James R. Thompson Center
Room 9-040
100 West
Randolph Street
Chicago, Illinois
Judy Ball, Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation, DHHS
William Braithwaite, M.D., Ph.D., Senior Advisor, Health Information Policy, Office of the Assistant Secretary for Planning and Evaluation, DHHS
Simon P. Cohn, M.D., M.P.H., FACP, Clinical Information Systems Coordinator, Kaiser Permanente Medical Care Program
J. Michael Fitzmaurice, Ph.D., Senior Science Advisor for Information Technology, Agency for Health Care Policy and Research
Kathleen A. Frawley, J.D., M.S., RRA, Vice-President, Legislative and Public Policy Services, American Health Information Management Association
Kathleen Fyffe, M.H.A., Federal Regulatory Director, Health Insurance Association of America
Robert Gellman, Privacy and Information Policy Consultant
Marjorie S. Greenberg, Chief, Data Policy and Standards Staff, Office of Data Standards, Program Development and Extramural Programs, National Center for Health Statistics, CDC
Wendy A. Liffers, J.D., M.A., Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation, DHHS
John R. Lumpkin, M.D., M.P.H., Director, Illinois Department of Public Health
Clement Joseph McDonald, M.D., Co-Director, Regenstreif Institute
James Scanlon, Director, Division of Data Policy, Office of the Assistant Secretary for Planning and Evaluation, DHHS
Stewart Streimer, Director, Information Technology Investment Management Group, Office of Information, Health Care Financing Administration
Karen Trudel, Senior Technical Advisor, Security and Standards Group, Health Care Financing Administration
George Arges, American Hospital Association and Workgroup For Electronic Data Interchange (WEDI)
Christopher G. Chute, M.D., Dr.P.H., Mayo Foundation
Shelly Ebbert, MPH, AIDS Foundation of Chicago
James Gabler, Healthdyne Information Enterprises (HIE) and Co-Chair, HL7 Master Patient Index Medicator SIG
Steve Grimshaw, GTE
Barry Hieb, M.D., ASTM
Mary Kratz, MT(ASCP), University of Michigan Health System and CORBAmed
Richard Landen, Blue Cross and Blue Shield Association
Richard M. Peters, Jr., M.D., iTRUST
Barbara Rudolph, Office of health Care Information, Wisconsin Department of Health and Family Services
John Schalk, Gallagher Benefit Administrators
DR. LUMPKIN: Good morning. I think we have the music gone so that now we can start the meeting. My name is John Lumpkin. I am Chairman on the Subcommittee on Standards and Security that is holding this hearing on the unique identifier. First of all, I would like to welcome all of my friends from Washington to Chicago, in the heart of Illinois, one of the best states in the nation, if not the best state.
[Laughter.]
DR. LUMPKIN: For those of you who have not gathered, this is my home state. Certainly, if you have an opportunity to come here and spend money and pay sales tax, we would appreciate that. Our economy happens to be booming, but we always want to make sure it continues on.
Just a couple of things on logistics. We will be taking some breaks. For those of you who have not discovered it, there is a food court. The elevator systems are a little bit strange here so that you have to push "C" for concourse. If you want to get out of the building, you have to push "G" for ground. "G" will get you out, and "C" will get you to lunch or if you need some refreshment.
I think we will start off by doing some introductions, and then we will kick off the hearing. By the way, I am Director of the Illinois Department of Public Health.
MS. FYFFE: Kathleen Fyffe. I am with the Health Insurance Association of America and also a member of the committee.
MS. FRAWLEY: Kathleen Frawley, Vice President of Legislative and Public Policy Services for the American Health Information Management Association and member of the committee, and I chair the Subcommittee on Privacy and Confidentiality.
DR. COHN: I am Dr. Simon Cohn. I am the national Director for Data Warehousing for the Kaiser Permamente Medical Care program and a member of the committee.
MR. GELLMAN: I am Bob Gellman. I am a Privacy and Information Policy Consultant in Washington and a member of the committee.
MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics and Executive Secretary to the committee.
MR. SCANLON: I am Jim Scanlon from HHS. I am the HHS Staff Director for the committee.
MR. STREIMER: I am Stuart Streimer with the Health Care Financing Administration, and I am a liaison to the committee.
DR. FITZMAURICE: I am Michael Fitzmaurice, Senior Science Advisor for Information Technology to the Federal Agency for Health Care Policy and Research, and I am liaison to the committee.
MS. LIFFERS: Wendy Liffers, HHS and staff to the committee.
MS. BALL: Judy Ball from HHS, staff to the committee.
DR. BRAITHWAITE: Bill Braithwaite from HHS, staff to the committee.
MS. TRUDEL: Karen Trudel, Health Care Financing Administration, staff to the committee.
MS. ARAKI: [Off microphone.] Lynette Araki, National Center for Health Statistics, staff to the committee.
MS. COLEMAN: Brenda Coleman, medical writer Associated Press.
MS. KOSNIAK: Lynne Kosniak, Health Information Management Association.
MS. HENDERSON: Mary Henderson, Health Care Financing Administration.
MS. ABERNATHY: Susan Abernathy, Centers for Disease Control.
DR. CHUTE: Chris Chute, Mayo Foundation.
DR. HIEB: Barry Hieb, ASTM
MR. BURKE: John Burke, Health Care Financing Administration, staff to the committee.
MR. BAYLEN: Britt Baylen, University of Chicago.
MR. WHEELER: Paul Wheeler, State Farm Insurance.
MR. WILDER: Tom Wilder, Bureau of National Affairs.
MS. YEAGER: Kristi Yeager, Director of Health Care Government Programs, EDS.
PARTICIPANT: [Off microphone.] -- Blue Cross and Blue Shield of Illinois.
MR. WATKINS: Barry Watkins, Medic Computer Systems.
MR. FANNON: John Fannon, U.S. Department of Health and Human Services.
PARTICIPANT: [Off microphone.] -- Chicago Tribune.
MR. CONWAY: John Conway, American Medical Association.
MR. APPAVU: Solomon Appavu, Cook County Bureau of Health Services.
DR. LATZ: Bob Latz, American Dental Association.
MR. EVANS: Daryl Evans [Off microphone].
PARTICIPANT: [Off microphone.]
MS. EBBERT: Shelly Ebbert, AIDS Foundation of Chicago.
PARTICIPANT: [Off microphone.]
MS. BRASE: Twila Brase, Citizens for Choice in Health Care.
PARTICIPANTS: [Off microphone.]
MS. MARTINEZ: Karen Martinez, AIDS Foundation of Chicago.
PARTICIPANT: [Off microphone.]
MR. MEYER: Chuck Meyer, HBO and Company
PARTICIPANTS: [Off microphone].
DR. LUMPKIN: Welcome. Today and tomorrow, we are going to have a set of hearings on the unique health identifier for individuals. These hearings are generated by the request of or the Health Insurance Portability Act which mandates that a unique health identifier be selected by the Department of Health and Human Services. The National Committee on Vital Health Statistics is charged with providing advice to the department in relationship to administrative simplification and other matters.
In this particular issue, though, we felt that we have entered a new stage. The first year or so of our hearings, we have identified a number of standards for administrative simplification transaction standards, unique identifier for providers, where we felt that there was a mature standard that could be recommended. As we continue with our administrative simplification activities, we are now looking at those kinds of areas where there is not a mature standard, there is not a clear choice.
In this particular instance, we are moving forward with a white paper which outlines a number of options for creating a unique identifier. It is our hope that based upon this hearing and other hearings that we will be conducting throughout the fall and winter that we will be able to make recommendations to the department on the type of unique identifier that best meets the needs of the people of this country as well as balances the concerns about privacy and confidentiality.
We will proceed with the first panel, but first, Mr. Gellman has asked for a few minutes to make an opening statement.
MR. GELLMAN: Thank you. I want to emphasize two points about what we are doing today, one about the hearings and one about the patient identifier issue. First, I do not believe this is really a hearing about a patient identifier. In my view, it is inevitable that any identifier issued for use in health care will become a single national identifier. It will be used for every purpose under the sun including driver's licenses, voter registration, welfare, employment and tax.
If you need proof, just look at what has happened to the Social Security number. Social Security numbers are now required to open a bank account, get a job, apply for a credit card, buy or sell property, or obtain insurance. If you want a driver's license, occupational license or if you have a baby, you need to disclose your Social Security number. All of this despite the fact that the Social Security number is a rotten identifier.
A new health identifier, if it is issued, will surely cure all of the defects of the Social Security number. That is why I believe that the bureaucrats at HHS and other federal agencies lust after a national identification system provided, of course, that the costs do not come out of their budget.
Once everyone is required to use a government-issued health identification card, it may become impossible for any American citizen to walk down the street without being forced to produce that card on demand by a policeman. You will not be able to use a credit card, cash a check, fly on an airplane, check into a hotel, go to school, or enter or leave the United States without showing that card. You may not be able to use Viagra or even buy an aspirin without the Federal Government being notified.
A new number, a new card, could easily be used as an internal passport and to support the maintenance of a personal profile on everybody. Once a decision to require a health identifier is made, it is likely that every American will be forced to go to a local Social Security office or some other federal facility and bring a passport, birth certificate and driver's license. You will be forced to wait in line for hours while a bureaucrat decides if you have enough evidence to prove that you are who you say you are. If you fail to satisfy that bureaucrat, then you will become an unperson. Without a government-issued identification card, you will simply not be able to exist or to function in society.
There will be much discussion at these hearings about health system identification. As far as I am concerned, that is just a cover story. It is a front. You can forget all of this health stuff; it is not very important. The real issue is whether we should allow the Federal Government to control every phase of our lives by requiring that we have a card or a number to exist and to function. Those are the stakes at this hearing.
Dr. Richard Harding, a member of this committee who is not here today, called the patient identifier issue, "The mother of all privacy issues," and I believe he is right.
This brings me to my second point. This committee, the National Committee on Vital Health Statistics, is a wonderful committee filled with smart, dedicated, hard-working and highly-knowledgeable people. The amount of expertise on the committee is enormous and impressive. However, virtually every member of this committee comes right out of the health care establishment. For most committee purposes, this is just fine, but notice who is not represented on this committee. There are no consumer representatives. There are no immigration groups. There are no labor organizations. There are no patient advocates. There are no religious organizations. There are no civil liberties groups. There are no computer scientists. There are no Internet organizations.
For making decisions about technical health care issues, this committee is qualified and properly representative of the health care community for the most part, but for deciding about a national identifier, this committee is woefully unbalanced and inadequate. The principle interests represented on the committee are health care providers, health researchers and public health agencies. For a major national issue like a personal identifier, this committee is simply incomplete. There are too many important points of view that are not represented.
If you have any doubts about the views of this committee, I suggest that you take a look at the September 9, 1997, letter that the committee sent to Secretary Shalala. Long before these hearings were planned, long before the white paper was drafted, long before any firm information about costs or consequences was available, this committee rushed to go on record supporting the adoption of a national identifier -- of a patient identifier, excuse me. I dissented from that recommendation along with Dr. Harding. Our letter of dissent is hidden away in an obscure place on the committee's website. The dissent has not been referenced in the white paper. I believe the committee and the department have obscured the views of those who do not agree with the preordained decision that we will have a national health identifier.
At the committee's June hearings -- excuse me, at the committee's June meeting, I proposed that these hearings be postponed until the formal notice of intent could be issued for all to see, but the committee decided to rush ahead with the hearings. I also proposed that all committee documents on the patient identifier issue be placed on the public records, but the committee refused, preferring to operate in secrecy.
In my view, it is a lead pipe cinch that this committee will, in the end, once again support a national health identifier. The committee will couch its support and language that makes the committee look concerned about broader issues, but it will do what it has already done, demand an identifier. Obviously, not everyone on this committee will agree with that recommendation. Those of us who have other opinions will have to fight to be heard, but I believe it is preordained that we will lose on the main issue.
I urge the Secretary to make sure that she solicits other points of view in this debate. We are not just dealing with a health issue; the Secretary must listen to a much wider range of opinions than this committee, and perhaps a different forum for hearings is necessary. This committee has already made up its mind on the key issues that these hearings are supposed to address. Thank you.
DR. LUMPKIN: Thank you. Obviously, this committee is not of one mind on the issue of the unique identifier. Yet, we are charged, constituted as Congress as we have been, and certainly as we were essentially before Congress passed this legislation and gave us this charge.
The function of these hearings is not to discuss whether or not there will be a unique identifier because as an agency charged by Congress, really HHS has no choice but to do a unique identifier. That is our nature of government in this country. As an executive branch, we carry our HHS's charge to carry out the will of Congress.
Our challenge here at these hearings, therefore, will not be whether or not there should be a unique identifier, although certainly we hope to hear testimony as to the risks associated with that unique identifier. But, what kind of unique identifier should there be?
We have a document that has been distributed, and we expect that sometime in the near future, which in my experience with the Federal Government means in the next year or two, actually it is probably the next month or two, that there will be a notice of intent which will embody much of what is in our white paper for open public discussion. The committee will make a recommendation. That recommendation will then go to the department in addition to all of the other public comment, and so, it will be a very long, we hope very detailed and very careful decision-making process by the department, of which this committee will be one part of that decision-making process.
At this point, I think we will move to the first panel. Chris. If you will introduce yourselves again. Are we on the Internet?
PARTICIPANT: Yes.
DR. LUMPKIN: If you will introduce yourselves, this hearing, like most of the hearings of the committee, are going out live on the Internet. I can tell you, having listened to one of the committee meetings when I could not go, it is very helpful when people identify themselves so that those who are not here in person can understand what is going on.
MS. EBBERT: My name is Shelly Ebbert. I am the Director of Service Coordination and Planning for the AIDS Foundation of Chicago.
DR. CHUTE: My name is Chris Chute. I am professor of medical informatics and associate professor of epidemiology at the Mayo Foundation.
I am very grateful for the privilege to again present to this committee. I certainly recognize the gravity and the seriousness of the issue that we are addressing today. It is my hope to provide some semblance of balance in our consideration of these issues. I apologize to our colleagues who I seem to be compromising on the left side of the room with the projected powerpoint materials and beg your indulgence on this matter.
We recognize, I think widely, that health care delivery as we understand it today has become an astonishingly information intensive process. No matter what we want to do, be it the control of costs, or the improvement of quality, or the appropriate use of technology, we depend critically upon patient information. Realistically, that patient information can and should be integrated across the experience of the patients.
In my mind, the issue that we are discussing today bears directly on the notion of data linkage. The "How?" we engage linkage is what a patient identifier is all about. the "Why?" with respect to data linkage is to understand notions of disease natural history, treatment responses, functional outcomes of patients following care, and the effective, efficient and satisfying engagement of the health care process.
The absence of a common patient identifier may compromise our efficient and effective delivery of care to an individual, and I will expand upon that. Similarly, at a broader level, our understandings of health and disease can be compromised without underlying data linkage which will enable the discovery of new knowledge about the health care process.
Data security, which is fundamentally the issue to address appropriate confidentiality concerns, I believe is possible when it is targeted against patient data rather than the identifier and is clearly required. I should say without hesitation that the Mayo Foundation is profoundly and unwaveringly committed to the notions of patient confidentiality and data security.
However, if we think from the perspective of a patient, and we are all patients at some point in our lives, when we engage the health care process, the issues that we want to know is, is there anything wrong with me or my loved ones, and if so, what does it mean, these findings, and finally, what can we do about it.
If we pause for a moment, the answer to these and related questions derives from a body of experience with patients in the past. Historically, this has been something akin to anecdote and folklore, and it is in the modern era that we are beginning to overcome these ad hoc mechanisms of understanding how we can take better care of patients, by analyzing repositories of patient information appropriately linked.
Nevertheless, American health care, the way it is practiced today, is profoundly fragmented. This is not fundamentally bad, but it does emphasize a decentralization of specialties and services. A given patient can engage health services at a number of providers even within a single episode. Furthermore, patients, as they move throughout society, are highly mobile and can encounter coverage options with multiple providers at different points in their careers and lives.
Information transfer between and among these phases of health care are somewhat inefficient in our current mechanism. Furthermore, clinical decisions and research, which are premised upon the linkage of information, is often significantly incomplete and potentially biased and might lead to wrong conclusions.
Consider the delivery of services in laboratories, x-rays or other clinical studies. These can be generated from external facilities and resources to a major health care provider that had their own mechanisms of enumeration and numbering. That record or information may or may not be linked back to the right patient at the right time in the right context. Worse, that information may be merged due to insufficient linkage and insufficient identification with patients with a similar name. Anecdotally, I can attest that when I was a medical student, there was a large volume of patient findings and reports that pertained to my father in my own medical record. Obviously, nobody acted on the fact that I might have had prostate cancer at 19, but it was a serious problem.
An example at the broader level of research illustrates a fragmentation of data not only within single patients but across populations of patients. If we take the relationships, which is only recently understood, between papilloma virus and subsequent cervical cancer, these events are often and findings are often separated by decades. They are often identified from multiple providers with different geographic history, and the detailed information is rarely transferred.
The natural history of these chronic conditions then can be significantly misunderstood for a lack of appropriate data linkage. Similarly, our understanding of the incidence and prevalence of disease can be significantly underreported either in a public health context or in an academic context when we try to understand the impact of disease in our society and efforts to improve their treatment and management.
The population-based research, as it is engaged today, offers an opportunity to overcome incomplete and biased experiences that result from single episode hospital-based studies. In a hospital series which tries to elucidate a natural history or an impact of disease, they are often reliant exclusively on immediate episode related information. They are often confronted with a very skewed representation of patients that are the consequence of socioeconomic referral to a given health care facility and are fundamentally non-representative of the population at large if only by the virtue of their being sick.
An alternative, of course, is population-based research which is not reliant upon hospitalization. An example of that that I will expand upon in our own experience is the 30-year old Rochester Epidemiology Project which is fundamentally dependent upon linkage of information across different providers that pertains over time to a single patient. The Rochester Epidemiology Project was begun in 1966. It has generated over 1,000 peer reviewed publications which we hope are widely regarded as a contribution to our understanding of health outcomes and disease. It integrates the health experience across providers for persons in Olmstead County, Minnesota.
The logistics of the Rochester Epidemiology Project, for which I am somewhat directly responsible, have de facto surrounded the master patient index approach. We are intimately familiar with the shortcomings and the inaccuracies that are associated with trying to link patient data from various providers without the common basis. Reliance on names, date of birth, sundry identification numbers including the Social Security number are, in our experience, fraught with inaccuracy and error. We engage in this process so that we can develop a master diagnostic and procedure index of patients in the population-based area, and we maintain that information in a highly secure data format. We have severely restricted access to that information, and any communication of the data associated with those indices are encrypted.
The benefits of such a study allow us to recognize notions of hospital biases. We were the first to demonstrate that the natural history of disease can differ profoundly in a hospital series from that in a community. We were among those to first recognize that hospital series patients tend to be sicker, a famous Berkson(?) bias as it is called in the epidemiologic textbooks.
We were the first to recognize, as an example, that multiple sclerosis as a disease, which is information that we published in the 1950s, had double the prevalence in populations than had been previously anticipated and had a vastly improved prognosis than that which was expected, with persons and population based gainfully employed decades after the onset of the diagnosis, which was in contradistinction to the hospital experience where obviously ill patients were seen disproportionately. We were the first resource to unequivocally demonstrate distance referral bias where patients referred from distant sites, by and large, tend to be more healthy than patients seen within the community. Again, this is a function of data linkage, and it can subsequently distort the quality of care metrics that are presented as they are associated with given medical centers.
One of the questions that I think we might consider is patient data as a valued resource. Mayo Foundation and the Mayo Clinic, we believe, are widely regarded as outstanding health care institutions. Why is that? Why did we emerge from the cornfields of southern Minnesota, which is fundamentally where we are? We have a heritage of organizing, preserving and linking patient data. This dates back to a common medical record structure in 1907 that was fundamentally enhanced by the introduction of a common identifier to facilitate linkage of all patient events within the activities of the foundation over, I might add, a century.
We have a significant and longstanding commitment and resource expenditure on indexing this information so that we can learn more about disease and natural history and reincorporate that, as was illustrated by Codman(?) at the turn of the century, into our health care practice to continuously improve what we do and how we take care of patients. Our record during this 91 years of continuous usage of indexing and linking identifiers on 5.5 million patients, wherein we conduct more than 4,000 studies per year overall, is that we have had no breach of confidentiality traceable to the use of patient information in research.
We recognize and do not dismiss the special concern associated with confidentiality. Clearly, we have, as I said, an unwavering commitment to maintain and preserve the confidentiality of all our patients. However, our overriding concern is the welfare of our patients, and to the extent that we engage in research to look at outcomes and management, we do use patient information and patient record materials to study this process.
The question of whether anonymity in research databases is an adequate response to the identifier problem is an interesting one. Fundamentally, researchers can and should deal with information that is anonymous, that has no patient identifiers within it. The real issue is how is that dataset generated for the researcher. At some point, to make the research database credible and unbiased, a linkage of patient events that precede an episode under study is required. That very linkage implies the existence even if deep within a computer system, of some sort of consistent patient identifier. That identifier can be discarded once the linkage has been undertaken, but the absence of an identifier absolutely would preclude that linkage in the first place and would essentially make impossible the practical conduct of outcomes research, disease natural history, and treatment response analysis.
The question then is when is this identifier discarded, not if, and the question is how is the identifier made appropriate. I would argue that those are non- questions because it is not the identifier we are worried about. I appreciate the comments of Robert Gellman in the opening, that the identifier is in fact a fundamental issue societally. I do not deny that, but I would assert that within health care, the context we are focusing on is the security and confidentiality of the data itself, not of the identifier. Issues of whether an identifier should be encrypted, whether the identifier should have an exclusive application to health care, whether it should be shielded or protected, whether it should incorporate personal characteristics or have any notion of public access are, from the perspective of health care, immaterial because the issue fundamentally is the protection of the patient data. Security and confidentiality issues should focus on patient data rather than the identifier.
Since we were asked to address a broad range of issues, I will present some caveats. On check digits, we recognize that they are a significantly useful enhancement to any identifier if only to safeguard against key entry transcription errors as humans interact with a number. The algorithm is essentially immaterial as long as it is sufficient to detect additions, deletions, inversions or transpositions of digits or elements within the identifier. These, as you know, are typically generated by factoring with discrete prime numbers.
The length of the identifier or the length of the check digit is fundamentally a function of how sure you want to be. Think simplistically. A single decimal check digit gives you, on average, a one in ten chance of that check digit doing what it is supposed to do. Whereas, two alphanumeric digits, assuming that you discard the letters "I" and "O" for clarity, give you roughly a one in 342 chance of appropriately using the check digit.
The fundamental question, Why have a unique identifier? I think I can summarize to facilitate data linkage in direct support of an individual's care and indirectly by acquiring new health care knowledge from aggregate patient experiences.
How can we improve upon IDs in use presently? If we were to make them standardized, consistent and comparable, that would greatly facilitate our process. There are significant problems, and I assert on this slide that conceivably fatal implications to multiple identifiers attached to a single individual, clearly as a function of crucial information being not linked because of the multiplicity of identifiers. That could have a significant impact on clinical care.
Are there alternatives? Naturally, but all of them have their consequences. One alternative is business as usual, but I submit that that has a huge opportunity cost to society and to persons as individuals as a consequence of suboptimal care and a suboptimal understanding of the health care process and our knowledge about it.
We can continue to try to engage master patient indices, but from personal experience in the Rochester project, I can attest that these are fraught with error and misclassification. They engage a very large cost to create and maintain, and they are virtually impossible to submit data interchange with any other master patient index.
What would the impact of an identifier be on privacy? Simplistically, I assert, there would be no impact on privacy associated with the identifier. Again, it is the data about patients which is the issue and that implementation of an identifier must be in tandem with policies, legislation, logistics, technology that can insure the privacy of that data.
