Identity Management

  Last week, I attended the ONC Symposium on Patient Matching for Prescription Drug Monitoring Programs (PDMPs) and conversations with pharmacy stakeholders confirmed that momentum is growing for an industry-wide solution to the patient matching challenge. Recent legislative movements could see a removal of the ban on federal funding for a universal patient identifier (UPI), while within the industry, we now have a range of exciting collaborations and innovative solutions on the table to help improve patient identity management. As someone who works closely with pharmacy leaders, PDMP administrators, health IT experts and standards organizations, I’m optimistic about what patient matching technology could mean for the pharmacy world. Here’s why. When life doesn’t match health events In today’s healthcare system, patients move through several facilities and services, seeing multiple doctors, pharmacists, nurses and other clinicians. In between those interactions, life happens. A patient might move to a new house. Get married. Have kids. Relocate to a different state. Maybe they visited Pharmacy A for their medications while living in San Francisco, but delivered their first child in Hospital B, after moving to Los Angeles with a new surname and different address. How does the health service know this is the same person? Who is keeping track? Patients with similar names can have their records combined, while data entry errors lead to the same patient having multiple unmatched records. The ONC itself has found that 10-20% of patients may not be correctly matched to their entire medical record within an organization, rising to 50-60% when data is shared between organizations. For pharmacists, the fact that nearly 80% of prescriptions are delivered electronically means the opportunities for data entry errors to creep in is worryingly high. How can they be sure that the prescription they’re holding is for the patient across the counter? A prescription in the wrong hands could be fatal. PDMP facilitators face the same problem when trying to improve patient match rates for the proper tracking of opioids. Since the data comes from various sources, often formatted differently and not always including required fields, PDMPS are forced to do the best they can with what they have. To further complicate the issue, states across the U.S. do not have a common, underlying method of uniquely identifying patients to be able to exchange information across state PDMPs. While PDMPs establish central repositories of prescribing and dispensing records of medications classified as controlled substances that can be accessed online by authorized individuals and agencies—individual state PDMPs vary in required prescribing information and in data submission time, usually with a week or more of delay. An additional challenge exists since not all programs share their data with other state PDMPs, preventing information exchange and reducing the effectiveness of the programs. The answer is to have a single, complete picture of each patient that can be accessed by all relevant organizations in the healthcare ecosystem – but how close are we to achieving true interoperability? Why EMPIs aren’t the answer The common solution historically has been  to use an enterprise master patient index (EMPI) to link all versions of a patient’s record within a health eco-system (such as in a pharmacy, a physician’s office, or a PDMP). The problem is these usually rely on limited historical and demographic information, which may have gaps or errors that end up being replicated in any service using the EMPI. A universal patient identifier that integrates patient information from reliable health, credit and consumer data sources can give pharmacies and other providers a much more comprehensive view of their patients than traditional matching approaches. Referential matching technology, as recommended by Pew researchers, uses unique identifiers and third-party data to provide continuous updates to the master patient index, so you know you’re giving the right prescription to the right person. Collaborating for better patient matching solutions One example of how this is already being used to link patient prescription data at scale is in Experian Health’s collaboration with the National Council for Prescription Drug Programs (NCPDP), which sets the standards for the digital exchange of pharmacy-related healthcare information. Lee Ann Stember, President of the NCPDP, says: “We needed a single, unified and accurate view of the patient that could address the patient safety and business issues that plague our healthcare system.” To this end, we’ve teamed up to create a patient matching solution that provides a framework for establishing a unique patient identifier across the entire US healthcare network. This is a vendor-neutral, cost-effective solution that lets providers exchange information efficiently and accurately. There’s less chance of a prescription being given to the wrong patient and causing unwanted and even fatal interactions. In August 2018, NCPDP working groups approved the UPI as a standard field. This means the UPI may be used by other partners to improve the accuracy of patient data exchange. The PDMP Reporting Standard was among those identified as suitable for communicating the UPI. With this standard, pharmacies will be able to submit the UPI directly to PDMPs so that patients can be matched using the UPI instead of probabilistic or manual processes. A UPI can help states who share data improve their matching because it is a real-time solution that will feed into the management of controlled substance prescriptions across state lines, creating better visibility into interstate prescriptions and more importantly improving patient safety. The current lack of transparency into controlled substances—who is filling, when they are filling, how often they are filling, etc.—is feeding the national opioid epidemic which is taking a significant human and capital toll. Working towards an industry-wide solution Our strategic alliance with NCPDP was inspired by a shared desire to leverage data for the common good. We want to give more providers the opportunity to benefit from this UPI solution, to help address some of the patient safety challenges facing the healthcare industry. That’s why Experian Health is offering access to our Universal Identity Manager (UIM) Batch product for no charge. This tool strips out duplicates in your patient data and gives you a UPI that can be used across different health entities, enabling secure information exchange. It can even provide updated demographic information using the United States Postal Service CASS address standardization. Given the advances already made in trialling innovative solutions for the secure and accurate exchange of prescription data, the pharmacy industry is well-placed to lead the way in adopting more comprehensive and reliable patient matching frameworks. As we know, better data means better care. More accurate patient matching not only improves patient safety, but allows for better care coordination, financial savings and greater operational efficiency. — Find out more about how the Universal Identity Manager and other identity management solutions can help pharmacies improve patient matching. Matt McGrath is Vice President of Pharmacy Strategy and Solutions at Experian Health. 

