The Subcommittee on Standards and Security of the National Committee on Vital and Health Statistics held hearings on a unique health identifier for individuals on July 20 and 21, in the James R. Thompson Center, Chicago, Illinois.
The goal of this and several future NCVHS hearings is to enable the Committee, pursuant to its HIPAA mandate, to develop a recommendation for the Department of Health and Human Services on a unique health identifier for individuals (UHID). The approach recommended must serve the health care needs of the American people while balancing concerns about privacy and confidentiality.
During the hearing, the Subcommittee heard testimony from and talked with eight panels, each of which addressed one of the following questions/topics:
NCVHS member Robert Gellman, who opposes the unique health identifier for individuals, was given an opportunity to make statements at the outset and during the proceedings, and to question panelists. Several audience members spoke during the public comment period at the end of each day.
The panelists represented a variety of stakeholders including standards development organizations, health care and public health organizations, an advocacy organization, and a pharmaceutical benefits organization. Many offered detailed recommendations about the desired attributes and necessary precautions related to the UHID. Many panelists related the experience of their institutions with patient identifiers.
The confidentiality/privacy implications of implementing a UHID were a consistent topic, with virtually all panelists and all Committee members agreeing that protections and penalties must be in place before any such identifier is implemented. Because of these concerns, one panelist said her organization, Citizens for Choice in Health Care, urges that the use of an identifier be optional for patients. The representative of the AIDS Foundation of Chicago observed that people with HIV or AIDS face both positives and negatives concerning a unique health identifier. The prevailing view among the panelists was that while privacy and confidentiality concerns are critical and must be addressed, they must be balanced with the clinical and administrative dictates of health care services.
A variety of existing and hypothetical models for patient identification were considered, including a number, a master patient index, and biometrics. Another recurring theme in the hearing was the suitability of the Social Security Number, probably encrypted and enhanced, as the UHID. The chief arguments in favor of the SSN were based on the fact that it already exists and thus would be far less expensive to implement. Otherwise, there was general agreement as to its limitations.
Dr. Lumpkin stressed that this is the first of several hearings on the health identifier for individuals. The next will take place in Washington, D.C., in mid-September. (Subsequently postponed)
Dr. Lumpkin convened the hearings on the unique health identifier for individuals at 10:13 a.m., July 20, 1998, and participants introduced themselves. The hearings are generated by the Health Insurance Portability and Accountability Act (HIPAA), which mandates that a unique health identifier be adopted by DHHS. The National Committee on Vital Health Statistics is charged with advising the Department on administrative simplification and other matters.
Past hearings have yielded recommendations for administrative simplification transaction standards and a unique identifier for providers. Whereas those issues lent themselves to defining a mature standard, the issue of a unique health identifier is less well defined. The goal of this and several future hearings is to develop a recommendation to DHHS on a unique health identifier that best meets the needs of the American people while also balancing concerns about privacy and confidentiality.
Mr. Gellman, a privacy and information policy consultant and a member of the National Committee on Vital and Health Statistics, cautioned panel members that a unique health identifier has potential to become a mandatory universal identifier, much like the Social Security number, which would have severe privacy and logistical consequences. He asserted that the main issue in the current deliberations is whether the Federal Government should be allowed to "control every phase of our lives by requiring that we have a card or a number to exist and to function. Those are the stakes at this hearing." He quoted Committee member Dr. Richard Harding, who called the patient identifier issue "the mother of all privacy issues."
Mr. Gellman noted that although panel members all have a wealth of health care expertise, no consumers, immigrant groups, labor organizations, patients, religious organizations, civil liberties groups, computer scientists, or Internet organizations are represented in the deliberations. In the context of a decision about a "national identifier," he described the composition of the Committee -- which includes representation of the interests of health care providers, health researchers, and public health agencies -- as "woefully unbalanced and inadequate" and "incomplete."
He noted that as early as 1997, when the Committee supported the adoption of a patient identifier, Mr. Gellman and Dr. Harding dissented from that recommendation -- but the dissent was not referenced in the white paper on the issue, and the letter of dissent was located in "an obscure place on the Committee's website." In addition, he asserted that the Committee had ignored his proposal that all Committee documents on the patient identifier issue be placed on the public record.
Asserting that the Committee's recommendation of a unique health identifier appeared to be a foregone conclusion, Mr. Gellman urged the Secretary to solicit other points of view in the debate, inasmuch as the issue is not just a health issue.
In response, Dr. Lumpkin pointed out that Congress has charged the Committee with making recommendations for a unique health identifier for individuals and that the implementation (or not) of such an identifier is not at issue. Dr. Lumpkin then summarized the process that will lead to the Committee's recommendation. He assured that the risks of the unique identifier will be identified in the hearings, and that a Notice of Intent will be published in the near future to inform the public about it and to solicit input regarding a proposed recommendation. The Committee will then make its final recommendation, which will subsequently go to the Department, along with all public comment. The input of this Committee will be just one part of the deliberations at the Department level.
Dr. Lumpkin introduced the first panel.
Dr. Chute framed his presentation in terms of data linkage. The "how" of data linkage relates to the purpose of a patient identifier. The "why" relates to understanding disease natural history, treatment responses, functional outcomes of patients following care, and the effective, efficient, and satisfying engagement of the health care process.
He asserted that the absence of a common patient identifier may compromise efficient and effective delivery of care to an individual, and that understanding of health and disease can be compromised without underlying data linkage, which will enable the discovery of new knowledge about the health care process.
Data security is possible when targeted against patient data rather than the identifier, and security is clearly required. Dr. Chute noted his organization's commitment to patient confidentiality and data security.
From the patient's perspective, the pertinent questions relate to whether there is anything wrong, what the findings mean, and what can be done. The answers to these questions derive from a body of patients' past experience.
American health care is decentralized, and information transfer between and among health care providers and phases is somewhat inefficient. Both clinical decisions and research are often incomplete and potentially biased, based on erroneous or incomplete transfer of information.
In discussing cross-institutional population-based research, Dr. Chute described aspects of the 30-year-old Rochester Epidemiology Project, which is fundamentally dependent upon linkage of information across providers and which pertains to the health history of a single patient over time. This study, which contributes to the understanding of health outcomes and disease, integrates the health experience across providers for persons in one Minnesota county.
The logistics of the project have embraced the master patient index (MPI) approach, with whose shortcomings regarding linkage of patient data the project administrators are familiar. The approach is used to develop a master diagnostic and procedure index of patients in the population-based area, and the information is maintained in a highly secure data format.
Dr. Chute described the benefits of the project, which allowed its investigators to recognize certain notions of hospital bias, including the following: (1) The natural history of disease can differ profoundly in a hospital series from that in a community; (2) hospital series patients tend to be sicker (the Berkson bias); (3) multiple sclerosis as a disease had double the prevalence in populations than had been previously anticipated and had a vastly improved prognosis than that which was expected, in contrast to the population in hospitals, where obviously ill patients were seen disproportionately; and (4) patients referred from distant sites tend to be healthier than patients seen within the community.
Dr. Chute discussed patient data as a valued resource, and ascribed the reputation of the Mayo Foundation and Clinic to their longstanding practice of organizing, preserving, and linking patient data. Mayo has used a common identifier to facilitate linkage of all patient events within the activities of the foundation for more than a century, and Dr. Chute noted Mayo's commitment to and resource expenditure on indexing the information to facilitate learning more about disease and natural history in order to take care of patients better. He further noted that at no time has there been a breach of confidentiality traceable to the use of patient information in research.
Regarding patient anonymity in research, Dr. Chute acknowledged that researchers can and should deal with information that has no patient identifiers within it, and stated that the important issue is how to generate the dataset for the researcher. The required linkage of patient events presumes use of a consistent patient identifier; although the identifier can be discarded once the linkage has been made, its total absence would make impossible the conduct of outcomes research, disease natural history, and treatment response analysis.
Acknowledging the societal concerns Mr. Gellman had expressed earlier, Dr. Chute asserted that the important questions concern when the identifier is discarded, and how the identifier is made appropriate. Within health care, the focus is appropriately on security and confidentiality of the patient data, not on the identifier.
Dr. Chute discussed some caveats. Regarding check digits, the algorithm is immaterial as long as it is sufficient to detect additions, deletions, inversions, or transpositions of digits or elements within the identifier. The length of the identifier or the check digit is a function of "how sure you want to be." A single decimal check digit gives a 1-in-10 chance of that check digit behaving correctly. Two alphanumeric digits (eliminating I and O) gives a 1-in-342 chance of using the check digit appropriately.
A unique identifier facilitates data linkage in direct support of an individual's care and indirectly by acquiring new health care knowledge from aggregate patient experiences.
Making IDs standardized, consistent, and comparable would improve Ids currently in use. Possibly fatal implications attend multiple identifiers attached to a single individual.
One alternative to an identifier is to conduct business as usual, noted Dr. Chute, but there is a "huge opportunity cost" to society and to individuals "as a consequence of suboptimal care and a suboptimal understanding of the health care process and our knowledge about it." Another alternative, MPIs, are fraught with error and misclassification, as well as being costly and difficult (if not impossible) to coordinate with other indexes.
An identifier would not impact on privacy. The data on patients is the issue, and the implementation of an identifier must be in tandem with policies, legislation, logistics, and technology that can ensure the privacy of that data.
The Government is the logical broker for establishing, issuing, maintaining, and overseeing health identifiers, and for monitoring the appropriate patient data use by promulgating policies, data audits, and other legislative mechanisms.
Dr. Chute concluded by saying that a common health identifier would ultimately serve the best interests of individual patients through a better integration of their care and by enabling observational research on health outcomes. "If fairly and intelligently implemented," said Dr. Chute, "electronic patient records using common identifiers might actually reduce risk to patient confidentiality relative to what exists today in our paper environment, which has no ability for audit or usage trails."
Ms. Ebbert described the goals of the AIDS Foundation of Chicago (AFC): (1) to establish a network of providers sensitive to the needs of people diagnosed with HIV and AIDS, (2) to raise and distribute money for the purpose of preventing and treating AIDS and HIV, (3) to administer Government funds for the purpose of preventing AIDS and HIV, and (4) to advocate for the rights of those whose lives have been transformed by the diagnosis of AIDS. Through the AFC's case management cooperative, individuals are served locally by agencies that best meet their needs for advocacy, education, and linkage to services. The system is part of a larger data system that tracks case management activities and use of services.
People with HIV or AIDS face both positives and negatives concerning a unique identifier for health care. In terms of positives, AFC clients, who typically use the health system a great deal, would benefit from a system that emphasizes portability and decreased insurance restrictions based on pre-existing conditions. In the context of complex treatment protocols, a unique identifier could help protect the confidentiality of lab results, assure that prescriptions are not conflicting or duplicative, and assist in the longitudinal evaluation of treatment regimens. Disease trends and referrals into services could be tracked with ease. The AFC is currently engaged in discussions with the Illinois Department of Public Health to consider what identifiers might be appropriate in Illinois to achieve these public health goals.
In order for the AFC and its constituents to support a system of unique identifiers, safeguards must be implemented against the misuse of confidential medical information. Misuse can adversely impact individuals in the areas of insurance coverage, employment, housing, child custody, education, and other areas unrelated to health care.
AFC supports the implementation of federal law designed to protect the confidentiality of medical records. Such a law must have stiff penalties for the violation of standards, and must establish standards that emphasize individual protection before efficiency and cost- effectiveness. As recommended by the 1997 Consumer Bill of Rights, AFC supports "the right to communicate with health care providers in confidence and to have the confidentiality of their individual health care information protected."
Ms. Ebbert itemized criteria for a unique identifier that are most important to assure the individual's right to confidentiality: (1) consent, (2) controls (only entities with written or limited statutory permission to access for the purposes of public health research or health care), (3) focus on health care only, and (4) secure (linkage between confidential information and demographic data, billing status, and administrative function tightly restricted).
Confidentiality of AFC's data, which is stored in an internal, name-based tracking system, is assured by the nature and purpose of the dedicated software (confidential and sensitive information, maintained locally in the individual case management agencies, is not part of the larger system), the structure of the hardware (a distinct server not accessible to all staff or linked to a network with Internet access), and informed consent of the individuals.
Ms. Ebbert suggested that a system based on unique identifiers could protect confidentiality by being designed to manage only administrative information and not every part of an individual's medical record, by having specific structural controls over the access to the information, and by providing for extensive client information with specific consent for the sharing of any information in the system.
AFC supports the Committee's recommendation that no unique identifier system be developed in the absence of federal legislation to protect the confidentiality of health records. Legislation should establish the individual's right to privacy, assure informed consent for the sharing of information, preserve the right of individuals to access their own records, and establish severe penalties for the violation of privacy protection measures.
AFC acknowledged that the concerns expressed by Mr. Gellman are "real," and urged that unique identifiers protect the right to privacy of medical records of all people served by the health care system.
In response to a question from Ms. Fyffe concerning the appropriateness of penalties in the current law, Ms. Ebbert said she would check with her organization and report back to the Subcommittee. She asserted that prevention is better than after-the-fact penalties.
Dr. Lumpkin invited all panelists to submit written answers to the questions posed. There was no verbal response to his first question concerning the adequacy of the security recommendations posed by the Committee.
Dr. Chute stated that the MPI does not create a national repository of health information, although it enables generating such a repository (albeit flawed). Improved patient care can be ensured with a common identifier at the level of an individual, as distinct from an MPI. Insight into health outcomes and knowledge can be undertaken (albeit awkwardly) by linkage between and across clinical centers.
In response to a question from Dr. Lumpkin about the advantage of an MPI vis-a-vis emergency care, Dr. Chute noted that such an index can support access to previous information, but that the MPI does an incomplete and sometimes inaccurate job of maintaining linkages. He asserted that a repository underpinned by a common identifier relative to an MPI would be enhanced.
Acknowledging that the concept of an MPI is subject to ambiguity, Dr. Chute characterized Dr. Lumpkin's view as "a catalog of pointers to previous health care experience encounters that can subsequently engage their own authorization process and access protections," which, according to Dr. Chute, is "clearly a desirable attribute." Dr. Chute takes the position that an ersatz identifier is generated that is a compilation of sundry patient characteristics.
Dr. Chute expressed his opinion that federal legislation and policies that address patient confidentiality and appropriate data use are "sorely lacking," and stated his support for a statute concerning appropriate uses of patient data and appropriate mechanisms of access patient data.