Should the government be involved? Well, heck, I do not know who else would do it. They are, in my opinion, a logical broker for establishing, issuing, maintaining and overseeing health identifiers and to monitor the appropriate patient data use by way of policies, data audits and other legislative mechanisms.
My second to the last word is that a common health identifier would ultimately serve the best interests of individual patients through a better integration of their care and enabling observational research on health outcomes. My last word is that if fairly and intelligently implemented, electronic patient records using common identifiers might actually reduce risk to patient confidentiality relative to what exists today in our paper environment, which has no ability for audit or usage trails as they are currently manifest.
Thank you for this opportunity to present our opinions.
DR. LUMPKIN: Thank you. We will proceed on to our second speaker, and then we will have questions of the panel.
MS. EBBERT: Good morning. As I said before, my name is Shelly Ebbert, and serve the AIDS Foundation of Chicago as the Director for Service Coordination and Planning. For those of you not from the Chicago area, the AIDS Foundation or AFC was founded by providers more than ten years ago to achieve four goals: First, to establish a network of providers sensitive to the needs of people diagnosed with HIV and AIDS; second, to raise and distribute money for the purpose of preventing and treating AIDS and HIV; third, to administer government funds for the purpose of preventing AIDS and HIV; and fourth, to advocate for the rights of those whose lives have been transformed by the diagnosis of AIDS.
The AIDS Foundation of Chicago is unique in the nation for its coordination of a case management system that serves the majority of people with AIDS or symptomatic HIV in the Chicago metropolitan area. Through our case management cooperative, individuals are served locally by agencies that can best meet their varied needs for advocacy, education and linkage to services, and they are also part of a larger data system that has a capacity to track case management activities and the use of services.
I am pleased today to present what we have learned and to provide testimony regarding the development of unit identifier for health care on behalf of the clients and providers served by ARC. Thank you for the opportunity to comment today.
The development of a unique identifier for health care is of concern to all Americans and possibly more so for those whose records reflect an HIV positive test result, behaviors that may have put them at risk, and a treatment history for a disease. People living with HIV or AIDS have a lot to gain and a lot to lose from this proposed system. Our clients utilize the health system a great deal and have the opportunity to benefit from the system that emphasizes portability and decreased insurance restrictions based upon pre-existing conditions. Treatment protocols for people living with HIV are increasingly complex and require careful monitoring of treatment adherence, drug interactions and laboratory monitoring.
A unique identifier in these situations could assist in protecting confidentiality of lab results, assuring that prescriptions are not conflicting or duplicative, and could assist in the longitudinal evaluation of treatment regimens to the extent that a unique identifier is linked to other identifying information primarily for the purposes of facilitating better health care and reducing administrative barriers to care. It could also assure appropriate tracking of disease trends and referrals into services. In fact, the AIDS Foundation and other advocacy organizations are currently engaged in a discussion with IDPH to consider what identifiers might be appropriate in Illinois to achieve those public health goals.
In spite of these potential benefits, however, the AFC and its constituents would not support any system for unique identifiers without the implementation of safeguards against the misuse of confidential medical information. Many Americans, not just those with HIV but those with other chronic diseases or disabilities, family histories of disease or a record of certain medical tests having been performed, are concerned with the confidentiality and appropriate use of their medical records. there are very real threats to the availability of insurance coverage as well as to things like employment, housing, child custody, education and other areas that are unrelated to health care by the unauthorized and inappropriate use of confidential medical information.
Some argue that the current system of medical information as to hear(?) safeguards for confidentiality than would be a system based on unique identifiers. In the interest of developing a unique identifier system that best protects the privacy of individuals while achieving the goals of the Health Insurance Portability and Accountability Act, AFC supports the implementation of federal law designed to protect the confidentiality of medical records. Such legislation should provide not only stiff penalties for the violation of standards but standards the emphasize individual protection before efficiency and cost effectiveness.
We have been asked to comment this morning on the criteria for selecting or developing a unique identifiers system. As recommended by the Consumer Bill of Rights published in 1997 by the President's Quality Commission, AFC supports, and I quote, "The right to communicate with health care providers in confidence and to have the confidentiality of their individual health care information protected."
If the four basic functions of the unique identifier system -- and this is from the white paper. If we assume that the four basic functions of the unique identifier system are: one, to provide positive identification for patients when treatment is rendered; two, to create automated linkages for computer-based records; three, to provide a mechanism to support the security of privileged clinical information; and four, to utilize technology to keep health care operating costs in check, then the following criteria would be most important to assure the individual's right to confidentiality. Those would include: first, consent, that the individual must be informed and give their consent before any identifiable, unencrypted data is shared for any reason. Second, controls. The only entities with access to personal information are those with written permission from the individual or those with limited statutory permission for the purposes of public health research or health care. That the system be focused, that the system be created and maintained for the purpose of supporting health care and not influenced by other activities. Fourth, that the system be secure. The means by which test results, clinical notes, behavioral history and other confidential information is linked with things like demographic data, billing status, and administrative function is tightly restricted.
The experience of the AIDS Foundation in developing and implementing a standard to protect confidentiality is important to note. Granted, our system is an internal system, and it is not linked with other major systems, but we do manage -- by presence in our system, our case managed clients are acknowledged to have an HIV diagnosis.
The case management system is a name based tracking system. Confidentiality is assured by the nature and purpose of the software, the structure of the hardware and by informed consent of the individuals.
Before clients enroll in the system, they are provided with information concerning the entry of personal data into a computer system, the uses of that information, and assurances of the confidentiality of that information. The database itself is designed solely for tracking and evaluation of the system and for administrative ease in preparing statistical utilization reports. Confidential and sensitive information is maintained locally in the individual case management agencies; it is not part of the larger system. In addition, the data is maintained on a distinct server which is not accessible to all staff at AFC or linked to a network with internet access.
Member agencies of the case management cooperative developed the standard for record confidentiality that requires written consent for the sharing of any client information which applies to the database as well as to case manager communication with other agencies or providers. Similarly, a system based on unique identifiers could protect the confidentiality of sensitive information by being designed to manage only administrative information and not every part of an individual's medical record, by having specific structural controls over the access to the information, and provide for extensive client information with specific consent for the sharing of any information available within the system.
As providers with extensive experience in serving the needs of people living with HIV and AIDS, we know that threats to privacy can jeopardize the lives and livelihood of our clients. While a unique identifier may indeed facilitate high quality, patient-focused care, assurances are needed to protect confidential, sensitive health information from use not related to care.
We support the National Committee on Vital Health Statistics' own recommendation that no unique identifier system be developed until federal legislation is enacted to protect the confidentiality of health records. This legislation should establish the individual's right to privacy, assure informed consent for the sharing of information, preserve the right of the individual to access their own records, and establish severe penalties for the violation of privacy protections.
To the extent that the unique identifier system may protect the confidentiality of people with HIV and AIDS and all Americans, AFC encourages this committee to emphasize issues of individual right to privacy. You have an important opportunity to establish a system that protects and serves people and prevent the development of a system that provides for administrative efficiencies at the cost to individual privacy. The concerns expressed by Mr. Gellman are real. Please use this opportunity to assure that unique identifiers protect the right to privacy of medical records of all people served by the health care system. Thank you.
DR. LUMPKIN: Thank you. Questions?
MS. FYFFE: Thank you, Shelly. You mentioned more than once in your presentation that you felt that penalties should be severe. I am going to just paraphrase what the current law says, and perhaps you could let us know if these penalties sound severe enough or if it should be more severe. Again, in the HIPAA law, there is a section entitled, "Wrongful Disclosure of Individually-Identifiable Health Information." The penalty section says that a person described as doing something wrong in terms of individually-identifiable health information shall be fined not more than $50,000 and imprisoned not more than one year, or both. If the offense is committed under false pretenses, to be fined not more than $100,000, imprisoned not more than five years, or both. Then finally, if the offense is committed with intent to sell, transfer or use individually-identifiable health information for commercial advantage, personal gain or malicious harm, fined not more than $250,000, imprisoned not more than ten years, or both.
MS. EBBERT: Are you asking me, is that enough?
[Laughter.]
MS. FYFFE: I do not mean to put you on the spot. You can get, you know, you can check with your organization and get back to us.
MS. EBBERT: I would like to check with the organization and get back to you, but I think that the extent to which on the prevention side the access to information can be controlled is better than after-the-fact penalties. You need the after-the-fact penalties because there is always that threat to confidentiality, and somebody may blow it either with intent or by accident, but the more that there is control on the front end of the information, the better off you are going to be. I think that any penalty, you know, people's knowledge of the penalty is going to be sort of a cost benefit. Is it worth the risk or is it not worth the risk. Other kinds of controls, fines are assumed in certain industries, that they are just going to pay a fine for violating some kind of a requirement. So, if it is a big enough penalty that people cannot just budget it in, then it is --
MS. FYFFE: Okay.
MS. EBBERT: -- probably worth supporting.
MS. FYFFE: So what you are saying is that these penalties as stated in the HIPAA law may or may not serve as a deterrent?
MS. EBBERT: Yes, and prevention is always better than coming after the fact because after the fact, somebody's privacy has already been violated, and their life may be changed forever because of the violation of that privacy.
MS. FYFFE: Okay. Thank you.
DR. LUMPKIN: Other questions? I have a few. Again, for this panel and any other panels, if there are questions that you are not comfortable about, we are beginning the process, so feel free to submit written answers to the questions.
The first question has to do with security, and you discussed some security mechanisms that you are using for your own internal system. I was just wondering if you have looked at the security recommendations by the Committee on Vital Health Statistics that we made to the Secretary and whether or not you feel that those would be adequate or the kinds of measures that you take internally are consistent with those. [Pause.] Probably not having looked at those, you do not have an answer, but if you could get back to us if you have an opportunity.
I have a question for Dr. Chute. On the MPI, you mentioned some of the weaknesses that you thought, based upon your experience, in the MPI. One of my questions on the master patient index is relationship to what extent does a master patient index -- based upon your Rochester experience, does it create a national repository of health information, which I think there has been concern expressed about?
DR. CHUTE: No is the short answer. It clearly enables the possibility of generating such a repository, but absent a common assigned patient identifier, that repository will contain wrong, inappropriate and misaligned linkages based on the inaccuracies of the master patient index. Again, the fundamental question of a patient repository which, as you know, I am something of a fan of as long as it is appropriately safeguarded and overseen, are separate from the notion of a patient identifier per se. One can ensure improved patient care with a common identifier at the level of an individual. That is obviously very distinct from an MPI. Similarly, our insights into health outcomes and knowledge can be, albeit awkwardly, undertaken without a national repository by linkage between and across clinical centers providing care to a cohort of individuals. Again, that will have, by nature of our mechanisms of linkage and our ability to access this information, significant gaps and incompleteness which may or may not distort and bias the findings of such a study.
DR. LUMPKIN: Perhaps as a follow up because I have to admit that I have a certain biased frame of reference which is related to my specialty training in emergency medicine and the frustration that I have often had at 2:00 at night, when you have a very sick patient coming in, trying to figure out what is going on, what has happened, why do they have those scars. To what extent would you see that a master patient index as you described and in your experience provide access at that particular time for potentially crucial medical information for someone obviously who, in emergency department, is not showing up in their normal network of care?
DR. CHUTE: A master patient index can support that kind of access to previous information. We are, I think, talking about nuances of precision and completeness. It is my experience that the master patient index does an incomplete job and sometimes an inaccurate job of maintaining linkages. So, the scar history that you find via a master patient index linked information may be somebody else's scar history. Or, more probably, it could have been missed in the linkage process for lack of an appropriate alignment of master patient index components that would preclude the ability of a repository to link that information. It would be enhanced, the "it" here being a repository, in that it will allow you to learn more about the patient at 2:00 in the morning by having underpinning that repository a common identifier relative to a master patient index.
DR. LUMPKIN: Let me just follow that through a little bit more because I think, of the suggestions in the document, the one that perhaps is the most difficult for me to fully get my arms around is the MPI. In reference to my first question, if at 2:00 in the morning I can go to the national patient index, and it will tell me where to find information about this guy who is sitting in front of me in the emergency department, an extremist, that means that somewhere there exists a set of pointers that would tell someone where all of my health information is. I am trying to counterpoise that as a risk to security and confidentiality versus a number that would require that I need to go someplace and say, "I have 123456 here in front of me; what information do you have?"
DR. CHUTE: Thank you for clarifying. Permit me to parse the concepts of master patient index which are often intertwined to the point that there is great confusion, specifically on the one level, on I think the level that you are using it, a master patient index is tantamount to a catalog of pointers to previous health care experience encounters that can subsequently engage their own authorization process, their own access protections and so on, and this is clearly a desirable attribute. The notion of a master patient index that I have been stuck upon is the one wherein you generate an ersatz identifier that is a compilation of sundry patient characteristics such as name, address, date of birth, mother's maiden name -- the usual suspects, in short -- and it is the creation of these ersatz identifiers to link together that catalog that I focus upon when I discuss the notion of a master patient index. The issue of a catalog which is underpinned by a common patient identifier or by this composite ersatz identifier is the issue I have been trying to distinguish.
DR. LUMPKIN: Okay. Then one more, and then I will turn it over to other members of the committee. You made a comment in your presentation of the -- I think you used the term "policies and laws" to protect confidentiality and privacy. Where do you see the gap right now in relationship to a unique health information between what currently exists and what you think ought to be in place to protect that privacy and confidentiality?
DR. CHUTE: It is my understanding, and I confess that my familiarity with pending and current legislation is incomplete, but it is my understanding having been instructed by Kathleen Frawley and others more familiar than I that legislation and policies at a federal level to address patient confidentiality and appropriate data use are sorely lacking. I accept this premise and therefore would be significantly supportive of an effort to generate a national body of legislation and law that would provide more than guidelines but a statute with respect to appropriate uses of patient data and, more importantly, to appropriate mechanisms of access to patient data, an example being the national repository and the 2:00 a.m. emergency room scenario you had presented.
DR. LUMPKIN: As a follow-up, we heard from the other member of the panel that the assessment of the AIDS Foundation of Chicago is that the risk benefit analysis, given current protections, goes toward not having a national identifier even though they have identified some significant benefits. What would be your assessment given the risk benefits now with the current confidentiality and protection?
DR. CHUTE: To the extent that I understand existing confidentiality protection, I would agree with that assessment, specifically the ratio tips on the side of not having a common patient identifier presently. However, my contention would be that we need to move forward, and I think that the word I used was in tandem with policies and legislation that do address and hopefully guarantee appropriate protections of confidentiality and privacy for patient data as we address the notion of a common patient identifier.
DR. LUMPKIN: Thank you. Do you want to jump in on any of those?
MR. GELLMAN: I have a couple of points that I would like to make. First, I would like to disagree with something that our illustrious chairman said earlier about the interpretation of the law, that we are required to have a patient identifier. I do not read the law that way, and I think the Secretary is fully capable of saying that we should not have an identifier. In any event, even if the Secretary decides to have a patient identifier, that will require enormous appropriations and other legislation in order to move forward, so I do not think this is something that is preordained and can be resolved administratively. There are other points of view when interpreting the law, of course.
I want to make a couple of points about identifier. It is interesting listening to people who like the idea because they describe this sort of pie in the sky, wonderful process where we are going to be able to link all of these records and provide people with better health care, and we are going to have all of these controls over the identifier so it will not be misused, and it is not at all clear to me that those goals are realizable to that degree.
Every system of identification has its problems. The Social Security number is a good example. People have run to use the Social Security number for a whole variety of purposes even though it is not a very good identifier and it does not necessarily avoid problems of overlap or duplication.
I do not think that anyone can advocate that a new identifier is necessarily going to avoid that. Unless you start tattooing identifiers on people, you are going to have people who walk into hospitals or other places and hand over somebody else's ID card. The only way to control that is with collecting more and more information, biometrics or whatever, and then, of course, there is always the problem of all of this being counterfeited in some way.
There have been efforts, however, to control the Social Security number. I do not know if either of our witnesses are familiar with the Privacy Act of 1974. Section 7 of Public Law 93-579 was an attempt by the Congress to say to the states and local governments, and indeed to the Federal Government itself, that we will not allow new uses of Social Security numbers. In the 25 years since that legislation passed, there are now 27 separate authorized uses of Social Security numbers by the Congress. So, what has happened is that basically one a year, ever since Congress passed a law that said, okay, we are going to stop new uses. One a year since then they said were authorized new uses of Social Security numbers, and that is what I think will happen with the health identifier. If anybody wants to make a comment, you are welcome to jump in.
I want to make another point. People talk about limiting the use of numbers to health purposes only. I am going to read a list of the institutions that are going to get access to the health identifier. It is really nice to talk about legislative protections and criminal penalties for misuse of an identifier. Let's look at the reality of who is going to get access to identifiers. Doctors; dentists; hospitals; laboratories; nursing homes; pharmacies, and that includes local drug stores and supermarkets; employers; federal, state and local agencies in the hundreds and hundreds.
In Wisconsin, there was just a study done by the ACLU, and of 50 governmental units investigated, 30 of them had either identifiable or potentially identifiable patient data in 13 different state agencies. Some of them were places you would not expect to have data. In Wisconsin, I believe that they give discounts to people who are disabled if they are getting a fishing license. So, lo and behold, the department that issues fishing licenses has health data on those people because you have to prove that you are entitled to the discount. So, the data is all over the place. Of course, one of the federal agencies likely to get access to this is the Internal Revenue Service and the Department of Justice, law enforcement agencies up and down the food chain. Then we get to health researchers; health care consultants; health database companies; health, life and automobile insurance companies would also have the number; schools; social welfare agencies. The Attorney General of the United States today has the authority to subpoena administratively every health care record in the country without exception. Inspector generals from various federal agencies; credit card companies; credit reporting agencies; banks; and debt collection agencies. Does anybody disagree with any of those, that any of those people are involved?
DR. CHUTE: Permit me to question the what to which they are given is the identifier or data about health care status.
MR. GELLMAN: Well, the answer is probably in most cases both, but I am just talking about the identifier itself.
DR. CHUTE: There were many cultures where knowledge of an individual's name was considered sacred and privileged. We have, by and large, moved beyond that, and we recognize that the spirit and soul is as much a function of an individual rather than the label. I think, analogously, the notion of a health care identifier does not disclose the spirit and soul and the substance of a health care history but rather a label to which such information could be attached.
MR. GELLMAN: That is certainly true with the Social Security number, wouldn't you say?
DR. LUMPKIN: I think we are going to try to not have as much back and forth. Maybe if you could finish your line of comments and then we can have a response from the panel.
MR. GELLMAN: I think we are doing just fine. Would you say that is true of your Social Security number?
DR. CHUTE: I defer to our chair.
MR. GELLMAN: What is your problem, John? I am just asking questions of the witnesses.
DR. LUMPKIN: If you do not mind, if you could finish maybe that line of thought and then let them respond. I think the way that we have tended to do hearings has been more in that format and not a back and forth.
MR. GELLMAN: I thought the point of hearings was to have back and forth with witnesses. Okay, would you like to respond, anyone like to respond to what I have said?
MS. EBBERT: I think it is true that anytime you create a system of data that is linked by any means, whether that is a unique identifier or names or whatever, access becomes an issue. The very creation of the system of information linking it all across the board, access and the appropriate access is an issue. I believe in the white paper it talks about three different kinds of use of information. This goes back to your point. I do not know if I have the categories exactly right: open use, permitted use, prohibited use.
Even in the best laid out system that this committee might recommend, there may be conditions that come out that would provide -- would threaten the integrity of that system or challenge the safety of the data. I think that is incumbent on everybody here to consider how much the data is linked, as Dr. Chute said, how much the data is linked to the identifier. It might not be the identifier itself that is the big issue, but it is what data is linked, and who has access to it, and how do you control access to it, and how do you prevent lawmakers from being influenced by people who think that somebody needs access to some piece of that information for some totally unrelated thing that is not related to health care.
MR. GELLMAN: Let me make a point. I think that it is true, of course, that data is sensitive, but it is also true that an identifier itself is sensitive. Everybody gets an identifier. It is almost impossible to devise a health identifier that will not go to at least half of the major institutions of this country if not three-quarters. The notion that the identifier itself can be protected, I think -- and can be controlled in some way, I think, is impossible. I think that the identifier will be in widespread use.
Furthermore, it is also true that the data is in widespread use. Many of the institutions that I read and identified already have data. There are no protections for data today to speak of. Health records are probably the least confidential of all the records that are maintained by third party recordkeepers. There are lots of institutions that have access to it. My concern is about the data, but it is also about the identifier because the identifier, just like the Social Security number, will get used for lots of other purposes. You will be required to have the identifier, and as you build more of the infrastructure that may go with a national patient identifier, that all of the other links to all of these institutions and access to the data will all be fueled simply by that identifier.
The links exist today; the data is used today. The notion that health records are protected very much is simply not true. So, I think that in fact what will happen with a new identifier besides its use in lots of other purposes is that it will simply facilitate greater sharing of information that goes on today among other institutions. Comment?
MS. EBBERT: I think your point is well taken.
DR. LUMPKIN: Other questions? Simon?
DR. COHN: Shelly, I actually just wanted to follow up with a comment you had made and also from your testimony, and it had to do with the idea that perhaps not all data should be linked. You commented about that just a minute ago, and then in your testimony, you talked about potentially being designed to manage only administrative information and not every part of the individual's medical record. Could you elaborate on that a little more and explain your thoughts about that?
MS. EBBERT: I think that there is a big difference between a test result, for example, and an all-out -- and parts of the medical record that may indicate the discussions between the provider and the client that may have -- I mean, it may concern behaviors, it may concern health history, it may concern other things that are not related. If you want to pay for a test result, that is one thing, and that may be administrative, that may be financial. The person who pays for the test result may not need to know that a person is -- you know, what their risk factor was for HIV specifically or something like that.
I think what those categories -- and I am not, I do not pretend to be a sophisticate about this issue, but there needs to be -- there could be a differentiation between what is administrative and what is part of the medical record that is accessible to everyone. They have done it in mental health confidentiality control statutes. You know, in mental health, you cannot even acknowledge that someone is your client, and that is how strong the protection is. There are parts of the medical record that could be available, demographics, outcomes, without including the entire part of the medical record. I can defer to my colleague here who knows a lot more about medical records than I do.
DR. COHN: I actually do want to hear comment from Dr. Chute about this, but I just want to understand. Is it that you are talking about the confidentiality of the information that is already linked or are you saying that some of the information should not even be linked to begin with?
MS. EBBERT: Some of the information might not even be linked to begin with.
MR. COHN: Okay. Dr. Chute, can you comment?
DR. CHUTE: That is a societal question. I mean, fundamentally, it gets at where is the best benefit for, and where is the highest risk, and how do we weigh those issues. I cannot sit here and say all information on every person should be linked. That may be a highly inappropriate position to take. The goal is to ensure that information that can forward the care and management of a particular patient clearly should be linked. Information that can provide insight as to health outcomes, treatment consequences, management issues, across populations of patients has merit in being linked. Whether that merit overrides objections, concerns or legitimate difficulties with linking particular information is not a question I, as an individual, can address.
DR. LUMPKIN: Kathleen.
MS. FRAWLEY: Shelly, I was just curious, when the Foundation set up its case management system why they went with a name-based tracking system instead of some type of unique identifier. It seems a little odd to me that you actually use patient name as the tracking system, so I was wondering if you could give us a little bit more background on that.
MS. EBBERT: Great, and that is a good question, and it goes back to Dr. Lumpkin's question of whether or not the AIDS Foundation's own confidentiality policy is coherent with what is recommended by this committee. I am new to the AIDS Foundation, so I do not know all of the history of how this was developed. We do put an identifier with the client name so that any reports that we would generate would not be generated by name. Whether it is based on the unique identifier, based on names, I cannot give you the finer points for the reasons. I can get back to you on that, though.
