Verify Identity and Authority: Avoid the "Spouse" Trap

Executive Summary

Under HIPAA, covered entities are required to verify both the identity and authority of individuals requesting access to Protected Health Information (PHI). The standard in 45 CFR § 164.514(h) helps prevent unauthorized disclosures, especially in settings where verbal or written requests may appear routine. For small healthcare practices, understanding the distinction between verifying identity and authority is essential to implementing safeguards without disrupting workflow. This article provides practical guidance, including case examples and risk prevention strategies.


Introduction

It’s common for a receptionist or medical assistant to receive requests for patient records, sometimes from a patient’s family member, other times from an insurance company, law enforcement officer, or legal firm.

But how do you know that the person making the request:

  • Is who they say they are, and

  • Has the right to access that patient’s PHI?

Under HIPAA, assuming good faith is not enough. Covered entities must take reasonable steps to verify both identity and authority, especially when the person is unknown or the disclosure involves sensitive data.

Risk Identification and Mitigation Expectations

Verification failures are treated by OCR as an identifiable compliance risk that must be addressed through organizational safeguards. Covered entities are expected to recognize unauthorized disclosure risks arising from phone, fax, and third-party requests and implement mitigation measures such as scripts, escalation protocols, and workforce training. When verification weaknesses are known or foreseeable but not addressed, OCR frequently characterizes the failure as a systemic control deficiency rather than an isolated error, increasing enforcement exposure.

What Does 45 CFR § 164.514(h) Require?

HIPAA’s standard requires that before any disclosure of PHI:

  1. Identity must be verified if the person is not already known to the entity.

  2. Authority must be verified if the disclosure is based on the requester’s legal power or role.

  3. The verification must be reasonable based on the context and the type of request.

This verification applies whether the request is made in person, by phone, by fax, or electronically.

Verification of identity and authority under § 164.514(h) does not eliminate the obligation to apply the minimum necessary standard under § 164.514(d). Even when authority is properly verified, disclosures must still be limited to the minimum amount of PHI necessary to accomplish the stated purpose. OCR enforcement actions frequently cite over-disclosure following valid verification, particularly where entire medical records were released without documented justification.

Authority Scope Validation

Verification of authority requires confirmation not only that authority exists, but that it covers the specific information requested. Legal instruments such as powers of attorney, guardianship orders, or court documents may limit access to certain categories of information or purposes. OCR enforcement actions frequently cite disclosures that exceeded the scope of documented authority, even where authority was otherwise valid.

Key Definitions

Identity

This is confirmation of who the individual is. It applies when the person is not already known to the entity or to the staff receiving the request.

Acceptable proofs:

  • Government-issued photo ID

  • Institutional ID badge

  • Business letterhead and callback verification

  • Electronic credentials (e.g., secure portal login)

Authority

Authority refers to the legal or official capacity to access PHI.

Examples of authority:

  • Legal guardianship over a minor

  • Power of attorney

  • Executor of an estate

  • Subpoena or court order

  • Public health or law enforcement authority

The entity must confirm that the requester is legally permitted to receive the data requested.

Case Study: Verbal Request from a “Spouse” Leads to Disclosure Breach

At a small internal medicine practice, a seemingly routine phone call turned into a costly compliance failure. A staff member received a call from a woman who confidently identified herself as the wife of an established patient. She asked for his recent lab results, and without hesitation or verification, the staff member provided the information.

What the practice didn’t know was that the patient and the caller had been separated for months. When the patient later discovered that his private medical information had been disclosed without his consent, he filed a formal complaint with the Office for Civil Rights (OCR).

What the Investigation Revealed:

  • Failure to verify identity: The staff member made no effort to confirm the caller’s identity or relationship to the patient.

  • No authorization on file: There was no documentation indicating the patient had granted permission for his spouse to receive protected health information (PHI).

  • Lack of procedural safeguards: The practice had no formal policy, script, or checklist to guide staff in handling telephone requests for sensitive health information.

Consequences and Corrective Measures:

OCR determined that the practice had violated HIPAA’s Privacy Rule, specifically its requirements for safeguarding PHI and verifying requesters. The breach also triggered liability under applicable state privacy laws, heightening the severity of the infraction.

As part of the enforcement resolution:

  • All staff underwent retraining on patient verification protocols

  • The practice was required to develop written procedures for phone communications involving PHI

  • A corrective action plan was submitted and approved by OCR

  • The incident was documented as part of the clinic’s compliance history, which may impact future audits or complaints

When OCR identifies failures related to § 164.514(h), resolution agreements typically require implementation of written verification procedures, workforce retraining with documented completion, and ongoing monitoring of disclosure practices. Corrective action plans frequently include mandatory audit logs, reporting periods ranging from one to three years, and formal attestations of compliance. Sustained documentation and oversight are emphasized over one-time remediation.

Lesson:

Verbal familiarity does not equal legal authority. Assuming someone’s right to access health information, without verification or documented patient consent, is a direct violation of HIPAA.

Every phone call involving PHI must follow a script or policy that includes identity verification, confirmation of authorized access, and documentation. It takes only a moment of misplaced trust to compromise a patient’s privacy and expose your practice to penalties.

Verification Methods by Request Type

| Request Type | Identity Verification | Authority Verification |
|---|---|---|
| In-person by patient | Photo ID | Not needed if for own PHI |
| Family member by phone | Callback to number on file | Authorization on record |
| Attorney or law firm | Bar number, letterhead | HIPAA authorization or subpoena |
| Law enforcement | Badge and department ID | Warrant, subpoena, or statutory basis |
| Public health agency | Official email or agency letter | State/federal legal mandate |
| Executor of deceased’s estate | Photo ID | Probate documentation |

Tips for Handling Common Scenarios

Phone Requests

  • Call back to the number on record for the patient.

  • Never disclose PHI on inbound calls without verification.

  • Use identity-verification scripts for consistency.

Faxed or Mailed Requests

  • Require request on official letterhead.

  • Confirm legitimacy with a callback to listed number.

  • If patient authorization is included, verify signature validity.

Electronic Requests

  • Use secure patient portals or encrypted email channels.

  • Do not accept screenshots or casual email as sufficient verification.

  • Require two-factor authentication for unknown third-party requests.

Common Pitfalls and How to Avoid Them

| Pitfall | Risk | Prevention Strategy |
|---|---|---|
| Assuming verbal confirmation is enough | Unauthorized PHI disclosure | Require documentation or call-back verification |
| Disclosing to relatives without prior authorization | Breach of patient rights | Check patient records for authorization or personal representative designation |
| Accepting outdated or expired legal documents | Legal noncompliance | Require current POA, guardianship, or court order |
| Not training frontline staff on verification | Increased error risk | Implement standardized scripts and annual refreshers |
| Relying on caller ID or email display | Easy spoofing risk | Always verify through established channels |

Checklist: PHI Request Verification Protocol

| Step | Responsible Role | Required for |
|---|---|---|
| Requestor identity is verified | Reception or compliance staff | All requests from unknown persons |
| Authority is documented (e.g., POA, subpoena) | Compliance Officer or legal reviewer | Third-party, legal, or estate requests |
| Verification method is recorded | EHR admin or staff | Every PHI disclosure |
| Inbound calls are not used for disclosure | All staff | Verbal requests |
| Staff trained on scripts and protocols | Privacy Officer | Annually |
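As an added example that is not part of the original article, the following Python sketch encodes the verification table and checklist as a policy check: it evaluates a PHI request in the order the standard implies (identity by a method accepted for the channel, then authority on record, its currency and its scope) and produces the audit line the FAQ below recommends. The channel names, evidence labels and sample requests are constructed for illustration and are not from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Identity evidence accepted per request channel, mirroring the
# "Verification Methods by Request Type" table; inbound caller ID never counts.
IDENTITY_EVIDENCE = {"in_person": {"photo_id"}, "phone": {"callback_to_number_on_file"},
                     "fax": {"letterhead_and_callback"}, "portal": {"portal_login_with_2fa"}}

@dataclass
class Authority:
    kind: str                    # e.g. "authorization_on_record", "poa", "subpoena"
    scope: Set[str]              # PHI categories the instrument actually covers
    expires: Optional[date] = None

@dataclass
class Request:
    requester: str               # "patient" or a third-party label such as "spouse"
    channel: str
    identity_evidence: Set[str]  # what the requester actually presented
    requested: Set[str]          # PHI categories asked for
    authority: Optional[Authority] = None

def evaluate(req: Request, today: Optional[date] = None) -> Tuple[str, List[str]]:
    """Identity check, then authority existence, currency and scope; return decision + reasons."""
    today = today or date.today()
    reasons = []
    if not req.identity_evidence & IDENTITY_EVIDENCE.get(req.channel, set()):
        reasons.append(f"identity not verified by an accepted method for '{req.channel}'")
    if req.requester != "patient":  # a patient asking for own PHI needs no authority check
        auth = req.authority
        if auth is None:
            reasons.append("no authority or patient authorization on record")
        elif auth.expires is not None and auth.expires < today:
            reasons.append(f"{auth.kind} expired on {auth.expires.isoformat()}")
        elif not req.requested <= auth.scope:
            reasons.append(f"exceeds {auth.kind} scope: {sorted(req.requested - auth.scope)}")
    return ("disclose" if not reasons else "deny", reasons)

def log_line(req: Request, today: Optional[date] = None) -> str:
    """Audit entry recording the verification method used, as the FAQ recommends."""
    decision, reasons = evaluate(req, today)
    method = ", ".join(sorted(req.identity_evidence)) or "none"
    return f"{req.requester}/{req.channel} verified_by={method} decision={decision} {'; '.join(reasons)}"

# Constructed samples: the case study's unverified "spouse" call, and a POA limited to billing.
SPOUSE_CALL = Request("spouse", "phone", set(), {"lab_results"})
POA_BILLING_ONLY = Request("agent", "fax", {"letterhead_and_callback"}, {"lab_results"},
                           Authority("poa", {"billing"}))
```

Running `evaluate(SPOUSE_CALL)` denies the request on two grounds (no accepted identity method, no authorization on record), and `POA_BILLING_ONLY` is denied because the instrument does not cover lab results even though identity was verified.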

Frequently Asked Questions

Can I rely on a faxed letter from a lawyer requesting records?

Only if the lawyer’s identity is confirmed, and they provide a valid HIPAA authorization or court order. Always verify through call-back to the law firm listed.

Is a parent always allowed access to a minor’s records?

Not always. If the minor has legal authority over their care (e.g., emancipated, receiving reproductive or mental health care), the parent may not have access without the minor’s authorization.

Can a receptionist verify identity verbally over the phone?

Not by itself. Callbacks to numbers on file or confirmation through other reliable methods are required before disclosing any PHI.

How should we document identity verification?

Best practice is to log the method of verification in the patient record or PHI request log. For example: “Caller verified by callback to patient’s number on file on 7/25/25 at 10:45 a.m.”

Official Resources

Final Takeaways

HIPAA doesn’t require perfection, but it does demand reasonable effort to verify both identity and authority. Especially for small practices, skipping verification steps can lead to serious regulatory and reputational harm.

To stay compliant:

  • Use written policies and scripts for staff

  • Document verification actions in patient records

  • Be skeptical of verbal-only requests

  • Train staff regularly on evolving threats (e.g., social engineering)

Verifying identity and authority isn’t just a bureaucratic step; it’s a safeguard that protects patients, your practice, and the integrity of healthcare as a whole. To further strengthen your compliance posture, consider using a HIPAA compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.