Dr. Chute stated that under current legal protections, it is not desirable at this time to have a common patient identifier. He contended, however, that it would be beneficial to move forward "in tandem with policies and legislation that guarantee appropriate protections of confidentiality and privacy for patient data."
Mr. Gellman stated his disagreement with Dr. Lumpkin that the legislation requires the establishment of a patient identifier. He noted that all identification systems have problems, notably the Social Security system: originally, no additional authorized uses were to be permitted, but now 27 uses are authorized. In addition, Mr. Gellman stated, medical ID cards may be subject to mishandling and consequent misidentification of patients. He listed entities that would have access to identifiers: doctors, dentists, hospitals, laboratories, nursing homes, pharmacies (drug stores and supermarkets), employers, and federal, state, and local agencies. He cited an ACLU study on patient data, which showed patient data in 30 of 50 governmental units in Wisconsin. In addition, health researchers; health care consultants; health database companies; health, life, and automobile insurance companies; schools; and social welfare agencies would have access to the number, as would the Attorney General of the United States and inspector generals from various federal agencies, credit card companies; credit reporting agencies; banks; and debt collection agencies.
Dr. Chute noted that a health care identifier does not disclose the substance of a health care history, but is rather a label to which such information could be attached.
In response to Mr. Gellman's comments, Ms. Ebbert stated that access is an issue whenever a system links data, and by whatever means. Because even the best laid-out system could be compromised, it is important to consider how much of the data is linked to the identifier, what data is linked, who has access to it, and how to prevent lawmakers from facilitating access to part of that information for purposes unrelated to health care.
Mr. Gellman discussed the sensitivity of both the data and the identifier, reiterating his view that the identifier will be in widespread use, as is much data today. Ms. Ebbert acknowledged his point.
Ms. Ebbert explained in response to a question by Dr. Cohn that it is not necessary for all data to be linked. That a lab test was done, for example, may be of administrative or financial interest; but not all need to know the results of the test or the conversations between provider and patient concerning the test.
On the issue of linking some or all data, Dr. Chute asserted that the important issue is to ensure that information should be linked that can forward the care and management of a particular patient, including information that can provide insight on health outcomes, treatment consequences, management issues, across populations of patients. He declined to address whether that merit overrides objections, concerns, or legitimate difficulties with linking particular information.
To Ms. Frawley's question concerning AFC's name-based identifier, Ms. Ebbert responded that she would provide complete background in writing on the evolution of their information system. She noted that their case management tracking system, which has tracked more than 5,000 clients, has no detailed information about treatment or conversations with physicians, and does not involve client-based reimbursement.
In response to a question from Dr. Cohn, Dr. Chute stated that the gravity of the problem of misfiled information "is in direct proportion to the amount of resources one is willing to expend to maintain that initial master patient cross-linkage." Even with great diligence and care, imprecision, inaccuracy, and error are discovered. It is not known what is the impact of these problems on the research reports, but "the resources we do obtain could be perhaps better spent, rather than maintaining this massive, tedious, and complete cross-index of patient information," on "studies that could be more carefully, thoroughly, and widely undertaken."
Mr. Arges explained that WEDI, a broad coalition of organizations within health care that are engaged in and are supportive of the delivery, receipt, and processing of electronic health care transactions, is one of the four consulting organizations mentioned in the administrative simplification provisions in HIPAA. Their mission is to improve the effectiveness and efficiency of the nation's health care system by increasing the volume and value of electronic health care transactions while enhancing the security and privacy of their content.
While the idea of a unique patient identifier is attractive to WEDI, and WEDI has been examining potential costs, no conclusive study has been conducted because much depends on the type of privacy and confidentiality protections to be enacted. WEDI recommends that nothing be done until protections are given a prominent role in the process. It is expected that experience with the provider ID and payer ID will provide important information.
The current system suffers from inconsistencies in data recording; standardization is called for. A variety of identifiers are used routinely as part of the handling and submission of claims and other transactions.
Although the member organizations of WEDI have not voted formally on support for a unique patient identifier, members are aware that the system could benefit from a standardized patient identifier. An established identifier should be numeric with a check digit.
WEDI urges that rational and thoughtful consideration be given to privacy and confidentiality protection, in terms of protecting the identification of an individual with respect to a number in a database, and of who would have access to that database. Further exploration is called for in terms of the role and obligation of the participants, and what to do with the data once it is processed, collected, and a response made to the other party.
WEDI plans to continue the dialogue in its policy advisory groups. Mr. Arges noted that the Department's white paper identified a variety of issues that warrant consideration.
Mr. Schalk explained that Gallagher is a third-party administration firm that deals primarily in the single employer marketplace. It pays health care claims and handles large case management and other kinds of managed care issues for single employers, most of which are self-insured.
Gallagher recently completed an internal analysis of its claims system to derive ballpark estimates for HIPAA's potential impact. Changes to system architecture are more expensive as a retrofit; most systems would need to be retrofit for HIPAA. Many factors are undecided (e.g., whether the system is to be key driven and the size and mechanics of the field). Mr. Schalk suggested that a number of variables would prohibit systems on the marketplace with "extra filler areas" from being quickly and expeditiously used for such a change.
Gallagher found a number of challenges in terms of gathering information, size of the field, whether or not the system is to be key driven. It is to be key driven, another aspect of system architecture for retrieval and record keeping will be required. Another area of concern is how fields can be part of other field.
Mr. Schalk's firm has a reporting system driven off of a separate PC/database application. He noted that changes for claim adjudication, for instance, do not necessarily stop at that function; they can feed into other systems used for further reporting or data distribution.
Mr. Schalk stated that the cost to change a mainframe system is larger than to develop a PC-based database, which is how Gallagher developed interfaces for other vendors to whom they supply eligibility information.
Mr. Grimshaw, manager of enterprise systems for the Missouri Medicaid Project, described GTE's capabilities to provide various claims processing systems in the different medical arenas. From GTE's conduct of a HIPAA budgetary cost estimate for Missouri's Division of Medical Services regarding converting the current system via the Medicaid management information system, Mr. Grimshaw noted, large variations in costs are expectable. Implementations vary greatly by organization, depending upon the type of original system and the identifier's type and role. Commercial systems shared by many companies will be better able to handle change, while "homegrown" systems have fixed format identifiers embedded into the systems -- but they may be in fields that are being used for other purposes.
Experience with customers led GTE to convert the system to use a working index key as opposed to an individual field. GTE supports a numeric identifier, in part to conform to an audio/voice response system. The larger the number, the more change can be expected. Mr. Grimshaw noted that its audio/voice response system handles 75 percent of incoming phone calls.
The costs to implement a unique ID are staggering, asserted Mr. Grimshaw, given the involvement of the MPI, transaction code sets, code sets within transaction sets, and program conversions and expansions. If these issues are addressed concurrently, the system will work better and costs will be lower (significant testing costs will be minimized).
Mr. Grimshaw discussed conversion costs, stating that the reaction of Missouri officials to the estimated cost of converting files back to 1979 (currently Missouri processes around 44 million claims a year) was shock. The cost of using the new identifier would be $450,000 -- just to reissue recipient ID cards.
Among the financial benefits of an identifier for health plans and Medicaid agencies, according to Mr. Grimshaw, would be cost savings from the reduction in reconciliation necessary for individuals with multiple identifiers and in straightening out cases of more than one individual with the same identifier.
Mr. Grimshaw stated that security issues regarding numerations must be resolved before any process is accepted. While acknowledging the controversy regarding centralized medical information, he noted that if security issues could be resolved, a unique identifier might reduce duplicate or inappropriate treatments because patient profiles could be shared with physicians reviewing a patient's care.
Mr. Grimshaw identified a number of issues regarding additional infrastructure required in establishing a unique ID number: (1) enumeration methodology (if a separate number, it should be issued similarly to the way Social Security numbers are issued), (2) identification and verification number (possibly using a PIN number) to be sure the identifier is the correct one for a particular person, and (3) implementation of the identifier should take place at the same time as the other HIPAA standards for cost-effectiveness. Privacy legislation must be in place before implementation of the identifier.
HIPAA's electronic data interchange (EDI) standards should be taken further. Savings are not significant for administrative billing purposes, but they would be in the provision of care.
Mr. Grimshaw discussed the electronic transmission of data, saying that the provision of secure transmission would result in administrative cost savings.
It would be most helpful if the format or the link to the format of the proposed identifier were decided upon earlier rather than later, so that current expansions of computer systems could incorporate this data as soon as possible, thus also resulting in cost savings.
In response to Mr. Gellman's questions, the panelists agreed that with a health identifier, a health ID card would be desirable. Mr. Arges suggested that the identifier be embedded in the magnetic strip, rather than imprinted physically and easily read. He added that cost should drive the amount of information on the card, which should be viewed as a routing mechanism that does not necessarily capture the medical record, but that offers access to its user when authorization is confirmed. A picture on the card would not preclude misuse, but the patient's name would be necessary. Mr. Schalk stated that the name, date, and number would be appropriate pieces of information on the card; a check digit would be important for verification.
Mr. Grimshaw asserted that technological considerations are secondary to how providers get access to medical profiles in order to make good medical decisions. He suggested that an additional level of security can be achieved by using an identifier associated with the card, not necessarily with the recipient (or his/her Medicaid number). In terms of the issuance of cards, Mr. Arges and Mr. Schalk stated their preference for a process similar to those that issue and update drivers' licenses. Mr. Grimshaw suggested registration at birth similar to the Social Security process. He also visualized health plans issuing benefit cards.
In response to Dr. Cohn's question concerning the cost ramifications of using mapping versus internal changes to systems, the panelists agreed that mapping would be a technical possibility. Mr. Grimshaw noted that the changes necessary would vary by organization. Mr. Schalk stated his belief that most systems were not as flexible as what had been discussed at the hearings. Mr. Arges described the costs as possibly "enormous," with the cost of issuing the ID the least of them; the costs of education and establishing safeguards and other crosswalks to change over historical files is likely to represent the bulk of the cost.
Ms. Fyffe asked how much risk panelists saw in the development of a large database that would contain information that, when accessed, could provide a longitudinal patient record. Mr. Grimshaw stated that while he is aware of systems that use a central repository, he was not aware of any difficulties involved. Mr. Schalk asserted that while the central system poses the most risk, that risk exists today. The question of risk relates to who is the owner of the database and what they want to do with it; such a database could be exploited. Mr. Arges pointed out that the costs might outweigh the benefits of such a system, and that the databases developed may not be as large as envisioned in the question. Mr. Grimshaw stated that while the feasibility might not be present today, the identifier will pave the way for the time when technology and applications are available in the future.
In response to Dr. Lumpkin's questions, the panelists agreed that a number is appropriate as an identifier. Other items may be associated with that, including biometrics, for example, but they should not be part of the identifier. Mr. Arges noted that identifiers are in use today, but there is no consistency.
Regarding costs related to delay of information on the composition of the identifier, the panelists agreed that changing systems with incremental information is not as cost-effective as having all the information at the time the changes are designed and implemented. In estimating the opportunity costs, Mr. Grimshaw cited statistics with which he was familiar that planning and requirements for each development involve 15-20 percent of development costs, and that testing represents 25-32 percent. Some of these costs would be saved in making all the changes at one time. Mr. Grimshaw stated that if it were announced that the identifier were not going to be any longer than 16 characters, whether alpha or numeric, he would recommend to his client that they change the system to accommodate 16.
In view of the high start-up costs of the investment in unique identifiers and the enormous backlog expected, Mr. Gellman questioned how long it might take to enjoy the real benefits of such a system. Mr. Grimshaw, in responding that administrative cost will pay for itself in the long run, cited the example that improvements in the tracking of third-party liability could result in recovery of millions of dollars now paid by taxpayers through the Medicaid program.
Mr. Gellman questioned whether recouping costs associated with an identifier might take longer than costs associated with converting to a common transaction set. Mr. Grimshaw responded that particularly on data matches in the Medicaid program, costs could be recouped. Mr. Schalk agreed that costs are recoverable at some point. Mr. Arges suggested that some benefits, such as improved quality of care, cannot be quantified. Mr. Gellman identified the intangible cost of the necessity for Americans to go to an office to reregister for an ID card.
In light of legislation passed by the last Congress to make it more difficult for that body to pass future legislation that would impose an unfunded mandate on the states, Mr. Gellman queried who should pay for the all the immediate costs associated with a health identifier. Mr. Arges stated that the Federal Government must set the groundwork for the process, and funds should be set aside to accomplish the national guidelines. This view is predicated on the view of an identifier as a benefit to the public. Mr. Schalk supported Mr. Arges' comments, but pointed out that internal discussions have assumed that the costs will fall where they may, an eventuality he felt was more realistic. Mr. Grimshaw stated that from a commercial standpoint, where the costs occur is where the savings will come in. Medicaid programs will need to be funded.
Dr. Fitzmaurice questioned the panel as to which identifiers companies currently use, and, if the HIPAA-proposed changes are implemented, what would be their opinion of the level of abuse. Mr. Grimshaw stated that the Social Security number is not part of transactions for his Missouri client, who uses a specific Medicaid identifier. He declined to discuss abuse. Mr. Schalk noted that the Social Security number is used primarily in non-Medicaid systems, and that he sees no abuse. Mr. Arges stated that the Social Security number is collected routinely. He asserted that there has been little abuse. Mr. Schalk agreed with Mr. Arges that the same amount of abuse would occur with a new system. Mr. Arges emphasized the importance of safeguarding the detailed medical information related to the number. Mr. Grimshaw pointed to the potential for the health identifier to have the same broad fate as the Social Security number.
Dr. Hieb explained that for five years, members of ASTM E31 have been addressing issues related to the creation and maintenance of a national individual health care identifier. The result is the creation of a national standard, designated as E1714-95, which deals with the properties of a national health care identifier. A white paper has been developed jointly by ASTM and Computer-based Patient Record Institute (CPRI) that summarizes and ranks the requirements for a universal health care identifier.
ASTM proposes both open and encrypted identifiers, called UHIDs and EUHIDs, respectively. The full identifier includes 29 digits, including one non-numeric delimiter digit; a compact UHID is 16 digits and EUHIDs would be slightly longer depending on usage.
