5 October 1998: Add links to related regulations
3 October 1998
1998/09/17; ASPE Testimony; A National ID Card STATEMENT FOR THE RECORD WILLIAM R. BRAITHWAITE, M.D., PH.D. SENIOR ADVISOR ON HEALTH INFORMATION POLICY OFFICE OF THE ASSISTANT SECRETARY FOR PLANNING AND EVALUATION U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES FOR THE SUBCOMMITTEE ON NATIONAL ECONOMIC GROWTH, NATURAL RESOURCES, AND REGULATORY AFFAIRS HOUSE COMMITTEE ON GOVERNMENT REFORM AND OVERSIGHT SEPTEMBER 17, 1998 Thank you for the opportunity to present the testimony of the Department of Health and Human Services (HHS) on the topic of the Unique Health Identifier (UHI) for individuals. The Administration believes that a UHI for individuals is important to the improving the quality of care patients receive by reducing medical errors and improving the efficiency and effectiveness of the health care system by standardizing the exchange of administrative and financial data sent electronically. The UHI also has potential for improving the privacy of health care records. Today, any health record bearing an individual's name makes it "open" to anyone who deliberately or accidentally sees the record. A health record using only a unique health identifier, would display no such identifying' information and therefore would be anonymous. Since 1993, this Administration has emphasized the need to ensure individuals have greater protection of their health information. The Secretary and the Vice President have recently reiterated that message in light of public discussions on privacy concerns regarding the UHI. However, the Administration has an obligation to help bring the many clinical and administrative advantages of electronic medical records to the American people. We look forward to working with Congress to achieve this goal. Background The UHI is one of a larger set of national standards for electronic exchange of health information that HHS is required to adopt pursuant to the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These provisions were enacted with the widespread support of the health care industry, and bipartisan support in Congress. They require HHS to adopt a number of uniform, national standards for the electronic interchange of health information for a specified set of administrative transactions, including: health claims or equivalent "encounter" information enrollment and disenrollment in a health plan eligibility for a health plan health care payment and remittance advice health plan premium payments The goals of these provisions are to improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data and to protect the security of transmitted information. The industry estimates that billions of dollars can be saved each year by moving from paper forms to uniform electronic transactions. Among the standards that HIPAA directs the Secretary to adopt are four unique identifier for use in the health care system, one each for: health care providers, health plans, employers, and individuals. HIPAA also requires HHS to promulgate security standards for organizations that maintain and transmit health information electronically. HIPAA instructs the Secretary to adopt existing standards developed by the industry through an open, consensus process whenever possible. The privacy implications of enabling electronic exchange of health information and of national identifiers were recognized when these provisions were being drafted. At that time, Congress envisioned enacting omnibus privacy legislation prior to the effective date of the standards. Congress also included a contingency plan in HIPAA. If a Federal privacy law is not enacted by August 1999, HIPAA requires the Secretary to issue regulations to protect the confidentiality of information maintained or transmitted in connection with the standardized transactions listed in the statute. The Department has no intention of implementing the UHI standard before comprehensive privacy protections are in place. To adopt the health care transaction standards required by HIPAA, HHS is in the process of issuing notices of proposed rule making (NPRMs) for public comment in the Federal Register. (Addendum). Where industry standards don't already exist, HHS has been working in close cooperation with industry to develop such standards. In each NPRM, HHS has proposed standards supported by broad consensus. Advantages of the UHI As privacy concerns have assumed center stage, the many compelling advantages of the UHI including aspects of a UHI that will promote privacy are getting lost in the debate. A unique identifier would allow for more rapid and accurate identification and integration of the proper patient records, so patients can receive safer and higher quality health care. Every aspect of health care from making sure the right person gets the right blood transfusion to making sure the right insurance company pays for care requires accurate identification of individuals. A unique identifier is desirable because the identifier used today is a person's name. Since names are not unique we have to collect additional information to identify an individual such as birth date, gender, SSN, and mother's maiden name. As more information is collected error rates increase. It is currently estimated that there is an error rate of 5 to 8 percent in identifying patients. In addition, the information many people have an opportunity to see personally identifiable information. Replacing a name with an identifier could reduce errors and provide greater privacy protection. A UHI can improve confidentiality, by providing accurate identification without unnecessarily disclosing a patient's identity. For example, it can eliminate the need to use names on many claims forms and clinical records. It can replace the multiple pieces of identifying information (e.g., name, birth date, gender, SSN) about a patient that today must accompany clinical and financial information to ensure positive identification. Being able to accurately and rapidly identify information about a patient, regardless of the health care environment in which it was generated, would make the detection of health care fraud more effective. In investigations focused on providers, use of the UHI would permit