Unique Health Identifier for Individuals
A White Paper
--------------------------------------------------------------------------------
I. General Background
A. Legislation
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines a process to achieve uniform national health data standards and health information privacy in the United States. Enacted with the widespread support of the industry and bipartisan support in the Congress, the law requires that the Secretary of Health and Human Services (HHS) adopt standards to support the electronic exchange of a variety of administrative and financial health care transactions. All health plans, health care clearinghouses, and those health care providers who elect to conduct the specified transactions electronically are required to comply with the standards within 2 years of their adoption, except that small health plans are required to comply within 3 years. Among these standards are:
Certain uniform transactions and data elements for health claims and equivalent encounter information, claims attachments, health care payment and remittance advice, health plan enrollment and disenrollment, health plan eligibility, health plan premium payments, first report of injury, health claim status, referral certification and authorization, and for coordination of benefits.
Unique identifiers for individuals, employers, health plans, and health care providers for use in the health care system.
Code sets and classification systems for the data elements of the transactions identified.
Security standards for health information.
Standards for procedures for the electronic transmission and authentication of signatures with respect to the transactions identified.
Privacy and confidentiality protections for health information play a prominent role in the law as well. The Secretary is required to adopt security standards to safeguard health information, during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized uses and disclosures. Further, the law requires the Secretary to make detailed recommendations to the Congress for protection of individually identifiable health information. These recommendations were delivered to the Congress on September 11, 1997. If the Congress does not enact legislation for health record privacy by August 21, 1999, the law requires the Secretary to issue regulations to protect the privacy of individually identifiable health information transmitted in standard transactions. These regulations must be finalized by February 21, 2000.
The law also specifies steep penalties for misuse of a health identifier and for wrongfully obtaining or disclosing individually identifiable health information. The penalties, which increase by type of offense, can be as much as $250,000 and 10 years in prison. More serious offenses are defined as those committed under false pretenses or those committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
HHS formed five implementation teams to identify and analyze options and propose policies to implement the statutory requirements. Through the publication of several proposed rules in the Federal Register, HHS will propose standards for each item required in the legislation.
B. Purpose of The Notice of Intent
There has been considerable consensus on most of the standards that HHS is to adopt. However, opinion on the unique identifier for individuals
Unique Health Identifier for Individuals is deeply divided. Given the level of controversy surrounding the individual identifier, HHS made the decision to proceed cautiously in fulfilling its statutory responsibility to adopt a unique health identifier for individuals for use in the health care system. The notice of intent is the vehicle by which HHS will examine the controversial dimensions of a unique health identifier for individuals, discuss a number of identifier options from which a choice might be made, identify advantages and disadvantages of those options, and request the public to comment. Any subsequent public policy decisions or proposed rules about the unique individual identifier will benefit from the public debate and information gathering elicited by the notice.
Among the areas where comments are solicited are the following:
What are the major confidentiality and privacy concerns associated with a health identifier for individuals and how should they be resolved? What principles should underlie the choice and implementation of an identifier? What uses should be approved for the health identifier for individuals? What is the relationship of this identifier to legal protection for health information generally?
What model should be selected for a health identifier for individuals? Are there other viable options that are not discussed in this notice? How should candidate identifiers be evaluated? Are the relevant positive and negative aspects included for the alternatives in this notice? Which alternative do you prefer and which ones should be eliminated from consideration? Why?
What will it cost both to transition to a new identifier system and to operate it? Who should pay those costs and why? What will the impact be for small providers and, if significant, how can it be mitigated?
What are the critical implementation issues for a health identifier for individuals and how should they be addressed? For instance: How will the system of authenticating requests and assigning identifiers work on a day-to-day basis? Who will operate the system? What are the infrastructure requirements? How can encryption and other digital security technologies enhance identifier protection? What will the transition process look like?
The notice will also seek comments from the public on additional specific implementation questions in Section IV., Implementation Issues Needing Further Consideration.
