The “debate” over patient identifiers in the context of a regional health information exchange

In the US there is no national patient identifier (NPI) that all medical records (whether they are in paper form or electronic form) are required to use. This causes major problems. The most visible of the problems is the inability to correctly link clinical information that is independently generated for the same patient. Such linking can save lives. An allergy noted in one location made available to another provider has the potential to avoid a potentially fatal anaphylactic reaction. A medication that was given and being actively taken by a patient may have adverse consequences if not known in the other location of care.

Let’s drill deeper into the problem of non-matched clinical information. For example, a patient is given a medical record number (MRN) 122 by his primary care physician. The same patient had an ER visit and the ER system assigned him a MRN 155. These two records belong to the exact same individual however they cannot be linked with 100% certainty because there is no NPI to link these records with 100% certainty. It is noteworthy that even within one institution; there is ample possibility that there can be multiple MRN identifiers for the same patient. This may be further complicated by the fact that sometimes duplicate records may be established for a given patient during different visits as the admitting person did not accurately identify the pre-existing record.

At the outset, it seems aparent that a single unique national patient identifier could solve these problems. Before we jump to conclusion, let's study this a bit more...

Disadvantages of NPI

1. There is a perception that patient privacy interests may be better served by keeping data in islands. Patients can protect medical records that they don’t want to share by not revealing the existence to such data. E.g. a patient may have had a substance abuse treatment or Planned Parenthood visit that they don’t want to reveal to other clinicians. By keeping all data in silos, no record is available without the patient telling about it or actually physically (by way of paper copies) moving it by herself.
2. The chance that such data may fall in the hands of undesirable elements increases when an NPI exists. E.g. someone in government getting access to the records; commercial businesses using the information for screening potential employees; insurance carriers screening such data and selecting healthy patients etc.
3. Medical identity theft may become easier. Social security numbers (which serve as unique identifiers for many things including financial credit history, federal tax filing, federal entitlement benefits such as social security payments and Medicare coverage  etc) have had a checkered history of identity theft.

Advantages of NPI

1. Medical information can be easily requested by either the patient or by the provider. And the provider can be assured that indeed the information received absolutely belongs to the exact patient.
2. Research studies can be much more easily performed. E.g. population based studies that require large data sets are much easily performed when silos of data are accurately correlated.
3. Electronic systems can be built to manage healthcare information much more easily. This can save costs by improving efficiency and by reducing redundant tests.

However attractive the NPI maybe, it is just not going to happen in the US. The political will is not there. The people themselves will not get behind it. Medical information is so sensitive that we all want explicit control over where it is stored and how it is shared. So, we have to live in a world where NPIs will never exist. What would a solution look like that gives us the positive benefits of having a NPI without the problems associated with it? We will describe such a solution next.

Solution

1. First and foremost we need all clinical information gathered at the point of care (physician office, hospital, lab etc) to be clearly marked with a medical record number (albeit a locally unique number). If information is stored electronically then it is much easier to achieve this. By doing this, a patient can walk to the provider who has this information as say, “I need a copy of my medical record with MRN 123.” The alternative would sound more like this, “I need a copy of my medical record. My name is Bob Smith.” There can be several Bob Smith records. There is a small probability that the wrong record may be given out to the wrong Bob Smith.
2. We need the end systems where such records are stored to be able to secure the information at least at the entire chart level if not at a more grannular record level. Imagine a big “Do not share this chart to anyone without explicit patient permission” sign on the chart. The electronic equivalent of such a mark will have at least two levels. A) "do not send this info to anyone outside Yes/No" and B) "do not accept any further information for this patient Yes/No". The latter lets patients that see a physician for a one time consultation (say a second opinion visit) to tell the physician, “thanks for your help…but in the future I don’t want you to continue to get access to my health information…” Most of the systems in use today do not support both A) and B). The closest they come to supporting this is the use of a “VIP” identifier that can be used to mark an entire record as belonging to a VIP and hence it needs to be protected from being shared.
3. Electronic medical record systems should have complete and accurate demographics. The demographics that do not change with the change in a person’s life are especially important. It is preferable that they contain accurate and consistent first and last name (although last names can change with a person getting married for example; first name can change with a person giving different versions such as Bob and Robert at different instances). Date of birth and mother’s maiden name are strong, non-unique identifiers and hence they need to be 100% accurately recorded. Alternate unique identifiers such as social security numbers, driver’s license number and passport number will help match records with certainty and they serve as surrogates to the lack of NPI. These generally do not change during the lifetime of a patient.
4. Use of common identifiers in systems within administrative control of a provider is encouraged. Large providers invest in master patient indexing solutions to achieve this. For example, a provider that runs multiple locations of care can use a common MRN at each of these locations of care. 
5. Sensitivity of records (e.g. “mental health” is one such sensitivity marking. There are at least 10 different sensitivity markings that are commonly required) needs to be marked appropriately on the record itself. Different classes of data have different protection depending on the jurisdiction where they are stored. For example, most states provide much stricter sharing permission requirements when it comes to mental health data. If all mental health related visit data were to be marked with the moniker “mental health data” then electronic systems can easily afford a higher degree of protection to such data and hence help with complying with the laws that are applicable.

Data sharing scenarios

Now let us describe some common patient scenarios and test how a system that meets the above criteria will be able to meet all of these scenarios.

1. A VIP patient would like to keep all of her records confidential except select primary care visits and one emergency care visit

- At the PCP location, the entire record is marked as belonging to a VIP

- The select documents that she would like to share are marked as “normal to be shared” for sharing

- All other records are marked with appropriate sensitivity or marked as “normal not to be shared.”

2. A patient uses different identities at different providers to keep his information from being matched by computer programs. He however would like two specific records that are located in two different providers (Provider A and B) to be shared

- At Provider A, he has been assigned a MRN (lets say it is MRN A-111)

- At Provider B, he receives another MRN (lets say it is MRN B-144)

- At B, he tells the receptionist to link MRN A-111 with MRN B-144. The receptionist verifies that both records belong to the same individual (how this is done is beyond the scope of this article but is available from the author) and links up the records. From this point forward all information marked for sharing (or permitted for sharing) will be shared. Protected data with specific protected sensitivity will not be shared without explicit patient permission.

3. A senior patient who is completely computer illiterate wants the system to work behind the scenes to share her medical information for better care. She is not interested in how this is done but wants the system to work within the privacy and security laws to provide a solution that delivers better quality of care

- At each of the providers the patient sees, she provides accurate demographics information including her SSN. The one or two locations where she did not provide accurate demographics will still be flagged for matching but with manual intervention to complete the matching.

- The data sharing network accurately matches her different medical records located in the different systems at provider locations.

- Data sharing can proceed in an automated manner

- Sensitive data such as mental health records are automatically provided a higher degree of protection. Such protected data will only be shared on explicit permission or under explicit “need to know” guidelines.

Author: Prem Urali, CEO and CTO, HealthUnity Corp