SUMMARY: The Secretary of Health and Human Services (HHS) intends to publish a proposed rule on requirements for a unique health identifier for individuals. These requirements are mandated by law and are part of a process to achieve uniform national health data standards and health information privacy that will support the efficient electronic exchange of specified administrative and financial health care transactions. The Secretary will first publish a notice to discuss the identifier options that have been put forward for consideration and to ask for public comment.
A. Legislation
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines a process to achieve uniform national health data standards and health information privacy in the United States. Enacted with the widespread support of the industry and bipartisan support in the Congress, the law requires that the Secretary of Health and Human Services (HHS) adopt standards to support the electronic exchange of a variety of administrative and financial health care transactions. All health plans, health care clearinghouses, and those health care providers who elect to conduct the specified transactions electronically are required to comply with the standards within 2 years of their adoption, except that small health plans are required to comply within 3 years. Among these standards are:
Privacy and confidentiality protections for health information play a prominent role in the law as well. The Secretary is required to adopt security standards to safeguard health information, during transmission and while stored in health information systems, to ensure the integrity of the information, and to protect against unauthorized uses and disclosures. Further, the law requires the Secretary to make detailed recommendations to the Congress for protection of individually identifiable health information. These recommendations were delivered to the Congress on September 11, 1997. If the Congress does not enact legislation for health record privacy by August 21, 1999, the law requires the Secretary to issue regulations to protect the privacy of individually identifiable health information transmitted in standard transactions. These regulations must be finalized by February 21, 2000.
The law also specifies steep penalties for misuse of a health identifier and for wrongfully obtaining or disclosing individually identifiable health information. The penalties, which increase by type of offense, can be as much as $250,000 and 10 years in prison. More serious offenses are defined as those committed under false pretenses or those committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
HHS formed five implementation teams to identify and analyze options and propose policies to implement the statutory requirements. Through the publication of several proposed rules in the Federal Register, HHS will propose standards for each item required in the legislation.
B. Purpose of The Notice of Intent
There has been considerable consensus on most of the standards that HHS is to adopt. However, opinion on the unique identifier for individuals is deeply divided. Given the level of controversy surrounding the individual identifier, HHS made the decision to proceed cautiously in fulfilling its statutory responsibility to adopt a unique health identifier for individuals for use in the health care system. The notice of intent is the vehicle by which HHS will examine the controversial dimensions of a unique health identifier for individuals, discuss a number of identifier options from which a choice might be made, identify advantages and disadvantages of those options, and request the public to comment. Any subsequent public policy decisions or proposed rules about the unique individual identifier will benefit from the public debate and information gathering elicited by the notice.
Among the areas where comments are solicited are the following:
The notice will also seek comments from the public on additional specific implementation questions in Section IV., Implementation Issues Needing Further Consideration.
C. Future Activities
A. Need for Unique Identifier for Individuals
HIPAA recognized the unique identifier for individuals as an essential component of administrative simplification. There is evidence that a unique identifier for individuals in the health system would have many benefits, including improved quality of care and reduced administrative costs. Being able to identify an individual uniquely is essential in both the delivery and administration of health care. Today, various health care organizations and insurance companies, integrated delivery systems, health plans, managed care organizations, public programs, clinics, hospitals, physicians, and pharmacies routinely assign identifiers to individuals for use within their systems.
Typically, identifiers differ across organizations, while the delivery and administration of health care traverse organizational boundaries frequently. In its report on computer-based patient records (1991), the Institute of Medicine noted that the increased mobility and aging of our population create pressures for patient records that can manage large amounts of information in different locations and at the same time be easily transferrable among an increasing variety of health care providers. For the vast majority of people today, health records no longer consist of a paper file in a single provider's office. Rather, they consist of many records, some paper but an increasing number electronic, as patients visit multiple providers, primary care providers refer patients to specialists, health plans coordinate benefits with other health plans, providers submit claims and eligibility transactions to multiple health plans, and so forth.
The common practice today is for each provider and plan to use different identifiers for the same individual. Efforts to assure continuity of care, accurate record keeping, effective follow-up and preventive care, prompt payment, and detection of fraud, waste, and abuse all could benefit from the availability of a single unique identifier for individuals with appropriate protections against misuse and unauthorized use outside of health care. A unique identifier is necessary because the constellation of personal attributes commonly used to identify an individual (for example, name, birth date, and sex) is rarely captured in the same manner by each entity in the diverse system of health care. Yet, good care depends on the provider's ability to synthesize information from a variety of sources into an accurate picture of the patient's state of health. The first step in this process is for the proper records to be positively identified. A unique identifier would allow for the rapid and accurate identification of the proper records and their integration for the purpose of providing high quality, patient-focused care.
Having multiple identifiers for the same individual within or across organizations prevents or inhibits timely access to integrated information. Unique identifiers for individuals would facilitate ordering tests and reporting results; posting results, diagnoses, procedures, and observations to charts; updating, maintaining, and retrieving medical records; as well as integrating information across the various internal information systems. For some highly sensitive records (for example, records of mental health diagnoses or treatment, HIV antibody tests, or genetic tests) unique identifiers for individuals would be critical components of administrative procedures designed to protect such information from inadvertent disclosure.
A unique identifier for individuals could serve multiple purposes even within a single health care delivery organization. For some clinical interventions -- for example, blood transfusions, invasive tests or surgery, and medication administration -- a reliable means of identifying the patient is important for safety as well as for record keeping purposes. For example, ensuring safe and effective medication administration requires integrated information about the drug and dose being ordered, other medications being taken or recently ordered, and known drug allergies. Accurate and efficient integration of this clinical information, sometimes from different systems within one organization, would be assisted by having a unique identifier for individuals associated with each piece of information.
There is considerable support within the health industry for the adoption of a unique identifier for individuals. In a letter to the Secretary dated November 12, 1997, five major standards development organizations and associations that are described as clinical domain experts recommended the prompt adoption of a unique individual identifier. These organizations are: American Nurses Association, Digital Imaging and Communication in Medicine, Health Level Seven, National Association of Chain Drug Stores, and National Council for Prescription Drug Programs. The reasons cited were to reduce administrative workloads and costs, enable faster access to critical health information, and increase efficiency in the exchange of electronic data.
B. Confidentiality and Privacy
Controversy over the adoption of a standard for the unique health identifier for individuals has focused, to a large degree, on privacy concerns. Some of these views contrast sharply with the previous discussion of the value a unique identifier for individuals would have in clinical practice. We should stress that these privacy issues are substantive, not a trivial concern or a public relations matter. For some, privacy threats outweigh any practical benefits of improved patient care or administrative savings. To others, privacy concerns are significant, but can be managed. To some, the status quo poses greater privacy risks. In this section, we review a range of opinions on how privacy and confidentiality issues, including Federal privacy legislation, relate to identifier options. We welcome comments on these issues.
1. Perspectives on the Unique Identifier and Privacy
The Consumer Bill of Rights and Responsibilities, which was published in November 1997 by the President’s Quality Commission, underscored the importance of the confidentiality of identifiable health information. The confidentiality right states in part: “Consumers have the right to communicate with health care providers in confidence and to have the confidentiality of their individually identifiable health care information protected...” We welcome comments on whether adoption of a unique health identifier for individuals is congruent with this right. (The complete text of the report is available at http://www.hcqualitycommission.gov/cborr/.)
