Are You Scanning Your Patients’ Driver’s Licenses?
Do you know that scanning a driver’s license to mine a patient’s personal information can cost you $5,000? New Jersey has a law that addresses privacy concerns when a third party scans someone’s identification card. The Personal Information and Privacy Protection Act (PIPPA) took effect on October 1, 2017.
Primarily, PIPPA limits the circumstances under which you can scan a customer’s identification card to obtain data. It also outlines how retailers and service providers should handle any information extracted from an individual’s identification card through scanning.
However, the Act doesn’t say anything about looking at someone’s identification card to verify their identity or age.
Identification Card and Scanning
Let’s explain the meaning of ‘identification card’ and ‘scanning’ to understand PIPPA better.
PIPPA defines an identification card as any card issued in New Jersey, another state, or the District of Columbia for identification purposes. It may also be a card supplied to allow its holder to operate an automobile.
- Driver’s license
- Probationary driver’s license
- Non-driver photo identification card
Under PIPPA, scanning means accessing an identification card’s barcode or other machine-readable parts to interpret the holder’s electronically-encoded information.
When Can You Scan an Identification Card?
PIPPA outlines instances when a service provider or retailer can scan a client’s identification card. You can do so strictly for the following seven purposes:
Identity Verification During Transactions
You may scan a patient’s identification card to confirm its authenticity or to verify that the person presenting it is the legitimate owner. This exception only applies when:
- Someone uses a payment method other than cash
- A customer requests an exchange or refund
- Someone returns an item
Age Verification in Certain Transactions
Do you offer age-restricted products? You can scan a customer’s driving license to confirm they are of the recommended age to receive your services.
You may want to be sure that the requested refunds and product exchanges in your practice are genuine. If you use a fraud protection system, you can scan a customer’s identification card before approving such requests.
It’s in your best interest to know the correct details of another party before entering into a contract with them. PIPPA allows you to scan another person’s identification card when establishing or cementing a contractual relationship.
Compliance with Legal Requirements
State or federal law might require you to record, transmit, or retain some information. You can scan a person’s driver’s license if necessary to comply.
Consumer Information Transmission within the Law
Federal laws like the Fair Debt Collection Practices Act and Fair Credit Reporting Act may allow some third parties to access consumer information.
You can scan an individual’s identification card to submit their data to a financial institution, debt collector, or consumer reporting agency if the law allows.
The Health Insurance Portability and Accountability Act (HIPAA) dictates how healthcare practices should record, store, or transmit patient data. You may scan a patient’s driving license to meet HIPAA regulations.
Restrictions on Scanned Information
While you can scan a patient’s driver’s license for the reasons described above, there are restrictions on the data you can extract.
What Data Can You Collect?
PIPPA allows you only to collect the following information about an identification card’s owner:
- Date of birth
- Identification card number
If you run a medical practice, you cannot extract further information from a patient’s driver’s license. The prohibited details include the individual’s photograph, eye color, height, weight, organ-donor status, and driving license restrictions.
Driver’s License Data Storage Restrictions
If you scan an identification card to verify a person’s identity or age, you cannot retain the data you access whatsoever. PIPPA permits you only to view the data, nothing more.
A retailer or service provider can keep information obtained from an identification card for other permitted purposes. If you choose to do so, you have to store the data securely.
Should there be a security breach on the information, you must promptly report it to the State Police under the Department of Law and Public Safety.
You must also inform the affected persons, pursuant to section 12 of P.L.2005. PIPPA doesn’t expressly limit the period you can retain someone’s identification card details.
Personal Information Distribution
You can only distribute information gathered from a driving license or other identification documents for the reasons outlined in paragraphs 3 through 7. That is:
- To prevent fraud
- To establish or maintain a contract
- When the law requires you to do so
Never sell or share information mined from an identification card with third parties for marketing, promotional, and advertising purposes.
Penalty for PIPPA Violations
The Attorney General’s Office can sue entities that violate consumer rights under the provisions of PIPPA. Individuals have a limited window to pursue justice through private suits.
If you violate PIPPA provisions, the Attorney General’s Office can collect $2,500 from you for the first violation. Each subsequent offense attracts a civil penalty of $5,000.
These penalties are collected in a civil action through a summary proceeding. Additionally, an individual who feels aggrieved due to a PIPPA violation can recover damages by bringing an action in Superior Court.
Implications of PIPPA on Your Practice
Many retailers and service providers scan or swipe customer identification cards to determine whether they are authentic or not. The practice is also useful in verifying customer identities when using credit cards and controlling fraudulent merchandise return practices.
If you still scan state-issued ID cards or driver’s licenses in your practice in New Jersey, you might unknowingly violate PIPPA. As you have seen, one violation can set you back up to $5,000.
Avoid such predicaments by overhauling your identification card scanning policies and procedures. Don’t scan a patient’s driver’s license unless you have to satisfy one of the PIPPA-permitted purposes.
Most importantly, evaluate the information you collect from patient identification cards to ensure you’re compliant with PIPPA. Store such data securely to prevent unauthorized access or misuse.
Get Healthcare Technology for Compliance
Would you like to heighten data collection, transmission, and storage in your medical facility? MATHE provides various healthcare technologies to help your practice stay compliant with HIPAA and PIPPA.
Contact us for top data security tips from experts.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice, I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.