Lifting the U.S. Ban on a National Patient Identifier: 3 Things to Know

By Daniel Cidon, CTO of NextGate
Twitter: @NextGate
Twitter: @dcidon

On June 12, the nation’s longtime ban on a universal patient identifier was overturned in a landmark decision by the House. While the Foster-Kelly Amendment to remove Section 510 still needs approval by the Senate to become law, it nevertheless is a sizable victory for industry groups two-decades in the making.

When Congress dismissed the concept of a national patient identifier in the early 1990s, healthcare’s IT infrastructure was still relatively immature. Today, however, in the wake of digitization, healthcare organizations are inundated with data, and widespread information sharing across settings remains a decisive goal.

Healthcare’s massive transformation is forcing federal officials to rethink current approaches for managing patient identity. In the interest of establishing a highly-integrated, data-driven future, changing opinions in Washington come at a very salient time. But what would adoption of national patient identifier really mean? Here are three things to know.

1. A national patient identifier will not solve America’s patient matching crisis
Attention on accurate patient identification has accelerated in the past few years, with all sectors of the industry working to develop a better understanding of the issues and identifying potential solutions. However, much of the work has demonstrated that there is no single solution that will guarantee 100 percent accuracy.

A sound patient matching strategy requires more than simply focusing on a single source or number to identify an individual. The social security number (SSN), for example, was used for decades in the U.S. as a national identifier. However, highly vulnerable to fraud and data entry errors, most healthcare institutions have ceased use of the SSN as a part of their patient identification strategy.

While a national patient identifier (NPI) would help to further medical record linkage across systems and locations, matching algorithms and processes for data governance in practice today would still be required. One only needs to look at other countries that have a mandated number for confirmation—but more on that later.

Rather than look to a universal patient identifier as the holy grail to solving America’s patient matching challenges, it would be wise to treat an NPI as just another strong indicator of identity, like a driver’s license or phone number.

2. Implementation of a universal patient identifier will not happen overnight
Over the years, many industry experts have pointed to other countries that have instituted unique patient identifiers. While such identifiers have improved the state of patient matching, the results in countries such as England and Scotland—which have long had a mandated identifier—show it alone is not enough to achieve total integration across health and social care services. For example, legacy applications in England still cannot store valid National Health Service (NHS) numbers or connect in real-time to query the Patient Demographic Service for the NHS number. Further, systems continue to have demographic inaccuracies and multiple NHS numbers applied to a single patient. In fact, even with the NHS identifier in place, our Enterprise Master Patient Index (EMPI) platform is routinely utilized to help manage patient identifiers. Employed by multiple NHS trusts, the EMPI allows social care data, which often does not include an NHS number, to be married together with healthcare data.

Leaders in England estimate it will take another 10-15 years to get social care systems (which were never designed to manage an NHS number) integrated into the program. Because the U.S. healthcare system is much larger in scope and far more complex than that of the U.K., we can expect difficulties in implementing a unique patient identifier to be proportionally greater. Although the infrastructure is in large part available, transmission and capture of a single patient identifier across thousands of disparate systems in America will take decades for full adoption.

Even before widespread adoption of an NPI can begin to take place, regulatory and systemic standards must be addressed, including:

  • Management of the NPI itself: Which organization will be responsible for assigning and maintaining the NPI and associated demographic information? How will that organization manage the NPI so that it remains up to date and accurate, and de-duplicated?
  • Assessment of industry’s existing applications and infrastructure capabilities: If technology is required at the initial NPI collection point, it will take time for the existing systems (e.g. registration, emergency department) to get the technology. Once the NPI is created, how will it be supported (adopted) by existing systems?

At a minimum, systems will need to be modified to store the NPI as a new data element, and then more customizations in business logic will be required to incorporate the NPI in patient queries and data transactions. This will take the bulk of the time, to retrofit and update the systems used by the industry so they can accept, and more importantly leverage, the NPI.

3. A unique health identifier will not threaten patient privacy
Critics of NPIs fear that tying all of an individual’s health information to a single identifier could spell a privacy disaster and thus remains a significant barrier to political support.

Though removal of the ban would reinstate provisions of the HIPAA Act which call for adoption of standards that would protect one’s data privacy and security against fraud or misuse. As the provision states: “The Secretary shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan and health care provider for use in the health care system.”

In fact, an NPI would actually be more secure than the industry’s current practice of collecting multiple demographic data elements on individuals—all of which are highly susceptible to medical identity theft. Medical data is now the top target of hackers and healthcare continues to lead all other industries in data breach incidents. According to a new report, almost 32 million patient records were breached in the first half of 2019 — more than double over the entire 2018 calendar year.

Additionally, a breached identifier would be easier to retire and replace than immutable elements that cannot be changed, like your name and date of birth. Further, studies that have analyzed use of NPIs in Europe have found no significant security breaches of consumer health information.

Healthcare Transformation Places National Spotlight on Patient Identification
Instituting an NPI won’t be the silver bullet to overcoming all our patient matching challenges, however, to do nothing is no longer an option. While removing the prohibition does not imply an NHS-like solution—it will allow the dialog to start.

Today, the issue of poor patient identification and duplicate records has grown increasingly complex as more data is generated and more applications are introduced into the healthcare environment. As population health and accountable, coordinated care take hold, organizations now find themselves under increased pressure to effectively identify, track and manage individuals across care settings.

As the foundation for patient safety and interoperability, patient identification issues are financially crippling—costing our nation’s healthcare system over $6 billion dollars annually. Furthermore, industry statistics tell us:

Reaping the rewards of a fully-integrated healthcare system can only be realized when patients are accurately and consistently matched with their data. As we move forward to make interoperability more of a reality, let’s ensure a national patient matching and identification strategy is an integral part of the process. It will not only result in safe, effective care management, but establish the foundation for reliable data exchange, operational and financial efficiencies, and a better patient experience.

This article was originally published on the NextGate Blog and is republished here with permission.