Some believe that threats to privacy are inherent in any unique identifier for individuals. Having different identifiers for the same individual across organizations is sometimes perceived to be protective of individual privacy because potential linkages across data systems are impeded. Having all health care organizations use the same identifier increases the threat to privacy by facilitating unauthorized linkages of information about an individual within and across organizations. This is why some believe that an electronic environment poses greater risks than one that relies on paper records.
Further, if the Social Security number (SSN) were to become the unique health identifier for individuals, some believe that the potential for linkages expands to include not only an individual's medical data but also credit and financial data, employment information, consumer behavior data, and a wide range of other information. The availability and widespread use of the SSN combined with the increasing use of electronic databases and the lack of adequate legal and social controls lend support to these concerns. To some, the SSN is simply unacceptable for identifying health records.
To others, preserving the ability to link health care records with records from other sources using the SSN is essential. The choice of an identifier that is used only in health care could constrain important clinical and public health research that depends on such linking. For example, linkage of health databases and other data sets using a unique individual identifier can assist public health researchers:
If a unique identifier used only for health care purposes were to be selected, those studies could not be done without a directory for linking the identifier to corresponding SSNs.
In the midst of the differing opinions over what unique identifier might be acceptable and whether it is necessary, it is easy to forget the implications of current practices. Because identifiers differ across organizations, most health care records and transactions contain more elements of identifying information than might be necessary if a single unique identifier were used. Typically, health care records contain a patient’s name, gender, address, phone number, birth date, SSN, health insurance number, employer, and relationships to other family members. A combination of several of these data items is often necessary to ensure a correct match between the records and a particular individual. In effect, a medical record or transaction bearing merely a person’s name and address may make the information “open” to anyone who deliberately or accidentally comes in contact with it. Ironically, this use of personal information for matching people and records generates little controversy, despite the lack of security standards and privacy protections in place today.
In addition, some believe that protection of health information from inadvertent or unauthorized disclosure would become easier with a unique individual identifier that is used for health care, but not for other purposes. Such an identifier would be used in a similar manner to the way that HIV testing is often conducted anonymously, by assigning an individual a number that is not otherwise known or used. This number, which is used to track and retrieve the test result, cannot easily be used to identify the individual, whereas name and other identifiers could be. A test result bearing only a protected number cannot be associated easily with an individual.
From this perspective, an identifier that could replace other items of identifying information and that would be used only in health care might yield greater privacy protection than alternatives that do not share these properties. Other such properties have been suggested. A check digit that could be used to validate an identifier might further reduce the need for other identifying information. An identifier with no embedded intelligence (e.g., initials or a location code) would be more protective than one containing intelligence. A longer identifier would be less easily transcribed or remembered than a shorter one. Encryption of an identifier under controlled conditions might add protection. A decentralized method of issuing identifiers that required no central database would offer other protections. We welcome comments on these and other properties of identifiers that would contribute to privacy protection.
2. Importance of Privacy Legislation
Regardless of possibilities for protecting medical information by using a unique health identifier for individuals and by applying the security safeguards required by HIPAA, some argue that HHS should not select a unique health identifier for individuals until the Federal privacy legislation required by HIPAA has been enacted. In the meantime, of course, identification of individuals’ medical records and transactions will continue, even though the methods are costly and burdensome and may themselves be a threat to privacy.
We welcome comments on what the major confidentiality and privacy concerns associated with a unique health identifier for individuals are and how they should be resolved.
The National Committee on Vital and Health Statistics (NCVHS), which was given a special role by HIPAA to advise the Secretary on standards issues, itself recommended that HHS not adopt a standard for a unique identifier for individuals until after privacy legislation is enacted. The NCVHS stated that "...it would be unwise and premature to proceed to select and implement such an identifier in the absence of legislation to assure the confidentiality of individually identifiable health information and to preserve an individual's right to privacy.”
The NCVHS outlined three concerns. First, it noted that the selection of a unique health identifier for individuals will become the focus of tremendous public attention and interest, far beyond that afforded to other health privacy decisions. It concluded that no choice should be made without more public notice, hearings, and comment. Second, it concluded that, until new Federal privacy law adequately protects health record privacy, it is not possible to make a sufficiently informed choice about an identification number or procedure. The degree of formal legal protection in such a law will have a major influence on both the decision itself and the public acceptance of that decision. Indeed, passage of a comprehensive health privacy law may make the choice of an identifier easier and less threatening to privacy. Finally, the NCVHS believed that a unique health identifier for individuals could not be protected from misuses under current law, notwithstanding the criminal penalties enacted in HIPAA. [The full text of the NCVHS recommendation is available at http://aspe.os.dhhs.gov/ncvhs/uhid.htm.]
The NCVHS is conducting public hearings to explore these issues during 1998. Information about these hearings will be posted on the NCVHS website at http://aspe.os.dhhs.gov/ncvhs/.
C. Approved Uses of an Identifier for Individuals
In addition to the HIPAA requirements for health information security and privacy, Congress included provisions in HIPAA that relate directly to the individual identifier and constrain its use. HIPAA directs the Secretary of HHS to adopt “standards providing for a standard unique health identifier for each individual ... for use in the health care system.” HIPAA goes on to say that the standards “shall specify the purposes for which a unique health identifier may be used.” Therefore, in any proposed rule to adopt a particular identifier, HHS would be obligated to specify the purposes for which the identifier would be required, permitted, and prohibited. The notice raises some of these issues to elicit your comments.
HIPAA’s language suggests that uses of the individual identifier outside the health care system could be prohibited, and that HHS could designate that such uses would be an offense subject to the penalties outlined in HIPAA. This leaves open the question of what other uses within the health care system might be approved or disapproved as well as what the boundaries of the health care system are. Certain approved uses can be derived directly from HIPAA. HIPAA requires use of the unique individual identifier in administrative and financial health transactions adopted by the Secretary under HIPAA authority. Thus, the identifier no doubt would be used in health care treatment, payment, and associated administrative and financial activities.
While HIPAA mandates the adoption of a standard unique identifier for use in the health care system, it does not mandate its use for purposes other than the transactions listed in the statute. There are many ways that the identifier could lawfully come into use for such other purposes. For example, such purposes could be permitted (but not mandated) by listing them among the “lawful uses” HHS is required to publish with the identifier. Use of the identifier could be required by other programs, for example, by an accreditation organization in its standards for quality assurance record keeping, or by the FDA for reporting adverse drug reactions. These additional potential uses of the identifier should be taken into account in considering the identifier alternatives.
Similarly, in a regulation proposed on May 7, 1998, in 63FR25320, the unique identifier for health care providers will be required in the administrative and financial transactions adopted under HIPAA and will be permitted (but not required) to be used for other purposes.
Limiting the uses of the unique identifier for individuals to purposes related to health care could be more important than for the identifier for health care providers. Other statements of policy offer additional specificity on the boundaries of the health care system. The President’s Quality Commission described the uses and disclosures of individually identifiable health care information that were consistent with the right to confidentiality and could be made without direct patient consent. These included uses and disclosures for:
The Secretary’s recommendations for Federal privacy legislation would authorize uses of individually identifiable health information without direct patient consent for:
Both the President’s Quality Commission and the Secretary recognized that we must take care not to draw the boundaries of the health care system and permissible uses for the unique identifier too narrowly. They recognized that quality assurance, health research, and public health reporting, for example, are within the realm of the health care system and ought to be permitted to use the unique identifier.
