Creating Health ID Numbers Could Improve Patient Privacy


Oct 30, 2008

This commentary originally appeared on The Hill on October 30, 2008.

As it considers ways to improve the efficiency and quality of U.S. health care, one issue that a new Congress should reconsider is the longstanding roadblock that has stalled efforts to create a system of unique patient identification numbers for every person in the United States.

A new report from our group at the RAND Corporation suggests that while the cost of such an effort would be large (as much as $11 billion), it would likely return even more benefits to the nation's health care system by facilitating a reduction in medical errors, simplifying use of electronic medical records, increasing overall efficiency and helping to protect patient privacy.

It's the last of these issues that has held up plans to develop such a tool for the U.S. health care system. The Health Insurance Portability and Accountability Act (HIPPAA) of 1996 mandated the development of a unique patient identifier to help physicians, hospitals and other authorized users share clinical and administrative records more efficiently. However, since 1999 concerns about privacy have caused the Congress to ban the Department of Health and Human Services from spending funds to adopt standards for a unique patient identifier without Congressional approval.

With health reform discussions increasing again, as well as ongoing interest in the benefits of electronic health information, now may be the time to reconsider. Our work suggests that creating health ID numbers could actually improve patient privacy, not put it further at risk, because it avoids the use of more personally identifying information such as name, birth date and social security number, in the retrieval of health care records. Without a national unique patient identifier system, electronic medical records will be stored and retrieved using a patchwork of systems that are vulnerable to errors and governed by inconsistent safeguards. A clear and effective set of safeguards would be better.

Work done at RAND suggests one way to address privacy concerns would be to strengthen the HIPAA privacy rules and reconcile current state laws on health information privacy.

Strengthening HIPAA to create clear and strong national privacy rules would help address concerns and govern a national health information network. One change could be to expand the types of entities covered by the privacy rules. In addition to physicians and health plans, those governed should include organizations involved in collecting, storing, processing and transmitting health care information, as well as employers and insurers. The Congress also may want to put more teeth into enforcement efforts, making criminal prosecution more likely as a punishment for the misuse of protected health information. Other potential changes to the privacy rules could allow patients to decide whether they want to participate in the national health information network, or allow them to restrict electronic access to certain types of information, such as mental health or infectious disease records.

Richard Hillestad is a Senior Principal Researcher at the RAND Corporation.

This op-ed originally appeared on

More About This Commentary

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.