November 2009
Feature Story

Anne Paxton

In some federal government offices, all one has to do to stop a conversation cold is mention a national patient identifier. That’s how adamantly Congress, in a 1998 bill, outlawed any plans for, consideration of, and even research on a national system of assigning patient ID numbers. “I talk to federal bureaucrats who are very smart, very savvy people in every other respect,” says Raymond D. Aller, MD, director of automated disease surveillance systems for Los Angeles County. “But when I start on national patient identifiers, they kind of cross themselves and say, ‘We can’t talk.’”

A national patient identifier was a key component of the 1996 HIPAA (Health Information Portability and Accountability Act), but Congress reversed course on the issue only two years after HIPAA became law, and most experts agree that chances of a federal system happening are pretty much zero. “We’re basically all creating medical record numbers on our own,” says J. Mark Tuthill, MD, division head of pathology informatics at Henry Ford Health System in Detroit.

In 2009, however, a new player arrived on stage: a private-sector alternative called VUHID, short for Voluntary Universal Healthcare Identifier. It’s a voluntary system of assigning patient IDs that manages to sidestep most of the objections that have stymied a national system so far, and many in the health care informatics community are wondering if it may be able to fill the void. VUHID is based on two standards developed by ASTM (originally the American Society of Testing and Materials) and ANSI (American National Standards Institute). The system’s goal is to make unique health care identifiers available at nominal cost to individuals who want one. But more than that, VUHID promises to shield patient privacy by using two categories of identifier: an open identifier for information a person wants to have known to all of his or her care providers, and multiple private identifiers for medical information a person wants to keep private.

The system would enable unambiguous patient identification, error-free linkage of clinical information, and enhanced privacy of patient information, says Barry Hieb, MD, chief scientist of Global Patient Identifiers Inc., Tucson, which is sponsoring the VUHID project.

“When I first heard about VUHID, I was delighted to hear they were doing it,” says Dr. Aller. “The federal government has decided to hamstring itself, and that doesn’t seem likely to change in the near future. So we should have private enterprise do it.”

“Thirty years ago I was already of the opinion that the lack of a uniform patient identifier is the No. 1 clinical informatics problem in this country. Is this specimen of John Jones linked to the specimen of last week, or was that a different John Jones? We can’t always be sure.”

For many people, the debate over a unique health care ID flies below the radar. “People don’t remember or acknowledge how serious a problem lack of identifiers is,” Dr. Aller says. “Because they live with it every day, they essentially sweep it under the rug. But it’s really a life and death situation to know this patient is diabetic, or whatever it happens to be, when they may be unable to respond. And it would be a tremendous efficiency gain for health care organizations to not have to chase after who exactly this person is.”

The Kennedy-Kassebaum bill that became HIPAA was going to impose a national patient identifier. “It was secondarily going to establish a whole family of draconian provisions to secure the safety and use of that identifier, and it set standards for transactions between different business partners. And we in medicine were willing to put up with the restrictions—provided we got the national identifier.”

“But two years later, they removed the national patient identifier from the law and left everything else there. So we have a lot of absurd HIPAA regulations and extra trouble and extra costs, and none of the benefits we’d receive from a national patient identifier.”

There would be wild celebrations if HIPAA were to die, Dr. Aller believes. “Unfortunately, Congress made a terrible overcorrection in the other direction.”

He is not alone in expressing frustration over HIPAA. Rob Bush, president of LIS developer Orchard Software, says, “Most people think the ‘P’ stands for privacy because those interests hijacked the act, but it actually stands for portability.” He adds: “I suppose the battle cry would be, ‘Oh no, a common patient ID makes it easier for someone to go through my private data,’ but if we’re trying to move information around, there’s a benefit to different groups and a benefit to patients. Access to a complete set of medical records means every doctor has the potential to see all our records and do a better job of treating us.”

A task that HIPAA mandated but the Centers for Medicare and Medicaid Services has not completed is a table to identify common insurance programs, Bush says. “One of the biggest challenges we have is every time we put an interface in place with a lab, someone has to manually reconcile a table between what you call this insurance company and what we call it. But about once a year I call someone in Medicare and ask who’s responsible for that table. And the answer is, ‘We’re going to study how to assign a number.’”

