FB pixel

Remote identity proofing for online Medicaid, public assistance applications a mixed bag

Remote identity proofing for online Medicaid, public assistance applications a mixed bag
 

The Center on Budget and Policy Priorities (CBPP) said this week that those states which have not implemented Remote Identity Proofing (RIDP) for individuals applying for Medicaid and other government assistance probably should put off doing so “until more accessible alternatives are available.”

“States that have already implemented identity proofing should make it an optional step in the process and consider removing it in the future,” said CBPP Digital Services Analyst Symonne Singleton. “Agencies can mitigate risk through other business practices, such as accessing available data sources to confirm identity. Striking the balance between security and ease of access will allow more applicants and enrollees to receive the public benefits to which they are entitled.”

Meanwhile, taxpayers are being bilked of more than $100 billion a year to Medicare and Medicaid fraud, according to estimates from the National Health Care Anti-Fraud Association (NCAA). In 2022, the US Department of Health and Human Services Inspector General said CMS needed to improve Medicaid managed care organizations’ identifications …”

CMS itself says that “beneficiary-related fraud may include identity theft and Medicare/Medicaid card sharing; using, buying, or selling multiple cards; providing false information to qualify for Medicare/Medicaid; collusion with, or kickbacks from, providers; and drug diversion.”

In July 2023, HCA Healthcare announced that the personal identification data of roughly 11 million of its patients in 20 states had been exposed in a breach. The company said “the exposed files contained patient name, city, state, zip code, email, telephone number, date of birth, gender, service date, location and, in some instances, the date of next appointment.”

As of August 2024, only 11 states’ Medicaid agencies require applicants to verify their identity and to secure their online access to accounts and Medicaid programs. Ten states require identity proofing to submit online applications.

The US Centers for Medicare & Medicaid Services (CMS), however, does not require state agencies to implement identity proofing, but CMS does require state-based health care marketplaces and state Medicaid and Children’s Health Insurance Programs (CHIP) agencies to perform identity proofing as part of the online applications for agents and broker marketplace registration.

RIDP is a required service for new Health Insurance Portability and Accountability Act (HIPAA) Eligibility Transaction System (HETS) users. CMS uses Experian to remotely perform identity proofing, which CMS says “is a mission critical CMS system.”

HETS is the Electronic Data Interchange (EDI) application that enables Medicare providers, suppliers, and their authorized representatives to request Medicare beneficiary eligibility data and receive a response in real-time for the purposes of preparing an accurate Medicare claim, determining beneficiary liability, and/or determining beneficiary eligibility for specific services.

CMS is responsible for administering the federal health insurance marketplace established under the Affordable Care Act, known as Healthcare.gov. Through this marketplace, individuals may apply for health coverage programs, such as Medicaid, which CMS jointly administers with the states. Individuals may also use Healthcare.gov to apply for private health insurance coverage, known as qualified health plans, for which individuals may qualify for federal income-based financial subsidies.

Still, Singleton said, Medicare, CHIP, and other public assistance agencies that do not currently use RIDP for users and new beneficiary applicants “should resist implementing it, particularly given that industry standards like the National Institute for Standards and Technology (NIST) guidelines are shifting. Instead, agencies and clients would benefit from revisiting implementation once more equitable options become available. If an agency has already implemented RIDP, the identity proofing step should be optional.”

Singleton further wrote that state “agencies that conduct a risk assessment and determine that RIDP may be required should pause to investigate which attributes of their online process pose the significant risk. Alternative approaches may be available that do not require identity proofing but allow the agency to communicate effectively with users without the risk of sharing sensitive information.”

Singleton added that “identity proofing can unnecessarily burden clients and prevent eligible people from accessing benefits. These burdens often fall heaviest on populations that are already marginalized, including people of color, people who are immigrants, and victims of identity theft.”

Conversely, a new report from the Center for Digital Government, State of Digital Identity, said “most people want to conduct their business with state governments online, and state agencies are steadily increasing the number of digital services they provide to the public. Yet, too many agencies use outdated online identity verification methods that are susceptible to fraud.”

