Search our
entire site
Enter your search
terms below, or visit
our search page

Search case
studies only
Enter your search
terms below:

For the table
of contents and
hyperlinks to
general topics
proceed to toc

THIS TRANSCRIPT IS UNEDITED

NATIONAL COMMITTEE ON VITAL HEALTH STATISTICS

SUBCOMMITTEE ON STANDARDS AND SECURITY

July 21, 1998

Hearings on the Unique Health Identifier for Individuals

James R. Thompson Center
Room 9-040
100 West Randolph Street
Chicago, Illinois

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, VA 22030
(703) 352-0091

List of Participants:

John R. Lumpkin, M.D., M.P.H., Chair
Simon P. Cohn, M.D., M.P.H., FACP
Kathleen Fyffe, M.H.A.
Jeffrey S. Blair, M.B.A.
Kathleen A. Frawley, J.D., M.S., RRA
Clement Joseph McDonald, M.D.
William Braithwaite, M.D., Ph.D
Robert Gellman, J.D.
Karen Trudel
Judy Ball
Wendy Liffers
Marjorie Greenberg
James Scanlon
Stewart Streimer
Michael Fitzmaurice

TABLE OF CONTENTS

Panel 4b: Allowable uses of a unique health identifier and safeguards to protect it

• Twila Brase

Panel 3b: Assuming an identifier must be chosen, what is the best identifier to use?

• Soloman I. Appavu
• Daryl Evans

Panel 2b: What are the cost-benefit implications of a unique individual identifier?

• David Miller
• Steven Seweryn

Panel 1b: Should we have a unique individual identifier for health care and what are the alternatives for such an identifier?

• Diane L. Hillbrant
• John Quinn
• Shannah Koss

P R O C E E D I N G S

DR. LUMPKIN: Good morning. I'd like to welcome everyone back to the second day of hearings. Sometimes it can be very frustrating when we are trying to work as a committee on some very crucial issues, and no one ever takes any notice of what we do.

So again, welcome. My name is John Lumpkin. I'm Director of the Illinois Department of Public Health, and I am chairing the subcommittee that is holding the hearings today.

We are going to start off with the introductions. So as we welcome our listeners on the Internet, they will at least be able to hear the members of the committee's names. Again, when people are making comments from the floor, we will ask you to identify yourselves, so that individuals who are listening on the Internet will be able to know who is speaking.

So we will start with our new addition. We're glad you could make it today, Clem.

DR. MC DONALD: I'm sorry, I was reading all this news from yesterday. What am I supposed to do?

DR. LUMPKIN: Just introduce yourself.

DR. MC DONALD: I'm Clem McDonald from Indiana University and Regenstrief Institute.

DR. FYFFE: Kathleen Fyffe, Health Insurance Association of America.

DR. FRAWLEY: Kathleen Frawley, the American Health Information Management Association and chair of the Subcommittee on Privacy and Confidentiality.

DR. COHN: I'm Simon Cohn. I'm a practicing physician and the National Director for Data Warehousing for Kaiser Permanente, and a member of the committee.

DR. GELLMAN: I'm Bob Gellman. I'm a privacy and information privacy consultant in Washington.

DR. LUMPKIN: Now that we have had the committee introduce themselves, we'll have departmental staff.

MS. TRUDEL: Karen Trudell, Health Care Financing Administration, staff to the committee.

DR. BRAITHWAITE: Bill Braithwaite, HHS and staff to the subcommittee.

MS. BALL: Judy Ball, HHS and staff to the subcommittee.

MS. LIFFERS: Wendy Liffers, HHS and staff to the subcommittee.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Policy and Research, liaison to the committee.

MR. STREIMER: Stuart Streimer, Health Care Financing Administration, liaison to the committee.

MR. SCANLON: Jim Scanlon, HHS, staff director for the full committee.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics and Executive Secretary for the committee.

(The remainder of the introductions were performed off mike.)

DR. LUMPKIN: Great. At this point, we'll ask the first panel to come forward.

Panel 4b: Allowable uses of a unique health identifier and safeguards to protect it

MS. BRASE: My name is Twyla Brase. I'm from Citizens for Choice in Health Care. I am a public health nurse and president of Citizens for Choice in Health Care, otherwise known as CCHC.

CCHC is a health care policy organization located in St. Paul, Minnesota, which was founded three and a half years ago as a result of health care consolidation, a growing loss of medical confidentiality and the elimination of many health care choices in the areas of insurance, treatment and providers.

Our mailings reach approximately 6,000 people nationwide, and our e-mail list has been growing since we went online in November. We are pleased to say that we have a comprehensive website focused on health care reform policy issues and medical confidentiality.

Thank you for giving me the opportunity to present our organization's thoughts on the very important issue of unique patient identifiers for individuals. I will begin with our thoughts and end with eight recommendations.

With insight beyond his time, U.S. Supreme Court Justice William O. Douglass in 1966, in the case of Osborne v. the United States, said, "Once electronic surveillance is added to the techniques of snooping, which this sophisticated age has developed, we face the stark reality that the walls of privacy have broken down, and all the tools of the police state are handed over to our bureaucracy on a Constitutional platter."

After reciting the Fourth Amendment, Justice Douglass went on to say, the time may come when no one can be sure whether his words are being recorded for use at some future time. When everyone will fear that his secret thoughts are no longer his own, but belong to the government, when the most confidentiality and intimate conversations are always open to eager, prying ears, when that time comes, privacy and with it liberty will be gone. If a man's privacy can be invaded at will, who can say he is free? If every word is taken down and evaluated, or if he is afraid every word may be, who can say he enjoys freedom of speech?"

Justice Osborne had no idea how sophisticated we would become in the computer age. In light of his comments, it is important to remember that the definition of health care information in the Health Insurance Portability and Accountability Act, HIPAA, includes -- and I quote, "Any information whether oral or recorded in any form or medium that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university or health care clearinghouse which relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual."

Add to that Secretary Shalala's recommendation that government officials have access to citizen medical records without patient consent for four national priorities which, if implemented, would give unprecedented rather than restricted government access to health care information on citizens.

Therefore, Citizens for Choice in Health Care cannot support the implementation of standardized, government issued unique patient identifiers for individuals. Despite the fact that Congress passed the HIPAA law, this enumeration and surveillance system will clearly be detrimental to the liberty, privacy and security of every United States citizen. Not only will this surveillance system allow government officials to use doctors to track citizens at their most vulnerable times when they have nowhere else to go, which in itself is unconscionable, it will also raise the cost of health care, diminish the excellence of our health care system and inhibit citizen access to medical care, especially in the at-risk and immigrant populations.

Confidentiality is rooted in personal integrity and limited distribution and access, not legislation or encryption. As they say, loose lips sink ships. And unfortunately, we have all heard stories about government employees and others perusing or disclosing data on citizens. Many citizens deal with diseases, conditions or injuries that if disclosed, can harm their reputation, employment, marriage, credibility, community standing and insurability. In truth, there are not enough lawyers, attorney generals or police officers to stop anyone from breaking the law.

That being said, there is also no punitive sentence from a court that could ever restore the loss of confidentiality or eliminate the resulting personal chaos that may follow.

In addition, although our government may currently be considered beneficent, it is a well-known fact that oppressive governments in the course of history have used access to medical information to commit egregious act crimes against their own people. There mere fact that administrative simplification even passed may cause more than a little speculation of our government's beneficence.

For all these reasons, plus the protections within our Constitution, it is clearly not within the purview of the government to have access to or begin the process toward comprehensive medical information on citizens. If this system of identification and tracking is implemented, there will be a growing unwillingness of patients to give complete information to their providers. This may cause delayed or incorrect diagnoses and therefore increased costs. In addition, more people may choose to leave the traditional health care system, accessing medical care only in desperation and perhaps only with practitioners willing to violate the government tracking system requirements in order to secure the privacy of their patients.

Already, there are a growing number of persons who elect to forego vaccinations, home school their children or have home births in order to escape the probing problems of HMOs and the pressure exerted by doctors, hospitals and office staffs to submit their children to vaccinations against their wishes or to complete intrusive surveys for the creation of patient profiles.

One of the worst imaginable outcomes of the proposed surveillance system would be the creation of a black market for medicine in America.

In light of these concerns, Citizens for Choice in Health Care has the following seven recommendations.

One. There should be no government-issued unique patient identifiers for all citizens or government repositories of medical data on all citizens either directly or through data linkages.

