Identity Crisis: An Examination of the Costs and Benefits of a Unique Patient Identifier for the U.S. Health Care System
Sep 21, 2008
Improvements in healthcare information technology (HIT), properly implemented and widely adopted, should save money and significantly improve the quality of health care in the United States. A 2005 RAND study estimated that annual savings from efficiency alone could be upwards of $77 billion. A key component of these improvements is a National Health Information Network (NHIN) that would link disparate health care information systems across the United States to allow sharing of critical health information swiftly and easily.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 mandated the development of a unique patient identifier (UPI) to enable physicians, hospitals, and other authorized users to share clinical and administrative records more efficiently. A UPI could serve as a building block for the new NHIN. Since 2004, the Department of Health and Human Services (DHHS) has moved forward with steps to develop the NHIN. However, development of a UPI, a key to linking records across the emerging network, has been completely sidetracked by privacy concerns. These concerns eventually led Congress to ban DHHS from expending funds to develop the UPI.
The congressional ban has led to reliance on the alternative approach to creating a patient identifier: the use of statistical matching techniques to identify and access patient information. This method involves the identification of patients by matching patient data, such as name, address, zip code, or other information, with medical records. Debate in policy circles continues about the relative merits of the UPI versus statistical matching approaches.
To provide a more factual basis for this debate, a RAND study team led by Richard Hillestad analyzed and compared these two approaches across a number of dimensions, including error rates, operational efficiency, costs, and privacy and security issues. The team conducted reviews of the research literature and relevant statutes, interviews with health and IT practitioners involved in patient identification and health information exchange, and discussions with key national providers, consumers, insurers, and privacy organizations. The study found that, compared with a statistical matching approach, a UPI should reduce errors and improve interoperability without significantly increasing the risk of security or privacy breaches. A UPI would be more expensive to implement, but the additional costs should be viewed in the context of potential improvements in patient safety, system efficiency, and improved privacy protection.
Potential for Errors. One advantage of a properly implemented UPI system is its freedom from errors. If patients have a single, unique identifier that follows them throughout their lives and is used only for health records, there is relatively little chance of a mismatch between individuals and their records. Because statistical matching attempts to substitute for a UPI by using other kinds of information, such as names, birth dates, addresses, zip codes, or employer information, this technique has a higher potential for error than the UPI option because the other kinds of information may not be unique to the individual, may change over time, and may also be entered in varying formats in different databases.
Because statistical matching involves the probabilistic pairing of patient data with medical records, two types of errors may occur: false positives, linking to the wrong patient's records, and false negatives, missing the link between a patient and some part of his or her record. Published analyses have found false-negative error rates of about 8 percent in medical databases, trending higher in large databases with millions of records. These errors can pose significant risks for patient safety if providers act on incorrect or incomplete patient information.
Operating Issues. There are significant operational differences between the two methods:
Costs. The cost of a patient identifier depends on several variables, including the architecture chosen to achieve connectivity. To estimate the costs of a statistical matching approach, the authors examined one proposal that would consist of a "network of networks," in which individual providers would subscribe to a hierarchical structure that allows linking of patients to patient data in a particular region. This approach would require a onetime investment of $90 million and an annual maintenance cost of about $18 million to fund the Record Locator Services required for the matching. If patients must be enrolled in this system, the enrollment cost is estimated to be $1.5 billion. In comparison, a mandatory UPI system could be substantially more expensive. One estimate, based on adapting and enhancing Social Security numbers to be more secure, for use as UPIs, put total costs at between $3.9 and $9.2 billion, depending on the security features.
Security and Privacy. Security and privacy could actually be strengthened with a UPI. A unique patient identifier, once developed, would immediately become protected health information under federal and (applicable) state law. UPIs would be sensitive information and could be a target for illicit access. Unlike the demographic components of a statistical matching algorithm (such as the Social Security number), however, the UPI would not link to financial records that are the specific target of identity thieves. If the UPI were to facilitate the development of a more efficient national network, any potential negative effects of such a network could be ameliorated directly through other aspects of systems architecture, such as encryption, access controls, and audit trails. And use of a UPI would actually improve privacy by limiting the transmission of more sensitive identifiers, such as the combination of names, address, date of birth, and Social Security numbers.
Related RAND analysis examined privacy and security issues from a legal perspective. RAND researchers Michael Greenberg and Susan Ridgely studied the implications of UPIs in the context of an NHIN (RB-9376). They found that the emerging NHIN faces legal hurdles regardless of which approach to patient identification is adopted. They contend that the controversy over UPIs has distracted from the key privacy issue connected with an NHIN: the need for stronger protection for medical information under HIPAA in the context of an NHIN. They make the case that HIPAA's privacy rules are not adequate for an NHIN, regardless of whether the network involves a uniform national system or a patchwork arising from regional health information organizations. Therefore, strengthening HIPAA rules, not patient identification schemes, should be at the center of the national debate.