We will welcome public comment on the purposes for which a unique health identifier for individuals could be used and whether limits should be placed on such use. If so, what should the limits be?
D. Criteria for Evaluation of Candidate Identifiers
Much has been published about the need for a unique identifier for individuals and the criteria that should be considered in selecting an identifier. While different authors bring different perspectives to these topics, there is also some overlap, as would be expected. A general discussion of some of the published or frequently discussed criteria is included below. There is not consensus on the criteria that should guide the selection of a unique identifier for individuals. These criteria are presented to stimulate thought about the identifier characteristics.
1. Standard Guide for Properties of a Universal Healthcare Identifier (UHID)
The American Society for Testing and Materials (ASTM), a standards development organization accredited by the American National Standards Institute, has published the Standard Guide for Properties of a Universal Healthcare Identifier (UHID), hereafter referred to as the Standard Guide. The Standard Guide and its criteria will be referenced in the following discussion of each proposal. The Standard Guide provides 30 criteria against which one may evaluate candidate identifiers and a sample UHID, which illustrates the use of the criteria. The 30 criteria are designed to support four basic functions of a universal health care identifier in the population of the United States. The functions are: (a) Positive identification of patients when clinical care is rendered, (b) Automated linkage of various computer-based records on the same patient for the creation of lifelong electronic health care files, (c) Provision of a mechanism to support data security for the protection of privileged clinical information (does not attempt to address all safety concerns, however), and (d) Use of technology for patient records handling to keep health care operating costs at a minimum.
The Standard Guide also discusses the need for a temporary patient identifier when the universal health identifier is not available; for example, emergency care of unconscious patients, care provided to infants when a responsible informed adult is not present, or care being provided when a significant language barrier exists. During public discussions of the unique identifiers, participants have stressed that the unique health identifier should be available at birth.
The 30 criteria are:
Use of the Standard Guide helps to ensure that all proposals for an individual identifier receive scrutiny against the same set of criteria covering a broad range of considerations. Several noteworthy aspects of the relationship between the proposals described in this document and the various evaluation criteria hamper the ability to apply meaningful numeric “scores.” Some of the criteria (such as atomic--meaning a single data item without subelements) are relevant to a unique identifier, while others (such as mappable-- meaning possible to create bidirectional linkages between identifiers during incremental implementation) describe a system for maintenance or implementation. However, most of the proposals for an individual identifier provided only a concept of the identifier itself and did not include a proposed infrastructure or trusted authority to establish or maintain the system.
The Standard Guide provides a system for assigning a numerical score to each of the 30 criteria, but provides no method for weighting the relative importance of the criteria. Most of the proposals fully or partially met a large number of the criteria. However, among the proposals considered, only one included an analysis of both the identifier and the infrastructure needed to implement and maintain it. Some of the proposals would not ensure a unique identifier for each individual. Some of the proposals are not identifiers at all, but rather are systems of identification or maintenance of an infrastructure for identification. For these reasons, numeric scoring of each criterion may not be the most valuable way to use the Standard Guide. Nevertheless, the criteria served as a baseline set of functions against which all proposals were considered, and both positive and negative aspects were identified and compared.
2. Institute of Medicine’s Committee on Regional Health Data Networks
Six qualities of an ideal identifier were identified by the Institute of Medicine’s Committee on Regional Health Data Networks.
3. Practicality and Cost Effectiveness
Representatives from all segments of the health system have emphasized that practicality and cost effectiveness must be given careful consideration in selection of a unique identifier for individuals.
4. Privacy Principles
As noted earlier, privacy considerations are key in choosing the identifier. There are several criteria that might be applied in determining whether a particular identifier helps to serve the privacy interests of individuals. In order to stimulate thought and comment on the relationship between privacy and the identifier, some criteria that have been discussed in privacy studies are presented:
Many of the criteria that might be used to evaluate candidate identifiers can be summarized as relating to practicality, cost effectiveness, or privacy. Privacy must be balanced with practicality and cost. An identifier that protects privacy absolutely may rely on a technology that is neither practical to implement nor cost effective. An identifier that is the least expensive or simplest to implement may pose unacceptable privacy risks. The challenge is to find an identifier option that achieves an appropriate balance among privacy, practicality, and cost.
The American National Standards Institute’s (ANSI) Healthcare Informatics Standards Board (HISB) prepared an inventory of existing healthcare informatics standards to assist the Secretary with adopting standards. Information was collected by ANSI HISB from accredited standards development organizations, other organizations, and government agencies. The inventory included a discussion of standards for a unique identifier for individuals. It reported that ASTM was the only standards development organization with a published standard, the Standard Guide, on this topic and listed ASTM’s Sample UHID as a proposed identifier. It also listed six other candidate options which are “frequently discussed by industry experts.” The six options are:
Additional proposals are also addressed in this paper.
Overall, the proposals for unique identifiers for individuals fall into four general classes.
HIPAA requires that the Secretary of HHS adopt a standard for a unique identifier for each individual for use in the health care system. In the interest of promoting a full and complete discussion of all options, we present here several options that do not include a unique identifier but that may nevertheless allow each individual to be accurately identified in the health care system.
A. The SSN and Enumeration Process of the Social Security Administration (SSA)
Many of the proposals involve either the SSN, SSA’s enumeration process, or both. The following background relates to some or all of these proposals and includes discussion of information about the use of the SSN as a personal identifier, improvements in the SSA enumeration process that have been undertaken, other needed improvements, and the costs of such improvements.
1. Information About the Use of the SSN as a Personal Identifier
The SSA has always taken the position that the SSN is not a personal identifier. When the Social Security law was passed in 1935, the SSN was called the Social Security Account Number and was meant to identify the account, not the person. However, in practice, the SSN has been adopted for numerous identification purposes outside of the Social Security system. In 1943, President Franklin D. Roosevelt signed an Executive Order requiring Federal agencies to use the SSN as an identifier for any new record systems. The Department of Defense used the SSN as a military identification number during World War II and adopted it officially in 1967 as an Armed Services personnel identifier.
In 1961, the Civil Service Commission adopted the SSN as an official Federal employee identifier, and in 1962 the Internal Revenue Service adopted it as the taxpayer identification number. In the 1960s, the Treasury Department required buyers of Series H savings bonds to provide their SSNs and again in the 1970s required it for the purchase of Series E savings bonds. The SSN was selected in the 1960s as the Medicare health insurance number, with an alphabetic character appended to designate the beneficiary’s relationship to the wage earner on whom benefits are based.
In 1970, financial institutions were required by law to obtain SSNs of all their customers. Although the Privacy Act of 1974 prohibited States from using the SSN without congressional authority, it allowed those already using it to continue. Then, the Tax Reform Act of 1976 authorized States to use the SSN for State and local tax authorities, welfare systems, driver’s license systems, departments of motor vehicles, and for finding parents who were delinquent in child support payments. Later laws required or permitted States to require SSNs for participation in school lunch programs, Food Stamp programs, and numerous other programs. Placement of the SSN on State drivers licenses is required by the year 2000 under a 1996 immigration reform provision.