Two. Each provider or clinic may choose a separate unique patient identifier or medical record number for each patient, as is current practice. While we know that many health plans and others want a single identifier to create a lifelong record on individuals, the fact is, many patients have sincere personal reasons why they don't want Doctor A to know about their care from Doctor B. It is the right of individual citizens to protect themselves and their confidentiality from others.

Three. To protect anonymous access to care, no unique patient identifier or social security number should be required in order to obtain health care services from any health care provider.

Four. Government access to patient identifiers or individually identifiable patient information for law enforcement purposes must include the protections of due practice as afforded in the Constitution, such as a valid court order for access or a search warrant.

Five. Use of electronic identifiers and electronic transactions must not be required for access to medical services.

Six. There must be use of strong encryption for any patient identifiers which are used in electronic transactions. Some have suggested 128-bit encryption, and I am not a specialist at this, but this is what I've heard.

Seven. No insurance company should require submission of a social security number for purchase of or enrollment into a health insurance policy, but should offer an alternative enrollee identification number to those enrollees which request them. This separate identifier should not resemble the social security number, and should not contain embedded intelligence on the enrollee.

Last, the following seven items, A through G, should not be permitted without informed voluntary written patient consent which details all intended uses and recipients of the data to be shared, and contains a written agreement that the data will be used for nothing else and shared with no one else.

A. Creation of a unique patient identifier which cuts across every medical or health care encounter.

B. A requirement to have an electronic unique patient identifier as in a smart card or biochip.

C. The sale, distribution or release of identifiers or individually identifiable information by anyone who holds health care data, as in physicians and others.

D. Government access to unique patient identifiers or individually identifiable information for research, oversight or widespread surveillance.

E. Entry of unique patient identifiers or individually identifiable information onto any registry or database.

F. Medical research using unique patient identifiers or individually identifiable information, including CQI, continuous quality improvement activities by HMOs, which is more appropriately called risk assessment, patient categorizing or patient profiling.

G. Behind the scenes tracking of citizens through a government master patient index system.

The patient and the provider, who is under an ethical oath to protect confidentiality of the patient, should control or limit access to information. The system we propose by necessity makes tracking and linking difficult, because decentralization is the essence of maintaining privacy.

Since patient privacy, health care access and lower health care costs are stated concerns of Congress and the federal government, I trust that our recommendations will be given full consideration. If followed, there can be an improved sense of trust in the health care system and the government. Trust will not happen with force, enumeration of surveillance of citizens.

Thank you again for allowing me to share our comments and concerns.

DR. LUMPKIN: Has Dennis Bush arrived? Then we will thank you. Comments or questions?

DR. FYFFE: Are we going to get a written copy of your --

MS. BRASE: Yes. I apologize, but the hotel did not have facilities to print it, and I have made recent changes, so it is on the disk that they have.

DR. FYFFE: Thanks. I have another question.

DR. LUMPKIN: What is it in?

MS. BRASE: Mac.

DR. LUMPKIN: I'm sorry, that's not standard state of Illinois issue otherwise. We would print it up here. I don't want to reveal my biases about computer systems, I'm sorry.

DR. FYFFE: Could you please elaborate on the proposed surveillance system that you refer to in your transcript?

MS. BRASE: Sure. The surveillance system would be a system that allows any kind of accumulation of information on individually identifiable persons. So when you have a system where everyone has a unique identifier, and whether it is a linked system or one national registry, if there is any access by virtue of one number to all the information on a person, that would be a type of a surveillance system.

And as a matter of fact, in Minnesota right now, the Commissioner of Health said during one hearing that we are creating multiple surveillance systems in the health departments. She had said that there were over 90 conditions that they were accumulating information on citizens, most of which without their consent.

So that is from a government perspective. It is already moving in that direction, and if we all have a unique patient identifier, that type of surveillance will only increase.

DR. FYFFE: Thank you.

DR. MC DONALD: Just to clarify that, I'm not quite sure where there is any point at which you would justify any kind of tracking of patients on a collective basis. That is, these are public health issues that we're talking about, aren't they? You are talking about the surveillance?

MS. BRASE: The 90 conditions?

DR. MC DONALD: Yes. Is that something you are arguing against, any public health surveillance?

MS. BRASE: If there is public health surveillance necessary, which would be for illnesses that are fatal, like HIV, we are not opposed to that. But as in 1997 when a birth defects system was proposed, all we wanted to do in Minnesota was to have patient access and even acknowledgment, and at that time, that department of health did not want to let patients or parents know that they intended to put every child with a birth defect on a birth defect registry, as well as information on their parents.

So we worked with legislators to get parent and patient consent. As soon as we got parent and patient consent on both the House and the Senate bill, various versions of it, the language was stripped. We don't consider birth defects something that is going to -- that is contagious or communicable, that is going to be fatal to the population. That is a decision for parents and patients, whether or not they want to be on such a registry.

DR. MC DONALD: Most of everything you said was what shouldn't happen, and I'm not sure if anything is allowed. That is what I was trying to get to -- where the boundary is and what you would accept or your group would accept. Maybe it was a preventive issue there they were looking at, whether these things could be prevented. And folic acid, we know, does prevent neural tube defects, which is a very, very fatal disease to the child with that defect.

MS. BRASE: I think that public health and public safety could actually be just holding public health and public safety up as something -- as a mechanism for why all of our records have to be invaded by officials. There is not value in that it is intrusive. There are many people who would be more than happy to let public health officials have access to information in their records, but the fact the public health officials want to do it without asking for consent is invasive, and it is unnecessary.

DR. MC DONALD: Well, that is what I am still trying to clarify. The scope of your --

MS. BRASE: It is very limited.

DR. MC DONALD: In other words, you really don't support public health access to data.

MS. BRASE: Without consent.

DR. MC DONALD: Okay.

DR. LUMPKIN: I think she did say that communicable diseases, if we could define that universe, there are certain things which you do believe it is appropriate, but the issue is -- what I thought I heard you say is, if there is not value, then they should not have access without consent.

MS. BRASE: For most --

DR. LUMPKIN: Is that a fair statement?

MS. BRASE: I'm sorry, but for most things we would not be promoting access without consent. HIV on the other hand is fatal, and we would certainly support that.

DR. LUMPKIN: Bob?

DR. GELLMAN: The researchers say that if you give us all your data and let us track you forever, that we are going to produce all these wonderful results that are going to save everybody's lives. Would you like to respond to that?

MS. BRASE: Well, there has been a lot of research over the years which has been very, very beneficial, and it hasn't been done with comprehensive tracking of every individual. It has been done with requests for patient involvement in studies, it has been done internally by physicians with their own patients. So I think that we can have a lot of research which is done without invading the privacy of individuals that will be very beneficial.

In addition, you can have statistical sampling, and it doesn't have to be the entire comprehensive population in order to give results that will be very beneficial.

DR. GELLMAN: Do you think that researchers could convince people on the basis of their expectations that they can produce better medical information and provide better treatments? That they can get people to consent to disclosures?

MS. BRASE: When I talk with the people about this issue, many of them say to me, a lot of these things are not very confidential, I don't feel very confidential about them. I would be more than willing to give access to my records, but there are of course a few things that people would feel confidentiality was necessary. It would all depend on their employment and their position in the community, whether they were in politics, et cetera, as to whether or not they would be convinced by researchers to give total access to their records.

DR. GELLMAN: Are you worried that any information that a researcher has for the most part can be readily subpoenaed by the police?

MS. BRASE: That is something that we have not really looked into, and you probably are more aware of that than I am.

DR. GELLMAN: Let me ask you a different question. You talked about your concern that a patient identifier may make patients less willing to be candid with their physicians, which is an argument we have heard a little bit about.

I sort of want to come at this from the other end. That is, is there any reason today why a knowledgeable patient concerned about privacy would be candid with their physician? Because records today are widely disseminated to a lot of people. People talk about records today as if they are confidential, which is really not the case. Would you like to talk about that?

MS. BRASE: Well, perhaps the emphasis should more be on the mandated usage of a card and an identifier or an identification number. If one could have access to health care without using their card and therefore using a name that isn't related to their card, and that no one checks to see whether or not they really are that person, then confidentiality would be assured. I do believe that people do that today, because they don't believe there is confidentiality in their -- total confidentiality in their records, particularly as managed care organizations and government agencies move closer and closer together.

So the problem is that we have a mandated identifier and all health care transactions require it, it will be nearly impossible to remain anonymous.

DR. GELLMAN: Thank you.

DR. FYFFE: I have a problem.

DR. LUMPKIN: You do?

DR. FYFFE: Yes.

DR. LUMPKIN: Please.

DR. FYFFE: You said as managed care organizations and the government become closer and closer. Could you explain that, please?

