In support of National Health IT Week (#NHITweek) and Patient ID Day (#PatientIDNow), we offer the following amended excerpt authored by Scott Stuewe from the “August 2019 President’s Report to the Board of Directors” regarding the topic of a national patient identifier.

Probabilistic Matching Has Failed – will a National ID Help, or for that matter, even happen?

The challenge for all of our interoperability goals is that as long as patient matching is managed “probabilistically”, (meaning it is probable, but not assured, the patient is the same) the costs of improving match rates may exceed the industry’s capacity to pay for it.  Improving the probability that a record provided by one system matches one provided by another requires standing up systems that are expensive to deploy and maintain; the best such systems today only result in match rates around 90%. New studies have shown that if there were standards for collecting demographics in a standard way this match rate percentage could get better, but nobody claims this would solve the problem totally – and such “master patient index” systems would still be required.[1]  New algorithms that use “referential match” as an approach bring data from other sources, like credit data, to link disparate records still probabilistically with additional costs for the licensure of the data as well as having the effect of sweetening the identity theft target the system represents.

If there were a more “deterministic” approach to identity, where we always knew who we were treating in the healthcare system, and we had reliable ways to associate records to this identity, there would be far less dependence upon chance.  Such deterministic models are black and white – records either match or they don’t and are based on a few, reliably captured data elements.  The idea is to focus on reliability of the system of identification rather than comparing multiple data elements and calculating probabilities.  Federal employees (and lots of other employees) have such identification cards to get access to physical locations and systems.  Such cards could be issued by multiple authorities and universally trusted as long as the right framework were in place.  Issuing cards like this is also an expensive proposition.

A solution that solves for “identity” instead of “patient matching” is teasing us in the rule making and elsewhere - the numerous governmental patient matching RFIs, industry “challenges” and most recently in the actions of the House of Representatives.  The tiny Foster amendment to the appropriations bill HR 2740 which contains only the words “Amendment strikes Section 510, which currently prohibits HHS from spending any federal dollars to promulgate or adopt a national patient identifier” is the ultimate taunt. This ban has been in place since 1999, introduced in an HHS appropriations bill with language modified slightly in 2015 and every year thereafter[2].  Once Section 510 is struck, the language in HIPAA that immediately becomes law reads: “The Secretary [of Health and Human Services] shall adopt standards providing for a standard unique health identifier for each individual, employer, health plan and health care provider for use in the health care system.”

With a conversation just to begin again on the subject of a standard to create such a unique patient identifier (UPI), with identity-proofing requirements for consumers using apps written into the information blocking rule and with patient matching percentages stubbornly only slightly better than when I first installed an Enterprise Master Patient Index system in 1999, you would think we were about to witness a sea-change in terms of identity.  So far, reversing the ban seems to have some bipartisan support. CHIME, AHIMA, AMIA and other prominent organizations have lined up to support reversing the ban. We have offered our support on social media. I have written my Senator.  Have you? There are a few organizations that are concerned with how this is done, but there is broad agreement that interoperability doesn’t really work if we don’t solve the “patient-matching problem”. The question is, will the issuance of a unique health identifier solve this problem by itself? Will master patient index technologies still be needed?  Will anything happen even if the ban is lifted? Well, it depends…

Many observers have offered that the new Medicare number is good a model for a UPI.  The only change the new number brought forward is the removal of the Social Security Number from the Medicare card, which is a step in the right direction to prevent identity theft, but nothing else was done to “modernize” the card or the way it is used. The scope of use for the Medicare number and card is limited to providing evidence of eligibility for benefits and to aid in the payment of claims.  As a mechanism for ensuring effective patient matching and for that matter, eliminating Medicare fraud, the new model isn’t really an answer and doesn’t actually claim to be.

