Page 68 - Privacy

Page 68 - Privacy_Program

P. 68

VERIFICATION OF ENTITIES REQUESTING PHI [DP161]
Back to Table of Contents

Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; All Employees with
Access to Protected Health Information (includes Contractors, temporary employees and Interns)
Purpose: To ensure the organization discloses Protected Health Information only to authorized entities.
External Regulation or Standard: 45 C.F.R. §164.514 (h) ‐ verification requirements

Who is Statement Policy, Standard, or Procedure Statement
Responsible Number
Employees and others DP161.1 The organization will take necessary steps to verify the identity and legal
with Access to PHI authority of persons requesting disclosure of Protected Health Information (PHI).
Employees and others DP161.2 In verifying the identity and legal authority of a public official or a person acting
with Access to PHI on behalf of the public official requesting disclosure of PHI, the organization staff
may rely on the following, if such reliance is reasonable under the circumstances:
DP161.2a (a) documentation, statements, or representations that, on their face, meet the
applicable requirements for a disclosure of PHI;
DP161.2b (b) presentation of an agency identification badge, other official credentials, or
other proof of government status if the request is made in person;
DP161.2c (c) a written statement on appropriate government letterhead that the person is
acting under the government's authority;
DP161.2d (d) other evidence or documentation from an agency, such as a contract for
services, memorandum of understanding, or purchase order, that establishes
that the person is acting on behalf of the public official;
DP161.2e (e) a written statement of the legal authority under which the information is
requested;
DP161.2f (f) if a written statement would be impracticable, an oral statement of such legal
authority;
DP161.2g (g) a request that is made pursuant to a warrant, subpoena, order, or other legal
process issued by a grand jury or a judicial or administrative tribunal that is
presumed to constitute legal authority.
Employees and others DP161.3 The organization staff may rely on the exercise of professional judgment and
with Access to PHI follow the requirements of applicable state and other law in making the following
uses or disclosures of PHI:
DP161.3a (a) a use or disclosure to others for involvement in the individual's care; or
DP161.3b (b) a disclosure to avert a serious threat to health and safety.

Employees and others DP161.4 Staff will report to the area Chief and Director of Information Technology,
with Access to PHI Privacy and Data Security in a timely manner any discrepancies in the
verification of the identity or legal authority of an individual or entity
requesting PHI.
Employees and others DP161.5 Once it is determined that use or disclosure is appropriate, the organization staff
with Access to PHI with appropriate access clearance will access the individual’s PHI using proper
access and authorization procedures.
Employees and others DP161.6 The requested PHI will be delivered to the individual in a secure and confidential
with Access to PHI manner, such that the information cannot be accessed by employees or other
persons who do not have appropriate access clearance to that information.
Employees and others DP161.7 Staff with appropriate access will appropriately document the request and
with Access to PHI delivery of the PHI.

GES CONFIDENTIAL 64

63 64 65 66 67 68 69 70 71 72 73