SHIF-ting strategies: Biometrics, OTPs and MoH’s never-ending patient verification struggle

The Kenyan government’s quest for a secure, efficient public health insurance system has seen it pivot from biometric patient verification to one-time passwords (OTPs) and now back again; yet each technological turn has been marred by system flaws and vulnerabilities ripe for abuse.

The Ministry of Health (MoH) introduced biometric patient verification with the now-defunct National Health Insurance Fund (NHIF) in 2021 to streamline health service access and reduce fraud by phasing out the use of national ID cards at hospitals.

Patients could access services under the public healthcare scheme by scanning their fingerprints to authenticate their identity, in a move also touted as a solution to administrative delays.

From the onset, however, it faced opposition from hospitals, especially those in rural areas. The Rural and Urban Private Hospitals Association of Kenya (RUPHA) sued NHIF, arguing that the biometric requirement was introduced abruptly, without consultation, and imposed significant costs on facilities.

Still, the government moved on with it, until a few years down the line when it emerged that the verification system was a goldmine for fraudsters; rogue hospitals abused the system by using a single fingerprint to file claims for thousands of fictitious beneficiaries.

In a January 2024 report, then-Health Cabinet Secretary Susan Nakhumicha said some hospitals even revived dormant NHIF accounts, cooked up claims, and used biometrics collected from elsewhere – some reportedly from students – to milk money from the fund.

The minister at the time said the fraud cost the government at least Ksh.20 billion.

But RUPHA rejected the claims, terming them a ploy to tarnish NHIF’s image and possibly make the case for why a change to a new public healthcare scheme was needed.

OLD AND NEW PROBLEMS

With the switch to SHIF in October 2024 came OTP, a security code used for a single login attempt or transaction. 

OTPs are sent via SMS or email and are common globally in preventing unauthorised access to accounts or systems.

The government hoped this would seal security loopholes and tame medical claim fraud, only that it brought with it new issues and carried some from the defunct NHIF’s biometric woes.

It was riddled with issues such as poor mobile coverage woes for patients in rural areas, delayed verifications, and failed requests from healthcare providers. Hospitals also decried system downtime and frequent updates.

RUPHA, in a February 2025 SHIF status update, said a staggering 89 per cent of patient authentication requests faced challenges, with OTP delays in 71 per cent of the requests, some of up to 24 hours.

Additionally, the association said 73 per cent of the time, SHIF’s system was down. This meant patients were being forced to pay out of pocket for health services, despite contributing to the public insurance scheme.

By this time, MoH had begun hinting at plans to revert to biometric authentication to promote efficiency.

Meanwhile, reports of corruption persisted; the health ministry said some unscrupulous healthcare providers were exploiting the OTP system by misusing patients’ fingerprints to process fictitious claims.

“We will shift back to biometric since this is the only way we can curb corruption. With NHIF, the biometrics were just at facility level, and some of the corrupt health care providers would take their own fingerprints, which would then be used by thousands of patients within the facility,” then-Health CS Deborah Barasa told Daily Nation in a December 2024 interview.

BACK TO THE FINGERPRINT

This week, MoH made a U-turn, and the current Health CS, Aden Duale, announced the abandonment of OTP verification for SHIF claims. He cited operational challenges, public feedback, and corruption.

“SHA will no longer accept OTP based authorisation. All approvals must be completed using a biometric health ID or the Practice 360 app,” Duale said on Monday.

He was referencing a new mobile application healthcare workers will now use to review, approve, and manage pre-authorisation claims, which the CS touts as a solution to unauthorised sharing of the pre-authorisation approval codes by doctors.

Duale added that biometric identification was now live at Level 4, 5, and 6 hospitals and was on course to be onboarded at lower-level health centres countrywide.

In the lead up to Monday’s announcement, MoH says it has been distributing biometric authentication devices to public health facilities across the country.

The ministry claims fingerprint data is now linked to a central database for real-time validation, with the ability to detect duplicate or suspicious claims using automated pattern recognition tools.

However, going by the rampant failures the OTP system faced, the Practice 360 app’s efficiency remains to be seen, as does its performance in areas with poor network connections.

Additionally, it is not clear how well hospitals are prepared for the rollback since facilities abandoned the biometric verification equipment since the NHIF-to-SHIF transition nearly a year ago.

MoH is betting on tech to clean up its act. The latest move is, as Duale called it on Monday, “the beginning of a clean break from the past, where fraudulent claims and identity manipulation undermined the integrity and sustainability of our health insurance systems.”

Whether this bet pays off or becomes another costly loop in a reform-and-relapse cycle remains to be seen.