To many, it's the Jason, the Chucky or the Freddy Krueger of healthcare information technology -- that ol' bugaboo known by many names, including the "unique patient identifier," the "unique health identifier," the "national patient identifier" -- that just won't die and stay dead. For others, it's a debate that needs to be kept alive to ensure the safety and efficacy of electronic health records.
Since February, there have been several public and private meetings at which, once again, U.S. healthcare IT cognoscenti have discussed establishing a discrete healthcare ID number for each patient. For the sake of this story, we'll abbreviate the term as UPI.
Renewed interest in a UPI comes nearly eight years after both the Clinton administration and Congress, acting three months apart, put a hold on a patient identifier scheme in 1998. Those moves against a UPI came just two years after Congress mandated the creation of a patient identifier as part of the Health Insurance Portability and Accountability Act of 1996.
The recent UPI conversations are taking place as the federal government has contracted with multiple private-sector organizations to develop prototypes for a national health information network an approach to achieving President Bush's goal of providing most Americans with their own electronic medical record by 2014.
Discussions over the UPI also come during a year in which there have been almost weekly reports of computer system security breaches and privacy debates, including news from late April about a hack into the Defense Department's Tricare database, leaving exposed the names, Social Security numbers and partial credit card numbers of more than 14,000 members.
Meanwhile, a recent demonstration by Connecting for Health, a consortium with both private and public representatives, showed that medical records can be located and distributed coast-to-coast between regional healthcare information organizations without a UPI.
The Connecting for Health methodology uses software that applies computer routines called algorithms to assign weights to data elements in a medical record, such as a patient's first name, last name, date of birth, ZIP code, etc., in a method known as "probabilistic matching."
Other private-sector organizations, such as drugstore chains and pharmacy benefit managers, through networks they established -- SureScripts and RxHub -- and e-prescribing software developers, such as ZixCorp, also match individuals' prescription drug information using similar probabilistic matching strategies.
Meetings of the minds
In recent weeks, various players in the debate, representing vendors as well as providers, have met to rehash the issues surrounding the UPI.
On April 26, the Chicago-based National Alliance for Health Information Technology organized a daylong forum aiming "to break the stalemate on patient identification for electronic health records." A brief on this meeting has been posted on the NAHIT Web site, nahit.org, which also touted hosting another discussion on identifiers May 16 as part of the organization's annual meeting.
On May 12, a panel session at a Washington healthcare IT conference was devoted to the UPI issue. The conference was sponsored by Accenture, an IT consulting and outsourcing company, and Harvard Business School Publishing.
These meetings were advertised in advance and were open to registered attendees. The alliance is a coalition of healthcare organizations including vendors and provider associations.
"We did not design our meeting to specifically support or destroy the idea of some kind of specific identifier," says Rod Piechowski, vice president of technology leadership for NAHIT. But when it comes to a UPI, "everybody talks about it in hushed tones," he says. "We just felt it was time to bring it back into discussion. It's a cultural issue, it's a policy issue, and it's a technical issue."
According to Laura Wooster, director of technology leadership for NAHIT, "For truly successful algorithmic matching, you still need human interaction. ... The advantage of having that identifier in there (is) it does act as one of the differentiators you can depend on and make your identifying more dependable."
A far more exclusive, invitation-only gathering on the UPI issue was held in February at the annual convention of the Healthcare Information and Management Systems Society in San Diego. Called by Neal Patterson, chairman and chief executive officer of health IT giant Cerner Corp., the conclave involved representatives from IT companies, including Allscripts Healthcare Solutions, Hewlett-Packard Co., Intel Corp., Microsoft Corp., Picis and Siemens, according to attendees.
Stephen Lieber, president and CEO of HIMSS, says he came to the February meeting and volunteered HIMSS to serve as coordinator of a follow-up meeting of the group held May 4 at a hotel near O'Hare International Airport in Chicago.
Lieber says in February the decision was made to open up the next session to professional groups, so the invitation list for the May gathering was expanded. Those invited included representatives from Connecting for Health, the American Academy of Family Physicians, the American Health Information Management Association, the American Nurses Association, the American Psychiatric Association and the College of American Pathologists. Both the February and May meetings were invitation-only.
Patterson was unavailable for comment on this story, but in an earlier interview, the Cerner CEO said it was time to address the issue head on and push for a UPI.
According to Thomas Tinstman, a physician and a former senior vice president, board member and chief medical officer at Cerner who is now serving as associate director of clinical information systems at the University of California at Davis Health System, Patterson has long been an advocate of a UPI. "We were just furious" when the UPI was, in effect, barred from being implemented as part of HIPAA, Tinstman says.
Patterson's interest in a UPI is both professional and personal, Tinstman adds. "It makes his job easier, (but) he knows this is the right thing" to do.
Richard Hillestad, a principal researcher and healthcare specialist with the RAND Corp. who has been working with the IT vendors group that participated in the February and May meetings, says that at the Chicago meeting there was a consensus to go forward with a feasibility study comparing the costs and benefits of a UPI with other methods of patient identification, including probabilistic matching.
