5 October 1998: Add links to related regulations

3 October 1998
Source: http://www.hhs.gov/progorg/asl/testify/t980917a.txt


1998/09/17; ASPE Testimony; A National ID Card

STATEMENT FOR THE RECORD
WILLIAM R. BRAITHWAITE, M.D., PH.D. 
SENIOR ADVISOR ON HEALTH INFORMATION POLICY
OFFICE OF THE ASSISTANT SECRETARY FOR PLANNING
AND EVALUATION
U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
FOR THE
SUBCOMMITTEE ON NATIONAL ECONOMIC GROWTH,
NATURAL RESOURCES, AND REGULATORY AFFAIRS
HOUSE COMMITTEE ON GOVERNMENT REFORM AND
OVERSIGHT

SEPTEMBER 17, 1998


Thank you for the opportunity to present the testimony of the
Department of Health and Human Services (HHS) on the topic of the
Unique Health Identifier (UHI) for individuals.    The Administration
believes that a UHI for individuals is important to the improving the
quality of care patients receive by reducing medical errors and
improving the efficiency and effectiveness of the health care system
by standardizing the exchange of administrative and financial data
sent electronically.  The UHI also has potential for improving the
privacy of health care records.  Today, any health record bearing an
individual's name makes it  "open" to anyone who deliberately or
accidentally sees the record.  A health record using only a unique
health identifier, would display no such  identifying' information and
therefore would be anonymous.  Since 1993, this Administration has
emphasized the need to ensure individuals have greater protection of
their health information.  The Secretary and the Vice President have
recently reiterated that message in light of public discussions on
privacy concerns regarding the UHI.  However, the Administration
has an obligation to help bring the many clinical and administrative
advantages of electronic medical records to the American people.  We
look forward to working with Congress to achieve this goal.

Background

The UHI is one of a larger set of national standards for electronic
exchange of health information that HHS is required to adopt pursuant
to the administrative simplification provisions of the Health Insurance
Portability and Accountability Act of 1996 (HIPAA).  These
provisions were enacted with the widespread support of the health
care industry, and bipartisan support in Congress.  They require HHS
to adopt a number of uniform, national standards for the electronic
interchange of health information for a specified set of administrative
transactions, including: 

          health claims or equivalent "encounter" information
          enrollment and disenrollment in a health plan
          eligibility for a health plan
          health care payment and remittance advice
          health plan premium payments

The goals of these provisions are to improve the efficiency and
effectiveness of the health care system by standardizing the electronic
exchange of administrative and financial data and to protect the
security of transmitted information.  The industry estimates that
billions of dollars can be saved each year by moving from paper
forms to uniform electronic transactions. 

Among the standards that HIPAA directs the Secretary to adopt are
four unique identifier for use in the health care system, one each for:
health care providers, health plans, employers, and individuals.
HIPAA also requires HHS to promulgate security standards for
organizations that maintain and transmit health information
electronically.  HIPAA instructs the Secretary to adopt existing
standards developed by the industry through an open, consensus
process whenever possible.

The privacy implications of enabling electronic exchange of health
information and of national identifiers were recognized when these
provisions were being drafted.  At that time, Congress envisioned
enacting omnibus privacy legislation prior to the effective date of the
standards.  Congress also included a contingency plan in HIPAA.  If a
Federal privacy law is not enacted by August 1999, HIPAA requires
the Secretary to issue regulations to protect the confidentiality of
information maintained or transmitted in connection with the
standardized transactions listed in the statute.  The Department has no
intention of implementing the UHI standard before comprehensive
privacy protections are in place. 

To adopt the health care transaction standards required by HIPAA,
HHS is in the process of issuing notices of proposed rule making
(NPRMs) for public comment in the Federal Register.  (Addendum). 
Where industry standards don't already exist, HHS has been working
in close cooperation with industry to develop such standards.  In each
NPRM,  HHS has proposed standards supported by broad consensus.

Advantages of the UHI

As privacy concerns have assumed center stage, the many compelling
advantages of the UHI   including aspects of a UHI that will promote
privacy   are getting lost in the debate.  A unique identifier would
allow for more rapid and accurate identification and integration of the
proper patient records, so patients can receive safer and higher quality
health care.  Every aspect of health care   from making sure the right
person gets the right blood transfusion to making sure the right
insurance company pays for care   requires accurate identification of
individuals.  A unique identifier is desirable because the identifier
used today is a person's name.  Since names are not unique we have
to collect additional information to identify an individual such as birth
date, gender, SSN, and mother's maiden name.  As more information
is collected error rates increase.  It is currently estimated that there is
an error rate of  5 to 8 percent in identifying patients.  In addition, the
information many people have an opportunity to see personally
identifiable information.  Replacing a name with an identifier could
reduce errors and provide greater privacy protection. 

A UHI can improve confidentiality, by providing accurate
identification without unnecessarily disclosing a patient's identity.  
For example, it can eliminate the need to use names on many claims
forms and clinical records.  It can replace the multiple pieces of
identifying information (e.g., name, birth date, gender, SSN) about a
patient that today must accompany clinical and financial information
to ensure positive identification.