Medical identity theft is a growing concern for healthcare organizations in the digital age. In 2017, healthcare data breaches accounted for 24% of all data breaches, rising to 29% in 2018. In just 12 months, the total number of personal medical records exposed jumped from 5.3 million to 9.9 million. In fact, healthcare data breaches tend to expose many more individual records than other industries. For example, according to the Identity Theft Resource Center, 43.9% of breaches in the first half of 2019 were in business, while only 36.9% were in healthcare. But for healthcare, this meant exposing a staggering 77.4% of all records left vulnerable to identity theft, compared to just 9.5% by business breaches. The potential impact of a healthcare data breach seems to be further-reaching than in other fields. At the same time, healthcare is slightly behind other industries when it comes to data security. Financial services have a two-decade head start to refine their anti-fraud strategies. This, coupled with the fact that medical identities are worth 20 to 50 times more to fraudsters than financial identities, means medical identity theft is increasingly appealing to criminals. It’s a big concern, but healthcare organizations can use data to fight data theft. When you’re armed with the right information, you can put in place the right strategy to protect your patients. What is medical identity theft? Medical identity theft is when someone uses another person’s health-related identifying information without them knowing. This could include their name and address, Social Security number, health records, or insurance information. Fraudsters can use this information to access medical services without paying, submit false insurance claims, or buy drugs. They pretend to be someone else to access services illegally. In addition, that personal information could be used for other kinds of identity fraud or blackmail. What are the consequences of medical identity theft? Karly Rowe, Vice President New Product Development, Identity & Care Management Product at Experian Health, says: “For patients, the impact of having their personal information stolen, and then possibly used to make false claims in their name, can be hugely violating. When someone’s record becomes overlaid with a thief’s record, this can have massive consequences for that person’s future treatment. It’s a major stress to sort out – both administratively and financially. And for organizations, there’s obviously the reputational hit. The relationship between provider and patient is based on trust. When you fail to secure your patients’ most personal information, you risk losing that trust for good.” It’s also a major cost. Medical fraud in the U.S. is estimated to cost somewhere between $80 billion and $230 billion, with the cost to individual providers and payers coming in at around $2 million per breach. To tackle the problem, healthcare organizations are stepping up their security practices across the board. A HIMSS survey, in partnership with Experian Data Breach Resolution, reported that data security strategies have improved. Ninety-two percent of those asked had performed a formal risk analysis, and more than half had increased their patient data security budget. A number of organizations also teamed up to form the Medical Identity Fraud Alliance, to mobilize the industry to tackle the problem. Still, there’s a ways to go. 3 ways to leverage data insights to prevent medical identity theft Protecting patient data calls for a data-based solution. Here are three ways to leverage consumer data and technology to protect your patients and keep their information safe: Resolve patient identities. Accurate patient data is the cornerstone of data management. If your records aren’t entirely reliable to begin with, keeping them safe and secure will be much harder. Put preventative measures in place to minimize the risk of duplicates and errors. Assigning a Universal Patient Identifier (UPI) will let you follow the entire patient journey, so you have a complete, accurate and secure picture of each patient. Protect patient identities. Patient portals allow people to access their health information from their personal devices. It’s convenient and can improve engagement and health outcomes. Unfortunately, they can also become vulnerable to breaches by data thieves. You have to make it easy for patients to use portals, but difficult for fraudsters to get their hands on that personal data. As patient portals gain popularity, you must have the right technology in place to validate and protect patient identities. Automating patient enrollment with a tool like Precise ID® can help authenticate patient identities from the start using identity-proofing, fraud management and device recognition. Enrich patient identities. With data insights, you can check that your patient is who they say they are the moment they arrive in reception. Using the broadest and most trustworthy datasets, identity verification solutions make constant checks, so you have a single, accurate and 360° view of each patient. Not only is this ‘golden record’ the cornerstone of patient care and experience, it’ll let your staff update patient data during intake without manual corrections. Medical records contain some of the most sensitive personal information, so it’s vital to safeguard it with the strongest security that exists. — Download this free eBook to learn how to evolve today's patient matching technologies or find out more about how to protect your patient data and prevent medical identity theft.