MS. FRAWLEY: I just think that it would be very helpful if possibly somebody from your foundation could give us more background on that in terms of some of the decision making. I know that a lot of the HIV and AIDS-related community has a lot of concern about reporting a patient name, and some states are now mandating the reporting of name. I am just curious in terms of your case management system, just a little bit more in terms of some of that decisionmaking.
MS. EBBERT: I think it started out -- you know, the technology has come a long way in the past ten years and what was okay ten years ago may not be okay now. We, like any other organization that manages records, should probably take a look at that and revisit that again, but we can provide some additional information as to the background of how our system evolved to be the way that it is.
Again, I think it is important to realize that the system -- the information in the system is not -- by nature, it is a sensitive system because anybody who is in is HIV positive. There is not detailed information about treatment or conversations with physicians. It is a case management tracking system, and that is all.
MS. FRAWLEY: How many clients do you have in your system?
MS. EBBERT: I believe that the total over the course of ten years, it has been over 5,000 and may be at that level now.
DR. LUMPKIN: If I could just follow up. That system does not have client-based reimbursement, so you are funded to provide services? It is not like the medical system in the sense that you have to justify every service and every --
MS. EBBERT: That is correct.
DR. COHN: I was actually going to ask a question on that note. Dr. Chute, you had talked earlier about the issues of name and linkages in numbers and I think had waxed somewhat poetically about the issues of not having a unique identifier which linked them together. Yet, at Mayo, you have produced over 1,000 referenced reports and journals. Based on this many years of history at Mayo and Olmstead County, I know that there are anecdotal cases of information being misfiled and others that I hear frequently from other speakers. Can you give me an idea of the percentage or the gravity of the issue as you observe it in Olmstead County?
DR. CHUTE: That is an excellent question, Dr. Cohn, and I think the short answer is that the gravity of the situation is in direct proportion to the amount of resources one is willing to expend to maintain that initial master patient cross-linkage. The bulk of our NIH funding to support the Rochester project is consumed by the task of maintaining these indices. We do it with great diligence, great care, and yet we still, from time to time, discover imprecision, inaccuracy and error.
The impact that these problems have on our reports may or not be small. It assumes that we knew the true magnitude of our error, which of course is fundamentally unknowable. It also points out that the resources we do obtain could be perhaps better spent rather than maintaining this massive, tedious and incomplete cross-index of patient information we could devote those resources to studies that could be more carefully, thoroughly and widely undertaken.
DR. LUMPKIN: I would like to thank the panel. At this point, we are scheduled to take a break. We are about 15 minutes ahead of schedule; I would like to keep us that way, particularly that somebody did notice the 1:30 break for lunch. So, if we can just take a 15 minute break, then we will come back 15 minutes ahead of time and finish up a little bit early so that we can all have lunch.
[Brief recess.]
DR. LUMPKIN: Before we get started with the second panel, I do want to let individuals in the audience know, and I will mention this again, that at the end of today and the end of tomorrow, we will have a period of time for comments from individuals in the audience who are not on the panels. So, there will be opportunities for statements then.
DR. LUMPKIN: The next panel is on What are the cost benefit implications of a unique identifier. If the panel members would introduce themselves.
MR. ARGES: I am George Arges, American Hospital Association here on behalf of the Workgroup For Electronic Data Interchange, WEDI.
MR. SCHALK: John Schalk. I am Vice President of Systems for Gallagher Benefit Administrators, a third party administration firm located in Itaska here.
MR. GRIMSHAW: Steve Grimshaw, GTE Data Services. I am a manager of enterprise systems for the Missouri Medicaid Project.
DR. LUMPKIN: Thank you.
MR. ARGES: I would like to thank the NCVHS for allowing the Workgroup for Electronic Data Interchange the opportunity to be here today and present some views on the development and search for a national patient identifier. This is probably one of the most controversial and if not one of the most important points to be considered as part of the administration simplification provisions contained in HIPAA.
WEDI, as you know, is one of the four consulting organizations mentioned in the administrative simplification provisions in HIPAA. WEDI was basically an outgrowth of a 1991 initiative set out by Secretary Sullivan to basically look at administrative aspects to the health care system. WEDI looked at and issued a variety of reports from 1991 to 1993 and back in 1995 was reconstituted as the present WEDI. WEDI is a broad coalition of organizations within health care that are engaged in and are supportive of the delivery, receipt and processing of electronic health care transactions. We are very sensitive to the need to improve the efficiency but at the same time understand the need for privacy and confidentiality of the health care system. Our mission is primarily one to improve the effectiveness and efficiency of our nation's health care system by increasing the volume and value of electronic health care transactions while enhancing the security and privacy of their content.
We have been involved recently in looking at a variety of aspects of the MPRMs that were recently published with respect to transaction sets, the provider identifier code sets. We are eagerly waiting the other ideas in terms of security, patient identifiers, and will be commenting shortly on the employer identifier as well.
Our mission has not really changed that much since our founding in the early 1991. You have before you, as part of the administrative transactions, nine transaction sets involving a variety of administrative financial functions. Clearly, the whole idea of patient identifiers is important. The industry today uses a variety of patient identifiers from name, address, employer ID. The ZIP Code in many cases can even be used as an identifier. So, the idea of a unique patient identifier is one that seems attractive to the Workgroup for Electronic Data Interchange.
There are a variety of proposals that were mentioned in the white paper that look at the process of establishing a unique patient identifier, whether it is the SSN, a master patient index, some biometrics or other types that were mentioned. WEDI has been looking at the costs but has not really come up with any conclusive study on this issue only because much depends really on the type of privacy and confidentiality protections that will be enacted. We do believe that nothing should be done until the privacy and confidentiality protections are, in fact, given their prominent role in the process.
We also realize that the financial and administrative transactions that are currently underway will benefit from recommendations set out by the provider ID and soon to be payer ID. I think those two components will also help to better identify the handling of many of these transaction sets and to be able to get further clarification about additional pieces of information if needed.
The current system is fraught with many inconsistencies in the way that things are handled, even from the simple recording of a patient's name, how you record it in terms of the enrollment process, the first name, the middle name, the last name. All of those still need to be standardized as part of the process. Other identifiers that are currently used include, for instance, Social Security number, in some instances, at the time of admissions in a hospital setting. There is also the patient control number. There is also the medical record number. All of these are identifiers of one form or another.
These are often -- the patient control number and the medical record number are often included along with the patient's name, address and sometimes -- depending upon the program, for instance, Medicare includes the Social Security number of a kind on the transaction set as part of the process. These are used routinely as part of the handling and submission of the transactions, the claims transactions, and oftentimes components of that are echoed back in terms of remittance and payment. The debt collection as well, on the payer side in terms of the enrollment process, as well as the eligibility process, collects similar pieces of information about the patient as part of that process.
To say that WEDI is interested in the establishment of a unique patient identifier, the answer based on a strawman's vote on this issue, because we have not really formally voted on it, but in terms of a strawman opinion, the answer is yes, that we are aware that the system could benefit by having some form of patient identifier that could be standardized as part of that process. We also are sensitive to the fact that if in fact an identifier is established that that identifier be a numeric identifier with a check digit that should be utilized. We basically discussed this similar issue with respect to the provider ID and suggested that we avoid the alphanumeric identification with provider ID and stayed with a numeric as part of that process. We would strongly encourage the NCVHS to make that same recommendation for any other type of identifiers that would be used, whether it is employer or payer, as well.
We do strongly urge basically that a rational and thoughtful consideration be given really to the privacy and confidentiality protections. We are operating today with a piecemeal system that is based on a variety of state laws that dictate the process. We are also operating with a multitude of identifiers that when put together probably give you more of a complete picture than perhaps in some cases strictly a numeric number would give you if it stood alone.
The question then becomes how do you basically protect the identification of an individual with respect to a number in a database that may be created and who would have access to that database. Clearly, the financial administrative transactions that were outlined have a specific purpose and function. One said purpose and function has been completed. Then the role and obligation of the participants needs to be further spelled out as part of that process, what do you do with the data once you have processed it and collected it and respond back to the other party. From an historical point of view, I think these issues need to be further explored.
We do plan to continue holding a variety of other discussions as part of the Workgroup for Electronic Data Interchange process. We have policy advisory groups that have been very instrumental in putting together a variety of recommendations and proposals. I want to commend the NCVHS's hearings today, and I also thought that the white paper really identified a variety of different issues that need to be considered as a part of that process. I would like to thank the committee for giving me the opportunity, and we will answer questions later on.
MR. SCHALK: On behalf of Gallagher, I would like to thank you for having me here today and listening to what I can contribute to this discussion. Gallagher, as I mentioned earlier, is a third party administration firm. It basically deals in the single employer marketplace and pays health care claims and handles large case management and other kinds of managed care issues for single employers, most of which are self-insured.
I believe that I have been asked to share some of my knowledge today with you because I am familiar with and have a broad background with claims adjudication systems that are in the marketplace. We have completed recently an analysis, an internal analysis of the claims system we do use to get some ballpark estimates together for HIPAA's potential impact. It is kind of driving an internal decision that we have as to the life of the system, et cetera, so there were a few reasons we went down this path. We did a fairly exhaustive study, and I will not be able to share any precise dollar amounts with you today, but I think that I can speak pretty well from the perspective of the magnitude of changes and how they can trickle down into various aspects of the system.
In any kind of a change to a system architecture, first of all, they are the generally more expensive to do as a retrofit. In my opinion, most of the systems out there would need to be retrofit for this kind of a proposal. We are not sure if we are going to have it key driven. We are not sure of the size. we are not sure of the mechanics of the field. So, there are a number of variables that I think would prohibit even systems on the marketplace that have, quote, "extra filler areas" from being quickly and expeditiously used for a change like this.
I think that for our firm specifically, we found a number of challenges in implementing something like this from the perspective of just gathering the information, the size of the field, whether it is to be key driven or not. If it is, it means a whole another aspect of system architecture for retrieval and recordkeeping. Then I think another area that needs to be recognized as well is how fields can be part of other fields. That is not always necessarily easy to understand and get from a first cursory review of a system. Sort keys were mentioned here earlier as one example of that. How you store data, all kinds of ways that systems need to handle and manipulate the field need to be taken into consideration.
For our firm, in addition to that, we have a reporting system that is driven off of a separate PC/database kind of an application, so when organization such as mine talk about changing a system for claims adjudication, that does not necessarily mean that the system changes stop there. They can feed down into other systems that are used for further reporting or data distribution. In our specific case, that is quite expansive. I would imagine a lot of organizations make decisions from a cost benefit perspective. In our case, the cost to change a mainframe system is certainly a lot larger than it is to cost and develop a PC-based database. That is how we went and developed our interfaces for other vendors that we supply eligibility information and things like that. We designed another system to do that.
I think that pretty much wraps up what I have to say.
MR. GRIMSHAW: My name is Steve Grimshaw, and I am with GTE Data Services with our Commercial Services Division. GTE Data Services has various claims processing systems in the different medical arenas. We have a managed care product that is sold to commercial HMOs. We also have a Medicare Part B claims processing system, and we also do system maintenance for the Missouri and Kansas Medicaid Program. In Missouri, we also provide full fiscal agent services there. In addition to that, GTE also provides network services to the ENVOY/NEIC network.
Personal background. I have spent about ten years in health care data processing, and seven of those years has been in Medicaid in the states of Missouri, Kansas and Oklahoma. My current assignment is the Missouri Medicaid Project.
In 1997, the Division of Medical Services, which is the arm of the State of Missouri's government that handles the state Medicaid program, we conducted a HIPAA budgetary cost estimate for them on converting the current MOIS system via the Medicaid management information system. One thing overall with all systems, we feel that -- you know, the white paper talked about costs varying from $10,000 to $270 million. I can very much see where those variations in costs can occur. Therefore, implementations will vary greatly by organizations. It will depend upon what type of system was originally in the application and also what type and what the role of the identifier is. Commercial systems that are shared by many companies, meaning that that system is sold to this HMO and sold to this HMO over various states, various agencies, those systems tend to have bigger fields open which allows various numbering schemes. Obviously, if you are selling a commercial system, each entity you go to is probably going to have a different type of identifier, and you are going to have to be able to handle it.
Home grown systems similar to the Missouri Medicaid System, which is a public domain system, has fixed format identifiers that are embedded into the systems. As a matter of fact, in Missouri, our identifier is actually numeric. To save space back in the days when space was very expensive, those identifiers were packed, stored in different parts of the system, and colleagues here had sort keys and stuff like that. You almost get into the situation where you are looking at a whole another Y2K(?) type exchange of how to determine where are all these identifiers at and are they in fields that are no longer identifying them as being an identifier but are being used for other purposes.
Various discussions with our customers as to whether to change the system to use a new identifier or just an additional field, some of the discussion came up with the confusion factor. If you have a working key index as the new number would become or use an additional field, you come into the situation of what should show up on the screen, what should show up on a report. The beneficiaries out in the field are going to be looking at what they know their number to be, not what your internal system has. So, our initial talks with our customers have been to convert the system to use a working index key as opposed to an additional field.
Numeric versus alphanumeric. We agree the number should be numeric, not just for internal purposes from a system standpoint but also from an end user standpoint. In Missouri, we have an audio/voice response system that is both used for providers and used for beneficiaries. Those people can call into those numbers and get various benefit information. While there are mechanisms to convert alphas into numeric keystrokes on a telephone, it would be very much easier for the end user if they had a straight numeric number that they could use to go into things.
Size of the numbers. I have seen systems hold numbers as small as 8, as large as 16. The larger the number is, it is going to cause everybody some type of change.
The one point on the ARU that I was wanting to mention earlier, right now, just from a manpower standpoint, those audio/voice response systems, both for provider identifiers and recipients, handles 75 percent of our phone calls that we get coming in.
The other item that I wanted to talk about was what would it cost to implement a unique ID. Those costs become staggering when you start figuring everything in. some of those deal with -- right now, with HIPAA legislation, there are a lot of changes going on. You have the MPI. You have transaction code sets. You have code sets within those. You are going to be conducting program conversions, expansions and a number of other items. One thing that needs to be looked at is that these things need to -- if they occur concurrently, the better it will work. If you look at the costs of testing, one of the things that I looked at some surveys that said testing accounts for 25 to 32 percent of the cost of a system. If I have to develop a system and test it with MPI and then three years later turn around and retest that system, I am recurring part of that cost that could have been built in if it was all done during the same implementation.
Conversion costs. In Missouri, we process approximately 44 million claims a year. We convert files all the way back to the beginning of the program back in 1979. Just the sheer cost of converting those files from what the previous identifier was to what the new identifier is will add continued cost to that. When we gave our estimate to the Division of Medical Services, obviously they were shocked. Just to point out one line item on there, because we identified to them that their recipient ID cards that they issue, just the cost of reissuing those cards was $450,000 of the cost of using the new identifier.
What are the financial benefits for health plans, Medicaid agencies, of having an identifier? One of them that we see in our system quite a bit has to deal with duplicate ID numbers existing. Currently in the Medicaid population, at least in the State of Missouri, recipients move a lot. One month, they are living with their mom, and they are living in one county. The next month, they may be living with their father in another county. Even the next month after that, they may be living with their grandmother in a third county. One thing we find out is when they go into their welfare offices to apply for the medical assistance, they may not remember or may not even tell the social worker there that they were previously on Medicaid. It is not until their number is already in the system that somebody has realized that this person has multiple numbers. The administrative costs involved in resolving those problems between getting the claims under the correct ID number and getting everything straightened out could be reduced if their was a central identifier. I still think there is going to be a duplication problem but probably not to the extent that we are identifying in other areas.
The other area which is not necessarily unique to Medicaid but deals with third party liability. In the commercial area, it is considered coordination of benefits. Medicaid is the payer of last resort meaning that they must go to all other sources prior to it being paid for by the Medicaid program. Part of our job is to identify what are those third party liability issues. When a recipient is talking with their social worker, they may not remember that they have coverage here, have coverage there.
One thing that we do is data matches. Data matches are things where we go against the big Blue Crosses in the state and look at, do you have recipients on your files that are in the state Medicaid program. If you do, we want you to pay the bill first, and we will pay what is left. Those data matches are very difficult. We run into problems with people using the name, the date of birth, Social Security number, even mother's maiden name.
I remember a couple of years ago, I had a research item in front of me where -- I will just use John Doe as an example. There was John Doe, and there was Johnny Doe. They thought they were one person. They both had the same Social Security number, same date of birth, same mother's maiden name. The difference was that they were actually twins. The mother named one kid John and one kid Johnny. So, using the names also provides confusion and a manual effort to resolve, is this actually a match or not.
Future capabilities, we heard a lot of comment this morning regarding the confidentiality of numbers. We definitely agree that the security issues regarding numerations need to be resolved before any processes is accepted.
Recently, I belonged to an encounter task force group. One of those groups, our purpose was to figure out how to get more encounter data into the system be able to evaluate medical care, which is I think really where the big cost savings is going to be is in the medical care. We invited not just health plans, but we invited providers, physicians, to our encounter task force group. We asked them, what is it that we can provide in this encounter data that would make it worth your benefit to provide this information to us? One of the physicians popped up and said, you know, one thing that we would really like is profiling. You have people in managed care now. They are swapping back and forth between managed care plans. They are also swapping back and forth between PCPs.
One thing they said in dealing with especially children, EPSTD programs is it would be nice to know what previous screenings this patient had had as opposed to what they know, which was a limited amount. Obviously, there is a lot of controversy regarding centralized documents and centralized medical information but if you go into a physician and you see that he sees that you have had all of these treatments before, he could see what does work, what does not work with you as an individual. So, I think duplicate treatments and inappropriate treatments could be resolved by having a unique identifier to allow in the future, when the security is there, we can share patient profiles with the physicians that are reviewing your care.
What additional infrastructure would be required for setting up and issuing a unique ID number? There is a lot of issues with that. One thing, just from reading the white paper, the enumeration of birth makes sense, but I think the SSA knows all of the current problems dealing with even the enumeration process with the Social Security number. Having a separate number is going to create those same type of problems. I think it does need to be at a national level as opposed to putting that infrastructure into each individual state. At least in my opinion, I believe that if there is going to be a separate number, it needs to be done similar to the way that they are doing the Social Security number.
Identification and verification number. There needs to be a way to identify whether or not this health care identifier is the one for this person, whether it is a match between the health care identifier and the Social Security number, that yes, these two match and you have a valid number, or even some other type of identifier. When you get to talking about numbers dealing with does this person have authorization to use your number, you could even throw a pin number on the end of that. Whether that is feasible or not, I do not know. Insofar as granting of provider access to your medical to all providers as opposed to what he individually has.
Finally, when should the identifier be implemented and how long a time period it should be, I think that it is critical that it is implemented at the same time as the other HIPAA standards, mainly from an administrative standpoint to share development costs mainly in testing. The other thing is that it does definitely need to be done after the privacy legislation is adopted.
HIPAA has pretty much mandated EDI standards for the industry. We need to take that further and make sure that we make adequate use of it. To use it just for administrative billing purposes is not really the big savings; I feel that the big savings are going to be in the treatment of care.
One thing that we hear from a lot of our health plans and different stuff like that is why can't we use the Internet to send you claims data. We said it is not secure at this time. You must use private networks. The privacy legislation and what is required to consider something that as being private will help save some administrative costs dealing with how to transport data from one place to the other whether it is using private networks or using let's say a health care internet network or even the use of the network.
One thing that I do feel is critical overall of everything is the format of the identifier. Even if you cannot tell us the rules of what the identifier are, at least tell us what format or the link to that format is going to be. That way, if we are in there making changes to other parts of the system, we can go ahead and do that expansion at that time now. It will be less costly in the future if I do not have to expand my system to hold the number.
I would like to thank you for the opportunity to talk to you. If you have any questions, please let me know.
DR. LUMPKIN: Thank you. Bob.
MR. GELLMAN: Thank you for your testimony. I think it is very helpful. We can talk about all of the social consequences, but just sort of the nuts and bolts if you make a decision to go ahead are actually quite overwhelming, and I think that has sort of been the thrust of what you said. I just want to get your opinion about some of the questions. Do you all think that if we are going to have a health identifier that it means that we have to have a health ID card along with it? Do you see those two decisions as linked?
MR. GRIMSHAW: From a standpoint of when patients go into an emergency room or go into a doctor's office, they need to have some way of knowing what that number is. Insofar as actually having a physical card, it does make the hospitals or it does make the providers feel a little bit better because they have the paper there. We have a point of sale eligibility system which puts out a little ticker tape of a person's eligibility. It is amazing how providers will hold onto that because it is their proof that the person was eligible, they do have information, this was their ID card that they presented to me.
MR. GELLMAN: Mr. Schalk, do you agree?
MR. SCHALK: Yes, I agree. I think from a practical standpoint, that is the only way that I can see it working.
MR. GELLMAN: Mr. Arges?
MR. ARGES: I would agree as well. In fact, I would suggest that it would be put on at least the mag part of the card and not necessarily imbedded so that it can be read visually. In other words, you swipe it and have the capability. I also think it should maybe even be expanded to include the last time the patient visited a particular facility so that you know exactly where that medical record may reside. In other words, you may have the provider ID identified on there so that you can be able to find that medical record and treat the patient appropriately.
MR. GELLMAN: That actually leads me into my next question which is what other information ought to be on the card. I mean, there is a whole range of cards. You can have a cardboard card with a name and a number, you can have a plastic card with raised lettering, you can have a plastic card with a mag stripe, and we can have all kinds of smart cards. What do you think ought to be done? Do you think there is other information besides what you just suggested?
MR. ARGES: My opinion is a question of cost. I would say the mag stripe is probably the most common in use today, and you ought to look at the card really as a routing mechanism not necessarily capturing the medical record per se but allowing someone to be pointed to the right direction where that medical record would reside. Then it would be incumbent upon the user who is requesting the additional pieces of information to put down who they are in terms of access and whether they have authorization to see that record so you are tracking that.
MR. GELLMAN: What other kind of identification ought to be on the card. Do you see the need for a picture, for a biometric identification, for a date of birth, for other kinds of identifiers?
MR. ARGES: Again, I suppose cost is dependent. A picture would be okay, but you get into the whole idea, if somebody is out to commit or falsify a card, they are going to do it no matter what, and no matter what the identification, you can bypass it. I do not know if you necessarily need it, but you do need to be able to identify the patient's name, at least, on the card so you know who it is and you can verify that either with another piece of information that may contain the patient's name, driver's license or picture --
MR. GELLMAN: Mr. Schalk, can you talk about what you see as appropriate as to the contents of a card?
MR. SCHALK: Sure. I think the name and date and the number would be appropriate. That would be enough information. I think the number has to contain a check digit or some way to validate the number whether it is swiped, stamped or however it gets into the data processing systems, it has to be able to be verified. I do not see any other additional information that would be needed from that standpoint.
MR. GELLMAN: Are you worried that I show up with a card? How do you know that that is my card?
MR. SCHALK: Yes. That is an issue. Your comment earlier about whether picture and date of birth or whether there are other defining elements on there, I think, are valid, but I think from a practical standpoint, I do not know that it is actually going to substantiate that you in fact are who you are.
MR. GELLMAN: Mr. Grimshaw?
MR. GRIMSHAW: On two things regarding the card, whether a smart card should be used or whatever identification, I think technology is second. I think the most important thing is how providers get access to medical profiles to be able to make good medical decisions. On the identifier, what should be on the card, here is another level of security that you can put onto the card. I have seen different states actually use an ID number as opposed to their Medicaid number on the card. Therefore, it is actually a number associated with the card and not with the recipient. Therefore, when the inquiry is done, they do get that information back, but at the same time, if a person loses the card, they report their card stolen and get it remade, the other card can be invalidated.
MR. GELLMAN: Okay.
