HIPAA - Trusted Requestor Process

GUIDANCE (Jan. 2007)

TRUSTED REQUESTOR PROCESS

Instructions to Individuals Providing PHI to Requestors

Generally, to obtain protected health information ("PHI") for purposes other than for treatment and payment, a requestor must complete the PHI Request Form or present documentation from the IRB to the HIPAA Program Office for approval. The HIPAA Program Office will review the request, contact the requestor, if necessary, with questions, and then determine whether the PHI can be used and disclosed according to the HIPAA Privacy Rule. The HIPAA Program Office will communicate its decision to the requestor and to the individual providing the PHI.

PHI requests for treatment and payment purposes are not required to go through the "trusted requestor" process; however the use and disclosure of the PHI must comply with the HIPAA Privacy and Security Rules.

The below guidance should be followed when individuals (e.g. data administrators, HIM Department) receive requests for PHI:

Requests in Support of Research

1. When receiving PHI requests for research, a UC/UCMC faculty or staff member must include the IRB protocol approval letter and the PHI Request Form with the request. If requesting PHI of more than one patient, a list may be attached to the IRB Form. It is not necessary to provide copies of the Patient Authorization forms for each of the patients on the list. The IRB approval letter will create a "trusted requestor" and the person providing the PHI to the requestor will rely on the requestor to secure appropriate patient authorizations as detailed to the IRB.

Requests Received By Phone (other than research)

2. If an area receives a call requesting that PHI be released over the phone to a UC/UCMC faculty or staff member, the receiving staff should verify the identity and authority of the caller by asking for his/her name, phone number, supervisor's name and department, and the purpose of the data request. If, based on the information received and the receiving staff's professional judgment, the requestor is believed to have the authority to receive the information, then the receiving staff should fax the PHI Request Form to the requestor and ask that he/she complete and submit the form to the HIPAA Program Office for final review. Of course, health care providers treating the patient are entitled to that patient's health information for treatment purposes (no form is required). If there is any question about the requestor or the purpose of the request, the person receiving the call should contact the HIPAA Program Office for assistance.
3. If an area receives a call requesting that PHI be released by e-mail, fax, or report delivery, the person receiving the e-mail should verify the requestor's identity and authority per #2 above, fax or e-mail the PHI Request Form, and tell the requestor to submit a completed and signed PHI Request Form to the HIPAA Program Office for review.

Regardless of how the request is received, if the HIPAA Program Office approves the data request, it will e-mail its approval to the requestor and the individual providing the PHI. After which, the PHI can be compiled and sent to the requestor in accordance with the HIPAA Program Office's E-mail and/or faxing guidelines.

Requests Received By Fax or E-mail (other than research)

4. The individuals receiving the request should verify the requestor's identity and authority per #2 above, fax or e-mail the individual a copy of the PHI Request Form, and direct the individual to complete and forward the Form to the HIPAA Program Office for review.

If the HIPAA Program Office approves the data request, it will e-mail its approval to the requestor and the individual providing the PHI. After which, the PHI can be compiled and sent to the requestor in accordance with the HIPAA Program Office's E-mail and/or faxing guidelines.

Trusted Requestor Exemption ("pre-approved") List
Certain individuals frequently request PHI (e.g. patient records, reports, and extracts) in support of hospital operations fundamental to their job functions. Those individuals are not required to complete a PHI Request Form for PHI requests. Those individuals are included on the Trusted Requestor Exemption List. If you wish to be added to the list, please ask your supervisor to contact the HIPAA Program Office.

HIPAA Program Office fax number is 2-6278

Contact Information

Questions may be directed to the HIPAA Program Office at 4-9716.
Questions about authorization forms and permitted uses and disclosures may be directed to Marilyn Hanzal, Associate General Counsel, at 2-1057.
Questions about research may be directed to Millie Maleckar at 2-1472.

Back to Guidances