Search our
entire site
Enter your search
terms below, or visit
our search page

Search case
studies only
Enter your search
terms below:

For the table
of contents and
hyperlinks to
general topics
proceed to toc

UNIQUE PATIENT IDENTIFIER/UNIVERSAL IDENTIFIER PROPOSALS  

INTRODUCTION

On July 6, 1998, the Department of Health and Human Services (HHS) and the Health Care Financing Administration (HCFA) published a Notice of Intent to move forward on addressing the National Health Identifier for Individuals (NHII) (Also referred to as unique patient identifier or universal patient identifier). The NHII was among the identifiers included in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Since the Notice of Intent was published in July, no further action has been taken by HHS to issue a proposed rule for the identifier. Many in industry and in Congress questioned the appropriateness and timeliness of a unique identifier before the confidentiality provisions in the HIPAA legislation have been addressed. The National Committee on Vital and Health Statistics recommended to HHS that the unique identifier be considered only after confidentiality legislation has been passed in Congress. Congress stated in the Fiscal Year 1999 Omnibus Supplemental that HHS could not use any funds to continue their work on a unique identifier, which ensures that nothing will be done until Congress revisits this issue during the 106^th Congress.

The Notice of Intent serves as a vehicle to discuss and analyze the proposals that have been offered to date. The following summary of unique identifier proposals is based largely on the proposals provided in the Notice of Intent. In addition, an analysis of the identifier proposals incorporated into a document that was provided to HHS and prepared by Solomon Appavu was also referenced frequently in the comparison of identifiers. The unique identifier proposals have been placed in the following five categories: Unique Identifier Proposals Based on the Social Security Number (SSN); Identifiers Not Based on the SSN; Proposals That Do Not Require Universal Unique Identifiers; Hybrid Proposals; and Cryptography Methods That Are Not Identifiers. Below is a summary of the unique identifier proposals within those categories.

I. UNIQUE IDENTIFIER PROPOSALS BASED ON THE SSN

The Unenhanced SSN is commonly used in many institutions to identify individuals and is administered by the Social Security Administration (SSA). Its positive attributes include its availability to the public; minimal implementing cost; it is the current de facto identifier; and the government would bear the cost without having to create a new system. However, the unenhanced SSN’s negative attributes are that it does not include a check digit; not every individual is eligible or chooses to obtain a SSN; individuals may have more than one SSN or SSN’s may be erroneously used by more than one person; no legal requirement for non-Federal users to keep the number confidential or to limit its use; a mechanism for providers to verify its authenticity would need to be created; and the SSN is easy to counterfeit.

The Proposal of the Computer-Based Record Institute calls for legislation to fund and task the SSA to add a check digit to the SSN. An authentication algorithm would be used to establish the identity of the organization requesting a number. In addition, the proposal calls for federal preemptive legislation to provide confidentiality of health information. Positive aspects of the proposal include: the addition of a check digit to the SSN; the proposal’s privacy protections; and the existing infrastructure, trained staff, policies, procedures and guidelines in place. Negative aspects of the proposal include lack of details regarding the issuance process, such as time, effort and cost; it is unclear how proposed legislation could or should protect health information identified by the SSN from being linked with other information systems that already use the SSN as the basic identifier; the typical time required to obtain a SSN is measured in weeks rather than "minutes"; there is no provision for the use of temporary numbers; and the significant percentage of error within the SSN system that does not have a provision to check the errors.

The Alternate to the SSN proposal would use the SSN as an identifier for those individuals to whom it is acceptable, but offer an alternate identifier to others (who have privacy concerns). The alternate identifier would be a 9-position identifier and would not be the same as any current or future SSN. Since the alternate identifier is the same length as the SSN it could be used in any record structures that carry the SSN. However, a potential stigma could be attached to the alternate identifier -- a request for the identifier might be interpreted to mean that the individual has something to hide.

