"Do Unique Identifiers Violate Patient Privacy?"

[Peter Marshall <techdiff@ix.netcom.com>]

>From Physician's News Digest
Medicine & the Law

Do Unique Identifiers Violate Patient Privacy?
Karen E. Davidson, Esq. & Dana L. Holtz, Esq.

[Physician's News Digest, October 1998. © 1998
Physician's News Digest, Inc.]

There is a dynamic transformation taking place in
the health care industry. With the emergence of
managed care, there has been an increased demand
for high quality health care, cost effectiveness,   -----------------------
increased productivity and quality assurance. The
provision of health care through geographically
disperse and functionally diverse entities-such
as group practices, management service
organizations, independent practice associations
and physician/hospital organizations-has created
a need for the effective and efficient exchange
of health information. Modern technological
advances have both supported and fostered this
trend, and will continue to do so into the
future.

Every health care organization uses some type of
identification system to identify patients and
maintain medical records. These identification
systems are unique to each organization, yet
individuals frequently traverse organizational
boundaries. Today, medical records consist of
more than paper files in the office of one
provider. Rather, there is an increasing use of
computerized records, frequently maintained in
the offices of multiple providers. As individuals
have become more mobile, frequently visiting
multiple providers, and are increasingly being
referred by primary physicians to various
specialists (especially in the managed care
arena), a growing need for the sharing of health
care information has arisen. The effective
exchange of health care information facilitates
the delivery of coordinated and continuous health
care, and enhances the management of
administrative functions, such as billing and
submission of claims and the coordination of
benefits.

Health Insurance Portability and Accountability
Act

The Health Insurance Portability and
Accountability Act enacted by Congress in 1996
(HIPAA) requires the Department of Health and
Human Services (HHS) to adopt standards which
provide for a unique health identifier (UHI) for
each individual, employer, health plan and health
care provider. In response, HHS issued a "White
Paper" summarizing the issues involved in the
development and implementation of UHIs for
individuals. The paper indicates that the
standards HHS is required to adopt on UHIs for
individuals are designed to be part of a process
to achieve uniform national health data standards
and to maintain health information privacy while
supporting the electronic exchange of health
information.

Unique Health Identifiers

The proposed adoption of UHIs for individuals has
generated much controversy, a great degree of
which surrounds the impact these identifiers may
have on the privacy of health information (i.e.,
individually identifiable health information).
Given the controversy, HHS has announced that it
will proceed cautiously in implementing UHIs for
individuals. It has requested public comment on
several issues including those associated with
confidentiality and privacy concerns.

A unique health identifier for individuals could
serve several purposes. One could be to enhance
the provision of quality health care services by
facilitating the accurate and rapid
identification and compilation of an individual's
health records. The identification of health
information can often be difficult because, at
present, each organization uses its own
identification system. Although many of these
systems are based on the same attributes (e.g.,
patient name, birth date, etc.), the information
is not necessarily captured in identical ways.

Unique health identifiers for individuals could
also facilitate the synthesis of health
information among various health care providers.
Their access to historical and other health
information can be an important component of
quality care. Thus, for example, unique health
identifiers may help to coordinate the medicating
of patients through the integration of
information on drug allergies and other
medications being taken by patients.

Privacy and Confidentiality Concerns

In addition to the establishment of UHIs for
individuals, HIPAA requires the Secretary of HHS
to submit to Congress detailed recommendations on
standards with respect to privacy of individually
identifiable health information. In September
1997, the Secretary submitted her recommendations
to Congress regarding these privacy standards. If
Congress fails to enact such privacy legislation
by August 21, 1999, the Secretary will be
required to issue final regulations to protect
the privacy of such individually identifiable
information. The Secretary's recommendations
focus on, and underscore, the need for privacy
legislation to be enacted in conjunction with the
implementation of UHIs for individuals.

Currently, there is little federal protection for
the privacy of health information. Such
information is generally protected by state law
with each state having its own set of standards
and requirements. As the Secretary noted in her
recommendation to Congress, state laws vary
greatly in both scope and effectiveness. As a
result, they cannot adequately protect the
privacy of health information moving across state
borders. Consequently, the privacy and
confidentiality of health information may be
threatened even more by interstate movement. It
is precisely because of the increased flow of
health information across interstate boundaries
that many believe there is a need for uniform
privacy standards.

Any discussion about the exchange of health
information must address the privacy and
confidentiality implications. The National
Committee on Vital Health and Statistics (the
public advisory board to HHS which helps HHS
develop policy on health data, statistics and
national health information), has recommended to
the Secretary that the selection and
implementation of UHIs be delayed in the absence
of federal legislation aimed at ensuring the
confidentiality of individually identifiable
health information. Similarly, Vice President
Gore announced that the Clinton administration
will attempt to block the implementation of UHIs
until comprehensive privacy legislation is
enacted.

Confidentiality is one cornerstone of quality
health care. Legal and ethical duties to maintain
the confidentiality of health information are
imposed on health care providers, in part, to
encourage complete disclosure by the patient. The
basis for the imposition of these duties is
premised on the notion that a patient, believing
that all communications will be held i