Thoughts and Recommendations on a National Health Safety Identifier

Feb. 24, 2016
Why do we need a national health safety identifier? David S. Muntz, former Principal Deputy National Coordinator, ONC, lays out the problem and his vision in this exclusive guest piece.

Why do we need a national health safety identifier?  Don’t we already provide enough information to allow our healthcare providers to easily identify us when we interact with them as consumers, members, and/or patients?  If we create another identifier, won’t that just complicate an already complex situation? 

The current problem is easily understood by looking at one well-known use case, patient registration, at a caring, well-intended and effective health system. Harris County Health District (HCHD) is focused on helping all residents in and around the Houston, TX area.  HCHD traditionally did what so many other facilities do to make sure they are pulling the right records for the right person for the right treatment.  Every patient trusts HCHD to start with the most basic step—properly identifying the person who has come for services. 

Traditionally, the patient identification process started with a registration person (sometimes a provider) entering into the registration computer patient- or family-provided data, such as name and date of birth in combination with other available data elements to ensure the records retrieved were selected for the correct patient.  A dramatic set of statistics published by HCHD on April 5, 2011, however, helps illustrate the challenge of this patient matching process without a unique identifier.  Here are their statistics:

  • Number of patients in HCHD’s database: 3,428,925
  • Number of times when two or more patients share the same last and first names: 249,213
  • Number of times when five or more patients share the same last and first names: 76,354
  • Number of times when two or more patients share the same last and first names, and date of birth: 69,807
  • Number of patients named Maria Garcia: 2,488 
  • Number of Maria Garcias sharing the same date of birth: 231

With these challenges, HCHD solved the problem for all of their multiple facilities by implementing a biometric palm-scanning device. Patient- or family-provided data in combination with biometrics has solved the problem at their facilities, but the biometric identifier isn’t readily shareable at this time throughout Houston at non-HCHD facilities, and certainly not across the nation. There are many contributing factors, not the least of which is cost.

There are numerous problems identified by other use cases associated with consumers, members, and patients (which we’ll refer to collectively as consumers for the remainder of this document except in special cases), and almost all start with identification.  That initial identification has ripple effects for both the provider and consumer across the healthcare continuum and often impacts dozens of different facilities and care sites.  For all participants in the continuum to be as clinically effective and cost efficient as possible, they must be able to share and, more importantly, use information with complete confidence in a secure and private fashion. 

The goal to create a health system that uses enabling health information technology (HIT) to avoid dangerous medical mistakes, reduce costs, and improve care has received bipartisan endorsement from Presidents Bush and Obama, multiple members of the Executive branch, and Congress. The government has published regulations and has so far spent more than $31 billion in incentive payments to encourage the adoption of certified electronic health records (EHRs) and mandated interoperability (information sharing and use). Achieving interoperability, like so many other activities in healthcare, requires certainty about the identity of the individual for whom information is being gathered, distributed, and used.

The adoption of certified EHRs has been successful for both primary targets of the Meaningful Use program (eligible professionals and eligible hospitals), yet consumer matching continues to frustrate and create barriers to information sharing among the participants. The promise of interoperability has not been realized, and its associated benefits have been delayed or diminished, thereby adversely impacting expected improvements in cost, quality, and satisfaction. It is not an exaggeration to say that this lack of practical and pragmatic interoperability has a negative impact on the safety of consumers, and that the potential of the investments, not just in EHRs but in all of HIT, has not been fully realized and will not be until the primary step in every process, consumer matching, is completely reliable and repeatable. Can we really say we are meaningfully using health information as it was envisioned and proposed by President Bush and funded during President Obama’s administration?

Many organizations are sharing their concerns with what they refer to as “patient matching” to members of Congress, particularly members of the House Committee on Energy and Commerce and the Senate Health, Education, Labor, and Pensions (HELP) and Finance Committees. These Committees and their staff have made many inquiries, conducted multiple meetings and hearings, and expressed very clear expectations in regard to this and related matters. Many of the healthcare providers and the HIT professionals are asking the legislators for money and support to discuss a national patient identifier. Ironically, however, there is language in the Congressional appropriations bills that prohibits the funding of any activity by the Federal government specific to the discussion of a national patient identifier.