ASTM believes that privacy and confidentiality requirements and concerns are significant and deserve careful attention. The ASTM design, Dr. Hieb asserted, "goes a long way toward addressing those concerns." The superiority that ASTM claims for its proposal rests on its guarantee of producing a unique HID because it is based on a database system that oversees the issuance of the identifiers and that has sufficient capacity to support at least 40 generations of Americans.
Check digits are part of the design. Both open and encrypted identifiers are of the same format, permitting them to be processed by computer systems and require no additional fields to assure validity of representation of an individual. Up to one million EUHIDs are available for each individual, thus making it possible to issue EUHIDs for specific purposes. The multiple identifier capability built into the ASTM proposal is one of its key strengths, because it allows issuance of the identifiers today and to continue to issue them if it were mandated by future legislation.
ASTM's proposal, focused exclusively on the needs of health care, is not influenced by requirements from other agencies or market segments. Using current technology, its identifier system can be implemented rapidly and cost-effectively.
Dr. Hieb acknowledged that no identifier can guarantee security, privacy, or confidentiality, but he pointed out that an inadequately conceived identifier can limit our ability to perform those functions. ASTM holds that its identifier design specifically avoids those limitations and allows maximum freedom to meet those needs both today and in the future.
Dr. Hieb rejected the notion of EMPI or a national health care identifier, suggesting instead that the construct should be EMPIs and national health care identifiers. Recognizing that some old systems that cannot change their formats may have difficulty adapting to a national health care identifier, he posited that the combination of EMPIs with national identifiers would be the most effective way to meet the operational needs of health care.
The answer to the question of who pays is, "We pay," whether it be through federal taxes, state taxes, or premiums to HMOs. A simple algorithm can be used to divide up the payment, making it feasible to develop an optimal division of cost to make the cost as small as possible.
ASTM disagrees with the sentiments expressed that implementation of a national health care identifier must follow legislation providing for security and privacy protections. Because of the multiple encrypted identifier capability of its UHID/EUHID, ASTM believes that one can implement this system now "with assurance that it will support what is known and what is functional today without limiting in any way the ability to modify or expand that capability later."
ASTM understands that two major candidates exist for a national health care identifier, the UHID and the enhanced Social Security number (ESSN). ASTM has identified unresolved issues concerning the ESSN proposal, including whether or not it is envisioned as a replacement for the Social Security number. Until these issues are resolved, a proper analysis of the competing proposal cannot be made.
The creation of a national health care identifier promises long-term benefits for health care automation systems. With appropriate functional characteristics, ASTM believes it should facilitate linking information from disparate sources into a single, comprehensive, consistent electronic medical record while simultaneously preserving and enhancing patient confidentiality and privacy. Conversely, implementing an identifier with significant functional deficiencies may make it impossible to achieve these goals. Dr. Hieb cautioned that the requirements and criteria outlined in ASTM's documentation must be carefully measured against each proposed identifier implementation plan to ensure that health care receives the maximum benefit from the time, effort, and money invested in the creation of a national health care identifier.
Ms. Rudolph summarized her department's mandate, and described what must be in place for WDHFS to implement its proposed unique health identifier. Before any identifier is put in place, she asserted, passage of confidentiality provisions must occur. WDHFS supports the uses of individually identifiable health information outlined by Secretary Shalala in her September 11, 1997, speech to Congress. WDHFS uses individually identifiable information, and the data and information must not be reduced in order to assure service delivery, to safeguard against misuse of WDHFS programs, to facilitate cross-program linkage, and to facilitate public health research. WDHFS also recommends that a public education program be designed and implemented about the use of individually identifiable health information.
WDHFS recommends Social Security numbers with a check digit as identifiers. The check digit would be helpful in eliminating duplicates, invalid numbers, and some misuse. A single-character, numeric check digit is recommended based on lower cost estimates.
WDHFS supports holding back the Notice of Proposed Rule Making (NPRM) for the unique patient identifier until confidentiality provisions are enacted and implemented.
Ms. Rudolph stated her discouragement of identifiers of more than 10 characters or encrypted identifiers, which would engender implementation difficulties, increase costs, and negatively impact patient access to care, by making it increasingly difficult for smaller providers to continue to provide health care services, particularly in rural areas. She recommended that the Social Security Administration (SSA) continue its efforts to improve its enumeration process.
The benefits of the recommended identifier include the following: (1) the Social Security number with a check digit already exists as a widely used identifier; (2) a trusted authority exists and is well known by the public; (3) Wisconsin experience has shown this identifier to be satisfactory for health care payment, enrollment, and eligibility; (4) use of the Social Security number would obviate the need for costly changes in Wisconsin; and (5) the public can remember the number.
Ms. Rudolph described the effects on WDHFS, should a different identifier be proposed. All other alternatives would be more costly to implement, including the option of doing nothing at all. She asserted that doing nothing may be the most costly option, given the loss of important tracking information, for example, and the delay in availability of medical information during a crisis. If a longer identifier were required, Wisconsin would incur considerable costs to alter its information systems. Adding extra fields would be "extremely costly" to the state's Medicaid program. Unless a longer identifier uses the Social Security number to match a new identifier with the patient number currently on file, "incorrect matches could occur, the result of which could be detrimental or even deadly."
The anticipated effects of HIPAA on WDHFS are significant costs for implementation, especially in the state Medicaid program, compounded by costs inherent in the shortage of skilled computer programming staff (who are focused on Year 2000 issues). Effects will be felt related to conflicting federal regulations, "potentially resulting in the development of multiple crosswalks or other kinds of system accommodations." An example of conflicting regulations is the National Center for Health Statistics' mandated use of ICD-10 codes one year prior to the change required for HIPAA.
WDHFS is also concerned about DHHS's silence on other federal data systems, such as the MDS; systems should be compliant with the data definitions and coding found in HIPAA proposed rules. WDHFS is concerned about maintaining duplicate systems and would prefer that a "turnkey deadline" be established; maintaining information in two formats may lead to errors in the data and is more costly to support. Because this is an unfunded mandate, WDHFS "would like to reduce costs where it is possible to do so without sacrificing the overall intent of administrative simplification."
Mr. Gabler advocated the effectiveness of a "tandem of a health care identifier and an MPI" in addressing many of the issues faced by the Subcommittee.
In briefly outlining the history of MPI, Mr. Gabler discussed the results of a series of workshops in 1996 designed to define the issue of MPI with a view to linking personal health information. The need was recognized that identifying a person accurately must occur first, and a "peer structure" rather than a hierarchical structure was developed. In 1997, workshop participants associated as a special interest group with HL7, taking the position that MPI mediation offered a significant tool for facilitating the implementation of the HIPAA health identifier. There was no consensus on what MPI should stand for, but the abbreviation was retained, even though it was dissociated from what the words typically have meant in the past. Mr. Gabler explained that his usage of the term denotes a "person-director." Early in 1998, CORBAmed finalized a definition for interface to deal with patient identification between systems. They shared their model with HL7, and a significant amount of overlap exists both in participants and in the model.
Mr. Gabler stated that a unique health identifier is needed, but it should not be the primary ID in the local system. It should be associated with a person as an additional data field or a secondary ID, but not the primary ID, for a number of reasons, including technological concerns. HL7 believes that MPI mediation directories can be used to improve the accuracy and consistency of the associated ID.
Multiple Ids are already associated with a person, and less trauma, inefficiency, and waste would be experienced in trying to work with those IDs rather than to replace them. It may be easier to accommodate associated information than to conduct a changeover.
Correction mechanisms must be in place to account for human involvement in the use of identifiers. It is more manageable to separate the validation of an ID associated with a person from the actual usage of the ID; it is easier to find and correct incorrect information associated with a person than if the incorrect information is applied as a primary identifier.
In the CORBAmed process, an ID domain is a system that assigns an ID in order to do its work. An ID domain must control the IDs, and if there is a conflict in that process, the domain holds it up until the conflict is resolved. A local ID domain would be, for example, a physician office system; its ID is the primary ID, which is then associated with whatever other ID ties information together.
One model under consideration is an enterprise directory, "an integrated delivery system or some composite that recognized that there are multiple facilities that need to cooperate with a given patient population and defining the mechanism for how that functions with the existing MPIs that may exist in a local system." The next step is a specialty directory, for example, "an HMO that wants to identify its population [or] a state government that wants to identify a subset of its population." Mr. Gabler described this as a peer model, whereby if the models were diagrammed, the lines connecting the specialty directories to the enterprise directory would indicate that if a population is to be tracked, it is not necessary to hold everything in the specialty directory itself.
Mr. Gabler next described the hierarchical use of the peer model, first addressing the idea of a coordinating tag, for which the health ID is envisioned as being used. The key is to design something to use for coordination, which permits disparate activities to occur asynchronously to the central process so it can be brought back together. This design also permits existing systems to do their own validation (perhaps with a mediation directory) of the ID associated with a person; in fact, existing systems handle the validation task now.
The system could store or not store the ID, depending on the mechanics of the process, which is where the cost impact of the recommendation enters into the equation, and the ability to add that associated health ID to the outbound information when it is required. The mediation directory could be used as a supplement if it is not specifically stored in the system.
Mr. Gabler used the "not .. exactly politically correct" example of the system used by the IRS. Systems around the country send information to the IRS. They have a coordinating tag (Social Security number), used to pull everything together so they can get a composite picture on an annual basis of the individual. He stated that this model, whereby a coordinating tag pulls together a number of systems, simplifies the process and offers flexibility.
He discussed the issue of levels of validation of identity: Is the person who the person says he/she is? The information comes either from a person or from a document; an ID should have some level of validation associated with it. Alternative processes should be implementable to obtain an identifier. More and better tools are becoming available to validate IDs, as well as some mechanisms for monitoring that process to see that it is done accurately.
In terms of security, Mr. Gabler noted that it is impossible to completely prevent deceptive practices, although tools are available to try. Preventing and monitoring misuse must work together.
In summary, he stated that a unique health identifier is much needed, "but should not be looked at as the primary key in any system, but rather an associated bit of information that could be used. This allows you to use whatever associated identifiers that person may have available” in the identification process, “making that more accurate itself." In addition, MPI mediation directories can be used to improve accuracy.
In response to a question from Ms. Fyffe regarding how small providers and rural providers would use the identifier he proposed, Dr. Hieb stated that the program is designed to be scalable. A physician's office that lacks a personal computer is rare, and, he asserted, implementation should be based on secure Internet technologies. Thus, this system would not be a burden on small organizations. Dr. Hieb concurred with Mr. Gabler that it is important to let systems continue to operate as they have and to add the national identifier as an additional item.
Mr. Gabler responded to a question by Ms. Frawley, saying that no consensus was reached on mandatory data elements for the MPI mediation directory. The model used in the CORBAmed personal identification system (PIDS) described a set of demographics to enable a matching process. The more information in the directory, the better. He noted that when validation is at the front end, that is where you need the demographics to do the matching. Once the coordinating tag is assigned, the downstream task of dealing with it is simplified. A number of MPI mediation directory models are being tested by vendors and standards groups. Progress has been hampered by lack of a firm definition.
In response to questions from Ms. Frawley, Dr. Hieb concurred with Ms. Rudolph that the most expensive option is to do nothing. In terms of optimum size of the identifier, it is constrained by human issues -- how many numbers can we remember? -- and physical considerations -- what size space do you need on the form? The important issue is, however, consistency over length and time.
Software can encrypt and decrypt, and distribute the results free over the Internet. The expensive part is creating software and making it available, and then including it in the places that want to use it. The State of Wisconsin will find that if they go to the ESSN or the UHID or a biometric identifier, they will encounter significant costs. Costs may be mitigated, but no identifier comes free of charge. "The important thing is that this Committee make a choice that is functionally robust," in that it can support both today's and tomorrow's needs, Dr. Hieb asserted.
In recent months, ASTM and CPRI have joined efforts to synchronize the various documents and requirements around a national health care identifier. The white paper, "Prioritized Requirements for a National Personal Health Identifier," is an attempt to summarize and rank those requirements.
The Department of Veterans Affairs (VA) has combined the ASTM UHID capability with its internal MPI and is in the process of rolling that out to the total VA population of 26 million veterans -- 10 percent of the U.S. population.
Dr. Cohn stated his aim to reconcile the presentations by Dr. Hieb and Mr. Gabler. In response, Mr. Gabler noted the need for the identifier as part of the mechanics of the system. The mediation process can help facilitate not only the accurate identification of the identifier, but also its association with an individual, no matter how one goes through the identification process or how large the patient group. One issue is whether to use an already existing number or to create a new one; this process permits either. The association aspect of mediation represents a mechanism to deal with systems as systems.
Mr. Gabler stated that his view is consistent with those of both Ms. Rudolph and Dr. Hieb. Mr. Gabler's contribution was to suggest a mechanism to associate a number, presuming the number is selected with good logic. The MPI mediation permits use of a unique identifier (as suggested by Dr. Hieb) or an enhanced one (per Ms. Rudolph), and at the same time deal with systems that may take a long time before they can accommodate those. Mediation is a tool that can defray costs, but it is still a specific number that must be associated so all pieces can come together.
Dr. Cohn expressed his agreement, and asked of Dr. Hieb whether, if the MPI were used, the requirements would represent "overkill." Dr. Hieb responded that the requirements are needed to ensure that the identifier fulfills its basic function of identifying an individual. In addition, the identifier does so "in the context of the health care information systems that are going to use that number, then, to facilitate their operations." ASTM has focused on the properties of the identifier, and HL7 has examined how to incorporate it into existing systems so they can continue, but with improved functionality and mapped to existing identifiers that already have data associated with them.
A system in which one does not have a correct number is "broken." Similarly, if a system has a correct number but cannot access systems that exist to make use of it, the system is broken. The combination of the two in a functional system adds benefit to health care.
Ms. Rudolph stated that because the WDHFS has other data to tackle validation besides the identifier, having to add an additional 29 characters would be very costly and constitute "overkill."
Mr. Gellman commented that doing the wrong thing, not doing nothing, is the most expensive option.
As part of an ensuing dialogue with Mr. Gellman, Dr. Hieb described the process by which ASTM develops its recommendations. ASTM, a public standards organization, establishes a committee that "owns" that standard. Drafts of wording for the standard are developed and made available for public comment. A rigorous balloting process is undergone in several stages; a strong negative vote from one individual requires the committee to consider the negative statements and address them. The process for the standard under discussion took about three years. Participants included individuals from industry -- vendors who are developing products -- health care users who use the products, academicians (the theorists), and other interested people.
