The close timing of two events, the well-publicized Equifax breach and the far less publicized announcement that Experian intends to take on the unique patient identifier challenge, should concern us.
As the facts emerge, it seems clear that Equifax was lax in its security procedures; one hopes that Experian is much more diligent than its rival.
My concern is twofold. First, healthcare is more complex than most financial-services companies imagine, and they frequently have not thought through those complexities. Second, and more importantly, any company that stores critical financial information is, and will continue to be, too attractive a target for cyber-criminals. That means more breaches will occur, with even more catastrophic consequences.
It seems clear that the safest way to identify patients reliably is to separate the identifier from the data: the identifier itself should carry no demographic, financial or clinical information, so that a compromise of the identifier system exposes nothing about the people it identifies. This may be what was intended when HIPAA was first passed and included a patient identifier, before that provision was dropped because of privacy concerns (concerns that may have been overblown if the identifier had been properly implemented).
There is already a standard for such an identifier: ASTM E1714, Standard Guide for Properties of a Universal Healthcare Identifier (UHID). Given that the U.S. government is unlikely to move from its current position on a national identifier, there is a follow-on standard for a Voluntary Universal Healthcare Identification System (VUHID), which gives greater control to the individual.
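To make the architectural point concrete, here is an added example of an identifier that carries nothing but itself: a random body drawn from a CSPRNG plus a Luhn check digit, and a registry that records only which identifiers have been issued. This is my illustration, not code from the article, from GPII, or from the ASTM standard; the 16-digit body length, the Luhn scheme and the in-memory registry class are assumptions chosen for the example, and ASTM E1714 defines its own format.

```python
import secrets

ID_BODY_DIGITS = 16  # assumed length of the random part; not the ASTM E1714 layout


def luhn_check_digit(body: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits.

    Walking from the rightmost body digit, every other digit (starting with
    the rightmost) is doubled and reduced to a single digit before summing.
    The check digit brings the total to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def generate_identifier() -> str:
    """Issue a new identifier: CSPRNG digits plus a check digit.

    Nothing about the person (name, birth date, SSN, insurer) is an input,
    so the identifier cannot be reversed into anything about them.
    """
    body = "".join(str(secrets.randbelow(10)) for _ in range(ID_BODY_DIGITS))
    return body + luhn_check_digit(body)


def is_valid_identifier(identifier: str) -> bool:
    """Reject identifiers of the wrong shape or with a failing check digit.

    Luhn catches every single-digit error and every adjacent transposition
    except 09 <-> 90, so most transcription mistakes are stopped before any
    lookup happens and cannot silently resolve to the wrong person.
    """
    if len(identifier) != ID_BODY_DIGITS + 1 or not identifier.isdigit():
        return False
    return luhn_check_digit(identifier[:-1]) == identifier[-1]


class IdentifierRegistry:
    """The linking authority's entire data model: which identifiers exist.

    It deliberately has no field for demographic, financial or clinical data.
    Those stay with the providers that hold the records; this registry only
    issues and confirms identifiers, so a dump of it yields random numbers.
    (An in-memory set is an assumption for illustration; a real registry
    would persist its state.)
    """

    def __init__(self) -> None:
        self._issued = set()

    def issue(self) -> str:
        identifier = generate_identifier()
        while identifier in self._issued:  # collision is negligible, but be exact
            identifier = generate_identifier()
        self._issued.add(identifier)
        return identifier

    def known(self, identifier: str) -> bool:
        """Confirm an identifier, refusing malformed input before any lookup."""
        if not is_valid_identifier(identifier):
            return False
        return identifier in self._issued

    def record_count(self) -> int:
        return len(self._issued)


if __name__ == "__main__":
    registry = IdentifierRegistry()
    new_id = registry.issue()
    print("issued:", new_id, "known:", registry.known(new_id))
    # A single mistyped digit fails the check digit and never reaches the lookup.
    typo = new_id[:-1] + str((int(new_id[-1]) + 1) % 10)
    print("typo:  ", typo, "known:", registry.known(typo))
```

The security property is in what the registry refuses to store: `issue()` takes no arguments, so there is no way to attach a name, birth date or account to an identifier at the linking authority. The check digit is not a security control; it only keeps an operator's typo from resolving to a different patient's record.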
In fact, an experiment funded by the Robert Wood Johnson Foundation “demonstrated the technical feasibility of using a voluntary universal healthcare identifier card to link each person with their health record,” according to a post on the RWJF site about the research.
Unfortunately, the Western Health Information Network, where the experiment was based, declared bankruptcy (for reasons unrelated to the experiment) before the project was completed.
There is still an organization, GPII (Global Patient Identifiers, Inc.), with the knowledge and ability to implement a VUHID. New systems that allow patient identification without exposing critical patient information would avoid future ‘Equifax-like’ breaches. The standard already exists. All we lack are the resources and the will to move forward.
Photo: mattjeacock, Getty Images