Identity Proofing (IDP): Why It’s Essential to Patient and Prescriber Safety
People steal digital identities at an alarming rate, with Medical Identity Theft being a key target. Medical Identity Theft is when someone steals or uses your personal information (like your name, Social Security number, or Medicare number) to submit fraudulent claims to Medicare and other health insurers without your authorization. Medical identity theft can disrupt your medical care and wastes millions of taxpayer dollars.
As consumers, we should always protect our personal information, check medical bills and statements, and report any questionable charges or fraud. For businesses like doctors, hospitals, surgery centers, and other healthcare entities that handle personal information for patients, Identity Proofing is key to mitigating fraud, which, according to The Institute of Medicine, costs the U.S. healthcare system more than $75 billion annually.
What is Identity Proofing?
Identity Proofing is the process by which a Credential Service Provider (CSP) collects, validates, and verifies information about a person.
According to the NIST Special Publication 800-63-3 Digital Identity Guidelines:
“Identity proofing establishes that a subject is who they claim to be. Digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as that which accessed the service previously.
Digital identity presents a technical challenge because this process often involves proofing individuals over an open network, and always involves the authentication of individual subjects over an open network to access digital government services. The processes and technologies to establish and use digital identities offer multiple opportunities for impersonation and other attacks.”
Why is ID Proofing necessary?
A digital identity is the unique representation of a person engaged in any online transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts. In other words, accessing a digital service may not mean that the subject’s real-life identity is known. Identity Proofing ensures the digital identity of an individual and the individual are one and the same – and not someone pretending to be someone else online.
What elements are required in ID Proofing?
The National Institute of Standards and Technology’s NIST Special Publication 800-63-3, Digital Identity Guidelines calls for collecting and assessing multiple pieces of user-asserted evidence to make an identity-proofing decision. These changes have been made because of the continuous compromise of personally identifiable information (PII), including elements such as name, SSN, and physical address.
Click for the HHS.gov list of acceptable documentation that can be used to verify a consumer’s identity. Each document includes an image example, if available, and criteria to help verify the document. A consumer can provide proof of his or her identity by submitting any one of the Tier 1 documents or a combination of the Tier 2 documents detailed in the table.
How can you ensure you are compliant with ID Proofing?
The Department of Health and Human Services has a number of resources available on their Cybersecurity Guidance site for providers to ensure they are compliant with not only ID proofing but other cyber security protections. HIPAA-regulated entities that adopt cybersecurity best practices and comply with the requirements of the HIPAA (Health Insurance Portability & Accountability Act) Security Rule will be better protected against security incidents and data breaches.
Yet compliance with ID Proofing is not just a cyber security issue. According to a recent article from The HIPAA Journal:
“With new HIPAA regulations in 2023, including the addition of Personal Health Applications,
– an application used by an individual to access their health records – healthcare organizations will be required to inform individuals about the privacy and security risks of sending their PHI (Protected Health Information) to a third-party application, which is not required to have safeguards mandated by HIPAA. Healthcare providers are likely to have to develop their own patient warnings to ensure patients are made aware of the risks. A change has also been made which allows patients to orally request a copy of their PHI be sent to a third party.
The new HIPAA regulations will allow patients to inspect their PHI in person and take notes and photographs. That too will create challenges, as patients will need to be allowed to inspect their PHI privately, and care will need to be taken to ensure they are not photographing PHI that they are not authorized to obtain – either their own or the PHI of others. HIPAA-covered entities will need to determine how best to provide that information.”
Providers must ensure that ID proofing happens online and in person to protect consumer identities.
How does DoseSpot help?
At DoseSpot, we build in provider protections for our ePrescribing software like:
Required Identity Proofing for EPCS Prescribing
Clinicians must complete the Identity Proofing (IDP) and EPCS Two Factor Authentication (TFA) process before sending prescriptions for controlled substances. Our seamless ID Proofing software automatically submits identity proofing through Experian Precise ID. The completion of this process is for their own safety and protection against fraudulent ePrescriptions.
When the Identity Proofing software is launched, Experian will return a collection of financial-based questions and answers. The clinician must successfully answer three (and sometimes four) questions to complete the operation.
Common Error Checking
The ID Proofing software automatically submits identity proofing to Experian and identifies any errors that need to be addressed. Using a national credit bureau to complete the identity-proofing process will not affect your personal credit rating or score and should not be reflected in your credit history. The only information DoseSpot receives and stores is the date the IDP was completed and passed, and the reference number used during the Two-Factor Setup.
Halting the IDP Process When Flagged
There are multiple reasons why an individual may not pass the initial identity-proofing process. DoseSpot takes prescriber and patient safety and security very seriously and acts with caution. When IDP fails, start with your EHR/EMR or patient management system to verify that all information entered is correct. Opening a support ticket for the provider who has been denied may be necessary.
Monitoring Prescribing Behavior While Providing High-Quality Healthcare
All 50 states and the District of Columbia allow the ePrescribing of controlled and non-controlled substances, and more than 90% of pharmacies can receive ePrescriptions. Of course, this includes the larger retail pharmacy groups such as CVS, Walgreens, Walmart, and other grocery chains, also mail-order pharmacies.
Mandatory steps must be taken to prescribe controlled substances; if not completed, your patients must wait for needed medications and therapies. ePrescribing software has many advantages that save time, improve patient safety, and provide better tracking to monitor prescribing behavior.
Check out our Services and Integrations to learn how you can get started with DoseSpot.