The healthcare industry is a common target for bad actors looking to access sensitive patient information, commit insurance or medical identity fraud, or wreak other types of havoc. That means healthcare organizations must be ever diligent in how they secure patient data and engage in identity management.
This reality has led many organizations to embrace the concept of Know Your Patient (KYP). But what exactly is KYP, and how does it help healthcare organizations mitigate fraud while safeguarding their patients’ PII?
Below, we define Know Your Patient, explain how it works, and walk through some common KYP use cases for healthcare organizations. We also provide tips you can use to launch a KYP program for your organization if you do not yet have one in place.
Editor’s note: While KYP can apply to both in-person and digital healthcare solutions, the bulk of this article is meant to apply to the digital health space.
What is Know Your Patient (KYP)?
Know Your Patient (KYP) is a derivative of Know Your Customer (KYC), which can be thought of as something like KYP’s older and more popular brother who’s often found down on Wall Street.
In order to reduce instances of money laundering and other financial crimes, financial institutions are required to verify the identity of each customer attempting to open an account (amongst other requirements). They must know that the customer is who they say they are, within a margin of reasonable doubt. Know Your Customer is also called identity verification and customer due diligence, among other terms.
With this in mind, Know Your Patient is simply the application of this concept to the healthcare space. It can be leveraged during patient onboarding, as well as at other key moments where a patient interacts with an organization.
How does KYP work?
Generally speaking, Know Your Patient works like this:
Initial verification: This typically occurs during new patient intake or onboarding. Patient information (such as their name, date of birth, Social Security number, and health insurance information) is collected. This information is then validated through one or more verification methods, such as government ID verification, database verification, document verification, and more.
Initial verification of a patient’s identity is especially important in preventing health insurance fraud, Medicare/Medicaid fraud, and other forms of medical identity theft.
Reverification: When a known patient interacts with your organization, their identity must be reverified to ensure that it’s them. This reverification can be accomplished using the same methods that were used to initially verify the patient’s identity (above). But in lower-risk situations, it might mean leveraging a more streamlined verification method. With selfie verification, for example, a patient would be asked to take and upload a selfie which would then be compared to a photo on record.
As with initial verification, reverification of a patient’s identity can help stop various types of medical fraud. It’s also an important part of protecting sensitive patient information under the requirements of HIPAA and related privacy laws.
Top use cases of Know Your Patient (KYP)
Patient identity verification and reverification, as a part of a Know Your Patient process, can be applied to many different use cases, including:
Digital patient onboarding for telehealth services
Traditionally, patient identity verification would take place in-office, before the patient was seen by the provider. The patient would provide certain information (name, date of birth, Social Security number, etc.), as well as their government-issued ID and physical insurance card, which would all be used to ensure the patient was who they said they were.
For modern companies operating in the digital health space, such as telehealth providers, patients are not seen in-office. This means when new patients are onboarded, their identities and insurance information must be verified digitally.
Thanks to the ubiquity of smartphone cameras, it’s relatively simple for a patient to take a photo of their driver’s license and insurance card and upload them for verification. Likewise, database verification can be used to rapidly confirm other information provided by the patient, such as their Social Security number. In future visits, the patient may simply be asked to upload a selfie, which can be compared to the photo ID on record.
Protecting sensitive patient data
Healthcare organizations are required to protect sensitive patient health information under HIPAA and related privacy regulations. This means it’s your responsibility to ensure that all patient data is only accessed by the appropriate parties — and not accidentally shared with other patients or, at worst, accessed or stolen by bad actors.
Identity verification as a part of your KYP process can help.
For example, imagine a patient wants to access their health record through your organization’s online web portal or app. While the fact that the user was able to log into their account and make the request might seem enough to prove their identity, it doesn’t account for the possibility that a bad actor may have gained access to and logged into the account via an account takeover (ATO) attack.
The good news: Once you have verified a patient’s identity, you can reverify their identity at these high-risk moments relatively quickly — for example, by prompting the patient to upload a selfie or photo of their ID — to ensure that bad actors never gain access to sensitive data.
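The reverification step described above, as an added example that is not part of the original article or any vendor's product: a gate that treats a valid login as insufficient for high-risk actions and asks for a recent selfie or ID check. The action names, session layout and time windows are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy: action -> (accepted reverification methods, max age of check).
# Method names follow the article; action names and time windows are assumptions.
POLICY = {
    "view_health_record": ({"selfie", "government_id"}, timedelta(minutes=15)),
    "appointment_sign_in": ({"selfie"}, timedelta(hours=1)),
    "view_appointment_times": (set(), None),  # low risk: login alone is enough
}
ONBOARDING_METHODS = {"government_id", "document"}  # initial verification at intake


def step_up_needed(action, session, now):
    """Return the methods the patient may use to proceed; an empty set means allow.

    session (assumed layout):
      {"authenticated": bool, "onboarded_with": set, "checks": {method: datetime}}
    """
    if not session.get("authenticated"):
        raise PermissionError("login required before any KYP decision")
    if action not in POLICY:
        raise KeyError(f"no policy for {action!r}: deny by default")
    accepted, max_age = POLICY[action]
    if not accepted:
        return set()
    # Reverification compares against what was captured at intake, so a patient
    # who never completed initial verification has to do that first.
    missing_initial = ONBOARDING_METHODS - session.get("onboarded_with", set())
    if missing_initial:
        return missing_initial
    # Any accepted method counts, but only if it was completed recently.
    # A timestamp in the future is treated as invalid rather than fresh.
    for method in accepted:
        done_at = session.get("checks", {}).get(method)
        if done_at is not None and timedelta(0) <= now - done_at <= max_age:
            return set()
    return set(accepted)


# Constructed sample data: three sessions with the same valid login.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
BASE = {"authenticated": True, "onboarded_with": set(ONBOARDING_METHODS)}
LOGIN_ONLY = {**BASE, "checks": {}}  # what an account takeover looks like
FRESH = {**BASE, "checks": {"selfie": NOW - timedelta(minutes=5)}}
STALE = {**BASE, "checks": {"selfie": NOW - timedelta(hours=3)}}

if __name__ == "__main__":
    for name, s in [("login only", LOGIN_ONLY), ("fresh", FRESH), ("stale", STALE)]:
        print(name, "->", step_up_needed("view_health_record", s, NOW) or "allow")
```

A session that holds only a password login gets the same answer whether it belongs to the patient or to someone who took over the account, which is why the gate keys on the recency of the identity check rather than on the login.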
Preventing medical identity theft
If a bad actor gets their hands on a person’s health insurance card or information, it’s possible for them to use that information to get medical treatment, fill prescriptions, submit claims, purchase medical devices, and obtain other benefits. The same is true for Medicare and Medicaid recipients. And with almost 43,000 cases of medical identity theft reported in 2021 according to AARP, it’s a big and growing problem. The truth is, medical identity theft has the potential to financially ruin consumers.
And if false information from a bad actor’s fraudulent medical treatments gets into a legitimate patient’s health record, it could even lead to negative health outcomes for that patient in the future.
Imagine, for example, that a bad actor steals a patient’s health insurance information and uses it to receive a free physical examination under someone else’s name. During the appointment, the bad actor provides the doctor with a list of medications they are on. This list of medications is then added to the patient’s health record. Later, the legitimate patient goes to the doctor complaining of a condition. That doctor checks the medications list on record to ensure there will be no interactions, and then prescribes the patient a new medication. But because that medication list is actually from the bad actor, it is inaccurate — which means the doctor may inadvertently prescribe a medication that causes a negative interaction.
By incorporating identity verification into your KYP process, your organization can play an important part in mitigating this potentially life-ruining form of fraud. And it doesn’t have to be complicated. Simply requiring a patient to upload a photo of their government-issued ID and insurance cards, and cross-checking that information against authoritative or issuing databases, can be extremely effective in stopping fraudsters in their tracks.
How to launch a Know Your Patient (KYP) program
Any healthcare organization operating digitally can benefit from implementing a Know Your Patient program. But what this program should look like will vary from business to business. That said, below are some tips you can use to start crafting your KYP program:
Determine which verification methods best suit your needs: You have many options when it comes to verification methods, including government ID verification, document verification, database verification, selfie verification, and more. Each of these methods works differently and is better suited to certain use cases. Before selecting any verification method, consider whether or not that option truly addresses your needs.
Consider leveraging multiple, complementary forms of verification: As mentioned above, different types of verification have their own unique strengths and weaknesses. Instead of relying entirely on a single type of verification, it’s often wise to leverage multiple verification methods that complement each other. For example, you might leverage government ID verification and document verification during patient intake, and then leverage selfie verification when a patient actually signs into their appointment to ensure that the right person is being treated.
Select a HIPAA-compliant IDV provider: Different identity verification platforms may hold different certifications. Some platforms may be HIPAA compliant, for example, while others are not. By selecting a HIPAA-compliant identity verification (IDV) partner, you can rest easy knowing that your patient data is fully protected as required under the law. Likewise, consider a provider who will collect and store PII for you so that you don’t have to worry about it whatsoever.
Keep patient experience in mind: Verifying your patients’ identities can help your organization reduce fraud, protect sensitive patient data, and realize other benefits. But it’s also important to think about the patient experience and ensure the process is as easy as possible while still being effective. After all, if a patient is accessing your service, they may be ill or in pain. Ensuring your IDV solution includes simple instructions and an easy-to-use interface can make all the difference for a patient in their time of need.
Here at Persona, we understand that Know Your Patient should never be one-size-fits-all. That’s why our Verifications solution offers a variety of different IDV methods — including government ID verification, database verification, document verification, and selfie verification — that you can choose from as you see fit. We also understand just how important data security is to you and your patients. Let us worry about storing and securing your patients’ PII so that you can worry about what you do best: providing care for your patients.