James R. Thompson Center
Room 9-040
100 West
Randolph Street
Chicago, Illinois
John R. Lumpkin, M.D., M.P.H., Chair
Simon P. Cohn, M.D., M.P.H.,
FACP
Kathleen Fyffe, M.H.A.
Jeffrey S. Blair, M.B.A.
Kathleen
A. Frawley, J.D., M.S., RRA
Clement Joseph McDonald, M.D.
William
Braithwaite, M.D., Ph.D
Robert Gellman, J.D.
Karen Trudel
Judy
Ball
Wendy Liffers
Marjorie Greenberg
James Scanlon
Stewart
Streimer
Michael Fitzmaurice
DR. LUMPKIN: Good morning. I'd like to welcome everyone back to the second day of hearings. Sometimes it can be very frustrating when we are trying to work as a committee on some very crucial issues, and no one ever takes any notice of what we do.
So again, welcome. My name is John Lumpkin. I'm Director of the Illinois Department of Public Health, and I am chairing the subcommittee that is holding the hearings today.
We are going to start off with the introductions. So as we welcome our listeners on the Internet, they will at least be able to hear the members of the committee's names. Again, when people are making comments from the floor, we will ask you to identify yourselves, so that individuals who are listening on the Internet will be able to know who is speaking.
So we will start with our new addition. We're glad you could make it today, Clem.
DR. MC DONALD: I'm sorry, I was reading all this news from yesterday. What am I supposed to do?
DR. LUMPKIN: Just introduce yourself.
DR. MC DONALD: I'm Clem McDonald from Indiana University and Regenstrief Institute.
DR. FYFFE: Kathleen Fyffe, Health Insurance Association of America.
DR. FRAWLEY: Kathleen Frawley, the American Health Information Management Association and chair of the Subcommittee on Privacy and Confidentiality.
DR. COHN: I'm Simon Cohn. I'm a practicing physician and the National Director for Data Warehousing for Kaiser Permanente, and a member of the committee.
DR. GELLMAN: I'm Bob Gellman. I'm a privacy and information privacy consultant in Washington.
DR. LUMPKIN: Now that we have had the committee introduce themselves, we'll have departmental staff.
MS. TRUDEL: Karen Trudell, Health Care Financing Administration, staff to the committee.
DR. BRAITHWAITE: Bill Braithwaite, HHS and staff to the subcommittee.
MS. BALL: Judy Ball, HHS and staff to the subcommittee.
MS. LIFFERS: Wendy Liffers, HHS and staff to the subcommittee.
DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Policy and Research, liaison to the committee.
MR. STREIMER: Stuart Streimer, Health Care Financing Administration, liaison to the committee.
MR. SCANLON: Jim Scanlon, HHS, staff director for the full committee.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics and Executive Secretary for the committee.
(The remainder of the introductions were performed off mike.)
DR. LUMPKIN: Great. At this point, we'll ask the first panel to come forward.
MS. BRASE: My name is Twyla Brase. I'm from Citizens for Choice in Health Care. I am a public health nurse and president of Citizens for Choice in Health Care, otherwise known as CCHC.
CCHC is a health care policy organization located in St. Paul, Minnesota, which was founded three and a half years ago as a result of health care consolidation, a growing loss of medical confidentiality and the elimination of many health care choices in the areas of insurance, treatment and providers.
Our mailings reach approximately 6,000 people nationwide, and our e-mail list has been growing since we went online in November. We are pleased to say that we have a comprehensive website focused on health care reform policy issues and medical confidentiality.
Thank you for giving me the opportunity to present our organization's thoughts on the very important issue of unique patient identifiers for individuals. I will begin with our thoughts and end with eight recommendations.
With insight beyond his time, U.S. Supreme Court Justice William O. Douglass in 1966, in the case of Osborne v. the United States, said, "Once electronic surveillance is added to the techniques of snooping, which this sophisticated age has developed, we face the stark reality that the walls of privacy have broken down, and all the tools of the police state are handed over to our bureaucracy on a Constitutional platter."
After reciting the Fourth Amendment, Justice Douglass went on to say, the time may come when no one can be sure whether his words are being recorded for use at some future time. When everyone will fear that his secret thoughts are no longer his own, but belong to the government, when the most confidentiality and intimate conversations are always open to eager, prying ears, when that time comes, privacy and with it liberty will be gone. If a man's privacy can be invaded at will, who can say he is free? If every word is taken down and evaluated, or if he is afraid every word may be, who can say he enjoys freedom of speech?"
Justice Osborne had no idea how sophisticated we would become in the computer age. In light of his comments, it is important to remember that the definition of health care information in the Health Insurance Portability and Accountability Act, HIPAA, includes -- and I quote, "Any information whether oral or recorded in any form or medium that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual."
Add to that Secretary Shalala's recommendation that government officials have access to citizen medical records without patient consent for four national priorities which, if implemented, would give unprecedented rather than restricted government access to health care information on citizens.
Therefore, Citizens for Choice in Health Care cannot support the implementation of standardized, government issued unique patient identifiers for individuals. Despite the fact that Congress passed the HIPAA law, this enumeration and surveillance system will clearly be detrimental to the liberty, privacy and security of every United States citizen. Not only will this surveillance system allow government officials to use doctors to track citizens at their most vulnerable times when they have nowhere else to go, which in itself is unconscionable, it will also raise the cost of health care, diminish the excellence of our health care system and inhibit citizen access to medical care, especially in the at-risk and immigrant populations.
Confidentiality is rooted in personal integrity and limited distribution and access, not legislation or encryption. As they say, loose lips sink ships. And unfortunately, we have all heard stories about government employees and others perusing or disclosing data on citizens. Many citizens deal with diseases, conditions or injuries that if disclosed, can harm their reputation, employment, marriage, credibility, community standing and insurability. In truth, there are not enough lawyers, attorney generals or police officers to stop anyone from breaking the law.
That being said, there is also no punitive sentence from a court that could ever restore the loss of confidentiality or eliminate the resulting personal chaos that may follow.
In addition, although our government may currently be considered beneficent, it is a well-known fact that oppressive governments in the course of history have used access to medical information to commit egregious act crimes against their own people. There mere fact that administrative simplification even passed may cause more than a little speculation of our government's beneficence.
For all these reasons, plus the protections within our Constitution, it is clearly not within the purview of the government to have access to or begin the process toward comprehensive medical information on citizens. If this system of identification and tracking is implemented, there will be a growing unwillingness of patients to give complete information to their providers. This may cause delayed or incorrect diagnoses and therefore increased costs. In addition, more people may choose to leave the traditional health care system, accessing medical care only in desperation and perhaps only with practitioners willing to violate the government tracking system requirements in order to secure the privacy of their patients.
Already, there are a growing number of persons who elect to forego vaccinations, home school their children or have home births in order to escape the probing problems of HMOs and the pressure exerted by doctors, hospitals and office staffs to submit their children to vaccinations against their wishes or to complete intrusive surveys for the creation of patient profiles.
One of the worst imaginable outcomes of the proposed surveillance system would be the creation of a black market for medicine in America.
In light of these concerns, Citizens for Choice in Health Care has the following seven recommendations.
One. There should be no government-issued unique patient identifiers for all citizens or government repositories of medical data on all citizens either directly or through data linkages.
Two. Each provider or clinic may choose a separate unique patient identifier or medical record number for each patient, as is current practice. While we know that many health plans and others want a single identifier to create a lifelong record on individuals, the fact is, many patients have sincere personal reasons why they don't want Doctor A to know about their care from Doctor B. It is the right of individual citizens to protect themselves and their confidentiality from others.
Three. To protect anonymous access to care, no unique patient identifier or social security number should be required in order to obtain health care services from any health care provider.
Four. Government access to patient identifiers or individually identifiable patient information for law enforcement purposes must include the protections of due practice as afforded in the Constitution, such as a valid court order for access or a search warrant.
Five. Use of electronic identifiers and electronic transactions must not be required for access to medical services.
Six. There must be use of strong encryption for any patient identifiers which are used in electronic transactions. Some have suggested 128-bit encryption, and I am not a specialist at this, but this is what I've heard.
Seven. No insurance company should require submission of a social security number for purchase of or enrollment into a health insurance policy, but should offer an alternative enrollee identification number to those enrollees which request them. This separate identifier should not resemble the social security number, and should not contain embedded intelligence on the enrollee.
Last, the following seven items, A through G, should not be permitted without informed voluntary written patient consent which details all intended uses and recipients of the data to be shared, and contains a written agreement that the data will be used for nothing else and shared with no one else.
A. Creation of a unique patient identifier which cuts across every medical or health care encounter.
B. A requirement to have an electronic unique patient identifier as in a smart card or biochip.
C. The sale, distribution or release of identifiers or individually identifiable information by anyone who holds health care data, as in physicians and others.
D. Government access to unique patient identifiers or individually identifiable information for research, oversight or widespread surveillance.
E. Entry of unique patient identifiers or individually identifiable information onto any registry or database.
F. Medical research using unique patient identifiers or individually identifiable information, including CQI, continuous quality improvement activities by HMOs, which is more appropriately called risk assessment, patient categorizing or patient profiling.
G. Behind the scenes tracking of citizens through a government master patient index system.
The patient and the provider, who is under an ethical oath to protect confidentiality of the patient, should control or limit access to information. The system we propose by necessity makes tracking and linking difficult, because decentralization is the essence of maintaining privacy.
Since patient privacy, health care access and lower health care costs are stated concerns of Congress and the federal government, I trust that our recommendations will be given full consideration. If followed, there can be an improved sense of trust in the health care system and the government. Trust will not happen with force, enumeration of surveillance of citizens.
Thank you again for allowing me to share our comments and concerns.
DR. LUMPKIN: Has Dennis Bush arrived? Then we will thank you. Comments or questions?
DR. FYFFE: Are we going to get a written copy of your --
MS. BRASE: Yes. I apologize, but the hotel did not have facilities to print it, and I have made recent changes, so it is on the disk that they have.
DR. FYFFE: Thanks. I have another question.
DR. LUMPKIN: What is it in?
MS. BRASE: Mac.
DR. LUMPKIN: I'm sorry, that's not standard state of Illinois issue otherwise. We would print it up here. I don't want to reveal my biases about computer systems, I'm sorry.
DR. FYFFE: Could you please elaborate on the proposed surveillance system that you refer to in your transcript?
MS. BRASE: Sure. The surveillance system would be a system that allows any kind of accumulation of information on individually identifiable persons. So when you have a system where everyone has a unique identifier, and whether it is a linked system or one national registry, if there is any access by virtue of one number to all the information on a person, that would be a type of a surveillance system.
And as a matter of fact, in Minnesota right now, the Commissioner of Health said during one hearing that we are creating multiple surveillance systems in the health departments. She had said that there were over 90 conditions that they were accumulating information on citizens, most of which without their consent.
So that is from a government perspective. It is already moving in that direction, and if we all have a unique patient identifier, that type of surveillance will only increase.
DR. FYFFE: Thank you.
DR. MC DONALD: Just to clarify that, I'm not quite sure where there is any point at which you would justify any kind of tracking of patients on a collective basis. That is, these are public health issues that we're talking about, aren't they? You are talking about the surveillance?
MS. BRASE: The 90 conditions?
DR. MC DONALD: Yes. Is that something you are arguing against, any public health surveillance?
MS. BRASE: If there is public health surveillance necessary, which would be for illnesses that are fatal, like HIV, we are not opposed to that. But as in 1997 when a birth defects system was proposed, all we wanted to do in Minnesota was to have patient access and even acknowledgment, and at that time, that department of health did not want to let patients or parents know that they intended to put every child with a birth defect on a birth defect registry, as well as information on their parents.
So we worked with legislators to get parent and patient consent. As soon as we got parent and patient consent on both the House and the Senate bill, various versions of it, the language was stripped. We don't consider birth defects something that is going to -- that is contagious or communicable, that is going to be fatal to the population. That is a decision for parents and patients, whether or not they want to be on such a registry.
DR. MC DONALD: Most of everything you said was what shouldn't happen, and I'm not sure if anything is allowed. That is what I was trying to get to -- where the boundary is and what you would accept or your group would accept. Maybe it was a preventive issue there they were looking at, whether these things could be prevented. And folic acid, we know, does prevent neural tube defects, which is a very, very fatal disease to the child with that defect.
MS. BRASE: I think that public health and public safety could actually be just holding public health and public safety up as something -- as a mechanism for why all of our records have to be invaded by officials. There is not value in that it is intrusive. There are many people who would be more than happy to let public health officials have access to information in their records, but the fact the public health officials want to do it without asking for consent is invasive, and it is unnecessary.
DR. MC DONALD: Well, that is what I am still trying to clarify. The scope of your --
MS. BRASE: It is very limited.
DR. MC DONALD: In other words, you really don't support public health access to data.
MS. BRASE: Without consent.
DR. MC DONALD: Okay.
DR. LUMPKIN: I think she did say that communicable diseases, if we could define that universe, there are certain things which you do believe it is appropriate, but the issue is -- what I thought I heard you say is, if there is not value, then they should not have access without consent.
MS. BRASE: For most --
DR. LUMPKIN: Is that a fair statement?
MS. BRASE: I'm sorry, but for most things we would not be promoting access without consent. HIV on the other hand is fatal, and we would certainly support that.
DR. LUMPKIN: Bob?
DR. GELLMAN: The researchers say that if you give us all your data and let us track you forever, that we are going to produce all these wonderful results that are going to save everybody's lives. Would you like to respond to that?
MS. BRASE: Well, there has been a lot of research over the years which has been very, very beneficial, and it hasn't been done with comprehensive tracking of every individual. It has been done with requests for patient involvement in studies, it has been done internally by physicians with their own patients. So I think that we can have a lot of research which is done without invading the privacy of individuals that will be very beneficial.
In addition, you can have statistical sampling, and it doesn't have to be the entire comprehensive population in order to give results that will be very beneficial.
DR. GELLMAN: Do you think that researchers could convince people on the basis of their expectations that they can produce better medical information and provide better treatments? That they can get people to consent to disclosures?
MS. BRASE: When I talk with the people about this issue, many of them say to me, a lot of these things are not very confidential, I don't feel very confidential about them. I would be more than willing to give access to my records, but there are of course a few things that people would feel confidentiality was necessary. It would all depend on their employment and their position in the community, whether they were in politics, et cetera, as to whether or not they would be convinced by researchers to give total access to their records.
DR. GELLMAN: Are you worried that any information that a researcher has for the most part can be readily subpoenaed by the police?
MS. BRASE: That is something that we have not really looked into, and you probably are more aware of that than I am.
DR. GELLMAN: Let me ask you a different question. You talked about your concern that a patient identifier may make patients less willing to be candid with their physicians, which is an argument we have heard a little bit about.
I sort of want to come at this from the other end. That is, is there any reason today why a knowledgeable patient concerned about privacy would be candid with their physician? Because records today are widely disseminated to a lot of people. People talk about records today as if they are confidential, which is really not the case. Would you like to talk about that?
MS. BRASE: Well, perhaps the emphasis should more be on the mandated usage of a card and an identifier or an identification number. If one could have access to health care without using their card and therefore using a name that isn't related to their card, and that no one checks to see whether or not they really are that person, then confidentiality would be assured. I do believe that people do that today, because they don't believe there is confidentiality in their -- total confidentiality in their records, particularly as managed care organizations and government agencies move closer and closer together.
So the problem is that we have a mandated identifier and all health care transactions require it, it will be nearly impossible to remain anonymous.
DR. GELLMAN: Thank you.
DR. FYFFE: I have a problem.
DR. LUMPKIN: You do?
DR. FYFFE: Yes.
DR. LUMPKIN: Please.
DR. FYFFE: You said as managed care organizations and the government become closer and closer. Could you explain that, please?
MS. BRASE: Sure. We are in Minnesota, and --
DR. FYFFE: That explains it.
MS. BRASE: In Minnesota we have three managed care organizations that control access to health care for slightly offer 80 percent of the population.
DR. FYFFE: In the whole state?
MS. BRASE: In the whole state, as a result of a health care reform law and an antitrust exception. So in addition to that, all the managed care organizations which obviously have the rest of the population in them as well have all the Medicaid population -- are being given by the government all the Medicaid populations. In addition to that, our health care reform law mandates that all the information, the claims information, be sent to the state government through our health data institute.
So in addition to that, I was just speaking with some people in Wisconsin, and there is a law apparently in Wisconsin that has to do with the same type of information being sent to the government from all patients, not just Medicaid patients. So that's what I'm talking about.
DR. FYFFE: Okay, thank you.
DR. LUMPKIN: I have a few questions, and I hope you will bear with me, because I am really trying to understand your position, so I'm going to try to see if I can understand where the boundaries are that you're setting.
My father, who is going to be 84 this year, when he was 39 had a heart attack. When he goes to see his health care provider, he never tells them about that. His response is, he's a doctor, he should know that.
I don't think that that is atypical, at least in my experience, from some folks who grew up in environments where they don't have a lot of experience with physicians. So I believe that there are some people who would want to see this kind of system in place.
So as I am trying to get to your position and understand where you're coming from, would you believe that such a system would be acceptable, of the unique health identifier, if people had -- and there are going to be a couple of scenarios, one, the option to opt out? In other words, they could opt out as a person, or they could opt out as to a visit. So you go to a health care provider and you say, I don't want my unique identifier applied to this particular visit because I am now seeing my psychiatrist for the first time. So that psychiatrist would have a mechanism whereby they could apply an identifier that would not be your unique identifier. Or a person could say, I don't trust the whole system, so I want to be able to generate my own number or letter or code name or whatever every time I visit somebody.
Would you find that as being an acceptable alternative to what has been proposed? Either one of those or both?
MS. BRASE: So are you saying that every -- let's say Doctor A, B, C, D and E. At every visit that I go to between the five doctors, I could choose any identifier I wanted to with each of them, and a new identifier for every visit?
DR. LUMPKIN: Well, obviously they would know your name. That health care provider would know your name, but would not have a number. You would essentially opt out of the system, choose not to play. Would that be an escape clause that meets your concern?
MS. BRASE: In general, we are not supportive of opt-outs because it requires a burden on the citizen to opt out of a program that the government or another entity has created. It is better to opt in.
That is a new thought that I have not heard of with the idea of every visit, having a new number or creating a new number at the time of the visit, if that is what you are saying. But I still believe that it is best to be able to opt in and not out. Then with only knowing the full ramifications of how the data is accessed, how the unique provider is accessed who has access to it.
There certainly may be people in the United States that want a unique patient identifier for everything. We are a free country, we can choose to have such a thing, except for the fact that if you're going to create it for the whole country and half the people don't want to opt in, it would certainly be an expense.
I will tell you that on the way over here from the airport, I mentioned this to someone, about a unique patient identifier, and her immediate response was, well, that is an invasion of privacy.
So I think it would be much better to opt in, but then that is a great deal of expense if no one opted in, or if few did.
DR. LUMPKIN: There was some discussion yesterday, and I think you were here yesterday, about the issue of, if there is such a system of there being a trusted authority that would do the enumeration, that would be the repository of how John Jones or Ralph Doe would be associated with whatever this number is.
Would you feel that you would be more comfortable with this being a governmental trusted authority or a non-governmental trusted authority?
MS. BRASE: In the opt-in system?
DR. LUMPKIN: In whichever system.
MS. BRASE: Well, given the fact that we don't support a government-issued unique identifier, we would therefore not be very supportive of a government trusted authority.
DR. LUMPKIN: Can you tell me to what extent is your group concerned about new technology such as computerized patient records?
MS. BRASE: What we have thought about computerized patient records is that every patient should have the option to not have a computerized record or to choose what will or will not be on the record. Because once it is computerized, and all your data is accessible by a database, of which many are able to be cracked by those who know how to do it, your information is far more accessible and far less secure.
DR. LUMPKIN: If I could tease that out, let's run the scenario. Your ob-gyn two-person office purchases a computerized patient record system for use in that one office, not networked to anybody, but just on some street in your home town. Do you believe that patients should be given a choice, or then say, I do not want my name in your system, you would have to do a paper record? Is that a scenario? So the option would be either not to be entered into your computer system, or not do a patient record or go to another provider?
MS. BRASE: We would support the option of continuing to have a paper record, but I think that most people would be perfectly fine with an electronic medical record, as long as anything that was very sensitive on it in their mind was never placed on the record.
DR. LUMPKIN: Okay. Any other questions?
DR. MC DONALD: To follow up on the computer records, that would imply that they couldn't dictate in most cases. Would you really mean that? Because it is a very common practice to dictate a note, because that will go through a computer.
MS. BRASE: What happens to the dictated notes?
DR. MC DONALD: They sit on a disk and are accessible, I think as anything else on a disk that you are worried about. It can be searched, it can be scanned, it can be connected to the Internet. What I worry is that some of the proposals you say may paralyze the existing -- it may not be practical, because of what already goes on.
DR. LUMPKIN: Let me perhaps clarify that, and you weren't privy to some of the hearings that we had. There are a number of scenarios where dictated records are created. One is that they may go in an internal system by tape. The transcriptionist would then type it up.
There are some systems where there are voice generated computer systems that would then create the record that would be corrected, and then there are some offsite systems whereby the dictation would go over a telephone line to a service that then would transcribe it and return it to the practitioner. So those are the options that are currently in place. Did I miss any? Okay.
So that is a scenario that Clem is suggesting, and you can comment on any of those three different alternatives.
