Hugh Chatham Memorial Hospital recently used photo biometrics to prevent healthcare fraud.
One form of healthcare fraud seen in emergency departments at hospitals around the country is individuals attempting to commit identity theft in order to obtain prescription medication. With approximately 8.76 million people in the U.S. abusing prescription medicationand the lion’s share of those medications coming from a doctor’s prescription, medical facilities are proactively stepping up their efforts to implement stronger patient identification safeguards to ensure that the problem is addressed. After all, many patients may not understand the health dangers and risks of someone stealing your identity and inaccurate health data being attributed to your medical record – it is extremely dangerous and could result in serious injury, even death should a clinician act on incorrect protected health data (PHI) in your medical record.
Just how bad is the problem of prescription drug abuse in the U.S.? Consider the fact that every day in the United States, 44 people die as a result of prescription opioid overdose. Fortunately, there are tools available to catch identity fraud at the point-of-service in hospitals before harm is done.
Using Photo Biometrics to Deter Healthcare Fraud
Hugh Chatham Memorial Hospital implemented the RightPatient® patient identity management solutionusing photo biometrics to help support patient safety, eliminate duplicate medical records, and prevent and deter medical identity theft. Recently, a patient arrived at the Hugh Chatham Memorial Hospital emergency room seeking treatment for an injury that according to the patient had just occurred in the prior hour. The patient signed in under a fraudulent name, date of birth, address, invalid marital status, a disconnected phone number, invalid employment status, fraudulent emergency contact, and an invalid social security number. The patient proceeded with registration, and signed all admission paperwork under the fraudulent information.
Hugh Chatham Memorial Hospital recently used photo biometrics to prevent healthcare fraud.
During the registration process, the registration clerk used the RightPatient® photo biometrics solution to enroll the patient since this was (according the patient) the first time they had ever been to the hospital. The RightPatient® system worked just as it was designed, sending the registration clerk an alert that indicated the patent had been previously enrolled and that their biometric credentials had already been linked to another unique electronic medical record, providing the medical record number the patient had been registered under.
The clerk was then able to access the medical record the patient had been previously registered under and after review, Hugh Chatham was able to see other visits for that same day in other clinic/practice locations. A decision was made to contact local authorities.
Thanks to the RightPatient® software and the efforts of this staff member, Hugh Chatham Memorial Hospital was able to securely identify the patient, avoid duplicate medical records, prevent identity theft and associated healthcare costs, and help maintain a safe environment for patients.
Conclusion
Encouraging healthcare facilities to implement safeguards that ensure accurate patient authentication through technologies such as photo biometrics has been our mission since we founded RightPatient®. We will continue to share our success stories with others to help educate and inform in the overall effort to remove fraud and increase patient safety in healthcare.
Have a story on how the use of biometrics prevented a potential case of healthcare fraud? Please share it with us in the comments!
The explosion of mHealth apps and patient portals for PHI access demands more modern patient and clinician identification technologies than user names and passwords.
The following guest post was submitted by Michael Trader, President and Co-Founder of RightPatient®
The rise of digital health tools for PHI access
Encouraging patients to take a more active and engaged role in their healthcare has been a key focus of healthcare providers in the wake of Meaningful Use requirements. What began as an industry mission with specific benchmarks and goals has since manifested into the actual use of myriad digital tools and platforms that are educating, engaging, and working to empower patients to increase accountability and responsibility for their own health and, when applicable, the health of their families. In fact, a recent HIMSS survey on how mobile apps and portals improve patient engagement indicated that on the provider side:
73% of organizations used app-enabled patient portals to increase consumer participation in their overall health and wellness goals as well as meet relevant Stage 2 and Stage 3 Meaningful Use requirements under the Medicare and Medicaid EHR Incentive Programs.
Nearly half of those polled stated that “implementation of mobile services for access to information is a high priority at their organization.” Additionally, more than half – 57 percent – indicated that their facility implements a mobile technology policy, which often has a focus on mobile health security capabilities.
About one-third of polled healthcare organizations stated that they provide “organizational-specific apps” to the patient community.