  Medical identity theft is a growing problem for the healthcare industry: nearly 15.1 million patient records were compromised in 2018, an increase of nearly 270% on the previous year. While providers are busy rolling out patient portals and electronic medical records to better serve consumers, criminals are sneaking through the cracks to steal patient data and profit from vulnerable health systems. The rapid rise in medical identity theft is partly explained by the fact that it goes undetected for much longer than other types of identity theft, giving criminals more time to use stolen personal information for financial gain. It’s also a lot more lucrative. Medical identities can be used to access treatment and drugs, make fraudulent benefits claims and even create fake IDs to buy and sell medical equipment. This can be devastating for victims, both emotionally and financially. Unlike credit card theft, where victims aren’t considered financially liable, 65% of people who fall prey to medical identity fraudsters are left with hospital bills running into the tens of thousands. The compromised medical record is tough to reconcile, jeopardizing future medical treatment. For providers, a data breach can mean significant reputational damage and loss of trust, and huge financial consequences – each breach costs an average of $2.2 million. But what’s most alarming for providers is that more than half of data breaches originate within the organization. Unfortunately, many providers lack sufficient security protocols and detection tools to safeguard the data they’re holding. The good news is that the tools exist to help you protect your patient data. What can healthcare providers learn from other industries about identity protection? Banking and financial services have pioneered identity protection over the last twenty years, and healthcare can learn a lot by looking at what’s worked in those industries. For consumers, using digital technology to pay your bills, book flights and buy pretty much anything is the norm, all with reassuringly quick fraud detection and resolution. Healthcare has been a little slower to embrace digitization in this way. Despite the opportunities, fears around security, privacy and inconveniencing patients have stalled efforts to transform outmoded processes. Drawing on two decades of innovations in other fields, fast-paced technological developments mean many of the early challenges around implementing safe and secure patient portals have been overcome. 6 strategies to keep patient data safe Here are six smart ways to ensure your organization has done everything possible to safeguard patient data.     Tell your patients how you’re keeping their data safe Patient trust is at the heart of a successful patient-provider relationship. Share the steps your organization is taking to secure patient information, so patients feel reassured and confident in using their portal. Data security should be a key strand in your patient engagement messaging.     Verify patient identities to protect access to medical records To avoid HIPAA violations, it’s critical to ensure you’re giving access to the right patient. Secure log-in monitoring and device intelligence can help you confirm that the person trying to log in is who they say they are. When something doesn’t add up, identity proofing questions can be triggered to provide an extra check. In an exciting new development, the healthcare industry is also starting to see the use of biometrics to supplement existing identity-proofing solutions. Just as you might use facial recognition to unlock your smartphone, there are now ways to authenticate your healthcare consumers’ identity using the same technology.     Automate patient portal enrollment You want your portal to be as secure as possible, but not at the expense of your patients’ time and effort. An automated enrollment process can eliminate the hassle of long, complicated set-ups and reduce errors at the same time.       Arm your organization with a multi-layered security strategy There is no silver bullet for protecting patient information—it will require various tools. A robust data security strategy will be multi-layered, including device recognition, identity proofing and fraud management.     Educate staff on security threats and warning signs Data breaches aren't all malicious – human error is a massive component, from mailing personal data to the wrong patients, to accidentally publishing data on public websites or leaving a laptop behind after getting off the subway. Training staff on the potential pitfalls will help them help you in protecting confidential patient information.     Develop a robust device strategy ‘Bring Your Own Device’ arrangements (BYOD) are convenient for staff and patients, but personal devices need to be secured when accessing patient information across the network. Make sure your teams, patients and visitors are aware of how to log-on securely to WiFi and follow best practice to keep data safe. In a climate of ‘doing more with less’, healthcare leaders are turning to other industries to find ways to boost quality of care and streamline operational efficiency. Automation, digitization and consumer-centric approaches make good business sense across the board, but they’re sensible investments for your data security strategy too. Investing in secure patient identities is a way to prevent painful and unnecessary losses down the line – and it’s what patients have come to expect. ⁠— Find out what more you could do to shore up your data security and prevent medical identity theft.

