Patient Identifiers are vital for healthcare organization's day to day operations such as the delivery of care, administrative processes, support services, record keeping, information management, and follow-up and preventive care. The revolution, currently taking place in our national healthcare delivery system and in the computer and telecommunication technologies, has expanded the scope of these functions across multiple organizations spread around the nation. In addition, patients are mobile, visit multiple providers and treated by multiple organizations. Therefore, to support the continuum of care, it is necessary to uniquely identify patients across multiple providers and access their information from multiple locations.
The current method of patient identification involves the use of a medical record number, issued and maintained by a practitioner or a provider organization. This number is based on an institutional Master Patient Index (MPI) and the numbering system is specific to the issuing organization. Different provider organizations use different numbering systems. Patients receive multiple Medical Record Numbers, each issued by the organization that provided them care. These numbers provide unique identification only within the issuing organization. A Patient Identifier that is unique only within a provider organization or a single enterprise is inadequate to support the national healthcare system. In order to uniquely identify an individual across multiple organizations, a reliable Unique Patient Identifier is required. The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to adopt standards for Unique Health Identifiers to identify individuals in addition to providers, health plans and employers. The industry has put forth several options for the Unique Patient Identifier; this report examines their effectiveness and readiness.
The objective of this study is to perform an analysis of the various Unique Patient Identifier options that are available for use in healthcare. The result of this analysis will facilitate and support the recommendation to be made to the Secretary of HHS by the NCVHS.
In order to evaluate all functional and operational aspects of the various Unique Patient Identifier options, this analysis employs a two step process. In the first step, various issues surrounding the Unique Patient Identifier including its required characteristics, capabilities, components, functions and use are analyzed. In the next step, each Unique Patient Identifier option is analyzed individually. The analysis was based on a set of criteria including ASTM criteria for a Universal Healthcare
Identifier. ASTM's "Standard Guide for Properties of a Universal Healthcare Identifier (UHID)" includes thirty (30) conceptual characteristics for evaluating identifier candidates. However, it does not address implementation issues and operational characteristics. Therefore, in order to fully evaluate the Unique Patient Identifier options beyond a conceptual level and verify their compliance both with functional and operational capabilities required in a live day-to-day patient care environment, the options are analyzed based on the following evaluation criteria:
- ASTM's Conceptual Characteristics
- Unique Patient Identifier's Operational Characteristics
- Unique Patient Identifier's Components
- Unique Patient Identifier's Basic Functional Requirements.
For the sake of consistency, a common template consisting of the following categories is used to analyze each option:
I. Description of the Option
II. Author/Proponent of the Option and Documentation
III. Compliance with ASTM's Conceptual Characteristics
IV. Compliance with Operational Characteristics
V. Compliance with Unique Patient Identifier Components Requirements
VI. Compliance with Basic Functions Requirements
VII. Strengths and Weaknesses
VIII. Potential Barriers and Challenges to Overcoming the Barriers.
IX. Solutions to the Barriers.
The four (4) basic functions that a Unique Patient Identifier must support are:
1) Positive identification of the individual:
a) for delivery of care (e.g. diagnosis, treatment, blood transfusion and medication)
b) for administrative functions (e.g. eligibility, reimbursement, billing and payment)
2) Identification of information:
a) Identification to access patient information for prompt delivery of care, coordination of multi-disciplinary patient care services during current encounters and communication of orders, results, supplies, etc.
b) Organization of patient care information into a manual medical record chart or an automated electronic medical record for both current and future use
c) Manual and automated linkage of various clinical records pertaining to a patient from different practitioners, sites of care and times to form a lifelong view of the patient's record and facilitate continuity of care in future
d) Aggregation of information across institutional boundaries for population- based research and planning
3) Support the protection of privacy and confidentiality through, accurate identification (explicit identification of patient information) and dis- identification (mask/encrypt/hide patient information).
4) Reduce healthcare operational cost and enhance the health status of the nation by supporting both automated and manual patient record management, access to care and information sharing.