Determining the cost
"We're not pushing one versus another," Hillestad says. "We're going to try to say: 'What's the cost of doing it this way versus that way?' and whose costs they are. The vendors would like a standardized approach. That's what I think they're looking for: What is the pathway?"
Hillestad confirmed that Patterson took the lead in organizing the group and the focus was on a national patient identifier.
"He's the one who suggested we take a look at it, but the other vendors are just as active at taking a look at finding a solution," he says. "They sell their systems to countries outside the U.S., and they see some of those countries impose a patient ID system. Obviously, if you had an assured ID system, it makes things a bit easier."
Hillestad says people within the vendor group "have volunteered to sponsor the research. Our studies of this nature vary from a couple hundred thousand (dollars) to over a million, but exactly what this one is going to cost, I'm not sure."
"We're hoping to have the research done by the end of the calendar year and do a peer-review publication," soon after. He says that could be in the journal Health Affairs, which ran several articles Hillestad and RAND colleagues authored on the financial benefits of a national health information network. Some of the same IT companies that funded that research will be involved in the upcoming identifier project, he says. Even though the study is likely to be financed by the IT companies, "We like to think of ourselves being an objective evaluator."
Privacy experts say those who want to reopen the UPI issue can expect a backlash."I think that privacy advocates will be disturbed to know the unique national patient identifier is back on the table," says Joy Pritts, a lawyer and assistant research professor with the Health Policy Institute at Georgetown University in Washington. "The patient ID has always been a hot-button issue, and I don't think there is any reason to believe it is going to be any less of an issue today."
Pritts says a UPI "is not necessarily a horrible idea if it's done right, but I'm not convinced that they'll do it right. The legal penalties (for violators) have to be put in place," she says, adding that the penalties under HIPAA are inadequate.
Robert Gellman is a lawyer and privacy consultant in Washington who served on the National Committee on Vital and Health Statistics at HHS when HIPAA was enacted in 1996. He was still with the group two years later when "the mere discussion of this issue was a front-page story across the country."
Gellman says if patients are ever told they have to sign up for a healthcare ID number, "People will go screaming from the room and the whole NHIN (national health information network) will sink on this issue."
Carol Diamond, managing director of the health program at the Markle Foundation -- which jointly funded the Connecting for Health project along with the Robert Wood Johnson Foundation -- agrees that the issue has been divisive.
"People who have been in medical informatics for decades have lived through this conversation in many iterations," Diamond says. Within Connecting for Health, "the identifier was a fork in a road." The work group spent an entire year wrestling with the patient identifier question, she says. "People were very divided about the issue."
On April 6, Connecting for Health released an update of its national health information network blueprint, called the Common Framework, in which a key tenet was not to use a UPI but rely on probabilistic matching. The group demonstrated the feasibility of its own probabilistic matching scheme in a pilot program in which records were located and exchanged between three RHIOs: MA-SHARE in Boston, the Indiana Health Information Exchange in Indianapolis and the Mendocino County Health Records Exchange in Ukiah, Calif.
Diamond says a Connecting for Health work group was asked to come up with a method of patient record identification that could be implemented in five years and could be tested in three years. The other constraint was that privacy issues had to be addressed.
"Our big 'aha!' experience in the working group was that (a UPI) is not going to solve everything," she says. "And even if it has some potential to improve (accuracy), it's not going to happen overnight."
Implementation of a UPI is expected to be expensive. According to a 1998 white paper, the National Committee on Vital and Health Statistics reported cost estimates ranging from $10,000 for one hypothetical organization to change the length of its existing identifier to $5.7 million for one state Medicaid program to $370 million for one large insurer to change its system in one state.
Diamond says that in addition to the practical problems of implementing a UPI, there are privacy issues. If there is a single key, i.e., a single number, that is all a privacy violator needs to know, "That does have this potential risk," she says. "It's a matter of degree of risk. We don't feel there should be a way; if you just know something about someone, you can look them up. Health IT has a number of challenges, and this wouldn't be my first priority," Diamond says.
John Halamka -- a physician and CEO of MA-SHARE who also is chief information officer of CareGroup Healthcare System, Boston -- says the record locator used in Connecting for Health's pilot program was adjusted so that it might not pull up all of a patient's medical records, but definitely would not pull up as possible matches the records of two or more patients. That's as it should be, from a clinician's viewpoint, he says.
Combining information from two people's records "is far worse than missing someone's record," says Halamka, a specialist in emergency medicine. "What we said in Massachusetts, we'll set the thresholds so that one small percentage of the time you won't get a record back, but you won't get mismatched records coming back" either.
The alternative, he says, would be to have a physician trying to pick the right records from multiple possible records that might match, and "that's a bad idea," he says. "Any time you give a human the ability to decide whose records should go together, you're going to introduce errors into the system."
A UPI "would solve some of the problems with exchanging records, but it would create others," he says. It may be possible to develop and use a UPI later, but, for now, Halamka believes probabilistic matching affords a quicker step forward.
