Identity Verification in Healthcare: Protecting Patients and Providers in Remote Care

Available and fully legal in many countries, online medical advice services are widely recognized by patients.

This digital transformation not only expands the remote Healthcare industry but also requires new operational approaches for doctor appointments, sick leave certificates, drug prescriptions, access to test results, and ongoing treatments. 

In this framework, accurate patient identity verification is crucial, ensuring that the right person receives the correct medical treatment while helping prevent medical identity theft and other fraudulent tactics. 

Additionally, since some remote healthcare providers have age restrictions, IDV in this sector might include an age verification component.

Services offering online doctor consultations typically operate like other digital platforms, such as mobility services or bank apps. They require a login for new customers and authentication for registered users. 

A first-time user usually needs to create a patient profile before making an appointment. This profile may include the patient’s name, address, mobile number, and a personal identity number from a passport and/or a national ID card. After registration, all appointments, healthcare questionnaires, and other sensitive medical information are stored in this profile. Because of this, personal details may need to be confirmed during onboarding. Also, secure authentication is needed.

Most healthcare providers choose how to verify a patient’s identity based on their internal policies. Common methods include:

• A standard ID check, where patients provide a government-issued document and sometimes a selfie

• Sign-in via verified third-party services

• Email or phone number verification

Depending on the provider, healthcare identity verification may be required for all new patients or only for certain services.

Let’s see how these methods work in practice.

The Latvian provider Medon offers several patient verification options, including ID document submission or verification via third-party services like banks or digital identity platforms.

As mentioned above, patient identity verification can be selective. This is the approach taken by Boots Digital Health Ltd in the UK. 

Depending on the service, users may be asked to confirm their identity by presenting a selfie along with a photo of an ID document that includes their name. However, all new users must provide a knowledge-based authentication factor during registration.

In some countries, such as the US, authentication services like MyChart provide patients access to appointments, health profiles, and medical records across multiple healthcare providers. This allows users to sign in to connected healthcare platforms using their MyChart profile.

Interestingly, the customer onboarding process varies significantly. While MyChart has a short sign-up form with instant email verification, Ballad Health requires more personal details, including address, sex, date of birth, and phone number. However, ID verification is still not required on both platforms.

Doctor On Demand, another US-based online healthcare service, follows a similar policy. Users can quickly sign up using an email and password, with email verification required on their first login. However, if they want to update critical profile details—such as their name, date of birth, email address, or gender—they must submit a request to the support team.

Despite differences in regulations and operating conditions, online healthcare providers worldwide face similar challenges—most of which are identity-related. 

Unfortunately, deepfakes in the Healthcare industry aren’t uncommon. According to Regula’s study, companies in the sector have encountered both audio (43%) and video (41%) deepfakes. These incidents can lead to reputational damage, business disruptions, and legal expenses.

By generating entirely fake or partially genuine synthetic identities, fraudsters can impersonate real patients or even healthcare professionals affiliated with legitimate services. This allows scammers to gain unauthorized access to medical records, receive prescriptions for restricted medication, or exploit a patient's insurance benefits and/or other funds to receive free consultations. Importantly, deepfakes are also fueling the spread of false and misleading healthcare information, particularly on social media.

Real-world example

In 2024, a deepfake video campaign on Facebook impersonated a real health expert from The Baker Heart and Diabetes Institute in Melbourne, Australia. In the fake ad, the “doctor” promoted dietary supplements as a treatment for type 2 diabetes while dismissing legally approved first-line treatments. 

As a result, both the organization and the impersonated expert had to issue an official statement clarifying that the video was AI-generated and warning patients about the scam. However, many patients who saw the ad began calling the doctor’s clinic to inquire about the false treatment.

Since many online healthcare providers offer non-video consultations, fraudsters can exploit this by using stolen or fake IDs to register for medical services. The primary sources of personal data in these cases are healthcare data breaches, phishing emails, messages, and phone calls.

As a result, legitimate patients may be left paying for someone else’s medical bills. Additionally, their healthcare records can be compromised, potentially leading to mixed medical histories with the fraudster. This can result in incorrect diagnosis and improper medical care. For healthcare providers, such incidents pose long-term reputational and legal risks.