MS. BRASE: Sure. We are in Minnesota, and --

DR. FYFFE: That explains it.

MS. BRASE: In Minnesota we have three managed care organizations that control access to health care for slightly offer 80 percent of the population.

DR. FYFFE: In the whole state?

MS. BRASE: In the whole state, as a result of a health care reform law and an antitrust exception. So in addition to that, all the managed care organizations which obviously have the rest of the population in them as well have all the Medicaid population -- are being given by the government all the Medicaid populations. In addition to that, our health care reform law mandates that all the information, the claims information, be sent to the state government through our health data institute.

So in addition to that, I was just speaking with some people in Wisconsin, and there is a law apparently in Wisconsin that has to do with the same type of information being sent to the government from all patients, not just Medicaid patients. So that's what I'm talking about.

DR. FYFFE: Okay, thank you.

DR. LUMPKIN: I have a few questions, and I hope you will bear with me, because I am really trying to understand your position, so I'm going to try to see if I can understand where the boundaries are that you're setting.

My father, who is going to be 84 this year, when he was 39 had a heart attack. When he goes to see his health care provider, he never tells them about that. His response is, he's a doctor, he should know that.

I don't think that that is atypical, at least in my experience, from some folks who grew up in environments where they don't have a lot of experience with physicians. So I believe that there are some people who would want to see this kind of system in place.

So as I am trying to get to your position and understand where you're coming from, would you believe that such a system would be acceptable, of the unique health identifier, if people had -- and there are going to be a couple of scenarios, one, the option to opt out? In other words, they could opt out as a person, or they could opt out as to a visit. So you go to a health care provider and you say, I don't want my unique identifier applied to this particular visit because I am now seeing my psychiatrist for the first time. So that psychiatrist would have a mechanism whereby they could apply an identifier that would not be your unique identifier. Or a person could say, I don't trust the whole system, so I want to be able to generate my own number or letter or code name or whatever every time I visit somebody.

Would you find that as being an acceptable alternative to what has been proposed? Either one of those or both?

MS. BRASE: So are you saying that every -- let's say Doctor A, B, C, D and E. At every visit that I go to between the five doctors, I could choose any identifier I wanted to with each of them, and a new identifier for every visit?

DR. LUMPKIN: Well, obviously they would know your name. That health care provider would know your name, but would not have a number. You would essentially opt out of the system, choose not to play. Would that be an escape clause that meets your concern?

MS. BRASE: In general, we are not supportive of opt-outs because it requires a burden on the citizen to opt out of a program that the government or another entity has created. It is better to opt in.

That is a new thought that I have not heard of with the idea of every visit, having a new number or creating a new number at the time of the visit, if that is what you are saying. But I still believe that it is best to be able to opt in and not out. Then with only knowing the full ramifications of how the data is accessed, how the unique provider is accessed who has access to it.

There certainly may be people in the United States that want a unique patient identifier for everything. We are a free country, we can choose to have such a thing, except for the fact that if you're going to create it for the whole country and half the people don't want to opt in, it would certainly be an expense.

I will tell you that on the way over here from the airport, I mentioned this to someone, about a unique patient identifier, and her immediate response was, well, that is an invasion of privacy.

So I think it would be much better to opt in, but then that is a great deal of expense if no one opted in, or if few did.

DR. LUMPKIN: There was some discussion yesterday, and I think you were here yesterday, about the issue of, if there is such a system of there being a trusted authority that would do the enumeration, that would be the repository of how John Jones or Ralph Doe would be associated with whatever this number is.

Would you feel that you would be more comfortable with this being a governmental trusted authority or a non-governmental trusted authority?

MS. BRASE: In the opt-in system?

DR. LUMPKIN: In whichever system.

MS. BRASE: Well, given the fact that we don't support a government-issued unique identifier, we would therefore not be very supportive of a government trusted authority.

DR. LUMPKIN: Can you tell me to what extent is your group concerned about new technology such as computerized patient records?

MS. BRASE: What we have thought about computerized patient records is that every patient should have the option to not have a computerized record or to choose what will or will not be on the record. Because once it is computerized, and all your data is accessible by a database, of which many are able to be cracked by those who know how to do it, your information is far more accessible and far less secure.

DR. LUMPKIN: If I could tease that out, let's run the scenario. Your ob-gyn two-person office purchases a computerized patient record system for use in that one office, not networked to anybody, but just on some street in your home town. Do you believe that patients should be given a choice, or then say, I do not want my name in your system, you would have to do a paper record? Is that a scenario? So the option would be either not to be entered into your computer system, or not do a patient record or go to another provider?

MS. BRASE: We would support the option of continuing to have a paper record, but I think that most people would be perfectly fine with an electronic medical record, as long as anything that was very sensitive on it in their mind was never placed on the record.

DR. LUMPKIN: Okay. Any other questions?

DR. MC DONALD: To follow up on the computer records, that would imply that they couldn't dictate in most cases. Would you really mean that? Because it is a very common practice to dictate a note, because that will go through a computer.

MS. BRASE: What happens to the dictated notes?

DR. MC DONALD: They sit on a disk and are accessible, I think as anything else on a disk that you are worried about. It can be searched, it can be scanned, it can be connected to the Internet. What I worry is that some of the proposals you say may paralyze the existing -- it may not be practical, because of what already goes on.

DR. LUMPKIN: Let me perhaps clarify that, and you weren't privy to some of the hearings that we had. There are a number of scenarios where dictated records are created. One is that they may go in an internal system by tape. The transcriptionist would then type it up.

There are some systems where there are voice generated computer systems that would then create the record that would be corrected, and then there are some offsite systems whereby the dictation would go over a telephone line to a service that then would transcribe it and return it to the practitioner. So those are the options that are currently in place. Did I miss any? Okay.

So that is a scenario that Clem is suggesting, and you can comment on any of those three different alternatives.

DR. MC DONALD: But I think when people think computer medical records, the average computer medical record is a collection of all the dictations. I just really want to make sure that you are disqualifying that, a patient saying you can't dictate my note, in effect. How could one operate a practice as a business or as an efficient process if one has very bad handwriting and went to the dictation? You are really putting people back in pen and pencil, I think. Is that realistic?

MS. BRASE: We haven't considered the dictation part, because it was something that never hit our radar screen, so we would have to spend some time just thinking about that.

But there is a problem with dictation if it does become a part of the electronic medical record. It includes the thoughts of the physician about the patient, whether or not they are accurate. I did have one woman who called absolutely enraged after I had suggested that she get her medical records, if she wondered what was in them. She was enraged by what the physician thought about her and then understood why the physician who next got her felt or acted the way he did towards her.

So access to that kind of information on an electronic basis, where it may or may not be true, just the thoughts of the physician, I think can be hazardous to the privacy of a person.

DR. MC DONALD: But the electronic --

MS. BRASE: But I haven't given great thought to that piece.

DR. MC DONALD: Because really, you're saying having a record, because the electronic part really isn't relevant. If someone has faxed it, it is the same thing. If one chose a record they hand wrote, it is the same phenomenon. Whether it is electronic or not isn't really an issue.

MS. BRASE: But if it is electronic, it can easily be transferred or accessed. If it is in a paper record, you have to go in and get it.

DR. LUMPKIN: If you have additional thoughts on dictation, please feel free to --

MS. BRASE: Sure.

DR. LUMPKIN: And we would appreciate it if you would send us some subsequent communication about that issue, and any other questions that we presented to you new here, if you have thoughts.

MR. STREIMER: Just a point of clarification, please. Did I understand correctly that you said earlier that you would support a patient willingly consenting to allow their medical information to be used for research, for example?

MS. BRASE: Correct.

MR. STREIMER: Okay. I just wanted to be sure I understood. I wanted to reconcile that with Dr. Lumpkin's model, where if a patient went in and could opt in or opt out, allowing to use the national ID, how that consent would be different from that particular model. How did you see that as differing?

MS. BRASE: I'm sorry, will you clarify that?

MR. STREIMER: Well, I was trying to take the example earlier about you supporting the fact that if a patient could indeed allow their health care information to be made available at their choice. But also, with Dr. Lumpkin's model, I think he was saying that a patient could come in and could say, yes, please assign the national health care identifier to my patient information, or please do not, use your own separate individual number. You did not support that particular concept.

I am trying in my mind to reconcile those two different models and why they would be different.

MS. BRASE: I would say that we would support the consenting or opting in. I believe what I heard him say was opting out. If you opt into research or you opt into a unique patient identifier, that is the choice, that is the free choice that you have. The question is, do you really want to start up a system and then have half the population never opt in? Then you have -- I don't know that you have anything different than what you have now.