A Unique Patient Identifier must include components that will provide it with the necessary functional capabilities. Each identifier must be supported by adequate identification information of the individual it identifies. Such information must be current; indexed and stored properly. The identification process includes searching MPIs, matching identifiers and verifying information. Depending on the identifier's scope and level of use, the search processes can range from a single provider organization to the entire national healthcare system with the possibility, in future, to expand worldwide. Therefore, the Unique Patient Identifier requires a robust technical and administrative infrastructure. The following six (6) components are integral parts of the Unique Patient Identifier. They must work together in order for it to perform its functions and fulfill its objectives:
Privacy, in the healthcare context, amounts to the freedom and ability to share an individual's personal and health information in confidence. Confidentiality is the actual protection such information receives from the provider organizations. An individual's personal and health information include those that were supplied by the individual and those observed by the care giver during the course of the delivery of care. Security is the measure that an organization has employed to protect the confidentiality of the patient information. In essence, privacy of an individual's health information depends on the level of confidentiality maintained by organizations which in turn, depends on the security measures implemented by them. Respect for the privacy and confidentiality of patient information must be adopted and fostered as an essential organizational policy and culture. Security measures that are failsafe must be utilized. Yet, the organizational security measures can work only within the walls of the organization and among its employees. Protection outside the provider organization will require federal legislative measure in addition to an organization's security measures. Therefore, protecting the privacy of patient information is a joint responsibility of individuals, organizations and the nation as a whole; appropriate effort must be put forth by all of them.
The privacy and confidentiality of patient care information is a difficult challenge facing the entire healthcare industry and cannot be ignored. The following measures are necessary to overcome this challenge:
1) A judicious design of the identifier
2) Organizational security measures to control access
3) Uniform federal/state legislation
4) Developing security policies and instilling responsibility among individuals.
Identifier design should separate the identification function from the access control function. The identifier's capability must be limited to identification only and the access control function must handle access to all information. The access control will verify the authentication of the system user, check the access privileges of the requestor and maintain an audit trail of all activities. The identifier must be designed to be unique and supported by a set of standard/uniform identification information. The design must also include the capability to store as well as communicate the identifier in an encrypted format.
Appropriate organizational policies and procedures to protect the patient care information must be maintained by healthcare organizations. A failsafe access control mechanism including software access security, physical access security, encryption protection and an authentication mechanism must be in place to prevent unauthorized access and ensure legitimate access. The security measures include audit trails for tracking inappropriate access and preventive steps against possible misuse. These protective measures must be evaluated on an ongoing basis and improved continuously.
Uniform federal and state privacy and confidentiality legislation is required to assure the privacy and confidentiality of patient care information beyond the organizational boundaries. Such legislation must protect the Unique Patient Identifier from misuse, and prevent unauthorized access to patient information and illegal linkages of confidential information to cause harm.
4) Developing Security Policies and Instilling Responsibility Among Individuals.
Employees and others who use patient care information have a responsibility for its security. Therefore, individual responsibility for the privacy and confidentiality of patient information must be instilled through staff and user training, education and reinforcement among the users and consumers.
There are six (6) options for the Unique Patient Identifier, three (3) for Non Unique Patient Identifiers and five (5) as alternatives to Unique Patient Identifier.
1) Medical Record Number
2) Medical Record Number with a Provider Prefix
3) Cryptography-based Identifier
The outcome of this analysis is summarized in two parts:
1) general findings relating to Unique Patient Identifier requirements, functions, characteristics, components and capabilities
2) Unique Patient Identifier options' compliance with conceptual characteristics, and operational and components requirements
Patient Identifiers are an integral part of the process of delivery of care. Reliable Patient Identifiers are mandatory for sensitive procedures, such as blood transfusion, invasive testing, surgical procedures and medication administration. They are routinely used for 1) ordering and reporting the results of tests, procedures and medications, 2) coordinating the multi-disciplinary patient care delivery processes and 3) managing all administrative functions, such as scheduling, billing, coordination of benefit, etc.