One important facet in the goal to improve patient engagement is providing easier and faster access to personal health information (PHI). Manifested through Meaningful Use Stage 2, the benchmark is stated as:
The idea is for healthcare providers to reach beyond traditional means of accessing PHI (think in person visits) and adopt digital health tools for easier, faster, and more convenient ways of accessing this data (think patient portals and provider mHealth apps). In concept, increasing the availability of tools and platforms to access PHI is a good thing — it caters to increasing patient demand to offer greater PHI accessibility through resources that offer more convenience and are in lockstep with the rise of the digital health movement. However, the explosion of digital tools for PHI access carries an inherent risk that patient identities will be compromised, stolen, or shared leading to a sharp increase in fraud and medical ID theft that poses a direct threat to not only patient safety and provider medical error liability, but also to the rising cost of healthcare. Not to mention the fact that the rising use of digital tools to access PHI compromises patient data integrity which is critical to maintain because of the ripple effect it has on the ability to provide accurate care along the continuum and the confidence it represents to successfully participate in health information exchanges (HIEs).
Keep in mind that each time a perpetrator commits healthcare fraud or medical ID theft, the fallout of legal fees, settlement costs, and expenses to restore an identity are passed down to ALL patients in the form of higher fees for medical services. Therefore, collectively there is a pressing need to ensure that adoption of stricter and more secure methods of patient identification must run parallel to the rise in digital tools and platforms for safe access to PHI. Otherwise, patients may not be as willing to use these tools for fear of medical ID theft or unlawful access to their PHI data which directly compromises their safety, security, and privacy.
Monetary damages are only the tip of the iceberg for healthcare organizations when discussing the impact of fraud and medical ID theft. It was been well documented that reputation can be negatively effected when patients perceive or a data breach confirms that healthcare providers are not taking the necessary action to increase PHI access security.
How can we correlate an increase in quality patient engagement with secure PHI access? Patient engagement is, without a doubt, a key linchpin to the success of healthcare’s triple aim. Simply stated, it is not possible for the healthcare industry to achieve the goals of lower costs, an enhanced patient experience, and improving population health in the absence of strong and sustainable patient engagement.
Securing PHI access for higher levels of patient engagement
Scour the internet for articles that cover patient willingness to use digital health IT tools to access PHI and you will discover that despite the industry wide effort to adopt tools that provide more convenient and faster access to medical data, few patients are actually doing so. In fact, a recent survey revealed that just 21% of respondents said they use the Web to access their health data. Meanwhile, 10% said they use e-mail and 40% view the data in person.
The reason behind patient unwillingness to use mHealth tools and portals for PHI access runs the gamut from dissatisfaction with mobile health applicationsto challenges in finding and using instructions, data inaccuracy, and device malfunctions or data syncing issues. Furthermore, issues related to poor mHealth app and portal securityhave hampered more widespread adoption of these tools and stoked patient fears that their privacy could be compromised by using them.
Setting aside those with opinions that privacy can never exist in the healthcare industry, the link between patient confidence and trust that their identities and PHI are protected when using mHealth apps or patient portals is palatable and has a direct effect on their willingness to use these tools as part of their overall care.
First, it’s important to distinguish the difference between “privacy” and “security” as it applies to healthcare data. HIMSS does an excellent job of breaking down the differences:
“Privacy” is the right of an individual to make choices with respect to the collection, use and disclosure of their data; “security” is the safeguards – physical, administrative and technological – used to protect the confidentiality, integrity and availability of the data. Because the challenges are many, there is a tendency to focus on “security” in mHealth. Patient privacy cannot be achieved without adequate data safeguards; however secure devices do not necessarily preserve patient privacy.
One of the largest impediments to widespread adoption of mHealth tools, portals, and other digital health platforms is inadequate mobile security policies that fail to take into account the necessity of adopting more modern patient identification tools that are commensurate to the data they protect. For example, most healthcare providers continue to use user name and passwords to protect patient identities when using mHealth tools and portals. While these may have once been permissible security protocols in the past, these identity verification methods are now considered antiquated and should be replaced. Even though user names and passwords have proven to no longer be secure enough to protect patient identities, almost all healthcare providers still rely on their use for mHealth apps and patient portals.