There are few prohibitions against use of the SSN in the private sector. Educational institutions frequently use the SSN as a student identifier, and the National Student Loan Data System has required the SSN of the borrower since 1989. Many health care providers also use the SSN to identify patients. Many private health plans use the SSN to identify subscribers and, to a lesser extent, dependents. Individuals are now indexed by their SSN in a number of databases with routine linkages and data exchange among them. The SSN is in such extraordinarily wide use as to be a de facto personal identifier. With appropriate privacy and confidentiality protections mandated in HIPAA legislation, the choice of using a unique identifier associated with the SSN would facilitate the potential linkage of medical records with administrative databases, as needed for public health or clinical research. Although the SSN is widely used as a health identifier in many health systems, legislation would likely be required for the SSN to become the unique identifier for individuals envisioned by HIPAA. This is because when an organization independently decides to use the SSN as an individual identifier, individuals may elect to withhold their SSN. However, when the use of the SSN is statutorily mandated, as is possible under HIPAA, the Social Security Act should be modified to specifically authorize the SSN for that use.
2. Improvements in the SSA Enumeration Process
The SSA has taken steps to overcome problematic aspects of the SSN that stem from the current system’s lack of both a strategy for systematic assignment to every person and a means to authenticate a person’s identity. The SSA has improved its process to verify the identity of the person receiving an SSN. Before 1971, the issuance of SSNs was based on information provided by the individual. Starting in 1971, some applicants had to document evidence of age, identity, and alien status. In 1974, the SSA started recording when a non-work SSN had been issued to an alien and reported this to the Immigration and Naturalization Service. Beginning on May 15, 1978, applicants for SSNs have had to document (using documents such as birth certificate or driver’s license) age, identity, and citizenship or alien status. If the applicant is at least 18 years old, a personal interview is conducted to determine if the person has had an SSN before. Additional verification is performed, such as contacting the State Bureau of Vital Statistics to verify the existence of a birth certificate, conducting a search for a death certificate or verifying Immigration and Naturalization documents presented by the applicant. Currently, the verification process is based on a combination of personal data such as name, date and place of birth, sex, mother’s maiden name, and father’s name. These data elements are also used to screen the SSA database for any previous issuance to the person. The SSA reported to Congress in 1997 that its SSN database is highly accurate and allows assignment of an SSN within 24 hours if there are no questions about the data.
3. Other Needed Improvements
Beginning with tax returns filed 1/1/98 or later, the SSNs of all dependents claimed by a taxpayer must be included on the tax return. Thus a child could need an SSN during the first year of life. SSA’s “Enumeration at Birth” process allows a parent to apply for an SSN for his/her newborn as part of the State’s birth registration process. The State sends to SSA the data needed to assign an SSN and issue a card. About half of the original Social Security cards issued in fiscal years 1993-1994 used the “Enumeration at Birth” process. The addition of California in the process added an estimated 15 percent for fiscal year 1995. All 50 States, as well as New York City, Washington, DC, and Puerto Rico, now participate in this process.
In 1988 and again in 1991, the HHS Office of Inspector General cited major weaknesses in the birth certificate issuance process that hampered the ability of both Federal and State user agencies to rely on birth certificates retrospectively for identity. Among the problems cited were the use of false birth certificates as “breeder documents” to create false identities. The SSA defined breeder documents as those “... that are used to obtain other documents used for identity: for example, a birth certificate is used to obtain a drivers license, which is then used as an identity document.” The HHS Office of Inspector General also cited as problems the many different versions of birth certificate forms that are used, and open access with lax physical security for vital records.
All of the proposals for a health care identifier that depend on the SSN or the SSA would benefit from further improvements in the process for issuing and maintaining both SSNs and birth certificates. An improved process could begin with a newborn patient in the birth hospital or other health care provider; at once the proper authorities would assign a birth certificate number, assign an SSN, and assign the health identifier. Such a process would permit the longitudinal patient record to begin at the initial health care encounter. Health care providers that deliver newborns in non-hospital settings would need to have a method to access this system and report to it when necessary. Improved accuracy in identification and reductions in fraud from a process linking birth registration and SSN issuance would benefit vital records agencies, SSA, and the public. These processes for assigning identifiers at birth would have to be supplemented with procedures to verify identities and issue numbers to individuals (for example, immigrants) whose enumeration would not occur at birth. The legislation that would be necessary to involve the SSA in this process would need to allow for these improvements.
4. The Costs of Improving SSA Enumeration
In relative terms, building upon an existing system, such as that administered by the SSA, should be less costly than creating an infrastructure to administer an entirely new identifier system. Nevertheless, proposals that require substantial investments by the SSA to improve its processes must address SSA’s costs for those changes. The need to improve the existing SSN system by eliminating duplicate numbers and re-verifying the identities of SSN holders is well established and independent of proposals to use SSA as the trusted authority for issuance of a unique health identifier. The term “trusted authority” as used in this document refers to the authority that will have the responsibility of administering a unique health identifier system.
As noted above, some of the needed improvements began several years ago. The SSNs that were assigned at birth using the enumeration process described earlier would not need to be changed or re-verified, and health identifiers could be issued immediately to people whose SSNs were assigned under the improved processes.
At the request of the Congress, SSA reported recently that, based on fiscal year 1996 data, verifying the identities of all SSN holders and reissuing new cards would have a basic minimum cost of about $3.9 billion. Additional estimates (up to $9.3 billion) were given if the process included new security features in the cards. The report did not attempt to estimate possible related costs, such as special processing for very young and very old number holders, those in rural locations, or those outside the United States.
If the SSA were to undertake the re-validation and re-issuance project in order to overcome the current limitations of the SSN, a unique health identifier issuance and maintenance system could benefit from being part of the process. If the SSA were to incur the cost of re-validation and re-issuance, the additional effort to issue a health identifier could be incorporated into the process at the earliest planning stages, and the costs for this process certainly would be smaller than instituting a new system to issue and administer such identifiers.
Improvements to the SSN and to SSA's enumeration process should yield benefits for other activities such as immigration reform and welfare fraud reform. It might be reasonable, therefore, if the improvements were undertaken in connection with SSA’s role as trusted authority for issuance of a health identifier for individuals, to apportion the cost of the improvements across all the agencies that would benefit from them.
B. Unique Identifier Proposals Based on the SSN
1. The Unenhanced SSN
Description This option was listed in the ANSI HISB inventory. The SSN is described in section III.A., above. The SSN is commonly used as an identifier in current health care systems. For this reason, it would be the least costly identifier to implement.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being focused for health care (created and maintained solely to support health care), for being unique (identifying one and only one person), and for being able to merge or split identifiers (to correct for duplicates) when necessary. Some of the positive aspects of this proposal as revealed by the ASTM criteria relative to other proposals were in the areas of accessibility, content free, and cost effectiveness.
Some of the negative aspects exist primarily with the SSNs that were issued before the improvements in the SSA processes were made. These will be improved or corrected as the proportion of SSN holders who are enumerated under the new procedures increases. However, this may not happen quickly enough to meet the needs for a health identifier for individuals. Some of the other problems are addressed by ongoing or proposed improvements in SSA’s enumeration process. Whether these improvements will be made is not known; even if they are, some aspects of using the unenhanced SSN remain problematic.