However, Bush doesn’t think the uniform patient identifier issue makes as much difference to the laboratory. “Sure, we spend money trying to identify patients because there’s no centralized ID, and mistakes are made, but we’ve had to deal with it for a long time, and in the grand scheme of things that isn’t one of the really expensive things needed to get the job done.”

Tailoring an LIS to a hospital ID system is usually not a problem, agrees William Shipley, president of LIS developer Schuyler House. “The problem comes when you have two health agencies merge or you have a legacy database you need to incorporate into your current system.”

The de facto “workaround” solution most health care organizations rely on for patient identification is the Enterprise Master Patient Identifier, or EMPI, system. “EMPI systems have existed since probably the 1980s and are very important to enterprises like hospitals and regional systems,” Dr. Aller says. “The computer pulls together all kinds of different identifiers like birthdate, address, the spelling of the name, and the sound of the name.” Then it makes a sophisticated guess as to whether individuals match.

No hospital can rely only on exact matches, Dr. Hieb points out, because names and addresses can differ in all sorts of ways. Names get typed with misspellings, typos, and digits transposed, while apostrophes or double letters add confusion. So an EMPI does a demographic match and calculates the chance that two sets of data are in fact the same person. “It’s called probabilistic matching; the system will say there’s a 94 percent chance these are the same. But unfortunately, the experience of the industry is there’s a four percent to eight percent error rate in doing this. While it’s the best that’s out there, our concern is it’s not good enough.”

EMPI has another key limitation, Dr. Tuthill says. “There’s a subset of rules to tell you Mrs. Smith and Mrs. Ann Smith are probably the same person. But the systems have not been particularly proactive in crafting tools to help you go out and find data, or warn you that data exist or someone has got different episodes under a different name.”

To some extent, Congress’ change of heart on HIPAA made sense, in Dr. Hieb’s view. “The problem that caused Congress to reverse itself was that the plans called for essentially one huge database of everyone,” which would have been a risk in terms of hackers gaining access or, for example, lawyers subpoenaing to extract information on everyone in a particular state, he says. “It was the right thing to do at that time to reverse the decision, but the 1998 language was just a blanket denial of anything; it said no federal resources will even be put into investigations of a national health care identifier.”

Some solutions that might seem promising on the surface turn out to have multiple pitfalls. For instance, a number of characteristics of the Social Security number make it less than helpful as a medical identifier, Dr. Aller points out. “One is how closely it is tied to financial records, and we really don’t want medical records tied to financial records. The second thing is the SSN was introduced in the 1930s, when people didn’t know how to create identifying numbers. So there’s no check digit in it, and if you mistype it, you’re not going to realize it.” In addition, SSNs are notoriously easy to steal, borrow, or share among multiple people.

Then there’s the sometimes wildly inconsistent policy of federal agencies. Says Schuyler House’s Shipley: “We have found that the government alternately requires the use of Social Security numbers and adamantly forbids it. For the past 15 years we’ve been through both ends of that cycle.” The projected cost of a national patient identifier system has been a chronic stumbling block. Estimates for putting a system in place have ranged from $1 billion to $50 billion, depending on who’s doing the figuring, Dr. Hieb says.

Why would a system of assigning numbers have to cost so much? Dr. Tuthill explains: “There has to be a brokering agency that provides the nomenclature and numerical generating infrastructure. So obviously there’s a level of bureaucracy involved with that, making sure people aren’t getting two numbers, and a functional component. And when you multiply that by hundreds of millions of people, by definition it’s not going to cost 20 bucks.”

“It’s an infrastructure and it’s not free,” Dr. Tuthill adds. “Health care systems, laboratory systems, radiology systems would have to somehow adapt to using this number, and you would have to apply it to patients already in the systems.” On the other hand, he says, billions of dollars are being wasted across the country trying to patch things together. A 2008 study by the Rand Corp. (“Identity Crisis: An Examination of the Costs and Benefits of a Unique Patient Identifier for the U.S. Health Care System”) estimated that a 90 percent adoption of a standard patient identifier would save the United States $77 billion to $154 billion per year.

Dr. Hieb identifies other “show-stoppers” that have prevented a uniform patient ID from being adopted. These include: Technical issues such as what the identifier should look like, how to use it, and how to incorporate it into systems out there already. The need to get federal legislation passed, and to get everyone to agree before moving forward. The resistance to a national database because it’s too large a privacy risk. The need to make modifications to all the existing systems in doctors’ offices and hospitals. And finally, the possible need to coordinate a “big bang” implementation date.

