The unlock gate is three factors: the QR code or link (proves the patient has the delivered plan), the 6-digit PIN (proves they received the email or SMS we sent), and the date of birth (proves they are who we think they are). The error copy on the patient surface always says "Invalid PIN or date of birth" without telling them which one is wrong; that's deliberate to prevent a bad actor from time-distinguishing which factor matched. As the operator, you have to figure out which of the three to look at first.
Open Patients, find the patient, click their row. The detail panel shows the DOB stored on their record. Ask the patient (over the phone) what they're typing on their end. If those don't match, your record is wrong. Click Edit, fix the DOB to whatever the patient actually types, save. They retry and they're in.
The most common variant is the format ambiguity: 5/12/85 gets entered as May 12 by US clinics but as December 5 in other parts of the world. Always confirm month-day-year order before assuming the patient is wrong.
Every PIN expires at the end of the recovery window plus a 24-hour buffer. A 14-day recovery means the PIN works for 15 days. If the patient's trying to open the plan three weeks after their procedure for a 14-day plan, the PIN is gone.
The fix is a brand-new care plan, not a resend. Open the patient row, click New care plan, pick the same template, send. They get a fresh PIN with a fresh window. The old plan stays in the audit trail.
A small number of patient rows from early 2026 have no DOB stored at all. This happened on the older create-care-plan endpoint when DOB was made optional and the form let you skip it. New plans created via Quick Create require DOB up front, so this won't recur.
For affected patients, the verify surface auto-detects after the first failed DOB attempt and flips the prompt to Last Name. The patient types their last name instead and unlocks. You don't have to do anything on the operator side; the patient sees the prompt change.
After eight failed attempts in a rolling hour, the patient is locked out for an hour to prevent brute-force PIN guessing. They'll see "Account temporarily locked" copy with a clear retry timestamp. Two paths:
If the patient is locked out and frustrated, your fastest path is usually to verify their identity over the phone (name + DOB + last 4 of phone), then resolve it by editing their patient record so the stored DOB matches what they're typing. The next attempt after the edit succeeds.
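The lockout, expiry and error-copy rules described above can be modelled in a few lines. This is an added example, not the product's own code: the `UnlockGate` class, the status strings, the separate "expired" status, the ISO date strings and the choice to clear the failure count on success are all assumptions made for illustration.

```python
import hmac
from collections import deque
from datetime import datetime, timedelta

MAX_FAILURES = 8               # from the page: eight failed attempts...
WINDOW = timedelta(hours=1)    # ...in a rolling hour...
LOCKOUT = timedelta(hours=1)   # ...lock the patient out for an hour
BUFFER = timedelta(hours=24)   # PIN lives for the recovery window plus 24 hours
GENERIC_ERROR = "Invalid PIN or date of birth"

class UnlockGate:
    """Hypothetical in-memory model of one care plan's unlock gate."""

    def __init__(self, pin, dob, sent_at, recovery_days):
        self.pin, self.dob = pin, dob
        self.expires_at = sent_at + timedelta(days=recovery_days) + BUFFER
        self.failures = deque()    # timestamps of recent failed attempts
        self.locked_until = None

    def attempt(self, pin, dob, now):
        # A locked gate answers with the retry timestamp, even for correct input.
        if self.locked_until and now < self.locked_until:
            return ("locked", self.locked_until)
        if now >= self.expires_at:
            return ("expired", None)   # assumption: reported as its own status
        # Check both factors on every attempt, in constant time, so neither the
        # response text nor its timing shows which factor matched.
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        dob_ok = hmac.compare_digest(dob.encode(), self.dob.encode())
        if pin_ok & dob_ok:
            self.failures.clear()      # assumption: success resets the count
            return ("unlocked", None)
        # Drop failures that have aged out of the rolling hour, then record this one.
        while self.failures and now - self.failures[0] >= WINDOW:
            self.failures.popleft()
        self.failures.append(now)
        if len(self.failures) >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT
            return ("locked", self.locked_until)
        return ("invalid", GENERIC_ERROR)
```

A wrong PIN and a wrong DOB return the identical tuple, which is why the operator has to check the stored record rather than rely on what the patient saw.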
Different problem; see Resend a care plan. The roster row caption under the patient's name tells you whether the email actually delivered, bounced, or hit a complaint. That diagnoses the delivery path independently of the unlock gate.