2. Proposal of The Computer-based Patient Record Institute (CPRI)
In 1993, CPRI published a position paper recommending that the SSN, with modifications in the number and the process for issuing it, be adopted as a “universal patient identifier.” In September 1996, CPRI published an Action Plan for Implementing a Unique Health Identifier, Version 1.0, hereafter referred to as the Action Plan, which gave further detail on their proposal. The CPRI proposed an identifier based on the SSN, with the addition of a check digit. Many people know only this component of the CPRI proposal; however, the proposal also includes the following improvements and enhancements that would affect the utility of the SSN as a health identifier:
There must be increased funding and specific tasking of the SSA to clean up existing duplication, multiple assignments, and other errors. ... In addition, there must be legislation permitting the use of SSNs for health identification purposes. There must also be a mechanism whereby identifiers can be assigned to those without an SSN. Finally there must be an authentication algorithm used to establish the identity and authority of the organization requesting a number.
Positive Aspects
Because of its reliance on the SSN, the CPRI proposal offers a practical solution that would require a minimum amount of change in current health care databases. It brings benefits of cost, ease, and time to implement when compared with candidates that would implement a completely new health identifier.
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being focused for health care (created and maintained solely to support health care), for being unique (identifying one and only one person), and for being cost effective. Many of the aspects of this proposal, as revealed by the ASTM criteria, were positive relative to others, but depended on the enhancements that were outlined generally in the proposal.
3. Alternate to SSN Identifier
Description
This proposal is related to the use of the SSN as the health care identifier. One suggested approach to address privacy concerns with the SSN or the CPRI proposal is to use the SSN as the health identifier for those individuals to whom it is acceptable, but offer an alternate identifier to others. Individuals who have concerns over linkage of their health information with other information already linked by the SSN, could receive a permanent, unique, alternate 9-position identifier. The alternate identifier would not be the same as any current or future SSN. This modification of the SSN proposal would be restricted to the limited number of such alternate numbers available.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed similar negative aspects of this proposal to others based on the SSN. One difference is in the area of being public (able to be revealed to any person or organization by those who would not want to reveal their SSN). Some of the positive aspects of this proposal as revealed by the ASTM criteria relative to other proposals were in the areas of accessibility, content free, and cost effectiveness.
4. The Computed Healthcare Identifier (CHID)
Description
The CHID proposal provides an alternative to using the SSN. Under this proposal, a new identifier would be computed from the SSN. The proposal would not require changes in SSNs or in SSA’s processes, therefore its cost could be lower than that of the CPRI proposal. Assignment of this identifier would be accomplished by health care providers or health plans. During enumeration, each validated health plan and health care provider would be provided a standard encryption algorithm for the purpose of converting a patient's existing SSN into another, private number. The proposed algorithm would perform a one-way mathematical function that is significantly easier to perform in a forward direction than in the opposite, or inverse, direction. A one-way function is sometimes called a trap-door algorithm because, like falling through a trap door, a one-way function is a process that is easy to do but very difficult or even impossible to undo. As an illustration, multiplying four or five three-digit prime numbers together is the mathematical equivalent of falling through the trap door--it is easy to do. It is quite a different matter, however, to take the huge number resulting from that multiplication and calculate backwards to reveal the original four or five numbers. That would be the mathematical equivalent of un-falling through the trap door--it is very hard to do. With a high speed computer it might be possible to compute a one-way function in a fraction of a second, but to compute its inverse could take many years.
Under this proposal, the plan or provider would apply a trap door algorithm to a patient’s SSN to compute a new unique health identification number. Since the identical algorithm would be used by all plans and providers, the resulting Computed Healthcare Identifier (CHID) for a specific individual would always be the same and would be used to identify all of that individual’s health records. The number would contain check digits that could be used to distinguish valid from invalid numbers.
Unique temporary numbers or identifiers for people ineligible for an SSN would be issued on demand by a health care provider or plan from a national computer system accessible from modems and the Internet. Such identifiers would be indistinguishable from the CHID. Temporary numbers would be issued from the domain of numbers that cannot be computed from a valid SSN. If necessary, the SSA would be asked to set aside a range of SSNs for this purpose and agree never to assign them. This proposal has not been piloted, and no cost estimates are available.
Positive Aspects
Negative Aspects
Application of the ASTM criteria reflected problematic areas similar to those of the use of the SSN itself--in the areas related to being governed (having an entity oversee and manage the system), such as mergeable and splittable (to correct for duplicates, and in being unique (identifying one and only one person). Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of accessibility, content free, cost effectiveness, and being focused for health care (created and maintained solely to support health care).
C. Unique Identifier Proposals Not Based on the SSN
1. The ASTM Sample UHID
Description
The UHID provided as a sample in the Standard Guide is designed with a length up to 29 characters. The number is constructed from four parts: (a) a 16-digit sequential number that identifies an individual uniquely, (b) a delimiter (defined as a single character, such as a period, that denotes the boundary between two digits or characters) that separates the 16-digit number from the check digits and encryption scheme identifier that follow, © 6 check digits, and (d) a 6-digit encryption scheme identifier, if the number has been encrypted. If the UHID does not need to be encrypted, the last six digits can be valued as "000000" or omitted entirely. Leading zeros of the 16-digit sequential number may also be omitted to produce a shorter identifier. The proposal did not describe the Sample UHID’s implementation. One of the authors of the proposal suggested it should be a simple implementation, with a small staff operating one computer to assign the numbers.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being governed because of the simple plan described for a small administrative staff and, therefore, for being able to merge or split identifiers (to correct for duplicates) when necessary at a national level. The length of the UHID is also a negative aspect when considering concise (as short as possible) and cost-effective features. Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of accessibility, able to be public, and content free.
2. Biometric Identifiers
Description
The ANSI HISB Inventory of Standards described biometric identifiers as a class of proposals, rather than an individual one, and defined them as sophisticated methods of biometric identification. Biometric identifiers are based on unique physical attributes, including fingerprints, retinal pattern analysis, iris scan, voice pattern identification, and DNA analysis. The individual must be present for issuance and verification of the identifier. Issuance and verification require special equipment to scan or read the specific biometric attribute used for the identifier. Biometric identifiers are used by government agencies such as those concerned with law enforcement and immigration. The biometric information can be stored in digitized form in electronic records and on identification cards. Biometric identifiers are not widely used as health identifiers.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in areas related to conciseness (the size of the digitized identifier), cost- effectiveness of producing and using the identifier for the entire population, and the equipment requirements. Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, are that it is unique (identifying one and only one person) and atomic (not containing subelements with meaning).
3. Personal Immutable Properties
Description
Many variations of this type of identifier exist. The ANSI HISB Inventory of Standards described one particular proposal from this type. It is designed as a 19-digit number, although a method of compressing it to a 10-digit identifier by expressing it as a base 34 number was described. It would have three immutable values plus a check digit, with each separated by a delimiter. The first value is a 7-digit date of birth (using only the last three digits of year), the second is a 6-digit geographic code based on degrees of longitude and latitude, and the third is a 5-digit sequence number assigned by an area jurisdiction, with an international registry administered by an organization such as the World Health Organization. Temporary assignments would have a leading “T.” In general, the proposals for identification based on personal immutable properties involve an identifier based on a combination of a person’s characteristics that would not change (for example, birth name, date of birth, place of birth, gender, mother’s maiden name), possibly in combination with a sequential identifier to form a health care identifier.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being atomic (a single data item without meaningful subelements), being content-free, and being cost-effective. It would also be relatively difficult to use by manual systems. One of the positive aspects of this proposal as revealed by the ASTM criteria relative to other proposals was in the area of verifiable (able to determine validity of the identifier) and assignable (possible to assign whenever needed).
