
I need to (try to) solve the problem of new account creation for a patient portal for a medical records system (electronic health record). That is, a way to activate a patient online and match her against her medical chart.

Let's assume that most patients will not have an email address listed among the data that I already have. If I want to allow a prospective patient to submit a bunch of demographics information, and then if it matches, receive an activation code, is there an alternative to sending that code to whatever email address the prospective patient provides? Because I might know all of the info for another person (i.e. an estranged spouse or a neighbor who doesn't shred their garbage) and then give my own email address (which can't be verified).

Short of having the prospective patient come into the doctor, or receive snail mail, to verify her identity (the problem I'm trying to solve) is there any way these types of verifications can be done?

(I am posting this here as suggested in a comment when I posted it to webmasters.stackexchange)

  • 1
    Is there something that prevents them from creating an account in the office during their next visit? – Jeff Ferland Aug 08 '11 at 19:16
  • 1
    Do you have a phone number? – blunders Aug 08 '11 at 19:27
  • As clarification, what percent of the records have phone numbers assigned to them? – blunders Aug 08 '11 at 20:45
  • It's good to hear that Germany is not the only country where the health care system is designed by...well, its actually not designed at all but more of a big accident with potentially high profit margin. – pepe Aug 08 '11 at 21:16
  • @Jeff Ferland - No that still works but the business wants an online only option. – Don Zacharias Aug 08 '11 at 22:04
  • @blunders we might have way more phone #s than email, and I'm having a report generated. Patients don't need to give us an email unless they sign up for the portal, so I'm guessing something like 1% of inactive pts will have one listed. – Don Zacharias Aug 08 '11 at 22:07

5 Answers

9

This is what I'm hearing you say: You have a medical facility with computerized records for the full set of patients. You want to allow web users to try and set up accounts with a one-to-one mapping between actual patient and their own records. Your goal is to allow this to be done online without resorting to out-of-band methods such as snail mailing account information or requiring an office visit.

There are two questions here:

  1. Can you one-to-one match a user against their patient record based on what they know?
  2. Can you trust verification based purely on what they know?

The answer to both tends to be "not really." Because patients may use different names or variations (I've got paper trails as both 'Greg' and 'Gregory'), there may be name mismatches. Adding in things like birthdate helps, but is still not collision-proof. And you probably have multiple patients with the same name - I've worked with so many Jennifer Chens over the years it isn't funny.

...which is why your set of patient records all have some form of unique patient ID, hopefully unique to your facility or umbrella medical group. If the user knows that, they can just type that in. But in many cases they won't know it or have it handy. At best, it may show up on paperwork they receive in the mail... but that goes back to what you wanted to avoid.

Finally, nothing a user knows can be trusted to be private. I'm not legally allowed access to my wife's medical data, but I know everything you could possibly ask to identify her. And in this day and age it isn't impossible to find out that level of detail about strangers.

I think you'll find that the standard in this area is to send snail mail out with an initial password. I've signed up for some medical (insurance) related sites where that was how it worked. The snail mail to the address of record is treated as a trusted second form of authentication, although of course, it isn't really. As you pointed out, it's easy enough for a family member or even stranger to intercept that mail.

Given that you're talking about medical records, you need to be careful to avoid the more culpable forms of improper access ("I know John's birthday, so I can get into his medical records"). That may mean resorting to snail mail, which reduces culpability if not exposure.

gowenfawr
  • If I'm reading your answer correctly, you're saying there's not a solution based on the requirements presented, and pretty much restated options that the original poster of the question stated were not good options. Right? – blunders Aug 08 '11 at 21:11
  • 1
    @blunders, Right. With the requirements that the original poster put forth there is no reliable way to do it other than the way the original poster came up with in his post. Sometimes there is no clever solution. I guess this answer could be shortened to "No." but I think the long explanation is better. – Scott Chamberlain Aug 08 '11 at 21:17
  • @Scott Chamberlain: I disagree, but waiting for clarification from the poster, since it's not clear how access to a mailbox is more secure than access to a phone. And I'd be very surprised if a large percent of medical records do not have a phone number tied to them. – blunders Aug 08 '11 at 21:28
  • Thank you. I think I can accept this even though you didn't technically give me anything short of snail mail. This is what I was thinking, and I guess I was really looking for gratification on that if I couldn't get an actual alternate solution. – Don Zacharias Aug 08 '11 at 22:11
  • @blunders The mailbox would be the one in the chart, whereas the email would (in my hypothetical) be the one supplied by the web applicant, which may or may not be appropriate. Maybe some sort of hierarchy of email if in the chart, or text message, or snail mail if nothing else. Thanks! – Don Zacharias Aug 08 '11 at 22:13
  • 3
    @blunders, you're right. Should I instead have said "Can't do" without explaining why? As for phones, medical offices will generally not use phones for anything more specific than "please call us back" without requesting and receiving explicit approval to leave personal information in a voice mailbox. At least that's the case with the 2 or 3 of my family's doctors where the question has come up. And when you're at the point of clarifying phone permissions, you're at the point (physical, live voice) of giving them the login info that user3916 wants to pass anyway. – gowenfawr Aug 08 '11 at 22:34
  • @user3916: Are you saying it's uncommon for charts to have phone numbers? Realize you commented below the question that you were working on generating a report, but I'm not concerned about the mailbox because you said that wasn't a good option. – blunders Aug 08 '11 at 22:39
  • @gowenfawr: Who said anything about voice mail or person-to-person verification? I'm waiting on an answer as to whether phone numbers are common on records. If they are I'll post my own answer, otherwise I agree there's no easy answer. – blunders Aug 08 '11 at 22:42
  • 1
    @blunders, I invite you to end our bated suspense and post your answer in the form of "*IF* phone numbers are common on records..." I assume your answer will deal with the issues of text-capable (cell/SMS) versus no-text (POTS) numbers and shared versus dedicated voice mail boxes. Personally, I think it's a completely valid assumption that each record will have a phone number. I've filled out an awful lot of forms over the years, and they all asked for it. – gowenfawr Aug 08 '11 at 22:54
  • @blunders No, I believe a good deal of patients would have a phone number in the chart. Home number more likely than cell/text number. – Don Zacharias Aug 08 '11 at 22:59
  • @user3916: Ok, based on phone numbers being very common I'll outline my solution later tonight. Out at a bar right now. – blunders Aug 08 '11 at 23:51
  • 1
    @blunders: Enjoy the bar. First things first! – gowenfawr Aug 08 '11 at 23:55
  • +4 @gowenfawr: Thanks, funny thing is I would have posted an answer while I was out, but typing on a phone is a $%&@... :-) ...so, I've posted an attempt at an answer, but still like your answer too. As for the "call us back"... when you call back, how do they even know it's you? My guess is they just do that as a professional form, rather than as a level of authentication. – blunders Aug 09 '11 at 05:26
  • I accepted the other because it had another option but you have been extremely helpful. – Don Zacharias Aug 09 '11 at 16:15
  • 1
    @blunders "it's not clear how access to a mailbox is more secure than access to a phone." A postal mailbox is in one physical location and can be locked with a physical lock. In the case of a Post Office Box it can be in a facility with video monitoring. A phone number, even a land line can be forwarded to nearly any physical location. Hacking phone communications is easy (see News International phone hacking scandal). – this.josh Aug 10 '11 at 01:03
7

Based on the feedback you provided via comments, those being so far:

@blunders we might have way more phone #s than email, and I'm having a report generated.

and

@blunders No, I believe a good deal of patients would have a phone number in the chart. Home number more likely than cell/text number.

So, let me see if I'm able to dig myself out of the hole I made... :-)

First let me say, I know ZERO about HIPAA, though I did a quick Google for "HIPAA authentication" and while there appear to be general standards, there also appear to be no implementation specifications; or at least that I was able to find.

My take is that a patient is giving an address and phone number knowing that these channels of communication may be used to pass medical information to them.

In real life if a nurse calls a number on a chart, and the person answering says they're that person, the nurse will tell the person answering the phone the information they intended to only give the authorized person per HIPAA. On the same note, if the nurse discovers an issue with the phone number in the chart and is unable to reach the person by phone, they'll send out a notice to the address on file; opening up the chance that an unauthorized person will break postal laws, and open the information sent via mail to the address on file.

So, going on that, but again not knowing anything about HIPAA laws, case law, etc. related to authentication requirements, my suggestion would be to use the number on record as the/an authentication layer, done in real time knowing an end user just requested a code be given to that number that's on record in the database, either by SMS or an automated voice system.

A rough flow off the top of my head for a phone-to-web authentication system would be:

  • The end user attempts to create an account.
  • They enter the phone number(s) they believe are already tied to their records.
  • The system checks to see if those numbers are in the database.
  • If the numbers are not in the system, the user is told the other options; mail, in person, etc.
  • If the numbers are in the system, the user is asked if they'd like a call or a text message sent to the number already in the system.
  • The system executes the request and the user gets the code via an inbound call/SMS to the phone they requested.
  • Then the end user enters the code into a form on the site that's expecting the code from that IP/cookie session, and is validated as having access to the number on file.

A number of sites use phone verification and have FAQs on it, for example Google and Craigslist; though after a quick search I was unable to find a company that would have HIPAA oversight that uses phone verification to release records.

Also, guessing to start it'd be faster to outsource it to a phone verification service with an API, which again not knowing anything about HIPAA I'd think was fine as long as all they're doing is getting a number, passing the code back to you, and making the call.

Again, this is just me attempting to find a solution instead of just saying there is none. I'd welcome any and all feedback.


UPDATES BASED ON COMMENTS:


@blunders [...] As for phones, medical offices will generally not use phones for anything more specific than "please call us back" without requesting and receiving explicit approval to leave personal information in a voice mailbox. At least that's the case with the 2 or 3 of my family's doctors where the question has come up. And when you're at the point of clarifying phone permissions, you're at the point (physical, live voice) of giving them the login info that user3916 wants to pass anyway. – gowenfawr

My Reply:

@gowenfawr: [...] As for the "call us back"... when you call back, how do they even know it's you. My guess is they just do that as a professional form, than a level of authentication. – blunders

blunders
  • 1
    Good solution. User first auths by submitting number that matches records; callback to preset number implies proper call targeting, and you can get back-coverage (but not true authentication) when the user presses '1' as prompted to verify they're So-and-so Jones. (That's what my pharmacy does; they'll call about a prescription refill but first the recording will ask me to press '1' if it's me). So this is a reasonable solution avoiding snail mail. I don't know how trivial or inexpensive the call infrastructure would be to set up, though, and I would fear that "expensive" is the answer. – gowenfawr Aug 09 '11 at 12:27
  • +1 @gowenfawr: I agree, it's not a "cheap" solution, though in the right context it might make sense. My thought on the "I'm who I say I am" would be to have that take place on the website, not via the phone; since the code must be entered on the site, and it'd be a lot easier to manage that via the web transaction than the phone dialog. Thanks for the feedback, since I really wasn't sure if I was way, way off. – blunders Aug 09 '11 at 13:14
  • 1
    As far as I can tell you're right about HIPAA implementation laws. This is a great idea! – Don Zacharias Aug 09 '11 at 15:22
  • +1 @Don Zacharias: Super, glad you're going to look into it... :-) ...and thank you for selecting my post as the answer!! If you run into any issues going forward, let me know. Cheers! – blunders Aug 09 '11 at 16:06
4

You could work on a Single Sign On protocol to initiate the account creation.

  1. You record a card number into your system (this card shall have a secret password on it, potentially with those "to scratch" areas on it to hide the password)
  2. You send the card through the best authentication mode you can find (standard mail, face-to-face meeting, eventually you can communicate their login to them over the phone/email)
  3. The client sets up her account using the provided credentials and is asked to change the password. If the card has been altered, the client must contact you to reject any account created/creation with that number. After any use of the password, it must be revoked to avoid a duplicate account being created.

If that protocol can't be set up, you still have the possibility to let the client set up an account, trying to match her identity, but requesting confirmation to activate. Then she could ask for activation. At this point, you would call her from the phone number stored in your system to confirm her identity.

At last, the authentication relies on the strength of the link you can establish with your client for the first time. The weaker it is, the more probable usurpation is.

M'vy
  • Interesting idea! One of our competitors in this space does that. I think the other thing I left out is they want it yesterday and they want it cheap. :) So adding any business tier stuff that doesn't exist is basically out. – Don Zacharias Aug 09 '11 at 15:19
  • @Don Hum. I can understand. Pick any two http://en.wikipedia.org/wiki/Project_triangle – M'vy Aug 09 '11 at 15:32
  • Exactly! We'll see how it goes. Thank you so much for the answer. – Don Zacharias Aug 09 '11 at 16:14
2

This is an authentication problem. Though I need to brush up on my EHR, this is a hard problem to solve without a trusted party. The only possible solution I can think of, which would be really easy to do wrong, would be to do challenge/response on the information you already have.

For instance, someone wants to register with their user name/social security number and some other information. Based on information you already have about the person, they need to correctly answer a series of questions about themselves. Like if you've ever gotten your annual credit report, at the 3 bureau sites you have to select previous addresses and other PII information.

Once registered you would want to still send out snail mail to let them know their online account was activated to hopefully help mitigate the 'crazy-ex' situation. Though, I have to believe that situation is going to be low risk.

Anyway, what you know is still a factor of authentication and I would have to think it would be a lot more hassle than it's worth to set this up rather than something more traditional. Hopefully it gave you an option of how it can work. I'm sure someone can come up with a better one.

M15K
  • 2
    I would change doctors if they implemented electronic records that included security theatre with "What was your mother's maiden name" style questions. – DanBeale Aug 09 '11 at 12:28
  • Thank you! This is an idea we have talked about. I think we have the ID challenging part down (they plan to authenticate via credit card) but I'm looking at the "one to one" account to chart problem. – Don Zacharias Aug 09 '11 at 15:20
2

You are thinking about it wrong. You should not be granting electronic access to a medical file without patient consent. This is not just a question of a technical mechanism for authentication; there is a much more fundamental issue of patient consent. You are trying to solve a social problem with technology, which is often a mistake. You are trying to solve this through technical methods, but this is not primarily a technical problem. This is a social and legal problem, and it should be solved primarily through policy and procedural methods.

So, there are two steps. First, you need to get patient consent to activate electronic access to the patient's record. Then, you need to collect information sufficient to authenticate the patient.

The first step probably means that when the patient comes into your office for a visit, they will need to sign a form indicating consent to make the information accessible electronically. This should not be a burden for you; your patients probably already have to sign a bunch of forms when they come into your doctor's office, so why not just have them do this at the same time? Alternatively, if you never interact with your patient in person, probably you're having them mail you some signed forms, so why not add this to the form the patient signs and mails you?

Given that collecting consent requires an in-person interaction, or requires the patient to sign some form, collecting authentication information ought to be simple. Why not just add another field to the form asking them to provide their email address? Alternatively, if you do have their phone number but not their email address, it may be possible to bootstrap from the phone number through a call-back system: they get an email, they log into a website to request electronic access, they get an automated callback to their registered phone number, the automated phone call communicates to them a one-time-use time-limited personalized PIN that they type into the web page to authenticate themselves, and then they register a password to create their account on the website. However this may be trying too hard, and it may be simplest to just ask users to provide their email address on the form.

In short, I'm concerned that the way you have framed the question suggests that your approach does not adequately protect patient privacy and does not comply with accepted norms and standards in the medical industry regarding protection of personally identifiable medical information.

D.W.
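The phone-to-web flow that blunders outlines (the applicant names a number, the system sends a code only to the number already on file, and the code is entered from the same web session) and the automated callback with a one-time, time-limited PIN that D.W. describes in his answer, as an added example that is not code from any of the answers' authors or from a real portal. Everything in it is constructed: the chart records, the session ids, and the `outbox` list that stands in for an SMS/voice provider. The five-minute expiry, the five-attempt limit and the date-of-birth check are assumed policies. It goes one step beyond the text on the one-to-one problem gowenfawr raised: a household landline can sit on several charts, so a number match alone never selects a chart, and anything short of exactly one match sends the applicant to the mail/in-person options.

```python
"""Phone-to-web activation: constructed, stand-alone sketch (not any answer's code)."""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumed policy: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumed policy: wrong guesses before the challenge is voided
CODE_DIGITS = 6

# Constructed sample charts. Two records share one home number on purpose.
CHARTS = [
    {"chart_id": "C-1001", "last_name": "Chen", "dob": "1980-02-14", "phone": "+15551230001"},
    {"chart_id": "C-1002", "last_name": "Chen", "dob": "1982-07-30", "phone": "+15551230001"},
    {"chart_id": "C-2003", "last_name": "Jones", "dob": "1975-11-02", "phone": "+15551230002"},
]


def normalize_phone(raw: str) -> str:
    """Reduce input like '(555) 123-0001' to +1XXXXXXXXXX; assumes US numbers."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def _code_hash(session_id: str, code: str) -> str:
    """Store only a hash of the code, bound to the session that requested it."""
    return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()


@dataclass
class Challenge:
    chart_id: str
    code_hash: str
    expires_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class Portal:
    outbox: list = field(default_factory=list)       # stand-in for the SMS/voice provider
    challenges: dict = field(default_factory=dict)   # session_id -> Challenge

    def find_charts(self, phone: str, dob: str) -> list:
        """Match the number on file, then narrow with date of birth."""
        phone = normalize_phone(phone)
        return [c for c in CHARTS if c["phone"] == phone and c["dob"] == dob]

    def request_code(self, session_id: str, phone: str, dob: str) -> str:
        """Issue a one-time code to the number on file, or send the applicant elsewhere."""
        matches = self.find_charts(phone, dob)
        if len(matches) != 1:
            return "fallback"   # no unique chart: offer mail / in-person options instead
        chart = matches[0]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.challenges[session_id] = Challenge(
            chart_id=chart["chart_id"],
            code_hash=_code_hash(session_id, code),
            expires_at=time.time() + CODE_TTL_SECONDS,
        )
        # Deliver to the number on record, never to one typed in during this session.
        self.outbox.append((chart["phone"], code))
        return "sent"

    def verify_code(self, session_id: str, submitted: str):
        """Accept the code once, from the requesting session only, before it expires.

        Returns the chart id the session may now be bound to, or None.
        """
        ch = self.challenges.get(session_id)
        if ch is None or ch.used or time.time() > ch.expires_at:
            return None
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self.challenges[session_id]   # void it; the applicant must start over
            return None
        if not hmac.compare_digest(ch.code_hash, _code_hash(session_id, submitted)):
            return None
        ch.used = True
        return ch.chart_id


if __name__ == "__main__":
    portal = Portal()
    print(portal.request_code("session-A", "(555) 123-0001", "1980-02-14"))   # sent
    number, delivered = portal.outbox[-1]
    print(portal.verify_code("session-B", delivered))   # None: wrong session
    print(portal.verify_code("session-A", delivered))   # C-1001
    print(portal.verify_code("session-A", delivered))   # None: already used
```

The session binding is the point gowenfawr and blunders converge on: the code proves control of the number on file, and tying it to the requesting session prevents a code obtained in one place from activating an account opened in another. The hash-and-compare_digest step is defensive hygiene so a leaked challenge table does not expose live codes.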