C. Future Activities
60-day public comment period.
Analysis of comments on the notice.
Public hearings conducted by the National Committee on Vital and Health Statistics (NCVHS) in Washington and in different regions of the Nation.
NCVHS recommendations to Secretary.
HHS decision to issue a notice of proposed rulemaking or take other action.
II. Identifier for Individuals
A. Need for Unique Identifier for Individuals
HIPAA recognized the unique identifier for individuals as an essential component of administrative simplification. There is evidence that a unique identifier for individuals in the health system would have many benefits, including improved quality of care and reduced administrative costs. Being able to identify an individual uniquely is essential in both the delivery and administration of health care. Today, various health care organizations and insurance companies, integrated delivery systems, health plans, managed care organizations, public programs, clinics, hospitals, physicians, and pharmacies routinely assign identifiers to individuals for use within their systems.
Typically, identifiers differ across organizations, while the delivery and administration of health care traverse organizational boun
Unique Health Identifier for Individualsdaries frequently. In its report on computer-based patient records (1991), the Institute of Medicine noted that the increased mobility and aging of our population create pressures for patient records that can manage large amounts of information in different locations and at the same time be easily transferrable among an increasing variety of health care providers. For the vast majority of people today, health records no longer consist of a paper file in a single provider's office. Rather, they consist of many records, some paper but an increasing number electronic, as patients visit multiple providers, primary care providers refer patients to specialists, health plans coordinate benefits with other health plans, providers submit claims and eligibility transactions to multiple health plans, and so forth.
The common practice today is for each provider and plan to use different identifiers for the same individual. Efforts to assure continuity of care, accurate record keeping, effective follow-up and preventive care, prompt payment, and detection of fraud, waste, and abuse all could benefit from the availability of a single unique identifier for individuals with appropriate protections against misuse and unauthorized use outside of health care. A unique identifier is necessary because the constellation of personal attributes commonly used to identify an individual (for example, name, birth date, and sex) is rarely captured in the same manner by each entity in the diverse system of health care. Yet, good care depends on the provider's ability to synthesize information from a variety of sources into an accurate picture of the patient's state of health. The first step in this process is for the proper records to be positively identified. A unique identifier would allow for the rapid and accurate identification of the proper records and their integration for the purpose of providing high quality, patient-focused care.
Having multiple identifiers for the same individual within or across organizations prevents or inhibits timely access to integrated information. Unique identifiers for individuals would facilitate ordering tests and reporting results; posting results, diagnoses, procedures, and observations to charts; updating, maintaining, and retrieving medical records; as well as integrating information across the various internal information systems. For some highly sensitive records (for example, records of mental health diagnoses or treatment, HIV antibody tests, or genetic tests) unique identifiers for individuals would be critical components of administrative procedures designed to protect such information from inadvertent disclosure.
A unique identifier for individuals could serve multiple purposes even within a single health care delivery organization. For some clinical interventions -- for example, blood transfusions, invasive tests or surgery, and medication administration -- a reliable means of identifying the patient is important for safety as well as for record keeping purposes. For example, ensuring safe and effective medication administration requires integrated information about the drug and dose being ordered, other medications being taken or recently ordered, and known drug allergies. Accurate and efficient integration of this clinical information, sometimes from different systems within one organization, would be assisted by having a unique identifier for individuals associated with each piece of information.
There is considerable support within the health industry for the adoption of a unique identifier for individuals. In a letter to the Secretary dated November 12, 1997, five major standards development organizations and associations that are describ
Unique Health Identifier for Individualsed as clinical domain experts recommended the prompt adoption of a unique individual identifier. These organizations are: American Nurses Association, Digital Imaging and Communication in Medicine, Health Level Seven, National Association of Chain Drug Stores, and National Council for Prescription Drug Programs. The reasons cited were to reduce administrative workloads and costs, enable faster access to critical health information, and increase efficiency in the exchange of electronic data.