4. Civil Registration System
Description
This proposal would use records established in the current system of civil registration as the basis to assign a unique, unchanging 16-position randomly-generated (in base 10 or base 16) identifier for each individual. Uniqueness would be established based on data, such as name, date of birth, place of birth, and mother’s first name, present in the civil records. The 16-digit unique identifier would link the lifetime records of an individual’s human services and medical treatments. A system would be developed to track these and other encounters with the civil system. Tracking would occur through rank-ordered documents--first order would be state birth files, visas, “green cards,” etc.; second order would be SSA records and military identification, etc.; and third order would be library card and membership in civic organizations, etc. To guard against unauthorized access of records, and to ensure the voluntary participation of the individual in the tracking and linking of his/her records, each individual would choose a personal identification number (PIN). Such a feature would operate much as does the combination of an Automated Teller Machine card and PIN in accessing bank records. This proposal has not been piloted, and no cost estimates are available.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being focused for health care (created and maintained solely to support health care), being cost-effective, being able to be assigned retroactively, and being verifiable (able to determine validity without additional information). Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of being permanent (never assigned to someone else) and public (able to be revealed).
D. Proposals That Do Not Require a Universal, Unique Identifier
1. Identification Methods Based on the Master Patient Index Concept
Several identification system proposals are based on the Master Patient Index concept. These proposals attempt to address the challenge of locating and linking medical records across organizations or enterprises, without requiring the use of a unique identifier. While individual institutions currently use Master Patient Indexes, the other proposals in this group have not been piloted, and no cost estimates are available.
A Master Patient Index (MPI) is a commonly-used system in health care that links a patient medical record number with a limited set of common identification elements known to a patient, such as patient first name, patient last name, sex, birth date, SSN, and mother’s maiden name. A patient seeking care provides the common elements; the MPI system matches the common data elements across its index to identify the patient's medical record number, which is required to retrieve the patient's record. Because this system is already in use successfully in many sites, some people see no need for a unique health care identifier.
Multiple sites within a large organization may keep their own separate medical records and have separate medical record numbering systems and separate MPIs. The separate MPIs may use different matching processes to obtain the medical record number. MPIs often have different identifying elements and sometimes lack any common identification number for the patient, although the SSN is frequently used as the identifier. This means that, for example, in one large health care enterprise, the hospital, the emergency services department and one or more outpatient clinics may each have separate medical record numbering systems and separate MPI systems. When organizations merge, it is very difficult to merge MPIs, since each system brings a historical data set with one or more identification numbers, possibly of various lengths, with no guarantee that there will be a common non-health care assigned number. When an enterprise attempts to integrate its systems, merging may reveal data integrity issues, including duplicate records. The merging process must not only match records that have some identical identifiers, but must identify possible matches when the records’ identifying data are inconclusive. Performing the final verification usually requires human intervention.
This proposal would use legacy system directories at local sites of patient care and cross reference directories to records at other sites. The legacy system directories would consist of patient characteristics such as name, address, SSN, race, sex, biometric identifiers, and local patient identifiers to identify the individual. The concept of the legacy system directory is similar to that of a Master Patient Index. The legacy system directory would be coupled with a system of cross reference directories to provide linkages to records of individuals across systems. The directory service would use these directories to search across patient record systems to locate prior points of care for the individual and electronically exchange network addresses so that linkages could occur.
CORBAmed is the health care component of the Object Management Group, an industry consortium that promotes application of Object Oriented Technologies. CORBAmed has issued a Request for Proposals for development of the CORBAmed PIDS, which is intended to facilitate communication across multiple levels of Master Patient Indices. CORBAmed PIDS would support the identification of people receiving care at a specific site and the correlation of identifiers and records of people who have received care in different sites. It would permit and support a broad range of confidentiality policies.
In October 1997, the U.S. Commerce Department’s National Institute of Standards and Technology awarded Sequoia Software Corporation a research and development grant to develop a Master Patient Index that can correlate and cross reference computerized patient records from different health care organizations. The goal is to match records across a national computer network without the need for human intervention.
The HL7 mediation is a software process that searches and locates patient records across separate Master Patient Indices. HL7, an accredited standards development organization, has established a Special Interest Group to propose and develop the process by which identifying information will be located and matched.
Positive Aspects of Proposals Based on a Master Patient Index Concept
Negative Aspects of Proposals Based on a Master Patient Index Concept
Application of the ASTM criteria revealed many negative aspects of this proposal relative to others in the areas of being focused for health care (created and maintained solely to support health care), being unique (identifying one and only one person), atomic (not containing subelements with meaning), concise, content-free, cost effective, permanent, unique, and unambiguous. These reflect the quality of not having one controllable number that can be governed for health care related uses. Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of accessibility and assignability.
2. Identification Systems Based on Existing Medical Record Numbers with a Practitioner Prefix
Description
This candidate identifier proposal was listed in the ANSI HISB inventory. This proposal is for a practitioner prefix to be added to the medical record number. The most common method of identifying an individual in health organizations is through use of a medical record number. Each provider organization maintains a Master Patient Index and assigns and maintains the medical record number based on identifying information in the index. The medical record number is unique only within the provider organization. The two- position practitioner prefix would indicate a practitioner that maintains medical records on the individual. The medical record number would identify the individual’s record within the practitioner’s data base. The individual would designate one practitioner that would have primary responsibility for linking and updating the information in the individual’s medical record. This proposal has not been piloted, and no cost estimates are available.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being governed, identifiable, repository-based, verifiable, unique, and permanent. These aspects reflected the proposal’s purpose of not facilitating linkages across systems. Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of accessibility, assignability, usable, and focused.
E. Hybrid Proposals
1. The UHID/SSA Proposal
Description
This proposal consists of a unique identifier based on the properties of the Sample UHID as described in ASTM’s Standard Guide, with the SSA as the trusted authority for assignment and maintenance. This proposal has not been piloted, and no cost estimates are available.
The identifier under this proposal would have the same structure as the Sample UHID, discussed above. It would consist of four parts: (a) a sequential number that identifies an individual uniquely, (b) a delimiter, (c) one or more check digits, and (d) an encryption scheme identifier to allow for extra protection of a patient’s identity in sensitive situations. Unlike the ASTM Sample UHID, the UHID/SSA proposal does not specify the lengths of each of the components of this identifier. In a later section, Implementation Issues Needing Further Consideration, we solicit input on the appropriate lengths and, where applicable, algorithms for each of these components.