GF2. Patient Identifier is an Integral Part of Patient Information
Patient Identifier is an integral part of the patient care information. Clinical documentation including results, observations, diagnosis, procedures, medication, progress, outcomes, etc. are all based on the Patient Identifier. It is vital for the management of automated information and manual medical record functions including compilation, filing, storage, retrieval and communication. It is mandated by regulatory authorities as a component of the medical record.
GF3. The Need for a Unique Patient Identifier is Urgent and Essential
The continuum of care across multiple providers, access to information from multiple care settings that is required during the delivery of care, and the retrieval and assembly of relevant patient care information from past episodes of care across different times require the use of a Unique Patient Identifier. The identifiers being currently used are not unique across the national healthcare system. Lack of a Unique Patient Identifier presents significant problems in 1) accessing and integrating information from different providers and provider computer systems, 2) aggregating and providing a lifelong view of a patient's information and 3) supporting population-based research and development. The need for a Unique Patient Identifier is, therefore, vital and urgent.
GF4. Industry pursues an aggressive solution for a Unique Patient Identifier
In response to the urgent need for a Unique Patient Identifier, the industry has come up with a total of 12 new proposals for the Unique Patient Identifier. The proponents include provider organizations, healthcare professionals from different disciplines, software developers, standards developing organizations, information technology professionals, industry consortium and professional organizations.
GF5. Privacy, Confidentiality & Security Do Not Preclude the Use of Unique Patient Identifier
The privacy and confidentiality of patient care information is a difficult challenge facing the entire healthcare industry and it cannot be ignored. A Unique Patient Identifier is an integral part of the patient care information. Therefore, it requires the same confidentiality and security protection as the patient care information itself. The privacy, confidentiality and security requirements do not preclude the use of a Unique Patient Identifier. In fact, the Unique Patient Identifier can help meet these requirements by standardizing and strengthening access control, and eliminating the repeated use of personal identification information. Additional measures to fully and effectively address the privacy concerns include: federal legislation, appropriate organizational policies and procedures, access control, audit trails for tracking inappropriate access, public education and continuous evaluation and improvement of these protective measures.
GF6. A Judicious Design of the Unique Patient Identifier Can Fulfill the Patient Care Need and Protect the Privacy and Confidentiality of Patient Information
Unique Patient Identifier requires a design architecture that will keep the identification of patient care information and its access as two distinct and separate functions within healthcare. The identifier's role is limited merely to identify the patient record by accessing only the identification segment of the patient record and not its content. Access control deals with the authentication of the user (e.g. validation of user ID and password), verification of access privileges, audit trails, physical security, etc. It must be supplemented by organizational policies and procedures, and federal legislation.
GF7. Effective Ongoing Organizational Measures are Required to Support Patient Identification and Confidentiality
The judicious design discussed above must be supplemented by appropriate ongoing organizational measures to protect the patient care information. A failsafe access control mechanism including software security, physical access security, encryption protection and an authentication mechanism must be in place to prevent unauthorized access and ensure legitimate access. The security measures include audit trails for tracking inappropriate access and preventive steps against possible misuse. They must be evaluated on an ongoing basis and improved continuously.
GF8 Uniform Federal/State Legislation is Required to Protect the Privacy and Confidentiality of Healthcare Information
In order to ensure the privacy and confidentiality of patient care information beyond organizational boundaries, uniform federal and state privacy and confidentiality legislation is required. Such legislation must protect the Unique Patient Identifier from misuse, prevent unauthorized access to patient care information, illegal linkages and discrimination based on patient care information.
GF9. Individual Responsibility Must be Instilled Through Education
Protection of patient care information is also the responsibility of individuals that handle them. Therefore, individual responsibility for the privacy and confidentiality of patient information must be instilled through staff and user training, education and reinforcement among the users and consumers. Public education of the value of privacy and confidentiality of healthcare information and the legal consequences of violation must be provided nation-wide.