DR. BRAITHWAITE: I'm sorry your other person on the panel didn't come, so you get the brunt of all the questions, I'm afraid, the curiosity of the committee here.

Today when you go into a provider, in order to accurately identify you as an individual for all kinds of purposes, like sending out for lab tests and all the exchange of information with specialists and everything that goes on, making sure that you get the right blood transfusion as opposed to somebody else, everyone in the health care system identifies you one way or another, usually by collecting a lot of personal information, like your name and your maiden name and your mother's maiden name and your address and your phone number and your social security number, and a bunch of other stuff. This accumulation of demographic information about you becomes your identifier.

That gets passed around with each piece of information that is built up about you, like when a lab test comes in that has to have a bunch of stuff about you in order to identify you, so that it can be accumulated with the rest, so that appropriate medical decisions can be made about you.

You are proposing to not allow that to be summarized into an identification number that has built into it some cross checks and so on, to make sure the information actually belongs to you, and not to somebody else by accident. It seems to me at least that the current system of passing around a bunch of personal information about you in the system is a lot less private than getting a lab test reported with a number that can't be easily associated with an individual.

Can you talk a little bit about that, and help resolve that seeming conflict?

MS. BRASE: Well, one thing I would say is, you mentioned about the identifier and making sure that you get the health care that you need, and errors aren't made and that sort of thing. Being a nurse and working in the ER or having worked in the ER, you can never trust a number to identify the patient, especially in times of crisis or emergency. You have got to ask people next to the patient or the patient themselves if they are really who they say they are.

I'll just throw this in as a personal anecdote. In some surgery that I had as an individual, where I told the anesthesiologist, the physician and the nurse anesthetist about medication that I was allergic to. Thank God I'm a nurse, because as she was going to put the antibiotic in my IV, I asked her what it was, and I'll tell you -- I know you will know, but I'm allergic to Suprex. It is a cephalosporin, but I just said Suprex. She said, oh, it's Anisef. I said, isn't that a cephalosporin? She said, yes. I said, well, I'm allergic to Suprex and she said, what is that?

So you can pass a lot of information around, but the fact is that having one unique patient identifier doesn't guarantee any errors. They all knew who I was, and they were making errors even though I gave them information time after time.

So I don't necessarily believe that having one unique identifier is going to keep errors from happening. As a professional, you need to be able to identify the person right then and there before you do something to them. You need their name attached.

What we are asking for is the possibility of a more decentralized, rather than centralized, system, and where the information is at more of a local level, because privacy will not be protected by having a single centralized number accessible to all sorts of people, even though it is encrypted. That is what we are asking for.

DR. LUMPKIN: Can I follow through on that? I have this vision of an information system in the emergency department that would be networked -- let's say I was at one of my favorite places that I work. It shall remain nameless, but its initials are University of Chicago. They have a network of hospitals that they work with, in an outpatient network scattered throughout the city, and someone could be seen at one location for some minor problems, and they give a history of allergy to Suprex.

The information system because it has embedded intelligence would say, ah ha, cephalosporin, let's flag any order that is given for this patient for cephalosporin. They go into the central hospital, having never been there before. They are unambiguously identified as being that person whose medical record is now scattered in three or four or five scattered locations within the same health system. They sign a consent to have that information shared. They go into surgery, and before they even get to the point of bringing the bottle in, the system starts flashing, the bells go off, saying you can't give this person this antibiotic because they told somebody over here that they are allergic to this medicine, and our system will help you make this medical decision and not make the wrong decision.

That is all technologically possible. Is that a vision that makes you uncomfortable?

MS. BRASE: No, as long as you have the consent of the person.

DR. LUMPKIN: Consent. Consent is the issue.

MS. BRASE: Yes.

DR. LUMPKIN: Okay. Other questions?

DR. MC DONALD: Well, I think there is a separation I would like to make between having a number and having a national database, because I have heard no proposals to build a national database in any formal, official place. I can't even imagine how it would be done. I don't know that it would be good, for many of the reasons you just described.

But I see people standing in the ER and it takes 20 minutes to register them. I think it would be nice to have some kind of number, that they wouldn't have to re-register and be so slow each time. I think there would be all kind of advantages within communities with institutions to have a community number or some number which is easy to hang onto, which is separate I think from the access to the data.

At least, I would like you to ponder how much of your -- is it because of the data connections -- because you actually said in terms of your proposal, you would oppose any linking system. So that was one of the points under E.

But the question is, is it the data you oppose or the number system, or possibly the number system to get to the data?

MS. BRASE: I would say both.

DR. MC DONALD: Why the number system if it wasn't going to get to the data?

MS. BRASE: Because the creation of a number mandates a tagging of an individual regardless.

DR. MC DONALD: But we have done that already.

MS. BRASE: One single number. One single number.

DR. MC DONALD: I understand, but you used a lot of very emotional words in your statement, from numbers to freedom to liberty, if I remember. These are the sort of things we can all get behind and charge, because no one wants to lose all that.

But we have had since what, '32, a social security number which you now have to have within a year of when you're born. Should we repeal that?

MS. BRASE: The social security number was promised that it would not be an identifier. Interestingly, about 10 years or so ago, the fact that it would not be an identifier was removed from the actual security card itself, which used to say that it should never be used as an identifier.

I do think it is a mistake of the federal government to move more and more programs -- or mandate that it be used for more programs and more areas. So --

DR. MC DONALD: But you described some fairly horrendous -- I just have one last point.

DR. LUMPKIN: Yes, but I think she has been fairly clear. Just in the hope of trying not to put too much pressure on our witnesses, maybe if you could frame your question a little bit clearer, give her a chance to respond before jumping into the next question.

DR. MC DONALD: Would you propose repealing it then now that has become an identifier?

MS. BRASE: The social security number? That has never been something that our organization has considered.

DR. LUMPKIN: Any other questions? I do have one other question. Are you familiar with Medalert?

MS. BRASE: No.

DR. LUMPKIN: The --

MS. BRASE: Oh, the bracelet?

DR. LUMPKIN: The little bracelets?

MS. BRASE: Yes.

DR. LUMPKIN: Is that a -- which obviously it is not a mandatory system, it is a system that -- for those that are not familiar with it, it is a repository of medical information for people who want somebody to know if they are in an emergency. Is that a model that works for you?

MS. BRASE: Because they consent to it, yes.

DR. LUMPKIN: Well, it is more than consent. You have to apply to it. My follow-up question is, one of the difficulties of that kind of system is, it is not readily accessible to the American public, just because it is a private entity, it is not well known, there is a cost associated with it. Would you feel comfortable with government assuming that on a larger scale, that role, for those who choose to want to have their medical information readily available in the event of an emergency?

MS. BRASE: If people were willing to have that information known by whatever entity controls it, it is their choice. So if the government would -- if people knew that the government ran Medalert, and they were willing to apply and give consent to that information being known, then it is their choice to do that.

DR. LUMPKIN: Thank you very much.

MS. BRASE: Thank you.

DR. LUMPKIN: Is Dennis Bush here? No. It has been suggested this would be a great time for a break. Is Daryl Evans here? Okay, what we're going to do is, we're going to break for about 15 minutes, and then we'll start with Daryl Evans and hopefully we will hear a presentation and maybe questions. Solomon will be here, and we may do it as a two-part panel. We'll do you first and then do Solomon, depending on the time frames. But we're going to take a 15-minute break now.

(Brief recess.)

DR. LUMPKIN: Let's get started. We will start off with the panel -- I have asked you to introduce yourselves.

Panel 3b: Assuming an identifier must be chosen, what is the best identifier to use?

MR. APPAVU: I am Solomon Appavu. I am with the Cook County Bureau of Health Services.

MR. EVANS: I'm Daryl Evans. I'm with Government Employee Hospital Association.

DR. LUMPKIN: Thank you. Solomon?

MR. APPAVU: It is a pleasure to give testimony before this committee. I already did a report, an analysis of the unique patient identifier.

I have been working in this area for quite some time. Since '92 I served as the co-chair of the CPRI work group on unique health identifier and produced a report in '95. I also helped prepare the inventory of standards by ANSI, that followed the task force that prepared the inventory of standards, and particularly I was responsible for the section relating to identifiers.

I co-chair the ad hoc committee on unique individual identifier under Ramsey Hess, and last year I prepared the analysis of unique patient identifier options for this committee.

This year, I also worked with the ASTM, CPRI and created common requirements, together with Dr. Barry Hipp.