“Build it and they will come” might work for 1980s movie characters, multinational coffee franchises and beloved sports teams, but it’s not a great engagement strategy for most consumer-facing organizations – especially in healthcare. Take patient portals, for example. Giving your patients a way to access their health records can help improve their health outcomes, increase compliance with care plans, and create a more positive healthcare experience overall. But do your customers know the portal exists? Do they know how it could serve them? Do they trust it? You’ve built it, but how many patients are actually logging on? In 2017, over half the US population had access to a patient portal. Around half of those people used it at least once in the previous year. Of those who didn’t, 59% said it was because they didn’t feel they needed to access an online medical record, and 25% were worried about privacy and security. This tells us two things: If healthcare providers want to increase the number of patients using their portal, they need to proactively communicate the benefits to those patients, and healthcare providers could do more to reassure patients they take portal security seriously. If patients discover that using the portal is better than not using it, and that they can do so securely, they will be more likely to log on. You can address both in your patient engagement and marketing strategies. Perhaps the better mantra is: “if you solve their problem and tell them about it, they will come”. Balancing portal security and patient convenience Your patient portal is more than just a platform for patients to access test results, sort out bills or schedule appointments. It’s a way to nurture the patient-provider relationship. And at its heart, that relationship is about trust. One way to build trust is to ensure your portal meets the strictest of security measures without creating an excessive admin burden for patients. You can do this with a security strategy that layers up several protective measures to help you tackle common areas of vulnerability, including weak ID verification, over-reliance on password-protection, and failure to encrypt sensitive data. A few practical ways to keep your patient portal secure include: using ID verification when someone signs up for the portal using device intelligence and identity proofing when a user signs in to the portal deploying extra security checks where the risk of identity fraud is higher putting systems in place to flag and respond to security breaches as fast as possible. A solution like PreciseID® can help you take care of your patients’ privacy and security behind the scenes. They’ll see just enough to reassure them that you’re taking their security seriously, without any protracted log-in process that puts them off using the portal altogether. Marketing your patient portal so more patients benefit from it Solving your patients’ concerns about security is just one route to boosting portal utilization. Another important way to ensure more patients use and benefit from the patient portal is to actively encourage them to access their online records regularly. Research suggests individuals who are encouraged to use their online medical record by their provider are almost twice as likely to access it, compared to those who weren’t actively encouraged. So how do you convince your patients of the benefits of regularly logging on? That it’s not just a convenient way to manage their medical journey, but could result in better health? The answer lies in consumer data – the lifestyle, demographic, psychographic and behavioral information that gives you a fuller understanding of what drives your patients. Experian Health’s ConsumerView data analytics can capture insights that let you reach out to your consumers with the right message, in the right way, at the right time.  Do they live a busy lifestyle? Reassure them that the portal can save them time. Are there lifestyle factors that may hinder their adherence to medication? Encourage them to use the portal to make sure their prescriptions are up to date. If you discover your consumers are big social media users, you might target your portal engagement campaign through those channels. Equally, if a consumer doesn’t have any social media accounts, there would be no point investing in Facebook ads. Personalization makes your patients feel taken care of, leading to greater trust, loyalty and satisfaction. Increase patient portal engagement today In the wake of consumerism and IT transformation across many other industries, a tailored and digitally secure healthcare service is a must.  “Consumers now expect to be provided with a turnkey, individual experience that is fast and seamless,”  said Kristen Simmons, Experian Health’s senior vice president of strategy and innovation. Your patient portal must be seen to provide a valuable and secure service. While there’s a way to go to increase the number of patients making full use of portals, the tools exist to support healthcare providers’ engagement goals. Learn more about how your organization can leverage consumer insights to improve patient retention and engagement. 