The issue and maintenance of the Unique Patient Identifier, the identification information and their use need to be handled either under a centralized or decentralized administration. The ASTM Standards Guide requires a Central Trusted Authority for this purpose. Example of available options are Social Security Administration and the United States Postal Service. The LHSTR Number proposal recommends the creation of a United States Vital Health Records Trust for this purpose.
GF11. Unique Patient Identifier Prevents Exposure and Protects Patient's Privacy
A Unique Patient Identifier eliminates repetitive use and disclosure of an individual's personal identification information (i.e. name, age, sex, race, marital status, place of residence, etc.) for routine internal and external communications (e.g. orders, results, medication, consultation, etc.) and protects the privacy of the individual. It helps preserve the patient anonymity while facilitating communication and information sharing.
GF12. Unique Patient Identifiers help Standardize the Method of Accessing Patient Care Information
The use of a Unique Patient Identifier to access patient care information helps standardize the access method and enable organizations to use a single point of access. The direct use of the patient demographic information for the purposes of identification will increase the level of exposure and subject the patient to unnecessary privacy risks. The use of non-standard access methods instead of the Unique Patient Identifier method will be difficult to control and monitor. Therefore, it will also increase the potential for the violation of privacy and confidentiality of patient information.
GF13. Unique Patient Identifier Strengthens Access Control to Protect the Privacy, Confidentiality and Security of Health Information
The single point of access and the standard access method enable organizations to plan and implement the necessary access control. They can monitor the access and continuously improve and strengthen the access control with appropriate measures. A valid Unique Patient Identifier provides both the necessary focused control as well as timely and reliable access.
Use of multiple identifiers for the same patient keeps the information fragmented and isolated and makes the timely access to information difficult for care providers from other locations. It may be difficult and cumbersome for unauthorized linkage, but by the same token it also hurts legitimate purposes such as timely access to information and timely delivery of care.
GF15. Access Security Controls the Privacy and Confidentiality, and not the Identifier
The role of access security is to grant access for authorized use and prevent unauthorized use. The role of a Unique Patient Identifier is to assist the authorized use by accurately identifying the patient and his/her information.
GF16. Unique Patient Identifier is Made Up of Six (6) Critical Components
Unique Patient Identifier is made up of six (6) components essential for its performance. They are:
These components must work together to effectively fulfill the objectives of the Unique Patient Identifier.
GF17. Identifier Components and Operational Characteristics are Critical to the Basic Functions of Unique Patient Identifier
The focus, on the choice of a Unique Patient Identifier, its content/format and assignment, alone will not address the patient identification need. It can neither protect the privacy and confidentiality of patient care information nor assure its accurate identification. These functions depend also on the maintenance of current identification information, security measures such as access security and secure communication, and appropriate technology infrastructure. The six (6) identifier components and operational characteristics provide these capabilities, and in essence give the identifier the necessary functionality.
GF18. Reliable Identification and Confidentiality Require Provider/User Organizations' Participation and Compliance
Although most of the ASTM characteristics such as assignable, accessible, identifiable, etc. deal with compliance by the Issuing Authority, healthcare information is created, maintained, accessed and used at healthcare organizations. Positive identification of individuals and access to their patient care information are required at these sites. Therefore, the major threat to the privacy of patient care information occurs at the user end where the information resides rather than at the issuing end. Appropriate control and security are therefore, required both at the point of issue of Unique Patient Identifier such as a Central Trusted Authority and the point of use, such as a provider organization.
Check-digit protects against transcription errors and assures accuracy. It can be used to support any numeric identifier. Encryption ensures storage and communication in a secure format. All the Unique Patient Identifier options discussed in this report can make use of this feature. Different encryption schemes yield different encrypted identifier for the same patient. Only authorized users can decrypt the encrypted identifier. Encryption may be used when protection is needed or on a permanent basis. It may be administered either by a Cental Trusted Authority or by provider organizations themselves.