Secure PHI access requires modern patient and clinician ID technology
If healthcare providers expect patients to adopt mHealth tools and patient portals as a more convenient way to access PHI, the implementation of stronger and more secure identification technology is critical. Most healthcare security experts agree that due to the large amount of PHI data moving across provider locations via mHealth apps and patient portals, stronger security is needed to prevent data breaches if a patient’s identity is compromised. Plus, the increasing complexity of mHealth apps and their distinct ability to sync PHI data across multiple devices raises important questions about how to properly protect patient privacy to ensure HIPAA compliance for these new tools.
Securing PHI access is not limited to patient interactions with mHealth tools or patient portals however. A sound strategy to secure mobile and remote access to this sensitive data is required not only for patients, but also for any clinician that has access to mobile technologies. A 2014 HIMSS Analytics Mobile device study reported that:
…approximately one-quarter of US hospitals (28 percent) reported that smartphones are in use at their organization. On average, 169 devices are deployed per hospital. In comparison, 24 percent of US hospitals reported that tablet computers are in use at their organization, with an average of 37 devices deployed per hospital. (source – https://capsite.himssanalytics.org/assets/Uploads/2014-Mobile-Essentials-Brief-TOC12914.pdf)
Healthcare organizations must plan to implement a technology that has the flexibility to be used for secure patient and clinician identification, usually through a strategic combination of a strong single sign-on (SSO) platform to establish strict identification checks and provide a concrete audit trail of data access history with an enterprise-wide patient ID solution to secure remote access to PHI from mHealth apps and patient portals. The modern identification technology of choice for many healthcare providers to meet the rising demand for tighter security to access PHI is biometrics.
Lack of a strong PHI access policy can also have a negative impact on provider reputation. In a recent report on medical identity theft by The Ponemon Institute, 79% of patients surveyed said it is “very important” for healthcare providers to ensure the privacy of health records and allow them to have direct control of their health records.
Why biometrics?
The HIPAA Privacy Rule requires healthcare organizations to secure remote access to PHI data as a safeguard for patient privacy and to eliminate data breaches that can lead to fraud and medical identity theft. Once considered secure identification criteria, user names and passwords are now considered antiquated and unable to offer strong protection to secure PHI access largely due to the fact that:
Most patients don’t want to worry about memorizing a complex password and thus default to using a simplistic password that’s easily guessable.
Most patients use the same password for many accounts, resulting in one key that unlocks dozens (or hundreds) of doors.
Most patients don’t even keep their passwords in secret. Everything from Netflix accounts to bank accounts to web accounts to video game accounts are often shared between friends, family members, and even strangers.
The use of biometrics for individual identification poses a much more secure and flexible technology to address the pressing need for healthcare to adopt stricter PHI access security protocols. Why?
We have written extensively about the applicability of biometric patient identification to improve patient safety in healthcare. Biometrics relies on identifying patients and clinicians by who they are, rather than what they have (ID badges) or what they know (user names, passwords) which can be more easily stolen or shared. Biometric identification technology is a more secure method to identify patients in self-driven interactions by allowing them to use the camera or microphone on their smartphone or tablet and use facial or voice recognition biometrics for accurate authentication. Biometrics offers more flexibility and convenience because it has the ability to be implemented at patient touchpoints where user name and password entry would be cumbersome and inappropriate — home health settings for example.
The use of biometrics for identification also offers a concrete PHI access audit trail, a more accurate tracking mechanism than user names or passwords which can easily be shared and often skew analytics because it’s impossible to determine the actual individual using the credentials. This is important because litigation often relies on these audit trails used in the defense of medical identity theft or healthcare fraud claims.
Conclusion
Participation in portals and the use of mHealth and other mobile apps to access PHI is a key catayst to increase patient engagement in healthcare. Patients must have the confidence in their healthcare provider that their PHI is easily accessible and protected with the strongest authentication security on the market that ensures their privacy and safety. User names and passwords are no longer sufficient authentication credentials to meet the expanding need to offer a more flexible, scalable, and more secure identification technology for mHealth apps and patient portals.
Equally important is protecting clinician access to sensitive PHI data. Protocols must be implemented that abandon user names and passwords in favor of technologies such as biometrics that are more secure, less susecptible to being stolen or shared, and leave a concrete PHI data access audit trail.