Patient identity is the backbone of the healthcare system. However, when patient records are mismatched, overlaid, or incomplete, it can lead to serious and wide-ranging consequences. Patients may receive incorrect drugs or treatments, while clinical staff face increased workloads trying to locate missing information and overcome delays. Billing teams may issue statements with incorrect amounts or send them to the wrong address. Moreover, data breaches expose providers to both financial and legal vulnerabilities. It's a wicked problem. And it's an expensive one – a survey by Patient ID Now found that healthcare organizations spend an average of $1.3 million per year attempting to resolve the issues. Identity management involves multiple individuals, teams and systems that are constantly changing. Solutions can be hard to pin down in such a dynamic environment. While there's no single cause, understanding the contributing factors is the key to preventing mismatched patient records to ensure safe, effective and efficient patient care. Common causes of mismatched patient records Misidentification occurs for several reasons. Some of the most common operational pitfalls include the following: The patient is linked to the wrong record during registration. Queries result in multiple or duplicate patient records, or no record at all. Time pressure means staff are forced to work quickly and may miss important details. Insufficient training and awareness mean staff aren't following identity management protocols properly (in one evaluation of 60 patient transfers, not one transfer was carried out according to the hospital's patient identification policy). Identity management protocols are non-existent or substandard. Inefficient information-sharing between departments leads to gaps or duplication in patient records with no easy way to verify patient details. Over-reliance on DIY solutions fails to deliver robust, lasting results. Human error – staff may accidentally enter the wrong details into the patient's record. Beyond the operational factors, patients themselves play a role in misidentification. Usually this is inadvertent: they may give a slightly different version of their name or address than the one listed in their record. Sometimes it is deliberate, when patients submit false information to access treatment or medication that may be otherwise unavailable to them. Most errors do not occur because providers or patients are being careless. Patient data is complex and changing: people change their name, address or contact details many individuals share the same names and birthdates (one Houston-based health system reported 2833 patients called Maria Garcia, 528 of whom had the same date of birth) data can be formatted in different ways, so one person's details look like they belong to different people. To add to the challenge, the volume of data being created, accessed and exchanged within and between health systems is increasing exponentially, complicated by greater use of remote devices. It's no surprise that organizations have an average of 10 members of staff devoted to patient identity resolution. How to avoid and fix mismatched patient records The most effective way to manage and match patient data would be with a national unique patient identifier. This would assign a bespoke code to each patient that would follow them throughout their healthcare journey, ensuring the integrity and security of their data. Healthcare organizations (including Experian Health) have advocated for such an approach for many years, though federal funding currently remains out of reach. In the absence of a national UPI, healthcare organizations must rely on alternative solutions. Many use traditional matching tools, such as an enterprise-level master patient index or manual verification processes. However, these tools are often a feeble response to the challenges associated with the “4 Vs” of big data – volume, variety, velocity and veracity – which make patient records so difficult to manage. Experian Health's Patient Identity Management solutions help providers build a more connected data ecosystem, using universal patient identifiers. This approach creates the most complete view of patients from reliable health, credit and consumer data sources, to reduce the risk of mismatched records. Universal Identity Manager spans hospitals, health systems and pharmacy organizations, processing more than 550 million health records. Integrating patient information from sources beyond an organization's own enterprise-level data makes it possible to accurately match, manage and protect patient data, and root out the causes of misidentification before it occurs. Prevent patient misidentification with proactive identity management solutions According to the Patient ID Now survey, just under half of healthcare organizations are planning to implement new identity management processes and solutions in the next 12 months. Alongside a more robust software solution, providers should also cultivate a culture that encourages proactive risk assessment, rather than waiting until after a serious mistake occurs before acting. With the right workflows, training and identity matching software in place, patient misidentification is preventable. Learn more about how to address the most common causes of patient misidentification with patient identity management solutions.

Since the Health Insurance Portability and Accountability Act (HIPAA) heralded the mainstreaming of electronic medical records over two decades ago, healthcare organizations have been slowly making the shift from paper-based patient information to online records. Digital records are more efficient, no doubt, but the transition hasn't been smooth. There are challenges and risks in managing and protecting patient data online. With patient information flowing through multiple systems, devices and facilities, it can be extremely difficult to guarantee the accuracy and freshness of the data. Patients move to a new house, change their name or switch doctors. They may go for years without any interaction with the healthcare system. How can hospitals and other providers be sure that the records they hold are correct for each patient who walks through the door? Incorrect patient matching is a major source of revenue leakage for many providers, with around a third of claims denied on the basis of inaccurate patient identification. When it costs $25 to rework a claim and around $1,000 for each mismatched pair of records, that's a lot of lost revenue. In 2017, the total lost revenue for the average hospital was around $1.5 million. Clearly this a financial headache for providers, but it's also a major patient safety issue. How can patients get the right treatment at the right time, if their physician is looking at an out-of-date record, or