The Computer Healthcare Identifier (CHID) proposal does not require changes in SSNs or in SSA’s processes and would be assigned by healthcare providers or health plans. Each validated health plan and health care provider would be provided a standard encryption algorithm for the purpose of converting a patient’s existing SSN into another, private number. The algorithm performs a one-way mathematical function – with highspeed computing it can be done in a fraction of a second. The resulting unique number will always be the same no matter what entity is computing it and would contain a check digit. Positive aspects of the proposal are that it would not involve the SSA or require any changes in the current process of assigning SSNs; it would be guaranteed mathematically to be unique; would be less expensive to implement than a system to create a totally new number, although no cost estimates are available; could address privacy concerns because it makes linkage to other records using the SSN more difficult; and could be.validated with a check digit program. The negative aspects are that many of the current problems with SSNs would not be addressed unless and until the SSA re-verifies the SSNs; because the algorithm would have wide distribution, it is likely to become publicly known within some relatively short period despite legal sanctions against disclosure; anyone with access to the algorithm could, theoretically, take the one billion 9-digit numbers that include all potential SSNs, apply the algorithm, and generate a database of all health identifiers, each linked to its corresponding SSN; no infrastructure currently exists to support appropriate linkages of encrypted versions of the CHID back to the original CHID; and the cost to the industry to modify its systems would be significant;

II.IDENTIFIERS NOT BASED ON THE SSN

The ASTM Sample UHID is designed with a length up to 29 characters. The number is constructed from four parts: (a) a 16-digit sequential number that identifies an individual uniquely, (b) a delimiter (defined as a single character, such as a period, that denotes the boundary between two digits or characters) that separates the 16-digit number from the check digits and encryption scheme identifier that follow, (c) 6 check digits, and (d) a 6-digit encryption scheme identifier, if the number has been encrypted. If the UHID does not need to be encrypted, the last six digits can be valued as "000000" or omitted entirely. The proposal does not describe implementation. Positive aspects of the proposal include: it meets the requirement of HIPAA for a standard, unique health identifier for each individual; it incorporates check digits and encryption capabilities; could restrict the identifier to health care and other desirable uses that can be protected with legislation; avoids crossover problems; provides an opportunity to design an identification system that will fully take advantage of existing technology; and offers the capacity to handle the nation's population for a foreseeable future. Among the negative aspects of the proposal are its cost to the industry to modify their systems and add another, longer identifier; the additional infrastructure a new number would require; its length makes it less user-friendly; and it is untested.

A Biometric identifier is based on a person’s unique physical attributes, such as fingerprints, retinal pattern analysis, iris scan, voice pattern identification and DNA analysis. However, an individual must be receive their identifier in person. The issuance and verification requires special equipment to scan or read the individual’s special attributes. It is already used in government agencies. Biometric information can be stored in digitized form in electronic records and on identification cards. Positive attributes include its unique and positive identification of the patient and its avoidance of crossover problems. Some negative attributes include the lack of infrastructure to issue and maintain the identifiers; the need for special equipment for issuing identifier and the requirement that the individual be present; the identifier would need to be digitized; significant cost; and the biometric attributes of patients could change due to age, injury or disease.

The Personal Immutable Properties proposal as described by the ANSI HISB Inventory of Standards is designed as a 19-digit number. The identifier would have 3 immutable values, plus a check digit, with each separated by a delimiter. The first value is a 6-digit geographic code based on degrees of longitude and latitude. The third value is a 5-digit sequence number assigned by an area jurisdiction, with an international registry administered by an organization such as the World Health Organization. Temporary assignments would have a leading "T". In general, the proposals based on personal immutable properties involve an identifier based on a combination of a person’s characteristics that would not change (for example, birth name, date of birth, place of birth, gender, mother’s maiden name). Positive attributes include: the individual would not have to remember a new number, since the identifier would contain known elements; it is a new choice that provides a new start and can be designed to exclude known defects or limitations; and it avoids crossover problems from an existing system. Negative attributes are that it would require the creation of a new system for assigning and maintaining the number as well as technology infrastructure and administrative structures; it could be assembled by someone who knows personal details about the individual and then could be used fraudulently; it remains only as an untested concept; is not content-free; and the development and implementation would require a huge investment of financial resources.