But with a voluntary system like VUHID, he says, “All of those factors are now manageable. The approach we’re taking gets around all of them.” No federal mandate would be required, technical standards are ready to go, the system would be implemented gradually, the cost would be only about $200 million to $400 million, and, most important, there’s no central database.

“This system is designed by intent to make sure there can never be a central major database,” Dr. Hieb says. “We just set it up so that the VUHID system never knows who a particular identifier actually is. But despite that, we can do all the things that need to be done: We can give the person an identifier, we can make sure all of that person’s data are aggregated, we can identify all locations that have information relating to that identifier, and there is no privacy risk because there’s no national database associated with this.”

What about system conversion costs? “We’ve figured out a way so that, at least at the beginning, you don’t have to make changes to your Cerner, your Epic, your McKesson systems.” The EMPI system that’s used would have to be changed, but Dr. Hieb says that cost is small by comparison. “Because this is a voluntary system, we can start small and grow. That means we start with organizations that are ready to go, and we add new ones as they are ready to join.”

VUHID is now in the early stages of deployment. Global Patient Identifiers has a contract signed with one vendor and is in the negotiation stage with others. ‘We’re in what you would say is a beta test site phase,” says Dr. Hieb. “We’re looking for organizations willing to work with us to test and prove the value of this approach.”

Already he has been encouraged by the reactions of opponents of a national ID. One could perhaps attach the word “passionate” to some in the privacy community, Dr. Hieb says. But, “by and large, once they get over their initial emotional reaction, we have a very good discussion. They’re kind of all over the map in how they do or do not support VUHID, but they have to admit this is the least invasive system they’ve seen.”

One of privacy advocates’ key objections to most systems is neutralized by VUHID’s two categories of identifiers: open and private. Dr. Hieb explains the rationale: “I want all my doctors to know my allergies and the time I was treated for appendicitis and when I had pneumonia.” That data would be linked to one “open” identifier. “But as a patient, I might want to keep my psychiatric records separate, and I might want to keep my genetic information, or my cancer treatment, or my sexually transmitted diseases separate, or the fact that I’m participating in a research study.” Information like that would be associated with any number of “private” identifiers.

For example, take a person who would like to have an HIV test but is embarrassed to use his or her own name and wants to keep it private. “Right now, in order to be very, very sure the test comes back to the right chart, you have to put a lot of patient data on that lab specimen. With VUHID, we could give that patient an appropriate private identifier that could be put on the specimen, the lab could run the test and send it back with that identifier and nothing else, so there is no privacy pressure on the patient and no risk that the result will get back to the wrong person.”

Or, take a person who has a neurological disease such as multiple sclerosis and does not want his or her employer to know, but at the same time is eager for medicine to benefit as much as possible. “I would want my data to show up in this national research study. That means we need a mechanism like these private identifiers so you can anonymize the data and researchers can look at the data to see which treatments worked for how many patients.”

The availability of private identifiers would be especially helpful in preserving patient privacy when dealing with health insurers. “They basically have us over a barrel right now,” Dr Hieb insists. “If you want a test for a sexually transmitted disease, you can’t hide that information from your insurance company when you submit a claim. But it’s my contention that the insurance company has no business knowing that it’s me. Using these private identifiers, we could submit a bill saying here’s a test being ordered, this person has the following coverage and has used this much out-of-pocket for the year—all the information an insurance agent would need to decide how much to pay for this particular procedure—and they wouldn’t need to know the name of the patient.”

The same could apply to genetic information. “In theory, insurers aren’t supposed to use it, but you know patients are being leaned on all the time. And they don’t have a good mechanism to protect patient information because they don’t have private identifiers—there’s no way to blind your data.”

VUHID wouldn’t require this switch, just make it available. “We would still have the option of doing things exactly the same way we do now—but going forward, as laws evolve, as privacy policies evolve, we can also do it in an anonymous way.”

It can be tough to get people’s attention when you’re talking about a national patient identifier, Dr. Tuthill admits. “It’s not very exciting. But it’s the linchpin to making systems interoperable.”

