Q&A: ROI verification

Q. If we receive a release of information request from an attorney on behalf of a patient, is it acceptable to respond to the request without seeking verification from the patient on whose behalf the information is being requested?

A. The attorney should submit a HIPAA-compliant authorization signed by the patient or his or her legal representative. You should be able to verify the signature on the authorization by comparing it to a signature you have on file for this patient (such as a signed consent form). If you doubt the authenticity of the signature, it would be reasonable to contact the patient or his or her legal representative to verify the signature on the authorization form.

Editor's note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.