Of the privacy organizations enumerated by Mr. Gellman, Dr. Hieb recognized only the legal counsel for the American Civil Liberties Union as among the participants. In response to a question from Mr. Gellman concerning ASTM's outreach efforts to enlist privacy organizations in the process, Dr. Hieb responded that attempts were made to make the process open to everyone, although it did not specifically solicit participation.
Dr. Hieb described the expenses inherent in participating on the committee: a $20 meeting fee plus travel expenses. Mr. Gellman pointed out that there is a potential financial impediment to participation in ASTM's deliberations. Ms. Frawley noted, however, that it is not necessary to attend the meetings to participate in the balloting.
Dr. Hieb acknowledged that ASTM "could have done better," but he insisted that the resulting standard "represented a wide consensus of opinion from a variety of groups, including people or groups like the ACLU, who had access to this information and looked at it."
Dr. Hieb noted that they do not believe that the identifier per se solves the privacy and confidentiality problem, but that "an inadequate identifier can preclude privacy and confidentiality solutions because it may not be able to handle multiple encrypted forms and therefore cannot support different uses." He described the identifier as an enabling technology that must be linked with privacy legislation and with systems that implement it in a secure manner. As the privacy legislation evolves, work on the identifier can start in a manner that will support the requirements as they become clear.
Mr. Gellman stated that while he does not reject ASTM's proposal out of hand, he views it as "not particularly broadly based. This is not a technical health care issue; this is an issue that affects everybody directly." He stated his view that ASTM's failure actively to recruit people to participate was a mistake. Dr. Hieb agreed that the broader the analysis the better, and even though the standard is published, the group would welcome information and recommendations concerning specific deficiencies in the identifier scheme identified by the privacy groups, because the standard can be amended.
Dr. Hieb explained that multiple encryption has not been incorporated in other identification schemes. No other system includes the encryption scheme in the identifier. Mr. Gellman questioned whether it were possible to keep the keys secure in a multiple encryption scheme, and Dr. Hieb replied that this was possible because the generation of the encrypted key is separate from the use of that key. The only individuals who need know sensitive information are the provider and the trusted authority who generates the encrypted identifier. The technology problems to facilitate this are being addressed.
Mr. Gellman noted, and Dr. Hieb concurred, that whether the problems can be addressed politically is another issue, and that additional legislation would probably be required. Mr. Gellman, in response to a question from Dr. Lumpkin, acknowledged that the legislation must protect the trusted authority from attempts to get information from it, among other possible elements.
Mr. Gellman and Dr. Hieb discussed the issue of export of encryption under U.S. law. Dr. Hieb explained that U.S. bans on export of encryption do not apply in this case, because "the encryption is done internal to the trusted authority." The identifier is just a "gobbledegook linkage mechanism."
In response to a question from Dr. Cohn, Dr. Hieb noted that the identifier standard is explained in detail in the ASTM-CRPI white paper, which includes as an appendix an illustration of the implementation of the standard.
Dr. Hieb responded to questions from Dr. Fitzmaurice, saying that information on the uniform health identifier was published in November 1995, and that no specific comments have been received from the privacy groups enumerated by Mr. Gellman about design deficiencies in the proposed identifier. If ASTM received a letter critical of the standard, Dr. Hieb explained, the letter would be referred to a subcommittee, which would revisit the standard to see if a revision were in order. The committee would ultimately review the comments at its next meeting.
To a question from Dr. Fitzmaurice on a "big directory in the sky," Mr. Gabler responded that the peer structure of the directories arose from this concern and identified two immediate issues: who would pay for it, and what would be the political implications. The peer structure recognizes different motivations and goals and scopes relevant to different organizations. Standards are attempting to define the roles of government and the private sector in making directories work more efficiently. The Government's participation in the standards process facilitates that effort.
Mr. Gabler assured Dr. Fitzmaurice that a format has been devised and plans are to be formulated to avoid stigma and the release of sensitive information in the proposed directory system.
Ms. Rudolph noted that it has been decided in her department to address Year 2000 issues and HIPAA issues separately.
Ms. Kratz spoke on the requirements of health care provider organizations and mechanisms to enable person identifiers. She described the current environment, in which multiple providers generate for a single patient many different identifiers, which are meaningless outside each system or organization, and do not lend themselves to efficient collection or correlation of health records across providers.
A standard mechanism whereby independent providers can identify patients definitively is one of the key technologies needed for secure sharing of health care information. Aside from considerations of the properties of a numerical identifier, it is necessary to have a standard, open interface between systems on different computers to enable secure identification of people, as well as selection of specific trait definitions.
Two related components in this process are communication and data formats. Communication within and between various organizations takes place by means of standard interfaces. The requirements for health care identification interfaces include support for: (1) both assignment of identifiers within a particular identification domain (e.g., physician's office, single departmental applications, within an organization) and correlation of identifiers among multiple identification domains (e.g., across organizational boundaries or a state); (2) searching and matching of people in attended, interactive, and unattended or EDI messaging modes; (3) federation of person identification services in an information system that supports interoperability; (4) protection of person confidentiality under the broadest variety of security policies and mechanisms; (5) enabling plug-and-play interoperability by means of a core set of profile elements, yet still site-specific and implementation-specific extensions and customization; (6) appropriate, meaningful compliance levels for several degrees of sophistication, ranging from small physicians' offices to complex health care organizations.
The CORBAmed PIDS is designed to address these requirements. In addition, the Object Management Group PIDS standard will be submitted to ISO for a fast-track standardization process.
The University of Michigan Health System subscribes to the notion of federating identification domains, correlating identifiers within and across organizations. Ms. Kratz enumerated several examples of the use of this concept. A federated identification domain is the ability to structure identities into hierarchical domains, and federating information systems is becoming prevalent information system architecture. This architecture was recommended at a series of MPI workshops in 1996 and 1997.
Ms. Kratz noted that the health care industry requires plug and play interoperability by means of a core set of profile elements, but also requires site-specific and implementation- specific extensions and customization of these profile elements. Flexible trait definitions will enable security mechanisms, such as digital signatures, as specific requirements arise and the technology matures. Biometric advances offer potential mechanisms for authentication into systems. In addition to potential ways of uniquely identifying an individual, unique person identifier traits should be extensible to incorporate emerging technologies.
Systems must support searching and matching of people in several modes, including both manual and automated correlation of identifiers and records. Problems of correlating identifiers among multiple identifier domains must be addressed.
Direct support for identification of people receiving care in a specific venue must support identification using highly incomplete identifying information. Several degrees of sophistication for compliance levels must be addressed. The PIDS specification defines compliance for federation of correlating identification domains.
The protection of person confidentiality by security policies and mechanisms is the basis of ethical and regulatory guidelines in the health care industry. The interfaces of a PIDS are delineated so that request interceptors can enforce any policy defined in terms of a user's identity, a person identity that is the target of the information request, identification domain(s) involved, and person traits requested.
Integration of identifiers between health care, clinical, and financial information systems, and across organizational boundaries must be addressed. Integration must be achieved without the requirement to couple.
A major concern of health care person identification is security. A standard mechanism with standard interface definitions will enable independent health care enterprises to identify patients securely.
Following a brief introduction that included his affiliations, Dr. Peters spoke on whether "we can do what we think should be allowable without a health care identifier." He summarized allowable uses without need for an identifier as provision of health care, payment of services, public health reporting, peer review, health promotion, disease management, quality assurance, health care oversight, and health care research.
The problem is incompatibility of existing systems, not a lack of a unique patient identifier. The problem that most legacy systems are not accessible 24 hours a day is not solvable with an identifier, but raises the question of how to design systems to be available around the clock.
An identifier is used for concise, consistent identification of an individual, for matching of clinical and administrative data to that individual, for data interchange and interoperability, and for data aggregation.
The essential problem is protecting the confidentiality of the individual. One measure is whether an identification number is published, readily available, or openly disclosed -- specifically on a card. The Social Security number would not be acceptable, according to these criteria, since it is mandated by law to be associated with driver's license information. Other screens are whether information is liable to be intercepted from electronic records, if it would be exposed to other settings for similar or different purposes. Dr. Peters described as an example the ready availability of prescription drug information that de facto discloses diagnoses, noting that this issue is unrelated to an identifying number.
Dr. Peters asserted that, contrary to popular myth, the vast majority of health care transactions do not require explicit identification of the patient or provider. Many transactions can be conducted in an encrypted or encoded environment that conceals the identity of the patient or provider. In provider claims, only at the generation and the adjudication of a claim must a patient's identity be known; the processing of the claim does not require an identity and can be conducted from coded databases.
Dr. Peters expects that to be compliant with HIPAA legislation, "large players" will not adopt new systems to deal with, for example, an X12 837 claim. They will "put a gateway in place that will take an 837 claim, strip the UHID, and substitute the Social Security number. They will strip the clinical fields from the form . . . and generate a HCFA 1500 format or UB-92 format and put it in their traditional systems."
A unique identity is not necessary for data analysis, epidemiology, or research. Demographic information is important, but that can be kept private. A unique identity similarly is not necessary for peer review or quality assurance, in which care and not the patients are the issue.
Identity is important when direct intervention is required, for example, in cases in which the CDC is involved.
An important philosophical question is whether a unique patient identifier is needed -- or a uniform and standard way to "disidentify" an individual. Dr. Peters raised the issue that patient confidentiality, for instance, in dispensing certain drugs whose purpose is evident by the dosage, may impact on physician's practice confidentiality as well. Some have noted that the provider ID must be confidential as well.
Dr. Peters challenged several additional myths. He claimed that the lack of unique patient identifier does not delay the acceptance, utility, or implementation of electronic health records; rather, delay results from software from vendors that is not acceptable to users. Lack of an identifier does not delay completion of the processing of claims; rather, delays result from insufficient understanding of the rules of payment. Lack of an identifier does not hamper eligibility verification; rather, it is lack of a good connection between employers and payers to understand who is eligible for a specific plan at a specific time. Lack of a unique identifier does not cost the U.S. health care system a specific amount of money per year -- any dollar amount is conjecture. Lack of an identifier does not impede adjudication of patient claims, but ironically, difficulties in identification protects their confidentiality, because of the difficulties in linking information.
Dr. Peters concluded that it is more important to discuss the infrastructure of a identification system than its properties. Modern technology can tackle the task very securely and very confidentially. Access can be controlled, and interactions can be simplified. Relative cost should not be an issue, particularly because there is no cheap or simple way to accomplish the task at hand; but also, the private sector would be able to implement change in a far more cost-effective way than, for instance, the SSA has estimated. He would focus the discussion on what we want an identifier for. He asserted that health care data should be intentionally and routinely disidentified to ensure protection of data.
Mr. Landen discussed the position of his organization vis-a-vis using the Social Security number as an individual identifier for the HIPAA administrative standard. The Blue Cross/Blue Shield Association's HIPAA Policy Advisory Group is currently revisiting the association's previous endorsement of the Social Security number. Three options are under consideration: (1) ESSN with a check digit (endorsed in 1997); (2) federal parameters for each health plan to assign a consistent number within that health plan, to include a check digit algorithm that is a national parameter, of maximum length, guidance on whether the number could or could not be alphanumeric, what the positions and where the check digit would be; and (3) no standard identifier whatsoever.
Mr. Landen asserted that few systems now in place could harness the potential of an individual identifier. In the current marketplace, his organization would not be able to cost- justify an infrastructure to assign and maintain an individual identifier nationally.
The association is carefully examining privacy issues and is cautious about proceeding with a recommendation at this time for an individual identifier without an understanding of the privacy rules.
Mr. Gellman pointed to the apparent lack of consensus on the question addressed by this panel, and noted his surprise at the lack of consensus on what the question really is.
In response to a question from Dr. Lumpkin, Dr. Peters explained that to reach HIPAA compliance, clinical data on claims, in addition to the UHID, must be stripped off because most systems cannot store or use it. Because most systems are in the business of adjudicating claims, not in improving the quality of claims databases, it is probably not worth changing those systems that store HCFA 1500 and UB-92 data.
Mr. Landen asserted that the proper question is what the legacy systems can handle, and whatever standard is used must then be converted or mapped into what the legacy system can process. Most Blue Cross and Blue Shield organizations at this point plan to map into their legacy systems. Over time, new systems will be able to harness the new technology, but the current capability is not in the marketplace now. It is not possible to estimate how long it would take to get to the next step.
Dr. Cohn made several points. At some point, legacy systems become obsolete. Many believe that having more information is a competitive advantage. Having a target as one plans to implement new systems is an advantage. Dr. Peters noted that Kaiser has decided financially to begin new system implementation.
At the request of Mr. Gellman, Ms. Kratz described the relationship between ASTM's criteria for a health care identifier and the requirements she cited for identification interfaces. The PIDS defines a series of interfaces. Within the PIDS specification, one of the modules is traits. Traits are a "series of ... data elements that you can string together as profiles; or you could use the unique identifier." It would be a trait that would be defined specifically within the implementation. She agreed with Mr. Gellman that it would be one of a number of elements that contribute to her interfaces. She added that the traits were purposely defined to be very extensible.
The panel members responded to Dr. Braithwaite's question concerning the identity and function of the trusted authority. Dr. Peters noted that some suggestions (notably from WEDI and COWLinks [?]) suggest a nonprofit organization whose sole job is the management of confidential identifiers.
Dr. Peters described the European environment. The European Union has adopted longstanding German legislation on the protection of individual data; no American vendor will be permitted to sell or manage information that is European in origin without being compliant with those laws and regulations. Whoever collects data on an individual is de facto a trusted authority with specified legal responsibilities to manage that data. Marketing of private data will be illegal in Europe as of October 1998. Many U.S. vendors are already compliant with those laws. Instead of exporting encryption (which is not legal), Dr. Peters' firm uses encryption as a "plug-in tool," in that they buy the same keys in Europe that are used in the U.S. The concept of trusted authorities can be implemented in patient data exchange across international borders. The authority can be non-governmental, private -- either for profit or not for profit -- but under specific guidelines or rules.
Mr. Landen noted that although his association's advisory group has not specifically discussed the issue, concerns are that any entity that administers a program must be accountable to the users and must operate in a legal environment that permits it to maintain the confidentiality required of it, so that data files are secure for all purposes for which that data is compiled.
Ms. Kratz's interpretation of a trusted authority would be an identification domain to which every participant in health care would need to federate. The authority would define federation patterns and other policies, including some relating to identifiers.
