Healthcare is abuzz with calls for Universal Patient Identifiers. Universal people identifiers have been around for decades and experience can help us understand what, if anything, makes patients different from people. This post argues that surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time they are sent by the service provider or “matched” by the surveillance agency. This includes health information exchanges or research data registries.
As a medical device entrepreneur, physician, engineer, and CTO of Patient Privacy Rights, I have decades of experience with patient identifier practices and standards. I feel particularly qualified to discuss patient identifiers because I serve on the Board and Management Council of the NIST-founded Identity Ecosystems Steering Group (IDESG) where I am the Privacy and Civil Liberties Delegate. I am also a core participant to industry standards groups Kantara-UMA and OpenID-HEART working on personal data and I consult on patient and citizen identity with public agencies.
Universal patient identifiers are, first and foremost, a surveillance technology and need to be designed and managed as such. The surveillance is designed to:
• alert any number of different practices and providers when their patient visits a healthcare facility,
• assemble in a database all of the claims associated with a particular patient,
• assemble in a database all of the places and dates when a patient seeks care,
• assemble in a database all of the prescriptions for controlled substances for a patient,
• assemble patient characteristics ranging from immunizations to physical problems and even behavioral health issues to be used for therapy, public health, and research.
Many candidate universal identifiers already exist in other fields and could be adapted to medicine. Examples are email addresses, mobile phone numbers, and credit card numbers. These universal identifiers are voluntary, in that a person can have zero, one, or more of each and the person can choose when to use which one in a service relationship. Voluntary identifiers are designed to limit or control surveillance.
Identifiers such as driver’s license or passport numbers, often associated with a biometric, are designed for coercive surveillance in law enforcement. They are not voluntary and the associated systems are designed to avoid multiple identities and enable coercive surveillance for law enforcement purposes. The most coercive of these are identifiers derived directly from a biometric, such as an iris scan, where the identifier and the identity are inseparable in the same way that identity number tattoos were used in some circumstances.
Identifiers are associated with identity solutions. A good set of principles for identity solutions is the National Strategy for Trusted Identities in Cyberspace (NSTIC). Patient identifiers can be designed per the NSTIC principles. If another set of principles is chosen by industry or by government, they need to be clearly stated so that they can be compared and commented upon for their departures from the NSTIC principles.
A new round of healthcare bills is now making its way through Congress. These include provisions for clinical and research access to personal health data. Any legislation or private initiative designed to support universal patient identifiers should clearly state the surveillance goals and the solution principles. Is the surveillance associated with the identifier to be coercive or voluntary? Is the surveillance associated with the identifier to be hidden or transparent to the patient? Will the same identifier be used for coercive purposes such as controlled substance prescriptions and for voluntary purposes such as seeking mental health services? Will the same identifier be used across the domains of health and law enforcement such as for firearms license checks or “do not fly” lists? Can the identifier be used for non-therapy purposes such as marketing or medical research?
A health bank account number, a health spending account debit card number, a regular bank account number, a health insurance account number, and a social security number can all be used for surveillance to the extent they are communicated or shared beyond the hospital or pharmacy where a patient seeks service. It is important to distinguish the communication of an account number for the purpose of providing a specific service, such as getting paid, from the communication of the identifier for surveillance. The use of identifiers outside of the scope for which they were intended needs to be clearly disclosed in the service provider’s privacy practices. Then, each use needs to be transparent to the patient, such as by an email notice or text message, and it needs to be independently audited. Most important, the recipients of these surveillance identifiers must be known to and accessible for redress by the patient. For secret surveillance, the recipients of the surveillance information must be subject to a court such as the Foreign Intelligence Surveillance Court. I can’t think of any reason for secret surveillance in healthcare, so all recipients of patient identifiers must be known and accessible to the patient.
In summary, access to and use of unique patient identifiers used for a specific purpose such as payment for services or access to a personal health record need not be associated with surveillance. These are simple transactions between entities that are both known and accessible to the patient. These transactions may require a coercive identity, such as when a controlled substance is prescribed, but typically can be managed in a voluntary and pairwise pseudonymous manner. (Pairwise pseudonymous simply means that the unique patient identifier is only useful in that particular service relationship and every service relationship gets a different unique patient identifier.)
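The pairwise pseudonymous scheme described above can be made concrete with a small derivation routine. The following is an added illustration, not code from the post or from any of the standards bodies it names; it assumes a patient-controlled root secret held by the patient's own agent, hypothetical provider names EMR-1 and EMR-2, and a constructed registry called "rare-disease-registry". One keyed hash per service relationship yields an identifier that is stable for repeat visits to the same provider but unlinkable across providers, and a separately derived, disclosed identifier is what the patient hands to a surveillance use, with a notice logged on every send.

```python
"""Pairwise pseudonymous patient identifiers: constructed illustration, not the post's own code."""
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Optional


class PatientKeyring:
    """Derives one identifier per service relationship from a patient-held root secret.

    Assumption: the root secret never leaves the patient's agent, so nobody holding only
    the derived identifiers can compute or correlate them.
    """

    def __init__(self, root_secret: Optional[bytes] = None):
        self.root_secret = root_secret or secrets.token_bytes(32)
        self.notices: list = []  # transparency log: one entry per surveillance use

    def pairwise_id(self, relationship: str) -> str:
        # HMAC-SHA256 keyed with the root secret; the relationship label is the message,
        # so EMR-1 and EMR-2 receive unrelated 64-bit (16 hex char) identifiers.
        digest = hmac.new(self.root_secret, relationship.encode(), hashlib.sha256).hexdigest()
        return digest[:16]

    def surveillance_id(self, registry: str) -> str:
        # A separate derivation namespace keeps surveillance identifiers apart from
        # service-relationship identifiers, as the post argues they should be managed.
        return self.pairwise_id("surveillance:" + registry)

    def send_to_registry(self, provider: str, registry: str, record: dict) -> dict:
        # Every transmission to a surveillance agent is disclosed to the patient
        # (here: appended to the notice log) and carries only the registry identifier.
        rid = self.surveillance_id(registry)
        self.notices.append(f"{provider} sent your record to {registry} as {rid}")
        return {"provider": provider, "patient_id": rid, "encounter": record["encounter"]}


def correlate(records: list) -> set:
    """What an outside correlator can do: group records by identifier across providers.

    Returns the identifiers that appear at more than one provider, i.e. the ones that
    allow surveillance of the patient across service relationships.
    """
    providers_by_id = defaultdict(set)
    for rec in records:
        providers_by_id[rec["patient_id"]].add(rec["provider"])
    return {pid for pid, provs in providers_by_id.items() if len(provs) > 1}


def demo(root_secret: Optional[bytes] = None) -> dict:
    """Run the scenario: two hospitals with pairwise IDs, then one disclosed registry use."""
    patient = PatientKeyring(root_secret)

    # Constructed encounters: the same patient visits EMR-1 twice and EMR-2 once.
    service_records = [
        {"provider": "EMR-1", "patient_id": patient.pairwise_id("EMR-1"), "encounter": "2015-03-01"},
        {"provider": "EMR-1", "patient_id": patient.pairwise_id("EMR-1"), "encounter": "2015-06-12"},
        {"provider": "EMR-2", "patient_id": patient.pairwise_id("EMR-2"), "encounter": "2015-05-20"},
    ]
    # Pairwise identifiers alone give a correlator nothing to join on.
    linkable_without_consent = correlate(service_records)

    # The patient opts into a registry; each send is disclosed and uses the registry ID.
    registry_records = [
        patient.send_to_registry("EMR-1", "rare-disease-registry", service_records[0]),
        patient.send_to_registry("EMR-2", "rare-disease-registry", service_records[2]),
    ]
    linkable_with_consent = correlate(registry_records)

    return {
        "emr1_id": patient.pairwise_id("EMR-1"),
        "emr2_id": patient.pairwise_id("EMR-2"),
        "linkable_without_consent": linkable_without_consent,
        "linkable_with_consent": linkable_with_consent,
        "notices": list(patient.notices),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is the namespace prefix in `surveillance_id`: the registry identifier is derived from the same secret but can never equal any service-relationship identifier, so a hospital that later leaks its local identifiers exposes nothing the registry can match, and vice versa.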
Surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship. Surveillance uses must always be clearly disclosed to the patient or their custodian each time they are sent by the service provider or “matched” by the surveillance agency.
Providers, vendors, and legislators that are serious about improving health data reliability and security would do well to take note of the NSTIC principles and ensure that transparency of surveillance is the foundation for 21st Century practices around our most intimate data.
I find it difficult to believe that the word “surveillance” is even remotely appropriate in this context. That may be acceptable to bureaucracies (like the one referenced), but it’s confusing and entirely counter-productive to any dialog based on patient identification – and by extension – patient safety.
In fact – the author acknowledges this at the very end of the article – when he says: “In summary, access to and use of unique patient identifiers used for a specific purpose such as payment for services or access to a personal health record need not be associated with surveillance.” So what was the purpose of the whole surveillance discussion to begin with?
Certainly if someone wants to actively *prevent* the use of intelligent patient identifiers – ones that protect and serve patients – then there’s likely no better word to use than surveillance.
I was also disappointed to see a lack of any discussion around newer technologies (blockchain, for example) that could be used effectively for this exact purpose. It’s the underlying technology to cryptocurrencies like bitcoin – and has many inherent safeguards that could specifically help with patient mismatching (by one account – HIMSS – representing 8-14% of all medical errors inside U.S. hospitals).
Instead, the whole article seemed to suggest that a governing body (NSTIC – where the author is a member) needs to be consulted relative to their efforts around more global initiatives of civilian identification (presumably around issues of border protection, Homeland Security and terrorism more generally?). I can’t help but wonder how many years this bureaucracy will add to the patient safety issue we have today.
I would also encourage the author to review a more current announcement by the NHS – which intends to mandate “digital standards” (including patient identification) for their system in the U.K.
“A new set of “digital standards” that healthcare providers must provide will be integrated into NHS contracts while organizations will be inspected by the Care Quality Commission to ensure that they are being implemented.” http://hc4.us/NHSNPI1
People can choose surveillance if it serves a purpose. People with a rare disease often choose surveillance so they can find each other and form a community. Many of us might choose to have our medical claims tracked in a totally secure state database if we could use that information to choose the most cost-effective deductible when we sign up for health insurance – and nothing else. My point is that health-related surveillance needs to be voluntary, based on clear individual goals, and total transparency. “Patient safety” and “fraud prevention” goals can be achieved without surveillance in most cases and do not require universal people identifiers.
“Universal patient identifiers are, first and foremost, a surveillance technology and need to be designed and managed as such.”
Just what we need, more individual “surveillance”. Why not just implant a chip at birth then we could be tracked, monitored and “coerced”.
Is this a solution looking for a problem? Adrian, do you set your cell phone so that you can be tracked and monitored?
– Access to health services = access to a doctor, hospital, payer, pharmacy, etc…
– Shared identifiers within a local context like EMR-1 is risky for both the hospital and the patient, and it’s completely unnecessary. For the hospital and their EMR, it’s risky if it collides with another identifier. To avoid that, they need to go out to some external service that guarantees uniqueness and that’s extra work. For the patient it’s risky because it allows surveillance across different hospitals if both hospitals send the shared identifier to some registry or other surveillance agent. My whole post is about separating the local identifier 342311 from any external use whatsoever, including surveillance and managing the surveillance identifiers separately as an option of the local service relationship.
– You seem to agree with me that the use of a Voluntary Universal Patient Identifier should be under a governance mechanism separate from any single hospital and I assume that you agree that transparency and notice to the patient is an essential part of that governance mechanism.
– The surveillance goals are one or more of the 5 bullet points in my piece. Accurate patient matching among hospitals and service providers where I have a direct relationship _does not require a shared unique identifier_. All it requires is OAuth or UMA or HEART. This is because I sign into EMR-1 as 342311 and then, in that context, I sign into EMR-2 as 562311. It is me that is the common denominator and nobody else would be able to do that because they don’t know my password at either hospital.
– Surveillance poses a risk to the patient. It could be justified or an informed risk but it’s a risk. The corollary of surveillance is discovery. If there is no surveillance, discovery is more difficult. We live in an era where information about us is collected by everyone stored forever and used in ways that allow it to be discovered such as by sharing it with data brokers under pretense of de-identification. Forever is a long time and computers and networks are already fast enough to correlate the fruits of surveillance even if any single hospital thinks they have de-identified the data as far as they’re concerned.
On top of this we need to add the reality of breaches such as Anthem, Ashley Madison, and the Office of Personnel Management. In 2015, breaches affected about half the population. This is critical because information that was sent to a data broker or researcher as de-identified can now be correlated with information from Anthem that IS identified. In the good old days, the sources of re-identification clues were voter registrations, real estate transactions, and genealogy records – all with limited crossover with our health records. Now, the bad guys are targeting Anthem and OPM _because_ they have health records, and re-identification with de-identified sources related to health records is becoming a certainty. Breaches may be unavoidable but the impact of the breaches can be mitigated by strong notice and strong regulation of data brokers and other surveillance agents. Isn’t it time we stop pretending that de-identification is a substitute for notice and authorization?
Adrian – Great article – I think it is one of the best you have written but there is a notion that you are using that is confounding my understanding. I think.
In the first paragraph you state: This post argues that surveillance may be a desirable side-effect of access to a health service but the use of unique patient identifiers for surveillance needs to be managed separately from the use of identifiers in a service relationship.
Just to make sure I am following your argument can you correct me if the following restatement of what I understand the above to be saying is correct?
But before I do that I want to make sure I understand the terms that you are using. When you say access to health services do you mean explicitly getting health care services from a professional care giver or do you mean something else? What I am trying to get down to is plain language that a lay person can get.
My first read makes me think that you are saying in essence that within the system boundary of the software used by the care provider (their EMR) an identifier related to me will be created and used within that enterprise. For example, let’s say I get an identifier 342311 in EMR-1. The way this identifier is managed within the EMR is a local governance issue and should not be confounded with any other identifiers that might relate to the same person. I have a driver’s license number which is used by the DMV within their enterprise to make sure I get those photo-speed-trap tickets on a weekly basis. I gather that you are saying it would be a bad thing for EMR-1 or any other EMR to adopt the use of my driver’s license number as my local identifier, but I was wondering if you could help us by spelling out some of the reasons that would be a bad thing.
To continue with my example, I go to a different doc whose EMR-2 creates a local ID of 562311, and that identifier is used throughout the enterprise to do what EMR software is designed to do.
As you say – ‘Healthcare is abuzz with calls for Universal Patient Identifiers.’ Specifically, the call is to have a voluntary identifier that those who want to have one can share with their providers (or any other services in the healthcare eco-system) to be used whenever EMR-1 needs to talk to EMR-2 about me. That is to say, using some means – such as OAuth2 – when I interact with a service provider, one of the things I want to share with them is my Voluntary Universal Patient Identifier. You use the word surveillance off and on above, but for me I want my providers to be sure that they are sharing information about me from a patient safety perspective. But be that as it may, if the use of Voluntary Universal Patient Identifiers were to come into broad use, the desired end state would be that every EMR that is used in relation to care delivered to me has its own identifier, the governance of which is controlled by the policies of the local institution, while the governance of the Voluntary Universal Patient Identifier should be governed independently of any of the other identifiers in the eco-system to adhere to the principles.
Later in the article above you state “Any legislation or private initiative designed to support universal patient identifiers should clearly state the surveillance goals and the solution principles”. You’ve referenced the NSTIC Principles as noteworthy with regards to describing a solution’s principles, which I follow, but what I don’t follow is what you mean by surveillance goals. Maybe put another way: what if I say my surveillance goal is to minimize risk to patient safety when inaccurate patient matching results in either Type 1 or Type 2 errors?
I think you have provided a great briefing on the topic and I am sure it will create some informative dialogue. My one hesitation is where the term ‘Surveillance Goals’ came from – it just seems to imply a negative Iron Curtain connotation when in fact it could significantly improve the quality of many of the aspirations of the Nation’s investment in HIT – something that I would consider the inverse of negative. Rather than calling it “Surveillance Goals”, are there any reasons you couldn’t refer to Justifications?
Again timely piece –