worse, the record of a completely different patient? Good health outcomes rely on good data. Matching patient records: the old way Traditionally, healthcare providers might use a patient matching engine (an enterprise master patient index or EMPI) to identify patients and match up their records from different parts of the health system. These work by checking demographic data to compare the details on each record and combine the ones that are likely to refer to the same person. This can usually handle a simple change of name or address, but for anything more complex, it'll likely hit a roadblock. EMPIs are limited by their reliance on a single data source – the data that's visible to them in patient rosters. So what happens if that demographic data is wrong? What if there are typos or spelling mistakes? How do you differentiate between a misspelled name and a completely different person? Any errors in the data are inherited by the matched record, and as a result, EMPIs are often plagued by gaps, mistakes or outdated patient information. A new solution for patient matching: Universal Patient Identifiers A better solution is to combine the information in patient rosters with comprehensive reference and demographic data held by data companies such as Experian, to create a more complete picture of each patient. A universal patient identifier (UPI) can be assigned to each patient and stored in a master identity index, so that whenever and wherever they pop up in the health system, the referential matching technology knows exactly which data is theirs. When health systems implement UPIs, you can connect disparate data sets and have confidence in the fact that every new data point will be instantly checked and updated. You'll know that the Maria currently seeking diabetes treatment in Austin is the same Maria who was treated for asthma in Houston last year. You'll know that Thomas sometimes goes by Tom. You're far less likely to have a patient turn up at the pharmacist and be given a prescription that belongs to another patient with the same name. It's more efficient for clinical and admin staff, and copes more efficiently with patient mobility. Highlighting the importance of reliable patient matching technology, Karly Rowe, Vice President of Identity Management and Fraud Solutions at Experian Health says: "When you send us your patient demographic information, we will provide you with the insights and identifiers that you need to better manage your patient identities. The benefits are improved patient safety, better care coordination, better patient engagement, and overall driving better efficiencies and financial benefits." Not all reference data is created equal Of course, referential matching is only as good as the data it’s trying to match. Some vendors repurpose data matched for credit checks, using patients’ Social Security Numbers. But this data can be equally vulnerable to inaccuracies. Experian offers access to the industry’s broadest and most trustworthy datasets and provides ongoing monitoring to constantly check the accuracy of that data. Our healthcare-specific algorithm is finely tuned to meet the data needs of the healthcare industry, without any risky repurposing. With this in mind, ValleyCare Health System in California used Experian Health's Identity Verification solution to give patient access staff the freshest demographic information, including more accurate names and addresses, leading to a 90% reduction in undelivered mail. Janine Edwards, Patient Access Services Quality Assurance and Training Coordinator at ValleyCare told us: “Since implementing Identity Verification, we’ve improved the accuracy of patient demographic information throughout ValleyCare Health System. More valid data up-front means better revenue cycle results on the backend.” The entire health ecosystem relies on knowing who patients truly are. With the highest quality reference data and powerful unique patient identifiers, Experian goes beyond the limits of conventional methods to give providers the highest confidence in matching and managing patient identities. To start resolving your patient identities today, contact us to see how many duplicate records we can fix.

  The roll-out of patient portals has been a slow burn. While consumer finance, retail and other markets have given customers secure electronic access to their personal information for decades, healthcare has been playing catch-up. But thanks to regulatory pushes, such as the Promoting Interoperability and Meaningful Use programs and the Affordable Care Act, digitized health records are now the norm. Over half of healthcare consumers in the US use patient portals to access their health information at the click of a button – just as they do with their bank accounts or grocery deliveries. Aside from the convenience factor, research suggests that when patients have access to their health records through patient portals, they experience better health outcomes, greater satisfaction levels, and improved communication with their provider. There’s a higher chance of spotting errors. Adherence to medications is increased, and care becomes more accessible for some otherwise hard-to-reach patients. For providers, this sense of ownership, transparency and connection contributes to elevated consumer loyalty and engagement. As consumers embrace online portals to view their medical records and lab results, renew prescriptions, schedule appointments, and in some cases pay bills, they expect and assume their provider will keep that data secure. Providers must balance convenience and security. Unfortunately, some patients remain unconvinced of their providers’ ability to get this balance right. Patients worry about portal privacy and security Despite the upsides, a quarter of patients with access to online portals in 2017 chose not to access them because of worries about privacy and security. They’re right to be cautious: medical identities are said to be worth 20-50 times more than financial identities. It's no wonder identity thieves are increasingly targeting the healthcare industry. In 2018, the US Department of Health and Human Services’ Office for Civil Rights (OCR) reported 351 data breaches of 500 or more healthcare records, resulting in the exposure of more than 13 million patient records. Hackers are always on the lookout for vulnerabilities to exploit, with patient medical records, log-in credentials, passwords and other authentication credentials among their top five targets. Without adequate IT security, your prized patient engagement tools – like patient portals – can become an open door for hackers. As a provider, your job is to make it easy for patients to access and manage their own data, but hard for fraudsters to get their hands on sensitive data.