Privacy Officer's Roundtable

As you know, physician clinics frequently receive calls from patients asking for appointment dates, lab results, etc. We are in the process of re-evaluating our processes of validating identity before sharing PHI. What have you found to be a best-practice? Currently our EHR isn't capable of assigning a 4-digit PIN code of HIPAA password for the caller to provide. All ideas are welcome!

------------------------------
Alex Moseley CHPC,MBA
Privacy Coordinator
Via Christi Health
Wichita,KS
------------------------------

We have the same issue as a health plan when our members call.  We confirm identity by requesting the caller to confirm his/her DOB and last four of the SSN.  I think you can use any one or two identifiers that the client/patient has readily accessible.  While, yes, someone could still be "impersonating" the individual, we can only do what is reasonable.

------------------------------
Maura McGrath
Chief Compliance & Privacy Officer
Amida Care
New York,NY

Original Message:
Sent: 12-11-2015 10:49 AM
From: Alex Moseley
Subject: validating identity over the phone

As you know, physician clinics frequently receive calls from patients asking for appointment dates, lab results, etc. We are in the process of re-evaluating our processes of validating identity before sharing PHI. What have you found to be a best-practice? Currently our EHR isn't capable of assigning a 4-digit PIN code of HIPAA password for the caller to provide. All ideas are welcome!

------------------------------
Alex Moseley CHPC,MBA
Privacy Coordinator
Via Christi Health
Wichita,KS
------------------------------

Hi Alex,

We instruct all associates (we operate in mostly a call center environment) to verify two factors of PHI and normally utilize last four digits of SSN and DOB.  This works well, though we have found that repeat callers get agitated because "they already did that."  We remind them that the process is for their protection and that seems to ease the pain a little.

------------------------------
Jenny Roman
Privacy Officer
Human Arc Corp
Cleveland,OH

Original Message:
Sent: 12-11-2015 10:49 AM
From: Alex Moseley
Subject: validating identity over the phone

As you know, physician clinics frequently receive calls from patients asking for appointment dates, lab results, etc. We are in the process of re-evaluating our processes of validating identity before sharing PHI. What have you found to be a best-practice? Currently our EHR isn't capable of assigning a 4-digit PIN code of HIPAA password for the caller to provide. All ideas are welcome!

------------------------------
Alex Moseley CHPC,MBA
Privacy Coordinator
Via Christi Health
Wichita,KS
------------------------------

Original Message------

Hi Alex,

We instruct all associates (we operate in mostly a call center environment) to verify two factors of PHI and normally utilize last four digits of SSN and DOB.  This works well, though we have found that repeat callers get agitated because "they already did that."  We remind them that the process is for their protection and that seems to ease the pain a little.

------------------------------
Jenny Roman
Privacy Officer
Human Arc Corp
Cleveland,OH
------------------------------

Hi Tim,

When we make outbound calls, we ask for the patient/member and if they answer, we follow the same protocol.  We identify who we are and say they were referred to us by their hospital and health plan, but before we go into any specifics, we ask them for the last four digits of their SSN and their DOB.  If another family member/household member answers the phone, we ask that the patient/member returns the call, but do not disclose any specific/identifying information about the person.

Hope this helps!

Jenny

------------------------------
Jenny Roman
Privacy Officer
Human Arc Corp
Cleveland,OH

Original Message:
Sent: 12-16-2015 11:14 AM
From: Timothy May
Subject: validating identity over the phone

How are you handling outbound calls?

 

Thank you,

 

Tim

 

 

Timothy May

Compliance Supervisor

Privacy/Security Officer

UFCW & Employers Trust, LLC

Toll Free: (800)552-2400 ext. 7574       1000 Burnett Ave., Ste. 110

Direct:     (925) 746-7574                    Concord, CA  94520

Fax:         (925) 746-7549     

Email: tmay@ufcwtrust.com

 

CONFIDENTIALITY NOTICE:  This e-mail, including attachments, may include confidential and/or proprietary information, and may be used only by the person or entity to which it is addressed.  If the reader of this e-mail is not the intended recipient or his or her authorized agent, the reader is hereby notified that any dissemination, distribution or copying of this e-mail is prohibited.  If you have received this e-mail in error, please notify the sender by replying to this message and delete this e-mail immediately. You may also notify the sender by calling 1-800-552-2400.