MR. GRIMSHAW: It would not necessarily have to have the --
MR. GELLMAN: Let me ask one more question of all of you. What do you envision as the process by which the card would be issued? I mean, if we are going to have to issue a card to everybody in the country, how do we do that? Does the government do it? Do we have plans do it? Has anyone thought about sort of the infrastructure and mechanism necessary for this? Do you have any thoughts?
MR. ARGES: I have my own personal thoughts. I would probably like to see something where it is basically set up as the government sets up a driver's license, where you have bureaus and you go down individually. You basically fill it out, you pay a nominal fee to do it, and you are issued a card. You have to present certain pieces of information about who you are to validate that. I would put in the type of health plan that you have as well, other components. All of that changes, too, so you have to have the capability of being able to change some of those components.
MR. SCHALK: I agree. I would rather see it done that way.
MR. GRIMSHAW: I would think that similar to -- if you are looking at doing these things at birth, the same process that you go are going to go through that you go through with the Social Security number right now would be feasible. Insofar as the physical card itself, I see it being used for establishing services and stuff like that. On a day-to-day basis, I see the health plans and stuff still issuing benefit cards. I know my benefit card has my copays on it, has some other information on it. I think they are going to have an identifier just like your Social Security number as when you go get a job, you have to provide your Social Security card, and you have to provide a driver's license and stuff like that.
MR. GELLMAN: I have some more questions, Mr. Chairman. I will wait for a later round.
DR. LUMPKIN: Simon.
MR. COHN: Your discussion, I was actually just sort of mulling over some of the discussion around how you might implement whatever number. Within my organization, we had looked at this a couple of years ago and not really actually thought that any internal reengineering of any of the systems would be necessary. Mapping is a likely technology that you would use with legacy systems which, at least in the view of a couple of years ago, seemed to be a relatively cost-effective way to deal with a new number, yet I do not see that well referenced by any of you in your discussions. Can you comment about that and the cost ramifications of just mapping versus any internal changes?
MR. GRIMSHAW: Right. So far as using an additional field as an identifier and mapping that to whatever the system, those are all possibilities. When talking with our client, their confusion was now having two numbers in a system for a given individual. As I said earlier, the systems, the changes required by the systems are going to vary greatly by organizations. Those that have very restrictive designs, home grown systems that everything was built for an eight or nine digit identifier as opposed to commercial systems which may leave 16 or more characters there available for a number could do the flexibility.
MR. SCHALK: I agree. I just do not think that I am aware of many systems like that, that are built that way today. As a matter of fact, I am not aware of any. If there are, then I would be -- I just do not think that they are the majority. I think most people have some kind of a defined set that does not seem to be quite as flexible as all of the alternatives that we have tossed around here today.
MR. ARGES: Actually, I missed part of your question. I did not quite hear it.
DR. COHN: Okay, I was just mulling over the costs related to system changes, and I was just -- at least when my organization looked at the whole issue of changing to a unique patient identifier, it had really thought that it was not -- I mean, that the main costs were not going to be system changes, they were going to be rekeying in new numbers and all of this, but that you could effectively set up relational databases to handle the mapping issues as opposed to having to make really any major system changes. It could be pretty much done outside of the system. I had not seen that really referenced in any of your comments.
MR. ARGES: Yes. I think you are absolutely right. There is a cost to convert to a patient identifier, but then there are the other costs that go along with that in terms of the crosswalking from the new number to the historical files and may contain information and verifying that information, too, to make sure that that information is indeed what belongs to that individual and keeping that current. I think those costs can be enormous. In fact, I think the cost of just issuing the ID is the least of your costs. I think the whole costs of educating, putting in safeguards and other crosswalks to change over historical files are probably going to be the bulk of your cost.
MS. FYFFE: Hi. Thank you for your presentations. This question is for everyone on the panel. Given your practical experience in the operations of systems involving health information, how much risk do you see in the development of a large database that would contain information that could be accessed that would provide a longitudinal patient record for someone? There has been discussion about the large database in the sky and Big Brother and the risks involved in doing all of this. Given your operational experience, I am wondering if you could comment on how feasible that sort of thing is and how much risk is involved, perhaps, in that actually happening.
MR. GRIMSHAW: That is a tough question.
MS. FYFFE: I know it is tough, but you guys have been out there in the field, and I would very much like to hear your thoughtful comments on that.
MR. GRIMSHAW: I do not know if I can give a real good statement on this. I know there are other eligibility systems out there used in Medicare today, CWF and stuff like that, that have a central repository for sharing information. I am not aware of the difficulties involved in there. I know that there are links to the carriers every evening and all of this type of stuff. I guess I really cannot answer whether a central or distributed type of system would be better. It can be very complicated.
MR. SCHALK: I think from my perspective, the central system poses the most risk, but I believe also from where I am in my industry that I think a large part of that exists today. I think that the question is and the risk is magnified by who is the owner of that database and what other ancillary types of concerns or knowledge they want to work out of that database. In my industry, we work for an employer, and the employer owns the data. We collect it and keep it. Because it is not in their particular domain, we feel that leaves a fair level of security and things like that, but I believe it could be exploited if there was a reason to do so.
MR. ARGES: Actually, I would think the costs would be just so enormous, and I am not sure that the goals themselves would be realizable as well. I think there is a lot that has to happen in order to do something along those lines. I am not sure that the benefits really would be there per se. Although there are instances where there are databases developed, they are not as large, I think, as what you may have envisioned with the question.
I do think, though, that the industry basically needs to take a look and realize, too, that there are limits. To some extent, the medical record itself are the thoughts of the physicians who treated the patients. They are the provider's account of what has taken place. In many cases, it is like the search for the Holy Grail. It is a continuous search, and really maybe the journey is the reality and not the endpoint. So, I am not certain that we would necessarily ever reach that endpoint.
MR. GRIMSHAW: I think while the feasibility may not be there today to do that, one thing that the identifier will do is pave the path for when technology and applications are available in the future, that at least the identifier, the groundwork has been laid to make that possible.
DR. LUMPKIN: I have some questions. Maybe I will take a couple of them, and then I will let Bob take a couple, and then I will take a couple back.
The first is, I thought I heard at least two of you say that you want a number, that there ought to be a number, which would tend to negate the biometric identifiers and the master patient index kinds of things. Did I hear that correctly, or is it all three of you?
MR. GRIMSHAW: I think on the number, as far as identifier, would be good. Whether there are other things associated with that, whether it be biometric or whatever but not part of the central identifier that identifies me as who I am, whether there is a validation process, whether it be to identify that yes, this is me, whether it be through biometrics or some of the other things mentioned in the paper.
MR. SCHALK: That is true.
MR. ARGES: Generally, it is true. Again, I think we are using identifiers today. The question is, there is no consistency.
DR. LUMPKIN: The other thing I heard, and I heard Mr. Grimshaw say that, so let me ask the other two, is that there is an opportunity cost which is that currently many systems are going to be revised because of HIPAA. If we phase this in, in other words we tell you what HIPAA requirements are now, and then wait a period of time and then tell you what the number is going to be or how it is structured, that that will be more expensive than if we tell you everything up front. Did I hear that correctly?
MR. GRIMSHAW: That is the point that I was getting at. If the two MPRMs are out now, they get approved, they are mandated two years. Let's say it gets approved by January. They are mandated in two years, but we are still another year in talking about the recipient identifier. When I go in to make those system changes, I am not going to be able to make the assumptions that I need to be able to make on that recipient identifier if I know it is going to change.
MR. SCHALK: I agree. I think there is an opportunity cost.
MR. ARGES: Yes, there is a cost to implement something and not know what the other component will be and whether that will basically have to go back and change the earlier components.
DR. LUMPKIN: Now I am going to ask you a question which you may not be prepared to answer, so feel free to give this back. Is it bigger than a bread box, that cost? I mean, obviously we are talking about a guesstimate, but some range or idea? Again, I do not necessarily want to pin you down today, but I think that may be useful for us as we begin to move forward to try to decide the time frames for making the decision.
MR. GRIMSHAW: So far as -- I guess you are referring to how big is the cost savings or whatever. Some statistics that I have had, if you look at some of the things that will occur each time you do a development, the planning and the requirements, the planning and requirements itself could be anywhere from 15 to 20 percent of a development cost. Testing is going to be from 25 to 32 percent of a development cost. If you look at those where parts of that can be shared between a central development, you have to form a test team. You have to put end users creating test scripts. You have to have people looking at printouts. You have CPU time required to run the jobs. Running them to take care of multiple things at the same time. I have to do all those same things if I have to do the recipient in the future, too. So, in that case, you can take -- the figure in the white paper said that the estimates were from $10,000 to $270 million. Wherever you fall in that spectrum, while you may have a system in there that may only cost you $10,000 to convert, you could take those percentages and say some part of that is going to be saved if it is all done together.
DR. LUMPKIN: I guess kind of following up on that question, the issue which is before us and comes up again and again is the cost benefit of doing -- the risk benefit, not the cost benefit -- the risk benefit of doing a unique identifier. That has to be weighed, the risk to privacy and confidentiality versus the benefit for continuity of care. If we were to say this is what we want it to be but we do not want to implement it until Congress does X, would that be a benefit as opposed to just saying we are not going to make any statements until Congress does X?
MR. GRIMSHAW: What I would advise my customer to do, if you would come out and say we know it is not going to be any longer than 16 characters, whether it be alpha or numeric, I would advise my customer to change their system to handle 16 whether it ends up being 10 or being alpha, I can handle it a little bit easier then.
DR. LUMPKIN: Okay. Bob.
MR. GELLMAN: If we view the decision here sort of strictly as an investment decision, with costs and benefits and how does it balance out in the end, it seems to me and I would like to get reaction to this, that a lot of the costs that occur are going to occur right away as people begin to change their systems. A lot of the benefits are likely not to be realized for a long time because it will take a while to implement the system, and we have an enormous backlog, if you will, of existing systems and records, all of which would have to be assigned a new identifier. The question sort of is how long do you think it would take before we get the full benefits realized and sort of viewed -- and this is a really impossible question, sort of viewed as an investment. Is this one of those things where you never recover the cost because it would take so long before the benefits start to appear that you might actually -- and given the time value of money, you might never get back to even?
MR. GRIMSHAW: Well, the costs are substantial from a starting point. I guess the difference between administrative costs and cost to health care, I think the administrative cost in the long run will eventually pay for itself. Some of the stuff that we use with this identifier we may not even realize at this point, but it is at least a path to get to future technology and future ways of doing things. The savings and the infrastructures that are in place right now just in what HIPAA does with the transaction sets and stuff like that. I know ourselves, we support many, many different transaction sets coming into our system and stuff like that. While the initial cost of converting everyone to a central one will be large, I look at what I am doing now today to support 10 to 20 different input transaction sets. The same with identifiers. The savings or the costs associated with that, while they would be staggering at first, it definitely -- if you looked at third party liability in Medicaid, right now, we could be missing millions of dollars that should be being paid by third parties and that are being paid by the taxpayer through the Medicaid program. Had we had accurate data matches with accurate identifiers, we could find out who is actually responsible for the costs of the health care.
MR. GELLMAN: One thing that occurs to me talking about transactions is that if we can get everyone to convert to a common transaction set in three years, the benefits will start being recovered at that point whereas the identifier thing may take a lot longer. Is that a fair comment?
MR. GRIMSHAW: Some of it is fair. There will be some initial stuff, especially on data matches and stuff like that where at least in the Medicaid program, you may be able to recoup some money that you previously paid out.
MR. GELLMAN: John do you have thoughts on this?
MR. SCHALK: I agree. I think there is a finite point, so I think investments would be recovered. I do not think that it would always be out there and unreachable and one change ahead of you.
MR. GELLMAN: George?
MR. ARGES: Actually, I think it depends really on what you include as part of the costs, I mean, whether there are some tangible benefits and some intangible benefits that could be accrued. How do you ascribe some of the cost benefits of some of the intangible items if you are able to basically better treat a patient as a result of that number, how do you assign a cost to that. Clearly, there will be costs. What they are, both short term in terms of moving to just the identifier for the transactions themselves is one dimension, but there is also what you can do once you move beyond that in terms of managing the patient's care across the continuum.
MR. GELLMAN: Well, and of course, they are also true in terms of calculating the costs if you figure out just the costs of having every American go down to an office and reregister for a card, that is an enormous number right there. Just whatever you are doing to recover that.
Let me ask you a different kind of cost question. This is more of a policy question. In the last Congress, legislation was passed to make it more difficult for Congress to pass legislation in the future that would impose an unfunded mandate on the states. The sort of policy behind this and the details of the legislation are kind of pretty complicated and not all that effective, by the way, but that is another point. It is legislation, after all.
It was that Congress should not impose costs on the states, state and local governments, that it does not fund. In this Congress, this sort of same principle has been carried a step further in proposals, not in legislation that I know of. It says, if we are imposing costs on private parties, that the Congress ought to fund that as well. So, the question is, who should pay for costs? I mean, if Congress says we have to have an ID, a health ID, there would be costs on possibly every single person in the country, and a lot of focused costs on people who are datakeepers, of course. Who should pay the costs? This is a policy question? Should the Congress pay for it? If HHS is mandating the requirement, should the money come out of its budget? Should the costs fall where they lie? should we tax people who are getting savings to pay the costs that are incurred by other people? Do you have any thoughts on this?
MR. ARGES: Speaking strictly to the cost of registering and enrolling the individual as far as --
MR. GELLMAN: Changing data systems, all of the immediate costs that you can identify.
MR. ARGES: Do I have any thoughts on it. I will probably throw up my hands and say it. Clearly, I think the government has a role to basically set the groundwork in terms of how this should proceed. I think it needs to be done really at a federal level in terms of the framework. I do think that the states obviously have a right to speak up and look at financing alternatives to help implement some of these components. If we are talking about health care across the country and the ability to access care, we have to look at it from how individuals basically receive care. It does not stop at the state line. It basically crosses state lines. Therefore, the framework should basically follow a set of national guidelines.
There should be funds set aside to do this. I do think that there could be a variety of financing methods that could be used and explored. What they are, I do not want to necessarily second guess, but I do think that you need to propose the recommendation as a benefit to the public and let the public basically guide the legislators both at the state and the federal level.
MR. GELLMAN: John, who should pay?
MR. SCHALK: I have not given a lot of consideration to that. The comments that were just made seem fairly appropriate. I have to admit, though, that the past year when we have been talking internally and going back and forth with this, I do not think that there was any anticipation of that. I think that we were more expecting that the costs fall where they may, the costs of continuing to do business. That is what I think is the more realistic.
MR. GELLMAN: Okay, Steve?
MR. GRIMSHAW: Looking at where costs are incurred, it does make sense from at least a commercial standpoint where the cost savings is going to eventually come in at. Insofar as some of the unfunded mandates, I know recently in the MPI discussion there were all different kinds of ways that MPI could have been done and whether the states are doing enumerating or whether the federal Government is doing enumerating and the states not being funded to do that enumeration and who pays for it there. It is also kind of falling where the cost is. If you have Medicaid providers and Medicaid recipients, in those cases, they individuals do not have it but those programs will need to be funded. Of course, then you are going to have the commercial side hollering you are paying for all of those systems to be converted and who is going to help us. I think it has to be looked at as to where the savings is going to be and where the costs needs to ride.
MR. GELLMAN: Thank you.
DR. LUMPKIN: Marjorie, did you have any questions? No, okay.
DR. FITZMAURICE: I would like to know, from the experience of the panel, would you have any guesses as to what percent of the companies or the claims or the health care transactions do in fact usually contain the Social Security number, and do you have a sense of what is the level of abuse of personal health information and how that might change if we had a uniform health identifier? What I am trying to do is get a sense of what are companies using now and secondly, if the change goes through that is proposed by HIPAA, do you see a change in the level of abuse?
MR. GRIMSHAW: As far as Social Security number in the transactions themselves, I know at least in our program that we are running in Missouri, it is not in the transaction itself. We use a specific Medicaid identifier. As far as abuse, I really cannot talk on it.
MR. SCHALK: As far as non-Medicaid kinds of systems, I believe that the Social Security number is used primarily, so I think it is there. There are other numbers associated with it but when you are doing customer service, when you are doing work with the patients, that is the number that you know.
As far as abuse, I do not think I see any abuses. That is again my industry, not having the reason to do that or to exploit it. I do not see it.
MR. ARGES: The only one that I know that is included on the transactions is probably Medicare, but then there is probably the little caveat in terms of reassigning the number to the wage earner, basically, as part of that process. The SSN in many cases is routinely collected at the time of admission. It is kept on file, in many cases, on the provider side as part of that process. Looking at the white paper in terms of what they talk about in terms of the issues with the SSN, I think a lot of things need to be cleaned up as a part of that process to move things forward to use the SSN as part of the number in the system.
In terms of abuse, overall and fortunately, I would say that there has not been a whole lot. There are sporadic incidences where the potential has not happened. The sporadic instances where it has happened, but the potential for it to be larger is there, but it has not happened.
DR. FITZMAURICE: Could I just follow up. The second part of my question was, do you think if we move from whatever people or companies use right now to identify patients to a unique health identifier, do you think there would be more abuse or about the same or less abuse?
MR. ARGES: I would say about the same. It depends. Once you establish a national number, my guess is the opportunities to better identify the population and what their needs are will probably grow. Part of it may be to the public even asking for some of that in terms of being able to be solicited for certain types of additional benefits that they may want. The question is safeguarding the detailed information that goes with the number and that is the medical information that is part of that process and what you should release, when to release it, and how long is that release good for is another issue that I think still needs to be further explored.
MR. SCHALK: I would agree to that.
MR. GRIMSHAW: I would think that it would be similar to the Social Security number. Currently, if you look how many years back when they were talking about the Social Security number, how it was only to be used for one purpose and how it has changed. You can see the potential for that to happen to this, too.
DR. LUMPKIN: Thank you very much for good testimony. No more questions? I would like to thank the panel very much.
At this point, we are a little bit ahead of schedule, but for those of us who are used to eating lunch at noon, we are running a little bit late. What I would like to do is to -- is the 2:30 panel -- are the folks here for that? Do we know? Let's try to do that at 2:00. We will adjourn now and reconvene at 2:00.
[Whereupon, at 12:55 p.m., a recess was taken until 2:30 p.m. that same day.]
DR. LUMPKIN: Okay, we are going to get started. If you could introduce yourselves.
DR. HIEB: I am Barry Hieb. I am with the ASTM Medical Informatics Committee.
DR. LUMPKIN: Could you perhaps move that microphone a little bit closer so that the folks on the Internet can hear you.
DR. HIEB: I am Barry Hieb. I am with ASTM E31.20 on Data and Systems Security for Health Information.
MS. RUDOLPH: I am Barbara Rudolph, and I am the Director of the Office of Health Care Information in the Department of Health and Family Service, State of Wisconsin.
MR. GABLER: Jim Gabler. I am with Healthdyne Information Enterprises, and I am also co-chair of the HL7 Special Interest Group on MPI Mediation.
DR. HIEB: Good afternoon. I want to make sure that all of you have had a chance to get the handouts that are associated with this presentation. As I indicated, I am with the ASTM. For the past five years, members of ASTM E31 have been addressing issues related to the creation and maintenance of a national individual health care identifier. This has resulted in the creation of a national standard designated E 1714-95, which you should have a copy with dealing with the properties of a national health care identifier. In addition, I have attached a copy of a white paper that has recently been jointly developed by ASTM and CPRI which summarizes and prioritizes the requirements for an NHID.
I would like to thank this committee for permitting me to represent ASTM. I would like to also thank ASTM for supporting my ability to attend this meeting.
In the interest of time, I will only comment briefly on the first several pages of this document, and I would draw your attention to the diagram on the bottom of page three which is figure number one. This gives a look at the implementation of a national health care identifier which has been proposed by ASTM. As you can see, ASTM is proposing both open and encrypted identifiers. The open identifiers are called UHIDs and the encrypted identifiers are EUHIDs. In either case, a full identifier is 25 -- I am sorry, 29 digits including one non-numeric delimiter digit. As you can see, both encrypted and open identifiers can be compacted. The typical length of a compact open identifier is 16 digits, which is roughly the length of the identifier as you currently have on your Master Card and Visa. Encrypted identifiers will be several digits longer depending on the usage.
There are a couple of points that I think are relevant here. First, ASTM believes that some of the privacy and confidentiality requirements and concerns, as for example you indicated, Mr. Gellman, are very significant and deserve very careful consideration. We believe that our design, which allows not only an open identifier for individuals but multiple encrypted identifiers for individuals goes a long way toward addressing those concerns. I will return to that in a moment.
ASTM believes that the UHID/EUHID proposal it has created has clear advantages over competing proposals with respect to the requirements that have been listed earlier in this document. The UHID is guaranteed unique because it is based on a database system that oversees the issuance of these identifiers. It has sufficient capacity to allow us to guarantee to be able to support at least 40 generations of Americans.
Internal to the identifier are check digits which permit validation that the identifier is correct to the part of one part in one million. Because both open and encrypted identifiers are of the same format, they can both be processed by computer systems and do not require any additional fields to be valid as representations of an individual.
There are available up to one million encrypted identifiers for each individual. This allows us to issue encrypted identifiers for specific purposes where the usage policies and the security and confidentiality pertaining to that series of identifiers may indeed be different from other identifiers. We believe it is this multiple identifier capability which is built into the ASTM proposal which represents one of its key strengths because it allows us to begin issuing these identifiers today and to continue to issue new identifiers in the event they are required, for example, by new legislation which would occur tomorrow.
The UHID proposal is focused exclusively on the needs of health care, and ASTM believes this is a major advantage because it allows us to make sure that whatever we implement is designed specifically to meet the needs of health care and is not influenced by requirements from other agencies or market segments. By taking advantage of currently existing computer networking and internet technology, the UHID can be implemented in both a rapid and cost-effective manner. ASTM believes that these advantages and numerous others which are outlined in the attached documents combine to make the UHID proposal the leading candidate for implementation of a national health care identifier.
Several comments are in order. It has been duly noted that an identifier cannot insure or guarantee security, privacy or confidentiality, but it is also true that an inadequately conceived identifier can limit our ability to perform those functions. It is the ASTM's opinion that a universal health care identifier is a design which specifically avoids those limitations and allows us the maximum freedom to meet those needs both today and in the future.
Secondly, there has been significant discussion by this panel about an EMPI or a national health care identifier, and it is the ASTM's opinion that that is not an appropriate question. Those should be EMPIs and national health care identifiers. We believe that for the foreseeable future, the existence of systems as were mentioned this morning that are old, that cannot change their particular formats, that may have difficulty adapting to a national health care identifier, mean that the combination of a national health care identifier and appropriate EMPI systems is the most effective way to meet the operational needs of health care.
Third, there was a question this morning of who pays for this. I believe the answer is obvious. We pay for this system. Whether we do it through federal taxes, through state taxes, through premiums to HMOs, we pay for this system. I think there is a simple algorithm to determine how that payment should be divided up. That is, we should try to optimize the payment mechanisms to the various components. For example, a national health care identifier is a national system, and it seems unlikely that any organization other than the federal government could effectively oversee the implementation and reimbursement of that component. On the other hand, a particular health care provider's information system that requires modification is unlikely to be effectively paid for by the national government but much more likely by that provider. So, I believe that the appropriate question is not who pays but how do we allocate the cost optimally to make sure that the cost is as small as possible.
Fourth, there has been significant discussion about delaying the implementation of a national health care identifier because the security and privacy requirements have not been effectively put into regulations. ASTM believes that it is possible because of the multiple encrypted identifier capability of its UHID/EUHID that it is possible to proceed now, that one can implement this system with assurance that it will support what is known and what is functional today without limiting in any way the ability to modify or expand that capability later.