DR. MC DONALD: But I think when people think computer medical records, the average computer medical record is a collection of all the dictations. I just really want to make sure that you are disqualifying that, a patient saying you can't dictate my note, in effect. How could one operate a practice as a business or as an efficient process if one has very bad handwriting and went to the dictation? You are really putting people back in pen and pencil, I think. Is that realistic?
MS. BRASE: We haven't considered the dictation part, because it was something that never hit our radar screen, so we would have to spend some time just thinking about that.
But there is a problem with dictation if it does become a part of the electronic medical record. It includes the thoughts of the physician about the patient, whether or not they are accurate. I did have one woman who called absolutely enraged after I had suggested that she get her medical records, if she wondered what was in them. She was enraged by what the physician thought about her and then understood why the physician who next got her felt or acted the way he did towards her.
So access to that kind of information on an electronic basis, where it may or may not be true, just the thoughts of the physician, I think can be hazardous to the privacy of a person.
DR. MC DONALD: But the electronic --
MS. BRASE: But I haven't given great thought to that piece.
DR. MC DONALD: Because really, you're saying having a record, because the electronic part really isn't relevant. If someone has faxed it, it is the same thing. If one chose a record they hand wrote, it is the same phenomenon. Whether it is electronic or not isn't really an issue.
MS. BRASE: But if it is electronic, it can easily be transferred or accessed. If it is in a paper record, you have to go in and get it.
DR. LUMPKIN: If you have additional thoughts on dictation, please feel free to --
MS. BRASE: Sure.
DR. LUMPKIN: And we would appreciate it if you would send us some subsequent communication about that issue, and any other questions that we presented to you new here, if you have thoughts.
MR. STREIMER: Just a point of clarification, please. Did I understand correctly that you said earlier that you would support a patient willingly consenting to allow their medical information to be used for research, for example?
MS. BRASE: Correct.
MR. STREIMER: Okay. I just wanted to be sure I understood. I wanted to reconcile that with Dr. Lumpkin's model, where if a patient went in and could opt in or opt out, allowing to use the national ID, how that consent would be different from that particular model. How did you see that as differing?
MS. BRASE: I'm sorry, will you clarify that?
MR. STREIMER: Well, I was trying to take the example earlier about you supporting the fact that if a patient could indeed allow their health care information to be made available at their choice. But also, with Dr. Lumpkin's model, I think he was saying that a patient could come in and could say, yes, please assign the national health care identifier to my patient information, or please do not, use your own separate individual number. You did not support that particular concept.
I am trying in my mind to reconcile those two different models and why they would be different.
MS. BRASE: I would say that we would support the consenting or opting in. I believe what I heard him say was opting out. If you opt into research or you opt into a unique patient identifier, that is the choice, that is the free choice that you have. The question is, do you really want to start up a system and then have half the population never opt in? Then you have -- I don't know that you have anything different than what you have now.
DR. BRAITHWAITE: I'm sorry your other person on the panel didn't come, so you get the brunt of all the questions, I'm afraid, the curiosity of the committee here.
Today when you go into a provider, in order to accurately identify you as an individual for all kinds of purposes, like sending out for lab tests and all the exchange of information with specialists and everything that goes on, making sure that you get the right blood transfusion as opposed to somebody else, everyone in the health care system identifies you one way or another, usually by collecting a lot of personal information, like your name and your maiden name and your mother's maiden name and your address and your phone number and your social security number, and a bunch of other stuff. This accumulation of demographic information about you becomes your identifier.
That gets passed around with each piece of information that is built up about you, like when a lab test comes in that has to have a bunch of stuff about you in order to identify you, so that it can be accumulated with the rest, so that appropriate medical decisions can be made about you.
You are proposing to not allow that to be summarized into an identification number that has built into it some cross checks and so on, to make sure the information actually belongs to you, and not to somebody else by accident. It seems to me at least that the current system of passing around a bunch of personal information about you in the system is a lot less private than getting a lab test reported with a number that can't be easily associated with an individual.
Can you talk a little bit about that, and help resolve that seeming conflict?
MS. BRASE: Well, one thing I would say is, you mentioned about the identifier and making sure that you get the health care that you need, and errors aren't made and that sort of thing. Being a nurse and working in the ER or having worked in the ER, you can never trust a number to identify the patient, especially in times of crisis or emergency. You have got to ask people next to the patient or the patient themselves if they are really who they say they are.
I'll just throw this in as a personal anecdote. In some surgery that I had as an individual, where I told the anesthesiologist, the physician and the nurse anesthetist about medication that I was allergic to. Thank God I'm a nurse, because as she was going to put the antibiotic in my IV, I asked her what it was, and I'll tell you -- I know you will know, but I'm allergic to Suprex. It is a cephalosporin, but I just said Suprex. She said, oh, it's Anisef. I said, isn't that a cephalosporin? She said, yes. I said, well, I'm allergic to Suprex and she said, what is that?
So you can pass a lot of information around, but the fact is that having one unique patient identifier doesn't guarantee any errors. They all knew who I was, and they were making errors even though I gave them information time after time.
So I don't necessarily believe that having one unique identifier is going to keep errors from happening. As a professional, you need to be able to identify the person right then and there before you do something to them. You need their name attached.
What we are asking for is the possibility of a more decentralized, rather than centralized, system, and where the information is at more of a local level, because privacy will not be protected by having a single centralized number accessible to all sorts of people, even though it is encrypted. That is what we are asking for.
DR. LUMPKIN: Can I follow through on that? I have this vision of an information system in the emergency department that would be networked -- let's say I was at one of my favorite places that I work. It shall remain nameless, but its initials are University of Chicago. They have a network of hospitals that they work with, in an outpatient network scattered throughout the city, and someone could be seen at one location for some minor problems, and they give a history of allergy to Suprex.
The information system because it has embedded intelligence would say, ah ha, cephalosporin, let's flag any order that is given for this patient for cephalosporin. They go into the central hospital, having never been there before. They are unambiguously identified as being that person whose medical record is now scattered in three or four or five scattered locations within the same health system. They sign a consent to have that information shared. They go into surgery, and before they even get to the point of bringing the bottle in, the system starts flashing, the bells go off, saying you can't give this person this antibiotic because they told somebody over here that they are allergic to this medicine, and our system will help you make this medical decision and not make the wrong decision.
That is all technologically possible. Is that a vision that makes you uncomfortable?
MS. BRASE: No, as long as you have the consent of the person.
DR. LUMPKIN: Consent. Consent is the issue.
MS. BRASE: Yes.
DR. LUMPKIN: Okay. Other questions?
DR. MC DONALD: Well, I think there is a separation I would like to make between having a number and having a national database, because I have heard no proposals to build a national database in any formal, official place. I can't even imagine how it would be done. I don't know that it would be good, for many of the reasons you just described.
But I see people standing in the ER and it takes 20 minutes to register them. I think it would be nice to have some kind of number, that they wouldn't have to re-register and be so slow each time. I think there would be all kind of advantages within communities with institutions to have a community number or some number which is easy to hang onto, which is separate I think from the access to the data.
At least, I would like you to ponder how much of your -- is it because of the data connections -- because you actually said in terms of your proposal, you would oppose any linking system. So that was one of the points under E.
But the question is, is it the data you oppose or the number system, or possibly the number system to get to the data?
MS. BRASE: I would say both.
DR. MC DONALD: Why the number system if it wasn't going to get to the data?
MS. BRASE: Because the creation of a number mandates a tagging of an individual regardless.
DR. MC DONALD: But we have done that already.
MS. BRASE: One single number. One single number.
DR. MC DONALD: I understand, but you used a lot of very emotional words in your statement, from numbers to freedom to liberty, if I remember. These are the sort of things we can all get behind and charge, because no one wants to lose all that.
But we have had since what, '32, a social security number which you now have to have within a year of when you're born. Should we repeal that?
MS. BRASE: The social security number was promised that it would not be an identifier. Interestingly, about 10 years or so ago, the fact that it would not be an identifier was removed from the actual security card itself, which used to say that it should never be used as an identifier.
I do think it is a mistake of the federal government to move more and more programs -- or mandate that it be used for more programs and more areas. So --
DR. MC DONALD: But you described some fairly horrendous -- I just have one last point.
DR. LUMPKIN: Yes, but I think she has been fairly clear. Just in the hope of trying not to put too much pressure on our witnesses, maybe if you could frame your question a little bit clearer, give her a chance to respond before jumping into the next question.
DR. MC DONALD: Would you propose repealing it then now that has become an identifier?
MS. BRASE: The social security number? That has never been something that our organization has considered.
DR. LUMPKIN: Any other questions? I do have one other question. Are you familiar with Medalert?
MS. BRASE: No.
DR. LUMPKIN: The --
MS. BRASE: Oh, the bracelet?
DR. LUMPKIN: The little bracelets?
MS. BRASE: Yes.
DR. LUMPKIN: Is that a -- which obviously it is not a mandatory system, it is a system that -- for those that are not familiar with it, it is a repository of medical information for people who want somebody to know if they are in an emergency. Is that a model that works for you?
MS. BRASE: Because they consent to it, yes.
DR. LUMPKIN: Well, it is more than consent. You have to apply to it. My follow-up question is, one of the difficulties of that kind of system is, it is not readily accessible to the American public, just because it is a private entity, it is not well known, there is a cost associated with it. Would you feel comfortable with government assuming that on a larger scale, that role, for those who choose to want to have their medical information readily available in the event of an emergency?
MS. BRASE: If people were willing to have that information known by whatever entity controls it, it is their choice. So if the government would -- if people knew that the government ran Medalert, and they were willing to apply and give consent to that information being known, then it is their choice to do that.
DR. LUMPKIN: Thank you very much.
MS. BRASE: Thank you.
DR. LUMPKIN: Is Dennis Bush here? No. It has been suggested this would be a great time for a break. Is Daryl Evans here? Okay, what we're going to do is, we're going to break for about 15 minutes, and then we'll start with Daryl Evans and hopefully we will hear a presentation and maybe questions. Solomon will be here, and we may do it as a two-part panel. We'll do you first and then do Solomon, depending on the time frames. But we're going to take a 15-minute break now.
(Brief recess.)
DR. LUMPKIN: Let's get started. We will start off with the panel -- I have asked you to introduce yourselves.
MR. APPAVU: I am Solomon Appavu. I am with the Cook County Bureau of Health Services.
MR. EVANS: I'm Daryl Evans. I'm with Government Employee Hospital Association.
DR. LUMPKIN: Thank you. Solomon?
MR. APPAVU: It is a pleasure to give testimony before this committee. I already did a report, an analysis of the unique patient identifier.
I have been working in this area for quite some time. Since '92 I served as the co-chair of the CPRI work group on unique health identifier and produced a report in '95. I also helped prepare the inventory of standards by ANSI, that followed the task force that prepared the inventory of standards, and particularly I was responsible for the section relating to identifiers.
I co-chair the ad hoc committee on unique individual identifier under Ramsey Hess, and last year I prepared the analysis of unique patient identifier options for this committee.
This year, I also worked with the ASTM, CPRI and created common requirements, together with Dr. Barry Hipp.
My testimony today will be based on my experience, my work that I have done so far, the reports and the analysis.
A couple of words about my report. Listening to the testimony that was given yesterday, there are a lot of issues that were raised. My report and my work seems to be very relevant to those issues. So I want to spend a couple of minutes talking about my report. It was an objective analysis of the available options for use in health care, unique patient identifier options that are available for use in health care.
I started with a study plan, and the study plan called for the examination of industry requirements. It also called for the creation of evaluation criteria to analyze the different options, and it called for the interview of the various proponents, analysis of various information that are available, both for and against, the advantages and disadvantages, strengths and weaknesses. So it called for all those things, and we went through that.
In essence, it was a two-step process. The analysis was a two-step process: a careful examination of the industry requirement, the industry as a whole, analysis of its need, and then an objective analysis of the available options. So it is a two-step process.
I used four level evaluation criteria, four sets of evaluation criteria, four different levels: a conceptual level, an operational level, a component level and functional level.
At the conceptual level, I used the ASTM conceptual characteristics, 30 characteristics. At the operational level, I used characteristics that I created, five of them, and identified six components that are part of an identifier. I also came up with 11 basic functions that a unique patient identifier really must fulfill.
I want to draw your attention to the language of the HIPAA legislation. It calls not only for the adoption of standards that provide a unique patient identifier for an individual, but also to specify the uses, the purposes and use of the identifier.
That is basically the fourth criteria, the fourth level of analysis, basic functions. It is very important to recognize this: if you don't recognize the use of the identifier, the scope, the purpose and use of the identifier, the need for the identifier becomes meaningless. So I thought it was very important to recognize the use of the identifier.
The 11 functions that an identifier is supposed to perform: identification of an individual for the purpose of delivery of care and for the purpose of administrative function. It is very clear when we say delivery of care, administrative function refers to reimbursement, registration and so forth.
Identification of information. There are four functions that a unique patient identifier needs to fulfill, which is coordination of multidisciplinary care process, medical record keeping, information management. When we talked about the use of the identifier, we tend to focus on linkages after the fact, linking information, accessing information. But generating the information, documentation of observation requires an identifier.
Health care by nature is a multidisciplinary process. You need to be able to communicate among the multidisciplinary professionals, whether it is a laboratory order, processing orders, communicating back the results, whether it is a radiology exam. The professional, the practitioners, today are using this identifier.
It is being used by a medical record department, one of the largest departments within the organization. They use the identifier to assemble, analyze and code and abstract and all kinds of different things; they are depending upon that for information management, whether it is record keeping or information being used. Then it is used for linkage of information from previous episodes among multiple organizations and so forth. Also, it is used for aggregation of information for population-based research and so forth.
It also needs to support the privacy, confidentiality and security functions. It needs to support it. It does not provide directly (words lost) but it needs to support the four functions that are listed in your handout.
Finally, it needs to improve efficiency in the health status of the nation, health status of the population. Otherwise we don't need to use an identifier if it is not going to give us any benefit.
So it is very important that we recognize this is the context. This is the need that we are trying to fulfill.
A couple of definitions are in order. What do we mean by identifier, what do we mean by identity and what do we mean by identification?
Identity is a set of personal characteristics by which an individual can be identified, Like my name, my address, my picture, my sex, my address and so forth. My personal characteristics forms my identity.
Identifier is merely a label, maybe an electronic placeholder that is used to link my identity. So it is basically a label, flag or placeholder with a value assigned to represent my personal characteristics as an individual.
Identification is the process of linking the identity with the identifier. It is clearly the association between the identifier and my identity.
What do we want to protect -- when we talk about protecting privacy and confidentiality, what do we want to protect? It is basically the identity. You want to protect my identity, my name, my sex, my age and whatnot, you want to protect that, not the identifier so much, relatively. It is also the identification process, the association. How do you associate my identity with the identifier? You want to protect that. So those are the two things that you want to protect when you want to protect the privacy and confidentiality of an individual, the identity and the identification process.
So what is a unique patient identifier made up of? It is made up of identifier, identification information, index that link the identifier to the identification information which is my identity, and a security protection, technology infrastructure and administrative infrastructure.
As I mentioned before, an identifier is just a flag. You can use any scheme, identifier numbering scheme. It could be a numeric value, it could be a sequential number, it could be random, it could be check digit, it can be alpha, numeric, it can be encrypted with different methods, and it could even be my biometrics.
The identification information is very important, because that is my identity, that is what you want to protect. What does it include? A permanent data segment. By that, I mean data that is unchangeable, my date of birth, my sex and so forth, the mother's maiden name.
Then longitudinal data segment. What do I mean by that? The data that you acquire, the personal characteristics that you create over a period of time, your spouse, your address, employment and so forth.
Then health services segment. That refers to the encounters, in essence the location of my health record, the encounter information. Today hospitals have MPIs and they do contain encounter information. Then you need an index that links the identification information with the identifier.
You need a security protection. It is a very important thing. We talked about it quite a bit yesterday; in the testimony we heard a lot of things about it. I indicated what needs to be protected and how does a unique patient identifier help that process.
You need to have a design that supports, that promotes the security. You really need to have the identifier perform only the identification function. Identifiers should only identify the individual and the individual's information, and should not provide access to the information. That is the function of a separate process, which is access control. So you want to design an identification system where you have -- the function of the identifier is only to identify the information on the individual, and you have a separate function which is access control, which gives access to that information. Before giving access, it should check the authentication, the authorization, keep an audit trail and maintain accountability and so forth. So you have an access control separate from identification.
The identifier itself should be content free. It should be capable of encryption, it should be capable of masking itself.
You need to have organizational measures to assure the security of the identification process. We need to use secure technology, whether it is an operating system or software or hardware. Whatever we used, we need to have secure systems, secure technology.
You can train the individuals to be responsible, and you can take organizational measures, but you also need on a national level federal legislation. Such legislation should not only stipulate penalty and make it illegal to misuse the information, but also mandate these processes, these security measures. Like, you should have access control, you should have authentication, you should have audit trails and accountability and so forth. The legislation should mandate that also; that is the preventive step you want to take.
Then you need a technology infrastructure. This is the fourth component -- actually, fifth component. The job of the technology infrastructure is to actually link -- using the technology, link the identifier to the identity and also provide access to the patient information.
We heard yesterday from (word lost) HL7 mediation. Those are the person's (word lost). Those are validation, software for searching, matching, verification, validation. Those tools provide this component, they make up this component in my view. You need technology to encrypt and decrypt identifiers as well as patient care information.
Administrative infrastructure. This is necessary to assure the integrity of the issue and maintenance of the unique patient identifier.
When I think about all the six components, the identifier, the identity, the identification index and administrative infrastructure and technology infrastructure, these are not something new. We have these processes in place in provider organizations, in health care organizations and user organizations. The industry has these components in place already. If you go to the hospital, an organization like mine, Cook County Hospital, we have a technology infrastructure in place to link the identity with the identifier. We have administrative infrastructure in place, a medical record department, for example, is the custodian of the information, custodian of the record. These health information management professionals form the infrastructure to maintain the integrity of the information, maintain the security of the information, maintain the identifier itself.
So we have infrastructure in place, this is not something new. We need to leverage from what we have. In the same area, the technology infrastructure, we have infrastructure in place. The HIS vendors provide solution in that area, and basically the government have patient identification service, HL7, mediation or examples of that. We do need to step up, though.
I was responsible for converting Cook County Hospital from manual operation into a computerized operation back in 1988 when the complaint that was that there were a lot of islands of information with no way to connect them. Then a lot of solutions showed up, like the interface engine, the interoperable standards and so forth. But when I computerized it, I realized we need to change the way that we work. We cannot overlay the information on top of what we are doing today. We need to change ourselves.
What we have today is non-unique, institution specific identifiers in the nation. We want to link them together. The technology is available, like the (word lost) or HL7 or so many other things that are available today. But we need to change ourselves, too, and that is coming up with a unique patient identifier which is pretty much long overdue, in my opinion.
So these six components are very important. These components actually work together as a whole system. If you take each one of these components and talk about it, it is very difficult to understand them. We engage in the debate about what numbering system we should use, whether it should be SSN, ESSN or some other numbering system. Outside the context of this whole system, the patient identification system, these components which work together, which function together as a system, if you take that out of context and try to analyze the security protection, how are we going to secure the identifier, how are we going to secure patient data? It is going to be really difficult to comprehend that. It works as a system, it works as a whole, so we need to see that from that perspective. That will reduce a lot of the complexity that we see.
I'll go back to the operational characteristics. I talked about the functional characteristics. In the functional ones I talked about the component requirements. Operational characteristics, there are about five of them I created to analyze the options. Whether they are currently operational or whether the technology is ready depends upon the future technology, whether it can be implemented in a timely manner, whether it has adequate identification information.
Again, the identification information is something that keeps changing. My identity will change, the longitudinal will change, my address will change, my encounter information will change. Somebody needs to keep on updating that. That is part of the existing infrastructure, the different segments of the industry, the HIM professionals, the HIS professionals and so forth.
At the top level, I used the 30 ASTM characteristics to analyze the identifier concept. ASTM calls them conceptual characteristics. I did an analysis at an operational level and a component level and a conceptual level and at a functional level.
Basically, the options that are available when I did the analysis were about 14, if I include the manual operation and the existing medical record member. Six of them were a unique patient identifier; you have them in front of you. It should read as ESSN rather than SSN. ESSN was proposed by CPRI. Sample HID was proposed by Dr. Bailey. Each one of those things are proposed by individuals from different organizations.
Non-unique patient identifiers are existing, medical record number and medical record number with a provider prefix, which was proposed by Peter (word lost) from Medical Record Institute. They also analyzed the cryptography based identifier. The ultimate, you heard about them yesterday, HL7. Directory service is similar to them. Family health outcome product is using a code data element as an identifier, a computer identifier, a manual process.
The result of my analysis is documented, and it is in the web page, the Health and Human Services web page, and the address is at the end. But the summary of my findings, I want to spend a couple of minutes talking about that.
The patient identifier is an integral part of patient care and patient care information. It is part of patient care. When you provide care, it is a necessary piece. For example, JCHO mandates the provider organizations to do a positive identification of patients when you are doing invasive procedures, when you are transfusing blood and so forth. So it is part of the patient care process. It is also part of patient care information. The identifier is not different from patient care information. If you have legislation for policies and procedures to protect the patient care information, patient ID is part of that. It is patient care information.
