Using PHI to confirm a patient ID is not a HIPAA violation if you have authorization to access the PHI being used, if the confirmation of patient IDs is one of your functions within a covered entity, and if the purpose for using PHI to confirm a patient ID qualifies as a treatment, payment, or health care operation under §164.506 of the HIPAA Privacy Rule.
There are multiple scenarios in which a healthcare professional may be asked to confirm a patient ID. In some of these scenarios, the only way to confirm a patient ID is by comparing an identifying name, number, characteristic, or code against personally identifiable information maintained in a designated record set alongside Protected Health Information (PHI).
Provided the healthcare professional has the authorization to access the PHI being used to ID the patient, and the confirmation of patient IDs falls within their job description, it is not a HIPAA violation if the purpose of confirming a patient ID qualifies as a treatment, payment, or health care operation. However, in other circumstances, whether the use of PHI is a HIPAA violation is a fact-specific determination.
Factors that Determine a HIPAA Violation
For purposes other than health care operations, the factors that determine whether using PHI to confirm a patient ID is a HIPAA violation include who is asking for confirmation of a patient’s ID, if the use of PHI to ID the patient is prohibited by §164.502(a)(5) of the HIPAA Privacy Rule, and whether the patient has requested privacy protections for uses and disclosures of PHI.
If an individual requesting confirmation of a patient ID is not a member of the covered entity’s workforce or does not have a direct treatment relationship with the patient, it may be permissible to use PHI to confirm a patient ID if the individual requires the information for a purpose permitted by §164.512 of the HIPAA Privacy Rule – for example, for a public health activity.
However, if an individual is requesting confirmation of a patient ID to identify a patient who has sought reproductive health care, it is a HIPAA violation to use PHI to confirm the patient’s ID unless the individual provides an attestation that the PHI will not be further used or disclosed to conduct an investigation into the patient or to impose criminal, civil, or administrative liability on the patient.
If In Doubt, Escalate the Request
With regard to patients who have requested privacy protections, healthcare professionals must be very careful not to violate HIPAA inadvertently. If asked to confirm a patient ID for a patient who has requested privacy protections, the best response is to escalate the request to a supervisor because responding “I can’t confirm the patient’s ID because they have requested privacy protections” could be interpreted as a positive identification.
Indeed, if there is ever any doubt that a use or disclosure of PHI for any purpose is a HIPAA violation, it is always best to escalate requests to a higher authority. It is not possible to explain every possible scenario during HIPAA training and healthcare professionals are advised never to take shortcuts with HIPAA compliance due to the risk of an impermissible disclosure that jeopardizes the confidentiality and integrity of a patient’s PHI.