In response to a question by Dr. Braithwaite, Ms. Kratz stated that there were pros and cons both to permitting the trusted authority to evolve in the private marketplace and to enacting federal legislation in setting up the standards and procedures under which such an authority should be created.
Dr. Peters asserted that there is a role for the Federal Government as well as associations, payers, vendor associations, and standards organizations. The decision should be based on consensus, but a Federal role is evident.
Mr. Landen opined that HIPAA administrative simplification must be a public/private partnership. If the private marketplace cannot do the job, then Governmental assistance should be invoked, whether by regulation or legislation. In response to a question from Mr. Gellman on subpoena powers and a trusted authority, Mr. Landen raised Freedom of Information Act considerations should the authority be governmental.
Drs. Fitzmaurice and Dr. Peters engaged in a short dialogue on several issues. In terms of fraud and abuse, where true identity is not required for verification of a claim, Dr. Peters suggested that most judgments can be made on the basis of a number, not a name (which may be obtained from a look-up file by those who in fact need to know). To coordinate benefits across insurance companies, although it is not yet clear what the shape of the new claims process will be, Dr. Peters asked, "Is it not better to have a disidentifier with a way to unlock that only on a need-to-know basis, rather than to have an identifier that is identified specifically with an individual that is used for the same purposes?"
In response to Dr. Fitzmaurice's question, Ms. Kratz stated that ID domains can have their own unique way of identifying patients, but they must be able to federate across those ID domains, and they must have enough traits defined in common.
Mr. Gellman stated that he had been opposed to holding hearings before the Notice of Intent was published, and that the white paper has not addressed adequately all the questions that have been raised. He advised DHHS to broaden the scope of the white paper before it becomes official.
Andy Anderson of Hewitt Associates, the largest benefits consulting firm in the country, suggested that the employer's perspective is missing from the discussion and that testimony be solicited for future hearings that provides input from that segment of the market. Another missing perspective, from the employer's point of view, is that employees represent many different data elements. Today most employees are identified by Social Security numbers, but with implementation of any other health care identifier, the data sets will essentially double for identifying these individuals. Mr. Anderson urged the Subcommittee to be certain they obtain information on what it would require for employers to take on the "gargantuan effort" of doubling the identifiers they need to keep track of their employee population.
Dr. Lumpkin concurred and raised the issue of whether employers would have a right to that health identifier. He suggested a panel of employers and a panel of labor representatives might be appropriate to testify at an upcoming hearing.
Kristi Yeager of EDS Health Care Government Programs stated that, in the Department of Defense's Tricare Management System, just a number is not sufficient to identify a person definitively; other information, such as relationship to the person for eligibility purposes, is necessary.
Twila Brase of Citizens for Choice in Health Care noted a 1976 Minnesota law that citizens could choose, if they were not in a residential health care facility, whether or not to have any of their information accessed. Both linking and consent are very important.
Chuck Meyer of HBO and Company stated that a unique identifier would not supplant what systems currently do to identify their customers. His company will treat a unique identifier as an "associate identifier, another element in the database, something we need to know in case we come to the point where ultimately these are linked." They will continue to use the patient ID for billing, the medical record number for consolidation of information, and the enterprise identifier.
Dr. Lumpkin reconvened the hearings on the unique health identifier for individuals on July 21, 1998, and participants introduced themselves.
Ms. Brase introduced CCHC, a health care policy organization, and set forth some background on privacy. After quoting Justice William O. Douglas in 1966 on the bleak future of privacy, reviewing the HIPAA definition of health care information, and noting Secretary Shalala's recommendation that government officials have access to citizen medical records for four national priorities, Ms. Brase stated that CCHC cannot support the implementation of standardized, government-issued unique patient identifiers for individuals. She asserted that HIPAA's enumeration and surveillance system will "clearly be detrimental to the liberty, privacy, and security of every United States citizen."
Irreversible harm can come from disclosing health care data on individuals, Ms. Brase noted, and "no punitive sentence from a court can restore loss of confidentiality." However beneficent the U.S. Government may be considered, oppressive governments in the course of history have "used access to medical information to commit egregious crimes against their own people."
Ms. Brase asserted that it is not within the purview of the Government to have access to or begin the process toward comprehensive medical information on citizens. This process may prompt patients to withhold complete information from their providers, which may cause delayed or incorrect diagnoses and therefore increased costs; or it even may prompt patients to leave the traditional health care system and engage the services of providers willing to violate Government tracking-system requirements.
One of the worst imaginable outcomes of the proposed system, Ms. Brase postulated, would be the creation of a black market for medicine in America. Already, she noted, there are a growing number of persons who forego vaccinations, home school their children, or have home births in order to escape the "probing questions of HMOs and pressure exerted by doctors, schools, and office staffs to submit their children to vaccinations . . . or to complete intrusive surveys for . . . patient profiles."
CCHC recommends the following: (1) No Government-issued unique patient identifiers should be required for all citizens or government repositories of medical data on all citizens, either indirectly or through data linkages; (2) each provider or clinic may choose a separate, unique patient identifier, as is current practice; (3) to protect anonymous access to care, no unique patient identifier or Social Security number should be required in order to obtain health care services from any provider; (4) Government access to patient identifiers or individually identifiable patient information for law enforcement purposes must include the protections of due process as afforded in the Constitution, such as a valid court order for access or a search warrant; (5) use of electronic identifiers and electronic transactions must not be required for access to medical services; (6) there must be use of strong encryption for any patient identifiers used in electronic transactions (some have suggested a 128-bit encryption); and (7) no insurance company should require submission of a Social Security number for purchase of or enrollment into a health insurance policy, but should offer an alternative enrollee identification number. This separate identifier should not resemble the Social Security number and should not contain embedded intelligence on the enrollee.
The following items should not be permitted without informed, voluntary, written patient consent that details all intended uses and recipients of the data to be shared, and contains a written agreement that the data will be used for nothing else and shared with no one else: (1) creation of a unique patient identifier that cuts across every medical or health care encounter, (2) requirement to have an electronic, unique patient identifier, as in a smart card or biochip, (3) sale, distribution, or release of identifiers or individually identifiable information by anyone who holds health care data, (4) Government access to unique patient identifiers or individually identifiable information for research, oversight, or widespread surveillance, (5) entry of unique patient identifiers or individually identifiable information onto any registry or database, (6) medical research using unique patient identifiers or individually identifiable information, including continuous quality improvement activities by HMOs, also called risk assessment, patient categorizing, or patient profiling, and (7) behind-the-scenes tracking of citizens through a government MPI system.
Ms. Brase concluded that the patient and provider should control or limit access to information, and that decentralization is the essence of maintaining privacy.
In response to a request from Ms. Fyffe, Ms. Brase described the proposed surveillance system as a system that allows any kind of accumulation of information on individually identifiable persons. As an example, Minnesota's Commissioner of Health said that there were more than 90 conditions on which they were collecting information on citizens, most without their consent.
Ms. Brase responded to Dr. McDonald's question, saying that CCHC does not oppose public health surveillance for fatal illnesses. However, she asserted that invoking public health and safety could be a mechanism for promoting invasion of records by officials -- without consent. Consent is the important issue.
In a dialogue with Mr. Gellman, Ms. Brase asserted that beneficial research has been done with voluntary participation in studies. Statistical sampling, not comprehensive populations, gives results that are beneficial. Some people feel that their information is not sensitive and have no problems sharing it. CCHC has not looked into subpoena power over research data. Confidentiality would be assured without mandated use of a card and an identifier or identification number.
In response to a question from Ms. Fyffe, Ms. Brase described the situation in Minnesota wherein managed care organizations and government agencies are moving closer together.
In a dialogue with Dr. Lumpkin, Ms. Brase stated that CCHC does not support opt- outs because it puts the burden on the citizen; it is better to opt in. CCHC would not support a Government trusted authority. Patients should have the option to choose whether or not to have a computerized record. If a provider office were to purchase a new computerized record system, CCHC would support the option of continuing to have a paper record. Most people would find an electronic medical record acceptable, however, if nothing sensitive were placed in it.
Following a question by Dr. McDonald, Dr. Lumpkin described scenarios whereby computer records are generated from dictation. Ms. Brase stated that CCHC had not considered the dictation issue, but that electronic access to the thoughts of the physician, whether or not they are true, can be hazardous to the privacy of a patient, because of its ease of transfer. Dr. Lumpkin invited Ms. Brase to send a communication about the outstanding issues.
In response to a question from Mr. Streimer, Ms. Brase posed the possibility that with an opt-in system, half the population might not opt in.
Dr. Braithwaite raised the issue of accumulation of demographic information on a patient and bundling that information into an identification number with built-in cross-checks. Ms. Brase stated that from professional experience as an emergency room nurse, she knows that one cannot trust a number to identify a patient, and one cannot eliminate the possibility of error with a unique patient identifier.
CCHC is seeking a "more decentralized, rather than a centralized, system, where the information is more at a local level, because privacy will not be protected by having a single, centralized number accessible to all sorts of people, even though it is encrypted." Ms. Brase reiterated that technology or linkage is not the issue; consent is.
As part of a dialogue, Ms. Brase responded to Dr. McDonald about whether she would oppose electronic data or the number system, or the number system to get to the data: Both, was her answer. The creation of a number mandates a tagging of an individual regardless of whether it was going to get the data. Ms. Brase stated that CCHC has not considered repealing the Social Security number now that it has become an identifier.
Ms. Brase stated she would support the Med-Alert system (bracelets) because of its inherent consent. If the Government were to run the Med-Alert system, and the public were aware of that and consented to participate, that would be acceptable.
Mr. Appavu described his affiliations and his work, including a 1995 report which examined industry requirements and analyzed available options for use of a unique patient identifier.
As part of the report, the basic functions of a unique identifier were examined: (1) identification of an individual for the purpose of delivery of care and for the purpose of administrative function (reimbursement, registration, etc.); (2) identification of information (coordination of multidisciplinary care process, medical record keeping, information management [including supporting privacy, confidentiality, and security functions]); (3) improved efficiency in the health status of the population.
Mr. Appavu distinguished between identity (a set of personal characteristics), identifier (a label), and identification (the process of associating the identity with the identifier). Protection should secure the identity and the identification process. He described the possible characteristics of an identifier, and defined and described a number of terms, including longitudinal data segment and health services segment.
In terms of security protections, the identifier should perform only the identification function; it should not provide access to it. That should be the function of a separate function, access control, which should check the authentication, the authorization, keep an audit trail, and maintain accountability. The identifier should be content free and capable of encryption and of masking itself. Organizational measures must be imposed to assure security of the identification process, including secure systems and secure technology. Federal legislation should stipulate penalties, make it illegal to misuse information, and mandate security measures (as noted above).
A technology infrastructure is necessary to link the identifier to the identity and to provide access to patient information. Such tools as validation, searching, matching, and verification, make up this component. Technology is necessary to encrypt and decrypt identifiers and patient information. Administrative infrastructure is necessary to assure the integrity of the issue and maintenance of the unique patient identifier.
Mr. Appavu noted that he was responsible for converting Cook County Hospital from manual operation into a computerized operation in 1988, to link islands of information. Today's health care environment is characterized by non-unique, institution-specific identifiers; the idea is to link them together, and the technology is available.
The components described work together as a patient identification system. The system must be considered in its context for it to make sense, for example, in terms of securing patient data.
Identification information is something that changes, and updates are necessary; this function is part of the existing infrastructure.
Mr. Appavu used the 30 ASTM conceptual characteristics to analyze the identifier concept on four levels: operational, component, conceptual, and functional. Fourteen options emerged, including six that were a unique patient identifier. The documented results are accessible on the NCVHS webpage.
In a summary of his findings, Mr. Appavu asserted that the patient identifier is an integral part of patient care and patient care information. Privacy, confidentiality, and security not only do not preclude the use of a unique patient identifier, identifiers protect them. By using an identifier to order a lab test, for instance, the name is not necessary and is thus masked.
When the access process is standardized using the identifier, the security of the information is strengthened. Security depends on judicious design of the identifier. The function of the identifier should be only to identify and not to provide access.
The check digit, encryption, and longevity capabilities can be added to any of the 14 options. Encryption can be added to any one of the unique patient identifier options; check digit can be added to any numeric numbering scheme.
The conclusion was to come up with an identifier. The best identifier is one that is simple to use by both humans and computers. The available course of action is either to accept an existing option or to adopt a new option. Mr. Appavu recommended building on existing infrastructure: the health information management professional or health care information system, the providers, users of the identifiers, standards and policies and procedures that are already in place. Then add federal legislation and the component the Federal Government will bring in. Cost will be distributed over existing process and infrastructure. Enhancement and updates to the existing system are long overdue.
Mr. Evans's organization, a federal contractor in the FEHBP program, already uses an identifier that is unique to individuals, but has some flaws. The ideal identifier is the Social Security number, which is already deployed in the private sector. If another identifier were to be implemented, all it would take is an upgrade to the existing system to store it. Cross- referencing to current keys presents no problem. The system would have to have the security measures that are mandated.
Mr. Evans responded to the prepared questions for submitters. Personal immutable properties, demographics, and name are used currently as a secondary check to Social Security number. If it is keyed incorrectly, the error can be caught by the secondary check. A check digit would be desirable. The costs will be borne by all, either as taxpayers or consumers, so the most cost-efficient system that still protects patient confidentiality is desirable.
He discussed CHID as a concern. A hybrid proposal, given good marks by Mr. Evans if one is to rely on the identifier to protect the confidentiality of the patient, is the ASTM UHID, using the SSA to administer it. The identifier itself will not offer sufficient protection.
Biometrics -- retinal scans, fingerprints -- are not available at point of service, nor is it useful to the payer side. Numbering schemes such as MPI, PIDS, HL7, and/or ASTM's UHID under those guidelines, administered by the SSA might be an acceptable way to separate the identifier from the data. Payers do not need the key to all medical data; they have no use for the information. Secure channels should be created to deal with suspected fraud, but only where consent is given.