Privacy, confidentiality and security do not preclude the use of unique patient identifier. On the contrary, identifiers protect them. When you are ordering a lab test or when you are ordering a radiology exam, you don't need to use the patient's name, sex, address and everything to communicate. You can use the identifier. That way, you mask the identity of the individual. The lab tech or radiology tech doesn't need to know the identity of the individual. So identifiers do protect the privacy and confidentiality.
Also, when you standardize the process and when you use the identifier to access information, it is a focused process. You can strengthen that access process. If you start using names, if you start using different identification methods, then it is open. You cannot protect, you cannot strengthen the access -- you cannot have access control. But when you use a standard identifier, you standardize the access method also, so you do strengthen the security of the information.
Security really depends on judicious design, as I mentioned before. It depends on the design of the identifier. It does not depend -- design of the identifier as a whole, the six components. Identifier is (word lost) the other five components, give the functionality to the identifier. So that is what you want to strengthen.
Function of the identifier should be only to identify and not to provide access, and the access should be provided by access control. It is an individual response. In spite of all this, things can go wrong. It is an individual response of the organization. Measures can help, federal legislation can help, but still, if somebody wants to break into the system, they could do that.
Again, the critical functions are independent of the identifier scheme. So we focus too much on the identifier scheme, but the functions of the identifier are pretty much independent of that.
The check digit -- an important finding was the check digit, encryption and the longevity capabilities can be added to any of these options that I looked at. Encryption can be added to any one of the unique patient identifier options. Check digit can be added to any numeric membering scheme.
So my finding at the very end was to really come up with an identifier. The best identifier is an identifier that is simple to use, simple to be used by both humans and computers.
I was not charged with the responsibility to recommend an identifier, but this is my conclusion. If you want an identifier, you want a simple -- simple enough human beings can use, remember and carry with them.
In the interest of time, I don't want to go through a lot of this information. The difference between existing options and new identifiers. The existing options such as enhanced social security number require enhancements; that needs to be done. The new proposal such as the ATSM sample HID or any one of the proposals would need a lot of development. You would need to develop the infrastructure that are not in place now. You need to bring them into place.
So the available course of action is either accept an existing option or go with a new option. That is the course of action that is available to us.
My recommendation to this committee is to build on existing infrastructure. What do I mean by that? As I mentioned before, it is the segments of the industry that is already there, like the health information management professional or the health care information system, the providers, the users of the identifiers. You need to build on that.
You need to build on the standards and policies and procedures that are already there. You need to add the federal legislation and the component the federal government will bring in. Cost will be distributed over existing process and infrastructure, or utilized.
Finally, talking about the ID cards. That was discussed yesterday, what kind of ID card should be used. In my hospital, we are just using an embossed card. When we need to positively identify a patient, we ask them to produce a picture ID. We are all used to that. When we need to cash a check, we need to give the driver's license or a state ID or an employee ID or a student ID or whatever. So when we need a positive identification, we can always use the existing methods.
Enhancement to the existing system, as I mentioned before, is long overdue. It is not a needed change, it is just evolving to a new system. When I implemented the HBO system in my hospital in '88, it was version 7.0. Now we are in the 15.3 version. We kept updating our systems. I think we also need to update our patient identification system. It is long overdue.
That concludes my testimony. Thanks for your attention.
DR. FRAWLEY: Thanks, Solomon. Mr. Evans, would you like to present your testimony, and then we'll take questions?
MR. EVANS: My name is Daryl Evans. I am a senior systems analyst for the Government Employees Hospital Association. My background is administration of justice. I have been in the insurance industry on the payor side for 14 years. I have been in the systems end of the world for about eight.
The best way to conceptualize me is, I am a data guy. I have been working on EDI transaction sets for the last five to six years. We have gone from zero EDI to approximately 35 to 40 percent of our claims incoming EDI. In two years, that's about two and a half million.
My concerns here, my reason for -- besides the invitation, was, we already have an identifier. It is already unique to individuals. It just has some flaws. It is already deployed. It is already in place. It is already in use in the private sector.
To respond to the questions that I was asked to, the ideal characteristics of the identifier are the social security number. It is already deployed, it is already in use. If you want to pick another one, re-invent the wheel, you are welcome to do so, and the structure and length is of no consequence, as long as you can tell us what it will be so that we can upgrade our systems to be able to store it, or if it is something that is just going to be cross referenced to the current keys, -- patient identifiers in my world are called keys. That is how we get to the patient. That is how our systems work. That is how I am envisioning what you are going to do on the health care delivery side in order to help patient care by being able to disseminate all the information on a patient at point of service in the ER. You are going to use this number, whatever it will be, as a key.
Now, your system will have to have the security that is going to be mandated. That is obvious. It would be to beg the question if you were going to say otherwise. But I'm going to move off of these questions and move onto -- there were some questions for submitters that are not bulleted.
One of them was based on your experience, what identifiers for individuals are used currently. Besides the social security number, let's face it, personal immutable properties, demographics and name are used today as a secondary check to social security number. If it happens to be keyed wrong, either by the transmitter of the data, or if it is a hard copy claim, by the person who is inputting it or quote-quote, logging it, getting it into a system. That is a secondary check. So that is already in use.
If you wanted to look at the specifics that were in the white paper, the ESSN, it would be nice to have a check digit. One of the questions was, who should bear the cost or the expense of the unique patient identifier. Well, that is also obvious. We as taxpayers will if the federal government mandates it. We as consumers will if the private sector does it. So we are all going to pay for it.
So I would encourage whatever system is chosen, if a system is chosen, that you make it the most efficient, least expensive possible and still protect patient confidentiality.
For that reason, you could say we need to look at CHID. Well, as a data person, if I was working with my LAN department, calculating a billion and cross referencing, creating a database, one or two of my guys think that would be a cool project to burn in a couple of mother boards and a new server over a weekend. Some kid somewhere is going to do that, just for grins. Then some other kid is going to say, hey, I know how you can make some money with that. They are going to be so young, they are not going to know the repercussions of what they are doing. That is one of my fears on CHID.
The ASTM UHID, using the social security number or office to administer it, that is one of the hybrid proposals. It is probably a very good idea if you're going to rely on the identifier to protect the confidentiality of the patient. I don't think the identifier itself will do that.
The biometric, retinal scans, fingerprints, that's interesting theory, but that is not available at point of service, nor is it something useful to the payor side. We are not going to be able to store all the fingerprints of eery member of our association or the retinal scans.
Civil registration, MPI, PIDS, HL7, those are -- I'm sorry, let me get off civil registration. MPI, PIDS, HL7, I think those types of numbering schemes and/or the UHID recommended by ASTM under those guidelines, administered by Social Security Administration, that might be a great way to separate the identifier from the data. If in the transaction sets that we are supposed to use by HIPAA, and I'm talking about the 837, the 835, the 834, the 270, the 271, the 276, the 277, the 278 and the 148, if we do not have to pass this data, this unique data for an individual that is your key in the health delivery system, with that data that is only used for remuneration, we just want to be able to pay for the services that these patients have received, we really have no business with that unique number. We don't need the key to give every medical note that was written about them by a practitioner, or that was used to get lab samples. That really should not be in the public domain, or even in a somewhat protected private payor domain. That is my opinion. We have no use for it.
If we need to get, for reasons of suspected fraud, additional information to make payment decisions, there should be secure channels where that data is specifically requested and only if the patient gives their consent. The old-time authorizations to release information from my claims processing days. If that doesn't exist, this data should not be available, in my opinion.
Back to some of the other questions. I'm sorry I don't have a handout, but if I did, I would have had to judiciously shred it after listening to the testimony yesterday.
Of the five criteria that in my opinion should be given the most weight in evaluating candidate identifiers, it should be controllable. Only the trusted authorities have access to linkages between encrypted and non-encrypted identifiers, if we are not going to use the public domain social security number.
Dis-identifiable. Again, if you are going to have an identifier that you no longer need a patient's -- and I'm talking on the payor's side perspective here. If I no longer need the patient's name and some of the other demographic data because this number is so reliable, then we need to change the standard, so that that data element is not passed in conjunction with the number or the identifier.
I don't think in my opinion my industry is going to be comfortable with that. There is too much manual intervention that is going to have to continue, at least in the foreseeable future. If you come up with a -- I'll move on.
Governed linkable, I guess for the benefit of folks that haven't seen the white paper, I should read what governed would mean. It has an entity responsible for overseeing the system, determines the policies, manages trusted authorities and insures proper and effective support for health care, and I would add to that, has appropriate legal remedies for those who do not -- or misuse the number. Again, I would support those who previously testified that we are looking forward to the confidentiality and security standards.
Linkable, can link health records together in both automated and manual systems. I know that our charge, at least mine has been, is to get us as electronic as possible. I don't think we will ever completely get there, at least not in the foreseeable future, which I would say the next five to 10 years. So whatever numbering scheme that may come out of this, again, it needs to be something that even a data entry clerk can enter.
If you come up with a 29-digit character string, you are going to have so many typographical errors on entering manual claims, that they would have to cross reference to another key in order to get it in the system. That is my opinion. The more keystrokes I have to do, the more room for error. My system is not going to have a database to check with these check digits in the foreseeable future, if I was ever given privy to that.
Secure, can encrypt and decrypt securely. I hope that when the privacy and confidentiality legislation as it relates to HIPAA comes out, that if there is any use of the Internet whatsoever, that encryption and decryption be mandated by law. We all know that it is a somewhat open environment out there, but again, these youngsters that I mentioned -- we calculate those numbers potentially, also do a lot of surfing.
Let's face it, they can do things we can't yet. We haven't got there. They are already there, and they are doing it. The Department of Defense won't let you do much on the Internet.
Question number 13: Are there other important criteria to be considered? I would reiterate my contention that we as in the payor environment already have the data that we need on electronic claims to identify the patient, and oftentimes autoadjudicate the claim, which is the goal for electronic claims, is for some portion of these claims to pass through our systems, generate checks without being handled by a person, and to deliver ERA, electronic remittance advices, and at some point in time, EFT, electronic fund transfers.
So if we have a unique number that is specifically designed for the health care delivery system, that is also used as a key, ion my opinion it would not be necessary unless mandated to be in the transactions, to be passed simply for financial transactions, because in the 835 and potentially the EFT, now it is no longer within my control as a payor. It is going through a financial institution or it is being split whether you are using CCT or CCTX technology to do your 835 and your electronic fund transfer, and some of that information is going around the financial institution, but it is going through somebody else's servers.
I know we have a lot of legislation coming up to protect us. But let's face it, I'm a data guy, and that scares me. These folks are not the health care delivery system at all. They are working for profit.
That goes to question 16, what uses should be approved for the health identifier for individuals. In my opinion, if we are going to come up with a unique identifier, we will reiterate it again: If you can somehow through legislation or by design keep it within the provider, delivery service and out of the payors and the public domain, that would probably be the most secure thing you could do.
Question number 25 is, what kind of computer and communications infrastructure would be required to support such an identifier system? I don't know, but the bottom question, would he computer network to support the system's function need to provide nationwide access 24 hours a day, seven days a week, that answer I would think, if you are going to use it for the dissemination of patient information in order to increase care, it would be yes.
Your typical example of the ER at 2 o'clock in the morning, the system is down, they are running batch. You can't get access to this person's medical records from previous visit when they come in. If you are going to have a delivery system -- I'm talking information network here of some sort, even if it is within small communities, then I would think that you would want that to also be a part of this design.
Question number 30: What are the implications of implementing the electronic transaction standards without a standard identifier for individuals? We have been doing that for many years.
I think I'll conclude there.
DR. FRAWLEY: Thank you, Mr. Evans. We are going to open it up to questions right now. Kathleen?
DR. FYFFE: Yes, thank you, Daryl. The agenda we have says that you are with the Government Employees Hospital Association?
MR. EVANS: Yes.
DR. FYFFE: What is that? I'm not familiar with that association
MR. EVANS: We are a federal contractor in the FIBA program. We were one of the original FIBA participants. In fact, the original 1960 Medicare Part B benefits were patterned after our plan.
DR. FYFFE: So you all are a plan. You are not -- well, --
MR. EVANS: We are a not-for-profit corporation.
DR. FYFFE: But you are a plan. When I see this name, I was thinking, DoD, VA -- you know?
MR. EVANS: No.
DR. FYFFE: Okay. Thank you.
DR. FRAWLEY: Bob?
DR. GELLMAN: Solomon, I'm sorry I missed part of your presentation, but I have seen your report. I have to tell you, I find it to be seriously flawed, and I think that you have completely failed to understand the privacy issue, and I want to talk about this.
I have a summary of this report that is 41 pages long. On page 20 of the summary, the report says -- and I quote, "Privacy in the health care context amounts to the freedom and ability to share an individual's personal and health information in confidence."
It seems to me that that is exactly the opposite definition of what privacy is. Privacy is not the ability to share information, privacy is the ability to keep information secret. Would you like to comment?
MR. APPAVU: For health care purpose, you have to share your health care information with a provider in order to receive service. You want to be able to share that information without the fear of being misused. That is what I meant by that.
DR. GELLMAN: Well, I think it is completely unclear. Let me ask you another question. Do you know what fair information practices are?
MR. APPAVU: I heard, yes.
DR. GELLMAN: Well, fair information practices are not mentioned in your report anywhere. Fair information practices are the most important concept in privacy anywhere in the world. They are principles that describe how personal information is collected, maintained, used and disclosed, and they form the basis for every information privacy law basically anywhere in the world today. It is the key issue in privacy.
There is a debate going on in Washington about self regulation, not in the health care context but in other contexts. Everybody is talking about fair information practices. Industries are putting forth a code. I don't find the concept in your report, and I think that is a serious mistake.
MR. APPAVU: I was focusing on health care processes, information that are required for providing health care. I wasn't looking at the Fair Information Practice Act.
DR. GELLMAN: Fair information practice is applied to every kind of record, no matter what they are.
MR. APPAVU: I understand that.
DR. GELLMAN: The report lists some points in favor of the social security number. Two of them are, the social security number is a de facto linkage, and two, it already has broad distribution and widespread use. It seems to me that those are exactly the reasons not to adopt the social security number, and those aren't reasons in favor of using the social security number. Do you care to comment?
MR. APPAVU: I simply stated the fact that as you correctly observe, it is used as a de facto standard. I recognized that in my report, and it is used as a linkage. So that is basically what I have done there.
There is a strength for those purposes. If you want an easy implementation, you can go for it. You may not want that. But I just listed them as advantages for those specific purposes, for linkages and for easy implementation.
DR. GELLMAN: Well, I don't disagree with your analysis, with the statements, but identifying those as reasons in favor of the social security number seems to me to be backward.
On page 38, the report lists six steps that must be taken in order to fully and effectively address the privacy requirements. I'm not going to read them. The report says right afterwards, "The critical need of the industry such as the unique patient identifier cannot be sacrificed due to the failure to adequately address the necessary privacy safeguards and subject the patient care to unnecessary risks."
This says, the heck with privacy, let's go right ahead and have an identifier. We don't have to deal with privacy. Here are things that ought to be done for privacy, let's have an identifier anyway.
MR. APPAVU: It highlights the importance of not failing to do that. It is a way of expression, and it means that health care is more important. Therefore, you need to secure the privacy and confidentiality protection. It does not mean those are unimportant. It just means, in spite of that you do want to provide care to patients.
DR. GELLMAN: Well, I appreciate your response, but I have to tell you that I really find the report to be seriously flawed. I don't think it addresses privacy in any fair or adequate way, and I think that it shows a bias in this area that privacy is not important, and I find it very difficult to find this report to be useful at all.
Thank you.
MR. EVANS: Can I ask the committee a question?
DR. FRAWLEY: Sure.
MR. EVANS: This is facetious. If the federal government did not mandate the sun to come up tomorrow, would it? That's my point with the social security number in practice.
DR. GELLMAN: Will you be more specific?
MR. EVANS: Just like Solomon's point that it is the de facto identifier, my point is, it is already the identifier. Now, we may be coming up with another one, but it is already there, it is already in place. It is the common one across the industry, at least on the payor side.
DR. GELLMAN: It is common well beyond the industry, and it is mandated for use by law in lots of other areas. That doesn't necessarily mean it is a good thing, it doesn't necessarily mean it is something that the American public is willing to accept, and it doesn't mean it is something that can't be changed.
There are a lot of bills before the Congress right now that are seeking to limit the use of social security numbers in a lot of different contexts. I seriously doubt that any of them are going to pass, but you didn't find bills like this before the Congress three and four years ago.
If you look at some of the things that have happened in the last three and four years with respect to social security numbers, there was an incident about two years ago involving a service called PTRACK. This is an Internet service. People found out on the Net that social security numbers were basically available from a lookup company. There was a firestorm on the Net of objections to this, and it spilled immediately over into the general press. It was on the evening news. Two days later, there were bills introduced in the Congress to prohibit this kind of activity, and the industry responded with some seriously inadequate standards for privacy. But they stopped the ready dissemination of social security numbers.
Last year, the Social Security Administration put a web page up that enabled people with the use of their social security number and a few other items of information to get their social security account information. Someone wrote a story that said this was insecure and people could use this because of the ready availability of social security numbers. This was an even bigger firestorm, and two days later the Social Security Administration shut down the service and there were the usual slew of bills on Capitol Hill following up and press releases and all that sort of garbage.
There is a strong concern out there among segments at least of the American public about the ready availability and the misuse of social security numbers. So yes, this is going on. But there is a change going on also in public acceptance of this. How far this is going to go, I can't tell you. But things are different than they were five years ago. Things are different than they were two years ago, I think.
I suspect that -- and you already saw what has happened in the press. We've got a sleepy little advisory committee holding hearings outside of Washington. Look at what happened in the newspapers and on TV in the last day. This is an issue that resonates with people.
So yes, there are lots of things that are already in place, but there are a lot of changes as well.
MR. APPAVU: If I may, I want to clarify, for those who are looking on the Internet as well as -- I did not recommend any identifier. What I did in my report was made observations of the facts relating to each option, including social security number. I did list its strength, I listed its weaknesses equally. So I did not endorse -- that was not my job, and I did not recommend any options in my report.
DR. FRAWLEY: Clem?
DR. MC DONALD: I wonder if we have data about what other industrialized countries do regarding patient identifiers. Are there many that have them, and what kind of problems have they had with them if they have?
DR. GELLMAN: I can offer a little bit of information. It is really hard to compare the U.S. with other countries, because most other countries have some kind of centralized health service. So the Canadians and lots of countries in Europe -- they're also smaller populations.
So I'm not saying the experiences abroad aren't relevant, because I think they are. But you also find that in Canada, one of the numbers in use in Canada is the SIN number. It is the social insurance number. They found exactly what is going on in Canada is what has happened here with the social security number. It was only to be used for health purposes, and all of a sudden you turned around and it is being used for lots of other purposes, because everybody wants a better identifier, and everybody is looking for clearer ways to identify who people are.
You weren't here yesterday, but I expressed a concern that a patient identifier would become a national identifier for all purposes a couple of years after it got adopted, simply because of these pressures that had led to the expansion of social security numbers.
In any event, it may be useful to get some kind of information about other countries for this process, but it is only going to help up to a point.
DR. COHN: I was curious if Solomon had any comments in response to your question about the international situation. Is that something you are knowledgeable about?
MR. APPAVU: Could you repeat it? I'm sorry.
DR. COHN: Clem had addressed a question about the status of international activities around unique patient identifiers. Obviously, Mr. Gellman had responded. I was curious if you had any comments or input about that specifically.
MR. APPAVU: In my report, I did not address that, and I did not do any work in looking at what international communities do with regard to this.
DR. MC DONALD: There are some. I know Canada and England, I think Germany, most of the Scandinavian countries, and some of these are quite old, 20 and 30 years. I just think that it would be worthwhile understanding what kind of problems they have had.
We hear some dire predictions, and in some of these we should be able to confirm or find solutions to.
DR. COHN: One other difference I might point out between us and all the members at least of the EU is, they all have comprehensive privacy legislation, and we don't have anything. So they do have a privacy infrastructure in place, including data protection offices and a whole slew of rules, and people have expressed concern, saying -- so has this committee, saying we shouldn't adopt an identifier until we have a law in place. They have a law in place.
DR. MC DONALD: One other question on the same line. The military services of the 17-some hospitals have used a unique -- within the military services -- identifier for many years, 20 years, 30 years, and that actually is a social security number, and what kind of problems have they had with that.
MR. APPAVU: Well, the military uses social security number, and so that's the VA. I had a conversation with the VA. I interviewed a pilot project behind done by VA in three locations within Florida.
VA in specific are moving ahead with issuing an identification card that contains social security number, the picture of the individual, the social security name being bar coded, put in magnetic strip and that is what they are implementing right now system wide in VA.
In Florida, in three locations, the VA is also piloting a sample UH ID, something called internal control number. It is not being used as a patient identifier. It is not issued to the patient. The patient does not carry that, or the providers do not use that. It is used for internal control number within computer systems to keep track of the database. It is being piloted.
But it looks like they are expanding its use by issuing this new identification card within VA. That is to the extent I gathered information.
DR. FRAWLEY: Michael?
DR. FITZMAURICE: I have a couple of questions for Mr. Daryl Evans. One or two of them I have asked before.
The first one is, the year 2K problem, is there any advantage to having HIPAA come along at the same time as the year 2K, or are you already well underway with the year 2K and HIPAA will just be an add-on after that? Is there any synergy there?
MR. EVANS: No, it is actually competing for resources. I think you will find that throughout the industry.
