The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require the Secretary of Health and Human Services to adopt standards to enable health information to be exchanged electronically. The standards to be established include those for financial and administrative transactions, such as medical claims and payments; for unique identifiers for health care providers, health plans, employers, and individuals for use in the health care system; and for security procedures to protect health information in transit and in storage.
Because of concerns raised by the public about unique identification numbers for individuals, HHS is preparing to publish a notice of intent (NOI) to examine the controversial dimensions of a unique health identifier for individuals, discuss a number of identifier options from which a choice might be made, and identify advantages and disadvantages of those options. Publication of the NOI will be followed by a 60-day comment period, which will provide an opportunity for the public to submit comments to HHS before any decision about which option may be adopted.
The National Committee on Vital and Health Statistics is holding several hearings to discuss these issues and elicit information from which to advise the Secretary. The questions attached illustrate the scope and complexity of the issues surrounding the unique identifier for individuals.
Not all questions are applicable to all participants or their organizations. You need not answer all questions. However, the NCVHS welcomes your written comments on as many of these issues as possible. A White Paper that discusses the issues to be raised in the NOI has been made available by HHS as background information.
1. The law requires the Secretary to adopt a unique identifier for individuals for use in health care. What are the most important reasons for having such an identifier?
2. If you are opposed to the adoption of an identifier for individuals for health care, what alternative(s) should the Secretary consider?
3. Which identifier option do you prefer and which ones should be eliminated from consideration? Why? Are there other identifier options that should be considered?
4. Based on your experience, what identifiers for individuals are used currently?
5. The White Paper outlines several options that do not require a universal, unique number to be assigned to each person. Could any of these be used to fulfil the Secretary’s statutory obligation to choose an identifier? If so, how?
6. What are the major confidentiality and privacy concerns associated with a health identifier for individuals and how should they be resolved?
7. What privacy principles should underlie the choice and implementation of an identifier?
8. The Secretary has a statutory responsibility to adopt a unique identifier for individuals. She is also committed to upholding the right to confidentiality expressed in the The Consumer Bill of Rights and Responsibilities. How would you advise the Secretary to proceed?
9. Should there be a relationship between the implementation of the unique health identifier for individuals and health information privacy legislation or regulation?
10. What properties or characteristics of identifiers would contribute positively to privacy protection?
(Section II.D. of the White Paper lists several criteria for evaluating candidate identifiers.)
11. Which five criteria should be given the most weight in evaluating candidate identifiers?
12. Do these criteria lead to particular choices among candidate identifiers? Do these criteria eliminate particular candidates?
13. Are there other important criteria that should be considered?
14. Which criteria are least important? Are there criteria that should be eliminated from consideration?
15. What are the relative advantages of the Social Security Number (or identifiers that rely on the SSN) when compared with other identifier options? What are the disadvantages?
16. What uses should be approved for the health identifier for individuals?
17. Should there be limits placed on its use? If so, what should the limits be?
18. How would such limits be enforced?
19. How would individual health identifiers be issued to the existing population?
20. What organization should operate the individual identifier system?
21. An identifier system might assign identifiers, match patient information, verify the unique health identifier for individuals, and manage temporary health identifiers, encrypted health identifiers, and linkages among alias health identifiers. Are all of these purposes essential? Are there other essential purposes for an individual identifier system?
22. What kind of authentication should be required to obtain a unique health identifier for individuals? Should a birth certificate, passport, SSN, or driver's license be required for authentication?
23. Authentication of requests for a unique identifier could be performed by providers, health plans, a trusted authority, or some combination of these. Who should determine whether a request for a unique identifier for an individual is authentic?
24. Who could request a unique health identifier? Under what circumstances may someone request an identifier on another’s behalf?
25. What kind of computer and communications infrastructure would be required to support such an identifier system? Would the computer network to support the system's functions need to provide nationwide access 24 hours a day, 7 days a week?
26. What kinds of entities should have access to the system and for what purposes?
27. Do incidents of mistaken assignment of multiple identifiers to an individual need to be distinguished from incidents of fraudulent acquisition of duplicate identifiers? How?
28. How can a smooth transition to incorporate the individual identifier into health care operations be accomplished?
29. What strategies will help the various users of the identifier (e.g., individuals, providers, employers, health plans) be ready by the implementation date?
30. What are the implications of implementing the electronic transaction standards without a standard identifier for individuals?
31. An identifier should be independent of particular information technologies and flexible enough to adapt to new ones. What candidate identifiers meet these requirements?
32. Would reverification of Social Security Numbers make identifier options based on the SSN more acceptable?
33. What is the optimal length for the identifier?
34. What is the maximum acceptable length for the identifier?
35. What are the relative costs and benefits of the lengths?
36. What specific check digit scheme is preferred, if any?
37. What are the costs and benefits of using check digit(s)?
38. For what purposes are temporary identifiers necessary?
39. How should temporary identifiers be issued?
40. What characteristics should temporary and permanent identifiers have in common?
41. What suggestions do you have for reducing the complexity, cost, and potential for errors associated with the management of temporary identifiers?
42. To what degree is encryption of the identifier an essential part of an acceptable identifier design?
43. Under what conditions should encryption and other digital security technologies be used to enhance identifier protection?
44. What are the costs and benefits of identifier encryption?
45. What suggestions do you have for reducing the complexity, cost, and potential for errors associated with the management of encrypted identifiers?
46. What is your estimate of the cost to implement the following specific characteristics of an identifier in your organization?
47. When we asked WEDI for expected costs to implement these characteristics, we received five answers ranging from $10 thousand to $370 million. How can costs be mitigated, particularly those costs that can be determined not to be recoverable through the improved efficiencies of using a unique individual identifier?
48. Who should pay those costs and why?
49. What will the impact be for small providers and, if significant, how can it be mitigated?
50. If SSN reverification is necessary, what strategies would be appropriate for funding the reverification?
Last update 7/2/98.