Mr. Evans enumerated five criteria that should be given the most weight in evaluating candidate identifiers: (1) controllable, whereby only trusted authorities have access to linkages between encrypted and nonencrypted identifiers, if Social Security numbers are not to be used; (2) disidentifiable, reflecting unlinking of identity with identifier, which the payer community is not likely to endorse; (3) governed linkable, having an entity responsible for overseeing the system, determining policies, managing trusted authorities, ensuring proper and effective support for health care, and appropriate legal remedies for those who do not do the above or who misuse the number (Mr. Evans's organization looks forward to confidentiality and security standards.); (4) linkable, can link health records together in both automated and manual systems (a 29-digit character string invites multiple typographical errors); (5) secure, can encrypt and decrypt securely (legal mandates would be welcome).
Mr. Evans reiterated his contention that the payer environment already has the data needed on electronic claims to identify the patient, and often to auto-adjudicate the claim, which is the goal of electronic claims. A unique number is not necessary, unless mandated, to be in the transaction.
Concerning uses that should be approved for the health identifier for individuals, if it is kept within the health care system and out of the hands of the payers and the public domain, that would be the most secure option.
Desirable computer and communications infrastructure would include the ability to provide nationwide access 24 hours a day. Today's environment involves implementing electronic transaction standards without a standard identifier for individuals.
Calling Mr. Appavu's report "seriously flawed," Mr. Gellman requested comment from Mr. Appavu on certain aspects of his report with which Mr. Gellman took issue. Mr. Gellman claimed that privacy "is not the ability to share information, privacy is the ability to keep information secret." Mr. Appavu responded that for health care purposes, you must share your health care information with a provider in order to receive service, and you want to be able to share that information without fear of its being misused.
Mr. Gellman pointed out that fair information practices, the most important concept in privacy, are not mentioned in the report. Mr. Appavu responded that he focused on health care processes, not the Fair Information Practice Act.
Mr. Gellman questioned Mr. Appavu's approbation of the Social Security number in terms of its qualities as de facto linkage and its broad distribution and widespread use, saying that those are reasons not to adopt that identifier. Mr. Appavu explained that those qualities make the Social Security number easy to implement and adaptable to linkages.
Mr. Gellman took issue with Mr. Appavu's statement that the "critical need of the industry such as the unique patient identifier cannot be sacrificed due to the failure to adequately address the necessary privacy safeguards and subject the patient care to unnecessary risks." Mr. Appavu countered that the statement "does not mean that [privacy and confidentiality protection] are unimportant; it just means that, in spite of that, you want to provide care to patients."
Mr. Gellman concluded by saying that he felt the report shows a bias that privacy is not important.
Mr. Evans proposed a facetious question concerning usage of the Social Security number: "If the Federal Government did not mandate the sun to come up tomorrow, would it?" The Social Security number is already an identifier, in place particularly in the payer community.
Mr. Gellman asserted that its use is common well beyond the payer community, and is even mandated for use by law in other areas, but that it is not necessarily a good thing. He described recent history in the recent controversy surrounding confidentiality and the Social Security number, and the perceptions of the public.
Mr. Appavu concluded that he had not recommended any identifier, that he had made observations of the facts relating to each option, including Social Security number. He asserted that it was not his mandate to endorse any option.
In response to a question by Dr. McDonald, Mr. Gellman noted the difficulty in comparing the U.S. with other countries, because most others have centralized health service. Canada uses a Social Insurance number, which originally was to be used just for health care, but is now being used for many other purposes. Mr. Gellman asserted that it would be useful to collect information on other countries. Mr. Appavu stated that the scope of his report did not include other countries. Dr. McDonald noted that Canada, England, Germany, and most of the Scandinavian countries use a unique patient identifier, and that it would be worthwhile to understand what problems they have encountered.
Dr. Cohn pointed out that the European Union nations all have comprehensive privacy legislation, which is nonexistent in the United States. Mr. Appavu described the experience of the VA concerning its forthcoming identification card, which will include Social Security number, photograph, Social Security name bar coded, put on magnetic strip. In Florida the VA is piloting a sample UHID, called an internal control number, and has used inside computer systems to keep track of the database.
In a dialogue with Dr. Fitzmaurice, Mr. Evans stated that throughout the industry, HIPAA changes would compete with fixing the Year 2000 problem. If a Social Security number enhanced with a check digit were to be implemented, for those systems that would use it as a key, change would be very costly because the system would need to be redesigned. A less secure fix would be to use tables that would cross-reference the number to the key used in the legacy system; this process will probably be used widely. Systems for which the old key was the Social Security number would have to be upgraded to accommodate the ESSN, and the services of a software vendor may be required. Mr. Evans added that a longer health identifier might take longer to process after it is decrypted and/or uncompressed. The electronic claim, the 837, has mandatory elements that include patient demographic data. The 275 could be attached to that without necessarily containing the patient key. A translator would handle the re-identification after processing following the de-identification. Dr. McDonald added that the billing number is the only information the attachment transmission would need.
Mr. Miller explained that his organization, which serves more than 13 million Americans with a broad array of health care products and services in all states and most major cities, is participating with the Workgroup for Electronic Data Exchange and is actively involved in the accredited standards committees. He expressed support for a standard identifier in the context of administrative simplification of the health care industry, noting first-hand experience in the need for national standards in the wake of his organization's combination with several other health plans over time.
Mr. Miller asserted that the identification number is extremely important to the accurate and timely completion of the request for payment; his company has a "high degree of success" utilizing the identification number it assigns the member. Alternate information is used if the ID number is submitted incorrectly.
When the UHID identifier for individuals is established, the company must update all records with the new number and cross-reference it to the prior member ID number, in order to locate historical records, calculate benefits properly, and screen for potential duplicate payments.
Mr. Miller summarized the key cost-benefit implications of a UHID: (1) Positive identification for the insured member: The current system works well; a new ID number will not contribute significantly to this function. (2) Issuance of new ID cards: When the company is required to issue new ID cards to all members, operating costs will increase. (3) Members' familiarity with the ID number. An identifier other than a Social Security number, which, according to the 1993 WEDI report, is the current de facto identifier, would not have a positive impact on the claims process. (4) Upgrading software, programs, and databases: Any change to the length of the current identifier will generate an expense (unknown at this time) to modify multiple software programs of various claim system platforms. An identifier based on the Social Security number would generate the lowest cost for modification. If a unique identifier were longer than 11 characters, significant changes would be necessary to both software programs and database systems. (5) Electronic data interchange with providers and other payers: EDI with providers is growing steadily, and a unique identifier is expected to increase the volume because of the "confidence the partners would have in utilizing a standard identifier and the result of reducing the number of rejected transactions." Currently, the requirements for member identification for electronic and paper-based claims are the same. Efficiency is diminished in locating member records on paper, due to lack of completeness and accuracy, and the need to transfer information to an electronic record. For paper-based submissions, more records must be reviewed manually. A standard identifier with a check digit would improve the process by 10 percent if the submitter were required by a computer system to verify the check digit prior to submission. (6) Responding to customer service calls: Customer calls would increase during the transition, as would provider calls to verify member eligibility.
Mr. Miller acknowledged difficulty in estimating the total cost impact of a UHID, but he put the figure at as much as $10 million. This presumes that the Social Security number is used as the basis, and the new identifier is not required until after the company issues the member a new ID card and has updated the member's record. In a worst-case scenario, the potential cost "could exceed five times the minimum effort," and assumes the identifier is expanded to more than 11 positions, required complete reengineering, and mandatory issuance of the member card. The cost could exceed the benefit unless the transition is based on the Social Security number. With either number being viable during the transition period, the problem of locating member records would be mitigated, and providers could adapt to the new number on a patient-by-patient basis.
In a review of HCFA's white paper, it was determined that all the negative aspects identified can be resolved. The Social Security number would be the lowest-cost option.
Mr. Seweryn discussed the potential benefits and costs of a UHID from a public health perspective. CCDPH sees a UHID as a means to improve the efficiency of disease surveillance systems by reducing time spent in managing duplicate reporting and investigations on the part of both public- and private-sector employees. Improvements in timeliness would enable earlier identification of disease outbreaks and implementation of investigative and control activities. A UHID would permit improved surveillance for noninfectious disease morbidity and other adverse health conditions.
CCDPH sees a role for UHID in monitoring patterns of provider usage that may indicate abuse or neglect of children and the elderly. A UHID could also help by eliminating the need for multiple reporting requirements to single-purpose registries. Cost-savings would be a result from eliminating the need for special-purpose monitoring and tracking systems.
A UHID would help public health agencies in eliminating duplicates in their community-wide assessment and planning activities, providing continuity of care between the public and private sectors regarding medical services, tracking immunization coverage, and tracking medical care for wards of the state.
CCDPH believes that patient confidentiality should not be a cost for information access. Legislation to assure confidentiality must precede use of a unique identifier. In addition, any UHID system implemented must recognize that "local agencies have limited resources to retool existing data systems." CCDPH believes that MPI-based systems have "merit in both assuring confidentiality while reserving resources invested in legacy systems," and that any UHID system must not be an impediment to access to health care services.
In response to a question by Ms. Fyffe, Mr. Miller stated that patients treated by his company who did not have a Social Security number would be assigned an employee identification number by his or her employer.
Dr. Cohn and Mr. Miller engaged in a brief dialogue. Mr. Miller noted that the Social Security number is the organization's identifier for 85 percent of its business and explained that the 10 percent figure he presented in his testimony related to the 10 percent of cases that need some adjudication to identify the individual because of a lack of identifier. Ultimately the organization is able to locate 98.5 percent of its members. Mr. Miller was aware of no concern on the part of the company's members about use of their Social Security numbers.
Dr. Cohn next engaged Mr. Seweryn in dialogue. The CCDPH system generates a unique patient record number; the Social Security number is collected when available. No difficulty is currently experienced in linking data about patients. The identifier is a Global number in most cases, but patients may also have a Cornerstone number. Dr. Cohn clarified that CCDPH uses a clinic tracking system made by Global, and a state-developed system called Cornerstone develops the unique statewide ID. Mr. Seweryn explained the circumstances behind the difficulties in linkage with outside information; when they access CCDPH facilities, patients do not bring with them, for instance, immunization records from private providers.
Ms. Frawley asked a series of questions of the panelists about the Social Security number. Mr. Miller noted that the member enrollment form clearly states that the Social Security number is requested for identification, but does not explain what the number will be used for in terms of claims processing. The system could accommodate a member who objected to the use of the Social Security number by assigning a number of up to 11 digits. Upon enrollment, the member receives an ID card that clearly states the enrollment number. Mr. Seweryn stated that CCDPH is required to give patients informed consent regarding collection of data concerning them, except if the individuals are wards of the state. For the Global system, patients can refuse to give any information they wish to withhold.
Mr. Miller responded to a question from Ms. Fyffe that, under HIPAA, his company does not anticipate having to enumerate dependents; a two-digit suffix on the identifier would point to the dependent.
In answer to Ms. Fyffe's questions alluding to the political incorrectness of the term, Mr. Seweryn explained the concept of "surveillance," age-old jargon in the public health field for monitoring the trends of disease. Surveillance systems are established by a series of state laws for certain sexually transmitted diseases and cancer, for example.
Mr. Seweryn responded to Dr. McDonald's queries concerning the benefit of an identifier vis-a-vis immunization reporting and disease tracking. The identifier would permit the patient's immunization history to be on hand in the clinics so that children are not immunized unnecessarily due to lack of adequate documentation. In terms of disease tracking, an identifier would help to minimize duplication and to consolidate reporting.
In response to Mr. Gellman's question on institutional privacy policy, Mr. Seweryn stated that confidentiality rules are part of CCDPH's record maintenance function, and that CCDPH abides by state confidentiality laws regarding communicable diseases. Dr. Lumpkin added that the state requires a memorandum of understanding with the local health department to assure state authorities that they meet the state privacy test for procedures. Employees and members of Mr. Miller's organization are informed of the existing policy in the benefits handbook. The chief information officer of the company is the dedicated privacy officer. Mr. Seweryn will determine whether CCDPH has a dedicated privacy officer and report back to the Subcommittee.
If a mandated patient identifier card were to become a national ID card used for all purposes, Mr. Gellman asked of the panelists, "would that change your opinion about whether we should go down that road?" Both panelists stated it would not.
Dr. Lumpkin next questioned the panelists. Mr. Miller explained that his company uses various ID alternatives to the Social Security number. If one identifier is similar to another, a manual selection is made on the basis of other member information. The MPI is used for medical record purposes. Dependents are first distinguished by name, and then by date of birth, and then relationship to the member. The history of the patient is separate from the member's claim history. If a member would opt out of a national system, a user-supplied number could be accommodated if it met the system requirements within the 11-digit limit.
Mr. Seweryn described a situation in which duplicate counts would appear: A hospital provides information and information is also available through client patient systems. In the absence of identifiers, it is impossible to know if patient records are duplicates. The downside of having duplicates is potential misrepresentation of the level of health events in a population or the frequency with which services are provided. In response to Dr. McDonald's question, Mr. Seweryn noted that harmful effects could occur regarding calculating the frequency of an adverse health event if identifiers are not present, particularly in cases that cross jurisdictional lines and different health regions. Mr. Seweryn responded to Dr. Lumpkin that after determining that an unduplicated count has been achieved, only the demographic data is useful, and the identifier need not be maintained. Because names are often used as a "reliable" identifier, a clerk at the point of medical service need not know the unique identifier for the patient.
Dr. McDonald initiated a discussion of identifiers vis-a-vis members and their dependents, and the difficulty in accommodating change in marital or employment status. Mr. Miller stated that his company is able to continue to identify the member, but that a change in identifier system would require adding an additional piece of data. In that system, the insured's ID number is the primary key index to the file, and that would be retained separately in the MPI. Dependents who grow up and subscribe on their own would be assigned a new number, but the previous records would be cross-referenced.
Ms. Hillbrant spoke to the Subcommittee from the perspective of a pharmacy benefit manager (PBM). She described her affiliations, including her position as co-chair for the NCPDP workgroup responsible for reviewing the option for unique health identifiers for individuals, and the nature of the industry, which maintains online connections with more than 54,000 pharmacies with a total number of electronic prescription claims, including Medicaid, surpassing one billion in 1997. Ms. Hillbrant responded to the Subcommittee's prepared questions.
The most important reason for adopting a unique identifier is that standardization will improve the ability of health care providers and others to share information and enhance patient care. Standardization has already benefitted the pharmacy services industry in terms of ease of communication, and a unique identifier can easily be linked into the system. The industry believes that the adoption of a unique identifier is necessary for the advancement of health care in this country.
