Health Policy

A National Patient Identifier: Should You Care?


The rather esoteric issue of a national patient identifier has come to light as a difference between two major heath care bills making their way through the House and the Senate.

The bills are linked to outrage over surprise medical bills but they have major implications over how the underlying health care costs will be controlled through competitive insurance and regulatory price-setting schemes. This Brookings comment to the Senate HELP Committee bill summarizes some of the issues.

Who Cares?

Those in favor of a national patient identifier are mostly hospitals and data brokers, along with their suppliers. More support is discussed here. The opposition is mostly on the basis of privacyand libertarian perspective. A more general opposition discussion of the Senate bill is here.

Although obscure, national patient identifier standards can help clarify the role of government in the debate over how to reduce the unusual health care costs and disparities in the U.S. system. What follows is a brief analysis of the complexities of patient identifiers and their role relative to health records and health policy.

Patient Matching

Patient matching enables surveillance of patient activity across service providers and time. It can be done either coercively or voluntarily. We’re familiar with voluntary matching like using a driver’s license number to get a controlled substance prescription. People are not aware of the coercive matching that goes on without our consent.

Voluntary matching is cheap and reliable. Coercive surveillance for patient matching is quite expensive and prone to errors. Why would so many businesses promote the coercive alternative? It’s mostly about money. The relationship between health surveillance and money in the U.S. healthcare system is relatively unique in the world. The issue of a national patient identifier is also pretty specific to the U.S. The reasons, as all things in U.S. healthcare, are complicated. But, fundamentally, they boil down to two things:

  • Patients have a right to be treated without identification — what HIPAA calls “known to the practice” — but paying for that treatment clearly requires some identification.
  • The byzantine financial incentives in the U.S. system mean that thousands of data brokers have a financial interest in the hidden surveillance. Otherwise, they would just ask patients for consent.


Payers already have a patient identifier. The impact of adding a surveillance component, either voluntary or coercive, is hard to estimate. Would patients have a choice of plans with or without coercive surveillance? Would we need regulations, similar to GINA, to reduce the risk of biased interpretation? I’m not aware of any insurance industry comments on the House national patient identifier amendment.

All Payer Claims Databases

Pretty much everyone in the health care “system” is working as hard as they can to avoid transparency. Transparency of quality, of cost, of data uses, of directories, of “black box” and artificial intelligence algorithms, and more. The principal strategy for both the House and Senate versions of the cost reduction bills is to increase transparency, but that could be achieved with either coercive or voluntary identifiers.


Coercive patient surveillance is already in place on a massive scale. Surescripts tracks over 200 million U.S. patients and sells that information for all sorts of purposes without patient consent or obvious oversight. In theory, one can opt-out of Surescripts. In practice, it’s practically impossible. (I tried it.) I did find errors in my file. Even fixing those errors was more trouble than it was worth. Would Surescripts’ coercive surveillance be mitigated by a national patient identifier? Quite possibly, if the final legislation introduces privacy protections, such as opt-in and real-time patient notification by Surescripts or anyone else that is making use of the identifier.

Known to the Practice

HIPAA encourages a trusting physician-patient relationship by allowing confidential and even anonymous consultation. This promotes public health. The implementation of a national patient identifier must preserve this option.


The federal government has been trying to create a national network for health records for over a decade. The current state is the Trusted Exchange Framework and Common Agreement (TEFCA) Draft 2. TEFCA is still far from obvious with major detractors from the incumbents and no clear solution to the very hard problems of regulatory capture of standards, security, consent, and patient matching. Three comments by Patient Privacy Rights address these issues.

Aside from moving patient data from here to there, TEFCA aims to provide a surveillance mechanism that will track the locations where patients receive health services. This can be quite useful for maintaining a longitudinal patient record, measuring outcomes, and informing research, as well as policy.

But a national surveillance system can also spook patients and increase public health risks if populations concerned about bias and loss of opportunity hide or actively game the system. It’s therefore essential to design TEFCA with the highest level of privacy and transparency, similar to what we have in finance. A national patient identifier will help TEFCA, but only if it is voluntary (linked to consent), transparent (to mitigate security risks), and most importantly, if it replaces the current design based on coercive surveillance.


