HIPAA: A Springboard for Technological Innovation
The "Health Insurance Portability and Accountability Act" (HIPAA) has spurred a nationwide initiative to simplify administrative processes and ensure patient privacy and security within a variety of health-related industries. Affected organizations include health care providers, pharmacies, health insurance companies and even some government organizations.
While the HIPAA legislation has yet to be finalized, most rules (the various components that make up the legislation in its entirety) are complete and many companies have already started measures to be “HIPAA-compliant”. This has led to a cross-industry focus on privacy, security and automation of simple tasks, and unprecedented interest from healthcare organizations in information technology (IT) initiatives such as:
- PKI, tokens and digital signatures for network-based access to information
- Fingerprint/retinal/iris/hand/facial scans for physical access
- Voice prints and speech recognition for remote-based access to information.
For those healthcare transactions not conducted over a computer network or conducted in person—yet still require entity authentication, the objectives of security and privacy can be met through biometric voice verification and speech recognition via a telephone, handset or microphone. These speech technologies provide not only an opportunity to be HIPAA-compliant, they also offer healthcare organizations an opportunity to springboard into technological investments that help them achieve new operational efficiencies. Before we begin to examine the ways in which speech technologies are being used within healthcare organizations today, we must first examine what the HIPAA legislation is and why it is driving new IT investments.
What is HIPAA?
HIPAA is a law passed by Congress in 1996 and administered by the Department of Health and Human Services (HHS) that includes a series of “administrative simplification” provisions that require HHS to adopt national standards for electronic health care transactions. The law also requires new security and privacy standards in order to protect personal health information.
Under the “Technical Security Services to Guard Data Integrity, Confidentiality, and Availability Rule” of HIPAA, each organization is required to implement “entity authentication”, which is the corroboration that an entity is who it claims to be. Authentication is critical to prevent the improper identification of an entity that is accessing secure data, and requires a unique user identification “key” (e.g., Policy #, Account ID), plus one of the following implementation features:
- A biometric identification system (e.g., voice prints)
- A password system
- A personal identification number (PIN)
- Telephone callback
- A token system which uses a physical device for user identification.
While voice biometrics are merely one of a number of methods of meeting the “entity authentication” rule, there are distinct advantages of utilizing this technology over other alternatives. Voiceprint Enrollment
Creating a voiceprint is non-intrusive, and simply involves having the speaker say the given phrase a couple of times (e.g., account number, PIN, password, etc.), just as they would in a conversation. Unique features of the voice are identified and used to create a voice template, which is not an audio file, but a set of data features which are then encrypted and saved with the speaker’s profile, just like other data is saved, such as their birth date. The so-called “reference voiceprint” simply becomes another piece of data that needs to be matched by a caller attempting to gain access to a system or account.
Voiceprint Verification
After enrollment, verification is very straightforward. The speaker is prompted for his or her account ID, and perhaps a PIN or pass phrase. Speech recognition is used to recognize the account number and retrieve the account profile from the database. The caller’s voiceprint (associated with either the account ID and/or PIN-pass phrase) is compared to the reference voiceprint on file, and a resulting “confidence score” is calculated and compared to a preset security threshold for the application. If the score exceeds the threshold, the caller is granted access; if not, business rules dictate whether the caller is reprompted or transferred to a customer contact service agent.
While a unique user ID & PIN technically meets the scope of HIPAA, using speaker verification in combination with speech recognition, helps companies not only improve security but convenience as well Benefits of Speech Technologies: Beyond HIPAA
Although HIPAA may be viewed as a “necessary evil”, an interesting outcome is that it is “spring boarding” healthcare organizations—many of which have early-generation information technology—to look at current technologies to meet the HIPAA rules. As they do so, they are seeing some healthy opportunities to improve operational efficiency and/or customer service within the enterprise at the same time.
Speech recognition drives automation in the call center, saving operator costs that, on average, cost five times as much as an automated call. In the healthcare industry, live agent calls can cost over $17.00 per call, due to the high cost of phone calls manned by doctors, pharmacists and nurses. Take skilled clinicians out of the picture and you are still left with agents who require salary, benefits, training and management. It costs $6,200 on average to find and hire a new agent and once they are hired, turnover ranges from 20 to 100 percent.
A speech system can alleviate some of the routine requests, leaving valuable call center agents to handle high value-add and revenue-generating services. Speech applications encourage users to stay in the automated system because of the ease of use and reliability. Furthermore, speech reduces toll charges. Callers can access their information in the automated environment without sitting in a queue waiting for an agent, and racking up 800-number charges for the company. Costs vary by application, but the payback period for most companies is six to 12 months, and some companies have reported strong returns on their investments (ROI) in three to four months.
Organizations worldwide recognize that speech delivers rapid ROI. Industry analyst firm Frost & Sullivan surveyed 100 major call centers in its 2001 Contact Center End User Analysis and found: "When respondents were asked 'If you could implement one and only one technology in your [contact] center, which one would you choose,' speech recognition received the highest score." In addition to meeting HIPAA requirements and delivering a solid ROI, speech technologies also offer a vehicle for improved customer care. For example, “speech” particularly appeals to the elderly population (a demographic group that uses healthcare services frequently), where human factors studies show a preference to speech over using touchtone, because limited dexterity and/or poor eyesight makes touchtone more difficult to use.
Listen Up: Healthcare Companies Are Using Speech Today
Prescription refill applications provide a great opportunity for using voice biometrics. Normally, a customer service agent must authenticate a caller by asking for the policy or prescription number, and then may ask additional authentication questions (address, date-of-birth, etc.) in order to proceed in refilling the prescription. Although asking this information may reduce the chances of an imposter gaining access, it is time consuming and still allows for the possibility that someone other than the person for whom the prescription is intended, could find out this information. Alternatively, several family members may share an account or policy, and the agent may have to ask potentially sensitive information regarding which of the prescription(s) in the account that the person is seeking to refill.
By associating a voiceprint with the policy number, the caller can be uniquely verified and the corresponding prescriptions would be brought up for review. Furthermore, using voiceprints is ideal for identifying individuals in a family or group. In this scenario, each person on the policy would be prompted to say the policy number to enroll a voiceprint that is saved in the account profile. Later, when one of the group members calls, his or her voiceprint is compared to those in the profile to uniquely determine who is calling, in order to access the specific prescription(s) for that person without having to ask additional time-consuming or sensitive questions.
Many healthcare companies like Aetna and United Healthcare, have already invested in speech; many more are evaluating speech recognition and voice biometrics as a way both to meet HIPAA requirements and gain a healthy ROI on their IT investment. Later this year, a major healthcare provider will be launching a new service to conduct transactions and validate the caller using both of these technologies. This company has taken an aggressive position in meeting the “entity authentication” rule of HIPAA. The company has extended its technology investment to incorporate speech into its member and provider lines, allowing callers to use speech to change a primary care physician or dentist, determine eligibility, access claims information and more.
As more healthcare companies strive to meet the “entity authentication” rule of HIPPA, it is likely that speaker verification will become widley used in this area. Whether the goal is meeting HIPPA requirements, gaining a a healthy ROI on an IT investment, or using biometrics to fill prescriptions, speech technology is beginning to pentrate the healthcare industry on many levels.
Christy Clark is a segement marketing manager for SpeechWorks International. She can be reached at christy.clark@speechworks.com.
Brian Eastley is product marketing manager for SpeechWorks International. He can be reached at brian.eastley@speechworks.com.