The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) released new guidance this month providing clarification regarding individuals’ right under HIPAA to access their own Protected Health Information (PHI). The guidance from OCR did not provide any new rules, but rather focused on providing greater clarity to healthcare providers as a result of obstacles to consumers uncovered by HHS studies and enforcement efforts.
The guidance addressed a broad range of topics regarding individual consumer access to PHI, but largely focused on process including requests for access and provision of access. The “Requests for Access” section of the guidance specifically addresses identity verification (although simultaneously acknowledging a lack of clarity and direction regarding methods of verification within the Privacy Rule). In addition to the requirements of the privacy rule, this section also addresses the identity verification requirements of the HIPAA security rule.
The “Unreasonable Measures” section of the guidance makes a notable distinction between methods of requesting access to PHI that may be permitted, but cannot be required by healthcare providers. Within this section HHS specifically notes that consumers cannot be required to come to a healthcare provider’s office to provide proof of identity.
While this new guidance still leaves plenty of room for interpretation, it does make it clear that all healthcare providers must have a process in place for remotely verifying identity. While remote verification of identity is frequently associated with the access of PHI through Web portals, this requirement extends to requests by phone (where requests by phone are permitted), and requests by writing. The IdentiFlo Management Platform can provide healthcare providers with the necessary capabilities to perform identity verification remotely for any of these request types.