Universal Patient Identifiers for the 21st Century

Healthcare is abuzz with calls for Universal Patient Identifiers. Universal people identifiers have been around for decades and experience can help us understand what, if anything, makes patients different from people. This post argues that surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time they are sent by the service provider or “matched” by the surveillance agency. This includes health information exchanges or research data registries.

As a medical device entrepreneur, physician, engineer, and CTO of Patient Privacy Rights, I have decades of experience with patient identifier practices and standards. I feel particularly qualified to discuss patient identifiers because I serve on the Board and Management Council of the NIST-founded Identity Ecosystems Steering Group (IDESG) where I am the Privacy and Civil Liberties Delegate. I am also a core participant in the industry standards groups Kantara-UMA and OpenID-HEART working on personal data, and I consult on patient and citizen identity with public agencies.

Universal patient identifiers are, first and foremost, a surveillance technology and need to be designed and managed as such. The surveillance is designed to:
• alert any number of different practices and providers when their patient visits a healthcare facility,
• assemble in a database all of the claims associated with a particular patient,
• assemble in a database all of the places and dates when a patient seeks care,
• assemble in a database all of the prescriptions for controlled substances for a patient,
• assemble patient characteristics ranging from immunizations to physical problems and even behavioral health issues to be used for therapy, public health, and research.

Many candidate universal identifiers already exist in other fields and could be adapted to medicine. Examples are email addresses, mobile phone numbers, and credit card numbers. These universal identifiers are voluntary, in that a person can have zero, one, or more of each and the person can choose when to use which one in a service relationship. Voluntary identifiers are designed to limit or control surveillance.

Identifiers such as driver’s license or passport numbers, often associated with a biometric, are designed for coercive surveillance in law enforcement. They are not voluntary and the associated systems are designed to avoid multiple identities and enable coercive surveillance for law enforcement purposes. The most coercive of these are identifiers derived directly from a biometric, such as an iris scan, where the identifier and the identity are inseparable in the same way that identity number tattoos were used in some circumstances.

Identifiers are associated with identity solutions. A good set of principles for identity solutions is the National Strategy for Trusted Identities in Cyberspace (NSTIC). Patient identifiers can be designed per the NSTIC principles. If another set of principles is chosen by industry or by government, they need to be clearly stated so that they can be compared and commented upon for their departures from the NSTIC principles.

A new round of healthcare bills is now making its way through Congress. These include provisions for clinical and research access to personal health data. Any legislation or private initiative designed to support universal patient identifiers should clearly state the surveillance goals and the solution principles. Is the surveillance associated with the identifier to be coercive or voluntary? Is the surveillance associated with the identifier to be hidden or transparent to the patient? Will the same identifier be used for coercive purposes such as controlled substance prescriptions and for voluntary purposes such as seeking mental health services? Will the same identifier be used across the domains of health and law enforcement such as for firearms license checks or “do not fly” lists? Can the identifier be used for non-therapy purposes such as marketing or medical research?

A health bank account number, a health spending account debit card number, a regular bank account number, a health insurance account number, and a social security number can all be used for surveillance to the extent they are communicated or shared beyond the hospital or pharmacy where a patient seeks service. It is important to distinguish the communication of an account number for purposes of providing a specific service, such as getting paid, from the communication of the identifier for surveillance. The use of identifiers outside of the scope for which they were intended needs to be clearly disclosed in the service provider’s privacy practices. Then, each use needs to be transparent to the patient, such as by an email notice or text message, and it needs to be independently audited. Most important, the recipients of these surveillance identifiers must be known to and accessible for redress by the patient. For secret surveillance, the recipients of the surveillance information must be subject to a court such as the Foreign Intelligence Surveillance Court. I can’t think of any reason for secret surveillance in healthcare so all recipients of patient identifiers must be known and accessible to the patient.

In summary, access to and use of unique patient identifiers used for a specific purpose such as payment for services or access to a personal health record need not be associated with surveillance. These are simple transactions between entities that are both known and accessible to the patient. These transactions may require a coercive identity, such as when a controlled substance is prescribed, but typically can be managed in a voluntary and pairwise pseudonymous manner. (Pairwise pseudonymous simply means that the unique patient identifier is only useful in that particular service relationship and every service relationship gets a different unique patient identifier.)
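The pairwise pseudonymous property described above can be shown in a few lines. This is an added example, not part of the original post: the HMAC-SHA256 derivation, the patient-held key, the provider names and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac


def pairwise_id(patient_key: bytes, provider: str) -> str:
    """Identifier for one patient-provider relationship (assumed HMAC-SHA256 design)."""
    mac = hmac.new(patient_key, provider.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]  # truncated to 128 bits


def registry_matches(feed_a, feed_b):
    """Identifiers a third-party registry can join on across two provider feeds."""
    ids_a = {record["patient_id"] for record in feed_a}
    ids_b = {record["patient_id"] for record in feed_b}
    return sorted(ids_a & ids_b)


def compare_schemes():
    # Constructed sample data: one patient, two hypothetical providers.
    patient_key = bytes(range(32))  # stand-in for a random secret held by the patient's agent
    hospital_a, hospital_b = "hospital-a.example", "hospital-b.example"

    # Scheme 1: one universal identifier handed to every provider.
    universal = "UPI-0001"
    shared_a = [{"patient_id": universal, "event": "ER visit"}]
    shared_b = [{"patient_id": universal, "event": "behavioral health intake"}]

    # Scheme 2: a different identifier for every service relationship.
    pair_a = [{"patient_id": pairwise_id(patient_key, hospital_a), "event": "ER visit"}]
    pair_b = [{"patient_id": pairwise_id(patient_key, hospital_b),
               "event": "behavioral health intake"}]

    return {
        # Records the registry can link if both hospitals forward their feeds.
        "universal_linked": len(registry_matches(shared_a, shared_b)),
        "pairwise_linked": len(registry_matches(pair_a, pair_b)),
        # The same relationship always yields the same identifier.
        "stable_at_same_provider":
            pairwise_id(patient_key, hospital_a) == pair_a[0]["patient_id"],
    }


if __name__ == "__main__":
    print(compare_schemes())
```

With the universal identifier, a registry that receives both feeds links the two visits on the identifier alone; with pairwise identifiers it cannot, and any cross-provider match has to go through whoever holds the patient's key.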

Surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time they are sent by the service provider or “matched” by the surveillance agency.

Providers, vendors, and legislators that are serious about improving health data reliability and security would do well to take note of the NSTIC principles and ensure that transparency of surveillance is the foundation for 21st Century practices around our most intimate data.

danmunro

I find it difficult to believe that the word “surveillance” is even remotely appropriate in this context. That may be acceptable to bureaucracies (like the one referenced), but it’s confusing and entirely counter-productive to any dialog based on patient identification – and by extension – patient safety. In fact – the author acknowledges this at the very end of the article – when he says: “In summary, access to and use of unique patient identifiers used for a specific purpose such as payment for services or access to a personal health record need not be associated with surveillance.” So what…

Peter

“Universal patient identifiers are, first and foremost, a surveillance technology and need to be designed and managed as such.”

Just what we need, more individual “surveillance”. Why not just implant a chip at birth then we could be tracked, monitored and “coerced”.

Is this a solution looking for a problem? Adrian, do you set your cell phone so that you can be tracked and monitored?

Adrian Gropper, MD

People can choose surveillance if it serves a purpose. People with a rare disease often choose surveillance so they can find each other and form a community. Many of us might choose to have our medical claims tracked in a totally secure state database if we could use that information to choose the most cost-effective deductible when we sign up for health insurance – and nothing else. My point is that health-related surveillance needs to be voluntary, based on clear individual goals, and total transparency. “Patient safety” and “fraud prevention” goals can be achieved without surveillance in most cases and…

CaptBlueButton

Adrian – Great article – I think it is one of the best you have written but there is a notion that you are using that is confounding my understanding. I think. In the first paragraph you state: This post argues that surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship. Just to make sure I am following your argument can you correct me if the following restatement of what I understand the above…

Adrian Gropper, MD

– Access to health services = access to a doctor, hospital, payer, pharmacy, etc…
– Shared identifiers within a local context like EMR-1 is risky for both the hospital and the patient, and it’s completely unnecessary. For the hospital and their EMR, it’s risky if it collides with another identifier. To avoid that, they need to go out to some external service that guarantees uniqueness and that’s extra work. For the patient it’s risky because it allows surveillance across different hospitals if both hospitals send the shared identifier to some registry or other surveillance agent. My whole post is about…