Home / Medicine & the Law / Do unique identifiers violate patient privacy?

Do unique identifiers violate patient privacy?

By Karen E. Davidson, Esq. & Dana L. Holtz, Esq.

There is a dynamic transformation taking place in the health care industry. With the emergence of managed care, there has been an increased demand for high quality health care, cost effectiveness, increased productivity and quality assurance. The provision of health care through geographically disperse and functionally diverse entities—such as group practices, management service organizations, independent practice associations and physician/hospital organizations—has created a need for the effective and efficient exchange of health information. Modern technological advances have both supported and fostered this trend, and will continue to do so into the future.

Every health care organization uses some type of identification system to identify patients and maintain medical records. These identification systems are unique to each organization, yet individuals frequently traverse organizational boundaries. Today, medical records consist of more than paper files in the office of one provider. Rather, there is an increasing use of computerized records, frequently maintained in the offices of multiple providers. As individuals have become more mobile, frequently visiting multiple providers, and are increasingly being referred by primary physicians to various specialists (especially in the managed care arena), a growing need for the sharing of health care information has arisen. The effective exchange of health care information facilitates the delivery of coordinated and continuous health care, and enhances the management of administrative functions, such as billing and submission of claims and the coordination of benefits.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act enacted by Congress in 1996 (HIPAA) requires the Department of Health and Human Services (HHS) to adopt standards which provide for a unique health identifier (UHI) for each individual, employer, health plan and health care provider. In response, HHS issued a “White Paper” summarizing the issues involved in the development and implementation of UHIs for individuals. The paper indicates that the standards HHS is required to adopt on UHIs for individuals are designed to be part of a process to achieve uniform national health data standards and to maintain health information privacy while supporting the electronic exchange of health information.

Unique Health Identifiers

The proposed adoption of UHIs for individuals has generated much controversy, a great degree of which surrounds the impact these identifiers may have on the privacy of health information (i.e., individually identifiable health information). Given the controversy, HHS has announced that it will proceed cautiously in implementing UHIs for individuals. It has requested public comment on several issues including those associated with confidentiality and privacy concerns.

A unique health identifier for individuals could serve several purposes. One could be to enhance the provision of quality health care services by facilitating the accurate and rapid identification and compilation of an individual’s health records. The identification of health information can often be difficult because, at present, each organization uses its own identification system. Although many of these systems are based on the same attributes (e.g., patient name, birth date, etc.), the information is not necessarily captured in identical ways.

Unique health identifiers for individuals could also facilitate the synthesis of health information among various health care providers. Their access to historical and other health information can be an important component of quality care. Thus, for example, unique health identifiers may help to coordinate the medicating of patients through the integration of information on drug allergies and other medications being taken by patients.

Privacy and Confidentiality Concerns

In addition to the establishment of UHIs for individuals, HIPAA requires the Secretary of HHS to submit to Congress detailed recommendations on standards with respect to privacy of individually identifiable health information. In September 1997, the Secretary submitted her recommendations to Congress regarding these privacy standards. If Congress fails to enact such privacy legislation by August 21, 1999, the Secretary will be required to issue final regulations to protect the privacy of such individually identifiable information. The Secretary’s recommendations focus on, and underscore, the need for privacy legislation to be enacted in conjunction with the implementation of UHIs for individuals.

Currently, there is little federal protection for the privacy of health information. Such information is generally protected by state law with each state having its own set of standards and requirements. As the Secretary noted in her recommendation to Congress, state laws vary greatly in both scope and effectiveness. As a result, they cannot adequately protect the privacy of health information moving across state borders. Consequently, the privacy and confidentiality of health information may be threatened even more by interstate movement. It is precisely because of the increased flow of health information across interstate boundaries that many believe there is a need for uniform privacy standards.

Any discussion about the exchange of health information must address the privacy and confidentiality implications. The National Committee on Vital Health and Statistics (the public advisory board to HHS which helps HHS develop policy on health data, statistics and national health information), has recommended to the Secretary that the selection and implementation of UHIs be delayed in the absence of federal legislation aimed at ensuring the confidentiality of individually identifiable health information. Similarly, Vice President Gore announced that the Clinton administration will attempt to block the implementation of UHIs until comprehensive privacy legislation is enacted.

Confidentiality is one cornerstone of quality health care. Legal and ethical duties to maintain the confidentiality of health information are imposed on health care providers, in part, to encourage complete disclosure by the patient. The basis for the imposition of these duties is premised on the notion that a patient, believing that all communications will be held in the strictest of confidence, will be more willing to seek treatment and fully disclose all vital information, enabling the health care provider to more effectively diagnose and treat the patient. Without full disclosure of pertinent information, the quality of health care is endangered.

Protection of the confidentiality of health information within an organization is provided by the organization’s own security system and the underlying state’s privacy laws. Opponents to the adoption of a unique health identifier argue that the use of multiple identifiers across organizations helps protect the confidentiality of health information, precisely because it impedes linkages of information across data systems. They also argue that the use of an identifier for more than one purpose, such as the use of social security numbers as the unique health identifier, may threaten the privacy of other types of information, such as financial and credit data, and employment information.

Proponents of unique health identifiers acknowledge that maintaining the confidentiality of health information should clearly be a priority. But, they counter that it should not impede progress towards the development of a system within which health information may be effectively exchanged. They also argue that the current system for maintaining health information not only impedes the exchange of information, but also may threaten privacy because each organization has its own identification system, and personal information must be revealed about patients to ensure proper identification. They posit that UHIs for individuals can help standardize access and identification methods and, by eliminating the need for the repetitive disclosure of personal information, can help protect individual privacy.

The general consensus seems to be that, if a unique health identifier is adopted, it should only be done in conjunction with the enactment of federal legislation on privacy. With levels of security varying from organization to organization and state laws differing widely, comprehensive federal protection may well be needed to protect the transfer of health information among different organizations. Most people agree that there must be some basic protections to maintain the privacy of health information. But, with the changing face of the health care industry, federal privacy legislation may need to go beyond providing basic protections for maintaining confidentiality while fostering the free flow of health information.

Karen E. Davidson, Esq. & Dana L. Holtz, Esq. are with Wade, Goldstein, Landau, Abruzzo, Mackarey & Davidson, P.C., in Berwyn, PA.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.