B. Confidentiality and Privacy
Controversy over the adoption of a standard for the unique health identifier for individuals has focused, to a large degree, on privacy concerns. Some of these views contrast sharply with the previous discussion of the value a unique identifier for individuals would have in clinical practice. We should stress that these privacy issues are substantive, not a trivial concern or a public relations matter. For some, privacy threats outweigh any practical benefits of improved patient care or administrative savings. To others, privacy concerns are significant, but can be managed. To some, the status quo poses greater privacy risks. In this section, we review a range of opinions on how privacy and confidentiality issues, including Federal privacy legislation, relate to identifier options. We welcome comments on these issues.
1. Perspectives on the Unique Identifier and Privacy
The Consumer Bill of Rights and Responsibilities, which was published in November 1997 by the President’s Quality Commission, underscored the importance of the confidentiality of identifiable health information. The confidentiality right states in part: “Consumers have the right to communicate with health care providers in confidence and to have the confidentiality of their individually identifiable health care information protected...” We welcome comments on whether adoption of a unique health identifier for individuals is congruent with this right. (The complete text of the report is available at http://www.hcqualitycommission.gov/cborr/.)
Some believe that threats to privacy are inherent in any unique identifier for individuals. Having different identifiers for the same individual across organizations is sometimes perceived to be protective of individual privacy because potential linkages across data systems are impeded. Having all health care organizations use the same identifier increases the threat to privacy by facilitating unauthorized linkages of information about an individual within and across organizations. This is why some believe that an electronic environment poses greater risks than one that relies on paper records.
Further, if the Social Security number (SSN) were to become the unique health identifier for individuals, some believe that the potential for linkages expands to include not only an individual's medical data but also credit and financial data, employment information, consumer behavior data, and a wide range of other information. The availability and widespread use of the SSN combined with the increasing use of electronic databases and the lack of adequate legal and social controls lend support to these concerns. To some, the SSN is simply unacceptable for identifying health records.
To others, preserving the ability to link health care records with records from other sources using the SSN is essential. The choice of an identifier that is used only in health care could constrain important clinical and public health research that depends on such linking. For example, linkage of health databases and other data sets using a unique&nbs
Unique Health Identifier for Individualsp; individual identifier can assist public health researchers:
By the linkage of police accident reports and hospital records to evaluate the effectiveness of injury prevention through use of helmets, passive restraints, and airbags.
By the linkage of environmental or work place exposure records with medical records containing potential health outcomes and worker demographics.
If a unique identifier used only for health care purposes were to be selected, those studies could not be done without a directory for linking the identifier to corresponding SSNs.
In the midst of the differing opinions over what unique identifier might be acceptable and whether it is necessary, it is easy to forget the implications of current practices. Because identifiers differ across organizations, most health care records and transactions contain more elements of identifying information than might be necessary if a single unique identifier were used. Typically, health care records contain a patient’s name, gender, address, phone number, birth date, SSN, health insurance number, employer, and relationships to other family members. A combination of several of these data items is often necessary to ensure a correct match between the records and a particular individual. In effect, a medical record or transaction bearing merely a person’s name and address may make the information “open” to anyone who deliberately or accidentally comes in contact with it. Ironically, this use of personal information for matching people and records generates little controversy, despite the lack of security standards and privacy protections in place today.
In addition, some believe that protection of health information from inadvertent or unauthorized disclosure would become easier with a unique individual identifier that is used for health care, but not for other purposes. Such an identifier would be used in a similar manner to the way that HIV testing is often conducted anonymously, by assigning an individual a number that is not otherwise known or used. This number, which is used to track and retrieve the test result, cannot easily be used to identify the individual, whereas name and other identifiers could be. A test result bearing only a protected number cannot be associated easily with an individual.
From this perspective, an identifier that could replace other items of identifying information and that would be used only in health care might yield greater privacy protection than alternatives that do not share these