My testimony today will be based on my experience, my work that I have done so far, the reports and the analysis.

A couple of words about my report. Listening to the testimony that was given yesterday, there are a lot of issues that were raised. My report and my work seems to be very relevant to those issues. So I want to spend a couple of minutes talking about my report. It was an objective analysis of the available options for use in health care, unique patient identifier options that are available for use in health care.

I started with a study plan, and the study plan called for the examination of industry requirements. It also called for the creation of evaluation criteria to analyze the different options, and it called for the interview of the various proponents, analysis of various information that are available, both for and against, the advantages and disadvantages, strengths and weaknesses. So it called for all those things, and we went through that.

In essence, it was a two-step process. The analysis was a two-step process: a careful examination of the industry requirement, the industry as a whole, analysis of its need, and then an objective analysis of the available options. So it is a two-step process.

I used four level evaluation criteria, four sets of evaluation criteria, four different levels: a conceptual level, an operational level, a component level and functional level.

At the conceptual level, I used the ASTM conceptual characteristics, 30 characteristics. At the operational level, I used characteristics that I created, five of them, and identified six components that are part of an identifier. I also came up with 11 basic functions that a unique patient identifier really must fulfill.

I want to draw your attention to the language of the HIPAA legislation. It calls not only for the adoption of standards that provide a unique patient identifier for an individual, but also to specify the uses, the purposes and use of the identifier.

That is basically the fourth criteria, the fourth level of analysis, basic functions. It is very important to recognize this: if you don't recognize the use of the identifier, the scope, the purpose and use of the identifier, the need for the identifier becomes meaningless. So I thought it was very important to recognize the use of the identifier.

The 11 functions that an identifier is supposed to perform: identification of an individual for the purpose of delivery of care and for the purpose of administrative function. It is very clear when we say delivery of care, administrative function refers to reimbursement, registration and so forth.

Identification of information. There are four functions that a unique patient identifier needs to fulfill, which is coordination of multidisciplinary care process, medical record keeping, information management. When we talked about the use of the identifier, we tend to focus on linkages after the fact, linking information, accessing information. But generating the information, documentation of observation requires an identifier.

Health care by nature is a multidisciplinary process. You need to be able to communicate among the multidisciplinary professionals, whether it is a laboratory order, processing orders, communicating back the results, whether it is a radiology exam. The professional, the practitioners, today are using this identifier.

It is being used by a medical record department, one of the largest departments within the organization. They use the identifier to assemble, analyze and code and abstract and all kinds of different things; they are depending upon that for information management, whether it is record keeping or information being used. Then it is used for linkage of information from previous episodes among multiple organizations and so forth. Also, it is used for aggregation of information for population-based research and so forth.

It also needs to support the privacy, confidentiality and security functions. It needs to support it. It does not provide directly (words lost) but it needs to support the four functions that are listed in your handout.

Finally, it needs to improve efficiency in the health status of the nation, health status of the population. Otherwise we don't need to use an identifier if it is not going to give us any benefit.

So it is very important that we recognize this is the context. This is the need that we are trying to fulfill.

A couple of definitions are in order. What do we mean by identifier, what do we mean by identity and what do we mean by identification?

Identity is a set of personal characteristics by which an individual can be identified, Like my name, my address, my picture, my sex, my address and so forth. My personal characteristics forms my identity.

Identifier is merely a label, maybe an electronic placeholder that is used to link my identity. So it is basically a label, flag or placeholder with a value assigned to represent my personal characteristics as an individual.

Identification is the process of linking the identity with the identifier. It is clearly the association between the identifier and my identity.

What do we want to protect -- when we talk about protecting privacy and confidentiality, what do we want to protect? It is basically the identity. You want to protect my identity, my name, my sex, my age and whatnot, you want to protect that, not the identifier so much, relatively. It is also the identification process, the association. How do you associate my identity with the identifier? You want to protect that. So those are the two things that you want to protect when you want to protect the privacy and confidentiality of an individual, the identity and the identification process.

So what is a unique patient identifier made up of? It is made up of identifier, identification information, index that link the identifier to the identification information which is my identity, and a security protection, technology infrastructure and administrative infrastructure.

As I mentioned before, an identifier is just a flag. You can use any scheme, identifier numbering scheme. It could be a numeric value, it could be a sequential number, it could be random, it could be check digit, it can be alpha, numeric, it can be encrypted with different methods, and it could even be my biometrics.

The identification information is very important, because that is my identity, that is what you want to protect. What does it include? A permanent data segment. By that, I mean data that is unchangeable, my date of birth, my sex and so forth, the mother's maiden name.

Then longitudinal data segment. What do I mean by that? The data that you acquire, the personal characteristics that you create over a period of time, your spouse, your address, employment and so forth.

Then health services segment. That refers to the encounters, in essence the location of my health record, the encounter information. Today hospitals have MPIs and they do contain encounter information. Then you need an index that links the identification information with the identifier.

You need a security protection. It is a very important thing. We talked about it quite a bit yesterday; in the testimony we heard a lot of things about it. I indicated what needs to be protected and how does a unique patient identifier help that process.

You need to have a design that supports, that promotes the security. You really need to have the identifier perform only the identification function. Identifiers should only identify the individual and the individual's information, and should not provide access to the information. That is the function of a separate process, which is access control. So you want to design an identification system where you have -- the function of the identifier is only to identify the information on the individual, and you have a separate function which is access control, which gives access to that information. Before giving access, it should check the authentication, the authorization, keep an audit trail and maintain accountability and so forth. So you have an access control separate from identification.

The identifier itself should be content free. It should be capable of encryption, it should be capable of masking itself.

You need to have organizational measures to assure the security of the identification process. We need to use secure technology, whether it is an operating system or software or hardware. Whatever we used, we need to have secure systems, secure technology.

You can train the individuals to be responsible, and you can take organizational measures, but you also need on a national level federal legislation. Such legislation should not only stipulate penalty and make it illegal to misuse the information, but also mandate these processes, these security measures. Like, you should have access control, you should have authentication, you should have audit trails and accountability and so forth. The legislation should mandate that also; that is the preventive step you want to take.

Then you need a technology infrastructure. This is the fourth component -- actually, fifth component. The job of the technology infrastructure is to actually link -- using the technology, link the identifier to the identity and also provide access to the patient information.

We heard yesterday from (word lost) HL7 mediation. Those are the person's (word lost). Those are validation, software for searching, matching, verification, validation. Those tools provide this component, they make up this component in my view. You need technology to encrypt and decrypt identifiers as well as patient care information.

Administrative infrastructure. This is necessary to assure the integrity of the issue and maintenance of the unique patient identifier.

When I think about all the six components, the identifier, the identity, the identification index and administrative infrastructure and technology infrastructure, these are not something new. We have these processes in place in provider organizations, in health care organizations and user organizations. The industry has these components in place already. If you go to the hospital, an organization like mine, Cook County Hospital, we have a technology infrastructure in place to link the identity with the identifier. We have administrative infrastructure in place, a medical record department, for example, is the custodian of the information, custodian of the record. These health information management professionals form the infrastructure to maintain the integrity of the information, maintain the security of the information, maintain the identifier itself.

So we have infrastructure in place, this is not something new. We need to leverage from what we have. In the same area, the technology infrastructure, we have infrastructure in place. The HIS vendors provide solution in that area, and basically the government have patient identification service, HL7, mediation or examples of that. We do need to step up, though.

I was responsible for converting Cook County Hospital from manual operation into a computerized operation back in 1988 when the complaint that was that there were a lot of islands of information with no way to connect them. Then a lot of solutions showed up, like the interface engine, the interoperable standards and so forth. But when I computerized it, I realized we need to change the way that we work. We cannot overlay the information on top of what we are doing today. We need to change ourselves.

What we have today is non-unique, institution specific identifiers in the nation. We want to link them together. The technology is available, like the (word lost) or HL7 or so many other things that are available today. But we need to change ourselves, too, and that is coming up with a unique patient identifier which is pretty much long overdue, in my opinion.

So these six components are very important. These components actually work together as a whole system. If you take each one of these components and talk about it, it is very difficult to understand them. We engage in the debate about what numbering system we should use, whether it should be SSN, ESSN or some other numbering system. Outside the context of this whole system, the patient identification system, these components which work together, which function together as a system, if you take that out of context and try to analyze the security protection, how are we going to secure the identifier, how are we going to secure patient data? It is going to be really difficult to comprehend that. It works as a system, it works as a whole, so we need to see that from that perspective. That will reduce a lot of the complexity that we see.

