Are You Scanning Your Patients Driver’s Licenses?

Do you know that scanning a driver’s license to mine a patient’s personal information can cost you $5000? New Jersey has a law that addresses privacy concerns when a third party scans someone’s identification card. The Personal Information and Privacy Protection Act (PIPPA) took effect on October 1, 2017.

Primarily, PIPPA limits the circumstances under which you can scan a customer’s identification card to obtain data. It also outlines how retailers and service providers should handle any information extracted from an individual’s identification card through scanning.

However, the Act doesn’t say anything about looking at someone’s identification card to verify their identity or age.

Identification Card and Scanning

Let’s explain the meaning of ‘identification card’ and ‘scanning’ to understand PIPPA better.

Identification card

PIPPA defines an identification card as any card issued in New Jersey, another state, or the District of Columbia for identification purposes. It may also be a card supplied to allow its holder to operate an automobile.

Examples include:

  • Driver’s license
  • Probationary driver’s license
  • Non-driver photo identification card


Under PIPPA, scanning means accessing an identification card’s barcode or other machine-readable parts to interpret the holder’s electronically-encoded information.

When Can You Scan an Identification card?

PIPPA outlines instances when a service provider or retailer can scan a client’s identification card. You can do so strictly for the following seven purposes:

Identity Verification During Transactions

You may scan a patient’s identification card to confirm its authenticity or to verify that the person presenting it is the legitimate owner. This exception only applies when:

  • Someone uses a payment method other than cash
  • A customer requests an exchange or refund
  • Someone returns an item

Age Verification in Certain Transactions

Do you offer age-restricted products? You can scan a customer’s driving license to confirm they are of the recommended age to receive your services.

Fraud Prevention

You may want to be sure that the requested refunds and product exchanges in your practice are genuine. If you use a fraud protection system, you can scan a customer’s identification card before approving such requests.

Contractual Relationships

It’s in your best interest to know the correct details of another party before entering into a contract with them. PIPPA allows you to scan another person’s identification card when establishing or cementing a contractual relationship.

Compliance with Legal Requirements

The state or federal law might require you to record, transmit, or retain some information. You can scan a person’s driver’s license if necessary to comply.

Consumer Information Transmission within the Law 

Federal laws like the Fair Debt Collection Practices Act and Fair Credit Reporting Act may allow some third parties to access consumer information.

You can scan an individual’s identification card to submit their data to a financial institution, debt collector, or consumer reporting agency if the law allows.

HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) dictates how healthcare practices should record, store, or transmit patient data. You may scan a patient’s driving license to meet HIPAA regulations.

Restrictions on Scanned Information

While you can scan a patient’s driver’s license for the reasons described above, there are restrictions on the data you can extract.

What Data Can You Collect?

PIPPA allows you only to collect the following information about an identification card’s owner:

  • Name
  • Date of birth
  • Address
  • Identification card number

If you run a medical practice, you cannot extract further information from a patient’s driver’s license. The prohibited details include the individual’s photograph, eye color, height, weight, organ-donor status, and driving license restrictions.

Drivers License Data Storage Restrictions

If you scan an identification card to verify a person’s identity or age, you cannot retain the data you access whatsoever. PIPPA permits you only to view the data, nothing more.

A retailer or service provider can keep information obtained from an identification card for other permitted purposes. If you choose to do so, you have to store the data securely.

Should there be a security breach on the information, you must promptly report it to the State Police under the Department of Law and Public Safety.

You must also inform the affected persons, pursuant to section 12 of P.L.2005. PIPPA doesn’t expressly limit the period you can retain someone’s identification card details.

Personal Information Distribution

You can only distribute information gathered from a driving license or other identification documents for the reasons outlined in paragraphs 3 through 7. That is:

  • To prevent fraud
  • To establish or maintain a contract
  • When the law requires you to do so

Never sell or share information mined from an identification card with third parties for marketing, promotional, and advertising purposes.

Penalty for PIPPA Violations

The Attorney General’s Office can sue entities that violate consumer rights under the provisions of PIPPA. Individuals have a limited window to pursue justice through private suits.

If you violate PIPPA provisions, the Attorney General’s Office can collect $2,500 from you for the first violation. Each subsequent offense attracts a civil penalty of $5,000.

The law collects these penalties in a civil action through a summary proceeding. Additionally, an individual who feels aggrieved due to a PIPPA violation can recover damages by bringing an action to Superior Court.

Implications of PIPPA on Your Practice

Many retailers and service providers scan or swipe customer identification cards to determine whether they are authentic or not. The practice is also useful in verifying customer identities when using credit cards and controlling fraudulent merchandise return practices.

If you still scan state-issued ID cards or driver’s licenses in your practice in New Jersey, you might unknowingly violate PIPPA. As you have seen, one violation can set you back up to $5,000.

Avoid such predicaments by overhauling your identification card scanning policies and procedures. Don’t scan a patient’s driver’s license unless you have to satisfy one of the PIPPA-permitted purposes.

Most importantly, evaluate the information you collect from patient identification cards to ensure you’re compliant with PIPPA. Store such data securely to prevent unauthorized access or misuse.

Get Healthcare Technology for Compliance

Would you like to heighten data collection, transmission, and storage in your medical facility? MATHE provides various healthcare technologies to help your practice stay compliant with HIPAA ad PIPPA.

Contact us for data top security tips from experts.

Information Technology Backed By The Power Of A Fortress!

Partner with Mathe As Your Trusted Technology Partner

IT Fortress IT Fortress 365 IT Fortress Compliance
  • Access To The Best IT Professionals
  • Reliable Always-On Cloud Technologies
  • Fortified Cybersecurity Systems
  • 100% Compliant Systems
Get A Quote