Regulators in the executive branch are meeting with a wide range of constituencies to discuss the matter of interoperability. The requirements for Meaningful Use, the program jointly managed by the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC), mandate interoperability. The regulations associated with the distribution to date of the aforementioned $31 billion should have encouraged more information sharing, but the successes are quite limited. 

To avoid the prohibitions in the appropriations language, yet increase information sharing, the ONC is leading efforts at patient matching, which does not require a national patient identifier. They suggest an arithmetic solution will improve the chances for matching, but such an approach will not solve the problem, particularly the one described for Harris County Hospital District. To provide context, the Bipartisan Policy Center in 2012 reported, “Error rates, which average eight percent and can range up to 20 percent—can result in sub-optimal care and medical errors. Incorrectly matching a patient to a health record may also have privacy and security implications, such as wrongful disclosure—in addition to treatment based on another patient’s health information.” In the same article a member of CHIME (College of Healthcare Information Management Executives) reported, “Moreover, 19 percent of respondents indicated that their hospital had experienced an adverse event during the past year due to a patient information mismatch results from a CHIME survey.”

The ONC published its final report on patient matching in February 2014.  “Health systems with a tightly managed data quality program and feedback loop appeared to be most successful in attaining match rates of 90 percent or higher. The match rates tended to decrease as organizations began sharing records with systems that are managed differently or have different EHR systems.”  They reported match rates as low as 50 percent.

Even a small percentage rate of error has enormous impact when you consider the millions of patients seen throughout this country every year. Today, if all facilities were able to achieve a very optimistic one-tenth of a percent (0.1%) error rate (that’s a 100-fold improvement from ten percent), the adverse impact would still be significant. According to the CDC, there are 136.3 million visits to Emergency Departments (ED) each year. A one-tenth percent (0.1%) error rate means more than 136,300 patients are being misidentified. If you apply the previously mentioned 19 percent adverse event rate to those 136,300 mismatched patients, the number of adverse events originating from patient matching in the ED would approach 26,000. The safety implications of mismatches in the Emergency Departments are staggering. When you add the more than 35 million admissions to hospitals, and visits to clinics, the total number of interactions by patients exceeds 1 billion. The call to action is imperative.

Among the organizations who are most concerned, vocal, and active in this discussion are membership organizations that represent the providers who must meaningfully use HIT to deliver health and wellness, the HIT and health information management (HIM) professionals who must implement and manage data and information flows, and the payers who must ensure and insure proper care. There is a great deal of overlap in their views, but all share the goal of improving existing systems – the combination of processes and technologies. The suggestions are all good and include, but are not limited to: collection of standardized data elements (both traditional and non-traditional), open source algorithms for patient matching, testing labs to ensure a certain level of matching performance, and educating consumers about the importance of and issues associated with patient matching. Most, if not all, of them are looking for opportunities to improve.    

We need certainty, not approximation.  We need consumer selected and managed health safety identifiers that can be shared when and where appropriate.  We already do that with e-mail and countless other Internet-based applications and websites. We need biometrics.

The HIM professionals who are custodians of the legal medical record and manage the records in both large and small facilities know these problems only too well. The challenge has been around since the collection of medical information began. Manual and paper-based systems have been plagued by the lack of consistent and reliable patient identification. Automation and digitization of medical information have produced mixed results. Consistency and reliability have improved, and error rates for patient matching have dropped but are not low enough to minimize safety risk. The best way to get to the lowest rate is by using a voluntary, patient-managed health safety identification scheme based on something that already exists, is widely adopted, can be easily remembered, and will be shared when and where the patient chooses to do so. The adoption of a universal identifier facilitates moving the role of custodian of records to the consumer, makes sharing information across the continuum practical, and gets the right information to the right people at the right time to deliver the right level of care in a safe, cost-effective, and efficient manner. Biometrics ensures the consumer is present and involved.