I'll go back to the operational characteristics. I talked about the functional characteristics. In the functional ones I talked about the component requirements. Operational characteristics, there are about five of them I created to analyze the options. Whether they are currently operational or whether the technology is ready depends upon the future technology, whether it can be implemented in a timely manner, whether it has adequate identification information.

Again, the identification information is something that keeps changing. My identity will change, the longitudinal will change, my address will change, my encounter information will change. Somebody needs to keep on updating that. That is part of the existing infrastructure, the different segments of the industry, the HIM professionals, the HIS professionals and so forth.

At the top level, I used the 30 ASTM characteristics to analyze the identifier concept. ASTM calls them conceptual characteristics. I did an analysis at an operational level and a component level and a conceptual level and at a functional level.

Basically, the options that are available when I did the analysis were about 14, if I include the manual operation and the existing medical record member. Six of them were a unique patient identifier; you have them in front of you. It should read as ESSN rather than SSN. ESSN was proposed by CPRI. Sample HID was proposed by Dr. Bailey. Each one of those things are proposed by individuals from different organizations.

Non-unique patient identifiers are existing, medical record number and medical record number with a provider prefix, which was proposed by Peter (word lost) from Medical Record Institute. They also analyzed the cryptography based identifier. The ultimate, you heard about them yesterday, HL7. Directory service is similar to them. Family health outcome product is using a code data element as an identifier, a computer identifier, a manual process.

The result of my analysis is documented, and it is in the web page, the Health and Human Services web page, and the address is at the end. But the summary of my findings, I want to spend a couple of minutes talking about that.

The patient identifier is an integral part of patient care and patient care information. It is part of patient care. When you provide care, it is a necessary piece. For example, JCHO mandates the provider organizations to do a positive identification of patients when you are doing invasive procedures, when you are transfusing blood and so forth. So it is part of the patient care process. It is also part of patient care information. The identifier is not different from patient care information. If you have legislation for policies and procedures to protect the patient care information, patient ID is part of that. It is patient care information.

Privacy, confidentiality and security do not preclude the use of unique patient identifier. On the contrary, identifiers protect them. When you are ordering a lab test or when you are ordering a radiology exam, you don't need to use the patient's name, sex, address and everything to communicate. You can use the identifier. That way, you mask the identity of the individual. The lab tech or radiology tech doesn't need to know the identity of the individual. So identifiers do protect the privacy and confidentiality.

Also, when you standardize the process and when you use the identifier to access information, it is a focused process. You can strengthen that access process. If you start using names, if you start using different identification methods, then it is open. You cannot protect, you cannot strengthen the access -- you cannot have access control. But when you use a standard identifier, you standardize the access method also, so you do strengthen the security of the information.

Security really depends on judicious design, as I mentioned before. It depends on the design of the identifier. It does not depend -- design of the identifier as a whole, the six components. Identifier is (word lost) the other five components, give the functionality to the identifier. So that is what you want to strengthen.

Function of the identifier should be only to identify and not to provide access, and the access should be provided by access control. It is an individual response. In spite of all this, things can go wrong. It is an individual response of the organization. Measures can help, federal legislation can help, but still, if somebody wants to break into the system, they could do that.

Again, the critical functions are independent of the identifier scheme. So we focus too much on the identifier scheme, but the functions of the identifier are pretty much independent of that.

The check digit -- an important finding was the check digit, encryption and the longevity capabilities can be added to any of these options that I looked at. Encryption can be added to any one of the unique patient identifier options. Check digit can be added to any numeric membering scheme.

So my finding at the very end was to really come up with an identifier. The best identifier is an identifier that is simple to use, simple to be used by both humans and computers.

I was not charged with the responsibility to recommend an identifier, but this is my conclusion. If you want an identifier, you want a simple -- simple enough human beings can use, remember and carry with them.

In the interest of time, I don't want to go through a lot of this information. The difference between existing options and new identifiers. The existing options such as enhanced social security number require enhancements; that needs to be done. The new proposal such as the ATSM sample HID or any one of the proposals would need a lot of development. You would need to develop the infrastructure that are not in place now. You need to bring them into place.

So the available course of action is either accept an existing option or go with a new option. That is the course of action that is available to us.

My recommendation to this committee is to build on existing infrastructure. What do I mean by that? As I mentioned before, it is the segments of the industry that is already there, like the health information management professional or the health care information system, the providers, the users of the identifiers. You need to build on that.

You need to build on the standards and policies and procedures that are already there. You need to add the federal legislation and the component the federal government will bring in. Cost will be distributed over existing process and infrastructure, or utilized.

Finally, talking about the ID cards. That was discussed yesterday, what kind of ID card should be used. In my hospital, we are just using an embossed card. When we need to positively identify a patient, we ask them to produce a picture ID. We are all used to that. When we need to cash a check, we need to give the driver's license or a state ID or an employee ID or a student ID or whatever. So when we need a positive identification, we can always use the existing methods.

Enhancement to the existing system, as I mentioned before, is long overdue. It is not a needed change, it is just evolving to a new system. When I implemented the HBO system in my hospital in '88, it was version 7.0. Now we are in the 15.3 version. We kept updating our systems. I think we also need to update our patient identification system. It is long overdue.

That concludes my testimony. Thanks for your attention.

DR. FRAWLEY: Thanks, Solomon. Mr. Evans, would you like to present your testimony, and then we'll take questions?

MR. EVANS: My name is Daryl Evans. I am a senior systems analyst for the Government Employees Hospital Association. My background is administration of justice. I have been in the insurance industry on the payor side for 14 years. I have been in the systems end of the world for about eight.

The best way to conceptualize me is, I am a data guy. I have been working on EDI transaction sets for the last five to six years. We have gone from zero EDI to approximately 35 to 40 percent of our claims incoming EDI. In two years, that's about two and a half million.

My concerns here, my reason for -- besides the invitation, was, we already have an identifier. It is already unique to individuals. It just has some flaws. It is already deployed. It is already in place. It is already in use in the private sector.

To respond to the questions that I was asked to, the ideal characteristics of the identifier are the social security number. It is already deployed, it is already in use. If you want to pick another one, re-invent the wheel, you are welcome to do so, and the structure and length is of no consequence, as long as you can tell us what it will be so that we can upgrade our systems to be able to store it, or if it is something that is just going to be cross referenced to the current keys, -- patient identifiers in my world are called keys. That is how we get to the patient. That is how our systems work. That is how I am envisioning what you are going to do on the health care delivery side in order to help patient care by being able to disseminate all the information on a patient at point of service in the ER. You are going to use this number, whatever it will be, as a key.

Now, your system will have to have the security that is going to be mandated. That is obvious. It would be to beg the question if you were going to say otherwise. But I'm going to move off of these questions and move onto -- there were some questions for submitters that are not bulleted.

One of them was based on your experience, what identifiers for individuals are used currently. Besides the social security number, let's face it, personal immutable properties, demographics and name are used today as a secondary check to social security number. If it happens to be keyed wrong, either by the transmitter of the data, or if it is a hard copy claim, by the person who is inputting it or quote-quote, logging it, getting it into a system. That is a secondary check. So that is already in use.

If you wanted to look at the specifics that were in the white paper, the ESSN, it would be nice to have a check digit. One of the questions was, who should bear the cost or the expense of the unique patient identifier. Well, that is also obvious. We as taxpayers will if the federal government mandates it. We as consumers will if the private sector does it. So we are all going to pay for it.

So I would encourage whatever system is chosen, if a system is chosen, that you make it the most efficient, least expensive possible and still protect patient confidentiality.

For that reason, you could say we need to look at CHID. Well, as a data person, if I was working with my LAN department, calculating a billion and cross referencing, creating a database, one or two of my guys think that would be a cool project to burn in a couple of mother boards and a new server over a weekend. Some kid somewhere is going to do that, just for grins. Then some other kid is going to say, hey, I know how you can make some money with that. They are going to be so young, they are not going to know the repercussions of what they are doing. That is one of my fears on CHID.

The ASTM UHID, using the social security number or office to administer it, that is one of the hybrid proposals. It is probably a very good idea if you're going to rely on the identifier to protect the confidentiality of the patient. I don't think the identifier itself will do that.

The biometric, retinal scans, fingerprints, that's interesting theory, but that is not available at point of service, nor is it something useful to the payor side. We are not going to be able to store all the fingerprints of eery member of our association or the retinal scans.

