Verification of Callers Identity MTBC.pptx

PURPOSE The purpose of this Policy is to provide guidelines for callers who communicate with patients and respond to requests for the disclosure of PHI. POLICY This SOP will apply to all employees who communicate with patients. A caller’s identity must be verified prior to any release of PHI to said caller.

PROCEDURE Requests from or disclosures to an unidentified caller claiming to be a patient: If a caller states he/she is a patient and he/she is requesting PHI about himself/herself, the employee will not provide the PHI unless the employee has made reasonable efforts to positively verify the caller’s identity. Prior to disclosing PHI, the employee shall ask four specific “standard questions”. These questions include the following: Patient Account Number Patient’s date of birth Patient name Patient’s street address\Zip Patient’s Member ID Last four digits of SSN Even if the employee knows the patient and recognizes the voice on the telephone as being that of the patient, the employee will reconfirm the caller's identity by asking the specific “standard questions” mentioned above. If there is some doubt, the employee should place a return call to the patient using the telephone number documented in the patient's file rather than immediately disclosing the patient's PHI to the caller initiating the telephone conversation.

2. Requests from or disclosures to a caller who is not a patient. If the caller states he/she is an immediate family member (i.e., father, mother, child, sibling) of the patient and one of the following applies, the employee may disclose any and all PHI regarding the patient to the family member: (a) the patient (N.B. patient must answer the “standard questions”) provides verbal consent on the phone to MTBC permitting MTBC to disclose any and all PHI to said family member; or (b) the family member forwards MTBC an executed power of attorney or HIPAA authorization form. If “a” and “b” above do not apply, then the employee may continue the discussion with the family member; however, the discussion should be limited to either the intake of demographic information (i.e., family member provides new payer details or proper spelling of last name) of disclosure of balance details. The employee should not provide the family member with details regarding diagnoses or procedures.

3. Requests from or disclosures to a caller who is an Attorney, not a patient. If a person who is not a patient but is calling on behalf of the patient i.e. patient’s attorney or patient’s employer etc and requests to disclose or forward patient’s confidential information, the caller should not disclose any information unless he provides us HIPAA Authorization letter. a. Documenting disclosures made over the telephone. If PHI is disclosed to a caller, the employee will document the disclosure with the name and contact information (address and telephone number) of the caller, the date of the disclosure, a brief description of the PHI disclosed (e.g., Date of Service, financial information etc.) and a brief statement of the purpose of the disclosure (e.g., provide information for follow-up appointment, provide information for balance inquiry, etc.). Documentation regarding the release shall be preserved for six (6) years. 4 . Enforcement All employees of MTBC, NJ and MTBC, ISB are required to fully comply with the provisions of this policy. Anyone found to be in violation of this policy will be exposed to disciplinary action and penal consequences