Oklahoma State University Center for Health Sciences
OSU-CHS Centernet

Security Policies & Procedures

Section 15 - Person or Entity Authentication


Title: Person or Entity Authentication Policy: SEC-15.01
Category: HIPAA Compliance Authority: 45 CFR §
HIPAA Section:
Standard: Person or Entity Authentication Responsibility: Health Care Components
Effective Date: 04/20/2005
Download a printable PDF of this policy
Approved by: OSU Legal Counsel Revised: 7/1/2013

To verify the persons/entities requesting access to ePHI are authorized.


OSU will implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.  §164.312(d)

PHI, whether written or electronic, will not be accessed or released without verification of an outsider’s identity and authority to receive or access the requested PHI.
  1. OSU will take reasonable steps to verify an outsider’s identity prior to release of PHI if the outsider is not known to OSU staff.  Acceptable documentation includes a driver’s license, student ID, requiring the outsider to provide certain personal information such as a date of birth or insurance ID number.  For vendor access to ePHI, acceptable verification includes provision of account number and/or key words identified by the HIPAA Compliance Office.
  2. OSU will take reasonable steps to verify an outsiders authority to have access to a patient’s PHI if it is not known whether the outsider has such authority.  For instance, it may be required to determine the existence of a power of attorney or marital status.
  3. It is not necessary to verify identity of an outsider seeking directory information.
  4. It is not necessary to verify the identity of any person involved in the current health care of the patient, such as a family member or other relative, close friend or any other person identified in a documented manner by the patient.  Examples include but are not limited to:
    • Blood relative
    • Spouse
    • Boyfriend/girlfriend
    • Domestic partner
    • Neighbor
    • Colleague

Such disclosures to the above persons should be made upon the exercise of professional judgment, and every instance is different.

  1. A public official or someone acting on the official’s behalf may ask for PHI.  In these cases, OSU will rely on the following items to verify the identity of the requestor, if such request is made in person:
    • Agency ID
    • Official credentials
    • Other proof of government/agency status, (letter on letterhead)
  • If the request is made in writing, OSU will rely on the following items to verify the identity of the requestor:
    • Appropriate government/agency letterhead
    • A written statement on the appropriate letterhead that the person making the request is acting under the government’s authority
    • Other confirmatory or legal documentation
  1. If a public official or someone acting on the official’s behalf requests disclosure of PHI, OSU may rely on the following:
    • A warrant, subpoena or court order issued by a grand jury or judicial official
    • A written statement on government letterhead describing the legal authority under which the request is made
    • The good faith statement by the official that the information is needed to avert risk of the health or safety of a person or the public.

OSU employee(s) or agent utilizing any system that contains PHI will have unique logon credentials issued.  The Okey account will be unique, as will the logon to the software systems.

If anyone has reason to believe that the person logging in is not the person to whom the unique credentials were issued are to immediately notify IT and the HIPAA Compliance Office.

Any employee or agent of OSU using someone else’s logon credentials with or without the knowledge of the other person will face sanctions.
In order to receive an Okey account, one must provide a valid driver’s license and Social Security Card, or other forms of valid identification

top of page top


OSU-CHS on Facebook OSU-CHS on Twitter OSU Medicine on You Tube