Civil registration, MPI, PIDS, HL7, those are -- I'm sorry, let me get off civil registration. MPI, PIDS, HL7, I think those types of numbering schemes and/or the UHID recommended by ASTM under those guidelines, administered by Social Security Administration, that might be a great way to separate the identifier from the data. If in the transaction sets that we are supposed to use by HIPAA, and I'm talking about the 837, the 835, the 834, the 270, the 271, the 276, the 277, the 278 and the 148, if we do not have to pass this data, this unique data for an individual that is your key in the health delivery system, with that data that is only used for remuneration, we just want to be able to pay for the services that these patients have received, we really have no business with that unique number. We don't need the key to give every medical note that was written about them by a practitioner, or that was used to get lab samples. That really should not be in the public domain, or even in a somewhat protected private payor domain. That is my opinion. We have no use for it.

If we need to get, for reasons of suspected fraud, additional information to make payment decisions, there should be secure channels where that data is specifically requested and only if the patient gives their consent. The old-time authorizations to release information from my claims processing days. If that doesn't exist, this data should not be available, in my opinion.

Back to some of the other questions. I'm sorry I don't have a handout, but if I did, I would have had to judiciously shred it after listening to the testimony yesterday.

Of the five criteria that in my opinion should be given the most weight in evaluating candidate identifiers, it should be controllable. Only the trusted authorities have access to linkages between encrypted and non-encrypted identifiers, if we are not going to use the public domain social security number.

Dis-identifiable. Again, if you are going to have an identifier that you no longer need a patient's -- and I'm talking on the payor's side perspective here. If I no longer need the patient's name and some of the other demographic data because this number is so reliable, then we need to change the standard, so that that data element is not passed in conjunction with the number or the identifier.

I don't think in my opinion my industry is going to be comfortable with that. There is too much manual intervention that is going to have to continue, at least in the foreseeable future. If you come up with a -- I'll move on.

Governed linkable, I guess for the benefit of folks that haven't seen the white paper, I should read what governed would mean. It has an entity responsible for overseeing the system, determines the policies, manages trusted authorities and insures proper and effective support for health care, and I would add to that, has appropriate legal remedies for those who do not -- or misuse the number. Again, I would support those who previously testified that we are looking forward to the confidentiality and security standards.

Linkable, can link health records together in both automated and manual systems. I know that our charge, at least mine has been, is to get us as electronic as possible. I don't think we will ever completely get there, at least not in the foreseeable future, which I would say the next five to 10 years. So whatever numbering scheme that may come out of this, again, it needs to be something that even a data entry clerk can enter.

If you come up with a 29-digit character string, you are going to have so many typographical errors on entering manual claims, that they would have to cross reference to another key in order to get it in the system. That is my opinion. The more keystrokes I have to do, the more room for error. My system is not going to have a database to check with these check digits in the foreseeable future, if I was ever given privy to that.

Secure, can encrypt and decrypt securely. I hope that when the privacy and confidentiality legislation as it relates to HIPAA comes out, that if there is any use of the Internet whatsoever, that encryption and decryption be mandated by law. We all know that it is a somewhat open environment out there, but again, these youngsters that I mentioned -- we calculate those numbers potentially, also do a lot of surfing.

Let's face it, they can do things we can't yet. We haven't got there. They are already there, and they are doing it. The Department of Defense won't let you do much on the Internet.

Question number 13: Are there other important criteria to be considered? I would reiterate my contention that we as in the payor environment already have the data that we need on electronic claims to identify the patient, and oftentimes autoadjudicate the claim, which is the goal for electronic claims, is for some portion of these claims to pass through our systems, generate checks without being handled by a person, and to deliver ERA, electronic remittance advices, and at some point in time, EFT, electronic fund transfers.

So if we have a unique number that is specifically designed for the health care delivery system, that is also used as a key, ion my opinion it would not be necessary unless mandated to be in the transactions, to be passed simply for financial transactions, because in the 835 and potentially the EFT, now it is no longer within my control as a payor. It is going through a financial institution or it is being split whether you are using CCT or CCTX technology to do your 835 and your electronic fund transfer, and some of that information is going around the financial institution, but it is going through somebody else's servers.

I know we have a lot of legislation coming up to protect us. But let's face it, I'm a data guy, and that scares me. These folks are not the health care delivery system at all. They are working for profit.

That goes to question 16, what uses should be approved for the health identifier for individuals. In my opinion, if we are going to come up with a unique identifier, we will reiterate it again: If you can somehow through legislation or by design keep it within the provider, delivery service and out of the payors and the public domain, that would probably be the most secure thing you could do.

Question number 25 is, what kind of computer and communications infrastructure would be required to support such an identifier system? I don't know, but the bottom question, would he computer network to support the system's function need to provide nationwide access 24 hours a day, seven days a week, that answer I would think, if you are going to use it for the dissemination of patient information in order to increase care, it would be yes.

Your typical example of the ER at 2 o'clock in the morning, the system is down, they are running batch. You can't get access to this person's medical records from previous visit when they come in. If you are going to have a delivery system -- I'm talking information network here of some sort, even if it is within small communities, then I would think that you would want that to also be a part of this design.

Question number 30: What are the implications of implementing the electronic transaction standards without a standard identifier for individuals? We have been doing that for many years.

I think I'll conclude there.

DR. FRAWLEY: Thank you, Mr. Evans. We are going to open it up to questions right now. Kathleen?

DR. FYFFE: Yes, thank you, Daryl. The agenda we have says that you are with the Government Employees Hospital Association?

MR. EVANS: Yes.

DR. FYFFE: What is that? I'm not familiar with that association

MR. EVANS: We are a federal contractor in the FIBA program. We were one of the original FIBA participants. In fact, the original 1960 Medicare Part B benefits were patterned after our plan.

DR. FYFFE: So you all are a plan. You are not -- well, --

MR. EVANS: We are a not-for-profit corporation.

DR. FYFFE: But you are a plan. When I see this name, I was thinking, DoD, VA -- you know?

MR. EVANS: No.

DR. FYFFE: Okay. Thank you.

DR. FRAWLEY: Bob?

DR. GELLMAN: Solomon, I'm sorry I missed part of your presentation, but I have seen your report. I have to tell you, I find it to be seriously flawed, and I think that you have completely failed to understand the privacy issue, and I want to talk about this.

I have a summary of this report that is 41 pages long. On page 20 of the summary, the report says -- and I quote, "Privacy in the health care context amounts to the freedom and ability to share an individual's personal and health information in confidence."

It seems to me that that is exactly the opposite definition of what privacy is. Privacy is not the ability to share information, privacy is the ability to keep information secret. Would you like to comment?

MR. APPAVU: For health care purpose, you have to share your health care information with a provider in order to receive service. You want to be able to share that information without the fear of being misused. That is what I meant by that.

DR. GELLMAN: Well, I think it is completely unclear. Let me ask you another question. Do you know what fair information practices are?

MR. APPAVU: I heard, yes.

DR. GELLMAN: Well, fair information practices are not mentioned in your report anywhere. Fair information practices are the most important concept in privacy anywhere in the world. They are principles that describe how personal information is collected, maintained, used and disclosed, and they form the basis for every information privacy law basically anywhere in the world today. It is the key issue in privacy.

There is a debate going on in Washington about self regulation, not in the health care context but in other contexts. Everybody is talking about fair information practices. Industries are putting forth a code. I don't find the concept in your report, and I think that is a serious mistake.

MR. APPAVU: I was focusing on health care processes, information that are required for providing health care. I wasn't looking at the Fair Information Practice Act.

DR. GELLMAN: Fair information practice is applied to every kind of record, no matter what they are.

MR. APPAVU: I understand that.

DR. GELLMAN: The report lists some points in favor of the social security number. Two of them are, the social security number is a de facto linkage, and two, it already has broad distribution and widespread use. It seems to me that those are exactly the reasons not to adopt the social security number, and those aren't reasons in favor of using the social security number. Do you care to comment?

MR. APPAVU: I simply stated the fact that as you correctly observe, it is used as a de facto standard. I recognized that in my report, and it is used as a linkage. So that is basically what I have done there.

There is a strength for those purposes. If you want an easy implementation, you can go for it. You may not want that. But I just listed them as advantages for those specific purposes, for linkages and for easy implementation.

DR. GELLMAN: Well, I don't disagree with your analysis, with the statements, but identifying those as reasons in favor of the social security number seems to me to be backward.

On page 38, the report lists six steps that must be taken in order to fully and effectively address the privacy requirements. I'm not going to read them. The report says right afterwards, "The critical need of the industry such as the unique patient identifier cannot be sacrificed due to the failure to adequately address the necessary privacy safeguards and subject the patient care to unnecessary risks."