I am certain that by the time a Medicare recipient gets their new number they have been identity proofed acceptably.  However, since the ID is just a “string on a card” and has no associated biometric (not a picture or even a signature for example) or a digital authenticator it’s not even up to date with the “chip” cards the banking industry has just universally adopted or even with the Federal Real-ID standard. Are we to assume that recipients are expected to remember the 11-digit string with both letters and numbers? Not likely.  Providers will enter the numbers manually as there is no mechanism for “reading” the card by any means with an opportunity for “fat-fingering” of the number and associated demographics. For some of the 50 million or so Medicare beneficiaries, healthcare is quite important and their relationships with providers are long established.  However, a great many have only infrequent encounters with the healthcare system and will need to remember to bring their cards along wherever they might seek care.  Providers, ostensibly, can look up a Medicare beneficiary’s number as well.  The Medicare Beneficiary Identifier (MBI) has only the benefit of being a unique identifier that is not the social security number.  The process for collecting the number in the EHR along with consistent demographics and for validating the person presenting the card is who they say they are is not addressed.  In this regard, the MBI compares unfavorably with Real-IDs issued by the state Divisions of Motor Vehicles.  More on this a little later.

For the general population to learn to carry the new card if it is to be modeled after the Medicare MBI, it would need to be essential wallet cargo.  Let’s assume for a moment that we won’t have “Medicare For All” and the new card would not be utilized for establishing eligibility or adjudicating claims. Convincing the roughly 270 million people that are insured that they need to carry the new card in addition to the card they get every year from their insurance company will be hard unless it is required to receive care (as the insurance card is more-or-less).

Considerations of Scope

The first questions to be raised in the standards effort for a UPI is deciding what we are solving for and what sort of safe-guards we will require. Privacy and security need to be considered along with utility, but what will be the scope of feature we expect from the National ID?  Is its primary goal to solve today’s (and tomorrow’s) patient matching problem?  If so, what activities will require we present it?   Will it be required to receive care?  Will it be a card readable for all its demographic data easily?  Will there be a mandate that EHRs be able to read it? Will it include a digital authenticator so it could be used as a part of remote identify proofing for consumers when they log in to apps?  Is it just the unique id string the government will issue and the industry will decide what to do with it or will the government issue cards with all these features?

Additional controversial questions arise around the scope of issuance.  When will children be issued cards?  At birth?  Are familial relationships to be managed as a part of the system so that records on children can be associated with parents who will act as proxies? What Demographics/biometrics (pictures?) are to be associated with children’s records?  Even more troublesome topics - what about undocumented immigrants?  What will visitors to the country use?  How are proxies to caregivers who aren’t family members supported?  How are proxies revoked (at divorce for example)?

Features Required to Solve for (or Improve) Patient Matching

Any system that works for solving the patient matching problem needs to do the following in today’s world at a minimum:

  • At the issuance of a credential:
    1. Assuring the identity of individuals before the issuance of a credential
      1. NIST guideline 800-63-3 Identity Level of Assurance 2 – IAL2 or higher)
    2. Binding the credential to a digital authenticator assuming:
      1. The credential is to be used for self-identification at log-in to systems with access to records or
      2. The credential will be digitally authenticated at presentation
    3. A biometric (a picture can do or a fingerprint) is linked to the credential
  • Requirements for utilization of the credential at presentation and registration
    1. Use of the credential is required to receive care and alternative processes are needed for when the credential is not available for any reason
    2. Assuring the identity of individuals as they present using the credential
    3. Obligatory electronic “reading” of the credential to capture relevant data at registration – includes demographics and identifiers associated with the identity
  • Requirements for interoperable exchange
    1. All transactions about the individual must contain both the Demographics as captured at issuance as well as a unique identifier associated with the credential
    2. Transactions that do not include a unique identifier must be considered unmatchable.

The Authority Questions and Answers

If we are to tackle identity, the most complex questions will revolve around the “authority” or “authorities” that will issue these identities and what level of control consumers have over this information.  The libertarians and privacy advocates will be concerned if the federal government has control over issuance, particularly if consumers can’t exert any control.  Some believe because of the security and “cyber” issues embedded in the topic we will never get to first-base on a National ID.