NCPDP membership has considered identifier options and has decided to support the CPRI proposal. The membership, including the PBM industry, eliminated any system that does not produce a unique identifier for individuals.
The most commonly used identifier in the private-pay portion of the pharmacy industry is a variant of the Social Security number; additional numbers are usually added to identify the applicable group or other members of the family.
Without a unique identifier, the cost of the administrative and technological investment to translate and match information will continue to mount.
Industry participants should be required to safeguard confidential information with associated penalties for violations. Legislation or regulatory action must be considered carefully. The health care system cannot afford to hinder the quality-enhancing, cost-effective administration of the pharmacy benefit.
The following criteria are important in the use of a unique identifier: (1) Concise numbering system: Storage costs increase with length of the number. (2) Permanent: A numbering system that is subject to change will require the industry to develop linkages at a cost, and valuable clinical services will be lost. (3) Compatible with current standards: Significant cost would be incurred to support a change in the electronic standard. The current identifier field allows for 18 alphanumeric bytes. (4) Timely: Delayed assignment or distribution of an individual identifier would jeopardize an individual's access to the prescription drug benefit and could have a disastrous effect on every link in the industry. (5) Unique to the individual. (6) Universal: Developing a standard that cannot accommodate every individual may result in conversion of the identifier, at a cost. Advantages of the Social Security number are that it is the most widely used, it is compatible with current electronic pharmacy standard, it is concise, and its uniqueness could be addressed in a reverification process.
In addressing approved uses, Ms. Hillbrant noted that use of the identifier requires a balance in privacy and health care needs. The health care industry must provide services such as (but not limited to) disease management, treatment, epidemiological research, quality assurance, and general health care operations.
In terms of infrastructure, policy, and procedures, assignment of an identifier must take a short time and should occur prior to accessing the health care system (ideally no later than birth). Adequate verification should occur prior to assignment of the identifier.
To ensure smooth implementation and transition, the identifier must be readily available throughout the chain of the health care system before mandating use. An individual must be able to supply each family member's identifier to the employer, who transmits the information to the health plan administrator or PBM. When an individual enters a pharmacy, he/she presents the prescription with the ID card containing the unique identifier. The PBM matches the ID number on the pharmacy claim with the eligibility file and approves the claim. Such a match will produce an immediate response to the pharmacy, facilitating the prompt delivery of service.
Important identifier characteristics are as follows: (1) Concise length: The more concise, the better. (2) Check digits: A check digit can significantly decrease the incidence of inaccurate recording of the individual identifier and thereby lower administrative costs. The algorithm should be readily available to all sectors of the health care industry, including pharmacies. (3) Temporary identifiers: Every effort should be made to limit the need for temporary identifiers. (4) Encryption: Encryption would minimize privacy concerns associated with use of the Social Security number but would increase the cost.
If current capabilities and systems are used, cost of the unique identifier would be low. Proper funding is necessary to assure quality and security. Any changes to the current system will incur costs. Items impacting on cost include length of the identifier, magnitude of change from current business practices, and time line for implementation.
Ms. Hillbrant stated in conclusion that the PBM industry supports the adoption of the unique identifier for individuals. Within the industry, the Social Security number is the most widely used identifier. Privacy and confidentiality concerns are important, but must be balanced with the health care industry's need to perform vital clinical and administrative health care services.
Mr. Quinn explained his experience with implementation of identification schemes for large provider organizations and responded to the Subcommittee's prepared questions.
From the perspective of his organization and the providers it serves, the unique individual identifier would eliminate the need over time for new, complex, MPI systems that have an approximate or statistically uncertain chance at matching the various historical identifiers that an organization may have inherited through acquisitions and mergers. "A working system of unique individual identifiers would vastly . . . improve this process."
Each of the identifiers in use today has its problems. Among the most common used by health care providers today are internally generated numbers and Social Security numbers. Causes of these problems relate to a "central source of truth" that can be relied upon in the patient identification process.
The next best thing to a unique identifier would be a limited number of managed identifiers with a trusted and available database. An internally generated and managed identifier, as exists today, is the most workable, but cross-company sharing of information would be impaired.
A unique identifier might make it easier for private information to be released.
The Federal Government should be involved if a unique identifier is to be used. A single source of truth connects the identifier to a person. If a private concern were to tackle this task, the Federal Government would be the largest single payer and user of the unique identifier. If the Federal Government does not give authority to implement the unique identifier, some entity in the private sector must do so.
The most important reasons to use unique identifiers are: (1) to identify an individual correctly, and (2) to put more patient clinical information on computer, thereby making more information available on shorter notice to caregivers.
Mr. Quinn acknowledged that he supports a unique identifier. He favors any such scheme that meets the need for the health care industry. From the HL7 perspective, it is necessary to identify a patient when sending information. The preferred format is a Social Security number. Although imperfect, it already is distributed to all Americans and could be implemented in least time. Its defects are that it does not cover aliens, has a "not insignificant error rate," is limited in size, and does not have a check digit scheme. While this is the quickest solution, the best solution would be to create a new identifier that meets all criteria needs.
Options that do not involve a unique identifier could include improved MPI systems, but there would be no benefit to interorganizational electronic transfers among providers, payers, and the Federal and State Governments. Important criteria from an HL7 perspective would be unique, deployable, governed, identifiable, and mergeable, plus accessible.
The primary advantage of the Social Security number is its existence and wide distribution. Otherwise, it is at a significant disadvantage when compared to other proposed schemes. Reverification of the Social Security number would make identifier options based on it more acceptable.
From the HL7 perspective, current information technology places no practical limit on the length of an identifier. The more important issue is the minimum allowable length, assuming that shorter is better.
Dr. Cooper explained that CPRI is a not-for-profit membership organization committed to advancing improvements in health care quality, cost, and access through use of information technology. He stated that the Institute of Medicine and CPRI "have identified the unique health identifier for individuals as one of the essential elements required for effective and efficient use of computer-based patient record systems." He noted that the concepts, value, necessity, and challenges in its adoption are well described in the DHHS white paper, which also describes CPRI's 1993 position paper and its 1996 action plan for use of an ESSN as a UHID.
Dr. Cooper presented CPRI's position on the UHID. The urgency of the issue relates to increasing numbers of providers involved in an individual's care whose treatment is documented in separate records, rising costs associated with merging patient records as the health care industry integrates delivery systems, and the increasing frequency of need to exchange an individual's health care information with different providers or provider organizations.
The need for a UHID is generally agreed upon, and various options debated, but no consensus has been reached on a strategy. CPRI, WEDI, the National Association of Health Data Organizations, and the American Medical Informatics Association have supported the Social Security number for this purpose. Several states have mandated use of the Social Security number for state data reporting. Many alternatives have been suggested. Some organizations support creation of a new numbering system, and many algorithms have been proposed.
ASTM's guide for the properties of each UHID outlines many of the limitations to the Social Security number: They are not issued at birth, not all Americans are eligible to receive one, some individuals have more than one number, one number has been issued to more than one individual, and there is no check digit. These issues would need to be addressed.
Although biometrics is a viable technology for use as an identifier, its cost, reliability, and especially availability are issues. It is estimated, for example, that 80 percent of instances where access to patient-specific information is required do not involve the patient's physical presence.
Proponents of a new number assert that it would be linked only to health records and associated databases. With appropriate security procedures and legislation imposing penalties for breach of confidentiality, the Social Security number can be as secure as any other identifier. Because of its current availability, it can be implemented at lower cost than a new system. Most providers currently record the Social Security number of their patients, thereby reducing implementation costs to providers.
In response to public concerns, in 1994 a CPRI task force reevaluated the Social Security number and its role. Its conclusion was that with modifications to the Social Security number and important changes to issuance procedures, the UHID based on the Social Security number is the most feasible option.
Dr. Cooper offered the following recommendations:
(1) Confidentiality and security: These are primarily policy issues, a portion of which can be accomplished by technology. In addition, establishing guidelines and legislating maintenance of strict confidentiality in patient records is "crucial" to implementing the computer-based record. A primary concern about use of the Social Security number is the potential to link it to other non-health care data, but preventing unlawful linkage lies in privacy protection law, antidiscrimination law, and the use of system security features. Encryption, secure networks, and other technologies provide means of security for the data itself.
(2) Trusted authority: The choice is to create a new organization or incorporate the function into the charter of an existing organization. Such an organization will require public trust. The cost and time of establishing a new organization would exceed the cost of using an existing organization. A logical choice for an existing entity is the SSA, with its more than 1,300 offices nationwide and its new ability to issue Social Security numbers in real time. If the SSA is the chosen option, significant changes must be implemented in number issuance. Increased funding would be necessary, as would specific tasking to eliminate existing duplication, multiple assignments, and other errors. A lack of capacity may be faced if the Social Security number is limited to numbers only; the limitation could be handled by converting digits to alpha characters, as is proposed for the universal provider identifier. If the Social Security number is adopted for health identification purposes, a mechanism must be fashioned whereby identifiers can be assigned to those lacking a Social Security number, and an authentication algorithm must be used to establish the identity and authority of an organization requesting a number.
(3) Uniqueness: A check digit, which does not need to be stored, should be used to verify the accuracy of the data entry process.
(4) Cost/benefit: The availability of the Social Security number makes it the most cost- effective solution. Many health care organizations, including the VA and HCFA, already use it in their identifiers or at least collect it as part of patient demographics. Improving issuance would impact on fraud and abuse in the entire system of entitlement, which relies on the Social Security number for identification purposes.
(5) Education: The 1993 health care information privacy survey conducted for Equifax by Lewis Harris and Associates shows strong support for the Social Security number as a unique health identifier. Nevertheless, CPRI recommends developing a program of public education describing the potential advantages to the unique health identifier and the measures that ensure protection of personal health data.
Dr. Cooper summarized the recommendations of the CPRI action plan of 1996. He stated that CPRI calls upon the National Committee on Vital and Health Statistics to recommend immediately to the Secretary of DHHS the adoption of a unique health identifier based on the Social Security number. He outlined a course of specific actions necessary to achieve this objective: (1) Enact legislation to fund and task the SSA to add a check digit to the Social Security number and modify the process of issuing Social Security numbers, so that it may be used as a unique health identifier; (2) enact federal, preemptive legislation to provide uniform protection of the confidentiality of health information as called for in HIPAA; and (3) develop and promote a public education program outlining the importance of a unique health identifier and describing how access to individually identifiable health care information will be protected and controlled.
Dr. Cooper noted that CPRI continues to endorse these recommendations. He explained that recently it was recognized that many individuals interpreted the CPRI position of using the ESSN for a UHID, and the ASTM standard E1714-95, Standard Guide for Properties of the Unique Health Identifier, as being in conflict. To resolve this apparent conflict, the CPRI and ASTM asked Barry Hieb, M.D., representing ASTM, and Solomon Appavu, representing the CPRI, to develop a list of the requirements for the UHID and to list them by priority. The CPRI board of directors endorsed that document at its July 1998 meeting.
The only difference in the views of the two organizations was for Requirement 10, which says that focused health care identifiers should be created and maintained solely for the purpose of supporting health care, and that their form and policy should not be influenced by the needs or requirements of other activities. The CPRI views this requirement as desirable, but not essential, whereas ASTM views it as essential.
Dr. Cooper suggested that this difference of opinion could be overcome if the ESSN were designated as focused according to the above definition. In that case the ESSN would be used only for health care and would not replace the Social Security number for non-health care uses.
Mr. Gellman led off the questioning of the panelists. Ms. Hillbrant said her company does not sell or rent lists of identifier patient information; information is shared only with clients with whom they have a relationship. She denied that chains of drugstores make patient lists available for use by pharmaceutical manufacturers, as Mr. Gellman stated has been testified to in the past before the Committee.
Mr. Gellman postulated that if the Social Security number is chosen now, in the face of such emerging useful technologies as digital signatures, another decision may have to be made in the near term to change identifiers. Mr. Quinn responded that digital signatures is not a foreign concept, and that it would fall into the category of a newly generated identifier. He acknowledged that his first and most immediate reason for his preferred option is its immediacy, but he stated that nothing about a digital signature leads him to believe that a patient would be able to remember it any better than a Social Security number now. From the perspective of changeable passwords, the question is raised of what to do when the patient is, for example, comatose and shows up in the emergency room. A Social Security number is usually obtainable if the patient's wallet is present, or from a relative, and the number is looked up in the MPI. Digital signatures, as in e-mail systems, sometimes require as many as four passwords to invoke identification.
Dr. Cooper suggested that implementing a digital signature for all Americans may take up to 20 years, within which time most health care approaches will have changed. The advantage of the Social Security number is its immediate availability, even though it is not perfect and privacy legislation must be enacted to protect individuals.
Dr. Cohn asked the panel how "broken" they felt the Social Security number was, particularly in its linkage to nonmedical data, and what would it take to fix it. Ms. Hillbrant explained that the pharmacy industry associates an individual identifier number with the Social Security number, resulting in few duplicates. Its ready availability is mainly why it is used.
Mr. Quinn stated that for the general provider community, it is "a little worse" than the PBM view, in that not all individuals are prescreened in a plan. He evaluated the Social Security number as "pretty good," but it is flawed when erroneous numbers are presented for any reason.
Dr. Cooper declined to answer from personal experience, but commented that at Kaiser Permanente, the Social Security number is used when primary identification methods fail.
Dr. McDonald posed a question concerning pharmacy data that showed low usage of Social Security numbers compared to usage in hospitals, perhaps related to lack of emphasis on patients over time. Ms. Hillbrant replied that the industry has evolved to the point that a significant amount of clinical activities are associated with the claims approval process, including looking for drug interactions, and that use of Social Security numbers ranges from 70 to 90 percent of subscribers.
Dr. Fitzmaurice questioned the panel on the cost/benefits of adding a check digit to the Social Security number. Ms. Hillbrant responded that her industry standard permits 18 digits, so a check digit could be added. Significant costs for the pharmacy industry and software vendors would be associated with anything larger than 18 digits.
Mr. Quinn explained (and recommended) that the check digit can be dropped after verification of error-free entry. He pointed out that great costs are associated with software changes. Dr. Cooper concurred with Mr. Quinn that system modifications are costly, noting that retraining personnel is an additional cost.
In response to a question from Dr. Lumpkin, Dr. Cooper replied that in the CPRI proposal, if numeric characters are depleted in the issuance of Social Security numbers, alpha characters would be used as well. Ms. Hillbrant reiterated that NCPDP supports alphanumeric identifiers.