This says, the heck with privacy, let's go right ahead and have an identifier. We don't have to deal with privacy. Here are things that ought to be done for privacy, let's have an identifier anyway.

MR. APPAVU: It highlights the importance of not failing to do that. It is a way of expression, and it means that health care is more important. Therefore, you need to secure the privacy and confidentiality protection. It does not mean those are unimportant. It just means, in spite of that you do want to provide care to patients.

DR. GELLMAN: Well, I appreciate your response, but I have to tell you that I really find the report to be seriously flawed. I don't think it addresses privacy in any fair or adequate way, and I think that it shows a bias in this area that privacy is not important, and I find it very difficult to find this report to be useful at all.

Thank you.

MR. EVANS: Can I ask the committee a question?

DR. FRAWLEY: Sure.

MR. EVANS: This is facetious. If the federal government did not mandate the sun to come up tomorrow, would it? That's my point with the social security number in practice.

DR. GELLMAN: Will you be more specific?

MR. EVANS: Just like Solomon's point that it is the de facto identifier, my point is, it is already the identifier. Now, we may be coming up with another one, but it is already there, it is already in place. It is the common one across the industry, at least on the payor side.

DR. GELLMAN: It is common well beyond the industry, and it is mandated for use by law in lots of other areas. That doesn't necessarily mean it is a good thing, it doesn't necessarily mean it is something that the American public is willing to accept, and it doesn't mean it is something that can't be changed.

There are a lot of bills before the Congress right now that are seeking to limit the use of social security numbers in a lot of different contexts. I seriously doubt that any of them are going to pass, but you didn't find bills like this before the Congress three and four years ago.

If you look at some of the things that have happened in the last three and four years with respect to social security numbers, there was an incident about two years ago involving a service called PTRACK. This is an Internet service. People found out on the Net that social security numbers were basically available from a lookup company. There was a firestorm on the Net of objections to this, and it spilled immediately over into the general press. It was on the evening news. Two days later, there were bills introduced in the Congress to prohibit this kind of activity, and the industry responded with some seriously inadequate standards for privacy. But they stopped the ready dissemination of social security numbers.

Last year, the Social Security Administration put a web page up that enabled people with the use of their social security number and a few other items of information to get their social security account information. Someone wrote a story that said this was insecure and people could use this because of the ready availability of social security numbers. This was an even bigger firestorm, and two days later the Social Security Administration shut down the service and there were the usual slew of bills on Capitol Hill following up and press releases and all that sort of garbage.

There is a strong concern out there among segments at least of the American public about the ready availability and the misuse of social security numbers. So yes, this is going on. But there is a change going on also in public acceptance of this. How far this is going to go, I can't tell you. But things are different than they were five years ago. Things are different than they were two years ago, I think.

I suspect that -- and you already saw what has happened in the press. We've got a sleepy little advisory committee holding hearings outside of Washington. Look at what happened in the newspapers and on TV in the last day. This is an issue that resonates with people.

So yes, there are lots of things that are already in place, but there are a lot of changes as well.

MR. APPAVU: If I may, I want to clarify, for those who are looking on the Internet as well as -- I did not recommend any identifier. What I did in my report was made observations of the facts relating to each option, including social security number. I did list its strength, I listed its weaknesses equally. So I did not endorse -- that was not my job, and I did not recommend any options in my report.

DR. FRAWLEY: Clem?

DR. MC DONALD: I wonder if we have data about what other industrialized countries do regarding patient identifiers. Are there many that have them, and what kind of problems have they had with them if they have?

DR. GELLMAN: I can offer a little bit of information. It is really hard to compare the U.S. with other countries, because most other countries have some kind of centralized health service. So the Canadians and lots of countries in Europe -- they're also smaller populations.

So I'm not saying the experiences abroad aren't relevant, because I think they are. But you also find that in Canada, one of the numbers in use in Canada is the SIN number. It is the social insurance number. They found exactly what is going on in Canada is what has happened here with the social security number. It was only to be used for health purposes, and all of a sudden you turned around and it is being used for lots of other purposes, because everybody wants a better identifier, and everybody is looking for clearer ways to identify who people are.

You weren't here yesterday, but I expressed a concern that a patient identifier would become a national identifier for all purposes a couple of years after it got adopted, simply because of these pressures that had led to the expansion of social security numbers.

In any event, it may be useful to get some kind of information about other countries for this process, but it is only going to help up to a point.

DR. COHN: I was curious if Solomon had any comments in response to your question about the international situation. Is that something you are knowledgeable about?

MR. APPAVU: Could you repeat it? I'm sorry.

DR. COHN: Clem had addressed a question about the status of international activities around unique patient identifiers. Obviously, Mr. Gellman had responded. I was curious if you had any comments or input about that specifically.

MR. APPAVU: In my report, I did not address that, and I did not do any work in looking at what international communities do with regard to this.

DR. MC DONALD: There are some. I know Canada and England, I think Germany, most of the Scandinavian countries, and some of these are quite old, 20 and 30 years. I just think that it would be worthwhile understanding what kind of problems they have had.

We hear some dire predictions, and in some of these we should be able to confirm or find solutions to.

DR. COHN: One other difference I might point out between us and all the members at least of the EU is, they all have comprehensive privacy legislation, and we don't have anything. So they do have a privacy infrastructure in place, including data protection offices and a whole slew of rules, and people have expressed concern, saying -- so has this committee, saying we shouldn't adopt an identifier until we have a law in place. They have a law in place.

DR. MC DONALD: One other question on the same line. The military services of the 17-some hospitals have used a unique -- within the military services -- identifier for many years, 20 years, 30 years, and that actually is a social security number, and what kind of problems have they had with that.

MR. APPAVU: Well, the military uses social security number, and so that's the VA. I had a conversation with the VA. I interviewed a pilot project behind done by VA in three locations within Florida.

VA in specific are moving ahead with issuing an identification card that contains social security number, the picture of the individual, the social security name being bar coded, put in magnetic strip and that is what they are implementing right now system wide in VA.

In Florida, in three locations, the VA is also piloting a sample UH ID, something called internal control number. It is not being used as a patient identifier. It is not issued to the patient. The patient does not carry that, or the providers do not use that. It is used for internal control number within computer systems to keep track of the database. It is being piloted.

But it looks like they are expanding its use by issuing this new identification card within VA. That is to the extent I gathered information.

DR. FRAWLEY: Michael?

DR. FITZMAURICE: I have a couple of questions for Mr. Daryl Evans. One or two of them I have asked before.

The first one is, the year 2K problem, is there any advantage to having HIPAA come along at the same time as the year 2K, or are you already well underway with the year 2K and HIPAA will just be an add-on after that? Is there any synergy there?

MR. EVANS: No, it is actually competing for resources. I think you will find that throughout the industry.

DR. FITZMAURICE: The next question. You acknowledged that the de facto standard is the social security number. Suppose the social security number were to be issued with a check digit. Would that cause you a lot of programming problems, a lot of field storage problems? Is it something that is a large magnitude or a small magnitude to handle?

MR. EVANS: Let me respond in general instead of specifically for my company. If it were used as a key, then yes, the systems would have to be redesigned to use that as a key. That would be very costly.

Another alternative which may be less beneficial from the security of the numbers standpoint is, there would be tables that would be read that would cross reference that number to the key used in the legacy system.

I suspect whatever comes out of the legislation for a unique health identifier for a patient, at least in the near term, that is how it is going to be accommodated. That number, whatever it is, will probably be tabled and cross referenced to whatever the old key was, so that business can continue.

DR. FITZMAURICE: Now, if the old key were the social security number and the new key is the social security number plus one check digit, does that still have the same kinds of problems?

MR. EVANS: Most systems, at least our system, has a very structured key, no filler in the key, so yes, it would take some reprogramming, and we would have to go to a software vendor.

I sit on an enhancement committee. I watch what is coming out of here very closely, so that I can say, hey, guys, gotta do this, it is coming, it is coming. They are still working on HIPAA. The same thing with the key, to change the key.

DR. FITZMAURICE: So it is about the same magnitude for a problem as if you had a brand new health identifier?

MR. EVANS: My only contention is, it may take longer to process, a 29 to 35 digit code. After you go through the algorithms to decrypt it so you can read it and/or uncompress it or whatever else you may have to do to it, it may take longer for the system to process it. How long, I don't know.

DR. FITZMAURICE: My last question, I believe you had mentioned in your testimony that there is no need to put the new identifying number on a lot of the clinical data. There is one possibility though. I am aware that sometimes, insurance companies want things to be attached to verify a diagnosis. It may be a lab test, it may be the whole record.