DR. FITZMAURICE: The next question. You acknowledged that the de facto standard is the social security number. Suppose the social security number were to be issued with a check digit. Would that cause you a lot of programming problems, a lot of field storage problems? Is it something that is a large magnitude or a small magnitude to handle?
MR. EVANS: Let me respond in general instead of specifically for my company. If it were used as a key, then yes, the systems would have to be redesigned to use that as a key. That would be very costly.
Another alternative which may be less beneficial from the security of the numbers standpoint is, there would be tables that would be read that would cross reference that number to the key used in the legacy system.
I suspect whatever comes out of the legislation for a unique health identifier for a patient, at least in the near term, that is how it is going to be accommodated. That number, whatever it is, will probably be tabled and cross referenced to whatever the old key was, so that business can continue.
DR. FITZMAURICE: Now, if the old key were the social security number and the new key is the social security number plus one check digit, does that still have the same kinds of problems?
MR. EVANS: Most systems, at least our system, has a very structured key, no filler in the key, so yes, it would take some reprogramming, and we would have to go to a software vendor.
I sit on an enhancement committee. I watch what is coming out of here very closely, so that I can say, hey, guys, gotta do this, it is coming, it is coming. They are still working on HIPAA. The same thing with the key, to change the key.
DR. FITZMAURICE: So it is about the same magnitude for a problem as if you had a brand new health identifier?
MR. EVANS: My only contention is, it may take longer to process, a 29 to 35 digit code. After you go through the algorithms to decrypt it so you can read it and/or uncompress it or whatever else you may have to do to it, it may take longer for the system to process it. How long, I don't know.
DR. FITZMAURICE: My last question, I believe you had mentioned in your testimony that there is no need to put the new identifying number on a lot of the clinical data. There is one possibility though. I am aware that sometimes, insurance companies want things to be attached to verify a diagnosis. It may be a lab test, it may be the whole record.
In that case, we probably would want an identifier being placed on that lab result to match up with the same number on the claim. Would that be right?
MR. EVANS: If this is going to come in like the 275 claim attachment, electronically? Potentially. If there was some way to dis-identify that from the other demographic data that is going to be in the 837 the 275 is going to be married to, that would be better. I don't know a better way to put it.
Okay, back up. I do this all the time at work. The electronic claim, the 837, currently that transaction set has mandatory elements that include patient demographic data, as well as if the UHID is going to be embedded in there somewhere. The 275 could be attached to that without necessarily containing this patient key.
DR. FITZMAURICE: As long as there is some accurate way of attaching it, so name, address and so forth, which will give you maybe many keys to look at instead of just the one.
MR. EVANS: Your translator can handle that. If you go through the proper channels with ANSE and they set up the data segments in a certain way, the translator can put them back together. But while they are being transmitted, they are not attached. They are potentially not even the same transmission.
DR. FITZMAURICE: I guess I for one am glad there are people like you out there who can make the systems work. Thank you very much.
DR. MC DONALD: To elaborate on that, the only time -- you wouldn't have to send anything about the patient identifier in that attachment transmission. All the attachment transmission needs back is really the billing number, so that they can make that -- they don't have a concept of a patient in some sense, in these billing systems. It is just that account.
MR. EVANS: Is the MPRM on the 275 out yet? It is not out yet, is it?
DR. MC DONALD: What really would be there, I don't know.
MR. EVANS: Yes.
DR. FRAWLEY: Other questions? I'd like to thank both of the witnesses for joining us this morning. Thank you.
MR. EVANS: Thank you for the opportunity.
MR. APPAVU: Thank you.
DR. FRAWLEY: Is Dennis Bush here? David Miller from United Health Care? Is there anyone in the audience that would like to make any public comment at this time? What we will do then is adjourn now, and then we will reconvene at 1 p.m. Thank you.
(Whereupon, the meeting adjourned for lunch at 11:30 a.m., to reconvene at 1:30 p.m.)
DR. LUMPKIN: Good afternoon. Thank you for chairing the session this morning. I think maybe the spirochetes willing, I'll be able to be here for the rest of the afternoon.
Our next panel, is Steven Seweryn here? We will get started. We'll start off with Mr. Miller, if you would introduce yourself.
MR. MILLER: My name is David Miller. I am the senior director of Health Systems Services, United Health Care, based on Hartford, Connecticut.
DR. LUMPKIN: Great, welcome. If you cold just perhaps move that mike a little bit closer to you. e are broadcasting live over the Internet, so all those folks at home and in their offices can hear you. Proceed.
MR. MILLER: United Health Care is pleased to have an opportunity to participate in the NCVHS hearing on the unique health identifier for individuals.
By way of background, United Health Care serves ore than 13 million Americans with a broad array of health care produces and services. Our customers are distributed across all states and in most major cities.
We are currently participating with the work group for electronic data interchange and are actively involved in the accredited standards committee. We have for a number of years worked with HCFA to develop and establish data standards for the insurance industry. In addition, we are serving as a member of the National Uniform Claim Committee.
Let me begin my remarks on the cost-benefit implications of a unique health identifier for individuals by stating that we believe having a standard identifier is extremely important for the administrative simplification of the health care business. It is also an opportunity to apply these standards to managing information that will ultimately improve the health and well-being of all Americans.
United Health Care has over time combined with several health plans and as a result has long recognized the need to simplify health care administration by adopting national standards. We also recognize the need to join with providers and other health plans to work together to develop standards for electronic data interchange.
United Health Care currently enrolls members utilizing a number of data elements, such as the member's social security number, name, gender, date of birth and address. In addition, we generally link covered dependents to the member's identification number. When we receive a request for payment, we match the information on a claim to the information contained in a master person index, and route the claim data to one of several claims system platforms.
The identification number is extremely important to the accurate and timely completion of the request for payment, and in today's environment, we have a high degree of success utilizing the identification number assigned to the patient, and assigned by United Health Care. This information is supplied to the member in the form of an identification card. In the event the member or provider submits the identification number incorrectly, we use alternate information such as the member's name and address to locate the eligibility file or historical claim payment records.
At the point in time when the unique health identifier for individuals is established, it will be necessary for United Health Care to update all of its records with the new number and cross reference it to the prior member identification number. This will be necessary to locate historical records, calculate benefits properly and screen for potential duplicate payments.
I'll now describe the key cost-benefit implications of a unique health identifier for individuals. Positive identification for the insured member, issuance of new identification cards, members' familiarity with the identification number, upgrading software and programs and databases, electronic data interchange with providers and other payors, and responding to customer service calls.
With respect to positive identification of the insured member, we have established a system that works efficiently and effectively, and have very little difficulty identifying our members or locating their records. In the majority of cases, we receive the information as it appears on the member's ID card. A new and different identification number will not contribute significantly to this key function.
Issuing new identification cards. We do not issue new ID cards to all members each year. In many instances, members have established longstanding relationships with providers under their current United Health Care identification number. It is a common practice for providers to photocopy the member's card and add the member's ID card to their practice management systems.
When a member changes plans within United Health Care, their identification number usually remains the same. When a new and unique health identifier for individuals is adopted, and United Health Care is required to issue new ID cards to all of its members, it would increase the operating cost.
Familiarity with the individual identification number. Today, members are very familiar with the United Health Care identification number, because it is generally based on their social security number or on an alternative they supply to us. Even when the health card is not available in an emergency situation, the provider is able to contact us by phone to verify the coverage. An identifier other than the social security number will not have a positive impact on the process.
It should be noted that in the 1993 WIDI report, Appendix 4, unique health identifiers for the health care industry, Addendum 4 indicated 71 percent of the payors responding to the survey based the individual identifier on the member's social security number. However, 89 percent requested the insured's social security number for application of insurance. Clearly, the social security number is the current de facto identifier.
With respect to upgrading the software programs and databases, any change to the length of the current identifier will generate an expanse to modify multiple software programs of various claim system platforms used by United Health Care.
It is difficult to estimate the expense, since we do not yet know what the specification of the identifier will be. If the identifier is based on the social security number, it would generate the lowest cost to make the modification.
The member's identifier is a key index to the information and not simply additional information which must be captured and stored on a database. This information is required on nearly every system record, and is used to relate historical information to current processing of payments. It is therefore the critical element to the information process. If unique health identifier for individuals required a length greater than 11 characters, significant changes would be required to both software programs and system databases.
Electronic data interchange with providers and other payors. EDI with providers continues to grow at a steady pace. We would expect a unique health identifier for individuals to facilitate an increase in the electronic transaction volume. This is due to the confidence trading partners would have in utilizing a standard identifier and the result of reducing the number of rejected transactions.
In the current environment, the requirement for member identification for electronic claims and paper-based claims are the same. There is some difference in the efficiency of locating member records when the claims are submitted on paper. This is due to the lack of completeness and accuracy of the paper forms and the need to transfer the information to an electronic record.
For paper-based submissions, the result is an increase in the number of records that must be manually reviewed. A standard identifier with a check digit would improve the process if the person submitting the claim was required by a computer system to verify the check digit prior to submission. We believe this would have a positive impact on 10 percent of the volume.
Finally, responding to customer service calls. A change of this magnitude could generate a number of customer service calls during the transition period. Some of these calls will be from providers to verify the member's eligibility in United Health Care plans under the new number. We would also expect calls from members with questions about the new identification number: how to obtain one, how to make modifications to the number, and general questions about the reason for change. With the number of elderly insureds, this will be a special concern.
Finally, with respect to cost-benefit implications of a unique health identifier for individuals, it is difficult to accurately estimate the total cost impact with the limited amount of time we have had to review the white paper on this subject. Based on our current membership, we project compliance to potentially cost United Health Care as much as $10 million.
This assumes the social security number is used as the basis, and the new identifier is not required until after United Health Care issues the member a new identification card and has updated the member's record. In a worst-case scenario, the potential cost could exceed five times the minimum effort. This assumes the unique health identifier for individuals is expanded to more than 11 positions, required complete re-engineering and mandatory issuance of the member ID card.
It is apparent that cost could exceed the benefit unless the transition to the unique health identifier for individuals is based on the social security number. We believe this can be accomplished by making modifications to the enumeration process used by the Social Security Administration.
We would suggest that if the standard for the unique health identifier is based on the member's social security number, we would begin to issue new identification numbers, including the check digit to the existing members, and continue to accept the former United Health Care identifier which in most cases will be the same.
With either number being viable during the transition period, it would mitigate the problem of locating the member's record and allow providers to adapt to the new number on a patient by patient basis. We would enroll those members who have been issued a new unique health identifier under the new number and expect enhancements to be made to the Social Security Administration to improve the process over time.
We have reviewed HCFA's white paper on the unique health identifier for individuals based on the social security number, and we have concluded all of the negative aspects identified can be resolved. We suggest that any numbering system will inherently generate problems associated with duplicate numbers, enumerating individuals not incorporated into the system, and transition to the standard.
We have also concluded from a cost perspective the social security number would be the lowest cost option. We believe an investment in the enhancement to the enumeration process via the Social Security Administration would provide the health industry with an opportunity to move the administrative simplification process forward, rather than starting over with a new administrative system for assigning unique identifiers.
We believe the purpose of the unique health identifier for individuals is to simplify the administrative process and increase the electronic data interchange between providers and health plans.
We urge the National Committee on Vital and Health Statistics to carefully consider the impact of this change on the health industry in its recommendations to the Secretary of Health and Human Services, and we would again like to thank this committee for the opportunity to share our views on this matter.
Thank you.
DR. LUMPKIN: Thank you. Steve, if you could introduce yourself.
MR. SEWERYN: My name is Steven Seweryn. I am here today representing the Cook County Department of Public Health, or CCDPH, where I serve as the director of epidemiology and data development. I wish to thank the committee for the opportunity to be here today to discuss issues surrounding the development of a unique health identifier, or UHID.
The Cook County Department of Public Health is the local public health authority for the majority of suburban Cook County, and serves 2.1 million residents. As in other jurisdictions, CCDPH is charged with preventing disease and disability and promoting health by fulfilling its core functions of assessment, policy development and assurance.
My comments today will focus on some of the potential benefits and costs of a unique health identifier from a public health perspective.
As the agency chiefly responsible for monitoring the health of its communities, CCDPH sees a UHID as a means of improving the efficiency of disease surveillance systems. In the area of infectious diseases reporting and control, a UHID would potentially allow for collection of data from disparate sources, including infection control practitioners, primary care providers and laboratories, while reducing time spent in managing duplicate reporting and investigations on the part of both public and private sector employees.
Improvements in timeliness of reporting would enable earlier identification of outbreaks of disease and implementation of investigative and control activities. However, these potential benefits are not limited to infectious diseases, since a UHID would potentially allow for improved surveillance of non-infectious disease morbidity and other adverse health conditions. For many of these conditions, mortality records, which only reflect the most severe consequences of such events, are the only source of data
For example, improved surveillance for events associated with an environmental exposure may be assisted through a system where medical histories for multiple providers might be obtained while assuring that each case is unique and unduplicated.
Similarly, CCDPH as a mandated reporting entity for child abuse and neglect sees a UHID as assisting in surveillance for patterns of provider usage that may be indicative of abuse or neglect of children and the elderly.
Surveillance activities could also be potentially improved by elimination of the need for multiple reporting requirements to single purpose registries. Cost savings would be realized in eliminating the need for stand-alone systems to monitor unique health events.
In addition to surveillance of health events, public health agencies are increasingly involved in community-wide assessment and planning activities. In Illinois, local health departments are required as part of their certification process to conduct a community-based assessment of health needs and priorities called IPLAN. Data for these activities originate in both the public and private sector. A UHID would assist these public health agencies in assuring that data disassociated with patient identifiers represent unduplicated counts of events. This information would then reflect a more accurate picture of a community's health, thereby assisting in developmental plans which direct resources where most needed.
Public health agencies also are providers of medical service in the community. A UHID would assist in the continuity of care between public and private providers. In many cases, CCDPH is not the primary care provider for the patient, and provides only categorical services such as immunizations or only a portion of the patient's care.
Patients frequently switch between public and private providers for care. Information linkages enabled by a UHID system would allow for continuity of service delivery and reduction in duplication of activities by public agencies, resulting in cost savings.
A UHID could provide benefits in the area of individual patient tracking. Improved tracking of immunization histories and assessment of immunization coverage from both public and private providers would be facilitated by a unified patient identifier.
Besides improvement in patient tracking, cost savings could be realized by public health agencies, by the elimination of special purpose tracking systems. For example, wards of the state may receive care from a variety of unrelated sources under the supervision of multiple guardians.
In its jurisdiction, CCDPH must implement a tracking program to gather this information into one unified health record for these children. Efforts spent in this area could be reduced or eliminated if unified by a single patient identifier.
All of the potential benefits and improvements to activities performed by the public health agencies such as CCDPH do not come without some cost. Assurance must first and foremost be in place that patient confidentiality is not paid as the cost for information access.
CCDPH agrees with the NCVHS recommendation that we must not proceed to select an identifier in the absence of legislation to assure the confidentiality of individually identifiable health information. Any UHID system implemented must be sensitive to the fact that local agencies have limited resources to retool existing data systems.
While CCDPH recognizes that cost savings will be realized from potential improvements in service delivery, it does not wish to incur substantial costs of redesigning standing electronic record systems and associated staff training time. CCDPH believes that MPI-based systems have merit in both assuring confidentiality while preserving resources invested in legacy systems.
Further, while CCDPH believes that a UHID system will provide improvements in the quality and efficiency of public and private health care delivery, it is imperative that any UHID system not stand as an impediment to access to health care services, especially to those persons in our community who are most disadvantaged and at greatest risk.
Thank you.
DR. LUMPKIN: Thank you. Questions from the panel?
DR. FYFFE: Thank you. Hi, Dave. Would there ever be a situation that a patient being treated by United Health Care would not have a social security number? And if so, what would you do in order to give them a number or handle their record?
MR. MILLER: The employers those patients work for would assign them a number.
DR. FYFFE: Oh, really?
MR. MILLER: If they do not have a social security number.
DR. FYFFE: Do you have any like --
MR. MILLER: An employee identification number.
DR. COHN: I want to thank you both for a very interesting set of testimonies.
David, I had a couple of questions for you to start with. I guess I was a little unclear in your testimony. Is the social security number your identifier?
MR. MILLER: Primarily the social security number. Except for a few customers who use an employee identification number, we base it on social security number. We also have a contract with the government processing medical claims that is based on social security.
DR. COHN: So we are talking about 98 percent of your members, 97 percent?
MR. MILLER: I think you could probably say 85 percent.
DR. COHN: Eighty-five percent, okay. Now, I was I guess sort of surprised as I looked on page seven of your testimony. You seemed to indicate that using a check digit by the person sending the claim would have a positive impact on 10 percent of the volume. I just wanted to make sure I understood. I began to read that as -- are you saying that 10 percent of the claims that come in have the wrong number associated and therefore have to be sent back for re-checks?
MR. MILLER: No.
DR. COHN: What exactly does this mean?
MR. MILLER: On the paper claims that have inaccurate information, we use an alternate of the name and the address. So if we are missing a social security number or it matches another we have in our system or it is inherently wrong, we would use a name and address. So if the check digit allowed the number to be correct before it came to us, we would not be forced to resolve those claims manually.
DR. COHN: Maybe you can explain to me, what exactly does this mean, a positive impact on 10 percent of the volume? Does that mean that in 10 percent of the cases there needs to be some adjudication to identify the individual?
MR. MILLER: Correct.
DR. COHN: And that is because there is no social security number or no United Health Care ID, or it is the wrong one?
MR. MILLER: Right, correct.
DR. COHN: I think that sounds like a fairly substantial number.
MR. MILLER: Well, at the end result we are still able to locate 98.5 percent of the members. A small portion of that are rejected and returned to either the patient or to the provider, depending on how it was submitted, or either formally covered under our plans and no longer covered under our plans or not members of United Health Care. So a very small portion of the documents or electronic transactions we get, we cannot find a record for.
DR. COHN: Just a general question of your membership. Do you have a sense, or does your corporation have a sense of whether there was concern by your membership with using the social security number as their ID?
MR. MILLER: I'm not aware of any concern that has been expressed to date using this ID number.
DR. COHN: Okay, fine. Is it okay to ask a couple of questions of Steve? I was also looking through your testimony, which I thought was excellent. I was having some problem identifying -- I presume you do have a unique health identifier of some sort now?
MR. SEWERYN: Yes, in the current system.
DR. COHN: What are you using currently?
MR. SEWERYN: What system?
DR. COHN: No, what number?
MR. SEWERYN: The system generates a unique patient record number.'
DR. COHN: So that is not the social security number at this point?
MR. SEWERYN: No. The social security number is collected where available, but a fair number of our clients don't have them, or don't remember at the time of service. So we don't rely on the social security number as a means of generating a patient identifier.
DR. COHN: Are you having problems currently linking data about your patients?
MR. SEWERYN: No. Clients who come into our clinic are assigned a number. There are other activities which the department is involved with which are outside of that clinic system, and therefore those people don't necessarily get into the system, so those linkages aren't made.
DR. COHN: Can I just clarify one part? Is that a global number or is that the cornerstone number?
MR. SEWERYN: No, it is a global number in most cases, but they may also have a cornerstone number.
DR. COHN: There are two different systems. There is a clinic tracking system that they use at Cook County Health Department made by global, then there is a state developed system which is called cornerstone, which develops the unique statewide ID, which is a combination of a soundex-like algorithm from the last name, some other characteristics, date of birth, a couple of other things like that.
DR. LUMPKIN: Thanks for the clarification. Can I ask --
MR. MILLER: No, go ahead. I was trying to clarify because I didn't understand the answer to your question because I knew too much about the system.
DR. COHN: I was just following up about the linkage question, and you were beginning to explain that you have some trouble with linkages with outside information. I want' sure whether that problem had to do with the fact that the information was not coming in, and therefore you can't link it, or whether you have the information and it is just because of the lack of a unique health identifier, it causes problems.
MR. SEWERYN: We have information on patients who access our system. In many cases, in immunization, for example, people go to private providers and other sources for service, and we don't always have access to that information unless they provide it to us in the form of an immunization record at the time of entrance into the clinic, but they don't always bring those with them. So in some cases where they come in the clinic with nothing, they will be immunized age appropriately, but they may actually be receiving some duplicate immunizations.
So there is duplication there because of the lack of linkage, in terms of the health record. And certainly, some of the cornerstone and some of the other activities the health department is involved with try to eliminate some of those problems around immunization. But certainly we have those type of situations with other types of clinics and patients.
DR. FRAWLEY: Mr. MiIler, I'm just curious. At United, is there any information given to your members at the time of enrollment regarding the use of their social security number as an identifier, or any information about how that information will be used?
MR. MILLER: The member enrollment form clearly states that they are being requested to supply their social security number for identification.
DR. FRAWLEY: And does it explain to the patient or the member what the number will be used for, as far as claims processing?
MR. MILLER: I don't believe so.
DR. FRAWLEY: Your system would be able to accommodate someone if they objected to the use of their social security number?
MR. MILLER: Yes, it would.
DR. FRAWLEY: So potentially from your testimony, I am assuming you would be able to accommodate up to 11 digits?
MR. MILLER: Up to 11 digits.
DR. FRAWLEY: If a patient wanted to make up their own number, you would be able to do that.
MR. MILLER: After enrollment, the member receives an identification card, and it clearly states the number that they enrolled under. So they are very well aware that their social security number is being used on their identification card. And they are given instructions to supply that whenever they receive health care.
