONthey are. State laws provide little guidance as to what actions constituteadequate verification, but the Privacy Rule prescribes specific steps toverify identity.Under the Privacy Rule, a covered entity is required as a general ruleto verify the identity of anyone requesting PHI, unless the covered entityalready knows the requester’s identity and the requester’s authorityto have access to the PHI. 625 Thus, a physician who knows his or herpatient is not required to verify the patient’s identity or authority to accessthe patient’s PHI. Verification is not required for disclosures ofPHI to facility directories or to family members and others involved inthe patient’s care. (See the discussion of these disclosures earlier in thischapter.)Before a covered entity may disclose PHI in certain circumstances,the Privacy Rule requires the person requesting PHI to make representationsor provide documentation. For example, a law enforcement officialseeking PHI in connection with a law enforcement activity mustrepresent, among other things, that the PHI is needed to determinewhether a crime has been committed. In these instances, the coveredentity must obtain the representation or documentation and may relyupon it if, on its face, the representation or documentation meets therequirements of the Rule and if that reliance is reasonable. 626 As a generalrule, therefore, covered entities should not rely on any representationor documentation that is in some way suspicious. If any doubtexists, it is better to err on the side of protecting the confidentiality ofhealth information, even if that means seeking the intervention of asenior manager of or legal counsel for the covered entity.When public officials or their agents request PHI, special rulesapply.The Privacy Rule permits covered entities to rely upon any of thefollowing to verify identity:• A badge or other official credentials presented personally• A request presented on appropriate government letterhead• If the disclosure is to an agent of a public official, a written statementon appropriate government stationery that the requester isacting under the government’s authority, or a contract or other documentationsubstantiating the requester’s status 62762545 C.F.R. § 164.514(h)(1)(i).62645 C.F.R. § 164.514(h)(2).62745 C.F.R. § 164.514(h)(2)(ii).