NIST and the White House both have issued guidelines, as well as presidential executive orders, which can assist state agencies determine whether identity proofing is the right direction for them. Federal and state legislation, meanwhile, increasingly is putting the onus on state public assistance providers to ensure their online systems are secure.

“When a person’s name or other identifying information is used without that person’s knowledge or consent to obtain medical services or goods, or to submit false insurance claims for payment, that’s medical identity theft,” NHCAA has said, adding that “medical identity theft frequently results in erroneous information being added to a person’s medical record, or even the creation of an entirely fictitious medical record in the victim’s name.”

“Untangling the web of deceit spun by perpetrators of medical identity theft can be a grueling and stressful endeavor,” and “the effects of this crime can plague a victim’s medical and financial status for years to come,” NHCAA said.

“The significant increase in identity fraud prompts a sense of urgency for the health care sector to enable themselves with the tools needed to resist the most complex fraudsters. Select fraud detection and identity verification providers can help health care organizations get ahead of scammers, which is important now more than ever with digital transformation evolving so rapidly in this industry,” Blair Cohen founder and president of AuthenticID, an identity proofing and fraud prevention technology company, wrote in Medical Economics.

Blair said the health care industry should “leverage advanced AI identity verification and machine learning models to detect dubious or unusual behavior that might indicate a data breach.” He noted that “the demand for health care data has increased” because “stolen health information is twenty to fifty times more valuable than financial data. The incredible volume of information and transactions in health care leaves many opportunities for first-party and third-party fraud – false claims and billing fraud, payment fraud, medical identity theft – all impact system vulnerability.”

Andras Cser, vice president and principal analyst, security and risk management, at Forrester Research, told Healthcare IT News “there are strategic steps that healthcare provider organizations can take today to help thwart the medical identity theft of patients,” like “better identity verification based on Equifax, Experian, TransUnion, and LexisNexis identity verification and knowledge-based authentication.”

Cser said “two-factor authentication and stronger authentication can be installed for insurer portals. And there can be a decreased reliance on the Social Security number for authentication and identification.”

In 2019, the Government Accountability Office chastised CMS for having “no plans to reduce or eliminate knowledge-based verification for remote identity proofing,” adding that until CMS “takes steps to eliminate its use of knowledge-based verification, “the individuals they serve will remain at increased risk of identity fraud.” Last year CMS provided a plan with timeframes to move towards eliminating the use of knowledge-based verification in its online identity verification processes,” which GAO said better positions the agency “to strengthen its remote identity verification practices, thereby reducing the risk of identity fraud for its customers.”

Still, Singleton expressed that, “while effective government services need to maintain security by assessing risks to clients and the government, agencies should consider whether identity proofing mitigates those risks and evaluate its potential negative impact on clients’ access to benefits. In most cases, they will likely conclude that identity proofing should not be required for Medicaid applications.”

She added: “Identity proofing often relies on technologies that have significant shortcomings due to data breaches and well-documented racial bias. As a result, identity proofing often imposes unnecessary burdens on clients without guaranteeing a more technologically secure service.”

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Mitek unveils multilayered GenAI fraud detection to stop PAD, injection attacks

Mitek Systems has launched what it calls the first multilayered solution to the growing challenge posed by generative AI for…

 

Authsignal teams with Mattr on terminal to bind palm biometrics with mDLs

New Zealand-based Authsignal has announced the launch of a new palm biometrics terminal, developed in collaboration with Mattr and Qualcomm,…

 

UK grapples with border biometrics expansion and delays

The UK Home Office has provided key updates on its electric border management initiatives during a Justice and Home Affairs…

 

FBI looking at biometric matching algorithms for NGI, issues RFI

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) in Clarksburg, West Virginia issued a Request for…

 

Bhutan charts a digital future with blockchain, bitcoin, and national digital ID

The Kingdom of Bhutan is leveraging digital assets and strategic investments to propel its national development agenda, integrating blockchain technology…

 

Digital ID can help Sri Lanka expand tax base: Deloitte

Sri Lanka seems to be caught in a chicken-and-egg situation regarding its development of digital ID as its ministry sets…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events