DR. FRAWLEY: Steven, just a question in terms of the Cook County Department of Public Health. Similar type of question. Do your patients or any of the individuals that you are collecting information on, are they given any type of notice? Are they aware of any information being captured on them?
MR. SEWERYN: The patients being enrolled under the cornerstone system are required -- I'm sorry, we are required to give them informed consent if they are going to be in the system, except in the case where they are wards of the state. But for our global system, there is a general clinic services, in terms of what is enumerated and what we are going to collect. We ask them the information. They are able to refuse any of the information if they so choose.
DR. FRAWLEY: Thank you.
DR. FYFFE: Questions for Dave and Steve, different questions. Dave, you say United Health Care serves more than 13,000 Americans?
MR. MILLER: Million.
DR. FYFFE: Thirteen million, I'm sorry. Is that policy holders or is that policy holders plus dependents?
MR. MILLER: That is subscribers, members. That doesn't include dependents.
DR. FYFFE: That does not include dependents.
MR. MILLER: Correct.
DR. FYFFE: Then you go on in your testimony on page three under the current process. You say you generally link covered dependents to the member's identification number.
MR. MILLER: Correct.
DR. FYFFE: So that -- well, that is as it is stated. Under the HIPAA law, are you envisioning having to enumerate all dependents in your system, if the law in fact says there has to be a unique identification number? How would you handle that?
MR. MILLER: We are currently not anticipating that. We are anticipating that we would have the insured's ID number continue to be used as the primary identifier of the coverage, and the dependent be an additional two-digit byte suffix to point to the member. So the patient would have the same identification number as the insured would in our system.
DR. FYFFE: Now I have a question for Steve. I'm not a public health type, that's pretty obvious. And today, this word surveillance has intrigued me. I feel like I am reading a mystery novel. You say, put surveillance on that person, and everybody gets all excited.
Are there state laws that say, let's do surveillance on peoples' diseases? This is an inflammatory word. Can't you say tracking or monitoring of disease instead of surveillance? I'm quite serious. This is bad PR.
MR. SEWERYN: I guess this is a battle that we in public health fight all the time, in terms of trying to explain what we mean by surveillance. Surveillance involves disease monitoring the trends of disease, and surveillance is a jargony --
DR. FYFFE: It is kind of an interesting word, but -- okay. But are there state laws that say --
MR. SEWERYN: Yes.
DR. FYFFE: -- we are setting up disease surveillance systems in the state of Illinois?
MR. SEWERYN: These surveillance systems in the state are established under state law. There is a series of state laws. The main one is the Communicable Disease Act, which specifies that the state department of public health will identify those diseases that are considered to be communicable and reportable.
There are some that are -- for instance, general herpes is communicable but not reportable. But other sexually transmitted diseases are reportable. There are laws that would generate a state cancer registry, which mandates those. All of those have associated provisions that determine in what cases that information can or may not be related.
DR. FYFFE: Yes, I understand that, but I am curious about the word surveillance in the law.
MR. SEWERYN: It's a --
DR. FYFFE: Politicians wouldn't like that word, I would think.
MR. SEWERYN: It is a public health term that has been in existence forever. I think Dr. Snow invented that term in 1854 when he first was investigating an outbreak of cholera in London, and it just kind of stuck. But it does have those connotations.
DR. FYFFE: Thank you. That's all I have.
DR. MC DONALD: I wanted to get Dr. Seweryn to talk about the immunization and the laboratory reporting, because where the unique identifier has the most utility is where you do have many systems talking to one another, many foreign systems. In Indiana anyway, the immunization reporting system they have tried to develop has been unrealized by practitioners, because they can't get into it very easily. They don't have any keys. They can look through names, but if you're a Smith, it is hard to find the right one.
So what has been your experience with that here? How much benefit would an identifier have to you in trying to provide immunization information from and to practitioners, not just in the public health environment?
MR. SEWERYN: We feel that it would be of benefit in terms of having the patient's immunization history on hand in our clinics, because we do know that a fair proportion of our clients do have primary care providers where they seek immunizations. But they may come to our clinic either because of time constraints, they can't get an appointment with their provider. They may have cost constraints. We provide immunizations free, at no charge, on a walk-in basis at our clinics, so clients may choose to come to our clinics.
But we feel that a system that coordinates those records as much as possible -- and cornerstone is attempting to do some of those things, but we feel that that would be a benefit to our clients in those instances where they come into the clinic, the mother has three children, she hasn't brought their records or the records were destroyed in a fire or they moved or whatever. So we don't have the re-immunize children inappropriately -- not that we immunize them inappropriately, but we have no history, and so we have to go with what we know in order to get them in compliance with the requirements for school entrance and to get them appropriately immunized for the most part by page two. I think that would be a benefit.
DR. MC DONALD: Well, let me ask along the same lines in terms of disease tracking or surveillance. You I'm sure like Indiana get reports from all the laboratories in the county, to decide about disease reporting. How much use would it be to have a unique identifier on those reports for reducing work you have to do to track them and getting them electronically, getting all of them? Do you think you'll be getting more reporting, and do you think it will be done less expensively?
MR. SEWERYN: I believe that it would eliminate some duplication. From time to time, we do get reports that -- the first thing we have to do is a record search, to make sure that the client hasn't been previously reported or that result hasn't been previously reported. So it may assist both us and the private provider in terms of having to make duplicate reports or initiate duplicate investigations.
It would also assist us in terms of eliminating the need -- for example, in our hospitals, our infection control practitioners report the four programs currently separately. They have to make four phone calls to report four separate diseases. That may be in part a problem with our public health system, but certainly a unique identifier system may help to unify that, and we can centralize that at the health department and then distribute those reports to the appropriate programs.
So there are some benefits which we probably haven't even examined yet.
DR. GELLMAN: I would like to ask each of you about how your organizations deal with privacy issues. Do you have a formal privacy policy or written policy, Steve?
MR. SEWERYN: I believe we do, as part of our record maintenance. We have confidentiality rules and there are laws regarding communicable disease confidentiality for the state, which we abide by. I'm sure that the agency itself has a privacy policy.
DR. GELLMAN: David?
MR. MILLER: Yes, we do.
DR. LUMPKIN: If I can jump in, the state requires a memorandum of understanding between us and the local health department for assuring that they meet the state privacy test for procedures.
DR. GELLMAN: David?
MR. MILLER: United Health Care has a confidentiality policy. All the employees are informed of that policy.
DR. GELLMAN: How about the patients?
MR. MILLER: The patients are informed of the policy.
DR. GELLMAN: How? How do they get the policy?
MR. MILLER: In the construction of the benefits handbook, patients are instructed, members are instructed as to our policy.
DR. GELLMAN: Do you have a dedicated privacy officer in your organization?
MR. MILLER: Yes, we do.
DR. GELLMAN: Who is it?
MR. MILLER: Paul LaForte.
DR. GELLMAN: Does he have other functions?
MR. MILLER: Yes, he is chief information officer.
DR. GELLMAN: Steve, how about you? Do you have a dedicated privacy officer?
MR. SEWERYN: I might have to check on that and get back to you.
DR. GELLMAN: Okay. One of the concerns that has been expressed here is that a patient identifier, mandated patient identifier, and the card that goes along with it would become a national ID card used for all purposes. Assuming that to be the case, would that change your opinion about whether we should go down that road, David?
MR. MILLER: No, it would not.
DR. GELLMAN: Steve?
MR. SEWERYN: Well, as I said, in most cases the presence of a unique identifier which could link the data that we have or need access to would -- if it would assure that it was unique, and we could assure that records were unduplicated, in many cases we wouldn't need to know a patient identifier.
So I don't know if I'm answering your question. You're asking if --
DR. GELLMAN: Assuming that a health identification card was used as a national identifier, would that change your opinion, if that was an inevitable consequence of adopting a uniform health identification system, that there would become a national ID card based on that, would that change --
MR. SEWERYN: I don't believe so.
DR. GELLMAN: Thank you.
DR. LUMPKIN: I have a couple of questions. The first is for David Miller. I am intrigued by this alternative ID that you have. My assumption would be is that you would not allow an
alternative ID to be one that had the same number of digits as the social security number.
MR. MILLER: The alternative -- there are various ID alternatives to the ID we use. We simply take the patient master index information such as name and address and create a key, which cross references to the original social security number or member identifier.
So if that information comes in the claim and the identifier does not, we can use the alternative information to find the master record. There are occasions when we would find several records with fairly similar alternative IDs, in which case we would then have to manually select the correct member record.
DR. LUMPKIN: In your description of the use of the ID which is for your 13 million subscribers, and then their dependents are listed as being extensions of that subscriber, I was a little bit confused as to whether or not you used that ID for a billing identification or an identification to group medical records that belong to the same individual.
So if I am enrolled in your plan, and my son who is a junior has the same name, how do you know whether or not those records are mine or his?
MR. MILLER: We distinguish by name and secondarily by date of birth and tertiary by the relationship that he has to you as a member.
DR. LUMPKIN: So for medical record purposes you really are using the master patient index --
MR. MILLER: Correct.
DR. LUMPKIN: -- to group those records.
MR. MILLER: The history of the patient, whether it is a spouse or a child, is completely separate from the member's history claim. But we find those records, first the member, the patient, underneath the relationship to member and distinguish the subtle differences between date of birth and name.
DR. LUMPKIN: In the system that you described of alternative IDs, if we were to move to a national system and allow people to opt out, it sounds like your system would be able to accommodate a user supplied ID number.
MR. MILLER: If it met the system requirements within the 11 digits.
DR. LUMPKIN: Steve, in your presentation you talked about unduplicated counts. Can you give me an example of how a health department would be duplicated counts?
MR. SEWERYN: We work fairly closely in some cases with local hospitals, and they provide us with information about the number of births or other events that occur in their hospital, and we have data available from our system through client patient systems or other reporting systems. If identifiers are removed from there, it may be difficult to discern whether there are duplicates in those two lists of records or two sets of databases.
In some cases, neither of us are willing to disclose an identifier to do a match, and so some means of doing that match to eliminate those duplicates would be helpful.
DR. LUMPKIN: What is the downside of having duplicate counts?
MR. SEWERYN: The downside of having duplicates is, you can misrepresent the level of health events in a community or the frequency that services are being provided, and there is a mismatch between what is going on and services or resources that you are allocating to a program.
DR. LUMPKIN: Clem.
DR. MC DONALD: A little bit of a follow-up in terms of duplicates. It seems to me that is the nature of the beast: you get duplicates. They just happen, and they happen a lot, because the matching isn't done carefully enough. When a person comes in on another encounter and they you are taking care of patients, that can have a big harmful effect, because the results you are looking for may not be under the file you are looking at, in contrast to the research and surveillance activities, is that right?
MR. SEWERYN: Right. In addition, for instance, reporting many of the infectious diseases, there are mandates on reporting by providers as well as laboratories. So if you get a report in from the laboratory about leptospirosis or something like that, and then you get a laboratory result, and then you maybe get two laboratory results because the hospital didn't believe it and they sent it out to an outside lab, (words lost) Illinois, since we only see one of those every year through a report, it might actually be significant. You would have no way to adjudicate whether or not those were different. And those issues become especially important when you look at cross jurisdictional lines and different health regions.
DR. LUMPKIN: Let me ask this question. Obviously you are talking about two different parts of what you do as a local health department.
MR. SEWERYN: Correct.
DR. LUMPKIN: The cornerstone and the clinic part, where you are providing medical services, and then the other part where you are conducting surveillance on diseases, not on people. After you have done the linking, you have done the unduplicated counts, is there a reason for you to maintain the identifier in your really?
MR. SEWERYN: No. In most cases, if we can be assured that we have an unduplicated count, we really only need the demographic data to try and characterize the incidence or prevalence of disease in a given community.
Right now, names are often used as one of the reliable identifiers, and reliable is in quotes in some cases, but it is the most reliable thing we have in many cases. So in most cases, even at the point of service and discussing this, the need for a unique identifier is necessary, but at the point of service the individual clerk would not necessarily need to know the unique identifier for that patient. So they wouldn't necessarily need to know to be able to link it to the rest of the patient's medical history.
DR. LUMPKIN: Other questions?
DR. MC DONALD: One more question for Mr. Miller. The number system you describe is I think almost identical to what the military has used in terms of the social security number of the service person and then the dependent as an add-on. But that isn't exactly what HIPAA is speaking of, I think. Maybe you can help me clarify it. That number then would be change in terms of divorce, remarraiges and children as they went out and got jobs or became a military person.
So in that context, I think you said that the number you had would work fairly easily, but if one were required to adopt a unique identifier per patient, that would cause you more pain?
MR. MILLER: We would expect that we would be able to continue to identify the patient, the member in a similar fashion, notwithstanding that if there was a separate patient identifier which uniquely identified the patient or the member, we could utilize that, but it would be an additional piece of data, not a key index. The insured's ID number is still the primary key index to the file, and we would retain that separately in the master patient index, at least as we would envision it today.
DR. MC DONALD: I don't think there is anything in the legislation that says you must use it as a key index.
DR. LUMPKIN: If I could follow up on that question, because something that Clem just said brought this to mind. My family is enrolled in United Health Care and we are dedicated members, et cetera, et cetera. Let's assume that. But you guys don't have any market share here, so it doesn't really matter.
My son now graduates from college and becomes employed and he becomes a subscriber. He now is enrolled in the plan under his social security number. How do you find his records from when he was a kid?
MR. MILLER: If he was working for an employer that we have coverage for, we would enroll him separately and build a record for him under that employment record. His prior history would be cross referenced, moved to his new employment record.
DR. LUMPKIN: Thank you. Thank you very much. First I have to ask if Dennis Bush has arrived. I think we are going to forge ahead to the next panel, since we are ahead of schedule. Miss Shannah Koss?
PARTICIPANT: No, she's not here yet.
DR. LUMPKIN: Diane Hillbrant, please come forward. We will probably begin with Diane. Please introduce yourself.
MS. HILLBRANT: Good afternoon. Thank you for the opportunity to share the pharmacy benefit manager perspective, PBM perspective. My name is Diane Hillbrant, and I too am from Minnesota. I am the senior director for strategic provider networks for Diversified Pharmaceutical Services.
Diversified is one of the three largest PBMs in the United States. Our business is focused primarily in the managed care marketplace. I am a member of NCPDP and co-chair for the work group responsible for reviewing the option for unique health identifiers for individuals.
As you may recall from previous testimony, NCPDP is the ANSE accredited standards development organization representing the pharmacy services sector of the health care industry. Currently there are over 120 PBMs providing services to self funded employers, insurance companies and managed care organizations covering over 125 million people.
Our industry maintains online connections with over 54,000 pharmacies with a total number of electronic prescription claims, including Medicaid, surpassing one billion in 1997. Each of these claims were submitted and responded to within seconds.
I'll go into the general question. The first question asks the most important reason for having such an identifier. The most important reason for adopting a unique identifier is that standardization will improve the ability of authorized health care providers and others providing valuable service to share information and enhance patient care. The pharmacy services industry has benefitted tremendously from the standardization that has already occurred, and been developed through NCPDP. Patient care and administrative efficiencies are enhanced when components of the health care system are able to easily communicate information to each other. The use of a unique identifier all health care services rendered to or with respect to an individual can easily be linked.
The question two asks about alternatives. We as an industry believe that the adoption of a unique identifier is necessary for the advancement of health care in this country.
Question three talks about other identifier options. The NCPDP membership has considered the options and has decided to support the CPRI proposal. the membership including the PBM industry has eliminated any system that does not produce a unique identifier for individuals for the reasons discussed earlier.
Number four talks about, what is used in the industry today. The most commonly used identifier in the private pay portion of the pharmacy industry is a variant of the social security number. The social security number of the subscriber of the individual covered by the prescription drug program is used as the base. Additional numbers are generally added to the social security number to identify, for example, the applicable group or other members of the family.
Question five speaks about other options that do not require universal unique numbers. It is our hope that a unique identifier will be adopted. Earlier discussion addressed the benefit that the pharmacy and health care industry consider an important reason for the adoption of the unique identifier. If we do not have a unique identifier, the cost of the administrative and technological investment to translate and match information will continue.
Privacy and confidentiality. It is important to acknowledge and address the need to maintain confidentiality and privacy of health care information relating to individuals. Industry participants should be expected and required to take precautions to safeguard this information with associated fines and penalties for violations. The health care industry and especially pharmacy, which has been using electronic claims submission for many years, must be allowed to continue to perform the administrative and clinical services that are helping to control health care costs. Legislation or regulatory action must be carefully considered. The health care system cannot afford to hinder the quality enhancing cost effective administration of the pharmacy benefit.
I then go into a discussion about some of the criteria that are important, and I have come to about six. The first is a concise numbering system. As the number increases, or I should say as the length of the number increases, so does the storage cost. As part of the health care industry, we are required to keep significant amounts of data and information. The expansion of the length of the field results in incremental increases in storage costs.
The second is permanent. To develop a numbering system that is subject to change will require the industry to develop linkages and valuable clinical services will be lost. The net result will be to increase health care costs.
Compatibility with current standards. The current electronic pharmacy standard has been in place since 1988. The current identifier field allows for 18 alpha numeric bytes, although few within the industry use 18 bytes. Significant cost throughout the pharmacy and health care industry would be incomplete to support a change in the electronic standard.
Timely. Millions of pharmacy claims are submitted on a daily basis. A delay in the assignment and distribution of an individual identifier would delay or deny the individuals access to the prescription drug benefit and could have a disastrous effect on every link of the pharmacy industry.
Unique to the individual. We have discussed the rationale for the unique identifier. In addition, the pharmacy health care industry must continue to develop new and innovative services that enhance administrative and clinical services while controlling cost.
Universal. Developing a standard which cannot accommodate every individual may result in conversion of the identifier. As we all know, conversions are costly. The assignment of duplicate identifiers would compromise the PBM industry's ability to deliver administrative and clinical services.
Since the social security number is the most commonly used standard, the advantages are that it is the most commonly used, it is compatible with current electronic pharmacy standard, and when compared to others it is concise. Its uniqueness could be addressed in a reverification process.
Approved uses. The use of the individual identifier requires a balance in privacy and health care needs. The health care industry must be able to continue to provide services -- and note that this is not a complete list -- such as disease management, treatment, epidemiological research, quality assurance and general health care operations.
Infrastructure, policy and procedures. The identifier must be capable to assignment to an individual in a short period of time. The assignment of a unique identifier should occur prior to accessing the health care system, ideally no later than birth. Because of the potential impact on the delivery of health care services, it is important that adequate verification occur prior to the assignment of the identifier.
Implementation and transition issues. For a smooth implementation, the identifier must be readily available. That is, before mandating use, every link in the chain of the health care system must have the information.
The individual must be able to supply each family member's identifier to the employer. The employer in turn provides this information to the health plan administrator, or PBM. The individual when they enter the pharmacy presents the prescription with the identification card containing the unique identifier. The PBM matches the identification number on the pharmacy claim with the eligibility file and approves the claim. Such a match will produce an immediate response to the pharmacy facilitating the prompt delivery of services.
To talk about the identifier characteristics, I spoke earlier about the length. The more concise, the better. Each link within the pharmacy system uses the identifier and stores the data as part of the pharmacy claim. Any approach that expands the length of the identifier incrementally increases the storage and administration costs for every sector in the health care continuum..
Check digits. The addition of a check digit can significantly decrease the incidence of inaccurate recording of the individual identifier and thereby lower administrative costs. The check digit algorithm should be readily available to all sectors of the health care industry, including pharmacy.
Temporary identifiers. Expedited assignment of individual identifiers will minimize the need for temporary identifiers. Although necessary to consider, every effort should be made to limit the need for temporary identifiers.
Encryption. Encryption of the identifier would minimize the privacy concerns associated with the use of the social security number. Encryption increases the cost of the unique health identifier proposal.
Cost. The cost of the unique identifier will be low if the current capabilities and systems are used. It is important that any project of this magnitude receive proper funding to assure quality and security. Any changes to the current system will result in cost. Items impacting cost are the length of the unique identifier, the magnitude of change from current business practices, and the time line for implementation.
Conclusion. The PBM industry supports the adoption of the unique identifier for individuals. Within the pharmacy health care sector, the most commonly used identifier is the social security number. Privacy and confidentiality concerns of the individual are important, but must be balanced with the health care industry's need to perform vital clinical and administrative health care services.
Thank you.
MR. QUINN: My name is John Quinn. I am here representing -- well, first of all, I was sent here by my firm, Ernst and Young, but more importantly I am here representing HL7. I am the technical committee chair of HL7 as well.
In my work with Ernst and Young, I have in the last three or four years worked on many large implementations of identification schemes for large provider organizations. So while I can't represent those organizations per se, I can certainly bring my knowledge and experience in having worked on that in the last several years, as well as the needs of HL7.
I'm going to start with the specific questions. Why or why not have a unique identifier for health care? Speaking from the perspective of Ernst and Young and the providers that I serve, the ability to correctly identify a person is directly responsible to correctly finding a patient's history and clinical records and the ability to correctly bill and be reimbursed for services given to the patient. Patient safety and general customer service requires that this be done quickly.
As provider organizations have merged into larger integrated delivery networks over the last five to 10 years, we are finding more time and money being spent in the provider organizations to create information systems that can deal with the status quo, which is several different historical identifiers and identification schemes.