GF20. Development of Technology Infrastructure Requires Direction, Support and Coordination
Alternatives to the Unique Patient Identifier options CORBAMed, HL7 and Directory Service address a critical but only one of the identifier components, namely, the technology infrastructure/software solution. Although these are not identifier initiatives, the selection and industry-wide adoption of a Unique Patient Identifier will help their development and strengthen their capabilities. Basic functions of the Unique Patient Identifier depend on the technology infrastructure.
GF21. Critical Functions are Independent of Identifier Scheme/Value of the Identifier
Critical functions such as access control, identification information, administrative and technology infrastructure, etc. are independent of the numbering scheme or the value of the identifier (i.e. the actual choice of the Unique Patient Identifier). They are not unique or proprietary to any particular Unique Patient Identifier (numbering) scheme or value. They can be implemented with any one of the five Unique Patient Identifier options
CS1. All of the Unique Patient Identifier options (SSN, ASTM Sample UHID, LHSTR Number, Personal Immutable Characteristics based Identifier, Bank Card Method and Biometrics) are in general compliance with the ASTM Conceptual Characteristics, with the exception of Biometric method which does not meet 7 of the 30 characteristics.
CS2. Non Unique Patient Identifier options (Medical Record Number, Medical Record Number with Provider Prefix and Cryptography based Identifier) do not meet the ASTM conceptual characteristics adequately.
CS3. Alternatives to Unique Patient Identifier (CORBAMed, HL7, Directory Service, FHOP Standard Data Set and Manual Process) are significantly non compliant with the ASTM conceptual characteristics.
CS4. Those options that did not comply with the conceptual characteristics, also did not comply with the rest of the requirements including Operational Characteristics, Unique Patient Identifier Component Requirements and Basic Function Requirements.
CS5. Of the five Unique Patient Identifier options that fared well at the conceptual level, Enhanced SSN is the only option that complied with the operational characteristics and component requirements. The remaining four are not operational and they still remain as concepts. In addition, they did not meet the ASTM criteria "concise" and only partly met "usable".
CS6. Of these remaining four, Unique the Sample UHID is a well developed concept followed by the LHSTR Number and Personal Immutable Character based Identifier. Even as a concept the Bank Card Method requires significant amount of additional development.
CS7. SSN is used by 20% of the public as Unique Patient Identifier and the SSA is evaluating different options to enhance SSN and fix its current problems.
CS8. A modified Sample UHID is piloted by the Florida VISN as an internal control number (ICN). However, it is used in conjunction with SSN. SSN continues to be the patient identifier (embossed, bar coded and included in the magnetic stripe of their ID card) as the ICN is too long for veterans to remember and users to handle.
CS9. The MRI's proposal, Medical Record Number with Provider Prefix directs the focus away from patient identification to information identification. It designates the Primary Care Physician as the curator to track the previous sites of care for an individual. Therefore, it seems to neglect some of the basic functions of the Unique Patient Identifier.
CS10. Alternatives to Unique Patient Identifier address only one of the components of the Unique Patient Identifier (e.g. technology infrastructure and identification information) CORBAMed, HL7 and Directory Service address the technology infrastructure/software solution and the FHOP option addresses data standardization.
CS11. Options indicate preference for organizations similar to Social Security Administration (SSA) and United States Postal Service (USPS) to address the Administrative Infrastructure component and serve as the Central Trusted Authority. However, the organizational structure, authority, policies and procedures need to be defined and the Infrastructure established. SSA appears to have the most of the processes currently in use.
Critical functional elements, such as access control, identification information and administrative and technology infrastructures, are independent of the numbering scheme or the value of the identifier (i.e. the actual choice of the Unique Patient Identifier). They are not unique or proprietary to any particular identifier scheme or value. They can be implemented with any one of the five Unique Patient Identifier options. Therefore, a simple user friendly Unique Patient Identifier that is suitable for use by both humans and computers constitutes an ideal choice for the Unique Patient Identifier. In addition, these critical functions are addressed not by the identifier scheme component but by other components. This enables us to separate the identification scheme from all other components. We can, now choose a simple and reliable identification scheme and equip it with all of the required functionality by adding the remaining five components.
