The Patient and the Driver’s License
“We need to make a copy of your driver’s license,” insisted the young front desk assistant at the doctor’s office. “Why?” asked the reluctant gray-haired patient. “Well, this is just something we are required to do for HIPAA,” responded the assistant. “Really? What if I do not let you?” the patient huffed.
Who is right? All too often today, we hear responses in health care settings that “we must do this,” or “we are required to do that,” or the dreaded “HIPAA makes us do this.” Unfortunately, quite a few of these seemingly mandated legal requirements are merely myths, HIPAA myths, if you will. (HIPAA refers to the federal Health Insurance Portability and Accountability Act.) Laws like HIPAA were well-meant, but given the complexity of the regulations that make up HIPAA, there can be quite a bit of confusion about what to do and what not to do. So, what to do?
Well, the first rule of thumb is to review the actual statute or regulation that supposedly calls for the required action. An example of required action would be posting a notice of your office’s privacy practices (see, e.g., 45 Code of Federal Regulations, Section 164.520). Do not simply implement a policy in your office because someone else is doing it that way. If you have a difficult time, however, locating what is called primary legal authority, call your trade association and ask them to help you (you could call your legal advisor; we love to hear from clients, but your association may have that information handy without ticking time on a legal clock).
The next thing to do is inject a healthy dose of common sense into your policies, especially when a patient may be asked to do something. And, notably, consider the patient’s perspective when you are about to require them to help you comply with a law. Here, let’s use the driver’s license as an example. A driver’s license contains a fair amount of personal information along with the usually unflattering photograph. There is the patient’s home address, the license number, a rough approximation of height and weight (most of us fudge a little, right?), and even more intimate details like date of birth, medical restrictions such as use of eyeglasses, organ donor status, and your signature. Personal stuff. So, you probably should have a better sense now that the seemingly innocuous request to photocopy that personal document may be met with the huffing and some puffing by the now disgruntled patient.
Okay, back to the first rule of thumb, are you required by a statute or regulation to photocopy a driver’s license? Short answer says, no. What? No? But, what about HIPAA? This scenario actually may not be a real HIPAA myth but an identity theft protection myth (obviously not as quotable, in a legal literature sense, as the term “HIPAA myth”). A few years back, the Federal Trade Commission (FTC) threatened that physicians would have to develop identity theft protection compliance plans under a regulatory program known as the Red Flags Rule. One of the requirements there would have been for a doctor’s office to verify the identity of the person presenting in the office. How do you do that? Check a driver’s license or other photo identification. The regulations did not require making a photocopy of the identification, but many folks probably assumed that was a simple way to check off compliance with verifying the patient was who they said they were. Is the Red Flags Rule law for physician practices? No, not at this time, and likely not any time too soon, if ever. The FTC backed off its decision to require physicians to comply with the rule largely due to legal action by the American Medical Association and the passage of clarifying legislation by Congress. Many doctors’ offices, however, did start implementing pieces of an identity theft protection program. For offices that have been duped by misuse or outright fraud of health insurance cards, having a procedure in place to verify the patient’s identity made sense. That process still makes sense today.
Legally, though, putting a photocopy of a driver’s license in a file could create more issues in the long run. Why? In addition to federal laws regarding the privacy and security of protected health information (i.e., HIPAA), there may be state legal requirements about privacy and identity protection issues too. For example, in Oregon, there is a law that addresses protection of personal information (see, Oregon Revised Statutes 646A.600). Both a driver’s license number and the identification card are included in the definition of “personal information” that must be safeguarded by a business that maintains that information in its files. There is a legal requirement to notify the person regarding any breach of that information, and there could be penalties assessed up to $1,000 for each violation of the state law.
So what about the request to photocopy a driver’s license? While there is no legal prohibition against photocopying a license and most patients probably do not think about the request too deeply, the decision about how to proceed does come down to a legal risk assessment along with some common sense and public relations consideration.
From a legal perspective, putting more personal information in your files, such as a photocopy of a driver’s license, does increase legal risk, especially if that information falls into the wrong hands. Be mindful of federal and state reporting requirements too if there is a breach of that information. Providers accept that risk anyway with protected health information under HIPAA, so adding more information may not be a burdensome risk to accept. From a common sense and public relations perspective, though, a patient should not be made to feel like their privacy is being invaded any more than is necessary. Yes, they are consenting to treatment and to telling their health care provider intimate details about their medical history. As for other private information like a driver’s license, think about whether you want to absolutely require a copy versus just spot checking the ID and noting that it was checked. Also, if a picture of a patient is desired for recordkeeping, rather than maintaining the driver’s license copy in the file, consider taking your own picture without all that other personal information.
In closing, as with all HIPAA myths, the law could change. Someday perhaps a definitive identification process will be legally mandated in the health care setting. If you hear about that, what will you do? If your response is to ask to see the statute or regulation, well done, and class dismissed.