Verifying identity before disclosure

Checking identity prevents accidental disclosure, fraud, coercion and errors in the record. Do it routinely, respectfully and in proportion to the request.

Some patients may be annoyed by security questions, especially if they call often or are well known to staff. A brief explanation helps - say that checks protect their privacy and keep their record accurate.

Match the check to the risk

Local policy should specify which checks are required for different actions. Booking a routine appointment normally needs less verification than disclosing test results, changing contact details, discussing safeguarding concerns or dealing with a third-party caller.

Be more cautious when a caller asks for information to be sent to a new number or email, requests changes to contact details, asks for online access, claims urgency, or reacts angrily to checks.

Be careful with familiar patients

Long-serving staff and small communities can make checks awkward. Familiarity is not a substitute for the process. A wrong assumption can reveal private information or update the wrong record.

If a patient is distressed, has limited English, has communication needs or cannot answer routine questions, follow the alternative identity-check route in local policy rather than lowering standards informally.

Third-party callers need two checks

• Identify the patient: confirm the request applies to the correct record.
• Identify the caller: establish who they are and why they are calling.
• Check authority: confirm consent, proxy access, parental responsibility, legal authority or another approved basis.
• Limit disclosure: even authorised callers may only be entitled to specific information.

Safe identity checking

Identity checks protect confidentiality; knowing details about a patient does not automatically authorise disclosure.