I propose a combination of factors. The first is the use of a national health safety identifier in the form of an e-mail address, i.e. username@domain. It is difficult to quantify just how many U.S. citizens have e-mail addresses, though estimates of people with access to the Internet exceed 85 percent. The idea of an e-mail identifier is very controversial. Some proponents propose a number or an alphanumeric string as an identifier. The rationale for an e-mail identifier is the ease of remembering it. That could be true of other alphanumeric strings. During stressful times, finding or remembering a string of numbers can be difficult, perhaps easier for an alphanumeric string. Length, however, is critical to ensure that we don’t run out of identifiers and the ideal string would accommodate all citizens for centuries to come. A consumer selected and managed identifier minimizes the chances of forgetting. It also eliminates errors such as using someone else’s identifier (a problem with spouses who might offer the other spouse’s social security number during registration). Though it would need to be backed up by a study, an e-mail identifier would likely reduce the errors associated with transcription and transposition. If the readers of this document feel strongly that an e-mail address won’t work, please read the remainder with the idea that your form of identifier could be used in place of the consumer selected and managed e-mail address. Please note that Facebook now has a membership of more than one billion users based on a consumer selected and managed e-mail address.

Assignment of a national health safety identifier has a secondary benefit. It should help the U.S. close the digital divide.  Educating people about something as personal as their health and wellness will serve as an inducement for everyone to begin using digital technology.  Most people have at least a smart phone, if nothing else.  Hopefully, the industry will develop tools to allow all citizens access to their health information regardless of their location or form factors.  With those tools in place and readily available, everyone could choose a national health safety identifier that a trusted broker could authenticate to ensure the consumer who wants to accurately communicate their health information can do so with confidence.  If everyone had an e-mail address stored in a consent registry, the digital divide would disappear.

Today, many people use multiple e-mail addresses to segregate their business and personal communications. The use of an existing e-mail address is the most commonly employed method for registration on websites.  Not surprisingly, some consumers might want to segregate records via the use of different e-mail addresses, e.g. behavioral health records versus internal medicine records.  Consumers already make decisions about how much information to share with caregivers.  An approach that preserves the consumer’s sense of control is important to earn trust for the widespread adoption of a national health safety identifier.

As a practical matter, most people will use an existing e-mail address as their national health safety identifier, the same one they use for their important transactions.  And as many people have discovered, there can be challenges associated with multiple e-mail accounts, not the least of which is remembering passwords.  Most sophisticated e-mail providers do allow forwarding.  That forwarding capability can include all e-mail or the consumer can establish rules to control which e-mails to send to the consolidating account.  If safety is the ultimate driver of adoption, the providers really do need access to all relevant information.  The determination of that relevance is not always understood by the consumer, so consumer education about the advantages and drawbacks of multiple identifiers will need to be provided by a trusted and authoritative source.

Though a consumer managed identifier is good, a second and more important factor has to be added to ensure safety.  As has been demonstrated in Houston and at so many other security conscious organizations, a biometric is critical for validation.  The use case to support the need for a biometric identifier, or better yet a collection of biometric identifiers, is the patient who arrives in the Emergency Department naked and unconscious without any identification, a not infrequent occurrence.  A biometric factor may be the only identification available to the staff. 

For health safety, a biometric(s) should be collected for every living being.  The cost of gathering such information is dramatically decreasing and the variety of technologies to collect them is increasing in accuracy and availability.  Adding a biometric field(s) to the database that holds the health safety identifier provides the desirable 2-factor authentication.   Ideally, the collection of biometrics should begin before someone needs a provider.  Imagine a system that registers every child while they are still in the birthing center.  Today, for example, a baby’s footprints are often placed on a birth record and given to parents for sentimental reasons.  Imagine putting that biometric into the national health safety identifier database that could serve for both health and security purposes such as helping identify lost children at large public events. 

Our collective goal should be to ensure that we use practical and pragmatic solutions from readily available, secure technologies with reliable, repeatable processes to ensure that we provide the safest care that is humanly and technologically possible, and that we should evolve as technologies and processes improve.  We have a public duty to create a system of safety whose first step is to ensure every consumer presenting for health services is properly identified.