Have questions about the use of biometrics for patient identification in healthcare? Feel free to leave a comment or question below.
It’s probably unfair to say that the recent UCLA Medical Center data breach that potentially exposed the personal health information (PHI) of 4.5 million patients was a wake up call for the healthcare industry to implement tighter data security protocols. In fact, it wasn’t a wake up call at all.
Healthcare data breaches have proliferated over the last five plus years, and the Health and Human Services (HHS) public “wall of shame” list of healthcare data breaches involving 500 or more individuals is…well….let’s just say a tad crowded. Since HHS began the list in 2009, 1,265 breaches exposing the records of nearly 135 million people have made the list. Ouch. The UCLA data breach isn’t groundbreaking news, it is simply another chapter in the long novel of healthcare data breaches that have placed millions of patients at risk by exposing their PHI and in some cases, social security numbers and personal demographic information.
The recent UCLA data breach is a strong reminder that healthcare organizations should consider the use of biometrics such as facial or voice recognition to protect patient PHI on mobile devices and patient portals.
The UCLA breach also foreshadows rising demand for tighter security protocols to protect PHI from unauthorized access on patient portals, mobile devices, and other new touchpoints. This rise of additional patient touchpoints to access PHI has vaulted establishing tighter security controls into the spotlight beyond traditional means of authentication. History has shown that username/password-based security is inadequate on mobile devices, yet healthcare organizations continue to adopt technology that uses this method to authenticate patients. Considering the high stakes to protect patient PHI, the UCLA data breach wasn’t a wake up call – it moved the needle to protect patient PHI to Defcon 1.
The HIPAA Privacy Rule mandates that healthcare organizations secure remote access to PHI data as a safeguard for patient privacy and to eliminate data breaches that can lead to fraud and medical identity theft. The introduction of touchpoints such as patient portals and mobile devices changes the dynamic of protecting patient PHI because it demands adopting strategies that include using modern patient identification systems yet many healthcare organizations continue to rely on antiquated security solutions.
Healthcare organizations must now consider patient identification systems that can address accurate authentication at each and every touchpoint along the care continuum, far beyond simply implementing technology that covers patient ID at office visits.
Implementing accurate patient identification when accessing PHI from mobile devices and patient portals must balance strong security with convenience and speed, which is why technologies such as facial and voice biometrics are gaining popularity. The use of biometrics to protect patient PHI is a smart investment, especially if healthcare organizations deploy a solution that offers the flexibility to be used during hospital/office visits and on each and every touchpoint a patient now has the ability to utilize as a means to access health data. Biometric patient identification solutions offer stronger security than user names and passwords and have proven to be more efficient and convenient by eliminating the need and frustration to remember multiple login credentials.
As we experience a sharp rise in patient driven interactions within the healthcare system that offer more avenues for criminals and hackers to access PHI, it is critical that healthcare organizations implement modern identification solutions that have the ability to better protect this information. Biometrics to protect patient PHI is quickly gaining attention as a security solution that can serve this need. Although it’s impossible to determine whether or not biometrics could have helped prevent hackers from obtaining access to protected patient PHI in the UCLA data breach, the use of this technology can help to offer a secure layer of protection that can deter hackers from even attempting to try.
A patient has their photo captured with an iris recognition camera at a hospital that has deployed biometrics for patient identification.
Excellent article in Fortune magazine today written by Laura Shin that addresses the topic of healthcare data breaches and whether or not the increasing use of biometrics for patient identification will add a layer of protection to help thwart hackers in the future and eliminate medical identity theft and healthcare fraud.
We are grateful that Laura included us in her research for the article, mentioning our work with implementing iris biometrics for patient identification at Novant Health’s Clemmons Medical Center location and a specific case of when a father brought his son into their facility, pointing out that: Read more
https://www.rightpatient.com/wp-content/uploads/2015/02/Iris-Scanning2.jpg12001392John Traderhttps://www.rightpatient.com/wp-content/uploads/2021/04/RightPatient-Logoup.pngJohn Trader2015-02-10 19:42:272015-03-05 09:08:44Fortune Magazine Article Highlights Growing Use of Biometrics for Patient Identification
