Patient identifiers: Feel more secure, or be very afraid?

The implementation of a Unique Patient Identifier (UPI), some argue, will lead to unauthorized access to people's health information, resulting in discrimination and denial of opportunities. Others counter that it will, in fact, improve security and protect privacy. What are the implications of using the alternatives? Let us unravel the mystery!

The current method of identification starts with a provider organization assigning Medical Record Numbers (MRNs) to patients based on its patient directory called the Master Patient Index (MPI). MRNs facilitate access to a patient's information from multiple visits but are provider-specific. Integrated delivery networks and multi-facility provider organizations use enterprise-wide MPIs (EMPIs) and EMPI numbers. The EMPI number facilitates access to patients' information across multiple organizations within the enterprise. At the national level, UPI is intended to facilitate access to clinical information from all providers who provided care but may be situated across organizational and geographical boundaries. The medical record information belongs to the patients but the provider has the custodial ownership.

Feel More Secure with UPI

How can UPI protect your privacy? The content-free UPI masks your identity and eliminates the repeated use of your personal information such as name, address, sex and date of birth. It protects your privacy and facilitates anonymous care.

How can UPI improve security? Contrary to popular misgivings, the identifier adds more layers of protection. An identifier separates the identification process from the access control process. Directory level security verifies the requestor's privileges and authenticity before validating an identifier. Access control level security verifies the requestor's role, privileges and patient consent among other things before granting access to information. The identifier itself can be encrypted to add another layer of protection.

The UPI provides timely access to appropriate and complete information. On the other hand, multiple identifiers for the same patient keeps the information fragmented and results in delayed access. UPI enhances the existing system, and builds upon the available personal and technical infrastructure. Unscrupulous and determined hackers can of course find a way to break into systems with or without an identifier. However, you can feel safe that UPI is significantly strengthening access security and privacy protections.

One of the alternatives to using a content-free UPI is to use the patient's personal attributes such as name, address, sex and date of birth to search and match information from other locations. This is in contradiction to HIPAA's de-identification concept and the ANSI/ASTM's content-free identifier requirement; however, many recommend this method.

Don't you think it is scary that instead of safeguarding personal information to protect your privacy, the information will be transmitted back and forth across the nation among the many providers each time to search and match your clinical information? Why should we develop or maintain methods that can potentially expose rather than safeguard patient information?

Consider the human errors that can occur while obtaining, transcribing and transmitting such detailed information. The reliability of a matching algorithm can only be as good as that of the information it uses.

Be very, very afraid

Matching algorithms have been in use to detect duplicate numbers and overlays, and several vendors have already included them as part of their MPI software. Experience shows that MPI errors occur in spite of such algorithms. Proposals to create identification systems based on matching algorithm have been around for years. Due to inherent complexities and difficulties a commercially available solution, however, is still elusive.

The current method of identification across the industry is based on identifiers. All users such as providers, payers, system developers, and standard developing organizations depend on it. Can the industry bear the burden of supporting dual systems? The current regional and national health information network initiatives depend upon a reliable identifier to interconnect providers. The failure to use the UPI as a patient identifier standard will indeed be a situation of which you should be very afraid.

UPI is a natural outgrowth of MPI and EMPI. MRN provides the control that a provider organization needs to create, manage and protect patient information. EMPI while preserving the provider's control, facilitates interoperability across an enterprise. Similarly, UPI will preserve the providers' control of patient information and facilitate interoperability among them across the nation.

Soloman I. Appavu, CHPS, CPHIMS, FHIMSS is the Director of Systems Planning at Cook County Hospital and Cook County Bureau of Health Services. He has served as the leader of NHII Special Interest Group on Patient Identifier (2003 & 2004).