​​​​​​​​​​​​​​ ​​​​​​​How to keep patient portals secure The good thing about being somewhat late to the party is that healthcare organizations can learn from other industries in how they have tackled online security challenges without creating too much of a burden for consumers. Think about how consumers authenticate their accounts for financial services or even social media profiles. Typically, there's an email to verify they are who they say they are, or a two-factor authentication process with a code sent to their cell phone. Most patient portals don't have these layers of security. At Experian Health, we recommend a multi-layered solution incorporating device recognition (especially important as more users access portals via cell phones and tablets), identity proofing and fraud management. Here are some examples: Sign-up screening When someone enrolls in the portal, use identity proofing to ensure they are who they say they are. It’s particularly important to ask out-of-wallet questions, such as their city of birth, first car model, or previous address to make sure they’re not an imposter.     Log-in monitoring Device intelligence will help you confirm the patient is using a cell phone or tablet your system recognizes, to minimize the risk of someone else accessing their account. This technology will tell you if the device is associated with previous fraudulent activities or potentially impersonating multiple patients. If a device fails to meet the risk threshold, identity proofing questions can be used to verify the user’s right to access the account. Additional checks on risky requests Some patient portal activities, like downloading medical records and editing a patient’s profile, increase the risk. You’d want to add an extra layer of control here, such as additional out-of-wallet questions, to safeguard your patient’s data. Rapid response and damage containment Given the sensitivity and richness of medical data, an attack on the portal can be devastating for patients and costly for providers. In the event of an attack, providers can put in place early warning systems to flag up which patients have been compromised and trigger rapid response measures to shut down the attack and prevent the damage from spreading. Promote interoperability Physicians and care providers need to share information on patients in the course of providing good care. But how are they doing this? To keep that data secure and ensure it’s only seen by the right people, you can set up your systems to share data across different platforms in a safe and secure way. Underlying all of this is the need to reassure your patients that you can be trusted with their data. Victoria Dames, Senior Director of Product Management, Experian Health, explains: “Healthcare breaches are nothing new, and neither is hackers’ and identity thieves’ penchant for medical records. What is new, however, is the broad range of tools that organizations can now utilize to stop them from accessing that personal data. Give patients the peace of mind they deserve by taking advantage of up-to-date solutions that actually work in our ever-evolving tech climate.” Learn more about how protect patient portals and encourage more patients to enjoy the full benefits of their patient portal, knowing that their sensitive personal details are safe.

There’s no doubt that identity theft is a concern for any industry that handles sensitive customer information; health care is no exception. In 2017 alone, the U.S. Department of Health and Human Services reported 477 healthcare breaches. Together, they compromised nearly 5.6 million patient records. Without adequate IT security, everything that organizations use to improve patient engagement and the continuum of care – especially patient portals – becomes an open door for hackers. But how do we keep patient data secure without burdening patients? We asked Victoria Dames, Experian’s senior director of identity management, how the healthcare industry is evolving to solve for identity theft, as well as best practices all healthcare organizations can adopt to better meet this growing threat. In the world of healthcare, both patients and providers are understandably hyper-sensitive about the exchange and security of healthcare data. How is the industry arming itself to protect data? Are there any shifts you’ve witnessed in security practices over the past few years? Absolutely! The industry has quickly evolved into leveraging technology to share data between organizations and with their patients, but this does bring inherit risk. Criminals also took notice to this shift, and medical identity theft became one of the fastest growing types of identity theft with a roughly 22 percent annual growth. With this evolution, the industry has tightened up on data access, especially as it pertains to the patient. Over the last five years, we’ve seen the shift to enable technology to help identity-proof patients before granting them access to sensitive information. This used to be a manual process. What are some of the best practices healthcare organizations can adopt to limit instances of medical identity theft? First, organizations must understand where their access points are throughout their ecosystems. With 64 percent of patients citing a privacy issue as a key concern for accessing health information online, they should inform patients that they’re providing secure methods for access to their information. Additionally, healthcare organizations must evaluate how physicians access different types of data and portals. As healthcare caught up to electronic records and systems, portals for e-prescribing also arrived. Given the nature of this use case, providing a heightened NIST level of identity proofing is required. The key is to assess what level of identity proofing is needed at each entry point to keep balance on security and the end-user experience. When you look to the future of healthcare, what types of digital technologies and solutions do you see providers putting in place to prevent fraud and protect patient data? Technology moves quickly and so do we. Identity proofing has seen an acceleration in the use of biometrics at different points of entry throughout healthcare organizations, which strengthens our solution. We are starting to see the use of biometrics, similar to your phone face ID, used more broadly through healthcare in conjunction with existing identity-proofing solutions. Experian achieved the Kantara Initiative certification with adherence to the latest guidelines achieving NIST 800-63-3 IAL2 (National Institute of Standards and Technology Special Publication Digital Identity Guidelines 800-63-3 for Identity Assurance Level 2 (IAL2)). This reinforces our commitment to support clients in authenticating consumers, while balancing a positive experience. Learn more about Experian’s identity management solutions.

