Healthcare is abuzz with calls for Universal Patient Identifiers. Universal identifiers for people have been around for decades, and that experience can help us understand what, if anything, makes patients different from people. This post argues that surveillance may be a desirable side-effect of access to a health service, but that the use of unique patient identifiers for surveillance needs to be managed separately from their use in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time an identifier is sent by the service provider or “matched” by the surveillance agency. This includes health information exchanges and research data registries.
As a medical device entrepreneur, physician, engineer, and CTO of Patient Privacy Rights, I have decades of experience with patient identifier practices and standards. I feel particularly qualified to discuss patient identifiers because I serve on the Board and Management Council of the NIST-founded Identity Ecosystems Steering Group (IDESG), where I am the Privacy and Civil Liberties Delegate. I am also a core participant in the industry standards groups Kantara-UMA and OpenID-HEART working on personal data, and I consult on patient and citizen identity with public agencies.
Universal patient identifiers are, first and foremost, a surveillance technology and need to be designed and managed as such. The surveillance is designed to:
• alert any number of different practices and providers when their patient visits a healthcare facility,
• assemble in a database all of the claims associated with a particular patient,
• assemble in a database all of the places and dates when a patient seeks care,
• assemble in a database all of the prescriptions for controlled substances for a patient,
• assemble patient characteristics ranging from immunizations to physical problems and even behavioral health issues, to be used for therapy, public health, and research.
Many candidate universal identifiers already exist in other fields and could be adapted to medicine; examples are email addresses, mobile phone numbers, and credit card numbers. These identifiers are voluntary: a person can have zero, one, or more of each, and can choose when to use which one in a service relationship. Voluntary identifiers are designed to limit or control surveillance.
Identifiers such as driver’s license or passport numbers, often bound to a biometric, are designed for coercive surveillance in law enforcement. They are not voluntary, and the systems behind them are built to prevent a person from holding multiple identities. The most coercive are identifiers derived directly from a biometric, such as an iris scan, where the identifier and the identity are inseparable, in the same way that identity-number tattoos were in some circumstances.
Identifiers are one component of an identity solution. A good set of principles for identity solutions is the National Strategy for Trusted Identities in Cyberspace (NSTIC), and patient identifiers can be designed to those principles. If industry or government chooses another set of principles, those principles need to be clearly stated so that their departures from NSTIC can be compared and commented upon.
A new round of healthcare bills is now making its way through Congress. These include provisions for clinical and research access to personal health data. Any legislation or private initiative designed to support universal patient identifiers should clearly state the surveillance goals and the solution principles. Is the surveillance associated with the identifier to be coercive or voluntary? Is the surveillance associated with the identifier to be hidden or transparent to the patient? Will the same identifier be used for coercive purposes such as controlled substance prescriptions and for voluntary purposes such as seeking mental health services? Will the same identifier be used across the domains of health and law enforcement such as for firearms license checks or “do not fly” lists? Can the identifier be used for non-therapy purposes such as marketing or medical research?
A health bank account number, a health spending account debit card number, a regular bank account number, a health insurance account number, and a Social Security number can all be used for surveillance to the extent they are communicated or shared beyond the hospital or pharmacy where a patient seeks service. It is important to distinguish the communication of an account number for the purpose of providing a specific service, such as getting paid, from the communication of the identifier for surveillance. Any use of an identifier outside the scope for which it was intended needs to be clearly disclosed in the service provider’s privacy practices. Then, each use needs to be made transparent to the patient, such as by an email notice or text message, and it needs to be independently audited. Most important, the recipients of these surveillance identifiers must be known to the patient and accessible for redress. For secret surveillance, the recipients of the surveillance information must be subject to a court such as the Foreign Intelligence Surveillance Court. I can’t think of any reason for secret surveillance in healthcare, so all recipients of patient identifiers must be known and accessible to the patient.
In summary, unique patient identifiers used for a specific purpose, such as payment for services or access to a personal health record, need not be associated with surveillance. These are simple transactions between entities that are both known and accessible to the patient. Some transactions require a coercive identity, such as when a controlled substance is prescribed, but most can be managed in a voluntary and pairwise pseudonymous manner. (Pairwise pseudonymous simply means that the unique patient identifier is only useful in that particular service relationship, and every service relationship gets a different one, so no two providers hold the same identifier for the same patient.)
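The difference between a universal identifier and a pairwise pseudonymous one is easiest to see in code. The example below is added here and is not from the original post; it assumes that each patient (or their identity provider or personal health record) holds a root secret, that a provider is named by a hypothetical domain-style string such as clinic.example, and that the per-relationship identifier is derived as HMAC-SHA256 over the provider name under that secret. The patient names, secrets and provider names are constructed sample data. With a universal identifier, anyone who sees two providers' outgoing claims can match them by identifier alone; with pairwise identifiers the match is only possible with the patient's participation, which is exactly the point at which it can be disclosed and logged.

```python
"""Pairwise pseudonymous patient identifiers versus one universal identifier.

Added example, not from the post. Assumptions: every patient holds a root
secret (kept by the patient, their identity provider, or their personal
health record), and each provider is named by a hypothetical domain string.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: two patients, two providers.
PATIENTS = {
    "alice": {"universal_id": "UPI-000123", "root_secret": b"constructed-root-secret-alice"},
    "bob":   {"universal_id": "UPI-000456", "root_secret": b"constructed-root-secret-bob"},
}
PROVIDERS = ["clinic.example", "pharmacy.example"]  # hypothetical provider names


def pairwise_id(root_secret: bytes, provider_id: str) -> str:
    """Identifier a patient uses with exactly one provider.

    HMAC-SHA256 keyed by the patient's root secret over the provider's name.
    Deterministic for the (patient, provider) pair, so the provider sees a
    stable ID, but without the root secret the IDs the same patient uses at
    two different providers cannot be linked to each other.
    """
    return hmac.new(root_secret, provider_id.encode("utf-8"), hashlib.sha256).hexdigest()


def claims_feed(scheme: str):
    """Simulate the claims each provider sends onward, keyed by identifier.

    scheme == "universal": every provider uses the same patient identifier.
    scheme == "pairwise":  every provider receives its own derived identifier.
    Returns a list of (provider, identifier) tuples, one per visit.
    """
    feed = []
    for patient in PATIENTS.values():
        for provider in PROVIDERS:
            if scheme == "universal":
                ident = patient["universal_id"]
            else:
                ident = pairwise_id(patient["root_secret"], provider)
            feed.append((provider, ident))
    return feed


def link_by_identifier(feed) -> int:
    """What an aggregator can do with identifiers alone: group visits by
    identifier and count the patients it can place at more than one provider."""
    providers_seen = defaultdict(set)
    for provider, ident in feed:
        providers_seen[ident].add(provider)
    return sum(1 for provs in providers_seen.values() if len(provs) > 1)


def consent_to_match(patient: str, provider_a: str, provider_b: str, feed, disclosure_log: list) -> bool:
    """Link two pairwise identifiers for one patient.

    Only the holder of the root secret can recompute both identifiers, so the
    match cannot happen behind the patient's back; every successful match is
    appended to the disclosure log the patient can read.
    """
    secret = PATIENTS[patient]["root_secret"]
    pair = {prov: pairwise_id(secret, prov) for prov in (provider_a, provider_b)}
    present = all((prov, ident) in feed for prov, ident in pair.items())
    if present:
        disclosure_log.append(f"{patient}: records at {provider_a} and {provider_b} matched")
    return present


if __name__ == "__main__":
    print("linkable with universal IDs:", link_by_identifier(claims_feed("universal")))
    print("linkable with pairwise IDs: ", link_by_identifier(claims_feed("pairwise")))
    log = []
    consent_to_match("alice", "clinic.example", "pharmacy.example", claims_feed("pairwise"), log)
    print("disclosure log:", log)
```

Run stand-alone, the aggregator links both patients across both providers under the universal scheme and none under the pairwise scheme, and the one match that does happen leaves a disclosure entry behind. A real deployment would keep the root secret in the patient's identity provider rather than in a dictionary, but the linkage property is the same.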
Surveillance may be a desirable side-effect of access to a health service, but the use of unique patient identifiers for surveillance needs to be managed separately from their use in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time an identifier is sent by the service provider or “matched” by the surveillance agency.
Providers, vendors, and legislators who are serious about improving health data reliability and security would do well to take note of the NSTIC principles and ensure that transparency of surveillance is the foundation for 21st-century practices around our most intimate data.