Some organizations are attempting to create a new integrated delivery network-wide identifier while at the same time accommodating different legacy information systems based identifier and hard copy based patient identifiers on patient charts, film jackets, prescriptions, et cetera.
Now, if you are looking around for this on paper, I'm going to email it to everybody when we're done.
The unique individual identifier would eliminate the need over time for new complex MPI systems that have an approximate or statistically uncertain change at matching these different identifiers. These new systems automate the process, reduce the need for humans to research eery encounter, and may -- time will tell -- be more accurate than human research. However, a working system of unique individual identifiers would vastly in my opinion improve this process.
Question two, health plans and health care providers already have systems. Identifiers that range from internally generated numbers, which I find to be the most common, to social security numbers are in use today. Each has their own potential problem. The causes for these problems lie in the variety of the various systems, the individual's ability to know, i.e., remember, their own ID, and the lack of a central source of truth that can be used to find and/or verify known patient demographic information to a patient identifier.
Number three. What are the viable alternatives to the unique individual identifier? Well, the next best alternative would be a limited number of managed identifiers, i.e., those with a trusted and available database. So for instance, if states wanted to have individual identifiers as opposed to the federal government.
Without this, I believe the ad hoc method of a health plan or delivery network internally generated and internally managed identifier, i.e. what we have today, is the next most workable, and that I have given any thought. However, it does not give any relief to external organizations. In other words, other health plans, other health providers or the government are not served by individual organizations having their own identifiers.
What impacts would a unique identifier for health care have on an individual's right to privacy? Without the identifier, it is hard to imagine how we are going to make significant improvements in the use of information systems to handle patient administrative and clinical information. Admittedly, this may make it easier for an individual's private information to be released. This doesn't make the release of an individual's private information any more right or wrong; it does indeed make it easier.
How should the federal government be involved? My feeing is, the federal government should be involved if a unique identifier is to be used. There needs to be a single source of truth that connects the identifier to a person. If this was to be done by a private concern, then the federal government would at the very least be the largest single payor and largest single user of the unique identifier. Someone would have to license or appoint or otherwise give authority to implement the unique identifier if it is not done by the federal government.
I'm going to go over the questions that I picked out relevant to this topic and what I can add useful information to, as opposed to just giving you my opinion as a citizen.
General questions. One, the law requires the Secretary should adopt a unique identifier for individuals in health care. What are the most important reasons for having such an identifier? To correct identify an individual, most important. The opportunity to put more and more patient clinical information into computers makes more and more information available on shorter notice to caregivers. If the patient is incorrectly identified, the probability for serious clinical errors based on what proves to be incorrect information about a patient's clinical history and current treatment goes up in my mind dramatically.
Am I opposed to a unique identifier? I think by now you have probably figured out I'm not, so I'm not opposed.
Number three. What option do I prefer, why, and should others be considered? First of all and most important, I favor any scheme that provides a unique identifier that meets the need for the health care industry. When looking at it from HL7's perspective, we need to identify a patient when we are sending information, and there are fields for doing that. There are effectively an infinite number of fields for doing that if we had to. Certainly we have the ability to chain large numbers of identifiers, and they are used in the industry today, because of the current ad hoc scheme.
I would prefer that the social security number be used. As imperfect as it may be in its current state, it is an identifier that is already distributed to all Americans and could be implemented in the least time. while it is not perfect, it is something that we have now. It does not cover aliens, has a not insignificant error rate, is limited in size, does not have a check digit scheme, et cetera. Nevertheless, it is here now and an infrastructure for supporting it already exists in this country.
Going beyond this, the federal government should create an entirely new identifier that does a much better job of addressing the 30 criteria that are listed in the white paper. This may be the best technical choice, in spite of the fact that it is probably more expensive and will take more time to implement than the social security number. So in favor of the quickest solution, but if you want to go with the best solution, then I would say create a new identifier that meets all criteria needs.
Based on your experience, what identifiers for individuals are currently used? Based on my experience, identifiers that range from internally generated numbers to social security numbers are the ones that I most commonly come across in working with health care providers today. Each has their own potential problem. Causes for these problems like in the variety of the various systems, the individual's ability to correctly remember their ID, the lack of a central source of truth that can be used to find and/or verify known patient demographic information to a patient identifier.
Number five. The white paper outlines several options that do not require a universal unique number to be assigned to each person. Could any of these be used to fulfill the Secretary's statutory obligation to choose an identifier, and if so, how?
MPIs are in use today and are being improved, and in fact, are becoming more widespread. MPIs can satisfy an individual organization's need for person identification. Many payor organizations have also started to use MPIs, especially when it is connected to a delivery system that is integrated with a payor organization.
We can continue to improve these systems. However, this will not allow for any relief to inter-organizational electronic transfers between providers, payors and the federal and state governments.
I just listed out of what five I thought were the most important, looking at it again from an HL7 perspective, that would be unique, that would be deployable, that would be governed, that would be identifiable, and maybe a little more unique to looking at it from a transaction standard perspective, that it be mergable.
The criteria for accessibility is also very important, even though I ran out at five, so I thought I would add it.
Number 15. What is the primary advantage? The primary advantage for the social security number is the existence and wide distribution of the social security number. If it was not widely distributed to most Americans, it would not have a significant advantage, and in fact, significant disadvantage when compared to other proposed schemes.
Implementation and transition issues. What are the implications of implementing the electronic transaction standard without a standard identifier for individuals? The lack of a standard identifier is the status quo. We will continue on with our current organizational unique ID systems. This makes standards for transfer of information utilize a methodology that we sometimes refer to as bilateral, that is, end to end negotiation as to the semantical meaning of the patient identifier field. It is a very time-consuming process, and effectively has to be done for every interface.
Would reverification of the social security number make identifier options based on SSN more acceptable? Of course.
Finally, questions 30 to 35, this was the set of questions on length. Current information technology, looking at it again from an HL7 perspective, does not place any practical limit on the length of an identifier. The more important and on-technical issue is the minimum allowable length, assuming that a shorter identifier is easier for a person to remember and can more easily fit on whatever way you are going to distribute it physically.
Thank you.
MR. COOPER: I'm Ted Cooper, chairperson of the board of directors of the Computer-Based Patient Record Institute. CPRI is a not for profit membership organization committed to advancing improvements in health care quality, cost and access through use of information technology. It serves as a neutral forum to bring together diverse interests of health care stakeholders to develop common solutions.
CPRI was established in 1992 as a result of the recommendation of an Institute of Medicine study, the computer-based patient record, an essential technology for health care.
The IOM study described the potential value for increasing quality and decreasing costs of health care with the use of a computer-based patient record. The IOM and CPRI have identified the unique health identifier for individuals as one of the essential elements required for effective and efficient use of computer-based patient record systems.
The concepts, the value, necessity and challenges in adopting a UHII are well described in the Department of Health and Human Services white paper, Unique Health Identifier for Individuals. This document also describes the CPRI position paper of 1993 and action plan of 1996 for the use of an enhanced social security number as a UHII.
I would like to present the CPRI position on the UHII. The urgency attached to this issue is due to the increasing number of providers involved in an individual's care, all pursuing courses of treatment that are documented in separate records, the rising costs associated with merging patient records as health care providers integrate delivery systems, and the increasing frequency of need to exchange an individual's health care information with different providers or provider organizations.
While the need for a unique health identifier is generally agreed upon and various options have been debated, no breakthrough strategy for a specific solution has been advanced. In 1993, CPRI published a position paper recommending that the social security number with modifications in the numbers and in the process of issuing it, be adopted immediately as a unique patient identifier. At the same time, several other organizations such as the work group on electronic data interchange, the National Association of Health Data Organizations, and the American Medical Informatics Association also supported the social security number for this purpose.
More recently, several states have mandated the use of the social security number for state data reporting and have required process changes to facilitate the issuance of numbers. Many alternatives to the social security number have been suggested. Several organizations support creation of a new numbering system to be used as the identifier. There are many algorithms proposed to create such a number involving various pieces of demographic information about an individual.
ASTM's guide for the properties of each unique health identifier outlines many of the limitations of using the current social security number in issuing policies. For example, social security numbers are not issued at birth. Not everyone receiving health care in the U.S. is eligible for a social security number. Some individuals have more than one social security number, and in some cases, one social security number has been issued to more than one individual.
A technical deficiency in the existing social security number is the lack of a check digit. A check digit is an important tool to help catch transcription errors. Clearly, these issues would need to be addressed in any proposal for a unique health identifier based on the social security number.
Biometric identifiers such as retinal scans, DNA prints and thumbprints are generally capable of uniquely identifying the patient at the time of treatment. While cost and reliability of such systems are issues, the primary issue is availability of the biometric identifier when services are needed. It is estimated that 80 percent of the cases where access to patient specific information is required do not involve the patient's physical presence, such as transferring medical records from one physician to another for consultation and handling phone calls from the patient to the provider. Thus, a biometric identifier would need to be turned into a character stream, essentially becoming an alternative number.
Proponents of a new number point out that it would be linked only to health records and associated databases. Any identifier has as its key attribute the ability to link information. With appropriate security procedures and legislation that provides sanctions for breaches of confidentiality, the social security number can be used in as a secure manner as any other identifier. Because the social security number is available today, it can be implemented at lower cost than an entirely new system. In addition, most providers currently record the social security number of their patients, so it is available as part of many existing systems, thereby reducing implementation costs to providers.
In light of concerns raised by some over the adoption of the social security number as a unique health identifier, CPRI established a task force in 1994 to re-evaluate the social security number and its role. This task force devoted significant effort to evaluating different identification schemes and concluded that with modifications to the social security number and important changes to the process of issuing social security numbers, the unique health identifier based on the social security number is the most feasible option.
Considerations for adopting the social security number. To insure acceptance and functionality of a modified social security number as a unique health identifier, several considerations related to its implementation and performance must be addressed. These include issues of confidentiality and security, procedures for issuing unique health identifiers by a trusted authority, the requirement of uniqueness, cost of implementation, and the need to educate the public on the role of the unique health identifier.
Confidentiality and security. A unique health identifier is essential to implementing the computer-based patient record. Using a unique health identifier to link patient data however must be accompanied by enforceable policies that protect the confidentiality of identifiable patient data.
Confidentiality and security are largely policy issues, a portion of which may be accomplished using technology and functions. The CPRI has consistently held that establishing guidelines and enforcing a law for maintaining strict confidentiality and patient records is crucial to implementing the computer-based patient record.
A primary concern for the use of the social security number is the potential for linking it to other non-health care data. Any number system however may be used to link other data. Preventing unlawful linkage lies not in the number itself, but in privacy protection law, anti-discrimination law and the use of system security features that prevent unauthorized access to confidential data.
There must be explicit constraints regarding linking of health data and appropriate penalties for breach of confidentiality and discriminatory practices. Encryption, secure networks and other technologies provide means of security for the data itself.
Trusted authority. Equally important as the confidentiality and security issue is the identity and responsibilities of the trusted authority that administers a unique health identifier system. Establishing a trusted authority is a choice between creating a new organization or incorporating the function into the charter of an existing organization.
Any such organization will necessarily require the public trust. As such, it must incorporate both public and private interest. The cost and time required to set up a new organization with the accompanying infrastructure would far exceed the cost of using an existing organization.
A logical choice for an existing entity is the Social Security Administration. It has over 1300 offices nationwide and is beginning to process requests for social security numbers in real time. However, the Social Security Administration to effectively administer social security number as unique health identifiers, there must be significant changes to the Social Security Administration procedures for issuing numbers. There must be increased funding and specific tasking for the Social Security Administration to clean up existing duplication, multiple assignments and other errors.
Fortunately, these actions would benefit all users of the social security number. The Social Security Administration will ultimately face a challenge of lack of capacity if the social security number is limited to numbers only. This limitation could be handled by converting digits to alpha characters, as is being proposed for the universal provider identifier.
In addition, there must be legislation for (word lost) the use of the social security number for health identification purposes. There must also be a mechanism whereby identifiers can be assigned to those without a social security number. Finally, there must be an authentication algorithm used to establish the identity and authority of an organization requesting a number.
Uniqueness. Health data in the information age delineates characteristics it believes characteristic to any unique health identifier, including easy transition to the number, built-in error control features, ability to identify and verify the person's identifier identity, universal applicability which never impedes access or delivery of health care, full functionality to link events occurring at multiple providers and minimization of opportunities for crime and abuse.
One helpful characteristic of the unique health identifier is the inclusion of a check digit. A check digit is used to determine the accuracy of the data entry process. The Vierhoff method detects approximately 99.8 percent of the transcription errors associated with entering a social security number. Check digit methods provide a high level of immunity from data input errors. The check digit does not have to be stored.
Cost/benefit. Availability of the social security number makes it the most cost effective solution. Initial estimates that the overall cost of creating a new identification system would be considerably greater than adopting the social security number with a check digit and the process improvements at the Social Security Administration.
Many health care organizations, including the Department of Veteran Affairs and Health Care Financing Administration already use the social security number in their identifiers or at least collected as part of patient demographics. Finally, improving the social security number issuance would have a significant impact on fraud and abuse in the entire system of entitlement which rely on the social security number for identification purposes.
Education. The 1993 health care information privacy survey conducted by Equifax, by Lewis Harris and Associates, shows strong support for the use of the social security number as a unique health identifier. We quote, "Were such a personal ID number introduced, there is a clear preference for it being the same number as the social security number. A strong majority of leaders, 72 percent, and the public, 67 percent, favors using the social security number as their health care identification card."
Although the results of this survey indicate general favorable opinion about the use of the social security number as the patient identifier, CPRI recommends developing a program of public education describing the potential advantages to the unique health identifier and the measures that insure protection of personal health data.
Summary of recommendations of the CPRI action plan of 1996. CPRI calls upon the National Committee on Vital and Health Statistics to immediately recommend to the Secretary of the Department of Health and Human Services the adoption of a unique health identifier based on the social security number.
The following steps outline a course of specific actions that are necessary to meet this objective. One, enact legislation to fund and task the Social Security Administration to add a check digit to the social security number and modify the process of issuing social security numbers, so that it may be used as a unique health identifier.
Two, enact federal pre-emptive legislation to provide uniform protection of the confidentiality of health information as called for in HIPAA.
Three, develop and promote a public education program outlining the importance of a unique health identifier and describing how access to an individually identifiable health care information will be protected and controlled.
The CPRI continues to endorse these recommendations. In the spring of 1998, it was recognized that many individuals interpreted the CPRI position of using the enhanced social security number for a unique health identifier and the ASTM standard E1714-95, standard guide for properties of the unique health identifier, as being at odds with one another.
In an effort to resolve this apparent conflict, the CPRI and ASTM requested Barry Heeb, M.D., representing ASTM, and Solomon Appavu, representing the CPRI, to develop a list of the requirements for the unique health identifier and to list them by priority. At the July 1998 CPRI board of directors meeting, the document they produced was endorsed. I believe that document was presented by Dr. Heeb yesterday in this hearing.
The only difference between the views of the ASTM and CPRI was for requirement 10, which says that focused health care identifiers should be created and maintained solely for the purpose of supporting health care. Their form and policy should not be influenced by the needs or requirements of other activities. While the CPRI views this requirement as desirable, we did not feel it is essential. ASTM on the other hand views it as essential.
There is a possibility that this difference of opinion could be overcome if the enhanced social security number were designated as focused according to the above definition. In that case, the enhanced social security number would only be used for health care and would not replace the social security number for non-health care uses. Certainly taking this approach would simplify the implementation process, for those who are using the social security number now outside of health care would not have to spend resources to change their systems, and would not necessarily have to buy into the enhanced social security number. This approach would appear to meet the requirements described by Dr. Heeb and Solomon Appavu.
Thank you.
DR. LUMPKIN: Thank you. Is Shannah Koss maybe -- questions?
DR. GELLMAN: Diane, does your company sell lists of identifier patient information?
MS. HILLBRANT: No.
DR. GELLMAN: Do you rent them?
MS. HILLBRANT: No.
DR. GELLMAN: Do you make them available to anybody under any circumstances?
MS. HILLBRANT: The patient identifiable health care information -- we have a relationship with our clients regarding patient information, and we share information with them based upon -- for example, we have contracts with health maintenance organizations. There is information that we as part of that relationship share with them. But we do not sell our data, rent it, or do anything else.
DR. GELLMAN: It has been reported, and we have actually had testimony before this committee, not at this hearing, that there are chains of drugstores that are making patient lists available for use by pharmaceutical manufacturers. You are saying that you don't do any of that?
MS. HILLBRANT: We don't do that, no, we do not.
DR. GELLMAN: John, I want to ask a question about the social security number. It seems to me that as an identifier, the whole identification issue, we are on the edge right now of digital signatures. That is not news to any of you, I'm sure. It is clear to me anyway that digital signatures when they are here, and they are not here yet, will be better for identification, they will be better for authentication, they will be better for encryption, they will give individuals more choice and control over their information, and the technology of digital signatures when it is available will last a long time.
Everybody who says, use the social security number, it sounds to me like you are saying, save the dinosaur. The social security number is not going to last 10 years or 20 years. There will be this other identification technology that is going to come on board. If any decision is made in the near future to expand social security numbers, to mandate it, in five years or 10 years it is going to look like the stupidest choice in the world and we are going to have to go back and do this all over again.
Anyway, would you respond, react, argue, whatever?
MR. QUINN: Within a portion of HL7, we actually make use of digital signatures or the ability to pass digital signature information for the ability of doing things like avastation of medical records information.
DR. GELLMAN: Could you speak up a little?
MR. QUINN: So it is not an entirely foreign concept. At this point in time, at least looking at the technology as I am aware of it, and I have come across it, digital signature is a combination of information stored in a computer about you and a password, a set of passwords actually, a series of passwords, that you may be asked to verify your identification.
That would fall into the category for me of a newly generated identifier. You're right in the sense that yes, my first and most immediate reason for suggesting what I suggest is the immediacy.
Now, the question about, is it saving the dinosaur, there is nothing that I have been able to see in digital signatures right now at this point that would lead me to believe that a patient would be able to easily remember them any better than they can a social security number right now. In fact, if I was to look at it from the perspective of changeable passwords, I would then have to ask the question, now what do we do when the patient is not there, what do we do when the patient is comatose and shows up in the ER, how do we get a digital signature from them.
So I'm not saying that --
DR. GELLMAN: How do you get a social security number from a comatose patient?
MR. QUINN: Typically by either looking in their wallet if it is available, or getting it from a relative who happens to be there with it. I'm not saying we are always identification capable, but I am closer at being able to get identification if I have the person's social security number. If nothing else, what do they do now? They open up the wallet, the look at the driver's license, they say, here is name, address, phone number. We go to the MPI and we look it up. So that's the MPI method.
DR. GELLMAN: Yes, but digital signature are not just going to be used for health care. They are likely to be used --
MR. QUINN: Used in my email system right now.
DR. GELLMAN: Right, for lots of purposes. And people are going to have to carry digital signatures on plastic cards.
MR. QUINN: You will have to carry it by some other method, because in fact again, we get into that problem of -- right now, I use a digital signature on my email system. There's four different passwords you go through before you get to the point of being able to read an email system on my computer that I carry around with me. So we need those four passwords before you could authenticate your digital signature using that method today.
DR. GELLMAN: Well, that is that method. There are other methods as well. Anyway, --
MR. QUINN: Okay.
MR. COOPER: It is not quite clear to me how implementing -- how long implementing a digital signature for everybody in the country will take for purposes of identification. I suspect it is as long as a dinosaur will need to exist, really. I bet it is 10 to 20 years. I would agree with you that in 10 to 20 years, probably the approach we are doing for most things today in health care will undergo significant change.
To me, the advantage of the social security number is that it is here now, it is not perfect, but we can make some good use of it. Why not take advantage of it? I do agree that before we do that in any substantial way, we should enact the privacy legislation that is required to give individuals the protection that they need and deserve.
DR. LUMPKIN: Simon?
DR. COHN: Actually, it is a question for all the panelists. Thank you for your very interesting presentation. I think all of it was excellent.
There has been a lot of discussion around the characteristics of a unique health identifier. And certainly at this panel we are talking mostly about the social security number. Now, we are all aware that there are problems with social security number, primarily having to do with the linkages to non-medical data.
But beyond that, how broken in your estimation is the social security number currently? Does it do a pretty good job of uniquely identifying a participant in the health care process? How much would it take for us to fix this up? Diane, do you want to start out?
MS. HILLBRANT: I'll start, based upon what happens in the pharmacy industry and the online claims adjudication. We do everything very quickly. We associate an individual identifier number with the social security number, so our incidence of duplication is fairly small, so it doesn't present a tremendous challenge to us today, because we have some of these other things.
That is a lot of the reason why it has been used so extensively, is because it is readily available. With the addition of the group and the other identifiers, there is very little duplication, so we don't have a problem with that today.
MR. QUINN: Looking at it in the general provider community, I would say a little worse than the PBM view, because we don't have everybody being prescreened in some sort of a plan. So the answer to your question, is it pretty good, yes, it is pretty good. Do we occasionally run into trouble, either because of -- the more likely reason because of fraudulent social security numbers or somebody coming in with a different social security number, because their purpose in life for some reason is to scheme the system. So today they showed up with a different social security number than when they showed up a couple of weeks ago, because their line of work requires them to have different identifications. Then that doesn't help us link it to the clinical information.
MR. COOPER: I don't think I have any personal experience that allows me to really substantially answer your question. I know that in Kaiser Permanente in Northern California, we fall back onto the social security number when our ordinary methods fail at first, so we go to a second tier.