The UHID/SSA proposal selects the SSA to become a “trusted authority” for providing the infrastructure and maintenance of the UHID/SSA and with issuing the health identifier as part of its re-validation procedure, discussed above. This proposal echoes the call for improvements to the birth certificate process to ensure reliable issuance of SSNs and UHIDs at birth. It would also make obtaining false SSNs and UHIDs by altering, counterfeiting, or obtaining fraudulent evidence documents more difficult. As the SSA validates new applicants for SSNs to be unique, it would issue the UHID. People who do not have SSNs would be issued UHIDs as they generate their first encounter with the health system, as discussed below. The UHID would not be placed on the card used to issue the SSN. The SSA would maintain the database linking the SSN with the health identifier for its internal verification process, but other unauthorized users would be prohibited from linking the two numbers. The SSA is an experienced public program with a national identification system that includes most U.S. citizens and with the infrastructure necessary to issue and maintain the health care identifier. The relative cost to the Government of adding a unique health identifier to SSA records should not be great.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of being concise and in whether it would be cost effective. This depends on whether SSA would reverify its SSNs for reasons unrelated to its proposed role as a trusted authority. Most of the remaining aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were positive.
2. Veterans Health Administration Hybrid Model
Description
This system is currently being pilot tested. It is based on an implementation by the Veterans Health Administration (VHA). The method involves the use of a master patient index system that identifies patients using VHA services based on several identifying properties, including the SSN, and the assignment of a unique identifier that is based on the ASTM Sample UHID. The VHA terms this unique identifier an Integration Control Number (ICN). When a person who does not yet have an ICN presents for care, access is established to the centralized MPI. The central system assigns a temporary ICN. If the person is later adequately identified and is determined to already have an ICN, the temporarily assigned ICN becomes an alias to the principal ICN, and the system using the alias ICN is electronically informed to begin using the principal ICN and recording the temporarily assigned ICN as an alias.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas of the ICN lacking conciseness and its cost effectiveness if extended to become a national system. Most of the other aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were positive.
F. Cryptography Methods That Are Not Identifiers
Description
The National Research Council defines cryptography as the art of keeping data secret, primarily through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. As noted earlier, cryptography is not actually an identifier, but a means to protect identifiers through the application of encryption technology. The ANSI HISB Inventory of Standards described this method as a two-key system that would allow data to be encoded with one key and decoded with another key in such a way as to reveal the patient identity only to entities with both keys, one of which would be in the control of the patient.
The United States Postal Service is developing new electronic commerce services that include methods to ensure the security and privacy of electronic information. The Postal Service cryptography and public key management services might be useful components of public/private key management for a health identifier. These services, however, have not received robust testing for implementation on a national scale, and no cost estimates are available.
Positive Aspects
Negative Aspects
Application of the ASTM criteria revealed negative aspects of this proposal relative to others in the areas related to the technical nature of this proposal, particularly the characteristics of being usable (processable by both manual and automated means), verifiable, public, concise, and deployable (implementable using a variety of technologies). Some of the positive aspects of this proposal, as revealed by the ASTM criteria relative to other proposals, were in the areas of atomic (a single data item without meaningful subelements), content-free, focused, and permanent.
All of the proposals have implementation issues that would need to be resolved. We discuss and seek comment on the implementation issues below. We note that some of the issues, such as those presented in parts IV.A., B., C., and D. below, apply only to those proposals that include an identifier.
A. Temporary Identifiers
A system would be required to learn the identifier for an individual who has one but is unable to provide it, to assign a temporary identifier for an individual who has none or whose identifier is unknown, and to manage the linkage of temporary and permanent identifiers. The complexity, cost, and potential for error associated with management of temporary identifiers could be significant. We welcome feedback on ways to reduce complexity, cost, and error. We can distinguish two kinds of situations in which temporary identifiers would be necessary:
(1) Most of the candidate identifier proposals would require the individual to submit information and the trusted authority to verify the individual’s identity before assignment of a permanent identifier. Under this type of process, if the individual’s identity could not be quickly and positively authenticated to satisfy the requirements for a permanent identifier, the trusted authority would assign a temporary identifier that would be controlled at the national level. Under one possible scenario, temporary identifiers would have the same structure as permanent identifiers, but would be reserved from the pool of permanent identifiers. They would be unique nationwide. The temporary health identifier would be used for any episodes of care until the trusted authority could adequately verify the identity of the individual. Once identity was verified, if the trusted authority found that this individual did not already have an entry in the identifier index, the "temporary" health identifier would become the permanent unique health identifier. On the other hand, if an entry were found to exist in the identifier index, the temporary identifier would be recorded as an alias identifier, which would be merged with the permanent unique health identifier. The trusted authority would inform the individual and the health care provider of the permanent unique health identifier.
(2) Temporary identifiers would also be required for emergency care of unconscious individuals, infants, or those with significant language barriers. A provider would issue a temporary identifier for an individual when the unique health identifier is unknown. Each provider would be responsible for the format of its own temporary health identifiers. The temporary health identifiers would be unique within the provider’s system, but not unique nationwide. The provider would find out the permanent identifier from the patient at a later time. When this is not possible, the provider would transfer the individual’s identifying information to the trusted authority, and the trusted authority would determine if a permanent unique identifier had already been issued to the individual. If not, it would assign a temporary health identifier or assign a permanent one and would inform the individual and the health care provider of the permanent unique identifier. The provider would then change the patient number of record, replacing the temporary identifier that the provider produced with the temporary health identifier or the permanent one of the trusted authority.
B. Encryption of the Identifier
A method of encrypting the unique individual identifier would be required for circumstances in which the identity of the individual needs to be obscured. The encryption of the identifier to obscure the identity of the individual is distinguished from encryption of entire medical records or messages in transmission. The Standard Guide indicates it would be desirable to be able to generate an arbitrary number of encrypted identifiers from any primary identifier. An encrypted identifier would be used during a single patient care episode, for example, reporting a sensitive laboratory test. The encryption scheme used to generate the encrypted identifier could be designated by an encryption scheme identifier, which could be appended to the encrypted identifier or could be stored separately. The algorithms and keys used to encrypt and decrypt would be known and used only by the trusted authority. Encrypted identifiers would be treated as aliases to the identifier. Capability for encryption of the identifier could add to its length. The encryption requirements would also add to the complexity and cost of the infrastructure that would link the original and encrypted identifiers and manage the encryption and decryption schemes. We are specifically soliciting public comment on to what degree is encryption of the identifier an essential part of an acceptable identifier design? Under what conditions is encryption of the identifier appropriate? What are the costs and benefits of identifier encryption?
C. Length of the Identifier
The optimal length of the identifier should be considered. A longer identifier would increase storage and transmission costs and would decrease ease and accuracy of manual use. We do not know how great these impacts would be.
Some people believe that an identifier format that is longer than that of the identifiers in common use would pose significant conversion burdens. Replacement of current identifiers in existing record formats with a new, longer identifier would require health plans and providers to modify their information systems and record formats.
Other people believe that health plans and providers will choose to add a new identifier to existing record formats rather than replace existing identifiers. In this case, record formats would need to be modified, regardless of the length of the new identifier, so the length of the new identifier would not significantly affect conversion costs.
We invite the public to comment on what is the optimal length of the identifier and why?