People already have any number of national-scale identifiers. Mobile phone numbers and the unique device identifiers that phones broadcast just by being on, email addresses, driver’s license numbers, Medicare and private insurance IDs, a Social Security Number, and credit cards. What matters for privacy is not the existence of personal identifiers but how they are used. Is the usage regulated? Does use in one domain, e.g. purchasing, cross over into another domain such as taxation? Is the use of the identifier voluntary like when you sign to allow your credit surveillance history to be accessed by an auto dealer or a landlord? Are you notified whenever an identifier is used? Are there usage logs and statements conveniently available to you? A national patient identifier will need to answer all of these questions and more.

Errors, bias, and ethics

Every large system is subject to errors, bias, and ethical issues. The proponents of a national patient identifier make self-serving arguments about reducing errors, such as assigning data to the wrong patient, without a critical analysis of how errors might be intentionally or accidentally introduced into the system. Other questions include how patients can catch errors or omissions and how access to a national identifier might bias relationships with employers or a new generation dating sites. The ethics of health care are mostly about the unintended consequences of what superficially seems like a good idea.

Coerced, Voluntary, or Self-sovereign

Self-Sovereign Identity (SSI) that is cryptographically secure and controlled by the individual person. If we introduce a national identifier, for patients or any other large-scale use, in 2020, should that identifier be compatible with SSI?

Independent Patient-Controlled Longitudinal Health Record

A new national patient identifier is not an end in itself, it must serve or enable something new. That new thing could be universal healthcare coverage, which exists in almost every other developed economy. Another new thing would be a longitudinal health record that is independent of any particular public or private institution. An independent health record would promote competition, enable greater transparency of outcomes and costs, and it would significantly reduce the costs of research and innovation. It’s important to design TEFCA and other federal programs around the outcome rather than a tweak of the process.

Non-HIPAA Components

What would be the scope of a new national patient identifier? Should it be used to add non-HIPAA components like exercise or diet to a patient’s record? Should it apply to over-the-counter purchases in pharmacies or telemedicine from outside the US? Will the new identifier expand the scope of surveillance by Facebook, Google, and other hard-to-avoid platforms?

Should you care?

Yes. The uniquely high U.S. health care costs are now driving politics directly and indirectly. Universal coverage could be the top issue in 2020. But health costs also impact immigration discussions, as well how we deal with technology-driven shifts in employment and employer-based insurance.

Bi-partisan efforts such as the “surprise medical bills” legislation now before the House and Senate are aimed at health care cost outcomes and the balance of power between hospitals, payers, patients, physicians, and regulators. That balance of power was swept under the political rug in previous efforts. With health care waste and fraud running at about $1.5 trillion or 6 percent of GDP, the debate over a national patient identifier should not be about the process of patient matching but over the path to increased transparency, competition and innovation.

Adrian Gropper, MD, is the CTO of Patient Privacy Rights, a national organization representing 10.3 million patients and among the foremost open data advocates in the country. This post originally appeared on Bill of Health here.

Livongo’s Post Ad Banner 728*90
Spread the love

5 replies »

  1. Adrian, Take a look at “Certify reproducibility with confidential data” by Christophe Perignon, et al, in Science 12 July Vol 365, issue 6449, 2019.

    It is a paper showing how researchers can trust journal articles a little more. There may be some applicable points in here that you can use.

  2. “…All told, we are barreling toward a future where every ritual of public life carries implicit consent to be surveilled: obtaining a license, driving a car, shopping in the mall, and even walking across a college campus or city block all open one up to tracking and database matching of some kind. Opting out would mean nonparticipation in social life—a consequence much more dire than the invasion of privacy. When participating in daily life means being searched, law enforcement ceases to presume that the public is innocent.”

  3. A biometric ID would make the problem much worse to the extent it further removes consent and it has to be used in-person. This is not a problem for CLEAR because consent is implied when you use that lane at the airport and, by definition, you are in-person. Technology can read your iris from 30 feet away. In the wild, this would become surveillance on a massive scale. Biometric IDs also have major security problems if compromised and the methods tend to be proprietary which limits interoperability.

    India’s Adhaaar program is an established biometric ID on a national scale. Even now that it’s in place, the path to applying it to health records has not been clear.

  4. What if an inexpensive biometric ID becomes available (e.g., retinal, like my CLEAR scan, or something genetic)?

Leave a Reply

Your email address will not be published. Required fields are marked *