document HPA-005 : Verification for Release of Patient Information

This policy is migrated from the Medical Center and TCH manuals, and is intended to facilitate compliance across the Health System with HIPAA requirements regarding information to be verified before patient information can be released.

  1. effective date:

    March 1, 2020
  2. content:

    Applies To:                       

    The Medical Center, the School of Medicine, the School of Nursing, Claude Moore Health Sciences Library, Transitional Care Hospital, the Health System Development Office/UVA Health Foundation (“Health System Development Office”), and the University of Virginia Physicians Group (“UPG”) (for purposes of this policy, individually an “Entity” or collectively the “Entities”).

    Reason for Policy:          

    To facilitate compliance with HIPAA requirements regarding verification of identification and authority of a person requesting Protected Health Information.                                               

    Definition of Terms:      

    Team Members – All persons providing clinical, educational, research, administrative, or other services within or for the benefit of the Health System regardless of Employer.

    Policy Statement:           

    If the identity and authority of a person requesting information about a patient are not known, Team Members shall apply best common practice safeguards in verifying the identity of persons requesting information about patients. The verification procedures set out below are consistent with the Health Insurance Portability and Accountability Act (HIPAA) requirements.[1]               


    1.  Verification Information

    To verify a person’s identity as the patient or as a family member or friend involved in the patient’s care, Team Members shall first obtain the following information from the person making the inquiry:

      1. Patient’s legal first and last name, plus
      2. One of the following items: date of birth, medical record number or other documentation which sufficiently verifies the patient’s identity.
      3. For CarePartner program participants, the patient’s first and last name as recorded in the patient’s electronic medical record, and CarePartner security code[2] must be provided for verification. 

    2.   Outpatient Appointments

    Team Members may provide the time and location of a patient’s outpatient appointment to help the patient with travel arrangements or other care coordination. Additional verification is required before providing information about appointments in OB/GYN and Infectious Disease clinics. Team Members receiving inquiries about these clinic appointments shall verify the caller’s identity by requesting items 1.a. and 1.b. and two of the items in 1.c. above.  

    Inquiries from callers who cannot provide this verification information shall be relayed to the clinics, where Team Members will seek permission from the patient before releasing information to the caller. 

    Operators/Patient Information Team Members who receive telephone call requests for specific information regarding when a patient may be picked up after an outpatient appointment shall call the clinic, whose Team Members will check with patients about their desire to release this information.

    3.  Speaking with Family Members or Friends

    Health care providers may speak with family members and friends of a patient about the patient’s condition, beyond directory information (name and location), if the patient has indicated that this is permissible. If the patient is not present to be consulted or is incapacitated, providers may, if they determine it is in the patient’s best interest, give family members and friends involved in the patient’s care information that is directly relevant to their involvement. In such circumstances, the information shared shall be limited to the minimum necessary information; see also HPA-002 “Minimum Use and Disclosure of Protected Health Information.” See also MCP 0092 “Release of Patients’ Protected Health Information.”

    4.  Medical Records Requests from Patient, Family or Friends

    Copies of the medical record may be provided to the patient or to an authorized representative[3] as described in Medical Center Policy 0092 “Release of Patients’ Protected Health Information”; TCH Policy 0092 “Release of Patients’ Protected Health Information”; UPG Policy Release of Protected Health Information.

    5.  Billing Information Requests

    Patients seeking to discuss a bill shall be asked to provide verification information as in section 1 above. Family members or friends seeking to discuss a patient’s bill on the patient’s behalf shall verify their identities and involvement in the patient’s care as specified in section 1 above. After completing verification, the account representative may discuss the bill amount, dates of service, and related third party payments. Additional information and copies of itemized bills may be given to the patient’s authorized representative (as described in Medical Center Policy 0092 “Release of Patients’ Protected Health Information”, TCH Policy 0092 “Release of Patients’ Protected Health Information”, and UPG Policy Release of Protected Health Information) either in person or via mail addressed to the patient at the patient’s address. The account representative may verify the caller’s status as an authorized representative by contacting Health Information Services.

    6.  Physician Inquiries

    When an outside physician’s office calls for information about a patient, Team Members shall take reasonable steps to verify the physician’s role in the patient’s care, such as asking for the patient’s name, address, and date of birth or by making a call back. Written requests from physicians’ offices shall be on office letterhead and contain sufficient information about the patient to verify the physician’s role in the patient’s care. Written requests for the entire medical record shall be forwarded to Health Information Services.

    7.  Inquiries from Government Agencies or Government Officials

    Requests from government agencies for information about a patient shall be directed to Health Information Services. Requests from individual government officials for information about a patient may be directed to Health Information Services. HIS shall document each such request, and any resulting record release, in the patient’s EMR. If the inquiry is the result of a patient complaint, the request shall be addressed in accordance with Medical Center Policy No. 0070 “Patient Complaints and Grievances”, or TCH Policy No. 0070 “Patient Complaints and Grievances” as applicable. For patients seen in UPG clinics, if an inquiry is made by the Department of Health, pursuant to Sections 32.1-36 and 32.1-37 of the Code of Virginia and 12 VAC 5-90-80 and 12 VAC 5-90-90 of the Board of Health Regulations for Disease Reporting and Control, UPG will make reports according to the Virginia Reportable Disease List. For inquiries made by Child or Adult Protective Services about patients seen in a UPG clinic, UPG licensed staff will disclose such information as required by the applicable licensing board of each staff member.

    8.  Law Enforcement

    Calls from law enforcement regarding more than directory information about a patient shall be forwarded to the Medical Center Office of Patient Safety and Risk Management. For UPG Clinics, UPG staff will release basic information to law enforcement officials, including the appointment date/time and the names of individuals who accompanied the patient. If law enforcement has been alerted by a 911 call regarding a serious and imminent threat to public safety at a UPG Clinic, UPG Clinic Team Members may provide law enforcement authorities with the minimum information concerning clinic patients which may be necessary for response to, or investigation of, such threat.


    Related Information:    


    Approved by/Date:        

    Executive Vice President for Health Affairs/February 2020

    Health System Leadership/February 2020

    Health System Policy Committee/February 2020


    Revision History: N/A


    [1] This Policy does not apply to the release of directory information on inpatient location in the Medical Center. Such disclosure is governed by Health System Policy HPA-004 “Requests for Restriction of Patient Information”.

    [2] Upon admission, the patient’s CarePartner, if one is identified, is provided a security code which is the last 4 digits of the account number.

    [3] Patient’s “authorized representative” may be used interchangeably with such terms as “legal representative”, “surrogate decision maker”, “healthcare agent” and “legally authorized agent” appearing in other Medical Center policies, unless noted in the policy.

  3. signature(s):

    K. Craig Kent, MD
    Executive Vice President for Health Affairs, University of Virginia

    signature date: