Mennonite Health Journal
Articles on the intersection of faith and health
Identity and Privacy: Healthcare Automation Essentials
Barry Hieb, MD
from Mennonite Health Journal, Vol. 15, No. 4 – November 2013
Each of us takes our identity for granted. Virtually every minute of our waking life we are aware of who we are and what our current context is. When it comes to healthcare information processing, however, things are not so clear. Healthcare information represents some of the most personal and private data concerning each one of us. As more and more of that information is captured and processed by automation systems, the ability to accurately identify the person the data is about and to honor that person’s privacy wishes has become more and more problematic.
When someone asks “Who are you?” our usual response is to give our name and perhaps where we are from. That’s a start, but for a healthcare automation system it is not nearly enough. The automation system might have a dozen persons named “Tim Smith” in its database. In order to be sure it has the right one the computer will want your birthday, your address, your Social Security Number, your mother’s maiden name; everything it can possibly learn about you to make certain it knows who you are. This is a good thing. You don’t want the computer to confuse your medical information with someone else’s! There are just two problems.
1. Inaccurate identification
Despite all the data they collect about you, computers still make identity mistakes: a lot of them. It is difficult to obtain accurate quantification but the literature indicates error rates of at least 5% and there are many reports of 10% or much higher. This is not good. If the computer doesn’t know the right person then some of your data might be lost. Even worse, someone else’s information might be mixed in with yours. Needless to say, both of these circumstances are problematic and can lead to serious consequences.
Medicine is well aware of how dangerous the situation is. There have been ongoing concerted efforts to reduce the rate of medical misidentification errors for over a decade but it has proven to be a remarkably intractable problem–and it is getting worse. As healthcare evolves to exchange clinical information across larger and larger domains–cities, states, and eventually the entire nation–identity errors become ever more frequent. An increasingly large number of healthcare organizations are involved. There are more systems to interface–with dissimilar policies, different sets of identifying data, different technologies, etc. Furthermore, identification needs to occur across larger and larger patient populations. The chance that someone else has identifying information similar to yours, what is called your “biographic profile,” increases the more people there are in the system.
2. Privacy is diminished
Despite the fact that there are good reasons for health information systems to collect all that data about you, the process can put a major dent in your ability to manage your privacy. First, the information indicates who you are and second, it is subsequently attached to your medical information, some of the most private information about you that exists. When the medical system wants to order a test about you, they use part of your biographic profile. When they want to report a result, they use part of your biographic profile. When they want to submit a bill–you guessed it–they use part of your biographic profile.
Remember, all of this use of your private data is with the best of intent. You wouldn’t want your lab result to end up in someone else’s medical chart. Nor would you want to be billed for someone else’s medical procedure. Yet, all of that information sharing puts your privacy at risk. Large parts of your biographic profile are being attached to parts of your sensitive medical information and being transmitted electronically to a variety of locations that are outside of your control. “You,” or at least enough about you to identify you, are being sent to various medical facilities, being seen by their personnel, and being stored in their databases. Is it any surprise that medical identity theft is one of the fastest growing crimes in America?
The VUHID solution
Fortunately there is a simple and straightforward way to “solve” both the identity and privacy problems for healthcare. The VUHID system creates and manages unique identifiers that can be used by healthcare organizations to manage personal identities. A healthcare organization can obtain a VUHID identifier, store it as part of your biographic profile, and hand it to you on a personal identification card.
From that point on you can hand the ID card to every new caregiver who treats you and ask them to add the identifier to your biographic profile–or the network of automation systems may be able to do this for you. Over time, all of your clinicians will be able to identify you using your VUHID identifier.
A few notes here about VUHID identifiers. They are globally unique, they are never reused, and they are issued to only one person. They are permanent and they cannot be counterfeited. Once you get your VUHID identifier card you should be able to use it for the rest of your life.
VUHID identifiers remove any ambiguity about your identity. If you are Peter Smith, it doesn’t matter if there are none, one, or one hundred other persons named “Peter Smith” in your town. Each of them can have their own unique identifier and their records should never be confused with anyone else’s. It doesn’t matter how many patients a large healthcare organization treats, the use of VUHID identifiers will help ensure that they never confuse one person with another.
VUHID privacy support
But what about privacy? Let’s look at just a few aspects of how the use of VUHID identifiers makes your privacy better. Note that once your caregiver begins to use your VUHID identifier to identify you, they can stop using most of the other data in your biographic profile. They might want to send your initials along with your VUHID identifier but they won’t need to use your name and they certainly should not send your Social Security Number. This means that your privacy can make a comeback. Your VUHID identifier is at risk as it is sent back and forth between medical facilities but your private biographic profile can stay safe at home.
It turns out that VUHID identifiers actually come in two varieties, “open” and “private.” You will want to use an open VUHID identifier (OVID) for all of the medical information that you want to be freely available to all of your caregivers, e.g. the time you had a broken arm, your immunizations, the fact that you had appendicitis, etc. However, you may also have some medical information that you want to keep private. Perhaps you are concerned that the history of your treatment for depression should not be widely known. This is when you want to use a private VUHID identifier (PVID). You can have your psychiatrist obtain a PVID, give you a PVID card, and use it to identify your psychiatric records. With a PVID as its primary link, your psychiatric data can be kept separate from the rest of your medical information. Because you control your PVID card you can decide who has access to that information. If you provide your PVID to your primary care provider then they can view your psychiatric information, otherwise not. Later, if you have some genetics testing and need to keep your genetics information separate you can get a different PVID for that. So, in the general case, you will have one open identifier and as many private identifiers as are needed for your particular medical circumstances and privacy preferences.
What about errors?
Getting privacy right can be tricky, especially since we haven’t managed it very well in the past. In addition, what one person needs for privacy of their healthcare data is likely to change over time. So we have to make provisions to correct errors when they occur and to make changes when they are needed. If you change your mind about what data you want to keep private, if you develop a new disease, if you get divorced, or any of dozens of other events, you may need to make a change in your privacy specifications.
Fortunately, with VUHID you are in control. You can acquire new private IDs as you have need. If you determine that an existing PVID can no longer meet your needs you can decide to have it terminated and/or replaced with a new one. It is important to note that you cannot turn back the clock. Although data that was previously public can be made private at any point in time, this new privacy status cannot hide this data from someone you gave it to previously. With this one major caveat, the VUHID system can support virtually any set of privacy requirements that you and your caregivers are willing and able to support. VUHID represents an example of full patient empowerment. As the user of one or more VUHID identifiers, you are in control and are able to configure them to fully meet your privacy needs.
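The open and private identifiers described above, and the caveat that replacing a PVID cannot recall data already shared, can be modeled in a few lines. This is an added illustration, not VUHID's own software or identifier format: the `RecordStore` class, its method names, and the random token format are all hypothetical, and the records are constructed sample data.

```python
import secrets
from collections import defaultdict

class RecordStore:
    """Toy model: clinical records are filed under an identifier, not a name."""

    def __init__(self):
        self._by_id = defaultdict(list)   # identifier -> records
        self._retired = set()             # terminated identifiers, never reissued

    def issue(self, kind):
        # kind is "OVID" or "PVID"; the token format is made up for this sketch
        return f"{kind}-{secrets.token_hex(8)}"

    def file(self, identifier, record):
        if identifier in self._retired:
            raise ValueError("identifier has been terminated")
        self._by_id[identifier].append(record)

    def view(self, known_ids):
        """Return what a caregiver holding `known_ids` can retrieve now."""
        return [r for i in known_ids if i not in self._retired
                for r in self._by_id[i]]

    def replace(self, old_id):
        """Terminate a PVID and move its records under a fresh one."""
        new_id = self.issue("PVID")
        self._by_id[new_id] = self._by_id.pop(old_id, [])
        self._retired.add(old_id)
        return new_id

def demo():
    store = RecordStore()
    ovid, pvid = store.issue("OVID"), store.issue("PVID")
    store.file(ovid, "broken arm")            # constructed sample records
    store.file(ovid, "immunizations")
    store.file(pvid, "depression treatment")

    surgeon = {ovid}                # patient showed only the open card
    primary_care = {ovid, pvid}     # patient also showed the PVID card
    seen_before = store.view(primary_care)   # copy the clinic already holds

    new_pvid = store.replace(pvid)  # patient has the old PVID terminated
    store.file(new_pvid, "follow-up visit")
    return {
        "surgeon": store.view(surgeon),
        "primary_before": seen_before,
        "primary_after": store.view(primary_care),
        "psychiatrist": store.view({new_pvid}),
    }
```

After the replacement, the primary care provider's old PVID retrieves nothing new, but `primary_before` still contains the psychiatric record: that earlier copy is outside the patient's control, which is the "cannot turn back the clock" caveat.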
The VUHID system represents a simple and cost-effective way to achieve accurate identification and it also enables a fundamentally different approach to patient privacy. Through the deployment of unique identifiers that are under the direct control of each patient, both identification and privacy functions are easy to accomplish. By making privacy simple, VUHID gives users the best chance to get their privacy right. And by making it easy to make changes, VUHID lets patients readily correct the infrequent errors that will occur.
The twin requirements of accurate identification and improved privacy continue to increase in importance within healthcare. The VUHID approach represents a straightforward way to achieve these important goals. Hopefully VUHID will be able to play a central role as healthcare moves more deeply into the era of automation. I hope that it will not be long before you have an opportunity to use the VUHID system to improve the medical care that you receive.