Finally, it is ASTM's understanding that there are probably two major candidates for a national health care identifier at this point should it be chosen to implement one, one being the UHID and the other being the ESSN or enhanced Social Security number. We believe that there are a number of unresolved issues concerning the ESSN proposal and that until those issues are answered it will be impossible to fully evaluate that competing proposal. As an example, we are yet not aware of a decision as to whether the ESSN is designed to replace the Social Security number or to be in addition to it. That fundamental question drives a number of other questions that we believe are very important to answer if we are going to obtain the ability to properly evaluate that option.
In conclusion, the creation of a national health care identifier promises to have long-term benefits for health care automation systems. Creation of an identifier with appropriate functional characteristics should prove to be a boon for the ability to link information from disparate sources into a single, comprehensive, consistent electronic medical record while at the same time preserving and actually enhancing patient confidentiality and privacy. Conversely, choice of an identifier implementation which has significant functional deficiencies may make it impossible to achieve these goals. The requirements and criteria outlined in this paper need to be carefully measured against each proposed NHID implementation plan to ensure that health care receives the maximum benefit from the time, effort and money which is being invested in the creation of a national health care identifier. Thank you.
DR. LUMPKIN: Thank you. Ms. Rudolph.
MS. RUDOLPH: Good afternoon. First of all, I would like to thank the National Committee on Vital and Health Statistics for this opportunity to comment on the unique health identifier. Before I do that, I would like to also lay the groundwork or the context for my comments. I am from the Wisconsin Department of Health and Family Services. We are the agency within the State of Wisconsin that has administrative responsibility for the Wisconsin Medicaid program, the high risk insurance program, the state mental health institutes, the state long-term care system, the regulation of health care providers, hospitals, nursing homes, the public health system, and the state health data organization and many other smaller programs. We directly provide health and welfare services and indirectly pay for health and welfare services for hundreds of thousands of Wisconsin residents.
Our testimony today will cover the following critical questions and their answers. What must be in place for use of our proposed unique health identifier. which identifier does the Department of Health and Family Services in the State of Wisconsin recommend to the National Committee and to Secretary Shalala? What are the benefits of this recommended identifier? And, What effects would there be if the national committee and Health and Human Services proposed a different identifier? Then, What can we anticipate thus far along as to the overall effects of HIPAA on our department.
Our responses will encompass the three questions posed by the committee for this particular panel, that is: What are the ideal characteristics of the identifier, that is structure, length, et cetera? What are the best criteria for choosing the identifier? Should the identifier be encrypted? How and under what circumstances should encryption be required?
First off, what do we think should be in place for use of our unique health identifier? We consider the public's concern about misuse of personal identifiers to be real and valid, and therefore, we must support the national committee's stance in regard to the passage of confidentiality provisions. Before any personal health identifier is put into place, the citizens must be reassured that threats to their well being are being taken seriously and are being attended to by the health care delivery system and the state and federal governments. Passage of confidentiality provisions must take place prior to rules on the unique identifier. Without our assurance that individually identifiable health information can be safeguarded from misuse, passage of a politically-acceptable unique identifier may be impossible.
Second, the Department of Health and Family Services in the State of Wisconsin supports the uses of individually identifiable health information outlined by the Secretary in her speech to Congress on September 11 of 1997. The Department in Wisconsin must use individually identifiable information to manage and monitor its many health and welfare programs. The data and information available for this oversight must not be reduced. It is critical to have access to information regarding utilization, eligibility, in order to assure that eligible individuals receive health and welfare services.
Individually identifiable information is also necessary to assure that programs sponsored by the department are not misused. This is critical if we are to maintain the support for services for those who are eligible and are in need.
Data within a state agency such as DHFS should be available across programs. We have found high levels of cross program participation and need individually identifiable data to link across programs and better serve high users of services.
Additionally, we make use of the data and information for improving the health of the public. After stripping off identifiers, we release information for consumers and purchasers who are charged with decisionmaking for their particular plans through our state health data organization. Health care researchers in Wisconsin also need data with identifiers for specific health research including areas of research such as cancer, cardiac surgery, et cetera. These uses must continue to be supported albeit with differing levels of access or authorizations.
In addition, we recommend that an educational program for the public be designed and in place for reassuring the public about the use of individually-identifiable health information. The federal government must make all efforts to combat misinformation or privacy concerns with solid information about the safeguards in place for an individual's health information.
Which identifier do we recommend to the national committee? After consideration of the proposals listed in the white paper and the earlier discussion paper, our department recommends the use of the Social Security number with a check digit referred to in the white paper as the proposal of the Computer-Based Patient Record Institute. This suggestion follows our first suggestion that passage of confidentiality provisions must occur prior to the final rules for this unique health identifier. In fact, we could support holding the MPRM back for the unique patient identifier until the confidentiality provisions are signed into rules and implemented.
Of concern are the many issues you have outlined in the white paper including the presence of duplicates, invalid numbers and misuse. For those reasons, we recommend the addition of the check digit. It is useful in eliminating duplicates, invalid numbers and some misuse of the number. A single character check digit is sufficient for the uses just described. We also recommend that the check digit be numeric rather than alphanumeric. Our recommendation is based upon the lower costs associated with numeric versus alphanumeric codes.
We would discourage use of identifiers of increased length, that is more than ten characters, or encrypted identifiers. These alternative identifiers would increase difficulties in implementation associated with correctly matching patients with new identifiers and would also result in large numbers of health plans and providers being required to use an encryption algorithm. These factors would increase costs and negatively impact patient access to care by making it increasingly difficult for smaller providers to continue to provide health care services. This problem could be particularly acute in rural areas such as northern Wisconsin.
We were to recommend that the Social Security Administration continue its efforts to improve their enumeration process for the Social Security number. Improving that process will have many additional benefits beyond the use of the unique health care identifier.
The benefits that we see for the recommended identifier are the following: We chose the Social Security number with a check digit because it already exists and is widely used for identification. A trusted authority exists and is well known by the public. Our Medicaid program in Wisconsin uses the Social Security number with a check digit and has found this to be satisfactory as an identifier for health care payment, enrollment and eligibility. Health care providers in Wisconsin frequently use the Social Security number as the patient's medical record number, and I might add as to health plans in the state use it as the subscriber numbers.
Changes to another health identifier would be more costly to implement in the current health information systems operating within our department. Finally, the public can remember this number, an important attribute.
I will skip over some of the benefits of the unique patient identifier in general which I have outlined in my testimony that the panel already has.
What would we expect or what effects could be predicted if the national committee and DHHS were to propose a different identifier from the Social Security number and check digit? We believe that all other alternatives would be more costly to implement than the Social Security number with the check digit including the option of doing nothing at all. Doing nothing may, in fact, be the most costly given the loss of important tracking information, the delay in availability of medical information during a crisis, et cetera. It is difficult, if not impossible, to quantify the dollar value associated with losing this opportunity to make health care data more useful.
Should a longer identifier be passed into rule, the State of Wisconsin would incur considerable costs to alter its information systems. Adding extra fields, especially the high number of fields proposed for non-SSN identifiers would be extremely costly to the state's Medicaid program, especially in the Medicaid Management Information System called the MMIS and the eligibility determination system.
As I have mentioned before, changing to alphanumeric fields is more costly than adding numeric fields. In addition, unless a longer identifier uses the SSN for correctly matching the new identifier with the patient number currently on file, incorrect matches could occur, the result of which could be detrimental or even deadly.
In terms of what we anticipate thus far as a department as to the effects of HIPAA, we have carefully examined the first two MPRMs. We anticipate significant costs for implementation, especially for the state Medicaid program. Because it has the largest and the most complex information system, the MMIS, within our state department, cost to implement the MPRMs seen thus far are substantial. Also because of the year 2000 problem, it is difficult to find the skilled programming staff to make the changes for HIPAA implementation.
Other areas of the department will also require significant reprogramming to switch to the new transaction standards. Of particular concern to some units within the department are conflicting federal regulations, potentially resulting in the development of multiple crosswalks or other kinds of system accommodations. I give one example. The National Center for Health Statistics has mandated use of the ICD-10 codes one year prior to the change required for HIPAA.
We are also concerned about DHHS's silence on other federal data systems such as the MDS. Clearly, these systems, we believe, should be compliant with the data definitions and coding found in HIPAA proposed rules. We are also extremely concerned about maintaining duplicate systems and would prefer that a turnkey deadline be established rather than the current strategy of willing business partners which would allow early implementation resulting in dual formats for data. Maintaining information in two formats may lead to errors in the data and is much more costly for our state to support. A turnkey deadline could reduce costs.
Because this is an unfunded mandate, we would like to reduce costs where it is possible to do so without sacrificing the overall intent of administrative simplification. Thank you for consideration of this testimony.
DR. GABLER: I wish to thank the chairman and the committee members for the opportunity to address you on the issue of the health identifier. It is obviously a very challenging task.
I am not going to advocate for a particular health identifier; that can be done much more effectively by others as two of my co-presenters here have said. I am going to suggest that a tandem of a health care identifier and an MPI can be very effective in addressing a lot of the issues that are faced by the committee.
My background is that I have been both an advocate and a user of an enterprise-wide MPI since the mid-1980s. I have been involved in several efforts, one of which is the HL7 Special Interest Group on MPI Mediation, as well as being a participant in the CORBAmed PIDS(?) definition.
I am going to be going through a handout which I hope each of you got. Just a very quick history because there are a couple of issues that I tried to highlight in history. There was a series of MPI workshops that was really initiated by Los Alamos National Lab, but there were a number of others from CPRI, HOST, HCFA and so forth -- and the University of Virginia and so forth that held a series of sessions to try to define what the issue of an MPI was.
It was really triggered by the need to tie together a person's health information. There were two things that came out of that I think are very significant. One is the identification of the need to accurately identify a person has to occur first. Historically, there has not always been sufficient emphasis put on the need for accurate identification. The second thing is that the structure that was developed was a peer structure rather than a hierarchical structure, and that has bearing on some things that I am going to cover later.
That was in 1996. In 1997, the people that had participated in the workshop realized that they needed to be associated with a standards body if they were going to be able to move forward and chose to associate with HL7. At that time, we became a special interest group in HL7. We felt that MPI mediation offered a significant tool for facilitating the implementation of the HIPAA health identifier.
I might also add in here that we specifically use the term "MPI mediation" because there is a mediation aspect. You might also be interested in knowing that there was no consensus on what MPI should stand for, but we kept it because there was a warm fuzzy associated with what MPI. Probably, if you had to choose two terms that best describe it, it is more of a person directory, and I will use it in that context. If you use anything other than MPI, people often do not know what you are talking about, so we decided to keep MPI and stay away from what the words have typically meant in the past.
More recently, in the early part of this year, CORBAmed finalized a definition for interface to deal with patient identification between systems. That model that they developed in that has been shared with the HL7, and there is a significant amount of overlap both in participants and in the model. Having been involved in all of these, I am trying to give a composite here as we go through this.
Just to give you a quick summary of what I think makes the most sense is that I believe a unique health identifier is definitely needed, but it should not be the primary ID in the local system. The health ID should be associated with a person as an additional data field or perhaps a secondary ID but not as the primary ID. Part of this comes from just the mechanics of the process of systems identifying a person, but there are some other factors that I am going to build on in this. In addition to that, we believe that MPI mediation directories can be used to improve the accuracy of the associated ID. It enables a more consistent -- and I think consistent is actually the key word here, but the accuracy that can come out of a consistent process and determining the association as well as the cross-reference or the associations that go along with that.
A couple of observations that I think are in order. Multiple IDs are already associated with a person. I believe it is really more effective, efficient and economical and far less traumatic to try to work with those IDs rather than to totally go through and totally replace those. There are some very practical reasons for that in terms of systems being able to change over wherein it is much easier for a system to accommodate associated information.
There is also a key element of the vulnerability at the point of identification. We can talk a lot about what a health identifier does in pulling information together, but there has to be due attention paid to the fact to make sure that we have the right identifier associated with the person up front in the process. There is no way to get around the fact that at some point there will be some human involvement involved in the process. As such, there has to be correction mechanisms to deal with that. It would be great if anybody would walk in and have an automatically-assigned number, but there are just two many situations that could potentially appear where you may not have that.
We also believe it is more manageable to separate the validation of an ID associated with a person from the actual usage of the ID. By that, what I am referring to is that if you have incorrect information associated with a person, it is actually easier to find and to correct that information than if the incorrect information is actually applied as a primary identifier. So, when you start to separate the validation, you can say one part of the process associates it and the next part of the process makes use of it.
The fourth point really came out of the CORBAmed process. We referred to ID domains, and an ID domain really refers to -- you can think of it as a system that assigns an ID in order to do its work. That is just fundamental to computer processing. A key element is that an ID domain needs to control the IDs in order for it to proceed. If there is a conflict in that process, it holds it up. For example, if somebody comes in and claims to have the same Social Security number as someone else, you cannot hold up the care for that person until that can be resolved.
The idea of an ID domain was just a mechanism to recognize that a system has to operate within that realm, and so a local ID domain would be a physician office system, a hospital system or whatever. Its ID has to be the primary ID, and then you associate with it whatever other ID is going to be used to tie information together.
I have a couple of diagrams on that to show you where the standards model is currently and where we intend to go further. This current model is dealing with what I have loosely described an enterprise directory. Most typically, that would be an integrated delivery system or some composite that recognized that there are multiple facilities that need to cooperate with a given patient population and defining the mechanism for how that functions with the existing MPIs that may exist in a local system. I am calling that the enterprise model.
The next step in this, and this was really precipitated by those initial workshops that LANL started is defining what I am generally calling here a specialty directory. A specialty directory could be an HMO that wants to identify its population. It could be a state government that wants to identify a subset of its population for some reason. Whoever wants to track a population would set up their own specialty directory, and it would point to the appropriate enterprise directories.
Now, the key to this is that this is a peer model. The lines connecting to the enterprise directories are not balanced just to indicate that not everything crosses over in every way but more to represent the fact that if you want to track a population, the capability to know where to find that population without necessarily holding everything in the specialty directory itself.
The next step in that is what I call the hierarchical use of the peer model. You can obviously build a hierarchy out of the peer model, and there may be hierarchies that exist for different reasons, but you are still going to have basically a peer model in terms of how that is to be used. There are obviously a lot of issues to be dealt with, and that is why the standards efforts have dealt first with the enterprise directory. I will start to move into dealing with what I have loosely labeled the specialty directory.
In terms of a suggested approach, I think the key element here is the idea of a coordinating tag. That is really what a health ID would be used for. This is really what an ID is used for within an enterprise system or any other system. The key is to have something assigned so that you can use it for coordination. That then allows a number of disparate activities to take place asynchronously to the central process so that you can pull it back together. This would also allow existing systems to do their own validation of the ID that is associated with a person. They may use a mediation directory in doing that validation, but nevertheless, existing systems do handle that task of validating the ID now.
The system could optionally store or not store the ID depending on the mechanics of the process, and this is where you start to get into some of the cost impact of whatever comes out of the recommendation of this committee to the department, and the ability to add that associated health ID to the outbound information when it is required. Again, the mediation directory could be used to supplement that if it is not specifically stored in the system. That then separates that from the process of consolidating systems which combine the information based on that health ID.
An example that may not be exactly politically correct given all of the adverse publicity that the IRS has gotten recently, but I think there are some elements to the IRS that I think embody some simplicity that is worth looking at. That is the fact that there are a number of systems around the country that send information to the IRS. They have a coordinating tag, in this case the Social Security number, and they use that coordinating tag to pull everything together so that they then get a composite picture on an annual basis of an individual.
I am taking that at a very high level. Obviously, how you carry that out can go in different directions as we have seen recently, but the model of allowing a coordinating tag to pull together a number of systems is really the model that I think makes a lot of sense. It simplifies the process quite a bit and gives it a lot of flexibility in terms of what that coordinating tag really is.
A couple of issues that I think this fleshes out that I did not see particularly addressed in the material before today. One is this issue of levels of validation. The validation I am referring to is when someone appears to be identified, you can go through a process to identify them. There are some very good matching algorithms that can be used, but fundamentally, you are dealing with the issue is the information provided by the person or is the information provided by some official document. I think there should be some capability to say here is an ID and perhaps some level of validation associated with it.
I am mindful that the immigration service requires that you have some solid document to show who you are, which is different than just saying, I exist. Employers have to deal with that type of paperwork. In the state of Arizona, where I live, if I do not have some official document showing my Social Security number when I go to get my driver's license, they have an alternative process for that. So, they are recognizing that there are different levels of validation. That can be done a number of different ways, but it is an issue that I think has to be recognized in terms of how this information got that health ID associated with it.
Also in terms of types of errors, I call it transition errors, but basically you could call it mistakes. I think they can be reduced over time. we are going to be getting better tools by which we can deal with, Here is my ID, but there are also some very good mechanisms for monitoring that process to make sure that it is done accurately, and that is more of a management issue. That, I think, is completely separate from the knowingly false situation where someone is trying to deceive the system. I do think that there are two aspects to that. One is that you can never 100 percent prevent deceptive practices, but on the other hand, you can create some tools to certainly deal with that. I know that there are portions of the legislation that deal with very definite penalties if someone purposely does it. So, both the issue of preventing as well as the issue of monitoring have to work hand in hand.
Then just to summarize up again, I think a unique health identifier is very much needed, but it should not be looked at as the primary key in any system but simply an associated bit of information that could be used. This allows you to use whatever associated identifiers that person may have available to them when you go through the identification process, making that more accurate itself and that MPI mediation directories can be used to improve the accuracy, primarily through the fact that there is a consistent process that can be applied to it. Thank you very much.
MS. FRAWLEY: Thank you, Dr. Hieb, Ms. Rudolph and Mr. Gabler. I would like to open it up to questions. Kathleen, do you want to start?
MS. FYFFE: Yes. Barbara, what is MDS?
MS. RUDOLPH: It is the new data collection system. Perhaps some of the federal folks could answer this better, for nursing home patients.
PARTICIPANT: Minimum data set.
MS. FYFFE: Oh, the minimum data set. Oh!
MS. RUDOLPH: It is related to nursing homes.
MS. FYFFE: I am sorry; I should have realized that. Barry, I am going to play the devil's advocate here. One of my concerns in terms of the use of identification number is how small providers, for example small home health agencies, et cetera, and those in rural areas are going to be able to take advantage of administrative simplification because they are not that technically advanced. Although I am comfortable with a lot of what you have said, my concern is how the smaller providers and those in the rural areas would be able to use the identifier that you all have proposed?
DR. HIEB: Well, in a certain sense, this is designed to be very scalable. These days, I would say the physician's practice office that does not have a PC is quite rare and essentially a vanishing breed. We believe that that is an adequate level to start using this because we believe that the implementation should be based on some of the secure Internet technologies which are essentially available as part of, for example, Microsoft Office package, Internet Explorer. So, we do not believe this is a particular burden on small organizations. But, I do also want to reinforce Jim's idea that basically what we want to do is to let these systems continue to operate as they have with their existing identifiers and add the national identifier as an additional data item. That minimizes the impact on these systems.
MS. FRAWLEY: Mr. Gabler, I would just like to ask you, for the MPI mediation directory, do you have any recommendations in terms of what data elements need to be a part of the directory?
MR. GABLER: Quite frankly, when we were going through this process, we not only had trouble defining what the letters stood for but also trying to get a common definition, which I am sure you may have seen that issue in other ways. The model that was used in the CORBAmed PIDs basically described a set of demographics because part of what the process is is to go through and do a matching process. Matching starts to get into issues like some fields, you know, you can say how close they are in terms of real values. Other fields start to form confirmatory.
There was not enough consensus to say, This is a mandatory set, so the PIDS definition itself can go from almost very few data elements and broaden all the way up. Obviously, the matching routine is the more information that is in there the better.
I also want to distinguish between the fact that if you move the validation to the front end is where you need that set of demographics to do the matching. Once that coordinating tag is assigned, then that greatly simplifies the downstream task of dealing with it. That was one of the reasons that I proposed the separation of the validation from the usage and basically hold accountable for whoever is sending the information in to go through proper procedures to correctly identify them. That then puts the issue of which information is used more in those systems as to how they deal with it and to get you out of a lot of the issues of a composite picture at some point that is hard to get a consensus on.
That does not mean -- you know, at the same time, you can also say use good judgment, and you can set some guidelines for that. That is also where you start to factor in what is available in given systems and the time it is going to take some of these simple systems to be able to accommodate these more complex things. That is where the mediation directories, I think, can provide that.
MS. FRAWLEY: The other thing that I was curious is are there any models that you can point us to right now in terms of the MPI mediation directory? Is there anyone who is really testing this?
MR. GABLER: There are number of them that are in various stages of it. I would rather shy away from saying a particular place. There are a number of vendors that are trying to address this issue. There are number of standards groups that are addressing it. I would say in probably before the end of the year, we will probably see some sites that have some semblance of what we are dealing with here. Unfortunately, it is an area that has drawn a lot of interest, but there has not been a hardened definition for people to move ahead, so it is sort of like we need it but what is it.
MS. FRAWLEY: Barry, I had a couple of questions. This morning, I know you were here for some of the testimony in terms of some of the costs and the benefit, and certainly we heard from Ms. Rudolph that if the department in Wisconsin had to change to something other than the Social Security plus check digit, that would have a significant impact. Certainly the ASTM proposal is talking about up to 29 digits. So, I just wanted to get you to just talk a little bit more about that particular issue, I mean, the realities of having such a large number. Then the second thing that I thought could be helpful to the committee is really just to talk a little bit more about some of the work with CPRI in terms of what has been going on there.
DR. HIEB: Well, with respect to cost, as I think Barbara indicated, perhaps the most expensive option is to do nothing. So, I think we all agree that that has major problems. The part that I am curious about before I could really comment on Barbara's recommendation is what really were they considering as the ESSN. As I indicated, for example, were they talking about replacing the Social Security number or doing it in addition. There are all sorts of subsequent things. I think technology has gotten to the point today where the issue of how long is too long or whatever is not really an issue for the computers. It is an issue for us as humans in terms of how we can -- how many digits we can remember, and it is probably an issue in terms of displays, how big a space do you need on the forms and things. It is not really an issue. If you are going to put in a new identifier, then whether it is 15 digits or 30 digits is not the issue. The issue is more one of if you say it is 15 today and then you change it to 27 next week, that additional change is the thing that gets you into trouble.
Similarly, these days, you can create software to do the encryption and the decryption and distribute that free over the Internet. So, the expensive part is creating the software once and making it available, and then, obviously, the expense of including it in the various places that want to use it. We believe that no matter what, the State of Wisconsin will find that if they go to the ESSN or the UHID or a biometric identifier, they are going to encounter significant costs.
There are ways to mitigate those costs, but none of these are free, and that to a close approximation, we can demonstrate that the important thing is that this committee make a choice that is functionally robust. Given that it is functionally robust, that is that it can support today's needs and tomorrow's needs to the best that we understand them, that the prices of those different implementations are likely to be fairly similar.
The second question that you had is working with the CPRI. For the last several months, there has been a joint effort going on between ASTM and CPRI to synchronize the various documents and requirements around a national health care identifier. The white paper that you have entitled, "Prioritized Requirements for a National Personal Health Identifier," is an attempt to summarize those requirements. Let me simply say that when you boil it all down, the current total is 54 different requirements, and the tables in that document attempt to provide a consensus prioritization of those as to they are essential for the proper creation; they are very, very helpful; they are kind of optional; and they do not seem to have an impact. Using those four categories, CPRI and ASTM has agreed on all but one of the 54 criteria in terms of its priority. So, we hope that that prioritized list of requirements will be used to help evaluate possible implementation options.
MS. FRAWLEY: Barry, just a final question. Are you familiar at all with the VA in terms of the working that they have been doing in terms of the UHID?
DR. HIEB: Yes. Basically, the VA has combined the ASTM UHID capability with their internal master person index and essentially is in the process of rolling that out to the total VA population which means that when they are done, it will be roughly 26 million veterans, which is roughly 10 percent of the U.S. population, under that system. The implementation that they have done is essentially the UHID, not the encrypted part, but it is the same syntax and format.
