A hospital employee in Colorado hands a stack of lab results to a man standing at the front desk. He says he's the patient's father. No ID check. No written authorization reviewed. No documentation of the interaction. Three weeks later, the patient — a 28-year-old woman — files a complaint with the Office for Civil Rights. She never authorized her father to receive those results. That single handoff kicks off an investigation, and the organization discovers it has no written verification procedures at all.
This is exactly the kind of scenario that makes HIPAA verification requirements so critical. Before you release protected health information to anyone — a patient, a family member, another provider, a government agency — you must verify both who they are and whether they have the authority to access the PHI they're requesting. Skip either step, and your organization is exposed.
What Are HIPAA Verification Requirements, Exactly?
Under the HIPAA Privacy Rule at 45 CFR § 164.514(h), a covered entity must verify the identity and authority of any person requesting PHI — if that person's identity or authority is not already known to you. This applies to disclosures made without patient authorization, such as those for treatment, payment, health care operations, or disclosures required by law.
There are two distinct verification checks your staff must perform:
- Identity verification: Confirming the person is who they claim to be. This could be a government-issued photo ID, a callback to a known phone number, or an established relationship with the individual.
- Authority verification: Confirming the person has the legal right or organizational authority to access the specific PHI they're requesting. A valid authorization form, a court order, a subpoena, or a statutory basis all qualify.
Both checks must happen before PHI leaves your hands. Not after. Not "when we get around to it." Before.
The Gap Between Policy and Practice
I've reviewed compliance programs at dozens of organizations, and here's what I consistently find: most have a verification policy buried in a binder somewhere. Almost none have trained their front-line staff on how to actually execute it.
Your receptionist might know to ask for a driver's license when a patient picks up records. But does she know what to do when a police officer walks in and demands a patient file? Does the nurse on the night shift know how to handle a phone call from someone claiming to be a patient's attorney?
These aren't hypothetical questions. They come up constantly. And when your workforce doesn't have clear, practiced procedures, they default to the path of least resistance — which usually means handing over PHI without proper verification.
Phone Requests Are the Weakest Link
In-person requests at least give you a visual cue. Phone requests strip that away entirely. Someone calls your billing department claiming to be a patient and asking for an account balance. How does your staff verify that caller's identity?
Strong organizations use callback procedures, patient-selected PINs, or knowledge-based authentication questions tied to information that isn't easily guessable. Weak organizations rely on a caller reciting a date of birth — information that's widely available through data breaches and public records.
If your phone verification process starts and ends with "date of birth and last four of Social," you have a problem. Those data points are not secrets anymore.
When Verification Isn't Required
The rule includes a practical carve-out. If you already know the identity and authority of the requester, you don't need to re-verify every single time. Your long-time referring physician who calls about a mutual patient? You know who she is. A patient standing in front of you with a wristband in your ED? Identity is established.
But "I recognized the voice" is not a verification method. And "they knew the patient's name" doesn't prove anything. Document why you considered the identity and authority already known. If you can't explain it later, you didn't verify.
The $4.3 Million Lesson From MD Anderson
The University of Texas MD Anderson Cancer Center learned a brutal lesson about PHI safeguards. OCR imposed a $4.3 million civil monetary penalty after multiple breaches involving unencrypted devices. While the core issue was ePHI encryption, the investigation exposed systemic gaps in how the organization controlled access to and disclosure of patient data — including weak verification practices around who could access what.
That's the thing about OCR investigations. They rarely stop at the initial complaint. Once investigators start pulling threads, they find every gap in your compliance program. Weak verification procedures give them another thread to pull. You can read about OCR's enforcement results on the HHS resolution agreements page.
Building a Verification Process That Actually Works
Policies are necessary but insufficient. Here's what I tell every organization I work with:
1. Write Role-Specific Procedures
Your front desk staff, your HIM department, your nurses, and your billing team all handle verification differently because they encounter different scenarios. Write procedures specific to each role. A one-size-fits-all policy creates confusion.
2. Create a Verification Matrix
Build a simple reference chart that your staff can tape next to their monitors. It should answer: Who is requesting PHI? What documentation do I need? Who do I escalate to if I'm unsure? Cover the most common scenarios — patient in person, patient by phone, family member, law enforcement, attorney, other provider, health plan.
3. Train on Refusal
This is the hardest part. Your staff need explicit permission and training to say no. When someone pushes back — "I'm his wife, just give me the records" — your team needs to know that refusing an unverified request is not rude. It's required. Our course Accessing Records: If It's Not Your Job, It's a Breach walks through exactly these scenarios, including the ones that feel uncomfortable.
4. Drill Incident Response
When someone does release PHI without proper verification, your team needs to act fast. That's a potential breach, and the clock starts ticking on your risk assessment and notification obligations under HHS breach notification rules. Our First 60 Minutes: Incident Response training gives your workforce a step-by-step playbook for those critical early moments.
Third Parties Your Staff Forgets to Verify
Most organizations focus verification training on patient requests and family members. But some of the highest-risk scenarios involve people your staff rarely encounters:
- Medical couriers: Someone shows up to pick up records or specimens. Are they who they say they are? Is the courier company authorized by the receiving provider? Our HIPAA Training for Medical Couriers addresses this specific gap.
- Law enforcement: Officers can request PHI under certain conditions, but they must meet specific criteria under the Privacy Rule. A badge alone is not sufficient authority for every type of request.
- Public health authorities: Legitimate public health requests have a legal basis. But your staff still needs to verify that the person contacting you actually represents the agency they claim to represent.
- Business associates and subcontractors: Just because an IT vendor has a BAA doesn't mean every employee of that vendor can access every system. Verify the individual and the scope of their authority.
How Do You Verify Identity for HIPAA Disclosures?
To verify identity for HIPAA disclosures, covered entities must confirm both the identity and the authority of the person requesting PHI before releasing it. Acceptable methods include reviewing government-issued photo identification, using callback procedures for phone requests, verifying written requests on official letterhead against known contact information, or relying on a pre-existing relationship where identity is already established. The specific method should match the risk level of the disclosure. All verification steps should be documented.
Documentation: The Part Everyone Skips
You verified the requester's ID. You confirmed their authority. You released the appropriate minimum necessary information. Great. Did you document any of it?
If OCR comes knocking two years from now, your staff won't remember that Tuesday afternoon phone call. Your documentation will be the only thing standing between you and a finding of noncompliance. Record what was requested, who requested it, how identity and authority were verified, what was disclosed, and when.
This doesn't have to be elaborate. A simple log or a note in the patient's record works. But it has to exist.
Your Verification Process Is Only as Strong as Your Last Training
Staff turn over. Procedures change. New threat vectors emerge. If your workforce hasn't been trained on HIPAA verification requirements in the last twelve months, your process has already degraded. The people answering your phones today may not be the same people who attended training last year.
Make verification training part of your annual HIPAA workforce training cycle. Make it scenario-based. Make it specific to the roles your people actually perform. And make it clear that verification isn't optional — it's a regulatory requirement with real consequences when it fails.
Browse our full HIPAA training catalog to find courses built for the real situations your team faces every day.