DR. MC DONALD: A comment about the social security number and a question to Diane. We have looked at a number of hospital systems in town, and what I think we have concluded is that there will never be an identifier, but there could be good hash codes, and that the social security number is way, way better than any other hash code, and you still have to verify it with other pieces of information.
I'll just give an example. We have as many as 2,000 people out of a million with the sam birth date. We have as many as 5,000 with the same name, and we have more than 10 with the same number, social security number, and those in all cases are bogus numbers used for testing at various sites, 9999 or such. I think there are only two or three duplicates, and in many cases they should be duplicates because of merging files.
But the question I have for Diane was, we have looked at some pharmacy data to find out what is really happening in the data, and the pharmacy data had very little social security number compared to the hospitals, on the order of seven or eight percent, versus 85 percent in the hospitals.
I wondered how you are getting by. My guess is you really don't care as much about -- and this may be unique to the one place we had access to, but you don't care about the patient over time yet. That is, the previous things were just to get the bill paid, and if they had the right account number at work, but as you get into refills and drug interactions and things like that, you care more.
MS. HILLBRANT: But the PBM industry has evolved significantly. Originally, we started out as just performing administrative functions such as claims adjudication. It has gotten to the point nowhere there is a significant amount of clinical activities that are associated with that claim approval process. We look for drug interactions, all of those kinds of things.
We are finding that it varies. It may be as low as 70 percent or as high as 90 percent, as far as the number of subscribers that are identified using the social security number. But we do have a significant prevalence of that use, and we are using it for more clinical activities.
DR. LUMPKIN: Mike?
DR. FITZMAURICE: Let me put on the same record again. That is, the answers I have heard to the question of, what is the cost of implementing a social security number with a check digit compared with say a 16 or a 29 digit number have varied. One answer is, if you have to change the field length to go from nine to 10 digits, it may be just as expensive as going out to 29 digits, and yes, there is an initial cost of storage of digits.
Another response has been, maybe not much, because we would still us the social security number internally. We might take the check digit coming in and verify that it is a valid number according to the algorithm, and then drop the check digit, use the social security number, and then when we have to send it through a standard that requires the 10 digit social security number, the one with the check digit, we would recompute the check digit, add it on, and send it on its way. So there are different ways of handling it.
Let me ask, in any of your experiences or planning, what is your answer to the question of, would adding a check digit to the social security number cause additional costs commensurate with a longer number? Then I want to ask a little different question. Is it worthwhile adding a check digit to the social security number if that were the one to be chosen?
MS. HILLBRANT: With regard to the addition of a check digit onto the social security number, the current NCPDP standard allows up to 18 character alpha numeric.
Now, we typically do not use 18, so our standard does allow for the addition of a check digit. If you go to something that is a 26 or a 29 or a 30 digit number, then there are going to be significant costs associated with changing the standard, reprogramming systems, not only for the PBM industry, but also the pharmacy industry, software vendors. So there is a whole chain of things that will have to occur in order to support anything larger than that 18 digits.
MR. QUINN: The purpose of the check digit is solely to deal with the fact that humans have a hard time not making mistakes, not to help computers who are supposed to not make mistakes when they move information between systems. So for that reason, check digit at least in my estimation or at least in looking at it from HL7's perspective, has always been one of your scenario, where we effectively strip it off after we get it. After we get the number keyed in, we verify that there has been no error key in the number, we drop the digit because you can always regenerate it. That is certainly the recommendation.
Now, if somebody -- to answer your question, does increasing the size of the field in an application cost a lot of money, it costs a lot of money because the software has to be changed, not because disk drives really cost that much money these days. Considering how much a three gigabyte drive on this laptop costs, I think we could probably put a check digit on everybody's social security number and store it all in one system and cost less from a hard drive perspective than the cost of driving this machine.
So the issue really is the change of software, what does it cost every time I go in and change anything in software. I am going into programs and extending the fields inside of programs to del with check digits. Once I get beyond that and it has been keyed in correctly, that to me is the cost that we have to look at.
MR. COOPER: In terms of my understanding of this issue, I think I agree completely with John, that the major cost is going to be modifying your system to make use of the check digit and recompute it if you are going to send it out, and modifying the work practices of your people to understand what is going on.
DR. FITZMAURICE: Thank you.
DR. LUMPKIN: One question for the panel on social security numbers. Aren't we going to run out if we don't re-use the numbers? Is that a weakness in the system?
MR. COOPER: In the CPRI proposal for the enhanced social security number, you start using alpha characters as well as numeric numbers.
DR. LUMPKIN: And NCPDP already --
MS. HILLBRANT: Right, alpha numeric.
DR. MC DONALD: I just wanted a comment from the group. Given today's technology without any official new identifier, for nasty purposes one can do -- statistical purposes, one can do a pretty good job of matching, maybe two to three percent error rates. For any of the bad things that any of us would worry about, and it would actually be worse, because we could get accused of things that we are only 98 percent responsible for, having done it.
But for clinical care, we need that higher level of precision, because we are not going to treat someone with a 98 percent certitude of some diagnostic statement. So in that context, I wonder whether you think we could do more harm than good to the world if we had more accuracy in this matching process for the purpose of clinical care.
MR. COOPER: I think you are getting at this that there is a balance here in a certain sense. To get more accuracy, we have to do a variety of -- take a variety of steps, some of which may potentially allow information to be released inappropriately, that wouldn't have been released in the past.
I would rather favor on the side of identifying patients correctly and giving them the right correct treatment and avoid getting them the wrong treatment than a small amount of increased inappropriate release. In the one case, people may be dying or suffering greatly, whereas I think there are additional protective measures we can take on the confidentiality side to mitigate those.
MR. QUINN: I think I'll go back to one of the answers to my questions. The status quo right now is an MPI system, which is going to give you, as you stated, two to three percent error in identifying a patient. If we don't do anything, that is what you're going to have, because that is what is being implemented by the providers today to deal with the mergers that they are having to deal with 340 hospitals coming together. The question is, do you use an old identifier and try to match it, or do you promulgate an entirely new identifier throughout the entire system?
No matter what your choice is, a period of time exists for that transition to occur. In the status quo, when we don't provide a universal person identifier, is an MPI system where we are going to do additional matching. And yes, two to three percent are going to probably not exactly match.
MS. HILLBRANT: One of the other things that the industry looks at too when you are beginning to match data is, there is always a cost associated with it. Do you try -- when you are trying to convert from one system to another and you are not as confident in that crossover, do you bring in other pieces of information that you can use to help with that process as well.
So sometimes that is used in the hopes of raising the accuracy of that conversion.
DR. COHN: John, I just want to clarify my own understanding of MPI and your two to three percent that you threw out. Perhaps I misunderstand, but you are not stating that two to three percent of the overall data that goes through is mismatched. You are talking about those cases that need to be matched to begin with that it otherwise isn't clear, and of those, it is two to three percent.
MR. QUINN: Exactly. Looking at the automation of the process, under the best of circumstances, and by no means is every institution achieving the best, there are anywhere from six or seven or so identifiers that are being used in a statistical weighted matching algorithm.
The things we start out with are, do we have a social security number, do we have a date of birth, do we have a mother's maiden name. Then it gets worse from there on in to things like, does the last name match.
That -- under the best of circumstances, we are seeing institutions with anywhere from at best two to three percent, at worst, 20 percent, that get kicked out for human intervention. So it is not two to three percent or 20 percent who get misidentified. In fact, the issue is, the systems are programmed to err on the conservative side, so they tend to kick out large numbers of things that when humans look at it, they say, of course, that is the daughter, not the mother or whatever, and make the identification that way.
That requires typically medical records research. The requirement is somebody from medical records now to intervene and identify and possibly do research in the charts to find out which of these two possibilities or three possibilities is this person. That I believe is what Clem was talking about.
DR. MC DONALD: My early point is that that kind of error, if done automatically and blindly, is good enough for an insurance company who wants to hurt you.
That is, what I am really saying is that bad things can happen now. All the privacy things that could go bad now could happen now because it is not important that you get it right. So I think that we really have -- we are in a bad state, I guess, and the actual accuracy that is necessary for clinical care, I don't think for demonic things.
DR. COHN: Well, Clem, maybe I need to clarify. What I heard from John was that autoadjudication using an MPI, you have around a two percent issue that requires manual evaluation to identify who the right person is. Am I right, John?
MR. QUINN: I want to really emphasize, that is the very best. I am literally going into institutions where our initial numbers are at 20 percent. It depends upon how clean their medical records are for conversion when you go in. You are really dealing with what is the status quo with what exists, as we take all these institutions together and we try to match records that exist in three institutions for the same person. Do we have enough information that is in there correctly to be able to match it?
So that two to three percent that Clem is talking about is the theoretical numbers that the MPI vendors give us when you take a look at the statistical analysis of where this could all go to, not what is necessarily being achieved today as these systems are being implemented.
DR. MC DONALD: But then the remainder are manually evaluated and put into the right place, so health care is not compromised generally.
MR. QUINN: Health care is not compromised in the sense that -- anymore than it has ever been. Humans make mistakes. So even if you are saying it gets kicked out now for a human to look at it, the human can make a mistake, the physician can make a mistake. The point is, we don't want people to think that without a unique identifier that systems somehow or another can magically identify everybody correctly. That is just not true.
DR. FRAWLEY: Mike?
DR. FITZMAURICE: What I want to know if, if my bank account is overdrawn and I don't get home in time to go to banking hours, I dial up an 800 number and they say, all right, now dial in your account number, press one if it is savings, two if it is checking and so forth. I get down to a series of numbers that finally they will say, we're sure it's you, here is your account balance.
I imagine for managed care and for health insurance purposes and other things, the use of a phone pad is useful when you are keying in a number. So all three of you have said, the use of an alphanumeric ID is just fine.
Now, we have had some very smart people parade up here, and we probably have three of the smartest right in front. I am thinking, how could they deal with alpha numeric? One way I guess is, I start punching in my ID and I come to a letter. Maybe it is the letter A. Maybe they will tell me, hit star pound two for an A, and then for B, hit star pound, scratch your ear and hit three.
The question I'm asking is, does the use of alpha numeric rule out a phone pad or are there some ingenious ways of using a phone pad to have alpha and numeric when you are trying to do that kind of a service?
MR. QUINN: One point of reference. My voicemail system allows me to put in peoples' names. I punch them in alphabetically. I don't have to worry about star star two for A or C or something like that. I just punch it in.
As it goes through it, it is smart enough to statistically match the letter sequences that come up with a sequence of whether or not it matches a name. Certainly the identifier can be encoded in such a way so there is no ambiguity and it still uses alpha numerics in that same fashion.
DR. FITZMAURICE: But sometimes it does comes back saying we can't find the person.
MR. QUINN: I'd rather it did that than say, we think we know who you are and then gave you somebody else's account balance.
DR. MC DONALD: Mike, they are taking the words by the phone now, too. Lately you are just speaking the names and the numbers, so I don't think you're going to be limited to key pad. I have been on the phone. I'm startled; I say it and they understand it. I don't know who is on the other end.
DR. FITZMAURICE: I just want to know, should I worry about the use of a phone pad or not, and you're saying don't worry about it.
DR. FRAWLEY: Any other questions for this panel? Staff? I'd like to thank Diane, John and Ted very much. We're going to take a 15-minute break, and then we will reconvene and give Shannah a chance to catch her breath, and we will hear testimony from Shannah and then turn it open to the audience in terms of comments. So we will reconvene at 3:20 p.m. Thank you.
(Brief recess.)
DR. LUMPKIN: Our last speaker this afternoon who made the mistake of coming on time -- I just wanted to emphasize that because, no, she wasn't late. We did start ahead of time. So we are pleased that you are here. If you could introduce yourself?
MS. KOSS: Sure, thank you. Good afternoon, and thank you for the opportunity to speak on behalf of IBM regarding the unique individual identifier called for under the administrative simplification provisions of the Health Insurance Portability and Accountability Act. I'll use HIPAA from now on.
My name is Shannah Koss, and I am the program manager for government and health care in IBM. As you all know, IBM is an information technology vendor. In our government and health care global industries, we support organizations with a wide range of information technologies and with a wide range of information needs.
Our solutions include both a master patient index and biometrics. My focus today is to discuss the role of both of these and what they can do or how they can support the unique identifier or the goals of a unique identifier.
IBM recognizes the benefits, as with other standards, that a unique individual identifier offers, but we also recognize the related concerns in terms of privacy and costs that such an identifier raises.
The unique individual identifier as we see it was mandated as part of the standards infrastructure in the administrative simplification provisions to facilitate automated information exchange in health care. Yet, easier access to health care information raises privacy concerns which were also addressed in HIPAA by the soon-to-come privacy legislation or regulation.
A number of issues being raised regarding each of the identifier options that your committee is looking at appear to be generic, regardless of the particular identifier approach. The issues really speak to whether or not any single unique health identifier is appropriate or affordable.
For example, the implementation infrastructure needed to assign unique IDs or appropriate uses of the identifiers speak to that problem. Many of the ASTM criteria seem to call for being answered generally rather than specific to a particular identifier such as how it will be governed, that it will be network permanent, repository based, et cetera.
If these types of questions can be answered generally, it will simply the analysis for any particular option. Or maybe stated another way, if a preferred approach for each criteria were selected, then we can more easily apply them to any particular ID candidate.
A few other thoughts before I move into discussing both biometrics and the MPI. As we evaluate the alternative ideas, it seems to me it is important that we not fall into the trap of trying to solve a wide host of problems in health care with a single policy, or at least explicitly identify what problems we are intending to solve.
For instance, is it the role of the unique individual identifier to address health care fraud issues? In addition, we should not expect to go from no system, which is largely what we have in the current system, to a perfect system.
I do want to applaud the efforts of the department and the committee in trying to resolve many of these issues. Now I'd like to turn to both what I think the biometric approach and the MPI approach can offer to this discussion.
IBM is supporting biometrics today in ways that are compatible with the goals of the unique individual identifier. Civilian identification systems have many similarities to what one might envision in the U.S. and are being used throughout the world.
Certain biometrics are uniquely able to identify and authenticate individuals, but it is not necessarily clear that authentication was the primary intent of the statute. By authentication, I mean, I am who I say I am.
Biometrics are perhaps the only potential solution that will enable irrefutable authentication, even when a patient is unconscious. Today, fingerprints are the most commonly available in use biometric and can be very accurate. The term minutiae is used to refer to the purely mathematical definition of the fingerprint that can be highly unique or can be combined with multiple fingerprints to be sufficiently accurate. Other biometrics are also emerging, such as the iris, which shows some of the most promise for a nonrefutable ID, because it has very robust minutiae.
The biometric itself is a unique ID and can be transformed to a more manageable unique ID, using recognized and accepted hashing algorithms that cannot be reversed to access the original biometric ID.
There are of course issues with using a biometric, such as how accurate they should be and the current cost of some of the technology. But many of these issues are likely to be resolved over the next five years.
Consequently, I recommend that whatever approach the unique individual identifier that is considered or adopted should accommodate biometrics as a means of authentication, assuming that that is one of the goals of the unique identifier. The issue to debate will be whether it will be mandatory or optional and how it will be accommodated.
I want to take a few minutes to address some of the negative aspects that were raised about the biometrics in the white paper. One, fingerprint biometrics are affordable today and the cost of the technology will just continue to go down over time. In fact, in an application we put in for Peruvian voting, it is my understanding that it cost three dollars a person, and that is in a 25 million person population. So it doesn't have to be unaffordable. The verification scans which use a bar code today are only -- scanners are only $25.
The issue of patient presence is obviously a concern, but it is unclear today how much if any authentication really occurs over the phone. Voice biometrics don't suffer from the problem of the patient having to be present necessarily, although I don't think the technology is as far along. If you translate the biometric into a unique ID using the hashing algorithm, then it can be used like any other unique ID.
Most biometrics are digitized. The concern that large amounts of storage is a problem obviously becomes less and less of a problem given the cost of storage continuing to go down. Some biometrics change, but so do other identifiers for verification purposes.
Finally, the negative connotation of using biometrics is going away, and the HIPAA privacy requirements will deal with misuse of whatever ID is chosen, including a biometric. The concern regarding biometrics seems more akin to a civil liberties issue rather than a privacy issue.
In fact, one added benefit of the eventual biometrics is that they can serve to enhance privacy if the way the authorization can use it is restricted to the individual's own use. Obviously, it is hard for somebody to take the fingers and go someplace and use them.
I mentioned in a side conversation that Ann Kavukian, who is the commissioner of privacy in Canada, has written a very interesting article on biometrics, and they are using biometrics for a number of their welfare programs. And of course, they are also being used in the U.S. in certain states for welfare identification purposes.
I'm going to turn to master patient index now, unless the panel wants to ask questions about biometrics now? Keep going? Okay. Regardless of the approach chosen for a unique individual identifier, IBM believe the master patient indices will play an important role. MPIs will be critical for implementation of a unique individual identifier in terms of linking it to existing records across today's disparate systems.
MPIs are part of what is needed for the practical realities of linking information and health care today. They will be heavily used until we have and implemented unique ID, and are needed for residual and backup authentication of whatever unique ID is chosen, for example, when someone appears without their ID for verification, or when a biometric isn't available or doesn't uniquely identify someone, which is expected to be a low incidence, but can still occur.
There are a couple of Gardner Group notes on the role of MPIs, and if the panel hasn't seen them, I would be happy to give you those references. They are very good discussions of how they are being used today, and they are important.
MPIs will also play an important role in supporting privacy goals, maintaining other identifier information separate from the unique ID, but linkable, and other identifiers are still going to be needed for various purposes in health care delivery obviously, such as name, address and date of birth. These are readily recognized by human beings, and therefore requiring the greatest protection, as opposed to for instance the hashing algorithm of your biometric, that has absolutely no meaning whatsoever, and can't be readily recognized by somebody looking at it.
An MPI approach is likely to support the separation and linking function when appropriate.
A few responses to some of the issues identified for the MPI. Although a master patient index has not been done on a national scale, neither have any of the other solutions, with the possible exception of social security, and it clearly has its flaws, as laid out in the HHS white paper.
All approaches will require privacy protection. That is not unique to the MPI. It does depend on data characteristics in the record and human intervention, but with the exception of the biometric, this is true for all other approaches. Finally, the technology is perhaps the most tested among the new technology alternatives.
I will take a few moments to just respond to the general NCVHS questions. I did not have enough time to go into all the particular questions, but in terms of reasons for the identifier, we see the linking and locating of clinical information across disparate health information systems, which in turn support standardized transactions and the attendant benefits, including facilitating exchange of information, access in records and for purposes of appropriate treatment as the main rationale for a unique identifier. The questions arise, as I mentioned initially, whether one of the goals is also reducing fraud.
We don't oppose a unique identifier, so I don't have a rationale for that.
In terms of a preferred identifier, we do not prefer one identifier over another, but we do believe that both biometrics and master patient indices technology are part of the solution, for the reasons I have already mentioned.
Our experience in the health care system and with the MPI indicate that either the SSN or a uniquely newly assigned number within a given enterprise are the common use of identifiers today. But numerous other pieces of information are also used and needed to adequately link information about an individual across an information system.
This information includes the social security number, names, addresses, date of birth. One of the Gardner articles I mentioned has a fairly comprehensive list of those that I can share with you.
Then finally, as noted previously, IBM believes that the master patient index will have an important role in supporting the purposes of the unique identifier, linking it to highly distributed existing record systems. If after significant public debate no agreement can be reached on an identifier, then the master patient index is really the only alternative approach that supports access to needed medical information for an individual across the continuum of care.
Similarly, even without a unique identifier, biometrics will be used in the health care environment as in every other environment in our lives. It is coming whether we like it or not, and can support certain goals of a unique identifier.
That is the end of my prepared statement.
DR. LUMPKIN: Thank you. Questions? I do have a question, because I want to make sure I understand what I thought I heard. We are really talking about a unique identifier for which we would build on an authentication mechanism, which would be where biometrics would fit in, until the point where storage costs get so cheap that we can just plug it right into whatever the messaging standard is.
You also would see the MPI piece of it not as a substitute for an identifier, but as a way to increase the accuracy until the identifier becomes more universally used. Is that a --
MS. KOSS: Well, and that it will continue to be used even with that identifier, for purposes of authentication in the absence of the ID, for all the reasons I mentioned.
I did say however that the biometric can in fact be the unique ID or a hashing algorithm can be used to create a unique ID, that you don't have to -- that it can drive the generation of the unique ID.
DR. LUMPKIN: I guess I have a question, and I'm sure this has been thought of, but chalk it up to my personal experience, having practiced emergency medicine for a number of years before I went into government. People do the strangest things to themselves and others, which sometimes may negate the ability of a biometric measure to be taken.
MS. KOSS: Absolutely, and unfortunately, some people suffer from situations where they couldn't have a certain type of biometric taken, so it doesn't have to be -- yes, that's true, and although if you use the hashing algorithm approach, you don't have to necessarily select a given biometric. You could use multiple biometrics, but then that makes the authentication process a lot tricker. But because the hashing algorithms -- and I have received this information from the technical experts at IBM; I am not a technical expert.
DR. LUMPKIN: I'm sorry, did you say hatchet algorithm?
MS. KOSS: Hashing algorithm. They will generate a unique ID based on any biometric that has the same characteristics, so it doesn't have to be precluded to one.