the patients' identities to remain anonymous. The added accuracy of the UHI would also be helpful for research and public health activities. Concerns About the UHI Opinion about a standard for the unique health identifier for individuals, however, is deeply divided. The UHI has become a lightening rod for a set of privacy concerns that stem from many sources. Even without this identifier, there are legitimate reasons to be concerned that sensitive health information is not adequately protected. While the administrative simplification standards, including the UHI, are intended to increase the accuracy and efficiency with which health information can be exchanged, having access to the UHI can lead to serious privacy concerns. The media has reported that the unique individual identifier will be used to create a national database containing everyone's medical records. Even immigration advocates have been involved, out of concern that a health identifier could become a de facto national identification number. There is no intent to tie the UHI to a national database or to use it as a national identifier, and we intend to address this issue in the context of privacy legislation. Among those who do not oppose adoption of a UHI, there is significant disagreement about which potential UHI would be the most appropriate for individuals. The different UHI options the SSN, an encrypted or enhanced SSN, and a new number each have different cost and privacy implications. They would function equally well as identifiers, so the choice will be based on these cost and privacy concerns. Some people believe that the choice of identifier will have no effect on privacy. Others believe that privacy can be enhanced by choosing a UHI with certain characteristics. For example, using an identifier unrelated to the SSN could improve privacy protection (but would be more costly). Because the SSN is already ubiquitous, opponents of the SSN stress how it could be used to link financial, consumer behavior, employment, law enforcement, and health care records by those who wish to violate our privacy. Another significant fear is that, if we create a new, non-SSN identifier for health care, Congress will later enact legislation requiring it to be used for purposes other than health care, as it has many times with the SSN. Others are concerned about any identifier that requires a trusted third party for administration, because they fear the administrator will be the government, and that the government will thereby have open access to everyone's medical records. While we are sensitive to this issue, it will be critical for the public to understand that, like bank records, a single administrator is not required. Biometric identifiers, while often viewed as still in the realm of fantasy, are rapidly becoming more accurate and cheaper, and would not require a trusted third party. HHS intends to publish a "Notice of Intent" (NOI) which would discuss these and other technical issues in considerable detail to get public feedback before proceeding further on a standard for the UHI. The Administration's Response In September 1997, the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to HHS, recommended that the agency not adopt a standard for a unique identifier for individuals until after privacy legislation is enacted. In light of this recommendation and in response to the lack of consensus, HHS decided against issuing an NPRM for the individual identifier, and instead opted for lengthening the public process for discussion of the issues surrounding the UHI. Instead of a proposed rule, HHS is preparing a Notice of Intent (NOI). The NOI would not make any recommendations or proposals. It would describe the UHI options, including their administrative, cost and privacy implications, and ask for public input on concerns, possible approaches, and alternatives. We will publish the NOI in the Federal Register with a 60-day public comment period. In addition, HHS asked the NCVHS to hold a series of public hearings on the individual identifier and its associated issues. Three to four public meetings are planned. The first hearing was held in Chicago on July 20-21, accompanied by national media attention. Based on its hearings, the NCVHS plans to make recommendations to the Secretary regarding the unique health identifier for individuals. Secretary Shalala has been at the forefront urging Congress to enact privacy legislation. More recently, Vice President Gore announced in July that the Administration would not implement the UHI for individuals until Congress has enacted comprehensive medical information privacy legislation. "[A]cting on this requirement before Congress has enacted strong, tough, meaningful medical records privacy legislation could compromise the privacy of Americans in many ways. Therefore, on behalf of President Clinton, I am announcing that we will not put this new provision into place until we are certain that Americans' basic privacy is absolutely protected." Next Steps We believe that the best approach is to find a way to address industry's desire that we move forward with technical standards for the UHI and to obtain more public input and build consensus about the technical standard while we work with Congress to develop comprehensive federal privacy legislation. By setting technical standards for the UHI but waiting until appropriate privacy protections are in place to assign numbers, we can achieve both goals of this legislation: enhanced efficiency for the health care system and enhanced privacy for individuals. Addendum Status of HIPAA Administrative Simplification Regulations (As of September 17, 1998) National Provider Identifier (NPI) -- HCFA-0045P [275K] NPRM published in the Federal Register on May 7, 1998. Comment period ended on July 6. Transaction and Coding Sets -- HCFA-0149P [344K] NPRM published in the Federal Register on May 7, 1998. Comment period ended on July 6. Employer Identifier -- HCFA-0047P [99K] NPRM published in the Federal Register on June 16, 1998. Comment period ended on August 17. Security--HCFA-0049P [272K] NPRM published in the Federal Register on August 12, 1998. Comment period ends on Oct 13. Plan Identifier (PAYERID)--HCFA-4145P NPRM in Departmental Clearance.