Unique Health Identifiers Feared as a Threat to Privacy

By Melanie R. Margolis

The administrative simplification portion of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains a requirement that the Department of Health and Human Services (HHS) adopt standards for health care administrative transactions (i.e., claims filing), a system of unique health identifiers for individuals, employers, health plans, and health providers, and standards for electronic transactions. The unique health identifier for individuals has recently begun to attract media attention.

HHS has issued a White Paper entitled "Unique Health Identifier for Individuals." The White Paper explains the background of the unique health identifier, discusses proposed options for the identifier to be used, and solicits public comments. On July 20-21, 1998, the National Committee on Vital and Health Statistics, which advises HHS on standards, held hearings on unique health identifiers. The information gathered at the hearings will be considered in preparing regulations implementing the HIPAA requirement.

The purpose of the unique health identifier for individuals is to reduce administrative costs and improve the quality of care. Currently, patients are assigned a different identification number by each of their health care providers, insurance companies, and health plans, while delivery and administration of health care often transcend the boundaries of these entities. Proponents of the assignment of a single identification number contend that research, continuity of care, record keeping, follow-up, preventive care, prompt payment, and detection of fraud and abuse would be improved.

Opponents feel that privacy will be jeopardized. To ensure the protection of individuals’ privacy, HIPAA addresses the wrongful disclosure of unique health identifiers and individually identifiable health information. HIPAA contains criminal sanctions that apply to a person who knowingly and in violation of HIPAA uses or causes to be used a unique health identifier or obtains or discloses individually identifiable health information. The minimum penalty is a fine of not more than $50,000 and/or a year in prison. The maximum penalty, a fine of not more than $250,000 and/or 10 years in prison, applies if the offense is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

One option being considered is basing the identifier on individuals’ Social Security numbers. This option would enable public health researchers to easily link, for example, police accident records and hospital records to track the effectiveness of helmets, seatbelts, and airbags. This option, however, is feared by some to be the greatest threat to privacy. Social Security numbers are frequently used and, therefore, readily available to persons with the potential to misuse health information that would be accessible with that number. Numerous persons and entities would have a strong interest in access to individuals’ health information (e.g., employers making hiring decisions). Opponents fear, and the fear is not unfounded, that a single health identifier, whether or not based on Social Security numbers, will make it easier to access individuals’ health information and to exploit such information for "commercial advantage, personal gain, or malicious harm."

Opponents contend that use of unique health identifiers for individuals should not be implemented at all, or at least not until strong federal privacy legislation is in effect in addition to the HIPAA criminal protections. Congress must pass health record privacy legislation by August 21, 1999. If Congress fails to pass such legislation, HHS must promulgate privacy regulations by February 21, 2000.