Dr. McDonald posed to the panel a question on the ramifications of increased accuracy in the matching process. Dr. Cooper suggested that Dr. McDonald's question relates to the balance between greater accuracy and potentially allowing information to be released inappropriately. He favored identifying patients correctly and avoiding inappropriate treatment, and relying on additional protective measures for confidentiality.
Mr. Quinn explained that the status quo is an MPI system with a 2-3 percent error rate. The question remains one of using an old identifier and trying to match it, or promulgating an entirely new identifier throughout the entire system.
Ms. Hillbrant commented that a cost is always associated with matching data, and that other pieces of information are often brought into the conversion to improve accuracy.
Dr. Cohn requested clarification on the 2-3 percent error rate discussed by Mr. Quinn, who described certain aspects of the identification process. He said that in the best case, six or seven identifiers are used in a statistically weighted matching algorithm, with the result that 2- 3 percent are rejected and require human intervention. At worst, the kick-out rate is as high as 20 percent. The individuals represented by those percentages are not misidentified; their identifications simply must be made manually using medical records research.
Dr. McDonald queried whether privacy can be invaded now, and whether medical care can be compromised. Mr. Quinn reassured him that medical care is not compromised any more than it ever has been. Mr. Quinn cautioned against thinking that, without a unique identifier, systems can magically identify everybody correctly.
Dr. Fitzmaurice presented the analogy of a phonepad-initiated financial transaction as evidence that an alphanumeric electronic system is useful. He wondered whether (and how) the phonepad can be used in alphanumeric health care transactions. Mr. Quinn explained that voicemail applications permit punching in names alphabetically. An alphanumeric identifier can be encoded in such a way to avoid ambiguity. He asserted, in cases where the voicemail reports that the person cannot be found, that that message is preferable to one that says, "'We think we know who you are,' and then gives you somebody else's account balance." Dr. McDonald commented that some systems recognize the spoken word now.
As an information technology vendor, IBM supports government and health care organizations with a wide range of information technologies and with a wide range of information needs. Their solutions include both an MPI and biometrics, which Ms. Koss discussed in terms of how they can support the goals of a unique identifier.
Ms. Koss first acknowledged the concerns of cost and privacy in terms of a unique individual identifiers, as well as the benefits. Easy access to health care information, which would be fostered with use of the UHID, raises privacy concerns.
Several issues regarding each of the identifier options under discussion appear to be generic, regardless of approach, and relate to whether any single UHID is appropriate or affordable. Some of these issues concern the implementation infrastructure and are general rather than specific (i.e., its governance, whether it will be network permanent or repository based). Ms. Koss suggested that if a preferred approach for each criterion were selected, then one could more easily apply them to any particular identifier candidate.
Ms. Koss cautioned against trying to solve a wide host of problems in health care with a single policy, without at least explicitly identifying what problems are intended to be solved. For example, is it the role of the UHID to address health care fraud issues? It is also unwise to expect to go from no system to a perfect system.
Ms. Koss stated that IBM supports biometrics today in ways that are compatible with the goals of the UHID. Although certain biometrics can identify and authenticate individuals, it is not clear that authentication was the primary intent of HIPAA. Nevertheless, biometrics such as fingerprints and the iris offer irrefutable authentication.
The biometric is a unique identifier and can be transformed to a more manageable unique identifier using accepted hashing algorithms that cannot be reversed to access the original biometric identifier. The level of accuracy required and the current cost of the technology are important issues, but they are likely to be resolved within five years. Assuming that authentication is a goal of the UHID, Ms. Koss recommended that biometrics should be considered as a means of authentication for whatever identifier is ultimately considered or adopted. An issue to be debated is whether it will be mandatory or optional, and how it will be accommodated.
Ms. Koss addressed the negative aspects of biometrics raised in the white paper. She asserted that fingerprint biometrics are affordable today and the cost of the technology will continue a downward trend over time. Verification scanners that use a bar code today are only $25, and in a Peruvian voting application, it cost $3 per person in a 25 million-person population. Patient presence is a concern, and it is unclear how much authentication occurs over the phone. The technology for voice biometrics is not mature, but if the biometric is translated into a UHID using the hashing algorithm, it can be used like any other unique identifier. As storage costs diminish, the large amount of storage required for digitized biometric data becomes less of a problem. The negative connotation of using biometrics is also diminishing, and the HIPAA privacy requirements "will deal with misuse of whatever ID is chosen, including a biometric." The concern regarding biometrics, asserted Ms. Koss, seems more akin to a civil liberties issue than a privacy issue. Biometrics can even enhance privacy in that people's fingerprints are permanent and unique.
Ms. Koss noted that Canada's commissioner of privacy, Ann Kavukian, has written an article on biometrics. Canada is using biometrics for a number of its welfare programs, as are some states in the U.S. Gardner Group has published notes on the role of MPIs.
BM believes that MPIs will play an important role, regardless of the approach chosen for a UHID, in linking the UHID to existing records across disparate systems. They will be heavily used until UHIDs are implemented, and are needed for residual and back-up authentication of the UHID.
MPIs will also pay an important role in supporting privacy goals, maintaining other identifier information separate from the UHID, but linkable. An MPI approach is likely to support the separation and linking function when appropriate.
Ms. Koss responded to some issues identified concerning MPIs. Although an MPI has not been done on a national scale, neither has any other solution, except, perhaps, Social Security numbers, which have their flaws as well. All approaches will require privacy protection. The MPI technology is the most tested among the new technology alternatives.
In response to the Subcommittee's prepared questions, Ms. Koss explained that the reasons for the identifier include "linking and locating clinical information across disparate health information systems, which in turn support standardized transactions and the attendant benefits, including facilitating exchange of information, access in records, and for purposes of appropriate treatment" and reduction of fraud.
Ms. Koss did not state a preference for a particular identifier, but asserted that biometrics and MPI technology are part of the solution.
IBM's experience in the health care system and with the MPI indicate that either the Social Security number or a newly assigned unique number within a given enterprise are the common-use identifiers today. Other pieces of information are also used and needed to link information adequately across an information system, such as Social Security number, names, addresses, dates of birth.
Ms. Koss asserted that her company believes that the MPI will play an important role by linking the unique identifier to highly distributed, existing record systems. If, after significant public debate no consensus candidate emerges, the MPI index is the only alternative approach that supports access to needed medical information for an individual across the continuum of care. Similarly, "without a unique identifier, biometrics will be used in the health care environment, as in every other environment in our lives."
Dr. Lumpkin observed that the MPI is not a substitute for the identifier, but is a way to increase accuracy until the identifier becomes more universally used. Ms. Koss commented that the MPI will continue to be used even with the identifier for purposes of authentication in the absence of the identifier. But the biometric can also be the UHID, or a hashing algorithm can be used to create a UHID.
Dr. Lumpkin suggested that people do the strangest things to themselves and others that might preclude use of biometric measures. Ms. Koss added that sometimes naturally occurring situations might also preclude their use; but multiple biometric methodologies are available. She commented that no system is foolproof, and some individuals will go to great lengths to avoid being identified uniquely or to gain another identifier for purposes of fraud.
In response to questions from Dr. McDonald, Ms. Koss responded that there is currently no interoperability between fingerprints produced by two different vendors. Standards organizations and states that use this technology in their welfare programs are currently dealing with the issue. Despite the perception that many people may reject the idea of having a unique identifier, Ms. Koss noted that based on surveys and studies, increasing numbers of people are comfortable with the notion of not having to remember many different identification numbers, and that this, for one reason, drives acceptance of a UHID. Dr. McDonald raised the issue of emotional patient reactions against the biometric. Dr. Lumpkin suggested that once a biometric measurement is taken and the digital code is compared to a reference digital code, it is no longer necessary to have the object that was measured. Ms. Koss responded that although people may fear that their identity can be stolen by someone stealing the digitized version of their biometric, that is not the case if a hashing algorithm or something equivalent is used. Ms. Koss referred again to the example of the Peruvian elections, and agreed to provide the Subcommittee with details on the Peruvian system.
Ms. Frawley raised the issue of patient absence in a biometric identifier system. Ms. Koss suggested that voice biometrics would deal with over-the-phone transactions, to the extent that authentication is conducted over the phone. In addition, using a hashing algorithm, a hexadecimal string of numbers and letters is generated that serves as an identifier for the biometric.
Questioned by Dr. Fitzmaurice about checks and balances for privacy in an MPI, Ms. Koss responded that in order for a UHID to fulfill any of its intended capabilities, it must link across records. When and however a UHID is implemented, we must deal with who has access to the identifying information that enables them to link the records.
Dr. Braithwaite noted that one hashing algorithm could be used to produce an identifier for health care, another to produce an identifier for driver's licenses, and yet another to produce an identifier for any other purpose -- all starting from the same biometric, but not amenable to cross-linkage once they have been created. Ms. Koss agreed that it is impossible to reverse the hashing algorithm to determine the original biometric. Although her company's technical experts suggested only two commonly recognized hashing algorithms, she volunteered to provide to the Subcommittee further information on this concept.
Andy Anderson of Hewitt Associates stated that the role his company plays is as an intermediary among employers, millions of their employees, and their group health plans, to collect the data and get it to the health plans. He questioned the logistical practicality of installing biometric devices in employees, encouraged the Subcommittee to focus on how these processes are completed, and invoked the image of the politician responsible for a constituent having to "trundle off to the worst combination of the voter registration bureau, the automotive registration bureau, and the Social Security Administration, just so they can get their health coverage."
Mr. Anderson supported use of the Social Security number, which is used exclusively as an identifier by his company's clients, and recommended that the Subcommittee solicit the views of those employers. He pointed out that HIPAA requires employers to provide their employees, spouses, or dependents with a certificate of creditable coverage when those individuals lose their group health coverage. That certificate contains on it the group health plan identifier, which in most cases is the Social Security number. Every employer in the country in compliance with HIPAA provisions has or will have Social Security numbers for employees, their spouses, and their dependents. Mr. Anderson suggested that the least amount of disruption would be caused if the Social Security number option be recommended and selected.
Larry Watkins, Chairman, Association for Electronic Health Care Transactions (AFEHCT), commented that an informal poll of participating member companies resulted in no preference for which identifier is used, but strong feelings against becoming involved in the privacy debate. He reminded the Subcommittee that the context for addressing the UHID within HIPAA was the goal of facilitating administrative simplification related specifically to nine administrative and financial transactions. Describing the constituency of AFEHCT as value-added networks, providers, practice management systems vendors, and payer systems, he requested the opportunity to testify.
Mr. Watkins stated that the administration of current patient identifier methods is very proprietary and cumbersome, especially to providers. Although this environment was not addressed as a major reason for implementing a UHID, he suggested that that was why it was brought into HIPAA. He noted that AFEHCT can bring to the Subcommittee a perspective on privacy and security that would be useful. Mr. Watkins asserted that the patient identifier and security and privacy is separate from access to the data itself.
Dr. Lumpkin stated the Subcommittee's willingness to accommodate Mr. Watkins testimony, and the two discussed logistics.
In response to a question from Mr. Scanlon, Mr. Watkins stated that about 70 percent of their members use Social Security numbers, and Government or Blue Cross/Blue Shield plans use their own enumeration systems. Many systems default on the Social Security number because of its wide usage, but for payers who do not use it, providers can expend great resources in determining what the identifier is.
Dr. Lumpkin requested that Mr. Watkins submit information about the separation between the identifier and the medical information.
Arven Goyal, M.D., reported his informal poll taken the previous day in his family practice regarding how his patients would feel about "some sort of identification number pinned on them" in the computers and the information protected. Sixteen people in that poll [N not stated] had minor or major concerns about the information being put in the computer. They didn't care if the information was protected, or if only the doctor could access the information.
Dr. Goyal acknowledged that the public health part of him sees value in the system, in the realm of surveillance for diseases and immunizations and in family history. But as a solo practitioner, he noted, he might have to hire a computer specialist to input the information, and the data might be subject to destruction by virus or other problems. And Dr. Goyal also expressed concern about privacy and confidentiality: "There must be a lot of protection of confidentiality in that information." Cost must also be considered, as well as the subpopulation who would opt out of care.
Dr. Lumpkin advised that the proceedings of this hearing will be posted on the webpage of the National Committee.
Maureen Drummond, Co-director, Illinois Vaccine Awareness Coalition (IVAC), spoke for the coalition, which is composed of individuals concerned with vaccine safety and effectiveness. The coalition advocates informed consent, including full disclosure of vaccines' toxic ingredients, but does not advocate mandatory vaccines, which jeopardize an individual's right to freedom of choice.
IVAC opposes the national provider identification system; the unique patient identifiers on individuals; the implementation of any enumeration tracking system, federal registry, or other similar medical databases; the vaccine surveillance of children; and the tracking of individuals to determine vaccine adherence and status.
As grounds for opposition, Ms. Drummond cited the following: (1) The MPI/UPI are an invasion of personal and professional privacy. Through it, the Government may be able to track individual patients through their providers without the patient's consent, and thus jeopardize the patient-provider relationship and their rights to privacy. (2) MPI/UPI is a prohibition on freedom to practice. Penalties for noncompliance will be installed and applied, providers may fear government reprisal regarding diagnosis and treatment decisions, citizens may be deterred from training as medical professionals, and citizens may be impelled into black-market medicine for reasons of privacy.
As a mother, Ms. Drummond stated that the notion "scares the socks" off her; it seems much like a Trojan horse. She expressed fear that the issues of privacy are not going to be thoroughly or conscientiously taken into account. No one can assure that any information in a database would never be used against a patient or the patient's family. Ms. Drummond stated that she considered this proposal a violation of freedom of choice.
Dr. Lumpkin concluded the hearing by thanking the participants. He explaining that following additional hearings, this Subcommittee will discuss the issues and make a recommendation to the full National Committee on Vital and Health Statistics, which will in turn make its recommendation. Within the next few weeks to a month, DHHS will issue a Notice of Intent on the issue of the unique health identifier, which will open a period of public comment. The public comment and the comments from this Committee will be reviewed by the Secretary and staff of DHHS, and be formulated into a recommendation by the Secretary.
The hearings were adjourned at 4:22 p.m.
I hereby certify that, to the best of my knowledge, the foregoing summary of minutes is accurate and complete.
/s/
John R. Lumpkin 11/16/98
_______________________________________________________
Chair Date