Real-world example

In 2024, a woman from Arizona, USA, was billed hundreds of thousands of dollars after a scammer used her identity to receive medical care from multiple healthcare providers, including consultations, medical tests, and treatments.

Because the US lacks a centralized medical records system, detecting impersonators remains a significant challenge for both healthcare institutions and law enforcement. In this case, authorities were unable to identify a suspect, and the investigation was eventually closed.

In countries with insurance-based healthcare systems, fraudsters can use stolen or fabricated identities to commit health insurance fraud. Common tactics include submitting fraudulent claims using another person’s insurance and enrolling in multiple insurance plans with fake IDs to maximize benefits. 

Unfortunately, large-scale health insurance fraud schemes often go undetected for years, with companies only uncovering the problem after significant damage has been done. This type of fraud directly impacts both insurance companies and healthcare providers, causing financial losses and reputational harm. It also indirectly impacts consumers as insurance companies raise premiums to offset these losses.

Real-world example

A New York medical biller orchestrated a multimillion-dollar health insurance fraud scheme, resulting in a 12-year prison sentence and $336M restitution. Among his many tactics, he impersonated patients and their relatives in thousands of phone calls to insurance companies, pressuring them to reconsider denied claims or increase payments on approved ones.

Leaked credentials from data breaches can also be exploited in account takeover attacks, allowing criminals to access patient portals. Once inside, fraudsters can order prescription drugs for resale or misuse, schedule free medical appointments, or even blackmail victims by threatening to expose their sensitive health data.

Fraudsters often exploit two weak points in patient identity verification—new customer onboarding and authentication of returning patients.

To build a reliable system, healthcare providers need robust identity proofing for new users and strong authentication for existing ones. The following approaches can help combat identity-related threats:

Real-time document authentication prevents fake ID submissions. IDV software analyzes document layout, security features, and data consistency to detect forgeries. 

In countries where electronic government-issued IDs, like biometric passports, are widely used, NFC technology offers a secure way to verify ID authenticity remotely via RFID chip verification. 

With AI-generated IDs and photos on the rise, facial biometrics with liveness detection is a must. This prevents medical identity theft by ensuring a real patient—not a deepfake—is present.

Modern IDV solutions like Regula Face SDK analyze micro-movements and light reflections to spot AI-generated faces. Liveness detection can also verify ID documents by analyzing dynamic security features.

Face matching—when a selfie is compared to a reference photo, such as the one in the ID or an external database—can add an extra layer of security to patient identity verification. When combined with ID document authentication, this step can be completed in a single shot. This check helps prevent impersonation when a scammer tries to use someone else’s identity to access medical services.  

Many remote healthcare providers still rely on passwords, email verification, and one-time passcodes, which only work if users practice strict password hygiene. In particular, they must create strong passwords and regularly update their credentials across all platforms.  

Replacing or supplementing passwords with biometric authentication—such as face recognition—enhances security. Regula’s study shows that many healthcare organizations already implement MFA and biometric verification.

These methods also help with access management, preventing insider threats from practitioners, nurses, or other staff involved in healthcare fraud.  

Many online healthcare providers restrict access to patients under 18 years old, while others serve younger users. For them, age verification is essential.

IDV systems check the holder’s date of birth and document layout—some underage IDs, like US driver’s licenses, have a portrait-oriented design, serving as an extra age indicator.

To ensure smooth UX, age verification can apply only to specific services, like acne treatments.

Last but not least, it’s important to ensure patient verification automation to keep the process smooth for customers. The less manual input required, the better the platform's UX. 

Regula Document Reader SDK automates data entry by extracting personal details from ID documents, reducing errors and ensuring accuracy. With advanced document capture, the solution also prevents ID and selfie retakes, making onboarding a satisfying experience for users. 

Patient verification requires compliance and advanced technologies like biometric and document authentication with liveness checks. In remote healthcare, these are essential.

Regula’s SDKs offer seamless, cross-platform solutions for healthcare providers. Let’s discuss your needs and find the best fit for your use case.