HIPAA/HITECH, Privacy

Ease Ban on Unique Patient IDs, Groups Again Urge Congress

Industry Groups Seek Better Coordination With HHS

Healthcare industry organizations are again asking Congress to ease a ban that prohibits the Department of Health and Human Services from funding unique patient identifiers, saying that a failure to act will be detrimental to the success of healthcare information exchanges, especially at a national level.


The ban was passed by Congress almost two decades ago, prompted in part by privacy concerns.

But an April 5 letter to eight key Senate and House committee leaders warns that "one of the most significant challenges inhibiting the safe and secure electronic exchange of health information is the lack of a consistent patient data matching strategy."

Accordingly, the letter asks that Congress include in its fiscal 2018 appropriations bill language stating that HHS is allowed to engage with private sector organizations and to help advance patient data matching.

The letter has been signed by 25 health industry organizations, including several healthcare CIO and CISO professional organizations. The Healthcare Information and Management Systems Society, the College of Healthcare Information Management Executives, and the American Medical Informatics Association are amongst the various organizations that have signed the letter.

Post-HIPAA Ban

When Congress passed the Health Insurance Portability and Accountability Act in 1996, the law called for the creation of a unique health identifier for individuals. But in response to related privacy concerns, Congress in 1999 passed a law that prohibits federal funds from being used to develop any such identifier.

But that law has had repercussions that lawmakers may not have predicted, not least when it comes to the challenge of attempting to securely and safely share electronic patient data. For example, as the nation's healthcare providers have transitioned to electronic health record systems, driven in part by government mandates, one of the biggest obstacles remains the difficulty of ensuring that providers can access all relevant health information for any given individual, not least for making clinical decisions.

In recent years, HIMSS, the College of Healthcare Information Management Executives, the American Health Information Management Association and a number of other healthcare industry organizations have been calling on Congress to rethink its prohibition on HHS being involved in the use of unique patient identifiers.

While most of the groups aren't specifically calling for Congress to allow the creation of a government-issued unique national identifier for patients, they are asking legislators to allow HHS to collaborate with private organizations to find better ways to employ patient IDs, or to bring together multiple unique IDs that might all reference the same individual.

In an email to Information Security Media Group, HIMSS says it and its partner organizations "are in ongoing discussions to educate appropriators on the importance of [adding] this language [to the funding bill] and the patient matching issue more broadly."

Goal: Remove Barriers

Specifically, the letter asks Congress to include language in its fiscal 2018 appropriations bill that would "remove barriers to HHS engaging with the private sector to develop solutions to improve the accuracy and efficiency of patient data matching."

In a statement, HIMSS says the groups' letter asks Congress to include language in its appropriation bill that will make clear that the current ban on unique patient identifiers "should not prohibit HHS from examining the issues around patient matching."

This isn't the first time that lawmakers have weighed related moves. Last year, the House Committee on Appropriations, in a report accompanying a fiscal 2017 funding bill, proposed allowing HHS to provide technical assistance on the patient data matching issue. However, that language was dropped in the final spending package signed into law.

Risk to Patients

Misidentifying patients - or failing to provide clinicians with the full picture of a patient's health - can increase risks for patients, leading to medical errors, as well as create privacy risks and other problems, according to a National Patient Misidentification Report issued in 2016 by the Ponemon Institute, sponsored by healthcare IT security firm Imprivata.

Prior HHS officials - including Karen DeSalvo, M.D., former national coordinator for health IT - have also sounded warnings about the danger of failing to accurately match patients' identities with the correct patient data, saying it remains one of the biggest hurdles in the United States for exchanging health information at a national level.

Time to Ease Up?

Other privacy and security experts are also calling on Congress to ease up.

"It is absolutely clear that a better way to match patients would be helpful to both the healthcare industry and patients, by making care somewhat less expensive, generally more efficient and reducing some scenarios where there is actual harm to patients," says privacy attorney Kirk Nahra of the law firm Wiley Rein.

A failure to act now could create even more repercussions in the future. "This is probably one of the biggest hurdles the industry needs to clear if it ever hopes to create a complete medical record view of the patient," says Mac McMillan, president of security consulting firm CynergisTek. "The ability to accurately relate a patient to his or her medical information has huge implications in many areas, privacy and security included."

McMillan says that allowing government agencies with health IT policy responsibilities to work with industry to improve the accuracy of patient databases and information "is the right thing to do," and that there's no hidden agenda. "You look at the list of organizations that signed this letter, these are healthcare organizations dedicated to the responsible use of patient information," he says.

Among the two dozen entities signing the letter are several healthcare provider organizations, including Intermountain Healthcare, an integrated health delivery system in Utah, as well as Nemours Children's Health System, which is a pediatric health system in Delaware, New Jersey, Pennsylvania and Florida.

Twenty Years Later

The original Congressional ban that dates from nearly 20 years ago "was a rigid objection to a new patient identifier," Wiley Rein's Nahra says. "Most of the objections about this identifier are primarily 'general' objections about the overall use of healthcare data and not really anything specific about this identifier, per se."

Nahra adds that prohibiting HHS from being involved in issues relating to patient ID matching "doesn't make a lot of sense" because the federal government "is such a critical player in the healthcare industry as a provider and payer, in addition to being a regulator."


About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.



