Here’s a guest post from Meg Aranow, Principal at Aranow Consulting LLC.
Some of us remember that the early HIPAA discussions included the concept of a national patient identifier. As legislators and administrators attempted to find the right balance between the risks and rewards of automation, ultimately the patient identifier was thought to pose too much privacy risk. I think that was the right decision in 1998. But is it right in 2013?
The risk-reward playing field has been significantly altered by the infusion of federal stimulus money to hasten the implementation of data exchange among collaborating providers of care. Clinically misidentified patients are patients who are not associated with their own medical histories or are mistakenly associated with someone else’s medical histories. These patients have a heightened risk for inappropriate and potentially dangerous care provision. This potential has always existed within our institutions, but the prevalence increases as our collaborative models are extended. When clinic records are shared with the collaborating specialty clinic, and then shared with the hospital and then the post-acute facilities, we increase both the opportunity to deliver great care and the risk of misidentification occurring somewhere in the chain.
Washington administrators are considering a new set of standards to routinize matching algorithms in an attempt to reduce patient mismatches. To dictate standard matching criteria will compromise the very privacy safeguards they sought to maintain by eliminating the patient identifier in the first place. Standardized criteria are a weak substitute for an identifier – they weaken privacy protections and don’t actually solve the underlying problems of errant patient identification, which stems from intentional or unintentional misreporting and recording of patient demographics.
Undoubtedly there are risks with a national patient identifier. We need to continue our efforts to bolster security and privacy. Unfortunately, today security awareness and breaches both seem to be on the rise. Most CIOs are acutely aware of the security standards they must meet and report that they are making incremental progress against multi-year agendas… perhaps foreshadowing a point in the future where breaches of PHI will become increasingly rare. Additionally, medical identity theft is estimated in the billions – Ponemon Institute suggests a high end of $30B per year. Making more money available for preventative measures rather than paying for the penalties and remedies for the lapses seems like a worthy paradigm shift. Strong, reasonably funded security and privacy requirements with repercussions for mistakes and abuse may be the path to finding the new balance of risk and benefit for a collaborative medical system based on a national patient identifier.
A patient identifier, separate and distinct from the social security number, and used as one factor in multi-factor authentication at the point of registration for services, would assist in the accurate identification of patients at the point of care. The persistent use of the patient identifier in the private and public HIEs will streamline efforts to share data among collaborating clinicians and public health entities and make them more accurate.
In addition to his CIO role at BIDMC, Dr. Halamka blogs at GeekDoctor.blogspot.com.