One of the persistent questions we field on HIPAA compliance concerns how to verify the identity of a person requesting copies of a patient's record. The HIPAA Privacy Rule (specifically, 45 C.F.R. Section 164.514(h)) requires covered entities to verify a personal representative's authority to act on behalf of a patient, but the Privacy Rule defers to state law to establish who is a "personal representative" (subject to some restrictions involving patient safety). The answer to the FAQ on this subject posted on the HIPAA section of the CMS website states that "covered entities should continue to identify personal representatives as they have done in the past."
So, how exactly should a covered entity verify the authority of a personal representative? We know one facility that requires a notarized statement that the person claiming representative status is who they purport to be. To our way of thinking, this isn't good enough, in part because there is no disincentive to those determined to lie. After all, when was the last time you heard of someone being prosecuted for perjury?
For starters, let's consider minor patients. Parents presenting their minor children for treatment will have many documents indicating their parental status– a health care benefit card showing the minor as a dependent is an excellent one. Collecting a copy of the parent's picture identification and "pegging" it to the minor's chart might assist the provider, as these identification cards also contain a facsimile signature against which the provider can compare the signature on a request for records. In situations involving divorce or custodial disputes, our experience is that the parent with the decision-making authority (or the court order) is more than willing to share this authority (and the noncustodial parent's limitations) with providers. In contested cases, it might be wise to get a copy of the minor's birth certificate.
In the case of deceased patients, every state has a formal process by which the executor or administrator of the estate can be identified. Providers should insist on official documentation from the probate (or other) court evidencing this status. We have had clients prepare an information package (complete with probate court forms and maps with directions) to help family members obtain this status. The same rationale holds true for durable powers of attorney for health care – the provider should insist on having a copy of this document in the patient's chart before interacting with this person as the patient's authorized "representative."
Where formal procedures and documentation exist to grant or validate the status of a patient's personal representative, providers should attempt to obtain such documentation as the only acceptable proof of a requestor's legal status. In the absence of this appropriate documentation, one will never be certain that the release was made to a person with proper authority, and the provider is at risk.