A national unique patient identifier faces an uncertain, bumpy road
Recent legislative action may clear the path for developing a uniform, accurate and effective way to tie data to patients, but challenges are looming.
The Senate’s recent decision to repeal the ban on funding for the development of a unique patient identifier (UPI) marks a potential watershed moment in the development of what previously has been a hot third rail for privacy concerns.
This controversial possibility of developing a UPI provides a new opportunity to link a patient’s health records throughout the health ecosystem, but also highlights the inherent challenges of such a project.
The Senate in October dropped the prohibition from its appropriations bill for the first time in about 20 years, citing the need to remove this barrier to the sharing of patient information and for public health entities to effectively track contacts and immunizations during the COVID-19 pandemic.
The Senate’s move follows in the footsteps of the House of Representatives, which had removed the ban from its appropriations bill earlier this year. If Congress passes the 2021 budget, the Department of Health and Human Services (HHS) then could take a serious look at the feasibility of adopting a UPI as part of a national strategy to better link patient records, thereby setting the stage for improving patient safety, enhancing the coordination of care, and reducing the cost of healthcare.
UPI faces challenges
A UPI is an identification number that’s specific to each individual and would be used to link and manage that person’s health information.
The repeal of the ban on funding for the UPI provides a chance for the government to consider it. “A UPI would simplify and help achieve a higher accuracy of patient matching,” says Hans Buitendijk, chair of the Electronic Health Records Association in Chicago.
But that does not necessarily mean that creating a UPI program in the United States would be easy. If it goes forward, it will be a large, complex undertaking.
“In Ireland, it took 10 years. [Research] started in 2013, then they had to pass a statute and create the product. They’re only now starting to roll it out, and the country only has 4.6 million people,” says says Karen Proffitt, vice president of data integrity solutions for Just Associates in Colorado.
Areas needing analysis – and proposed solutions – include the following.
How to create the UPI. There are differing opinions as to whether UPIs should be created from scratch or simply be an enhanced version of an existing identifier.
The UPI also need not be an actual number – biometrics, smart cards or other digital identity methods could be deployed, says Buitendijk. If a UPI is in number format, existing formats, like the nine-digit Social Security Number, should be avoided to mitigate privacy and security risks, says Rebecca Herold, CEO of Privacy & Security Brainiacs, in Des Moines, Iowa. “That format is being used maliciously on the dark web,” she explains.
How it would be operationalized. For instance, HHS could look to other countries that have implemented a UPI and follow their example. However, many of the other countries that have adopted a UPI have single payer health insurance systems, so the United States may not be able replicate their programs.
There’s also the question of rollout. Initially, a UPI would be added into patient records as patients engage in the healthcare system, says Susan Lucci, senior privacy/security consultant with tw-Security in Overland Park, Kan. As the initiative matures, it would effectively be assigned at a person’s birth, says Buitendijk.
The rollout itself should be first piloted in diverse areas to identify and resolve any problems, says Herold. “It can’t be rolled out all at once,” she says.
Who would control and administer it. Decisions will need to be made as to whether the UPI should be issued and managed by the government, a private/public collaborative or outsourced to a vendor. There is some fear from a patient standpoint of big government doing it, says Proffitt. However, control by a private entity can also raise concerns. For instance, Experian Health announced in 2019 that it had created UPIs for every American, but they’re not patient-facing and are not known to patients or providers, so there’s little transparency.
The extent of patient choice. If using a UPI is deemed voluntary, it could be less effective overall because it would be adopted less widely. Singapore disbanded its national registry ID card because 28 percent of the country were non-citizens, so it was less useful, says Proffitt.
A voluntary program could also create or increase health disparities. But a mandated UPI could be met with skepticism and hesitancy – consumers are increasingly leery of government intrusion into their healthcare, so consent may need to be a factor, says Adrian Gropper, MD, chief technology officer of Patient Privacy Rights, in Watertown, Mass. Another question is whether patients should have the option to have more than one UPI to segregate data, such as one UPI for medical information and another for behavioral information, he says.
How the UPI would be protected. The longstanding claim that a UPI would increase risks to a patient’s privacy and security may be less persuasive than in the past. “People in civil liberties say ‘privacy,’ but news flash – we’ve pretty easily identified now. The argument is old and not valid anymore,” says Lucci.
On the other hand, using a UPI could reduce privacy concerns, because fewer data elements would be needed to effectuate patient matching, says Buitendijk. And since the UPI would, unlike Social Security Numbers, be limited only to health records, the narrow purpose can mitigate privacy and security risks, says Scott Afzal, president of Audacious Inquiry, a Baltimore-based health IT company. However, as with any data, there are privacy and security risks that would need to be mitigated. There may also need to be new rules limiting the use of a UPI, says Herold.
The cost of implementation. The expense for the government to issue UPIs – and for providers, health plans and other stakeholders – to retool their systems to use them, would be immense. “Healthcare is already stretched out to the max,” says Lucci. A 2008 Rand study estimated it would cost $1.5 billion to $11.1 billion to issue UPIs, and those figures presumably have not decreased. However, Rand also found that UPIs had the potential efficiency savings of $77 billion a year at the 90 percent level of adoption.
The road ahead
Now that HHS almost has the go-ahead to explore the implementation of a UPI, the government should start looking at how to create a national roadmap regarding patient matching, involving HHS, private industry, and public health, suggests Kate McFadyen, director of government affairs for the American Health Information Management Association (AHIMA).
It may not need to start from scratch. For instance, Patient ID Now, a coalition of about 50 organizations, in April published a proposed framework for a national strategy on patient identity to improve patient identification and matching. The framework details issues to be addressed and makes concrete recommendations, such as identifying performance measures, reviewing alternate ways of handling patient consent, and encouraging collaboration with industry-based patient matching efforts. This blueprint discusses the UPI but itself is solution agnostic, according to McFadyen.
A report on the topic from HHS’ Office of the National Coordinator for Health IT, mandated by Congress in 2020 and expected later in 2021, should also help inform the government as to how to proceed.
And while improving patient matching is a top priority in the United States, some caution was urged.
“First, look at what exists today and what we already know. Capture past research and set a plan that sets us at a good cadence. You want to balance between urgency and diligence that inspires confidence of stakeholders that it’s being looked at in a thoughtful way” says Afzal.
HHS’ review of UPI adoption may also influence related discussions on privacy. “The way patient matching is set up in the private sector, especially referential matching from other industries, is using surveillance without consent and transparency. The UPI is good, but the laws need to be improved, and the way to get that done is federal oversight. Getting the federal government involved will be an incentive to handle this privacy issue and force people to realize we need a federal national privacy law,” says Gropper.