But as I mentioned, none of these systems are foolproof, and people will always find ways to try to avoid being identified uniquely, or try to gain an additional identifier for purposes of fraud. But I don't think it is as readily done as for instance what we have seen in social security situations.
DR. MC DONALD: Two questions. I know there is a standards organization dealing with biometrics, APIs and that sort. The question is, if you had two different vendors' thumbprint, would you come up with the same number? That is, is there interoperability between these numbers?
MS. KOSS: It is my understanding currently there is not. As you said, there are standards organizations dealing with it, and it is my understanding for instance, the states that are using this in the welfare environment are working on just that issue right now.
DR. MC DONALD: Because that would be essential. The same with the hashing out one.
The second question is, where we have trouble with duplicate numbers -- and it is not a matter of patients being fraudulent or bad, it is a matter of clerks being in a hurry and not paying attention and not realizing the patient has been there before. But the idea of biometric is appealing, but if people would not like to have a common number, I think they would even not like more not to have a common number based upon a biometric, which is irrefutable. I wondered what the sense of the group or the audience was on that. Doesn't that add even more to the ability to be able to sneak away from a bad Gestapo-like government, a non-beneficent government, if not only do you have a unique identifier, but it gets tested every time you come in?
MS. KOSS: My personal reaction is -- and what the article that I mentioned from the article that I mentioned from the commissioner in Canada, is that based on surveys and studies, more and more people are more comfortable with the notion of not having to remember a hundred different PINs and 10 different cards, and that I carry this and no one can steal it from me, sort of like the good actors in a system and me personally -- I won't speak for anybody else, I would like not to have to carry anything that someone can steal and walk in and say, yes, this is me, you don't have to ask me any questions or intrude into my personal information, you know I am who I am.
DR. MC DONALD: But that is for people logging in computers. I still want to come back to the question -- I thought we would get some discussion, at least in the panel. The advantage of logging a computer is, you don't have to remember your password, and then no one is taking anything away from you when they are giving you access to the computer. But we are talking about a patient who says, this is me and all the data gets connected to my thumbprint, which has a powerful and attractive connection. I'm not trying to diminish it. I'm just trying to get some debate about whether that part would make it even less palatable to people who are worried about being tracked, or the fact that we can track very strongly.
DR. LUMPKIN: Well, there is a follow-up question. If I understand the technology, there is a process of taking a biometric measurement, then encoding, then comparing that encoded digital code to some reference digital code. So if you intercept that digital code, you don't really need to have the object that is being measured anymore.
MS. KOSS: Right. You can have a system where you limit who has access to biometric and what purpose it is used for, in that example.
DR. LUMPKIN: So there are ways to defeat that without --
MS. KOSS: Yes. And in that context, in response to the comment, then the linkage is not per se through your print, and people can't steal -- one of the concerns is that somebody could truly steal your identity by stealing the digitized version of your biometric. If you use that hashing algorithm or something equivalent, that is not the case.
In the example of the Peruvian system, what you do is, you actually get a card that scans -- you, the person, own the biometric created, and you go with your card and it shows that that thumb is my thumb, kind of thing, or it is really two fingers in that context.
DR. LUMPKIN: Could you perhaps provide us with some of the details of the Peruvian system?
MS. KOSS: Yes, I can.
DR. LUMPKIN: Because I think that would be useful for us to see a system that actually is being used and working, because to a lot of us it seems like science fiction.
DR. FYFFE: I thought gangsters used to file down their fingerprints.
DR. LUMPKIN: Yes, so they wouldn't be able to vote in Peru, unless they are from Chicago, in which case we always figure out a way to vote.
DR. FYFFE: You rise from the dead.
DR. FRAWLEY: I have a question for Shannah. Many of the uses of patient information occur after the delivery of care, when the patient would not be present. So the concept of using a biometric identifier when a patient presents for care is very interesting and certainly there are models out there already that we are familiar with.
But since many of the things we are talking about in terms of the administrative and financial transactions as they are mandated by HIPAA occur after care has ended, in terms of claims adjudication and so forth, what would you recommend in that point, when neither the patient nor their thumbprint, the retinal scan or their voiceprint are available?
MS. KOSS: Well, the two things I mentioned are one, voice biometrics dealing with the over-the-phone transaction, to the extent that you really authenticate who is on the phone.
Secondly, again in using an approach like the hashing algorithm, you can give that code back. Essentially, the hashing algorithms create a hexadecimal string of numbers and letters that I can know as a patient and I can call up: this is my ID created for my biometric. So it is not as though you would eliminate the ability to have that identifier that can be used in those transactions.
DR. FITZMAURICE: If I were to believe everything that I read, this is the beginning, that in 20 years we will have this great big database of personal health information on this guy, that everyone will know everything about me. But that certainly isn't the charge of HIPAA, and it is not in administrative simplification, it is not the charge of the committee.
Yet, when we start thinking of master patient indices, I see master patient indices for enterprises and then joint enterprise, and then eventually maybe a master patient index that, if not containing the patient information, might point to the patient information. That could be deemed a criticism of the master patient index in a society that might want to value privacy very highly. Is there anything to offset that criticism, any checks and balances?
Now, it is one thing to say the government is mandating that, which is not happening at all. But it is another thing to say, are we doing things that would facilitate it, and are there checks and balances against that?
MS. KOSS: Well, it seems to me any unique identifier, in order for it to fulfill any of the intended capabilities that we are talking about, needs to have the capability to link across records. That was I thought the fundamental purpose. And MPIs are by their nature created to deal with distributed systems. You really want to get some architects in the room if you want to talk about how it does, but you don't go out and hit the full database. You go out and hit the probable portion of even the directory that your records are most likely to be in, kind of thing.
Then personally, when I try and think about how you move towards this environment, it is not as though with this unique identifier, all of a sudden somebody is presto going to get to my records. In fact, they probably are not going to get to very many of my records at all, especially once I move out of managed care and into fee for service. So it is student a long way coming, and it is really prospectively how is this going to work, and at what level do you need to know that information and for what purposes, which brings us into the privacy realm. If we implement a unique identifier and however we implement it, we are going to have to deal with who has access to that identifying information that enables you to link those records.
DR. FITZMAURICE: Thank you very much.
DR. BRAITHWAITE: Shannah, it is my understanding that if you use a biometric as a base and a hashing algorithm to produce an identifier, that you could use one hashing algorithm to produce an identifier for health care, you could use another hashing algorithm to produce an identifier for driver's licenses, yet another to produce an identifier for any other purpose that people were authorized to use it for, all starting from the same biometric, but not in any way able to cross link from one to the other, once they have been created. Is that what we are talking about?
MS. KOSS: You cannot reverse the hashing algorithm to determine the original biometric. Our technical experts suggested two commonly recognized hashing algorithms. I'm sure there are others, but there are two widely accepted ones called SHA-1 and MD-5, I believe.
I don't know necessarily how many of these are as widely emerging or as widely accepted as those. So I can't speak to the multiple algorithms. But I can find out.
DR. LUMPKIN: Well, thank you very much for coming all the way from D.C. to the big city. I guess a last question is whether or not you could use a full body CAT scan as a biometric measure? No.
MS. KOSS: Presumably you could, and you can bring it down to that same small hashing algorithm. And of course, HHS will pay for that.
DR. LUMPKIN: Of course, specifically HCFA. Thank you. At this time, we're going to open the floor for public comments.
MR. ANDERSON: Hello. My name is Andy Anderson. I would like to amplify my comments that I made yesterday. Again, I am here on behalf of Hewitt Associates. We are the largest employee benefits consulting firm in the country and the largest employee benefits outsourcing firm as well.
The role we play in this process is really an intermediary between employers, millions of their employees and their group health plans. We are the ones that collect this data, get it to the health plans. As such, I am a little troubled by some of the concerns or options we hear expressed today.
While I am fascinated by biometrics, wow, what a cool process, I am trying to figure out how some of my employers with two, three or four hundred thousand employees are going to install this biometric reading device in each of their locations spread around maybe 300 or 400 retail environments in the United States. So at the two-week open enrollment time for the group health coverage, we can parade those people through there, obtain their biometrics, get the number, run the hashing whatever, and convey that to the new group health plan they just enrolled in, because without that information, we will not be able to fulfill the requirements that are in HIPAA today.
So again, it is fascinating, but I can't see practically how it is going to work, at least today. So I would really encourage this committee to focus on how these processes are completed. I will remind you from my personal experience that while I will go to the driver's license bureau and renew my drier's license because I can't drive on the streets of Chicago without it, I haven't been to the Social Security Administration in the last 10 years to get a new social security card. I lost it unfortunately, and I've got to go there in person to make it happen.
If you put a process in place which requires every American citizen, much less their spouses and their infants, to trundle off to the worst combination of the voter registration bureau, the automotive registration bureau and Social Security Administration, just so they can get their health coverage from one of my employers, I would regret to be the politician or the bureaucrat that was responsible for that process.
Last, I was heartened to hear the speakers today who did speak of using the social security number or a variant thereof. As I spoke yesterday, for the tens of millions of employees for whom we engage in these transactions on a daily basis, we use exclusively the social security number as a mechanism for conveying that person's enrollment in a new group health plan or a change in the plan that they are enrolled in. So a change in that process would be a significant disruption to every employer in the United States. In your coming sessions, I would encourage you to speak wit those employers and obtain their views.
Last, and I mentioned this to some folks after our session yesterday, HIPAA already requires employers to provide their employees, spouses or dependents with a certificate of creditable coverage when those individuals lose their group health coverage. That certificate must contain within it the group health plan identifier, which in today's real world is the social security number, at least as far as the employer is concerned.
The period of time within which the employer had to maintain or provide that information for spouses and dependents in a relaxed mode has now run out, and so every employer in the country to the extent they are complying with these HIPAA certificates have social security numbers for their employees and their spouses and their dependents, and must be able to provide them on the HIPAA certificates of creditable coverage.
So while employers haven't completely finished building that system and have all the data that they should, I would provide to you or propose that this year or by the end of next year, all major employers should have that social security number for all employees, spouses and dependents. Therefore, it makes the most sense to me, or at least would cause the least bit of disruption that this committee would recommend that the social security number be used as the identifier for this process.
Thank you.
MR. WATKINS: Good afternoon. My name is Larry Watkins. I am the chairman of the Association for Electronic Health Care Transactions, or AFEHCT.
I spoke to a number of AFEHCT members, participating companies, about the unique health identifier prior to these meetings to say, A, do we need to try to get on the agenda to testify and B, what is our perspective. I got very consistent answers from our members. That is, we don't care what identifier is used, we just as soon stay out of the privacy side of the debate. I don't know why we said that.
DR. LUMPKIN: But you can keep the reason to yourself.
MR. WATKINS: Okay, I appreciate that. Anyway, so I came in here really cautiously, almost didn't come, because I felt like well, maybe we'll just stay out of this debate. I was very surprised by the meeting, did not expect to make the CBS Evening News, and feel like at this point I just need to request that AFEHCT and the types of companies that are within the AFEHCT constituency do testify about this issue, because it is extremely significant to our companies, because of the number of things that you have heard that we need to get our thoughts around and bring that perspective to you.
I wanted to make just a few very brief points. First, the context of the individual health identifier within HIPAA was to facilitate administrative simplification within HIPAA. I don't want to lose that perspective. That is, the context that it is in the law. By administrative simplification specifically, the law is talking about nine transactions, all of which are administrative and financial in nature.
AFEHCT's constituency, for those of you that don't know, our clearinghouse is value-added networks, providers, systems such as practice management systems vendors, hospital information system vendors, and some payor systems as well. So I feel like I would like to get some folks together within AFEHCT and then have an opportunity to testify. I wanted to just ask for that.
A couple of other points, just off the top of my head and a few other folks that had lunch with me today. There are a couple of points that maybe weren't made strongly enough or made at all here. The current administration of the patient identifier methods that exist today are very proprietary, very cumbersome to providers specifically. We don't feel like that was addressed as necessarily a big problem and a big reason for a national uniform ID, although I do think that was why it was brought into HIPAA. So I wanted to make that point.
Secondly, we do believe that AFEHCT can bring a perspective on security and privacy that is perhaps helpful to you all.
Thirdly, the idea which was stated here that I wanted to reiterate is that the patient ID and the security and privacy is separate and apart from access to the data itself, and we do need to keep that in mind as we move forward.
So those are my comments.
DR. LUMPKIN: Just a comment. Certainly we would be willing to accommodate you. I think it would be helpful to us if we knew the time frame in which you were going to have those conversations, because we do have a hearing scheduled in September. But judging from Shannah's case, that might be in Washington where you're based, so we probably want you to go to a different hearing, which will be in December. We just need someplace west of the Mississippi. But I think you may want to think about it and let us know hat your time frames are in being ready to testify.
MR. WATKINS: I will absolutely do that. I am pretty sure we can meet whatever time frame that you want to give us.
Just a clarification. Our executive director is based in Washington, but AFEHCT has companies all over the country. So anywhere we go is going to be fine.
DR. LUMPKIN: Yes.
MR. SCANLON: In anticipation of your testimony, for the organizations that make up AFEHCT now, what kind of identifiers are you using?
MR. WATKINS: Well, you have heard the testimony today. It is probably in the 70 percent social security number, but particularly government or Blue Cross-Blue Shield type payors do have their own enumeration systems.
I think one of the things to point out from a practice management perspective, which is what my company is, is that we don't know -- when we have a system that accommodates a freedom text field and we have to support that, one of the major problems with claims for example is a misidentification of the patient, and what is that identifier and trying to figure out what the format is. A provider pretty much doesn't know necessarily whether the social security number is going to work or not.
Now, our system defaults in the social security number because it is so widely used. But for a payor who is not using that, maybe the provider doesn't realize that or the patient doesn't realize that, and so the provider goes through a whole series of phone calls or whatever to try to figure out what the identifier is, much different from a system where there was a unique patient identifier which uniquely identified every patient to every payor.
So again, it is simplification. That is really what it comes down to from my company's perspective.
DR. LUMPKIN: You made a comment, and I don't want to get into this how, but if you could provide us that information about the separation between the identifier and the medical information. We have had a lot of discussion, and I think that is going to be a very crucial issue. So any insight you get give us to help us substantiate that concept, because there is certainly a substantial amount of concern that by doing the identifier, you now open up the box of all this other information.
MR. WATKINS: Absolutely.
DR. LUMPKIN: So that clarity would be helpful.
MR. WATKINS: Yes, very much so, I agree.
DR. LUMPKIN: Thank you.
MR. WATKINS: Thank you.
DR. LUMPKIN: Any others? Dr. Goyal? We are going live over the Internet, so if you would introduce yourself?
DR. GOYAL: Thank you, Mr. Chairman. My name is Arven Goyal. I am a fan and friend of our esteemed director of public health in the state, so I have to get some credit hours for this one.
I also wanted to say that I specialize in family practice, in solo family practice, and also specialize in preventive medicine and public health, in Rolling Meadows, which is a suburb close to the airport. If some of you need a ride, I'd be happy to --
DR. LUMPKIN: Are you faster than the El?
DR. GOYAL: Yes. I did not get to attend all of the sessions, which I apologize, because I learned of these hearings late. I was asked by the American Association of Physicians and Surgeons to see if I could come to the meeting and get the education that I deserve. I am pleased that I was able to attend some of the sessions and learn.
I did decide while I was trying to identify my patients in the office yesterday to take an informal poll. I asked them how they would feel about having some sort of identification number pinned on them in the computers and this information be protected, as I hope you will see to it that it is protected. There were two people in that unscientific poll who refused to answer because they either didn't understand or felt that they could be identified with that.
There was one person who was a computer software specialist who said it doesn't matter to me, and there was another one, a lady, who had asked her husband to stay out while she talked to the doctor. But 16 people in that informal poll had some concerns, at least minor or major concerns, about the information being put in a computer. They didn't care if the information was protected, they didn't care if the doctor could only access that information, and they said, as long as you talk about something else, don't talk about me, I don't care what you put in.
So I wanted you to be aware of that part. I also wanted to say that one side of me, especially the public health part of me, indicates that there is some value to the system. We talk about surveillance value for diseases, immunizations. We talk about the possibility of people putting their advance directives in the database, which may be available. We talk about certain other immunization type information that may be available. However, there is some concern -- and family history and so on, that would make my job easier.
But there is one concern in my mind that as a solo practitioner, number one, I would have to do some extra legwork to get that information in, and maybe I would need to hire a computer specialist to put that information in, more than what we do at this time.
Number two, I am concerned about the privacy and confidentiality. Somebody else said that if there can be problems, there will be problems. People find computer viruses, and these are not the real viruses, and then there are real germs, real problems that can get in. I want to be sure -- and I have no doubts that the leadership I see here, that you will balance those concerns. I hope that there will be something more than just identifier, access code or thumbprint as people were talking.
I think there needs to be a lot of protection of confidentiality in that information. The cost needs to be considered. The other concern I have is, those people who do not access the health care system now. I don't know of many people who go to Canada to get their health care, but I am aware of some people who will not go to a doctor in Rolling Meadows because they don't want anybody seeing them while they are entering a doctor's office. There are people who don't want to be known as being sick or being prevention oriented or whatever.
So I do believe that there are people who would be left out of this information database, and these may be the people who need to be in that database, so we can target them for immunizations or whatever information we need.
I certainly hope that your committee is able to balance that information in a practical, cost effective, cheap if I may, and without hassle way that we can all live with.
Thank you very much for allowing me the time.
DR. LUMPKIN: Thank you. For those who are on the Internet and in the audience, the proceedings of this hearing will be on the web page of the National Committee, including all the documents that are provided to us, as well as the transcript of the hearing. That usually takes how long, the transcript to get on? About 10 days. So if you did miss part of the meetings, that will be available for you to catch up on the parts that you missed.
I think that we have had a fairly full two days. I appreciate all of you who participated in this. Yes? Please.
MS. DRUMMOND: Good afternoon, everyone, and thank you for the opportunity to speak.
I come to you with two hats today.
DR. LUMPKIN: I'm sorry, could you identify yourself?
MS. DRUMMOND: Yes. My name is Maureen Drummond. The first hat I wear is that I am the co-director of the Illinois Vaccine Awareness Coalition. For the record, I am here as their spokesperson to give you the group's standpoint on this issue.
The Illinois Vaccine Awareness Coalition's statewide membership consists of individuals who are concerned with vaccine safety and effectiveness. We advocate informed consent, including the full disclosure of vaccines' toxic ingredients. We do not advocate mandatory vaccines which jeopardize an individual's right to freedom of choice.
I'd like to show for the record that IVAC opposes the national provider identification system. IVAC opposes the unique patient identifiers on individuals. IVAC opposes the implementation of any enumeration tracking system, federal registry or other similar medical databases. IVAC also opposes the vaccine surveillance of children and the tracking of individuals to determine vaccine adherence and status.
IVAC notes the following points as grounds for opposition. The MPI/UPI are an invasion of personal and professional privacy. Through the MPI/UPI, the government may be able to track individual patients through their providers without the patient's consent. This will further jeopardize the patient-provider relationship and their rights to privacy.
MPI/UPI is a prohibition on freedom to practice. Penalties for noncompliance will be installed and applied. Providers may fear government reprisal regarding diagnosis and treatment decisions, forcing them to care for their patients less aggressively than their professional judgment proscribes. And fear of MPI/UPI ramifications may deter the number of citizens willing to train as medical professionals and also may push citizens into black market medicine for issues of privacy.
The second hat I wear today, I come to you just as me, the mother of three children, citizen of the United States. I must tell you, this whole notion scares the socks off me. The first thing I thought of when I thought of this issue was that this is a Trojan horse. It appears to be a beautiful thing on the outside, but when you open it up it is going to be something very, very different.
I am not convinced that issues of privacy are going to be thoroughly or conscientiously taken into account. I'm not convinced that anyone here can promise me that any information that would go into a database should this system be implemented will never be used against me. I have serious concerns for myself and for the protection of the privacy of my children and the future generations.
I consider this a violation of freedom of choice. I respect your overwhelming job of trying to protect the public health and the issues that concern us regarding health. However, when I think of the cost of freedom, I can never forget my tour through Arlington National Cemetery and the Tomb of the Unknown Soldier, and I will never forget laying my hand on the Vietnam Memorial Wall. Those are costs that we paid for freedom that can never be paralleled by any budget that you can come up with.
I would ask you all to wear a different hat, maybe step down from your responsibilities as public health officials or computer experts, and remember fundamentally, you are a citizen, and this revocation of freedom, whether you see it that way or not, will affect all of us for generations to come.
Thank you.
DR. LUMPKIN: Thank you. Any others? I'd like to thank everyone for participating in this first set of hearings on the unique health identifier. We will have additional hearings. Our committee as a subcommittee will discuss these and make a recommendation to the full committee. The full National Committee on Vital and Health Statistics will make recommendations.
We expect within the next few weeks to a month or so that a notice of intent will be issued by the Department of Health and Human Services on the issue of the unique health identifier. That will open up a period of public comment. That public comment will be reviewed by the Secretary and by the staff of the department and be formulated into a recommendation by the Secretary in addition to the comments from this particular committee. So this really is just the beginning of a very open process of discussion of what direction, and should the Department of Health and Human Services issue a recommendation to the Secretary in relationship to the unique health identifier.
Also, thank you, and welcome again to the city of Chicago. We invite you all to return freely, spend your money freely and pay your state taxes freely, because that is how our government works.
Thank you.
(Whereupon, the meeting was concluded at 4:22 p.m.)