Being able to accurately and rapidly identify information about a
patient, regardless of the health care environment in which it was
generated, would make the detection of health care fraud more
effective.  In investigations focused on providers, use of the UHI
would permit the patients' identities to remain anonymous.   The
added accuracy of the UHI would also be helpful for research and
public health activities.   
Concerns About the UHI

Opinion about a standard for the unique health identifier for
individuals, however, is deeply divided.  The UHI has become a
lightening rod for a set of privacy concerns that stem from many
sources.   Even without this identifier, there are legitimate reasons to
be concerned that sensitive health information is not adequately
protected.   While the administrative simplification standards,
including the UHI, are intended to increase the accuracy and
efficiency with which health information can be exchanged, having
access to the UHI can lead to serious privacy concerns.

The media has reported that the unique individual identifier will be
used to create a national database containing everyone's medical
records.  Even immigration advocates have been involved, out of
concern that a health identifier could become a de facto national
identification number.  There is no intent to tie the UHI to a national
database or to use it as a national identifier, and we intend to address
this issue in the context of privacy legislation.

Among those who do not oppose adoption of a UHI, there is
significant disagreement about which potential UHI would be the
most appropriate for individuals.  The different UHI options   the
SSN, an encrypted or enhanced SSN, and a new number   each have
different cost and privacy implications.  They would function equally
well as identifiers, so the choice will be based on these cost and
privacy concerns.

Some people believe that the choice of identifier will have no effect
on privacy.  Others believe that privacy can be enhanced by choosing
a UHI with certain characteristics.  For example, using an identifier
unrelated to the SSN could improve privacy protection (but would be
more costly). 
Because the SSN is already ubiquitous, opponents of the SSN stress
how it could be used to link financial, consumer behavior,
employment, law enforcement, and health care records by those who
wish to violate our privacy.  Another significant fear is that, if we
create a new, non-SSN identifier for health care, Congress will later
enact legislation requiring it to be used for purposes other than health
care, as it has many times with the SSN.

Others are concerned about any identifier that requires a trusted third
party for administration, because they fear the administrator will be
the government, and that the government will thereby have open 
access to everyone's medical records.  While we are sensitive to this
issue, it will be critical for the public to understand that, like bank
records, a single administrator is not required.  Biometric identifiers,
while often viewed as still in the realm of fantasy, are rapidly
becoming more accurate and cheaper, and would not require a trusted
third party.   HHS intends to publish a "Notice of Intent" (NOI) which
would discuss these and other technical issues in considerable detail
to get public feedback before proceeding further on a standard for the
UHI.

The Administration's Response

In September 1997, the National Committee on Vital and Health
Statistics (NCVHS), an advisory committee to HHS,  recommended
that the agency not adopt a standard for a unique identifier for
individuals until after privacy legislation is enacted.   In light of this
recommendation and in response to the lack of consensus, HHS
decided against issuing an NPRM for the individual identifier, and
instead opted for lengthening the public process for discussion of the
issues surrounding the UHI.  Instead of a proposed rule, HHS is
preparing a Notice of Intent (NOI).  The NOI would not make any
recommendations or proposals.  It would describe the UHI options,
including their administrative, cost and privacy implications, and ask
for public input on concerns, possible approaches, and alternatives. 
We will publish the NOI in the Federal Register  with a 60-day public
comment period.

In addition, HHS asked the NCVHS to hold a series of public
hearings on the individual identifier and its associated issues.  Three
to four public meetings are planned.  The first hearing was held in
Chicago on July 20-21, accompanied by national media attention. 
Based on its hearings, the NCVHS plans to make recommendations to
the Secretary regarding the unique health identifier for individuals. 

Secretary Shalala has been at the forefront urging Congress to enact
privacy legislation.  More recently, Vice President Gore announced in
July that the Administration would not implement the UHI for
individuals until Congress has enacted comprehensive medical
information privacy legislation.  "[A]cting on this requirement before
Congress has enacted strong, tough, meaningful medical records
privacy legislation could compromise the privacy of Americans in
many ways.  Therefore, on behalf of President Clinton, I am
announcing that we will not put this new provision into place until we
are certain that Americans' basic privacy is absolutely protected."  

Next Steps

We believe that the best approach is to find a way to address
industry's desire that we move forward with technical standards for
the UHI and to obtain more public input and build consensus about
the technical standard while we work with Congress to develop
comprehensive federal privacy legislation.  By setting technical
standards for the UHI but waiting until appropriate privacy
protections are in place to assign numbers, we can achieve both goals
of this legislation: enhanced efficiency for the health care system and
enhanced privacy for individuals.



                     Addendum

 Status of HIPAA Administrative Simplification
Regulations
           (As of September 17, 1998)

National Provider Identifier (NPI) -- HCFA-0045P [275K]

     NPRM published in the Federal Register on May 7,
     1998.  Comment period ended on July 6.

Transaction and Coding Sets -- HCFA-0149P [344K]

     NPRM published in the Federal Register on May 7,
     1998.  Comment period ended on July 6. 

Employer Identifier -- HCFA-0047P [99K]

     NPRM published in the Federal Register on June 16,
     1998.  Comment period ended on August 17.

Security--HCFA-0049P [272K]

     NPRM published in the Federal Register on August
     12, 1998.   Comment period ends on Oct 13.

Plan Identifier (PAYERID)--HCFA-4145P

     NPRM in Departmental Clearance.