MS. FRAWLEY: Thank you.
DR. COHN: This is a very interesting panel. Thank you all. I am trying in my own mind to put together the presentation by Mr. Gabler and Dr. Hieb, your presentations, and trying to decide whether they are consistent or thaganal(?) or what, I guess is sort of the question.
I thought I might start with you, Mr. Gabler, about your requirements around a unique health identifier. As I read your overheads and listen to you, I cannot decide whether a unique health identifier is sort of almost besides the point, or whether it is critical, or really where it fits in. I am sure curious about, if one uses an MPI such as I think you were describing, whether one needs all of the requirements identified in the document that Barry has brought or whether it changes things completely. Can you comment?
MR. GABLER: Yes. First of all, the process that whether it be an enterprise directory or a specialty directory goes through is to try to say I have one point for this person. That, in itself, implies a single ID for that individual just by the mechanics of the system. If in the process of doing that you assign -- you have associated with it a number that you can use to further consolidate, you have simplified the process in other places. That is why the position that I feel makes a lot of sense is that yes, there needs to be some kind of an identifier. The mediation process can help facilitate not only the accurate identification of it but also the association of it with an individual no matter how you go through the identification process. A person could come in with just their HMO number. You use that to associate it with their health ID. They could come in with any number, and once you know the individual, this is the process that goes on every day whether it be in the physician's office, a clinic or whatever. In a physician's office, they know people so well, somebody walks in, and they know Smith, and they know exactly who it is. They are going through an identification process that is not rigorous but is accurate.
As you deal with larger and larger patient groups, you have to go through some kind of a matching process that is a little bit more sophisticated, which is what the mediation deals with. Once you have found John Smith or whoever, you now know who they are and what is associated with him. That is where a health identifier makes a lot of sense to proceed forward. Now, there are a lot of issues associated with that. Among them is do you take something that is assigned by somebody else and use it, which the IRS example I gave earlier dealt with, or do you create a new number.
One of the things, the approach that I described is that it frees you up to deal with them on a more equal footing, to say that we could assign our own number and whatever makes sense to do it because we have a mechanism to associate it, or we could piggyback off of a different number. There are a lot of issues related to that, and as I understand the document you are referring to, there are a number of issues, no matter which one you deal with. The groups that I have been associated with were more interested in saying if you have a number, how do you deal with all of the other mechanics because other people are a lot smarter than we are in determining the mechanics of the identifier itself.
There are so many issues associated with it, not the least of which is the confidentiality and privacy issues related to it. We just knew that we needed a mechanism to deal with systems as systems. That is where the association aspect of mediation comes in.
DR. COHN: Let me just follow up, and you may not be able to answer this one now. I am just struck as I look at the different -- the uses of the unique health identifier are very different. I mean, Barry's is obviously meant to be a main unique health identifier whereas yours is more of an associated, back end sort of number in some sort of computer system, it sounds like, and you still might have your Kaiser number or your United Healthcare number and certainly your name and everything else.
I would actually just be curious. Once again, you do not have to answer now; you can come back, perhaps in just a letter, but I would be curious on the basis of what you need, based on you view of the world, whether or not all of the requirements listed are applicable in your vision of the world or whether some of them could be -- are not quite so important if one approaches it using an MPI and then also has a number on top of it. You may have a comment now, or you may want to hold.
MR. GABLER: I do not see it as being inconsistent with what either Barbara or Barry covered in their presentation. When you assign a number, there are a lot of issues that have to be dealt with, and those factors are dealing with the implications of those issues. I do not see this as just a back end number. I am saying here is a mechanism to associate a number. Now, let's put some good logic on choosing that number, and so I am bringing to the table one piece of the puzzle. Other people are bringing other pieces to the puzzle. I really think the MPI mediation has -- that piece of it has not been addressed as much as the issue of what the identifier is. It does free you up to say that not only can I create a unique identifier, like Barry was suggesting, or using an enhanced one, like Barbara was suggesting, and at the same time deal with the fact that there are systems out there that may take a long period of time before they can accommodate those. That is where the mediation gives you a tool to defray costs and so forth, but it does not get away from the fact that somehow a specific number needs to be associated so that all of it can be tied together as necessary.
DR. COHN: I agree with you completely, and I think that maybe I will ask Barry the question just to take the pressure off of you a little bit, I guess. Really, the question I am asking is if one uses an MPI approach, is the methodology you are describing and the requirements overkill
DR. HIEB: We do not believe so because we believe these requirements are what are needed, first of all, to make sure that the identifier fulfills its basic function, that is 12345 is really Barry Hieb. Secondly, that it does so in the context of the health care information systems that are going to use that number then to facilitate their operations.
I believe what has happened here is ASTM is focusing on the identifier itself, what it should look like, its syntax, its function, et cetera. Jim has more focused on, okay, we have that now, how do we gracefully incorporate that into this hodgepodge of existing systems so that they can continue to function but with an improved functionality. The PIDS functionality really says, given that we know 123 is Barry Hieb, how do I map that into all of the existing identifiers that have data associated with them already because it is that combination that represents a functional approach for health care.
If you do not have the right number, so you do not know who the person is, it is broken. If you have the right number and you cannot get it into the systems that exist so that they can make use of it, the system is broken. It is the combination of the two that makes a functional system that really starts to add benefit to health care.
DR. COHN: I want to follow on, Barbara, about that. What is your sense about what is overkill and what is not?
MS. RUDOLPH: I think that for our systems, because we do in a sense have other data to do the validation besides just the identifier, having to add an additional 29 characters into some of our very complex databases is very costly and to us would be overkill because we can identify. We have shown that we can identify the individual with the Social Security number and a check digit. Because we do have other information, as well, about that individual, I guess for us, it is overkill.
DR. COHN: Okay, thank you.
MR. GELLMAN: Let me begin by making a cheap point. Several people here have said that the most expensive thing is to do nothing. My cheap point is the most expensive thing is to do the wrong thing. If we adopt a health identifier that is not supported by the American public, it is going to cost you five times as much as you thought.
Dr. Hieb, can you describe the process by which ASTM develops its recommendations?
DR. HIEB: Certainly. ASTM is a public standards organization, and so when a standard is proposed, a particular committee is established as owning that standard. Then there are drafts created of proposed wording in the standard. Those drafts are open for public consideration at ASTM committee meetings as well as publicly available. There is a rigorous balloting process that is undergone which has several stages and which can be blocked essentially at any stage by a strong negative vote from an individual. Basically, the ASTM rules state that if any individual votes negatively, the committee must reconsider those negative statements and appropriately address them to the satisfaction of that individual or declare that objection not substantial. The total process for this particular standard took about three years.
MR. GELLMAN: Can you describe who participated in the development of this standard?
DR. HIEB: Participants include a variety of people from both industry, that is vendors who are developing products, from health care users that are actually using these products, from academicians who are the theorists, and other people as expressed interest.
MR. GELLMAN: Let me name some groups. Center for Democracy in Technology, American Civil Liberties Union, Electronic Privacy Information Center, Privacy Rights Clearing House, patient advocacy groups. Did any of those participate in this process?
DR. HIEB: I know that specifically the legal council for ACLU did participate in some of the discussions around this. I am not aware of the other organizations.
MR. GELLMAN: Did you reach out to find any of the privacy organizations to try to get them to participate in the process?
DR. HIEB: We made attempts to make this open to everyone, but we do not specifically go out and solicit.
MR. GELLMAN: When people participate in this, is it at their own expense?
DR. HIEB: There are certain expenses that we bear. There is a $20 meeting fee, and obviously travel and things. If you choose to come to the meetings, travel has to be arranged at the individual's expense.
MR. GELLMAN: So, it is a pretty expensive operation if you want to participate in all of the meetings.
DR. HIEB: It is not free.
MR. GELLMAN: So basically what you have described is a process here in which a bunch of health care people, without much participation at the very least from privacy or patient advocacy community, none of those people -- actually, many of these organizations do not have much money and could not participate without some kind of financial report, so you do not really care if they cannot afford to come to your meeting.
MS. FRAWLEY: Can I just make a comment, Bob. You do not have to attend the meeting in order to ballot on the standard or to participate. So, I think that is an important point. There are a lot of people who are members of the E31 committee on medical informatics who do not have the ability to attend meetings but do participate in the process. Physical attendance and travel, because there are a lot of people in health care who do not have the ability.
MR. GELLMAN: That is a fair point, but you have to know about it.
DR. HIEB: If your question is, Could we have done better, I imagine almost certainly that we could have. We do believe that the resulting standard represented a wide consensus of opinion from a variety of groups including people or groups like the ACLU, who had access to this information and looked at it.
We do not believe, by the way, that the identifier per se solves the privacy and confidentiality problem. What we do believe is that an inadequate identifier can preclude privacy and confidentiality solutions because, for example, maybe it cannot handle multiple encrypted forms and therefore cannot support different uses. The identifier itself is an enabling technology and must be linked, as many people have made the point, with privacy legislation and with systems that actually implement it in a secure manner.
MR. GELLMAN: I thought you said we do not need privacy legislation to go ahead with an identifier.
DR. HIEB: What I said is we can start now, and as the legislation evolves, we can be sure that the scheme can accommodate those new and unforeseen requirements. So, we are not saying that we do not need legislation. What we are saying is we do not have to wait until the last T is crossed and I is dotted before we can start to work on the national health care identifier in a manner that we are sure will support those requirements as they become clear.
MR. GELLMAN: Well, I still see your proposal, and I am not rejecting it out of hand, but I still see your proposal as not particularly broadly based. This is not a technical health care issue, this is an issue that affects everybody directly, and it seems to me that more broad based participation in the process by which the recommendations were developed is essential. The fact that ASTM did not go out and actively recruit people to participate in this, to have other points of view, was a mistake.
DR. HIEB: We certainly agree that the broader the analysis of this that is possible the better, and we would still, at this stage, even though it is already a published standard, be very interested in receiving information about specific deficiencies in the identifier scheme that have been identified by the privacy groups because we can amend the standard. What we need is here is something it does not do that we need for privacy. What we need is specific recommendations about it needs an additional check digit or it needs a something.
ASTM, on an ongoing basis, is open to those recommendations. What we cannot do is deal with an issue that says we were not consulted and therefore it is deficient because we do not know in what way that it is deficient.
MR. GELLMAN: Let me ask you about the multiple encryption. I assume, by the way, that would work with any identifier, not just yours?
DR. HIEB: Actually, unfortunately, no. That is, we have not yet seen multiple encryption incorporated in the other identification schemes.
MR. GELLMAN: Is there any reason in theory why it could not be?
DR. HIEB: Yes. If you look at page three of the document, you will see that an EUHID is an encrypted EUHID by virtue of the fact that at least one of those last six digits is non-zero. So, in this case, it is a 77. That represents the encryption. That is part of the identifier. What that means is that one identifier, which is atomic, and that is a strong requirement for ASTM's evaluation, that in the identifier itself, you can look at the identifier and say, oh, that is a type 77 encrypted identifier. I am not supposed to know a) who it is, and also the 77 says, and these are the rules by which you are supposed to treat this particular identifier. You look that up in a manual or a table someplace, and it says, This is AIDS data; treat it thus and so, or This is substance abuse data; treat it differently. No other scheme that we are aware of includes that encryption scheme in the identifier. Instead, it is something else, someplace else, and then we immediately get into the multiple fields and complex associations and errors associated with that.
MR. GELLMAN: Scheme of multiple encryption, tell me if I am wrong here, only works if you can keep the key secure.
DR. HIEB: That is true.
MR. GELLMAN: So, for example, suppose that we had a system of sort of special encryption for mental health data. There could be thousands or tens of thousands of providers who could be encrypting to that standard because that is how we are going to create --
DR. HIEB: That will be using those encrypted identifiers, yes.
MR. GELLMAN: Is it possible in a system like this to keep the keys secured and keep the algorithms secured?
DR. HIEB: We believe so. The reason is that you separate the generation of the encrypted key from the use of that key. A quick example. Suppose we decide that encrypted series one is to be used for HIV tests that you want to perform because just the existence of a test might be prejudicial. The provider would take the open identifier, contact the trusted authority and say, Give me a series one encrypted identifier for this person. That trusted authority would generate that identifier and send it back to the provider.
The provider would use that encrypted identifier to attach to the test, run the test and get the result. What that means is for that particular encrypted identifier, the only authorities who know anything about the identity is the provider and the trusted authority. That means that the fact that there are 9,999 other providers who might want to do similar things for their patients, they have no exposure to that. What it does mean is the trusted authority has to indeed be trusted. We have to invest a lot of time and effort into thinking into how to make the trusted authority trusted, and we have to invest a lot of time and effort into thinking how to make the communication between a particular provider and the trusted authority appropriate. Given that the -- and those are both technological problems that we know roughly how to address these days.
MR. GELLMAN: Whether they can be addressed politically is another matter.
DR. HIEB: Absolutely.
MR. GELLMAN: I just might point out that for the adoption of a scheme of this sort, it would require additional legislation in order to provide that.
DR. HIEB: Most likely, you are right.
MR. GELLMAN: Right, so that this encryption scheme could not be adopted and would not be workable without additional legislation. The Secretary cannot take action on her own to do this.
DR. HIEB: I do not know enough to know what is possible in the current situation.
MR. GELLMAN: Let me ask you about encryption techniques.
DR. LUMPKIN: I'm sorry. Why would it need legislation? I just missed that.
MR. GELLMAN: In order to provide the legal protections, among other things, perhaps, in order to provide the legal protections for information in the hands of the trusted third party. If all of the information goes to the trusted third party and the cops go to the trusted third party and get it there and find out that John Smith got his ID encrypted by the substance abuse clinic in Chicago, they know what they need to know simply from that simple piece of information. So you have to be able to --
DR. LUMPKIN: So, the legislation would be to protect the trusted authority from attempts to get information from them?
MR. GELLMAN: And there may be other elements. I mean, this is just very informal, but that may be required.
DR. LUMPKIN: Thank you.
MR. GELLMAN: I want to talk just very briefly and not technically about encryption techniques. Under current U.S. law, there are limits on what kind of encryption can be exported, and the effect of that in a lot of ways is to impose limits on what kind of encryption can be used within the United States. I assume that whatever scheme -- that a scheme that calls for encryption would have to be one that tolerates export. Is that fair or not?
DR. HIEB: Right. In fact, those laws are not applicable in this case, and that is because the encryption is done internal to the trusted authority, and all that comes back to you is some gobbledegook identifier that you use for the specified purpose. there is no actual encryption/decryption, et cetera, going on at the user's point of use. So, as long as the trusted authority is encapsulated and protected, what they do inside is essentially magic and is not exported in any way and is not subject, to my knowledge, to any of the export regulations that are currently in existence.
MR. GELLMAN: I will have to think about that. I mean, if there is -- there will be health information coming from abroad.
DR. HIEB: Right. Now, that is different than -- okay, if you want to take a medical record that has some identifier and health information and encrypt it to send it to the United States, that is a different situation.
MR. GELLMAN: No, I am just talking about the identifier.
DR. HIEB: The identifier is just a gobbledegook linkage mechanism. It is a number you use to link certain items. That is it.
MR. GELLMAN: I have t think about that some more because I am not sure, but there could be some issues there, but that is getting too technical for the moment.
DR. COHN: I just wanted to clarify in my own mind. I actually find your proposal very interesting. I am actually -- as I look through the standards guide, I was just trying to figure out whether or not -- how it relates exactly to the standard guide. It appears, as I look through this, that there is -- the standard guide talks about principles and requirements, and then you go into the appendices which is noted as non-mandatory information. The identifier which I think you are describing is sort of an illustration.
DR. HIEB: It is included as an appendix.
DR. COHN: It is identified as an illustration. So, is this a standard proposed by ASTM? Is this an example of something that meets the criteria? How would you describe it exactly?
DR. HIEB: The heart of the standard is section 6, which is the 30 criteria against which any identifier should be measured. You can see them listed as 6.1.1 to 6.1.30.
DR. COHN: On page two and three.
DR. HIEB: Now, the problem we faced is, well, it is very well to say that to solve this problem you need antigravity, but the question is could an engineer actually build antigravity. So, we included the appendix as an example implementation to say here is something real, tangible and implementable that you can test against these criteria. It set the bar for us in terms of evaluation capabilities. Indeed, there is, at the very end of the document, a self-serving, internally done evaluation against those criteria that says it meets fully, at a Category 5 level, 18 of the criteria, 5 of them it met at the level 4, et cetera. So, the implementation is meant to say here is one way you could do it. If you can propose a better one, great, but we used this to set the bar. Thus far, none of the other proposals that we have been able to identify and evaluate have come close to meeting this level of functionality, particularly the issue of multiple encrypted identifiers has been a hanging point for all other proposals that we have seen to date.
MS. FRAWLEY: Okay, we would like to thank the panel very much. We really appreciate your input; it was excellent. I'm sorry, Mike. I can't see you guys down there.
DR. FITZMAURICE: Barry, I would like to ask you a question and then maybe Jim a question. I remember about a year and a half ago, my colleague, Bill Braithwaite, in the Office of the Secretary, sitting across there, gave a good presentation on the features of ASTM's uniform health identifier. Could I ask you, how long has this uniform health identifier been out, available to the public for inspection?
DR. HIEB: It was published in November of 1995, so it is about three years.
DR. FITZMAURICE: About three years.
DR. HIEB: A little bit less.
DR. FITZMAURICE: Let me ask a second question. Have any comments come in from the groups such as Mr. Gellman had mentioned criticizing the identifier or proposing suggested changes to it?
DR. HIEB: There has been much discussion about various alternatives, particularly the ESSN. We have not received specific comments from any group that I am aware of about design deficiencies in what we have proposed.
DR. FITZMAURICE: Let me follow up with a third question, and then I will move on to another question. If you had such a comment come in, like a letter from an organization saying, "This is bad because..." what would ASTM do with that, because it would apply to a particular standard that they had?
DR. HIEB: That would go back to subcommittee E31.20 which would then revisit the standard and see whether a revision of the standard would be in order based on the assessment of that.
DR. FITZMAURICE: So, your process could not simply ignore it --
DR. HIEB: No.
DR. FITZMAURICE: -- if it came in?
DR. HIEB: No. Now, I am not aware of the exact mechanism of filtering that would get it to our committee, but if our committee received such comments, then they would be reviewed at the next committee meeting.
DR. FITZMAURICE: A question for Mr. Gabler. I see the directories up here, and I see maybe little institutional directories, maybe enterprise directories and then larger directories. Eventually, there may be concern that we would have one big directory in the sky. Do you see a one big directory in the sky that points to everyplace where my health information is? Secondly, what do you see as the role of the government in directories?
MR. GABLER: One of the reasons that the peer structure came about was directly related to your issue. The first reality is that if you are going to have the quote "one big directory in the sky," you have two issues that immediately jump in front of you and become almost insurmountable obstacles. One is who is going to pay for it, and two, what are the political implications related to it.
At that point, we said it makes sense for any organization that wants to track a population can justify their need to track that population. I know there are several states, for example, that want to track the immunization of children. They have defined a subset of the state, of whatever state that they are in, in order to do that. They could create an MPI to do that, and their costs would be greatly decreased because they could leverage off of these other directories that exist. That is where the peer structure came in. Therefore, multiple ones can be pointed to, but it becomes an issue of what population that you want to attract. If somebody wants to track everybody in the United States, conceivably that would be the directory in the sky. Whatever organization wants to track that population has their own internal mechanisms which includes Congress of saying, Here is my justification for doing it. We felt that was a more natural check and balance rather than trying to create a structure that depended on a hierarchy. The peer structure does not depend on a hierarchy, but you can create one if you really want to.
DR. FITZMAURICE: Do you see a role for the government in making these directories work more efficiently? Or is this is a private sector matter?
MR. GABLER: First of all, standards are attempting to address that issue because there are a number of issues in the private sector to deal with some of these things. The government's participation in those standards also assures the fact that their ability to link into that given the legislation and so forth and the rules on it. You will notice several times in my comments, I said, "...as required." That was sort of my code word to say that somebody has to require this in some way, so why not have a mechanism that facilitates the movement of information when it is required and let someone deal with the rules of when it is required. The government's participation in that process that helps the private sector as well as the government. It helps both of them is the assumption behind that.
DR. FITZMAURICE: My concern then is if I go see a particular provider to which there may be a social stigma attached, that information is in the directory. Somebody may see that in looking for my information, this person went to a particular kind of provider. Now, is there an allowance for -- can I block that out so that is not in there anywhere or is that a matter of whatever the privacy law that comes down the road will have to address, that you are simply worried with the efficiency of pointing to and obtaining the information, and the privacy law will have to deal with this other aspect of it?
MR. GABLER: Obviously, when you try to distill things down to ten minutes, you do not cover all of the pieces. There was a concept that we have not lost track of that addresses exactly what you are talking about. For lack of a better term, whoever coined it called it the unmarked door. The idea behind it was that you would have a specialty directory that says, I know about a person but there are security issues related to it and can control what they can see. It was intended to insert in there so that there would be no stigma associated with it, but it was a way to respond to the issue of dealing with information without giving away who it was or where it was. The issue of the unmarked door has not been lost, but there are a lot of other issues where you are using to build toward it. The intent of it was to address exactly what you described.
DR. FITZMAURICE: One last question, if I may. I will ask this of Barbara since she has the system experience, not that the other two of you do not. Can you do your 2K solutions and HIPAA and uniform identifiers at the same time if you know the format in advance? That is, is it a help to have them both roughly at the same time or is it a hindrance because you have people working on year 2K problems and to have them work on HIPAA problems, widening field lengths, for example, would be an additional burden? Is it effective having them both done together or separate?
MS. RUDOLPH: I think, from our discussions, we have decided that it would be better to do them separately rather than at the same time.
DR. FITZMAURICE: Thank you. Thank all of you.
MS. FRAWLEY: Staff have any other questions? Thank you very much to the panel. It was very excellent. We are scheduled to take a 15 minute break, which we will do now, and we will reconvene at 4:05. Thank you.
[Brief recess.]
MS. FRAWLEY: Thank you very much. We would like to reconvene our next panel, and if we could, have our witnesses identify themselves, and then we will start with Ms. Kratz' testimony.
MS. KRATZ: Mary Kratz.
DR. PETERS: Rick Peters.
MR. LANDEN: Richard Landen.
MS. FRAWLEY: Mary, do you want to start?
MS. KRATZ: Members of the National Committee on Vital Health Statistics, my name is Mary Kratz, as I just said. I am the University of Michigan Health System representative to many health care standard development organizations. I am also co-chair of the Object Management Group, Domain Task Force on Health Care, CORBAmed.
Thank you for the opportunity to be here today to discuss identification standards and issues surrounding health care information management. I commend the subcommittee for undertaking a project to gather input from such a large and diverse group of health care participants, the creation, gathering, organizing and promulgation of health data affects a wide variety of participants, each of which has its own set of issues. It is important when attempting to set a standard for health care data that these various needs and uses are understood in order to prevent the creation of a standard that interferes with the delivery of care. My comments today will focus on the requirements of health care provider organizations and mechanisms to enable person identifiers.
Throughout a person's lifetime, he or she may have episodes of care provided by dozens or hundreds of health care providers, most of which may assign and maintain patient identifiers autonomously. In today's health care environment, each organization simply assigns identifiers that uniquely identify patients within local identification domains. the resulting identifier values are meaningless outside of that system or organization. These autonomously managed identifiers suit the purposes of recording and retrieval for the local organization. However, there is no basis for efficient collection or correlation of health records among multiple venues.
It is clear from the success of applying information technology in fields like telecommunication and finance that improvements might be obtainable for health care. It is realized that the accurate identification of people, patients in health care, is more critical than other industries. Financial transactions can be reversed; however, health care, clinical treatment that is inaccurate is not always reversible. Having a standard mechanism where independent enterprises can identify patients is one of the key technologies needed for secure sharing of health care information.