Existing options require enhancements to add features/functions and correct existing problems. New options are at a conceptual level and lack operational characteristics and several of the required components. Although none of the options in its present form is a perfect choice, multiple courses of action are available, offering multiple choices. They are:
I. Enhance an existing option
II. Develop a conceptual level option to fruition
III. Develop or facilitate the development of an ideal option.
The only option that is being currently used as a Unique Patient Identifier is SSN. It is currently used by 20% of the population as a Unique Patient Identifier. It is collected, stored and used as part of patients' demographic information by most of the healthcare organizations. It is also used as a secondary and confirmatory identifier by a large number of provider organizations. With its existing administrative and technology infrastructures and operating procedures, SSN is at a higher level of readiness for use than other options. It meets the conceptual and operational characteristics, and component and basic functions requirements. It is likely to require relatively less time, effort and resources because of its current use and readiness. According to a 1993 Harris poll (Health Information Privacy Survey 1993) the majority of the American population and organizational leaders favor SSN as a patient identifier. It offers an early solution while allowing options that are not fully developed to mature. SSN is a simple, user friendly, Unique Patient Identifier that can be used by both computers and healthcare professionals. Since it is already in use at most of the provider organizations, it is relatively easy to expand its role as the Unique Patient Identifier.
The remaining options discussed in this report, with the exception of Medical Record Number, are at a conceptual level. (A modified Sample UHID is piloted as an Internal Control Number to create an MPI and the FHOP Standard Data Set is being tested on patient care data bases to eliminate duplicate records). These options require significant development since they do not already have all of the necessary operational characteristics, Unique Patient Identifier components, administrative or technology infrastructure, implementation plan, policies and operating procedures, etc. A well developed concept such as Sample UHID or LHSTR Number or one of the other options can be chosen based on their ability to meet the ASTM Conceptual Characteristics. It can be developed further to include those characteristics and components that are missing. Implementation of a new choice will avoid any carry over problems and provide a fresh start. But it will require a relatively longer time frame to develop, test and deploy than enhancing and adopting the SSN. Therefore, the impact of time, resource, effort and cost effectiveness must be thoroughly analyzed.
III. Facilitate the Development of an Ideal Solution that Includes all of the Requirements
None of the proposals, including the ASTM Sample UHID, meets all thirty (30) ASTM conceptual characteristics. Most of them are not concise and not suitable for manual calculation and use. Some are not content-free. All are at a conceptual level; some of them with their concept not fully developed.
1) Therefore, instead of limiting the industry to one of these options, an ideal Unique Patient Identifier can rather be developed by consolidating all of the required characteristics. The time frame for its implementation will be comparable to that of implementing one of the proposed conceptual level Unique Patient Identifiers. This course of action will yield the best possible Unique Patient Identifier choice.
2) Alternatively, instead of integrating the independent proposals together, we can foster the independent growth and maturity of the various options. This course of action will provide an opportunity for the competing options to mature. It can be accomplished by establishing leadership, setting the direction and functioning as a catalyst and facilitator to support and promote the growth and development of the various options. Over a period of time, the industry initiatives will mature and multiple efforts converge. Their capability and suitability can be assessed at appropriate intervals, taking into account the passage of the Privacy, Confidentiality and Security legislation by the U.S. Congress. There is an inherent risk that the progress of the options may remain stagnant. Appropriate leadership and support can bring success and benefit to this option. This course of action may cause delay and postpone the implementation of the urgently needed Unique Patient Identifier.
The new options for the Unique Patient Identifier are at a conceptual level. For the new proposals to progress and materialize, a strong leadership is immediately required to steer the process in the right direction. Waiting for the various options to mature and succeed by themselves, may not fulfill the need adequately or in a timely manner. On the other hand, existing options such as SSN will require the implementation of several enhancements proposed. Therefore, in both cases, a strong leadership with a clear vision is required to steer the process to a successful completion. It will help establish the necessary administrative and technology infrastructures and coordinate the current development processes to progress in harmony to yield the best solution for the Unique Patient Identifier.