How to Verify the Identity and Authority of a Person Requesting PHI (45 CFR § 164.514(h))

Executive Summary

Under HIPAA, covered entities are required to verify both the identity and authority of individuals requesting access to Protected Health Information (PHI). The standard in 45 CFR § 164.514(h) helps prevent unauthorized disclosures, especially in settings where verbal or written requests may appear routine. For small healthcare practices, understanding the distinction between verifying identity and authority is essential to implementing safeguards without disrupting workflow. This article provides practical guidance, including case examples and risk prevention strategies.

Introduction

It’s common for a receptionist or medical assistant to receive requests for patient records, sometimes from a patient’s family member, other times from an insurance company, law enforcement officer, or legal firm.

But how do you know that the person making the request:

  • Is who they say they are, and

  • Has the right to access that patient’s PHI?

Under HIPAA, assuming good faith is not enough. Covered entities must take reasonable steps to verify both identity and authority, especially when the person is unknown or the disclosure involves sensitive data.

What Does 45 CFR § 164.514(h) Require?

HIPAA’s standard requires that before any disclosure of PHI:

  1. Identity must be verified if the person is not already known to the entity.

  2. Authority must be verified if the disclosure is based on the requester’s legal power or role.

  3. The verification must be reasonable based on the context and the type of request.

This verification applies whether the request is made in person, by phone, by fax, or electronically.

Key Definitions

Identity

This is confirmation of who the individual is. It applies when the person is not already known to the entity or to the staff receiving the request.

Acceptable proofs:

  • Government-issued photo ID

  • Institutional ID badge

  • Business letterhead and callback verification

  • Electronic credentials (e.g., secure portal login)

Authority

Authority refers to the legal or official capacity to access PHI.

Examples of authority:

  • Legal guardianship over a minor

  • Power of attorney

  • Executor of an estate

  • Subpoena or court order

  • Public health or law enforcement authority

The entity must confirm that the requester is legally permitted to receive the data requested.

Case Study: Verbal Request from a “Spouse” Leads to Disclosure Breach

At a small internal medicine practice, a seemingly routine phone call turned into a costly compliance failure. A staff member received a call from a woman who confidently identified herself as the wife of an established patient. She asked for his recent lab results, and without hesitation or verification, the staff member provided the information.

What the practice didn’t know was that the patient and the caller had been separated for months. When the patient later discovered that his private medical information had been disclosed without his consent, he filed a formal complaint with the Office for Civil Rights (OCR).

What the Investigation Revealed:

  • Failure to verify identity: The staff member made no effort to confirm the caller’s identity or relationship to the patient.

  • No authorization on file: There was no documentation indicating the patient had granted permission for his spouse to receive protected health information (PHI).

  • Lack of procedural safeguards: The practice had no formal policy, script, or checklist to guide staff in handling telephone requests for sensitive health information.

Consequences and Corrective Measures:

OCR determined that the practice had violated HIPAA’s Privacy Rule, specifically its requirements for safeguarding PHI and verifying requesters. The breach also triggered liability under applicable state privacy laws, heightening the severity of the infraction.

As part of the enforcement resolution:

  • All staff underwent retraining on patient verification protocols

  • The practice was required to develop written procedures for phone communications involving PHI

  • A corrective action plan was submitted and approved by OCR

  • The incident was documented as part of the clinic’s compliance history, which may impact future audits or complaints

Lesson:

Verbal familiarity does not equal legal authority. Assuming someone’s right to access health information, without verification or documented patient consent, is a direct violation of HIPAA.

Every phone call involving PHI must follow a script or policy that includes identity verification, confirmation of authorized access, and documentation. It takes only a moment of misplaced trust to compromise a patient’s privacy and expose your practice to penalties.

Verification Methods by Request Type

Request Type                  | Identity Verification           | Authority Verification
------------------------------|---------------------------------|---------------------------------------
In-person by patient          | Photo ID                        | Not needed if for own PHI
Family member by phone        | Callback to number on file      | Authorization on record
Attorney or law firm          | Bar number, letterhead          | HIPAA authorization or subpoena
Law enforcement               | Badge and department ID         | Warrant, subpoena, or statutory basis
Public health agency          | Official email or agency letter | State/federal legal mandate
Executor of deceased’s estate | Photo ID                        | Probate documentation

Tips for Handling Common Scenarios

Phone Requests

  • Call back to the number on record for the patient.

  • Never disclose PHI on inbound calls without verification.

  • Use identity-verification scripts for consistency.

Faxed or Mailed Requests

  • Require the request on official letterhead.

  • Confirm legitimacy with a callback to the listed number.

  • If patient authorization is included, verify signature validity.

Electronic Requests

  • Use secure patient portals or encrypted email channels.

  • Do not accept screenshots or casual email as sufficient verification.

  • Require two-factor authentication for unknown third-party requests.

Common Pitfalls and How to Avoid Them

Pitfall                                             | Risk                        | Prevention Strategy
----------------------------------------------------|-----------------------------|-------------------------------------------------------------------------------
Assuming verbal confirmation is enough              | Unauthorized PHI disclosure | Require documentation or call-back verification
Disclosing to relatives without prior authorization | Breach of patient rights    | Check patient records for authorization or personal representative designation
Accepting outdated or expired legal documents       | Legal noncompliance         | Require current POA, guardianship, or court order
Not training frontline staff on verification        | Increased error risk        | Implement standardized scripts and annual refreshers
Relying on caller ID or email display               | Easy spoofing risk          | Always verify through established channels

Checklist: PHI Request Verification Protocol

Step                                          | Responsible Role                     | Required for
----------------------------------------------|--------------------------------------|----------------------------------------
Requestor identity is verified                | Reception or compliance staff        | All requests from unknown persons
Authority is documented (e.g., POA, subpoena) | Compliance Officer or legal reviewer | Third-party, legal, or estate requests
Verification method is recorded               | EHR admin or staff                   | Every PHI disclosure
Inbound calls are not used for disclosure     | All staff                            | Verbal requests
Staff trained on scripts and protocols        | Privacy Officer                      | Annually

Frequently Asked Questions

Can I rely on a faxed letter from a lawyer requesting records?

Only if the lawyer’s identity is confirmed, and they provide a valid HIPAA authorization or court order. Always verify through call-back to the law firm listed.

Is a parent always allowed access to a minor’s records?

Not always. If the minor has legal authority over their care (e.g., emancipated, receiving reproductive or mental health care), the parent may not have access without the minor’s authorization.

Can a receptionist verify identity verbally over the phone?

Not by itself. Callbacks to numbers on file or confirmation through other reliable methods are required before disclosing any PHI.

How should we document identity verification?

Best practice is to log the method of verification in the patient record or PHI request log. For example: “Caller verified by callback to patient’s number on file on 7/25/25 at 10:45 a.m.”
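The verification-method table, the pitfalls table, the checklist and the logging example above, combined into one added example (not from the article): a small Python helper that decides whether a PHI request may be fulfilled and, if so, produces the log line to record. The request-type tags, field names, dates and sample requests are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Accepted identity proofs and authority documents per request type, following the
# article's "Verification Methods by Request Type" table (tag names are this example's own).
RULES = {
    "patient_in_person": ({"photo_id"}, set()),  # own PHI: no authority document needed
    "family_by_phone": ({"callback_on_file"}, {"authorization_on_record"}),
    "attorney": ({"bar_number", "letterhead_callback"}, {"hipaa_authorization", "subpoena"}),
    "law_enforcement": ({"badge_department_id"}, {"warrant", "subpoena", "statutory_basis"}),
    "public_health": ({"agency_letter", "official_email"}, {"legal_mandate"}),
    "executor": ({"photo_id"}, {"probate_documentation"}),
}
# Proofs the article says are never sufficient on their own (spoofable or unverified).
REJECTED_PROOFS = {"caller_id", "email_display", "screenshot", "verbal_claim"}
TODAY = date(2025, 7, 25)  # constructed "current date" for the sample run

@dataclass
class Request:
    request_type: str
    channel: str          # "inbound_call", "callback", "in_person", "fax", "portal"
    identity_proofs: set  # proofs actually obtained for this request
    authority_docs: dict  # document tag -> expiry date, or None if the document is undated

def evaluate(req, today=TODAY):
    """Return (allowed, text): a denial reason, or the log line to record on success."""
    if req.request_type not in RULES:
        return False, "unknown request type: escalate to the Privacy Officer"
    if req.channel == "inbound_call":
        return False, "inbound calls are not used for disclosure: call back the number on file"
    need_identity, need_authority = RULES[req.request_type]
    identity = sorted((req.identity_proofs - REJECTED_PROOFS) & need_identity)
    if not identity:
        return False, "identity not verified by an acceptable method"
    # Authority must be documented and current; an expired POA or authorization does not count.
    current = sorted(doc for doc, exp in req.authority_docs.items()
                     if doc in need_authority and (exp is None or exp >= today))
    if need_authority and not current:
        return False, "authority missing or expired: require a current document"
    basis = current[0] if current else "own PHI (no authority document required)"
    return True, f"{today.isoformat()}: identity verified via {identity[0]}; authority: {basis}"

# Constructed sample requests (not real cases): the case study's "spouse" call and two others.
SPOUSE_CALL = Request("family_by_phone", "inbound_call", {"verbal_claim", "caller_id"}, {})
CALLBACK_OK = Request("family_by_phone", "callback", {"callback_on_file"}, {"authorization_on_record": None})
EXPIRED_AUTH = Request("attorney", "fax", {"bar_number", "letterhead_callback"}, {"hipaa_authorization": date(2024, 12, 31)})

if __name__ == "__main__":
    for r in (SPOUSE_CALL, CALLBACK_OK, EXPIRED_AUTH):
        print(evaluate(r))
```

The returned log line is what the checklist's "Verification method is recorded" step expects to land in the patient record or PHI request log.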

Final Takeaways

HIPAA doesn’t require perfection, but it does demand reasonable effort to verify both identity and authority. Especially for small practices, skipping verification steps can lead to serious regulatory and reputational harm.

To stay compliant:

  • Use written policies and scripts for staff

  • Document verification actions in patient records

  • Be skeptical of verbal-only requests

  • Train staff regularly on evolving threats (e.g., social engineering)

Verifying identity and authority isn’t just a bureaucratic step; it’s a safeguard that protects patients, your practice, and the integrity of healthcare as a whole. To further strengthen your compliance posture, consider using a HIPAA compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.

Compliance should never get in the way of care.