If you are in any way connected to the healthcare industry, you have almost certainly heard of the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules. The fundamentals of HIPAA compliance are also probably something you are well aware of.
Overall, these healthcare regulations are strict and challenging to meet. They require rigorous access controls, data privacy, identity checks, and other procedures.
To help covered entities and business associates achieve regulatory compliance, we want to discuss one of the HIPAA cornerstones – identity verification.
Verification of identity under HIPAA is mandatory every time someone requests access to protected health information (PHI). Although what counts as a “reasonable effort” to check identity is only vaguely defined, in most cases healthcare organizations use address data validation as one of the verification stages.
That’s why today, we will talk about how to use address checks for verification of identity under HIPAA. Read on to learn:
- What do you need to know about HIPAA compliance?
- The key provisions of HIPAA
- How address verification helps to meet the requirements of HIPAA
- Inkit for HIPAA compliant address verification and processing
What Do You Need to Know About HIPAA Compliance?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 developed to control healthcare information flow and protect confidential data from fraud and theft. Thus, HIPAA compliance is compliance with the provisions of this law.
HIPAA covers any organization or business that processes personal health information, including health plans, health care clearinghouses, and health care providers. Compliance with the law is regulated by the US Department of Health and Human Services (HHS), also known as the Health Department.
The Key Provisions of HIPAA to Become HIPAA Compliant
Since 1996, HIPAA has been amended several times: the Security Rule Amendment of 2003, the Privacy Rule Amendment of 2003, the Breach Notification Rule of 2009, and the Final Omnibus Rule of 2013. As a result, it has become a combination of multiple requirements that regulate the healthcare industry.
Here is a brief overview of the HIPAA requirements, its amendments, and rules to be HIPAA compliant:
- Every covered entity or business associate with access to personal health information must implement technical, physical, and administrative safeguards to protect the integrity of the data. The technical safeguards include network encryption, access control, ePHI (electronic protected health information) identification, activity logs and audit controls, as well as automatic log-off on devices. Physical safeguards are facility access controls, workstation use management, mobile device policies for removing patients’ personal data, and hardware inventory. Administrative safeguards are systematic risk assessment and management, security training for employees, contingency plan building and testing, restriction of third-party access, and security incident reporting.
- According to the HIPAA Privacy Rule Amendment of 2003, to become HIPAA compliant, covered entities and businesses have to give patients the right to obtain a copy of their PHI and to examine and correct it. This rule also requires them to respond to patient access requests within 30 days, issue Notices of Privacy Practices that describe how PHI is used, and provide privacy training to personnel.
- A HIPAA compliant organization is required to notify people in case of a protected health data breach. It’s necessary to inform both patients and the HHS Department. If more than 500 records are compromised, you will have to notify the media. If fewer than 500, it’s necessary to submit a small-scale breach report form on the OCR website.
Many of the listed requirements include verification of identity under HIPAA as one of the stages. Before providing a person with access to personal health information, software, or devices, you will have to check who they are. Address verification is an effective way to do that. Besides, you will need addresses to send printed breach notification messages to patients. Address verification is the only reliable way to ensure the accuracy of these communications and stay HIPAA compliant.
More about address verification of identity under HIPAA in the next section.
How Address Verification Helps to Meet the Requirements of HIPAA
To be HIPAA compliant, organizations must put a reasonable effort into verification of identity under HIPAA. Although the healthcare law doesn’t specify what regulators consider a “reasonable effort,” covered entities and businesses use industry best practices to avoid HIPAA violations.
Address verification is one of the ways to verify identity under HIPAA.
Generally, patients’ address verification is used in three prominent cases:
- When a patient shares their documents in person.
Patients are requested to provide a valid photo ID, driver’s license, and/or passport. These documents also indicate the holder’s address, among other details such as name, surname, and date of birth. Address verification enables healthcare organizations to ensure that the person requesting protected health information has the right to access it and remain HIPAA compliant.
- When a patient and a healthcare organization communicate through direct mail.
To complete verification of identity under HIPAA, covered entities and businesses can match an individual’s mailing address with the data on file in the EHR. Another option that can be combined with address verification is signature validation. In this case, the signature on the request form mailed to the patient is compared with their signature on the documents stored in the EHR. Such address verification allows healthcare providers to protect PHI from unauthorized access and prevent HIPAA violations.
- When a patient contacts a healthcare organization by phone.
If the request is made over the phone, covered entities and businesses have to request the patient’s full name and two other personal identifiers, such as the date of birth and address. This information is sufficient to run a verification of identity under HIPAA. If a patient calls and asks a healthcare provider to deliver PHI records by mail, they must be sent to the address recorded in the EHR. A request to send the information to another person must be in writing and validated with the patient’s signature.
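All three cases above reduce to the same check: standardize the identifiers the requester presents and compare them with what is on file in the EHR, and, for phone requests, only mail records to the address already on file. The Python below is an added example and is not Inkit’s code or anything from the original post. The `PatientRecord` class, the sample values, the abbreviation table and the function names are constructed for illustration; the address normalization is a toy stand-in for a real USPS-backed standardization service and is not a CASS-certified lookup.

```python
import re
from dataclasses import dataclass
from datetime import date


# Constructed, hypothetical EHR row for this example; every value is made up.
@dataclass(frozen=True)
class PatientRecord:
    full_name: str
    date_of_birth: date
    address: str
    phone: str


SAMPLE_RECORD = PatientRecord(
    full_name="Jane Q. Doe",
    date_of_birth=date(1980, 3, 14),
    address="123 Main Street, Apartment 4B, Boston, MA 02101-1234",
    phone="(617) 555-0100",
)

# A few USPS-style abbreviations; a real service would use the full USPS table.
_ABBREVIATIONS = {
    "STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR",
    "BOULEVARD": "BLVD", "LANE": "LN", "COURT": "CT",
    "APARTMENT": "APT", "SUITE": "STE",
    "NORTH": "N", "SOUTH": "S", "EAST": "E", "WEST": "W",
}


def normalize_address(raw: str) -> str:
    """Toy standardization so '123 Main Street, Apartment 4B' and
    '123 MAIN ST APT 4B' compare equal: drop the ZIP+4 suffix, uppercase,
    strip punctuation, collapse whitespace, abbreviate designators."""
    text = re.sub(r"\b(\d{5})-\d{4}\b", r"\1", raw)
    tokens = re.sub(r"[^\w\s]", " ", text.upper()).split()
    return " ".join(_ABBREVIATIONS.get(t, t) for t in tokens)


def normalize_name(raw: str) -> str:
    """Uppercase, strip punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", raw.upper()).split())


def normalize_phone(raw: str) -> str:
    """Keep digits only so '(617) 555-0100' equals '6175550100'."""
    return re.sub(r"\D", "", raw)


def address_matches(record: PatientRecord, presented: str) -> bool:
    """In-person and direct-mail cases: the address on the ID document or
    the letter must match the address on file in the EHR."""
    return normalize_address(record.address) == normalize_address(presented)


def verify_phone_request(record: PatientRecord, claimed_name: str, claimed: dict):
    """Phone case: the full name must match and at least two further
    identifiers (date of birth, address, phone) must match the EHR.
    Returns (verified, names_of_identifiers_that_matched)."""
    if normalize_name(record.full_name) != normalize_name(claimed_name):
        return False, []
    checks = {
        "date_of_birth": lambda v: v == record.date_of_birth,
        "address": lambda v: address_matches(record, v),
        "phone": lambda v: normalize_phone(v) == normalize_phone(record.phone),
    }
    matched = [k for k, v in claimed.items() if k in checks and checks[k](v)]
    return len(matched) >= 2, matched


def mail_destination_allowed(record: PatientRecord, requested_address: str) -> bool:
    """Records requested by phone may only go to the address on file; any other
    destination needs a written, signed request handled outside this check."""
    return address_matches(record, requested_address)


if __name__ == "__main__":
    ok, matched = verify_phone_request(
        SAMPLE_RECORD, "jane q doe",
        {"date_of_birth": date(1980, 3, 14), "phone": "617-555-0100"},
    )
    print("phone request verified:", ok, "via", matched)
    print("mail to address on file:", mail_destination_allowed(SAMPLE_RECORD, "123 MAIN ST APT 4B BOSTON MA 02101"))
    print("mail elsewhere:", mail_destination_allowed(SAMPLE_RECORD, "9 Other Rd, Boston, MA 02101"))
```

The result of `verify_phone_request` carries the list of identifiers that matched, so the call can be written to the audit log the Security Rule requires without recording the identifiers themselves. A production integration would replace `normalize_address` with the standardized form returned by the address verification service and store that form in the EHR, so both sides of the comparison come from the same standardization.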
If you want to optimize your team’s work and simplify HIPAA compliance, consider automating address verification. Since a healthcare organization handles hundreds of requests per day, manual address processing would be a serious waste of time.
Modern software allows you to check physical addresses and verify their validity automatically. Such tools can be smoothly integrated with your EHR and other internal systems to automatically run workflows. As soon as a patient’s request is recorded, the software will match the provided data with the information on file and complete verification of identity under HIPAA.
Inkit for HIPAA Compliant Address Verification and Processing
Inkit is widely used across industries to implement address verification and data security necessary for regulatory compliance. Healthcare providers can benefit from it, along with financial services, utility companies, and other regulated organizations.
What makes it so unique?
Inkit is a multi-functional platform that covers different aspects of regulatory compliance. It connects to the USPS database for automated address verification, and standardizes and autocompletes addresses. After ordering the data, Inkit can generate custom documents (e.g., requests, notifications, bills) and deliver them to patients based on triggers. You will be able to automatically send messages in case of data breaches, ask for a signed request, and more.
Inkit securely processes all personal health information, so it’s easy to verify identity under HIPAA.
You can become HIPAA compliant and start verifying the identity of patients with Inkit now. Just contact our team to get the demo.