D. Check Digits
The selection of a recognized International Standards Organization check digit or multiple check digits should be evaluated for use with any identifier being considered. Multiple check digits add length to the identifier but are able to detect more kinds of errors than a single check digit. Check digit algorithms are usually designed to be calculated from all-numeric base numbers, but the inclusion of alphabetic characters may be a desirable design for an identifier because it would increase the capacity of a shorter identifier. However, any alphabetic characters in the identifier would need to be translated to specific numbers before the calculation of the check digit, and this conversion would diminish the effectiveness of the check digit in detecting errors. Some people believe that a check digit is a critical part of the identifier design because it can help detect keying errors. Other people believe that the identifier will not need to be keyed in the majority of its uses, since it will already be in a record or on a card. These people believe that the check digit has been overvalued.
The length of the identifier and the error detection capabilities of the check digit must be balanced in selecting the optimal identifier and check digit design. It is critical to recognize that the cost and benefits of check digits could vary significantly depending on the type of identifier selected. For example, the cost to include a check digit in a completely new identifier is minor since most systems will have to be changed anyway to accommodate the new number. On the other hand, the cost of adding a check digit to the SSN would be very significant because the current systems that use the SSN would not have to change otherwise. In addition, other authenticating data can mitigate the need for a check digit. Some people believe that if an online, real-time name and number verification capability were available to anyone who would need to record or verify the identifier, a check digit would provide little additional value.
We solicit public comment specifically on to what degree are check digit(s) a desirable part of the identifier design? What specific check digit scheme is preferred, if any? What are the costs and benefits of using check digit(s)?
E. Compatibility with Evolving Technologies
Any identifier selected should be independent of particular information technologies and flexible enough to adapt to new ones. Do the candidate identifiers meet the requirement for flexibility with respect to future scenarios of record keeping and data transmission?
F. System Infrastructure, Availability, and Access
The identifier system would assign identifiers, match patient information, and verify the unique health identifier for individuals. It would also manage temporary health identifiers, encrypted health identifiers, and linkages among alias health identifiers. We solicit comment on what kind of computer and communications infrastructure is required to support an individual identifier system? Does the computer network to support these functions need to provide nationwide access 24 hours a day, 365 days a year? What kinds of entities should have access to the system and for what purposes?
G. Assignment of Unique Health Identifiers for Individuals
Policies and procedures will have to be established for the assignment of unique health identifiers for individuals. The following are some of the questions that will need to be answered:
Some people believe that for a new identifier to have value over existing identifiers, it must be established on stringent authentication and verification standards. Other people believe that authentication and verification requirements for a health identifier should not be as stringent as, for example, those required to obtain an SSN. These people believe that assignment of more than one health identifier to a single individual would rarely have severe consequences and that there would be little incentive for fraudulent assignment of health identifiers. They believe that the cost of authentication and verification outweighs the benefits of accurate, unique identification. The desired degree of authentication will be determined by balancing accuracy of identification with cost of verification. What is the appropriate standard to apply to these questions?
H. Implementation and Transition
Each provider and health plan will need to develop an implementation plan and transition process for using the new individual identifier. Many providers and health plans will add the new individual identifier to existing records and tables rather than replace existing individual identifiers. The new identifier is required by HIPAA to be used in certain administrative electronic health transactions. It is likely that providers will use it in clinical records and internal communication, as well as in the external communications where it is required by law. The implementation plan for the new individual identifier should be designed to lessen the burden on small providers. Some providers might find it advantageous to use a third-party clearinghouse or communications agent to comply with the requirements to use the individual identifier. The communications agent would convert paper and legacy identification data into the formats required to obtain individual identifiers from the trusted authority.
How can a smooth transition to the individual identifier be accomplished? How can the burden on small entities be lessened?
I. Costs of SSN Reverification
Both the CPRI and UHID/SSA proposals specify that comprehensive reverification of the SSN is a critical element of successful implementation. The cost of this reverification has been estimated by SSA at several billion dollars; however, no funds have been appropriated for the task. This raises some critical questions:
J. Costs to Implement a New Identifier for Individuals
We have no reliable estimates of costs or benefits available for any of the proposed individual identifiers, other than those associated with the SSN reverification. There are a wide range of areas where costs may be incurred. Costs may be incurred by individuals, providers, employers, health plans, state governments, and the Federal Government. Cost would include, for example, the conversion of existing systems, conversion of forms and cards, storage of a check digit, inclusion of a check digit in records/forms/cards where a human would see the identifier, and inclusion of alpha characters in the identifier. What will it cost to transition to the individual identifier system and to operate it? Who should pay those costs and why? How can costs be mitigated, particularly those costs that can be determined not to be recoverable through the improved efficiencies of a unique individual identifier?
The importance of finding a cost effective means to issue a unique individual identifier for health care cannot be overstated. We welcome comments from individuals or organizations with information about the costs of implementing the various proposals. In an attempt to gather more specific information from industry as to the expected costs of implementation for specific characteristics of a unique individual identifier, members of the Workgroup for Electronic Data Interchange (WEDI), a health industry consortium, were asked for informal feedback. Questions were posed relating to the cost of an increase in length of the identifier from 9 to 16 digits, cost to add a check digit, the change from numeric to alphanumeric, and changes to the systems that would result from making the new identifier the “working index key,” not just an additional field.
A number of WEDI member organizations responded, but only five of the responses contained specific cost estimates for implementation by an organization. They ranged from a low of $10 thousand to a high of $370 million. The $10 thousand response was for one hypothetical organization to change the length of the identifier from 9 to 16 digits. The change would involve field and screen changes and the conversion of existing data. This respondent also said that if a check digit were added the additional cost would be $5 thousand, but the resulting increased accuracy would offset this cost. A State Medicaid program responded that its cost would be $5.7 million to expand to 16 digits and change to an alphanumeric field type, assuming the new identifier became the working index key. A large insurer responded that such a change to its statewide system would be a massive undertaking, costing about $370 million. The cost would drop to $7.2 million if they could still use the SSN for internal identification purposes. The insurer expressed concern about having to undertake this kind of conversion while still trying to address the date problem associated with the century change.
Adding a check digit did not appear to raise concerns with any of those responding. Several responded that a new patient identifier would probably be added as a new, alternate key rather than replace the current primary index key and all of its logic. Responses indicated that expanding the field length from 9 to 16 digits would be a major database conversion for their system, but one questioned why it would need to be longer than 12 digits. Several said they currently allow up to 12 digits. There was lack of agreement on whether the identifier field should be numeric or alphanumeric. The responses indicated that increasing the length of a field increases the cost, and that alphanumeric fields of the same length are more costly than numeric. However, an alphanumeric structure might be less costly if it resulted in a shorter field length. Two responses suggested that in the name of simplification we should just adopt the least expensive alternative, the SSN. The responses reflect the absence of a consensus within the industry as to which standard to adopt for this identifier.
Are these concerns valid? How? What are some alternatives?
K. Time Frames for Implementation
HIPAA mandates that implementation of each identifier be completed within 24 months after adoption of the final rule for that identifier. In the case of the identifier for individuals, what strategies will help the various potential users of the identifier (for example, individuals, providers, employers, health plans) be ready by this date?
L. Relationship of Other HIPAA Standards to Identifier for Individuals
It is likely that standards for the electronic transactions required by HIPAA will be adopted before the standard for the unique identifier for individuals. What are the implications of implementing the transaction standards without a standard identifier for individuals? Should the implementation time frame for the identifier for individuals be related to the passage of privacy legislation?
7/2/98