“Without a uniform patient identifier, it’s very difficult to share information. Henry Ford Health System, for example, has at least four medical record systems for its eight hospitals. These were standalone hospitals 20 years ago and have integrated over time, but there’s no unified patient identifier in place, so it’s plausible someone may miss critical medical information in taking care of a patient.”

Henry Ford Health has made sever­al efforts to identify linkages within the system. “We’ve recently implemented technology to provide physician warnings so when I go into an electron­ic medical record, if a patient has a duplicate medical record num­ber, it will give me a warning in red, and say ‘Click here to see other information.’” A new admissions system will, it is hoped, make medical record numbers standard across all the hospitals, at least prospectively, but the challenge will be how to apply that process to the existing medical records.

Medicare, Dr. Tuthill points out, may use SSNs to identify patient eligibility for benefits, but for medical records it uses a series of identifiers, one of which is likely to be the local hospital’s medical record number for an episode of care. “People have proposed using the SSN as a patient identifier, but I don’t think we want to enter into that level of contention. I can certainly see why ultimately you do not want to have identifiers that cross multiple systems including health, financial, and benefits systems. However, to me, it makes sense to have some segregation. I’d like to have my SSN for financial data, my physician provider number for medical and medicolegal data, and a patient identifier for health care.”

His own medical records illustrate some of the difficulties, though. “I think I have at least several patient identifiers at this point. There’s the hospital that took care of me as a kid, the hospital I had as a medical student, and so on, and here at Henry Ford I have at least three different medical record numbers because I go by my middle name.”

It’s a bit illusory to think numbers themselves can provide privacy, he says. “Privacy is really a figment of your imagination. Really all you can hope for is to have legal constraints on how your personal information can be used for or against you.”

Ironically, within the health care system, “HIPAA and patient confidentiality are already under tremendous assault, because in fact all the people who have the most ability to hurt you based on your privacy are the very people permitted to get your data. Meanwhile, the people trying to help you have more obstacles to getting your medical records.”

Many people worry that if they have one number, everyone can find out everything about them, Dr. Tuthill says. But the systems themselves have checks and balances. “Just because I’ve got one driver’s license number, for example, doesn’t mean I go to a 7-11 and write a check and they’ll find out what hotel I stayed in last weekend.”

Last spring, Dr. Tuthill succeeded in persuading the Michigan Medical Society to pass a resolution, and forward it to the American Medical Association House of Delegates, calling for more rationality in patient identification. “The argument was that in Michigan we’re killing ourselves by creating unique medical record numbers in every instance of care, and since we want to have a unified longitudinal health care record to provide continuity of care, it therefore follows that we need uniform patient identification.”

Regarding VUHID, Dr. Tuthill is somewhat skeptical. “I think it’s a very creative approach to say, ‘Wake up, we’ll do it on our own.’ But I’m not sure it can get widespread adoption, and my concern is it’s another nonstandard way of getting health record numbers.”

Dr. Tuthill credits Europe with having a more rational approach. There, he says, privacy, security, and accessibility are seen as three different things. “You can have a secure and private record and still use a common identifier. In the U.S., we spend a huge amount of money on infrastructure to keep from having a national driver’s license.” The compact among the states that permits 50-plus different licenses works, but it costs a lot more money than it would to have a unified system, he says.

Shipley points out that the ultimate patient ID attached to samples in the lab—no government issue necessary—is the person’s DNA. “We have speculated that at some point you will not need to be issued a number, because any sophisticated analyzer will automatically take a genetic blueprint of the sample it’s processing.” In the future, he says, a sample passing through a hematology analyzer could be identified as coming from the same person as a sample passing through a chemistry analyzer, but privacy protections could still prohibit that information from being linked to a patient name.

For now, though, VUHID is an option Dr. Hieb would like the laboratory community to think about: “If we had this capability, we could do all sorts of things to make the whole process better than it is now—easily, cheaply, quickly, and safely.”

“VUHID is a process that’s going to take a long while to grow,” Dr. Aller says. “We just have to get the word out, make people aware it exists, and work on getting support for it.” Dr. Hieb is cautiously optimistic about its prospects, even amid the upheaval of pending health care reform.

Eventually, he predicts, the system’s ease and flexibility will win people over. “We’re going to wait and let lawyers and doctors and patients figure out what they want to do. Then, whatever it is, we can say: Here’s how to use our identifiers to make it happen.”