In a recent healthcare information technology survey, more than 40 percent of chief information officers identified patient matching as healthcare’s top IT concern. And though a quarter of the respondents admitted it wasn’t a current priority for their organizations, they did say that it very much should be. There’s no shortage of reasons why, but the most pressing is the need to reduce medical errors, which account for over 250,000 deaths in the United States every single year. Case in point: Seventeen percent of CIOs acknowledged that errors in matching data with the right medical identities have led directly to adverse outcomes for patients. The numbers speak for themselves: Healthcare organizations must find more effective ways to manage the data within their networks. That begins with building a robust medical database that not only hoses data, but also knows how to match it with the proper patients. How robust EMPIs streamline workflows An enterprise master patient index (EMPI) is a database that can help you clean up your data and eliminate duplicate and inaccurate records. It uses algorithms to match exact data elements among disparate records, as well as elements that fall within an acceptable range of possible compatibility. Using technology that can apply an algorithm of probabilistic and referential matching methodologies will allow healthcare organizations to expand beyond the limitations of conventional single methodology matching, as both probabilistic and referential matching techniques provide a higher degree of likeliness. The system assigns these data points to unique identities that follow patients throughout the organization. Any new data generated within the network is also attached to this identity, meaning physicians, specialists, pharmacists, and other members of the patient’s care team can access and update it as needed. EMPI support tools and unique patient identities are building blocks toward creating a healthcare ecosystem that’s truly interoperable. According to an April 2018 survey by Black Book, hospitals with an EMPI report “consistently correct patient identification at an overall average 93 percent of registrations and 85 percent of externally shared records among non-networked providers.” Unfortunately, not all healthcare systems possess the IT infrastructure to support these programs. And as long as some organizations fail to integrate similar platforms, providers won’t reap the benefits of industry-wide interoperability — and patients will continue to suffer. Whether it’s a frustrating billing mix-up, privacy breach, or a detrimental (or even fatal) misdiagnosis, many errors can be successfully prevented with an EMPI. Filling in the holes The goal of such a system should be to standardize data entry and access within each healthcare organization, as well as across the entire industry. Such a network could protect, govern, and match unique patient identities across every discipline and every aspect of their care continuum. But in order for the system to achieve these goals, you need to be sure you’re feeding it relevant, recent patient information. To ensure you have enough patient data to build an EMPI that accurately matches profiles, ask yourself these questions: 1. What kind of medical care have my patients received before this visit? When patients enter a new hospital, they’re given a brand-new identity, or patient number, that’s only relevant to that healthcare system. The identity you assign them within your own organization doesn’t provide any insight about what they’ve experienced before their current visit — and that’s the crux of the matter. When patient information is siloed within a specific system, you have no view of the patient’s medical history. But when it’s shared across systems and fed into a more dynamic and interoperable data management system, patients will ultimately receive better care. 2. Who are my patients when they’re not “patients”? It’s important to understand who patients are when they’re not in the hospital. Yes, they’re husbands and wives, mothers and fathers, brothers and sisters. But some could be physically fit, while others haven’t seen the inside of a gym in years. Some might get regular checkups, but others cannot afford to see a physician regularly. All of these traits factor into your patients’ identities. With a comprehensive EMPI, you can tie them together to understand the environmental and socioeconomic factors that influence your patients’ health. You can then identify what social determinants of health need to be addressed or could potentially influence the efficacy of certain treatments. 3. Can we identify patients without a picture ID? Biometrics such as fingerprints and iris scans are more secure forms of identification than a photo ID. They’ll not only make it easier to identify patients, but will also offer heightened security against fraud. That being said, even biometric identification isn’t 100 percent secure unless it’s part of a database, such as the EMPI, that accurately matches patient identities with relevant medical data. Accepting that the healthcare industry needs better data management and patient-matching strategies is the first step to realizing those goals. EMPIs have shown organizations the value in universal patient identities. Now, they simply need comprehensive databases that are robust enough to keep patient identities consistent across the entire healthcare ecosystem.