Wednesday, February 1, 2012

Universal Health ID -- Enable Privacy

I enjoyed reading the Wall Street Journal article “Should Every Patient Have a Unique ID Number for All Medical Records?”, at least until I got to the section by Deborah Peel. I respect Deborah as an advocate for Privacy, but her argument against Universal Health ID is a complete non-sequitur. Deborah says “But a universal health ID system would empower government and corporations to exploit the single biggest flaw in health-care technology today: Patients can't control who sees, uses and sells their sensitive health data.”

I added the bold on the words “empower government and corporations to exploit” as this is the part that is totally FALSE. There is nothing in having a universal ID that ‘empowers’ anyone. In fact one of the struggles that I am faced with in writing Privacy standards is that there is not a solid patient identifier that I can apply to Privacy Directives and Privacy Policy. This concept that having a universal ID empowers exploitation is totally wrong. What is empowering the exploitation today is that there is no way to determine what policies apply to the data. Therefore the default policy could just possibly be ‘exploit away’.

Without a solid link between the policy, patient, and data; there is no control. I want to enable the patient to control their data, for that I need to know who the patient is. The thought that healthcare organizations would never keep your data, and always transfer it to a PHR, is simply not going to happen in the USA due to many many rules including medical licensing, public health reporting, disclosure, and malpractice. We need to get over the failed attempt to change. This doesn't mean the PHR doesn't have it's place, I believe it does hold a strong role as a peer on an HIE. I just see controlling the patients data as being something that needs to be addressed Universally. For that we need strong identifiers, strong policies, and strong data management.

I have written on Patient Identity Matching, this is the process that is being used today. It is an error prone process, and worse it requires that everyone share the patient demographics in the most exacting detail they possibly can, and that centrally there is a database of all of the shared demographics. This is MORE of a privacy violation than if the central core needed to only hold Patient ID values, where a Patient ID value is an opaque string of numbers uniquely assigned to that patient by an assigning authority (binding both the identifier and the identifier of the assigning authority – results in a unique value).

The first section of the Wall Street Journal article, written by Michael Collins, hinted at this. I won’t bother hinting. The ramifications of NOT having a universal ID is that we are FORCED to expose high fidelity patient demographics. Even if we are using a PHR, even if we are using Direct Push. We MUST fully describe the patient in order to make sure we are dealing with the right patient. 

Note that Patient Safety will eventually come into the picture, as ultimately before the patient is treated they need to be highly identified, using their Universal ID alone at treatment time is simply not “Safe”. – For one, we know that people share insurance ID values so that their treatment is paid for.

We do NOT need a single Universal ID: especially not a single assigning authority. All we need to do is determine a set of assigning authorities that are considered ‘good enough’. When I say ‘good enough’ what I mean is that the assigning authority has processes in place to positively identify and prove that the human they are assigning an identity to is really that specific human. We know of some of these ‘assigning authorities’ already: Passport, and Driver’s License. Yes, these are non-healthcare identifiers; but if you have one then you should be able to use it. Many states are starting up mandatory Voter identity systems, these likely are going to be ‘good enough’ too. More likely is to simply use the identifier assigned by your GP, or Your Insurance. Fact is we don’t need to have a pre-determined list of assigning authorities, each facility can determine what is ‘good enough’ for them; yes it would be nice if there was a starter set already proofed.

How are these used? Simply, they are entered into the Patient Identity Matching as a ‘high assurance’ identity with the assigning authority value. Thus they can be matched directly, bit-for-bit. 

Not that any system MUST recognize that any ID value can be revoked or replaced. Thus there is a need to keep old ID values in a cross-reference. This is another reason there is no 'single' health ID; and there will likely be multiple over time, even if things are always wonderful for the patient.

Once this is done, we end up with a really cool thing. The patient can choose their own Voluntary Patient ID; likely their PHR address. Yes, this is enabled by recognizing the use of IDs as a binding between the unique value assigned and the identity of the assigning authority. You all see this daily, when you use an e-mail address. Globally unique, because the first part is your identity the second part is the identity of the assigning authority. In these cases, the assigning authority is likely not highly trusted, but if the patient trust them then they are likely trustworthy.

Patient Privacy is enabled when we have strongly assured Identifiers. We don't even need to invent a new system. We just need to use the identifiers that we have already. It would not hurt to have a new system of trustable opaque identifiers that support federation.

1 comment:

  1. It may make sense to look at some countries that use patient identifiers for sharing medical data, or even unique person identifiers.

    Norway uses a unique person number for absolutely everything - any dealings with government, any exchange of any healthcare data - it will carry your person ID. Having such an ID, or knowing the ID of a fellow citizen doesn't in and of itself entitle anybody to do or view anything, that's up to the applicable privacy and access policies.

    The English NHS introduced the "NHS Number", a unique ID for patients within the goverment health system, with the specific intent of allowing the exchange of data between healthcare providers; to increase the reliability and trustworthiness of the data as created by other providers (and associated with one and the same ID). CDA documents in this environment usually only contain the NHS Number (and no other demographics data) - if a receiver wishes to get hold of the demographics [i.e. should the patient be unknown to them], they are allowed to query a central registry, which based on privacy policies may respond with no/partial/full/confidential parts of the patient demographics.

    Whether federated or centrally assigned: without reliable patient IDs any attempt at creating a shared medical record are doomed to fail. Sure, there are legal differences between the US and the aforementioned European countries - the experiences are however general enough to apply to any country which is serious in its attempt to create a shared EHR.