Before making recommendations, it is important to recognize that a great many groups are working diligently on plans to create an interoperable health system.  Of particular interest is the work being done by NSTIC (National Strategy for Trusted Identities in Cyberspace).  The four guiding principles of their strategy are very consistent with the intent of the recommendations below.  Their “...strategy specifically calls out four Guiding Principles to which the Identity Ecosystem must adhere:

  • Identity solutions will be privacy-enhancing and voluntary
  • Identity solutions will be secure and resilient
  • Identity solutions will be interoperable
  • Identity solutions will be cost-effective and easy to use”

The limiting factor to success is the degree of participation.  Starting as a voluntary effort is important to earning trust, but to be truly effective, all consumers of healthcare need to participate.


  1. Create a standard format for a consumer-managed national health safety identifier in the form of an e-mail address.
    1. Use the current best practices in cybersecurity to secure the collection of all consumer-related data necessary for additional authentication methodologies to be employed, e.g. demographics.
    2. Employ a biometric-based validation scheme to ensure that the provided e-mail address does not belong to another person.  Collect appropriate biometrics to ensure certainty.  Since the market has not settled on a specific biometric that would work in all situations, a registry would need the ability to store a variety of biometrics, for example palm prints, retina scans, and the aforementioned footprints.
    3. Collect emergency contact information so that the people important to the unconscious patient without proper identification can be contacted and consulted about treatment options.
    4. Develop a scheme for producing an e-mail address and collecting an associated biometric at birth.  Some states initiate the process of issuing a social security number at birth. 
    5. Allow for multiple e-mail addresses and other identifiers where appropriate to be used by and associated with a particular individual.  Many Master Person Index solutions allow many different fields including other indices to be stored with the primary identifier.
    6. Allow for deletion and merging of e-mail addresses by a particular individual.
    7. Allow for separation of merged e-mail addresses when discovered.
  2. Pass legislation with a specified implementation date mandating that all HIT, not just EHRs, that are required to share information include a field for one or more national health safety identifiers.
    1. Ensure that current regulatory or sub-regulatory efforts are examined to ensure that EHRs store all the data elements that will ensure the highest achievable level of accuracy. 
  3. Identify a private sector or public/private sector organization that has created or will create a registry for national health safety identifiers that can be secured and accessed by authenticated entities.
    1. Use the latest cybersecurity protection practices for the registry organization to earn and retain the trust of all consumers. Employ best practices and white hat hackers to constantly test the registry for complete reliability including human factor vulnerabilities.
    2. Ensure the registry can store the data elements from 2.a and 2.b above that will ensure the highest achievable level of accuracy. 
    3. Ensure that the registry has consent management capabilities that will allow a consumer to identify which classes of data can be shared (a form of data segmentation that was suggested by the PCAST report).
    4. Ensure the registry doesn’t contain information that would compromise the trust relationship between providers and consumers, while ensuring that we are without doubt dealing with the right individual.
    5. Create in regulation an oversight group that will be populated with cybersecurity, privacy, and patient safety professionals, consumers, providers, payers, and HIT and HIM professionals to enhance the public trust. Make sure that pediatric specialists and school representatives are included to represent the interests and challenges associated with registering children of all ages.  Consider adding government agencies that have responsibility for the safety of U.S. citizens.
    6. Ensure that whatever framework is adopted for the national health safety identifier management can and will evolve and adapt as quickly as the health and IT sectors evolve. 
    7. Look at other industries, e.g., credit management companies, to develop processes that will deal with complaints, duplicates, and misinformation that might be stored in the registry.
    8. Examine the practices in the U.S. state-based health information exchange organizations and in nations where a national registry is used.
  4. Use the Executive and Legislative branches to enact laws that limit liability for the company (or companies) that manages the registry (or federated model of registries).
  5. Use existing public and private consumer advocacy groups to educate consumers about the importance of a national health safety identifier.  Post information in registration facilities and in all venues where healthcare can be provided.
  6. Do this now.