Most of the public hasn’t wrapped its head around the questions related to this issue much less the answers. To understand the spectrum of approaches here I like a blog post by Christopher Allen on the subject[3] that describes “The Evolution of Identity”. You might prefer to think of this as a range of choices on the authority question starting with centralized authority all the way through “self-sovereign identity” at the other extreme where the individual has ultimate control.  A recent Carin Alliance event I attended explored a current theory about how the modern world should (or could) work with regard to identity.

User-Centric Identity and FIDO2

The current thinking exemplified by OpenID, OAuth and FIDO/FIDO2 is referred to by Allen as “User-Centric Identity” where the industry boot-straps off IDs created on the consumer digital platforms.  He dismisses this approach with the following statement – “…it’s central authorities all over again. Worse, it’s like state-controlled authentication of identity, except with a self-elected “rogue” state.”  In point of fact though, multiple authorities could operate in a User-Centric Identity approach, again just depending upon an open and trusted framework.  In fact, a FIDO2 model allows users to maintain a “personal PKI” on their smart phone where a digital certificate and both public and private keys are stored on the same device.  This could solve some of the cost problems for the issuance of cards with digital authenticators embedded – but would require everyone has a smartphone.  Today according to Pew[4], 81% of American adults have smart phones. Younger demographics (18-29) the percentage is 96%.   Roughly 200 million of the total population of 330 million have smart phones and could potentially take advantage of a cell-phone based digital authenticator.  Roughly 25 million of those that don’t have smart phones are children.  Also, you still need to identity-proof everyone before issuing a FIDO2 Credential.

A Real ID Approach

If we get super-tactical and ignore the requirement for a digital authenticator, there are roughly 200 million drivers in the US which will be eligible to receive a Real ID by the end of 2020.  The problem is, not every driver will get the Real ID. The very reason it’s usable as an approach for identity (people who get it are already ID proofed to IAL2) is the reason not everyone wants it.  Getting a Real ID requires 4 different pieces of identity evidence in the worst case.  A lot of folks just decide it’s not worth the trouble particularly if they don’t fly a lot.  Others don’t get it because they are worried about the government having this information.  If, however, a Real-ID were required to get healthcare, adoption would really improve.  All Real ID drivers’ licenses have photos, “readable” barcodes and tamper resistant features.  If providers were required to be able to read the barcodes and push both the demographics and the identifier to the EHR we would be halfway there – well, nearly.

Both approaches have the potential to solve a big chunk of the “card issuance” problem for about 40% of the population.  Both approaches leave children to be solved as well as those without a smart phone or non-drivers.  A hybrid approach, where Real IDs are used as an easy mechanism to get identity proofed in order to instantiate a FIDO credential could allow both models to function alongside one another.  EHRs would need to be able to interact with both the barcode and the Digital authenticator on the smart phone.  Whew.

This conversation may stop before it starts, but this is what we will need to grapple with. 

Resources:

[1] https://www.pewtrusts.org/en/research-and-analysis/articles/2019/03/22/standardized-demographic-data-aids-patient-matching-rates-study-shows Pew Trusts - “Standardized Demographic Data Aids Patient Matching Rates, Study Shows”

[2] https://chimecentral.org/wp-content/uploads/2014/10/UPI-Language-Chart-FY15-18.pdf Chime, Comparison of Unique Patient Identifier Ban Language, FY99- FY18

[3] http://www.lifewithalacrity.com/2016/04/the-path-to-self-soverereign-identity.html?source=post_page, The Path to Self-Sovereign Identity, Christopher Allen, April 25, 2016 lifewithalacrity.com

[4] https://www.pewinternet.org/fact-sheet/mobile/ PewInternet Mobile Fact Sheet June 12, 2019