"Our experience so far in Massachusetts, using various probabilistic matching (approaches), we can do a pretty good job without a national identifier," Halamka says.
Lieber, the head of HIMSS, says the discussion at the May 4 meeting included debate over other possible methods of identification.
Instead of a national patient identifier, "I would prefer to call this patient identification, and Neal (Patterson) is starting to use that term as well," Lieber says. "Algorithms are generally accepted as a very decent way of establishing relationships between records with a high degree of accuracy. So the question is: If you can get there, why do the other? And the answer is: There is some degree of error" with probabilistic matching.
Still, Lieber concedes, given the conservative national political climate, "You know which one of those approaches is going to fly right now."
As was the case in 1998, opposition to the national patient ID movement these days likely will come from a coalition of strange bedfellows -- consumer activists and liberals in common cause with libertarians and conservatives.
"Privacy often gets a left-right coalition," says Peter Swire, a lawyer who served in the Clinton administration as chief counselor for privacy in the White House Office of Management and Budget from 1999 through early 2001.
"The libertarian right doesn't want the government to intrude and the consumer people on the left want individual privacy rights. We've seen this many times," says Swire, a panelist at the NAHIT meeting last month. Swire says Congress got it right in barring future work on a UPI.
"There have been multiple political and technical barriers to a unique identifier, even though people who administer systems (would) find it useful," he says. But, Swire says, the UPI isn't even the silver bullet its proponents portray it to be.
"We've been learning a lot about network security in the last 15 years since the Internet became important, and Internet experts have stayed far away from a national identifier because they know the risk of spoofing and a variety of security problems," Swire says. "There is an illusion of a perfect system that will come with unique identifiers, but the complexity won't disappear and the security risks will increase."
Todd Cozzens, CEO and vice chairman of Picis, a developer of clinical IT systems for emergency rooms and other high-acuity-care settings, favors a national standard identifier. "Our take on it is it would be much more efficient for the industry and IT companies if we can come to an agreement on a standard," says Cozzens, who attended the February meeting called by Patterson, but not the one in May.
No groundswell of complaints
Rick Spurr, president, CEO and chief operating officer for ZixCorp, a developer of electronic prescribing software, says he is neutral on the UPI. Today, ZixCorp software locates patients' prescription records using probabilistic matching, using five data fields -- first and last names, date of birth, ZIP code and gender. Generally speaking, the system locates patient records well enough, Spurr says. There has been no groundswell of complaints from physician customers about searches coming up blank on formulary or drug-record checks, he says.
ZixCorp would use a national patient identifier if one were available, but the company isn't campaigning for it. "Certainly, that would help," he says, "but that's not relevant to what we do."
The American Hospital Association, meanwhile, is coming out in favor of reopening discussion on a UPI, says Chantal Worzala, senior associate director of policy at the association and a panelist at the April 26 NAHIT meeting.
The AHA's position, according to Worzala, leans more toward a UPI than probabilistic matching, the recommendation from Connecting for Health.
"Their method means that you will be missing relevant information," Worzala says. "I think we're talking beyond incremental improvement. We need to do what it takes to make the exchange of data possible."
IDENTIFYING CONCERNS
Some key dates in the debate over unique patient identifiers
August 1996 -- The Health Insurance Portability and Accountability Act becomes law.
September 1997 -- National Committee on Vital and Health Statistics recommends that HHS not adopt a standard for a unique patient identifier for individuals, or UPI, until after privacy legislation is enacted.
July 1998 -- The National Committee holds the first of several scheduled hearings in Chicago on the patient identifier. Meetings generate considerable media coverage.
July 1998 -- Vice President Al Gore issues statement on UPI, saying, "Because the availability of these identifiers without strong privacy protections in place raises serious privacy concerns, the administration is committed to not implementing the identifiers until such protections are in place."
September 1998 -- Second National Committee hearing on the UPI is canceled because of administration opposition.
October 1998 -- The fiscal 1999 federal appropriations bill is signed into law barring HHS from using any of its appropriated funds to "promulgate or adopt ... a unique health identifier for an individual ..." until Congress acts to create a UPI standard.
May 2001 -- Then House Majority Leader Dick Armey (R-Texas) sends a letter to HHS Secretary Tommy Thompson questioning why "on page 147 of the May 2000 implementation guide for data standards" there is a provision instructing healthcare entities to reserve space for a (Health Insurance Portability and Accountability Act) individual identifier." Armey asks that if work is still progressing on implementation of a UPI, "that you bring the medical ID project to a complete halt."
February 2006 -- An ad hoc group of health information technology vendors meets at the Healthcare Information and Management Systems Society trade show in San Diego to revive discussion of the UPI.
April 2006 -- The National Alliance for Health Information Technology holds a daylong forum in Washington on patient identifiers.
May 2006 -- The IT vendors group meets again in Chicago, reaches consensus to hire RAND Corp. to conduct a comparative analysis of the costs and benefits of a UPI vs. other forms of patient identifiers.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.
This article originally appeared in Modern Healthcare magazine.