Selecting a number to be the health care patient unique identifier, be it a modification of the Social Security number, a newly-generated unique health care identifier or a combination of specific data elements or traits is important, but it is not the only issue. A standard, open interface to enable secure identification of people is required in addition to selection of specific trait definitions. An interface is a mechanism that allows systems that reside on different computers to share data. It is a standard way to ask a question or request a service.
There are two main aspects of making this happen: communication and data formats. For example, a physician may need to look up a person's medical record. They will trigger an interface in a computer application by entering a set of demographic traits. The need for this standard identification interface reflects changes in the business of the health care industry. As patient populations become increasingly mobile and the frequency of referrals increases, patients are seen at a number of multiple locations. Patients may be transferred to a variety of organizations before an episode of care reaches completion. The primary care trust enable gatekeepers, who send patients elsewhere for complex services.
How do we communicate within and between various organizations? Through the use of standard interfaces. The requirements for health care identification interfaces include support for both the assignment of identifiers within a particular identification domain, for example, a primary care physician office, single departmental applications or within an organization, and the correlation of identifiers among multiple identification domains, for example, across organizational boundaries or a state.
Support for the searching and matching of people in both attended, interactive and unattended or EDI messaging modes is required. Support for a federation of person identification services in an information system that supports interoperability; protection of person confidentiality under the broadest variety of security policies and mechanisms; enabling plug and play interoperability by means of a core set of profile elements yet still site specific and implementation specific extensions and customization; appropriate, meaningful compliance levels for several degrees of sophistication ranging from small primary care physician offices to large, complex health care organizations.
Standards such as the object management group person identification service or PIDS defines a set of freely-available standard interfaces that organized person identification management functionality to meet health care needs. The CORBAmed PIDS is designed to address these requirements. In addition, the Object Management Group Person Identification Service standard will be submitted to ISO for a fast track standardization process.
At the University of Michigan Health System, we subscribe to the notion of federating identification domains. A federating identification domain is the ability to correlate identifiers within an organization and across organizations. This architecture was the recommended solution from a series of master patient index workshops held by Los Alamos National Lab, CPRI and HOST in 1996 and 1997.
A federated identification domain is the ability to structure identities into hierarchical domains. For example, a hierarchy might be at the department level within a hospital. At a hospital level, the hospital is part of a larger health care organization. At the state level, hierarchies where the higher level identification domains, for example the state level, contain identifiers for a super set of the persons with identifiers in the lower level identification domains. For example, a department of a hospital might need to report a communicable disease to the state. Operations such as searches for persons are performed at various levels. A PIDS implementation can manage identification for every domain within its federation. The best solution to address provider requirements is to enable open, standard interfaces to communicate across various identification domains both within organizations and across organizational boundaries. The logic of federated identification domains is increasingly important as the complexities of the health care industry continue to grow. Federating information systems is becoming prevalent information system architecture.
As the committee knows, this is issue is not as simple as picking a number to use as a health care identifier. The health care industry requires plug and play interoperability by means of a core set of profile elements but also requires the ability of site-specific and implementation-specific extensions and customization of these profile elements. Flexible trait definitions will allow the ability to enable security mechanisms such as digital signatures as the technology matures and specific requirements arise for the health care industry. Advancements in biometrics offers potential mechanisms for authentication into systems. In addition to potential ways of uniquely identifying an individual, unique person identifier traits should be extensible to incorporate emerging technologies.
Today's health care provider organizations may consist of multiple hospital and multiple clinics forming an integrated delivery system. Each clinic that is automated will likely have one practice management system which manages its own identification domain. A health care provider organization also has many systems each with their own identification domain. The health care provider organization requires a high level of correlation that consolidates these various ID domains.
Health care business processes dictate that systems must support searching and matching of people in both attended, which is interactive, manual users, and unattended EDI messaging modes. Independent of an algorithm that is used to match the identifiers, health care systems must support both manual and automated correlation of identifiers and records associated with health care customers.
Care may be received in multiple settings. The problems of correlating identifiers among various identifier domains of highly-autonomous and frequently reorganizing entities must be addressed.
Identifying information is not always complete in health care settings. Direct support for identification of people receiving care in a specific venue must support identification in the face of highly incomplete identifying information. Compliance levels for several degrees of sophistication ranging from PCP offices to large, complex health care organizations must be addressed. The PIDS specification defines compliance for federation of correlating identification domains.
The protection of person confidentiality under the broadest variety of security policies and mechanisms is the basis of ethical and regulatory guidelines in the health care industry. While a person identification service is not required to enforce confidentiality, its interfaces are delineated so that request interceptors can enforce any policy that is defined in terms of a user's identity, a person identity that is the target of the information request, identification domain or domains involved, and the person traits requested. It is reasonable to expect and demand that person identification interface implementations compete on the basis of their abilities to enforce complex or individualized confidentiality policy and to protect person information from inferential analysis.
Integration of identifiers between health care, clinical and financial information systems and across organizational boundaries must be addressed. The solution must integrate with health care systems without the requirement of coupling to them.
It is critical that the functional scope of health care person identification be drawn with extreme care. A major concern is security. When done properly with standards, individual rights will not be breached. Having a standard mechanism with standard interface definitions will enable independent health care enterprises to securely identify patients. This is one of the key technologies needed for secure sharing of health are information. Thank you for your consideration.
DR. PETERS: Thank you very much for inviting me to speak. What I would like to do is just to give a quick background. What I am going to be speaking about today is essentially, in the notion that this segment of the meeting is devoted to allowable uses, specifically can we do what we think should be allowable without a unique identifier. I think this will also tie back in to what Mary's presentation was and the earlier presentation of HL7 as well.
First, a quick background to relate my bias. Many of you know this already. I am a practicing emergency physician with a large health care provider in California. I am the founder and one of the key designers of the system at Oceana, which is an electronic medical record vendor which now has clients Kaiser Permanente, the Department of Defense, the CIA and the State Department. I left that company two years ago to found a new company, which is iTRUST, which is also an electronic medical records vendor that does secure and confidential systems and complete the integrated electronic records that run over the Internet, Intranet, closed LANs or open LAN networks.
I represent the ASTM as vice chair, but I do not represent them. Today, I will be speaking as a private citizen. Also, I represent the California Medical Association, the California state arm of the AMA, for several subcommittees regarding HIPAA legislation, one being the X 12837 committee, the other being the national provider ID committee, and also a newly-formed committee for the patient identifier which we have just started but has not had any meetings at this point.
What I would like to do is to reprise a presentation that I gave at the electronic patient record meeting in the spring which I was asked to present today which again relates to if we have allowable uses of the identifier, can we do this without a specific identifier, i.e. without a specific number or way to attach that to an individual mandated under HIPAA legislation or by the Federal Government. Allowable uses under discussion would be as follows: the provision of health care, an obvious and straightforward use; payment of services, which I think is what many of us, particularly from the insurance side and from the vendor side are looking at, which is the generation of a link between a claim and the individual that claim is against, as well as with the national provider ID, the notion of linking that claim as well to the provider of that service. Public health reporting is commonly discussed as is linkage, the notion of linkage of health care data outside of health care to accident reports or to environmental or workplace exposure, for example.
One that is given less that adequate coverage sometimes is peer review, the notion of how we look at providers. This is something, for example, in California, the employers think is a critical issue in terms of judging the comparative benefits of individual health plans or the quality of care provided by different physicians within a given health plan providing care to their provider or to a group of patients.
Other uses: Health promotion. Disease management. Within the expanding market for health care services among the pharmaceutical companies, for example, disease management being a very big issue. The notion of carving out specific areas of disease, to manage specific types of disease by specialized services from the health care community. Quality assurance, which ties back into peer review. Health care oversight. Finally, health care research.
Again, can we do these allowable uses and provide access to this information without the use of health care identifier. Here today speaking as a private citizen, I would like to say that yes, we absolutely can and give some reasoning why we should do that and some backing in terms of the technical perspective of how it should be done and why it should be done.
The primary problem that we have is not the use the access -- excuse me. The problem is not the lack of a unique patient identifier. It is really an incompatibility of existing systems, and a lot of this has to do with the implementation we have done within our organizations and within the government for how we have put our computer systems together. One of the primary issues we have within individual organizations for lack of a unique identifier or the lack of a consistent medical record number is the very simple fact that most of our legacy systems go down for a certain number of hours per day, and we have systems that then have to release patient identifiers or medical record numbers that do not even match the patient identification which is within our own systems. This is commonly seen in the emergency setting where we have patients in the middle of the night while the computers are down, where we order lab studies and others. So, we even have problems because of our systems within our own organizations keeping track of unique identifiers. That is not something that a unique identifier or an established number would solve. That is something that takes a much deeper approach, which is the notion of how do we design our systems to be available around the clock because we practice medicine around the clock.
A universal health identifier is basically used for concise and consistent identification of an individual, its unique identification and match of clinical and administrative data to that individual, its use for data interchange and interoperability, which are many of the uses that we are talking about as allowable. Last, it is used for data aggregation, the notion that we can aggregate data in the clinical care environment, for administrative management, i.e. claims and billing, or for health care fraud, and finally for data analysis.
The essential problem, however, and I would agree with Mary Kratz and some of the other speakers today, is really the notion of protecting the confidentiality of the individual. Now, certainly a unique identifier is not the only way to protect the confidentiality of the individual, and not having one is not going to automatically make individual health care information non-identifiable. It is a concern, as many of you well know, that having an identifier and using it uniquely to identify a person associated with a given administrative or clinical event does open that up for easier scrutiny under a computerized environment.
The notion there that if a specific identifier, as a number or as an alphanumeric number or whatever combination of characters there is, is openly and publicly associated with the individual, than anything with that number attached is readily and openly associated with that individual. Relatively straightforward. The criteria we use to define that is, is that number published, readily available or openly disclosed. In other words, do people have access to that number. Specifically, is it physically disclosed as on a card.
The notion that is in the white paper from the department basically stating that the Social Security numbers will be on driver's licenses or associated with driver's license information as mandated under the 1996 immigration law basically states that the Social Security number should, for all intents and purposes, not be considered. It is too readily and easily available, particularly if it is on your driver's license or with your driving records which are easily available from state agencies.
Is it electronically disclosed, and I think this is the issue that we have with electronic records. Is there a way to get this information either by logging onto the Internet, by outlogging onto a directory service or a name server or actually by breaking into a system and getting electronic access to that data. Not just from a service, but is it on a file or a disk or any other way that it can be stolen.
If it is revealed in one setting for one purpose, is it exposed to other settings for similar or different purposes. This goes back to the notion of tying financial data from a Social Security number's perspective back to health care data.
The thing that we use for examples are that information that is readily available, i.e. prescription data, and we recently convened a meeting in California with the CMA to bring in people who have pharmacy data and show the major providers in California how easy and readily available pharmacy data is. The physicians who saw this presentation were stunned that the information out on what they have prescribed, who has prescribed it, who it was prescribed to is easily and readily available for purchase from a variety of different sources. The notion here that drugs like Acyclovir, Crixivan, Epivir, Prozac or Stelazine, for example, these give away diagnoses automatically. All you need to know is if a patient is on this or a provider prescribed this. You know exactly what that is for. Librium, 25 milligrams, PO Q four to six hours PRM tremor. This data is available. That patient is an alcoholic, and we know that for a fact.
So, again, having open disclosability of this data which is available now is not an issue related just to the provider ID. It is the notion that there is data available, and that is what we need to do and deal with first before we discuss this issue. This goes back to my support of the NCVHS's recommendation that we address privacy legislation before we jump too deeply into the unique identifier.
The other key issue that I would like to discuss, and this was the basis for my presentation at the electronic patient record is that the key principle that we need to deal with is that contrary to popular myth, the vast majority of health care transactions do not require explicit identification of the patient or the care provider. The key issue here is that most of the things that we do do not require us to know who the individual is that we are doing that for or we have done that to.
In the pharmacy example, a pharmacist and the dispensing assistant or clerk need explicit identification of the individual. They need to hand a prescription to someone and make sure it is either that person or a family member who is getting that prescription. Very few others, however, in the pharmacy chain need to know anything about who that individual is, particularly no one on the claims side of that because the identity of the individual has nothing to do with the actual adjudication of that financial information. The key issue there is, is the patient eligible for that service, and if they are eligible, should that service be paid. That can be done in an encrypted or encoded environment where there is no need to identify the individual. It is only in the pharmacy situation that direct provision of pharmacy care, i.e. between the physician and the patient, or between the pharmacist and the patient, the direct identity of an individual needs to be known.
In provider claims, another major aspect of HIPAA legislation which is the 837 claim, for example, from the provider side, at the generation of the claim, the identity is required for eligibility verification. At the adjudication of the claim, identity is required, again to look at eligibility, and also to pay the provider at some point.
No where else in the chain or the food chain of the claim is the ID of the individual or the ID of the provider necessary. Basically, these can be done from coded databases that looks up a number and says, Is the patient eligible or not. None of the clerks or intermediaries need to know or have any requirement to know that information. The number is only needed and required for verification not for real identity, and I think that is a key point.
One of the things, too, dealing with HIPAA compliance which has been very interesting for me as an individual to sit on the committee with the large insurers, particularly in the State of California, look at how they will be compliant with HIPAA legislation. I do not think that I am giving away any secrets here to say that the vast majority of the large players in this country who need to be compliant will not adopt brand new systems that will deal 100 percent with an X 12837 claim. They will put a gateway in place that will take an 837 claim, strip the UHID and substitute the Social Security number. They will strip the clinical fields from the form. They will generate a HCFA 1500 format or UB-92 format and put it in their traditional systems.
Again, the notion that there is a significant need for this for the adjudication of claims falls on the sort of the fact that the providers of claims processing are not automatically going to shift over all of their systems to be consistent with new standards, but they will be compliant because they will provide gateways and translators to make this a functionality that will work. Again, they are not putting up a specific opposition, particularly in the State of California, as to what the patient ID is, what the provider ID is or how this is done. They say, Do not worry about it; we will work out a mechanism within which to do that.
Data analysis, epidemiology and research is an area of major discussion and I know Chris Chute gave a discussion this morning. I am sorry I was not hear for that, but I flew in this afternoon. What is very important for this for us to realize as well is that we do not need unique identity for the vast majority of this work if any of it. We know, for example, historically in clinical research that the identity of the individual is not important. What is more important is much of the demographic information which we should keep private anyway and would not want identified back with an individual. We want to know what ethnicity they are, we want to know what they have done in terms of where they have lived, we want to know what kind of work they have done and other things like that but who they are has no real bearing on the majority of clinical research or data analysis.
It certainly does not have a lot of bearing in regard to peer review or quality assurance either. We are not worried about individual patients. We are worried about the care provided by providers or provider organizations, so identity is not an issue in those settings.
It is an issue when we have direct intervention that is required. The CDC has specific requirements in some areas to know who has been exposed to specific diseases carried by specific individuals, but that is a unique case and is covered currently under law.
The philosophical question to me is do we really want or need a unique patient identifier or UHID. I put that back to say that do we want a UHID or do we really want a uniform and standardized way to disidentify an individual, going back to the discussion of Dr. Barry Hieb, in relation to the ASTM identifier, which can be used for disidentification; the notion of using a PIDS type server from CORBAmed; or the HL7 directory scheme where basically we have ways to look up information when we have a right to know or a need to know but that the vast majority of the identifiers used out there are disidentifiers. In other words, they do not provide any automatic identity.
One of the things that we are addressing is specifically here two things. One is patient confidentiality. I give an example here of three medications: Methotrexate, Ethinyl, Estradiol, birth control pills, and a steroid. Given in one dose, these are all specifically used for birth control, ectopic pregnancy or early induction of labor. But, if you switch those doses for the exact three medications, all of those are termination of pregnancy drugs. We have shown conclusively that this data is publicly available from all of the sources that track pharmacy claims. Therefore, you can look at claims, and you can see from the provider and the patient information perspective what people are doing in their practice.
What this means is that all of a sudden this is not just an issue of patient confidentiality. This brings bearing back to the providers, i.e. the physicians. One of the interesting things to me also is Cow Links(?), which is the organization we have in California that is looking at HIPAA implementation which has all of the major employers, major payers, the major health care providers, the physicians and some of the privacy advocates, as well as the state. Basically, the national provider ID committee had one physician on it; that was me. The patient identifier committee has seven physicians on it. I think we will see very different output from that than we did from the national provider ID committee. The national provider ID committee, at least from the State of California, however, and in working with WEDI, has come up with the approach that at least the information in the national provider ID should also be confidential. That information should not be easily available because the identification of the individual as a provider is as dangerous as the identification of a patient.
A few other myths that I would like to knock off the table. One is that the lack of a unique patient identifier is delaying the acceptance, utility and implementation of electronic health records. That is not true. As a developer of electronic health records, the only thing that is delaying the implementation of them is bad software from all of us who are vendors that is not acceptable to the organizations and entities that want to use it and to providers who need to use it in a daily practice. We need to come up to the plate and say what we need to is improve what we provide, not use a lot of Trojan horses or, if you will, things to blame such as the lack of a UHID as a reason that electronic records are not implemented.
The lack of a unique health identifier is delaying completion of the processing of claims. The insurers and the providers, I think, would deny this categorically. We have a way to identify individuals; it is not delaying claims. What is delaying claims is the notion of is the care that was provided to be paid for under the guides, rule or understanding of the provider. What we need to do is work out with the payers, and we are starting to discuss this in California, a better way to understand what we need to and are allowed to bill for and how we adjudicate those claims rather than trying to say that a unique identifier or other things like that will simplify it and get doctors their money quicker. I do not think that will happen.
The lack of a unique patient identifier is hampering eligibility verification. We know this is not true. The thing that is hampering eligibility verification is a lack of good connection between the employers and the payers to understand who is eligible for a specific plan at a specific time. That is a systems issue, and there are a number of vendors out there addressing that, but it is not something that a patient identifier will address for us.
The lack of a unique patient identifier is costing the U.S. health care system a specific amount of money per year. I think that is conjecture because there is not anything specifically that states that we are losing money because we cannot identify people. The people who claim they are losing money because they cannot identify people may be the providers because they are not getting paid on time, but as I stated, I do not think that is true.
For patients, there is some claim that the lack of an identifier is a pain in the neck to them because it causes problems when they are trying to adjudicate their own claims. The other side of that, however, is that it does act in its own strange way as a way to protect their confidentiality because it is so hard to link a lot of this data, which is one of the things that we are trying to solve.
What I would like to speak to is the notion that I think the presentations that have been given today and will be given tomorrow and throughout the hearings is the notion that providing ID services, i.e. a way to both identify and disidentify an individual, it is far more important that we discuss as an infrastructure within this country rather than the notion of finding a specific number or way to identify an individual. We can do this with modern technology very securely, very confidentially. We can control the access to the individuals who have a right to know the identity. What we can do is that we can simplify a lot of the interactions in health care by eliminating any reason or need to know an individual's identity by doing it through a name server, a directory server or a PIDS type server if we need to.
Just to summarize, I do not think that this should be a debate about what the number ought to be. It should not be a discussion of cost because all of the systems are going to involve some implementation of new technology. Costs will be awash across all of them. There is not any cheap or simple way to do this. I do think, from a technological perspective, if I step into the fray of cost from how to implement these systems, that it can be done significantly less expensively than the billions of dollars that the Social Security Administration states. I do not doubt that that is what that would cost them but for private vendors to come in and provide a name server, a PIDS service or a directory service would be phenomenally less expensive.
We have sort of seat of the pants estimates that between $10 million to $25 million this could be done. Again, this is looking at the Internet industry and how people do webpages and other things like that. These can be done very securely in this day and age. The financial services industry does so.
I think this should be a discussion about what we want an identifier for. That is the key thing. We need patient identity only when there is a categorical requirement for association if information with a unique and identifiable individual. That is primarily at the time that a payment is made, i.e. to a provider; that a patient needs to be asked specific question about a bill or a claim; or when a provider talks directly to a patient or a clerk talks directly to a patient at a given specific patient encounter. Other than that, there is very little need in the system to know who is associated with what health care information.
I think that health care data should be intentionally and routinely disidentified. That is what we should be discussing. Again, I think the key issue here is protection of data. As the NCVHS has stated, it is the issue of privacy and dealing with the privacy issues primarily before we deal with issues of how to open up Pandora's box by providing unique identification of an individual, by a random number such as a Social Security number, which is something that, for example, we know is easily identified with a variety of other information and with individuals. Thank you very much.
MR. LANDEN: Good afternoon. I am Richard Landen. I am with the Blue Cross/Blue Shield Association. I was scheduled to appear tomorrow at a panel but due to a conflict, I was unable to make that, so I want to express my appreciation to the subcommittee and staff for allowing me to speak today.
My message today is fairly short. About a year ago, the Association testified to this same subcommittee that we endorsed -- the association endorsed the use of an extended Social Security number as the individual identifier for the HIPAA administrative standard. Because we have come a long way in our learning curve over the last 18 months and there is so much more known, especially now with the publication of the MPRMs for the transaction sets and code lists, we are in a position at the association that I would like to advise the committee of without saying that we have taken a position.
On the record, we endorsed the extended Social Security number last year. Our committee, which is called the HIPAA Policy Advisory Group, is relooking at that position based on the discussions that we had about the transaction sets, a better knowledge now than we had a year and a half ago about X-12 and NCPDP, and we are currently evaluating three potentials for an individual identifier. The first is the option that we endorsed last year, the extended Social Security number with the check digit. The second option is something that is still in the midst of discussion, and I want to stress that we have not come to any conclusions about this.
We are exploring the possibility of having some sort of federal parameters for each health plan to assign a consistent number within that health plan meaning that there would be a check digit algorithm that is a national parameter, that there would be a maximum length, there would be details on whether the number could or could not be alphanumeric, what the positions and where the check digit would be, and rules like that. Again, no details absolutely established at this point.
Our third option would be to have no standard identifier whatsoever. Now, our rationale behind that is that we have looked at the transaction sets and come to the conclusion that the transaction sets themselves, the HIPAA administrative simplification transaction sets, do not necessarily require a standardized individual identifier to work effectively and efficiently. When we looked at the reasoning behind the need for a national individual identifier, most of the uses there were clinical or for research purposes.
What we found when we looked at the marketplace is that there are very few systems in place now that could actually harness the potential of an individual identifier, which leads us to the conclusion then that the current marketplace, we would not be able to cost justify any sort of infrastructure to assign and maintain an individual identifier nationally. We also are considering the privacy issues of this. We are very, very cautious about proceeding at this point in time with a recommendation for an individual identifier when we do not know what the outcome will be of the privacy, either the legislation or the other alternative, the regulations for privacy.
Based on those two considerations, privacy and the no current marketplace use of a national identifier, we plan to continue our deliberations and hope to have a position which we can publicly state and again run from an advisory committee within the association up through the association governance and come out with a position statement on individual identifier at the time of the public comment to the notice of intent. Thank you.
DR. LUMPKIN: Bob?
MR. GELLMAN: This is sort of more and more interesting. I am kind of not surprised a bit that there has been no consensus here on the answer to the question, but what I am, I guess, more surprised at is there is no consensus on what the question is. Basically, everyone seems to define the problem and the issues in a completely different way. I am not even sure that the issues raised by the white paper -- I mean, I am sure that they are not -- they do not nearly seem to be broad enough. They are focusing more narrowly on the question of which of the identifiers we ought to pick. That seem to be too narrow a slice of the question, at least from what we have heard today, so in the usual fashion of hearings, I go away more confused than I was when I started.
Dr. Peters, I want to pursue one specific thing that you raised. You were talking about pharmacy claims being publicly available. Could you provide more specifics about where and what and how that happens?
DR. PETERS: Not on a public record at all.
MR. GELLMAN: Okay. I will pursue it with you later.
