
Know Your Patient – Verifying Patient Identity for Compliance and Fraud Prevention

The health care industry is massive and complex, and it deals with highly sensitive personal information. Therefore, it is crucial to properly collect and manage identity information in order to verify patient identity for compliance regulations (such as HIPAA), prevent medical identity theft and meet other Know Your Patient requirements.

Know Your Patient is a catch-all phrase that correlates to financial industries’ Know Your Customer requirements, which involve careful identity verification and due diligence procedures. While there are obvious parallels, such as strict regulatory requirements and the risk of fraud, the health industry has a significantly more complex service delivery environment. Health care relies on multiple parties, each with different data requirements, to provide care for a patient. One patient, with one illness, might require the services of a doctor, pharmacy, laboratory, specialist, hospital, care agency, government institution, insurer and more.

Each party of the health care journey needs to know the identity of the patient to make sure they are treating the right person. And, as health information is so private and sensitive, they need to make sure that the information is kept confidential and shared only with the identified person and appropriate health care providers. Keeping the correct records connected with the correct identity is fundamental to effective health treatment and recovery.

Use case #1 — verifying patient identity for HIPAA

As an example, in the U.S. there are numerous state, federal and industry-specific compliance regulations for verifying patient identity, such as HIPAA, HITECH and CLIA.

The Health Insurance Portability and Accountability Act (HIPAA) established a set of national standards for handling patient data. HIPAA is designed to allow for the effective creation and flow of electronic records while maintaining proper controls over the integrity and use of those records.

Any company that deals with protected health information (PHI) needs to make sure that they have proper privacy protections in place to safeguard patient data in all forms including raw data, emails, test results and documentation. These protections include security measures, usage policies, access controls, record-keeping requirements and communication protocols.

There are standard verification requirements for any PHI disclosure. In part:

Except with respect to disclosures under §164.510, verify the identity of a person requesting protected health information and the authority of any such person to have access to protected health information under this subpart, if the identity or any such authority of such person is not known to the covered entity;

There are numerous situations described, but note that “for most disclosures, verifying the authority for the request means taking reasonable steps to verify that the request is lawful under this regulation.” In this era of massive data breaches and privacy lawsuits, smart health care practitioners and institutions will protect both their own and their patients’ information and interests.

Use case #2 — preventing medical identity theft

The cost for proper health care is potentially exorbitant, especially if not covered by insurance. This cost creates a significant incentive for medical identity theft: the illegal access and use of a patient’s personally identifiable information (PII) to obtain medical treatment, services or goods.

According to one U.S. study, in 2017 there were over 300 medical/health care breaches, potentially exposing 171 million personal medical records. While regular ID thefts often make the news, the average cost to a victim is $55. Compare that to an average victim cost of $13,500 for a medical ID theft and the scope of the misdeed becomes more apparent. Victims face potential loss of insurance coverage, damage to their credit history and even criminal charges due to prescription drug activity.

Use case #3 — reducing inaccurate medical information

Perhaps the most problematic issue is inaccurate and potentially life-altering information being put on someone’s medical record. As medical records are meant as a comprehensive and permanent account of a person’s health care history, they are very difficult to change. Under HIPAA, “the right to request an amendment does not apply to medical information not created by the provider or insurer currently maintaining or using the information.” Thus, inaccurate information entered by a third party might not ever be changed.

Ensuring accurate identity at the start of service would help protect patients and help avoid losses due to fraudulent claims and mis-billing.

Improving patient identification across the industry

There are many uses for proper patient identification along the health care journey. As digital health care initiatives become more sophisticated and prevalent, there’s more need to perform effective online identity verification. From telemedicine sessions to online pharmacies, onboarding new patients to changing insurance coverage, quick and seamless identity processes are a way to improve the patient experience, help ensure compliance and prevent fraudulent use.