House Approves Lifting HHS Ban on Unique Patient IDsAmendment - Part of a Funding Bill - Still Has a Long Way to Go
The House of Representatives on Wednesday approved an amendment to a proposed appropriations bill that would lift a 20-year ban on the Department of Health and Human Services funding the development or adoption of a unique, national patient identifier. But plenty of hurdles remain.
Many healthcare and health IT industry groups have long been urging Congress to lift the ban so that an identifier could be used to help match patients with the correct electronic health information from multiple sources to improve care quality and patient safety. But privacy advocates worry that an identifier could lead to inappropriate exposure of sensitive information.
The bipartisan passage of the amendment by a 246 to 178 vote is the first time either chamber of Congress has approved an initiative to lift the ban.
But the House still needs to approve its appropriations bill. Plus, a similar provision lifting the ban would need to be approved by the Senate in its funding bill. Then a final funding bill containing a provision lifting the ban would need to be signed by President Trump.
"We still have a long way to go, but this [House amendment] is a major milestone," Leslie Krigstein, vice president of Congressional affairs at the College of Healthcare Information Management Executives, tells Information Security Media Group.
Along with the push in the 21st Century Cures Act for improved interoperability and secure national health information exchange, "this is the beginning of a serious conversation [in Congress] to improve patient matching, outcomes and health information exchange," she says.
The House-approved amendment is part of 2020 funding bill for HHS, which was listed as "unfinished business" as of Thursday.
Originally, HIPAA, which was enacted in 1996, required the creation of patient identifiers and other uniform standards for electronic data transmission to improve the reliability of health information. But Congress later banned HHS from expending funds to develop a unique patient identifier system, mainly because of privacy concerns.
Since the ban was first enacted in 1999, Congress has repeatedly included wording in annual HHS appropriation bills to uphold the restriction.
For instance, in fiscal 2019, the HHS appropriations bill states, "none of the funds made available in this Act may be used to promulgate or adopt any final standard ... providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual's capacity as an employer or a healthcare provider), until legislation is enacted specifically approving the standard."
Support for reassessing that ban has been gaining momentum over the last several years.
For example, the 21st Century Cures Act, passed by Congress and signed into law by President Obama in late 2016, required the Government Accountability Office to study the issue of matching all patient data obtained from various sources to the correct individual to help ensure appropriate treatment decisions are made.
Also, a bipartisan group of five senators in October 2017 sent a letter to the GAO asking the watchdog agency in its study on patient matching to produce specific recommendations for steps the HHS Office of the National Coordinator for Health IT could take to develop improved patient matching methods (see: Senators Portray Patient Matching as Urgent Issue).
The GAO in January issued that report, concluding that matching the right patients to all the right records continues to be a significant challenge, especially as healthcare providers increasingly seek to exchange health information, posing risks to patient safety and privacy (see: Patient Record Matching: Fixing What's Broken).
GAO noted in its report that healthcare industry stakeholders told the agency that much more could be done to improve patient record matching.
"For example, some said that implementing common standards for recording demographic data, sharing best practices and other resources and developing a public-private collaboration effort could each improve matching," GAO writes.
Stakeholders' views varied on the roles the ONC and others should play in these efforts and the extent to which the efforts would improve matching, GAO wrote.
"For example, some said that ONC could require demographic data standards as part of its responsibility for certifying EHR systems, while other stakeholders said that ONC could facilitate the voluntary adoption of such standards," the GAO wrote. "Multiple stakeholders emphasized that no single effort would solve the challenge of patient record matching."
In promoting his amendment on the House floor Wednesday, Rep. Bill Foster, D-Ill., told his Congressional colleagues that the proposal would "strike" the HHS ban from adopting standards for a unique patient identifier.
"For the last 21 years, this misguided policy has been in place, and thousands of Americans have died due to getting the wrong drug to the wrong patient or due to incorrect or incomplete electronic medical records, all arising from the inability to simply and correctly merge health records from different systems."
Krigstein of CHIME notes that HHS already uses unique identifiers for Medicare beneficiaries. Due to concerns, including identity theft risk, the Centers for Medicare and Medicaid Services began last year transitioning from the use of Social Security numbers to identify Medicare beneficiaries. Instead, CMS now uses new alpha-numerical identifiers.
A source tells ISMG that a patient identifier would be potentially "easier to change than a Social Security number" if a patients' identifier was breached or misused.
Balancing Benefits vs. Risks
Mac McMillan, CEO of security consulting firm CynergisTek, notes that most systems, applications and identity and access management solutions depend on the ability to accurately identify the user.
"The average healthcare enterprise has multiple identities for each patient, multiple identities for each caregiver, many duplicative names, etc., making relying on someone's name completely unreliable for access determinations," he says. "Just as adopting a standard format for [healthcare] claims made it possible to simplify administration and reduce fraud, having a unique identifier would enhance decisions on access, reduce fraud. That identifier plus other pieces of information about the patient can make accurately identifying the patient with more confidence.
"At some point the benefits outweigh the risk. We have Social Security numbers, drivers licenses, etc. that uniquely identify us. Why don't we get rid of them?"
The passage of the amendment is a significant development, but not necessarily a sign that the ban will actually get lifted anytime soon, some legal experts note.
"It's an interesting but very preliminary development," says privacy attorney Kirk Nahra of the law firm WilmerHale. "Obviously studying an issue is not the same as passing a law about it. There are various pros and cons about this question, but it is hard to see how the cons are so substantial that this isn't a topic worth evaluating," he adds.
"This is an important step in that direction but both a reasonable way away from happening and then a long way from any actionable result implementing anything."
There are valid privacy concerns about the potential for abuse of a patient identifier, similar to how Social Security numbers became used in a manner far outside their original intent, says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "But I believe that these concerns reasonably can be addressed through safeguards governing the permitted use of a UPI [unique patient identifier]. "Finally allowing a national unique patient identifier could lead to improved interoperability and patient safety and is long overdue."
Gus Malezis, CEO and president of security vendor Imprivata, says he strongly supports lifting the ban. "We welcome this newly cleared path to using unique health identifiers to help achieve interoperability," he says.
"True interoperability requires federation and identity management, which we can only achieve with a trusted foundation. That trusted foundation starts with identity proofing, and includes record resolution and binding to a biometric authenticator. Simply put: it's time to put an end to nation's patient identity crisis."
Some privacy advocates, however, are vehemently opposed to lifting the ban on a patient identifier.
Deborah Peel, M.D., a psychotherapist and president of advocacy group, Patient Privacy Rights, says the ban should "never, ever" be lifted.
"By now it's painfully obvious how destructive the imposition of $135 billion of bad health IT has been for the nation's health system - due to data holders' control of all our health data," she says, referring to the HITECH Act financial incentive program that propelled the nationwide adoption of EHRs. "Unique patient ID numbers will deepen the destruction of the health system."
Peel adds: "UPI numbers will ensure that all U.S. health data, no matter how sensitive, will be available to millions more hidden entities - corporations, governments, hackers, extortionists, ID thieves, etc. Without control over our own health data, massive continuing mega-data breaches will never end, because our data is in thousands or millions of databases and we have no way of protecting our data when we have no way of knowing how/where it's held or what corporations and governments hold it."
Peel contends that "the solution to patient matching is the very same method used in the 'paper age' - obtaining informed consent. No data flowed to any doctor or insurer without consent."