What is HIPAA and the Importance of HIPAA Verification
Healthcare workers and other professionals who handle the health-related information of others rely on a number of laws and regulations to keep patient records safe. One of the most important is the Health Insurance Portability and Accountability Act (HIPAA), enacted as Public Law 104-191. The Act was signed into law on August 21, 1996 and established numerous standards and initiatives for the healthcare industry.
Its primary purpose was to protect the privacy, confidentiality, and security of health information held by healthcare providers, business associates, and other covered entities within the healthcare system. In the years since, HIPAA has been upheld in court on multiple occasions after patients and others challenged its constitutionality, including on the grounds that its record-keeping requirements improperly bind healthcare providers that receive government funding. Critics also object that the penalties for violations are harsh and draconian: the government has pursued fines running into millions of dollars. In 2015 alone, total fines handed down under HIPAA were $28 million, an amount that reflects the growing number of HIPAA complaints being filed with the Department of Health and Human Services (DHHS).
Despite these criticisms, the information at the heart of HIPAA, protected health information (PHI), is treated as highly sensitive medical information that must be kept confidential. PHI includes any individually identifiable information that relates to a person's physical or mental health, the provision of care to that person, or payment for that care. Examples of PHI include:
While a patient's own information can, and should, be kept in a personal file for reference, under HIPAA that same information may not be shared with anyone else without the patient's express consent. In some cases part of an individual's health status becomes known beyond the patient and the provider; for example, when someone is stricken with a highly contagious disease, the Privacy Rule permits the provider to report it to public health authorities. Even then, the privacy of the rest of that person's health information must still be protected.
Healthcare providers, when considering information about health status, tend to think in terms of the risk to other people. That is not the only consideration, because patient confidentiality matters even when a condition is partly known, for example when a patient obtains insurance coverage for a particular condition; the insurer may know about it, yet the information is still confidential enough to deserve scrutiny before it is shared further. The security point is simple: if a request is honored without proper verification of the requester, PHI can be released to unauthorized people who may misuse it.
Verification is one of the key concepts of HIPAA, and it was examined in United States v. Boles before the U.S. Court of Appeals for the Sixth Circuit. The case involved the conviction of a man charged with a crime he committed to pay medical expenses for his wife and himself. One of his primary defenses was that he had received his wife's medical records from a local dentist, who he claimed provided them in response to a request. The government had not provided the dentist's office with the required verification of the individual making the request. As a result, the District Court judge ruled that a supplemental search warrant had to be executed for the information, and the original conviction was overturned. Under HIPAA, proper verification must be obtained before PHI is released in response to a request; otherwise the verification requirement is simply not met.
An Overview of HIPAA Verification Requirements
As a covered entity or business associate, you are obligated by HIPAA and its implementing regulations to verify the identity of individuals requesting PHI. HIPAA does not prescribe exact verification methods; it sets a general rule and leaves the specific procedures to the entity.
Under the general rule, covered entities and business associates must verify both the identity of a person requesting PHI and that person's authority to receive it, and how much verification is appropriate depends on the requester's relationship to the individual whose PHI is requested. In other words, there are three categories of requests for access to PHI:
The HIPAA Privacy Rule describes what a covered entity or business associate must establish about the requester for each type of access. Under the Privacy Rule, the following procedures are required before disclosing either an individual's PHI or the PHI of an individual's deceased relative:
HIPAA requires these procedures before disclosing an individual's PHI whenever the individual is not the person making the request. The Privacy Rule also requires that identity be verified when the use or disclosure is made on behalf of a business associate or contractor of the covered entity.
Failure to implement verification procedures where HIPAA requires them can have dire consequences for the covered entity or business associate (or any other entity involved) under state and federal law.
How to Verify Identity Under HIPAA
In traditional healthcare settings, identity verification is fairly straightforward for healthcare providers: patients show photo ID at check-in and are on their way. With the rise of telehealth services and broader adoption of the underlying technology, however, HIPAA covered entities have had to adapt to the complexities of remote identity verification.
At present, there are six methods a HIPAA covered entity can use to verify a patient's identity:
Back in 1996, when the original HIPAA Rule was developed, the national standards had no requirement to verify patient identity at the time services were provided. The digital age has changed that. As patients increasingly interact with providers via smartphones and cloud-hosted video conferencing, methods of verifying identity are becoming more creative.
HIPAA does allow covered entities to develop solutions customized to their particular needs. Unsurprisingly, several vendors have brought out know-your-customer (KYC) solutions tailored to the healthcare sector. There are also commercial services aimed at specific needs, such as age verification to keep healthcare companies from selling age-restricted drugs and other goods and services irresponsibly.
Telehealth services have been at the forefront of some genuinely creative new products. A UK company called IdCheck reduces the verification process to snapping a selfie while holding up your driver's license. The company claims the solution is highly accurate, capturing the facial features needed to help detect facial spoofing while identifying the patient faster than manual procedures.
Equivi has taken things a step further and integrated several technologies to check document authenticity and facial similarity. Equivi is not a covered entity, but it has entered into Business Associate Agreements with several covered entities. Another option is a handheld device developed to authenticate a patient's identity by evaluating facial structure, voice, fingerprints, and the palm of the hand. Observers expect this technology to be broadly adopted in the healthcare industry across the globe.
Finally, other solutions are in the works and due to launch in the coming months. There are many possibilities, but it remains to be seen which ones HIPAA covered entities will adopt.
Current Issues with HIPAA Verifications
Despite the need for and value of some form of verification, hurdles to effective verification can deter healthcare facilities from greater implementation of PHI verification mechanisms. These challenges include technological issues, human error, the potential for disruption, and other associated privacy concerns.
Technological issues include the cost of new systems, the time needed for staff training, and the consequences when these systems malfunction. For example, patients are hindered by phone verification procedures when they cannot immediately recall details of their medical history, regardless of how old that information is. EMTs and police officers, whatever their rank, can be discouraged by having to verify a code while responding to an emergency. Compromised passwords, stolen ID cards, and misread fingerprints also occur often enough that, unless quickly addressed, they would undermine a facility's ability to tend to emergency needs.
Further complicating matters, many procedures require more than one level of verification to ensure accuracy. For example, the United States Department of Defense's Common Access Card combines a smart card (something you have) with a PIN (something you know) for two-factor authentication, which means issuing a card to every user and fitting a reader to every workstation. Thus the total cost of verification can be very high.
People can also undermine verification by failing to follow procedures, hurrying through them while distracted, or even sabotaging them deliberately. Many argue that difficulty and hassle make people less likely to seek hospital care during emergencies. A study in the April 2015 edition of Health Affairs found that 57.7% of a representative sample of Americans suffering chest pains did not go to the emergency room. Lax verification, combined with the human tendency to take shortcuts or to be overly aggressive, can likewise undermine HIPAA compliance.
How to Protect PHI During the HIPAA Verification Process
Health care providers can improve their compliance with HIPAA verification requirements and expand their understanding of the requirements in three simple steps:
Develop a process for better verification. Healthcare providers should develop a verification process that meets the HIPAA verification requirements. They can do so by filling out the verification business associate template provided as an attachment to this brief (the "BAT"). The BAT not only provides a form on which the provider can record information about the verification process, but also includes a checklist of questions and information the healthcare provider should obtain from a prospective business associate before HIPAA-covered information may be disclosed to it. If a provider's existing verification process does not collect the information listed in the BAT, it should be amended to do so.
Ensure that everyone is properly trained on the verification process. Healthcare providers should give formal and practical training on the HIPAA verification requirements to staff who have contact with business associates, subcontractors, and the subcontractors' own subcontractors. Such training reduces the likelihood of mistakes that stem from staff not knowing the procedure.
Conduct periodic checks to make sure that compliance is being maintained. Periodic checks against the verification policies and procedures a provider has established serve two purposes: they confirm that the policies are actually followed (and therefore effective), and they remind personnel who deal with third parties of the need for strict compliance.
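The verification gate described under the overview of the verification requirements above, and the periodic compliance check in the third step, as one added example that is not part of this brief, the BAT, or any vendor's product. It is written in Python and everything in it is an assumption made for illustration: the three requester categories (the individual, a personal representative, and a third party holding the patient's written authorization), the evidence labels such as photo_id and signed_authorization, and the sample log entries, which are constructed rather than real. The gate fails closed when either identity or authority is unverified; the review replays the same rules over logged disclosures, including ones a phone desk recorded by hand and the gate never saw, and reports every disclosure that went out without the required evidence.

```python
"""Added example: a fail-closed verification gate for PHI disclosure requests
and a periodic review that replays the same rules over the disclosure log.
The requester categories, evidence labels and log entries are assumptions
made for illustration; they are not HIPAA text and not real data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed requester categories: the brief says there are three; these are this
# example's choice, modelled on the identity-and-authority rule in the Privacy Rule.
INDIVIDUAL, PERSONAL_REP, THIRD_PARTY = "individual", "personal_representative", "third_party"

# Assumed labels for the evidence a covered entity might record.
IDENTITY_EVIDENCE = {"photo_id", "in_person_known", "knowledge_based_questions"}
REP_AUTHORITY = {"power_of_attorney", "guardianship_order", "parent_of_minor"}


@dataclass
class Request:
    requester_id: str
    patient_id: str
    category: str
    identity_evidence: Optional[str] = None
    authority_evidence: Optional[str] = None
    authorization_expires: Optional[datetime] = None  # third-party written authorizations only


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # empty when allowed


def evaluate(req: Request, now: datetime) -> Decision:
    """Allow disclosure only when BOTH identity and authority are verified."""
    reasons = []
    # Identity: every requester, whatever the category, must be identified.
    if req.identity_evidence not in IDENTITY_EVIDENCE:
        reasons.append("identity not verified")
    # Authority: depends on the requester's relationship to the patient.
    if req.category == INDIVIDUAL:
        if req.requester_id != req.patient_id:
            reasons.append("requester claims to be the patient but the IDs differ")
    elif req.category == PERSONAL_REP:
        if req.authority_evidence not in REP_AUTHORITY:
            reasons.append("no documentation of the representative's authority")
    elif req.category == THIRD_PARTY:
        if req.authority_evidence != "signed_authorization":
            reasons.append("no written authorization from the patient")
        elif req.authorization_expires is None or req.authorization_expires <= now:
            reasons.append("authorization has no expiry date or has expired")
    else:
        reasons.append(f"unknown requester category {req.category!r}")  # fail closed
    return Decision(allowed=not reasons, reasons=reasons)


def audit_record(req: Request, decision: Decision, now: datetime,
                 disclosed_by: Optional[str] = None) -> dict:
    """One disclosure-log entry: the evidence relied on, the gate's verdict, and who released PHI."""
    exp = req.authorization_expires
    return {"ts": now.isoformat(), "requester_id": req.requester_id,
            "patient_id": req.patient_id, "category": req.category,
            "identity_evidence": req.identity_evidence,
            "authority_evidence": req.authority_evidence,
            "authorization_expires": exp.isoformat() if exp else None,
            "gate_allowed": decision.allowed, "reasons": decision.reasons,
            "disclosed_by": disclosed_by}  # staff member who released PHI, or None


def review(records: list) -> list:
    """Periodic check: re-run the rules over every logged disclosure and report
    each one that went out although verification was incomplete."""
    findings = []
    for rec in records:
        if not rec.get("disclosed_by"):
            continue  # request was refused; nothing left the building
        exp = rec.get("authorization_expires")
        req = Request(rec["requester_id"], rec["patient_id"], rec["category"],
                      rec.get("identity_evidence"), rec.get("authority_evidence"),
                      datetime.fromisoformat(exp) if exp else None)
        verdict = evaluate(req, datetime.fromisoformat(rec["ts"]))
        if not verdict.allowed:
            findings.append((rec["disclosed_by"], rec["patient_id"], verdict.reasons))
    return findings


def sample_records() -> list:
    """Constructed log entries (not real data), as a phone desk might record them."""
    now = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    ok = Request("p-100", "p-100", INDIVIDUAL, "photo_id")
    caller = Request("u-55", "p-200", PERSONAL_REP, None, "power_of_attorney")  # never identified
    stale = Request("ins-9", "p-300", THIRD_PARTY, "photo_id", "signed_authorization",
                    now - timedelta(days=30))  # authorization expired a month earlier
    return [audit_record(ok, evaluate(ok, now), now, disclosed_by="desk-1"),
            audit_record(caller, evaluate(caller, now), now, disclosed_by="desk-7"),
            audit_record(stale, evaluate(stale, now), now, disclosed_by="desk-3")]


if __name__ == "__main__":
    for who, patient, why in review(sample_records()):
        print(f"{who} disclosed PHI of {patient} without full verification: {why}")
```

Two design choices carry the weight here. The gate accumulates every reason for refusal instead of stopping at the first, so the audit entry shows exactly which piece of evidence was missing, and an unknown category is refused rather than waved through. The review deliberately ignores the gate's own stored verdict and recomputes it from the evidence fields, which is what catches disclosures that were logged by hand or forced through an override.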
HIPAA Trends and the New Landscape of Data Privacy
As healthcare technology continues to evolve, so do the methods used for HIPAA verification. Many healthcare providers now lean on multi-factor authentication to strengthen security, and on biometrics in a limited capacity. These changes mark a shift away from relying solely on a person to verify an identity and toward a more regulated, automated process. A number of different factors can serve as a verification method; not all providers use them yet, but over time they will become commonplace and may replace parts of today's manual verification process.
One of the most obvious verification features is biometric technology, which can help ensure that only the right people gain access to the data. Fingerprints and facial recognition can both be used to verify identity. These are harder to defraud than a PIN or password alone, because two people are extremely unlikely to share a fingerprint and impersonation attempts are more likely to fail against a face scan. Two caveats matter for anyone deploying them: a biometric cannot be reissued the way a password can if the stored template leaks, and face and fingerprint sensors can be fooled by presentation attacks, which is exactly the spoofing the vendors above advertise defenses against. Biometrics therefore work best as one factor alongside another rather than as a replacement for all of them. With that in mind, it is likely we will move toward a model in which biometric verification becomes the norm, which could protect private information and reduce the chance of a provider facing litigation after a data breach.
In addition to biometrics, artificial intelligence is likely to play a key role in HIPAA verification. AI programs across industries already help organizations manage and verify data, and they increasingly operate with little human involvement, so they could take on more in the future. It is possible that biometrics and other measures would only need to establish who is accessing private data, with the AI handling the rest.
This technology has significant potential not only to speed up verification but also to streamline healthcare recordkeeping, which could address some of the major administrative burdens healthcare providers now face. Like any industry, the healthcare sector is always looking for ways to improve verification. The aim is to make it more efficient while still protecting patient data. Emphasizing artificial intelligence and biometrics could continue to improve the process and give consumers greater confidence.