The Civil Registration System proposal uses records established in the current system of civil registration as the basis to assign a unique, unchanging 16-position randomly-generated (in base 10 or 16) identifier. Uniqueness would be established based on data, such as name, date of birth, place of birth, and mother’s first name, present in the civil records. 16-digit identifier would link person’s human services to medical treatments. A system would be developed to track these and other encounters with the civil system. To guard against unauthorized access of records and to ensure voluntary participation of tracking, the individual would choose a personal identification number (PIN). Has not been pilot tested and no cost estimates are available. One positive attribute is that it meets the requirements of HIPAA for a standard, unique health identifier for each individual. However, the negative attributes are that it would not allow for an identifier specifically limited to health care; coordination among the State-based birth registration agencies would be a major barrier to implementation; cost of implementing new system would be high; and the proposal would likely raise very strong privacy objections.

The Bank Card Method would consist of a) a 13 to 15 digit identifier with a set of digits to identify the practitioner or the medical group, b) another set of digits to identify payers, and c) a set of digits to identify conditions, such as allergies, disease, etc. A credit card-type plastic card would be used as the identification medium with an authenticator such as mother’s maiden name or date of birth "woven" into the card along with the individual’s name as an easily read identifier for convenience. Positive attributes include: it is a new choice and can be designed to exclude known defects or limitations; provides an opportunity to develop the required specifications and design precisely for the system to efficiently meet the industry's need; avoids crossover problems from an existing system; the capability to implement such a system is already in the private sector; and the necessary technology has already been developed. Negative attributes are that it remains only as a concept and its fruition depends upon significant planning, preparation, specification, design and development; the purpose and scope of Bank Card is limited; it is untested; it lacks technology infrastructure; requires Central Trust Authority; and will entail a substantial investment of money.

The Lifetime Human Service & Treatment Record (LHSTR) Number Based on a Birth Certificate proposal is relies on birth certificates, which are personally specific and uniquely enumerated. The proposal consists of linking birth documents to a randomly assigned 16-digit number. The method includes a six-digit check-digit verification and a public-key/private-key-based encryption on an as needed basis. A three tier approach is explained in the proposal as follows: first order of documents - a set of seven core data elements; second order of documents – includes a longitudinal component supplementing the basic record to corroborate over time to protect against error or fraud of the association between the individual and the record; and third order of documents – consists of medical or social service record. Purpose is to facilitate event-by-event tracking of all health and human services provided to an individual on an explicit and consensual basis. Positive attributes include: it meets both the basic functions criteria and the privacy and security criteria effectively; avoids crossover problems; the three (3) components of the civil registration have the maximum potential to enumerate all individuals living in the nation for the issue of the 16 digit LHSTR Number; the three (3) level data segments can provide reliable identification about a patient's medical records; provides patient participation with PIN security; and provides an opportunity to design an identification system that can take advantage of emerging technologies. The negative attributes are that it is at a conceptual level; is untested; lacks existing infrastructure; lacks existing plan and procedures; and will entail significant cost.

III.PROPOSALS THAT DO NOT REQUIRE UNIVERSAL/UNIQUE IDENTIFIERS

The Identification Methods Based on the Master Patient Index (MPI) Concept incorporates a commonly used system in healthcare that links a patient medical record number with a limited set of common identification elements known to a patient, such as patient first/last name, sex, birth date, SSN and mother’s maiden name. The MPI system matches the common data elements across its index to identify the patient’s medical record number, which is required to retrieve medical record. Other proposals based on the MPI include: Directory Service, Common Object Request Broker Architecture, Healthcare Domain Task Force (CORBAmed) Person Identification Service (PIDS), Health Level Seven (HL7) Master Patient Index Mediator and, Sequoia Software Award for Research and Development of a National Mater Patient Index. Positive attributes include: these proposals would not require any changes to implement a unique health identifier; existing numbering systems would continue to be used, reducing costs associated with changing over to a unique health identifier and eliminating the effort, time and investment that will be required for developing and implementing a new identifier. The negative attributes of the proposal are that: it depends upon search, match, and link functions that have not been implemented in the health system on a national scale; depends upon provider organizations’ participation in the processes to update directories and to link and match information; matching depends upon the probability that records having certain data characteristics in common belong to the same individual; human intervention is required in some cases to confirm the final match; and proposals depend to some extent on new technology that has not been tested on a national scale.