DR. LUMPKIN: Other questions? I guess I have one for Dr. Peters, and first of all, let me apologize for going in and out, but we have a little episode of leptospirosis in a lake in Illinois, and so as my real job, I try to stamp out disease. It is kind of a fascinating --
[Laughter.]
PARTICIPANT: Shame on you.
DR. LUMPKIN: It is a kind of fascinating thing how they can take a small amount of medical information with three individuals in two different states and connect them all to one particular event. It is certainly the use of medical information has some significant roles and being able to track it down to find some 28 individuals who appear to have been ill but for which the diagnosis could not be made because a critical piece of information was not there. So, we have been -- it is fascinating that they all seem to have participated in the same triathlon in the same lake, and then we're trying to contact people at risk. So, pick your lakes wisely.
That apology aside, Dr. Peters, in your presentation, it seemed to say that you envision a system whereby to reach HIPAA compliance, large claims houses are just going to attach the Social Security number anyway. I think that is what this chart says, that they would take an 837, strip of the UHID and put in a Social Security number for internal processing? Do you feel that if that is what is going to happen anyway that that would provide as much security as if we were to develop a separate UHID?
DR. PETERS: I do not think that directly addresses the issue. I would defer to Richard in terms of what the large insurers from his group will do. I think it is not a notion of stripping it off and replacing it; I think it is an issue of how are they going to be compliant and be financially whole at the same time. They are not in a position, I think any of the major payers that we deal with in California, to completely reimplement systems.
One of the key issues, I think -- and Richard, you brought it up also -- is that much of the additional clinical data on these claims, not just the UHID, would have to be stripped off because there just is no way to store this data or to use it. The notion that the X 12837, for example -- and this is a slightly different subject, but I think it has bearing here -- is going to provide us greater data in the claims system, i.e. will provide us greater clinical data to claims, and this data therefore will be available for greater analysis, and we can look and find the people who were in a triathlon or had a specific GI complaint or things like that, I think that is spurious because most of the systems cannot store that.
They are set up to store HCFA 1500 and UV-92 data. It is a lot of money and a lot of time to change that. It is probably not worth it for them because all they are really in the business of doing, I think, in all fairness, is adjudication of claims, not in improving the quality of claims databases. Not even the payers make the claim publicly that claims data is truly valid for clinical data analysis, clinical work or other things like that.
MR. LANDEN: I would defer right back to Dr. Peters other than to say that it is more of an issue of what can the legacy system handle, and a matter of converting whatever comes in the front door, whatever standard is used and comes in on the transaction must then be converted or mapped into what the legacy system can process. So, in my remarks, I talked about current market need. We have to make a distinction between what is going to happen on day one, whenever that is, and then in the longer term. On day one, the Blue Cross and Blue Shield plans that I have consulted with, most of those plans are in process of deciding will they continue to use their legacy system or will they convert their system into a new system which can handle a national identifier directly. Without decisions having been made at this point in time, I can say that most plans indicate that they will probably go with some sort of map into their legacy system.
Now, also from discussions at that advisory group, it is fairly clear that over time, as we move from current capabilities and technology improves and we have the ability to harness some of the power of the things that we are engendering here with the HIPAA transaction sets, we will move to a -- after the legacy systems are unplugged and the new systems replace them, the new systems will be able to harness and utilize what we are talking about today.
The current capability is not in the marketplace now. We are dealing mainly with legacy systems, and that will involve, for the most part, a translation from whatever identifier comes in on the transaction to whatever identification is used internally.
DR. LUMPKIN: Can you ballpark your best guess of how long that process would take?
MR. LANDEN: Too many variables to even begin to talk about. It depends upon what happens with the evolution of managed care, clinical research, how many triathlons happen per week.
DR. LUMPKIN: [Laughing.] Okay, you can stop right there. Thank you.
DR. COHN: I was actually just going to I think try to answer your question, at least from one large health insurer/HMO. Certainly, you are right on the legacy systems are legacy systems. You do not necessarily throw them out. On the other hand, all of them have their period of obsolescence. I know Rick would certainly observe that that is happening more and more as you move into the new future of information systems.
Certainly, I think, many of us believe that having more information is a competitive advantage. Knowing what target to go towards as you begin to implement new systems, be it a health identifier, be it a standard transaction that you know you can depend on, I think, are very useful for those of us who are planning to put in systems over the next couple of years. I know that we are putting a new national insurance system in at our organization, and this has turned out to be very, very helpful as we move forward and potentially saving us a lot of money to know what the future holds. Just a comment.
DR. PETERS: There are two major payers in California, and Kaiser is one of them that are doing that. They have made the decision financially to begin new system implementation. Again, they are two out of probably five or six major payers, and then gosh knows, 200 or something minor payers in the state.
DR. COHN: Yes. It is serendipitous, perhaps is the best way to describe it.
MR. GELLMAN: Mary, let me ask you a question. We heard -- I am just going to pick ASTM came out with a set of criteria for a health care identifier. I assume you have seen that before.
MS. KRATZ: Yes.
MR. GELLMAN: You have come up with requirements for health care identification interfaces. How do I figure out how to reconcile these two things? They are obviously dealing at different levels. Can you talk about how the two -- how the way you each have defined the problem relate to one another?
MS. KRATZ: Yes. The PIDS identification service, as you said, just defines a series of interfaces. As these new systems are implemented, as a provider organization and talking to payers and others within our region, I see the importance of standardizing on interfaces such as identifiers. Within the specification, one of the modules is traits. Traits basically are a series of these data elements that you can string together as profiles or that you could use the unique identifier. So, it would just be a trait that would be defined specific within the implementation.
MR. GELLMAN: So, it is just one of a number of elements that contribute to your interfaces then?
MS. KRATZ: Yes, and the traits was purposely defined to be very extensible. They did a demonstration with V-cards(?), which are the JABA smart cards(?), smart chips that are becoming in real common use to open doors or as different identifiers. A demonstration using the PIDS service with V-cards was done at HIMMS(?) this year, and also the HL7 version 2.3 traits were put into the specification.
DR. BRAITHWAITE: It seems that several of the people who have talked today, particularly Rick Peters and some others have talked about the need to disidentify the patient in one form or another at one stage or another. I have heard from other countries like New Zealand that has a national mechanism in place and a well thought out mechanism and trusted authority for doing that sort of thing. We have not really identified a trusted authority in this country, and it seems like most of the alternative proposals to the unique identifier demand that there be a trusted authority that we can all bounce our electronic transactions off of. Could the three of you talk a little bit about what you perceive that trusted authority might be and what role it might really play?
DR. LUMPKIN: Are you talking about the Bureau of Disinformation?
DR. BRAITHWAITE: The Bureau of Disidentification.
DR. LUMPKIN: Disidentification, okay.
[Laughter.]
DR. PETERS: I have been stuck by my colleagues with the first response because they say I brought it up.
[Laughter.]
DR. PETERS: For example, the national provider ID, the recommendation from the Cow Links in the State of California and also, I understand, from WEDI was the notion of having a non-profit organization do that whose sole job is the management of confidential identifiers.
I think one of the things that we do not talk about enough but I think is critical, particularly from the vendor perspective, is the notion of European law and what has happened in the European Economic Union in regard to the recent guidelines that are now becoming law as of October 1998 for the protection of individual data. That is all basically modeled on German law that was passed after the Second World War, and now all of the European countries will be complying with that, and they have turned around and said, as you well know, that no American vendor would be able to sell information or manage information that is European in origin without being compliant with those laws and regulations.
The laws and regulations are pretty simple in terms of trusted authority, and that is that anybody who has data on an individual becomes a trusted authority by that. When they become a trusted authority, i.e. you collect data on an individual, you then have legal responsibilities to manage that data. If you cannot do that, you need to find someone, a trading partner, if you will, who can do so.
That is not managed, however, by the governments in those countries uniformly. There is a notion of private sector management of data. They just do not accept the management of data like we have in the United States where you have credit card information that is saleable or other things like that. For example, Master Card had significant problems in Germany because much of the data on German citizens was being used for marketing purposes. That is illegal under German law and will now be illegal throughout Europe as of October 1998.
All of the people who hold credit card data, including Master Card now, they are a trusted data authority for that data. They can use it for the verification and validity of a given credit card transaction or to look for fraud, i.e. they can use the software from Fair Issak or some of the other countries to look for the number of gasoline purchases or other things like that, but they cannot use that data for anything else. They cannot market it; they cannot sell it. They truly are a trusted data authority by the fact that they agree to keep the data and keep it securely. There are a set of guidelines under the law and under the regulations which basically specifies how you can and cannot qualify as a trusted authority.
I think that there are examples out there. Whether or not we will have that type of regulation in the United States is probably doubtful because of our concept of selling data in this country. Many vendors, ourselves included, are compliant already with European law. We can lock data down to that level, and when we sell into European countries, we already have specific information that can do that. Also, the notion of encryption and other things like that, supposedly we cannot export encryption. We are smart like most vendors. We do not export encryption at all. What we do is that our systems use encryption as a plug-in tool. We buy the exact same keys in Europe that we use here, the exact same length; they just are not manufactured in the United States.
The notion of how you do things in terms of trusted authorities, I think, can be done, and it can be done across international borders, too. I think the European Union is forcing us to think about that because we are, I think, both hopeful from an epidemiologic and public health view that we will exchange data with Europe, with Australia, with New Zealand, with Southeast Asia and others, certainly with Latin America where we have a significant patient population in the U.S. that is from there and travels in that area. Also, the notion of is there a way of managing data a good thing for us to look for in terms of the trusted authority concept in the United States. Again, non-governmental, private, either for-profit or not-for-profit but under specific guidelines or rules.
DR. FITZMAURICE: Just a quick question. I am sorry, did you want to add onto what Rick just said?
MR. LANDEN: We are nodding at each other. Thank you, Michael.
The association's advisory group has not specifically discussed the concept of a trusted authority because it has not figured at this point in any of the solutions that we are actively considering, but we have touched on it in passing in terms of the national provider identifier. Our concerns were that any entity that administered a program, and call it a trusted authority for the purposes of these discussions, needed to be accountable. It also needed to operate in a legal environment where it was allowed to maintain the confidentiality which was required of that.
The reason I say that is because in some of the discussions that we had, we talked about the access to data files under different federal and state Freedom of Information Acts or the state counterparts of that. Sometimes depending on how that entity was or was not governed, access to those data files were different under the legislation. So, those were our concerns. Whoever had to be accountable to the users, and it had to be such that the data files were secure for all the purposes for which that data was compiled.
MS. KRATZ: I have had time to formulate a response. You asked a trusted authority: what is it, and what role may it play. A trusted authority, what is it. It would be an identification domain that every participant in health care would need to federate to. I brought several copies of the specification, and on page 18 is a reference model.
Within that reference model, I would take it from the perspective of our organization. As we are reviewing and updating our security policy, we are assigning data stewards for all of the various data stores that we have across our organization. We would expect that those data stewards would comply to the policy of our organization. If you apply that to HIPAA and to a federal level, as an organization, we might need to comply to some federal level trusted authority as the Social Security Administration or perhaps that identification domain would be at the state level, and then the states would federate across each other. I would expect that the trusted authority basically would be defined for us as to who we would need to federate to.
The role that it would play basically is to define that policy and also to define other policies. Specific to identifiers, there is the notion of deprecating IDs or deactivating IDs and what should the policy be for a particular ID. Deprecating it would mean we never want to see it again, it was put in by mistake, we know that you should delete this forever. Whereas, deactivating is we no longer have a need for this, we no longer have a persistent store, please deactivate this identifier. Those policies need to be defined.
DR. BRAITHWAITE: Just to follow up. Do you see this trusted authority just kind of evolving out of the private marketplace as we expect to do things like certification authorities for digital signatures and that sort of thing, or do you think that there is a role for specific federal legislation in setting up the standards and the procedures under which such an authority should be created.
MS. KRATZ: I can see both sides of the issue. Personally, I do not know if I have an opinion on that. There are pros and cons to each.
DR. PETERS: I certainly see a role for the Federal Government. I certainly see a role for associations, the payers, vendor associations, the standards organizations. I think the process such as been discussed, particularly if we change their perspective to one of how to set up an organization to do this rather than what specifically to do in terms of a number. I think the more that we can have consensus on what needs to be done and how to do it, then I think the issue of whether it is done privately, non-profit or by governmental agency, I think, then becomes a consensus decision and is more straightforward. I think there is certainly a role for the Federal Government and the players at the table specifically to trading partners to be involved in that discussion.
MR. LANDEN: Consistent with our ideas, this HIPAA administrative simplification has to be a public/private partnership. Our normal thinking on this is that let's first take a look and see what the private marketplace can do. If the private marketplace cannot do it, then invoke whatever level of government assistance, be it regulation or legislation, is required to make it feasible.
MR. GELLMAN: Can I follow up on that? One of the questions with trusted authorities is -- I mean, I think your comment is sort of, in some respects, a fair one, but without legislation, you cannot stop the government or even private litigants from extracting information from a trusted authority. The question is, how can you proceed without tying up the information in the hands of a trusted authority and keeping it immune from subpoenas for purposes that you do not want it to be used for?
MR. LANDEN: That is a very good point. The other side of that argument is under some of the Freedom of Information laws, there are certain parameters for access to data. Now, am I an expert in that, no, so I cannot go down that deep in the onion, but that is one of the issues that has come up in the discussion. Because of the laws currently on the book about who can look at the data if it is a governmental agency, that has had some downsides. I mean, there is no perfect answer that fits everybody. That is why we kind of cautiously say let's take a look and see what we can do privately and then, if it is not sufficient for the purpose for which we need that trusted authority, let's look to government at that point in time.
DR. FITZMAURICE: The question, I guess, of Rick Peters. You mention in your provider claim example that only a number is required for verification of the claim, not the real identity. I am not sure if I understand; maybe it is just a matter of semantics, but I am thinking of a fraud and abuse. I would want to know if this is the same person who has had a knee replaced five times. Stu Streimer, to my left, reminds me that you need to know who the person is to verify the coinsurance and deductibles. You may need to know the relationship to a family member. Is that all within the bounds of you only need a number, not the real identity, because the number and a system associated with it would contain all those relationships? Or, is it really more complicated than this, and maybe you really do need to know who the person is?
DR. PETERS: I would state that it would be the former rather than the latter. In fact, most of the systems, particularly legacy systems, use a number internally anyway, whether it is a Social Security number or some other randomly-generated number. That is the primary way that they associate data records together or data tables in a database. The real issue is does the individual who is looking at whether or not this is the fifth knee replacement in any way need to know who the person is, whether it is Mary Smith or Joe Jones. They do not, but they may be able to easily look at their own system and say, wow, this number, whatever it is, has had five knee replacements. That is not quite possible.
DR. FITZMAURICE: So that if somebody has a need to know, then they are able to look it up in a look-up file, but most people do not have that need to know, and so the name does not need to appear on all of these pieces of paper or the electronic screens?
DR. PETERS: Precisely, or even issues of address or other things like that. I think the real issue when you look at a trusted authority is the notion that a trusted authority is only valid if there is some chain of authority, if you will, for who is allowed to have access to what data. Therefore, specific rules that are in place to say that you can only find out the true identity of an individual in certain spots within the claims process would mean that primarily the payers would have certain points where they would say, we need to request authorization at this point to get an identity from this server or directory or PID server or other things like that.
DR. FITZMAURICE: If one of the functions is coordination of benefits across different insurance companies, would that then lead to, if not a uniform health identifier, a more broadly uniform than just the enterprise model for identification? If we have to both pay the same bill, we both need to know that it is the same patient.
DR. PETERS: This is an issue that will come up in California, and it did for the national provider ID, too. The notion on the provider ID was we could not have one ID anyway because too many providers belong to too many different plans, and there are too many different trading partner relationships in the adjudication of a claim. This would be true in California as well for patient identifiers, and that is to have a payer-specific identifier and to have that the primary basis of the claim is going to make it more difficult for that payer unless the primary payer is going to take the responsibility for adjudication of all of the other people who are in the food chain in terms of copays or other things like that.
I think it is going to depend on the complexity of the market. Again, I would defer to what Richard had said. We do not know yet under managed care what we are going to end up in terms of the real claims process. We do not know really what is going to happen in the adjudication process. We probably cannot have just an enterprise-specific identification, which is again to back to the notion of we are going to have to have something that ties and links data. Is it not better to have a disidentifier with a way to unlock that only on a need-to-know basis rather than to have an identifier that is identified specific with an individual that is used for the same purposes. Does that make sense?
DR. FITZMAURICE: One more question, and that is, to Mary Kratz. In your conclusion, you note that integration of identifiers between clinical and financial information systems and across organizations must be addressed. Does that lead necessarily to a uniform health identifier, or is it more efficient with a uniform health identifier, or is there another way of doing that?
MS. KRATZ: I was referencing the reference model of the PIDS specification where you have the ability to federate across ID domains, so ID domains can have their own unique way of identifying patients, but they have the ability to federate across those ID domains.
DR. FITZMAURICE: So, they have to have enough variables in common at least so that they can be sure it is the same person?
MS. KRATZ: Yes. They have to have enough traits defined in common, and if that is one unique health identifier, that is fine; if it is a combination of traits such as name, date of birth, sex, et cetera, that is -- whatever you would wish to define it as you can plug into the interface and have the ability to communicate across those different identification domains.
DR. FITZMAURICE: Okay, thank you.
DR. LUMPKIN: Thank you very much. At this time, we are going to thank the panel and open the mike -- did you want to make a comment?
MR. GELLMAN: Yes, I just want to make a comment, a general one. I was opposed to starting these hearings before the notice of intent was published. I may have been wrong. I have looked -- I mean, the rumor is that this white paper is really the notice of intent in drag.
[Laughter.]
MR. GELLMAN: I assume that is the case. It seems to me, at least, based on what we have heard today, that the white paper, which may be very nice for the purpose. The narrow purpose for which it is defined is sort of woefully inadequate in addressing a lot of the issues that a lot of the people today have raised, and we have not heard from the folks tomorrow. My preliminary advice to the people at HHS is you guys have to go back to the drawing boards before you put this thing out for real and make sure that it is broad enough to cover all of the issues that everyone is talking about.
DR. LUMPKIN: Okay, is there anyone who would -- from the -- Andy would like to make a statement at this time. We will also have time at the end of the agenda tomorrow, too. Please come to the microphone and identify yourself for the folks on the Internet.
MS. ANDERSON: Thank you. John, my name is Andy Anderson. I am from a benefits consulting firm called Hewitt Associates. We are the largest benefits consulting firm in the country. One perspective that seems woefully lacking so far is the employer's perspective. Using your food chain analogy, we are very involved in the up front part of that food chain. We communicate between the employers and their participants and the health care providers around the country. I would certainly hope that in your subsequent hearings you make room for organizations like myself to describe the processes we have in place today to communicate this information back and forth between and betwixt the employers, the health plans and the participants. The difficulties that would be associated with changing from their current process of identifying those individuals, which across the board is exclusively Social Security numbers. That is the reality of how that system works today, and any change to that would have huge ramifications for simply the data that employers have to retain.
The other perspective that you seem to be missing here is, again from the employer's point of view, that their employees represent many different data elements. They provide many different benefits to them of which health care is only one small component. Today, employers use simply a single number to keep track of those individuals, and it is that number that the Internal Revenue Service wants to see with the wage and the wage withholding information. It is information that their 401(k) provider wants to see for purposes of retaining or collecting or building their retirement benefits. The same information their defined benefit provider wants to see. And, coincidentally, as a small but major slice, the information that their health care providers want to see.
Again, today employers use a single number for that. That number, at least the reality today is that that is the Social Security number. If you consider adopting a unique national identifier, which may not be the appropriate answer, but if you do consider adopting one, and that is different than the Social Security number, you require every employer in the United States, after the two and three year period phase is through, to essentially double their datasets for identifying all of these individuals.
I would certainly encourage the panel to be certain that they collect that information and some cost estimates as to what it would require for employers to undertake what would really be a gargantuan effort and double the identifiers they would need to keep track of their employee population.
DR. LUMPKIN: I would like to thank you for raising that. I think it begs a couple of other questions which is do the employers have a right to that number, and so I think that we probably should have some discussion on that. We have two hearings coming up, and perhaps a panel of employers and a panel of labor representatives who may have a different perspective on that same exact issue, but I think it is one that we need to discuss.
MR. ANDERSON: I would be happy to participate in that. As your white paper points out, I think, the debate about whether employers have a right to that number or not is over with. The horse is out of that barn door. That is industry standard today. I do not think you can pull the clock back 20 or 30 or 40 years and disgorge that or pry it away from employers and their computer systems. That is the way the world works today. Any attempt to change or lay another identifier on top of that would, I think, be most distressing to the typical employer in the United States.
DR. LUMPKIN: It will certainly liven up what has right now not been a lively discussion.
[Laughter.]
DR. LUMPKIN: Nothing is better than getting between labor and employers on an issue. Yes.
MS. YEAGER: Hi, I am Kristi Yeager with EDS Health Care Government Programs. Mike asked Dr. Peters here earlier about using or not having the identifier tied to the person directly. In one of the systems that we run for the Department of Defense in their Tricare Management System, we need to know more than just the identifier, which currently is the Social Security number. If you are not using a Social Security number, like at birth you do not have a Social Security number, then we are creating a foreign ID for this person, this infant. We need to know other types of information such as the association to the person for eligibility purposes. For example, if is a spouse, if is an ex-spouse, if it is an ex-ex-spouse and ex-ex-spouse's stepchild. I mean, it gets down to a really nth degree of level that we need to know. We need to be able to identify the person in order to determine if they are eligible for the benefit. So, I would say that needing more than just an identifier is essential in some of the systems today that are out there.
DR. LUMPKIN: Thank you.
MS. BRASE: My name is Twila Brase from Citizens for Choice in Health Care, and I will be speaking tomorrow. This just has to do with the doctor from Mayo Foundation who was here this morning whose name is now escaping me.
PARTICIPANT: Chute.
MS. BRASE: Dr. Chute, there we go. I just wanted to say that he referenced the Rochester Epidemiology Study. Dr. Melton from Mayo talked about that in the New England Journal of Medicine last November. Since I am from Minnesota, I know a lot about the Minnesota health care privacy laws. When we looked back into the laws, we found that in 1976, it was mandated that citizens have a choice if they were not in sort of a residential health care facility, to choose whether or not to have any of their information accessed. So, in April of this year, I wrote a letter which was in the New England Journal of Medicine asking for their statutory right to access that information and whether or not they had gotten consent. The response that came back was not necessarily, did not really answer the question.
If I had an opportunity this morning, I would have just mentioned that. Linking for Mayo is very important, but consent is very important as well.
DR. LUMPKIN: Thank you.
MR. MEYER: Chuck Meyer with HBO and Company. As Jim Gabler pointed out and several others during the day as well as Dr. Chute, the purpose of this identifier, at least as envisioned now, is to allow linkage of patient information to facilitate patient care. Yes, there are concerns about privacy and confidentiality. Certainly, there are concerns about promulgation of this identifier to other uses. However, I do not think that there should be major concerns with people thinking that this becomes the be all, end all identifier. It is not going to supplant what systems are currently doing to identify their customers, for lack of a better term.
HBOC Systems is a case in point. We will treat this as an associate identifier, another element in the database, something that we need to know in case we come to the point where ultimately these are linked. We are not going to give up the concept of the patient ID for billing, of the medical record number for consolidation of information, or of the enterprise identifier which in essence is our unique individual identifier at a higher level, simply because we have the designation of a unique health care identifier. It is a valid and valuable piece of information, but it does not necessitate near term change of existing systems. Case and point.
DR. LUMPKIN: Thank you. At this point, we are going to adjourn. We will reconvene tomorrow at 9:00 in the morning, the same place, same channel, same station, same location.
[Whereupon at 5:30 p.m., a recess was taken until 9:00 a.m. the following day, Tuesday, July 21, 1998.]