The Identification System Based on Existing Medical Record Numbers with a Practitioner Prefix as discussed in the Notice of Intent calls for a practitioner prefix to be added to the medical record number. The medical record is unique only within the provider organization. The two-position practitioner prefix would indicate a practitioner that maintains medical records on the individual. The NCVHS document also includes a proposal on the practitioner prefix that would not change the current practice of patient identification. Neither proposal creates a permanent unique identifier.

The San Francisco Family Health Organization’s (FHOPs) Core Data Elements-Based Patient Identification has opted for data standardization and unique client identification instead of establishing a unique client ID. The identifying data elements consist of two sets – Core Data Elements (birth name, birth date, birth place, mother’s first name, and gender) and Confirmatory Data Elements (Social Security Number, other client number, father’s name, mother’s maiden name, current name, county of client’s residence, and zip of client’s residence) The proposal uses object oriented software technology and a blocking technique (used to determine the relative weighting order an alphanumeric string value is derived). The Common Patient Identifier value can be destroyed after linkage, serving as a virtual identifier. Positive attributes include: it uses a common set of data elements from which an alphanumeric value can be derived; patients are familiar with data elements; and it eliminates the effort, time and investment that will be required for developing and implementing a new identifier. The negative aspects are that it is not a unique patient identifier; it does not replace existing identifiers, but is used in addition to existing identifier; and the use of patient's personal information for identification has inherent risk for violation of privacy.

IV.HYBRID PROPOSALS

The UHID/SSA Proposal suggests an identifier based on properties of the Sample, UHID as described in the ASTM’s Standard Guide, with the SSA as the trusted authority for assignment and maintenance. The identifier would consist of four parts: (a) a sequential number that identifies an individual uniquely, (b) a delimiter, (c) one or more check digits, and (d) an encryption scheme identifier to allow for extra protection of a patient’s identity in sensitive situations. It does not specify the lengths of each component of the identifier and people who do not have an SSN would be issued UHIDs as they generate their first encounter with the health system. UHID would maintain the database linking the SSN with the health identifier for its internal verification process, but other unauthorized users would be prohibited from linking the two numbers. Positive attributes include: it meets the requirements of HIPAA for a standard, unique health identifier for each individual; designating the SSA as the responsible authority builds on the present infrastructure for issuing SSNs; incorporates check digit and encryption capabilities; and would restrict the identifier to health care uses that can be protected with legislation or regulation. The negative attribute associated with this proposal is that it would be costly to the industry to modify its systems and adding another, longer identifier would be significant.

The Veterans Health Administration (VHA) Hybrid Model is currently being pilot tested. Method involves the use of a master patient index system that identifies patients using VHA services based on several identifying properties, including SSN, and the assignment of a unique identifier that is based on the ASTM Sample UHID. VHA terms this unique identifier an Integration Control Number (ICN). When a person does not have an ICN goes in for care, the central system assigns a temporary ICN. If person is later identified and has an ICN, the temporary ICN becomes an alias to the principal ICN. Positive attributes include the use of the ICN to correct deficiencies in use of the SSN as an identifier and the ICN is used only for health care. Negative attributes are that some of the negatives of the UHID/SSA proposal, such as length and cost to implement, carry over to this system due to their similarities; and it would not be cost effective to implement on a national scale if an entirely new agency had to be created to provide governance.

V.CRYPTOGRAPHY METHODS THAT ARE NOT IDENTIFIERS

Cryptography Methods keep data secret, primarily through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again. It is not actually an identifier, but a means of protecting identifiers through encryption technology. Two-key system data is encoded with one key and decoded with another key. Positive attributes include: public/private key management schemes are now proven technology and could be used as part of an identifier; it is a new choice and can be designed to exclude known defects or limitations; it avoids crossover problems; the experience, know-how and the capability to develop and implement such a system is already available. Negative attributes include: expense of necessary infrastructure; significant educational and cultural challenges associated with use and control of encryption keys; and method does not yield a UPI.

TABLE OF CONTENTS