The Personal Immutable Properties proposal as described by the ANSI HISB Inventory of Standards is designed as a 19-digit number. The identifier would have 3 immutable values, plus a check digit, with each separated by a delimiter. The first value is a 6-digit geographic code based on degrees of longitude and latitude. The third value is a 5-digit sequence number assigned by an area jurisdiction, with an international registry administered by an organization such as the World Health Organization. Temporary assignments would have a leading "T". In general, the proposals based on personal immutable properties involve an identifier based on a combination of a person’s characteristics that would not change (for example, birth name, date of birth, place of birth, gender, mother’s maiden name). Positive attributes include: the individual would not have to remember a new number, since the identifier would contain known elements; it is a new choice that provides a new start and can be designed to exclude known defects or limitations; and it avoids crossover problems from an existing system. Negative attributes are that it would require the creation of a new system for assigning and maintaining the number as well as technology infrastructure and administrative structures; it could be assembled by someone who knows personal details about the individual and then could be used fraudulently; it remains only as an untested concept; is not content-free; and the development and implementation would require a huge investment of financial resources.

The Civil Registration System proposal uses records established in the current system of civil registration as the basis to assign a unique, unchanging 16-position randomly-generated (in base 10 or 16) identifier. Uniqueness would be established based on data, such as name, date of birth, place of birth, and mother’s first name, present in the civil records. 16-digit identifier would link person’s human services to medical treatments. A system would be developed to track these and other encounters with the civil system. To guard against unauthorized access of records and to ensure voluntary participation of tracking, the individual would choose a personal identification number (PIN). Has not been pilot tested and no cost estimates are available. One positive attribute is that it meets the requirements of HIPAA for a standard, unique health identifier for each individual. However, the negative attributes are that it would not allow for an identifier specifically limited to health care; coordination among the State-based birth registration agencies would be a major barrier to implementation; cost of implementing new system would be high; and the proposal would likely raise very strong privacy objections.

The Bank Card Method would consist of a) a 13 to 15 digit identifier with a set of digits to identify the practitioner or the medical group, b) another set of digits to identify payers, and c) a set of digits to identify conditions, such as allergies, disease, etc. A credit card-type plastic card would be used as the identification medium with an authenticator such as mother’s maiden name or date of birth "woven" into the card along with the individual’s name as an easily read identifier for convenience. Positive attributes include: it is a new choice and can be designed to exclude known defects or limitations; provides an opportunity to develop the required specifications and design precisely for the system to efficiently meet the industry's need; avoids crossover problems from an existing system; the capability to implement such a system is already in the private sector; and the necessary technology has already been developed. Negative attributes are that it remains only as a concept and its fruition depends upon significant planning, preparation, specification, design and development; the purpose and scope of Bank Card is limited; it is untested; it lacks technology infrastructure; requires Central Trust Authority; and will entail a substantial investment of money.

The Lifetime Human Service & Treatment Record (LHSTR) Number Based on a Birth Certificate proposal is relies on birth certificates, which are personally specific and uniquely enumerated. The proposal consists of linking birth documents to a randomly assigned 16-digit number. The method includes a six-digit check-digit verification and a public-key/private-key-based encryption on an as needed basis. A three tier approach is explained in the proposal as follows: first order of documents - a set of seven core data elements; second order of documents – includes a longitudinal component supplementing the basic record to corroborate over time to protect against error or fraud of the association between the individual and the record; and third order of documents – consists of medical or social service record. Purpose is to facilitate event-by-event tracking of all health and human services provided to an individual on an explicit and consensual basis. Positive attributes include: it meets both the basic functions criteria and the privacy and security criteria effectively; avoids crossover problems; the three (3) components of the civil registration have the maximum potential to enumerate all individuals living in the nation for the issue of the 16 digit LHSTR Number; the three (3) level data segments can provide reliable identification about a patient's medical records; provides patient participation with PIN security; and provides an opportunity to design an identification system that can take advantage of emerging technologies. The negative attributes are that it is at a conceptual level; is untested; lacks existing infrastructure; lacks existing plan and procedures; and will entail significant cost.

III.PROPOSALS THAT DO NOT REQUIRE UNIVERSAL/UNIQUE IDENTIFIERS

The Identification Methods Based on the Master Patient Index (MPI) Concept incorporates a commonly used system in healthcare that links a patient medical record number with a limited set of common identification elements known to a patient, such as patient first/last name, sex, birth date, SSN and mother’s maiden name. The MPI system matches the common data elements across its index to identify the patient’s medical record number, which is required to retrieve medical record. Other proposals based on the MPI include: Directory Service, Common Object Request Broker Architecture, Healthcare Domain Task Force (CORBAmed) Person Identification Service (PIDS), Health Level Seven (HL7) Master Patient Index Mediator and, Sequoia Software Award for Research and Development of a National Mater Patient Index. Positive attributes include: these proposals would not require any changes to implement a unique health identifier; existing numbering systems would continue to be used, reducing costs associated with changing over to a unique health identifier and eliminating the effort, time and investment that will be required for developing and implementing a new identifier. The negative attributes of the proposal are that: it depends upon search, match, and link functions that have not been implemented in the health system on a national scale; depends upon provider organizations’ participation in the processes to update directories and to link and match information; matching depends upon the probability that records having certain data characteristics in common belong to the same individual; human intervention is required in some cases to confirm the final match; and proposals depend to some extent on new technology that has not been tested on a national scale.

The Identification System Based on Existing Medical Record Numbers with a Practitioner Prefix as discussed in the Notice of Intent calls for a practitioner prefix to be added to the medical record number. The medical record is unique only within the provider organization. The two-position practitioner prefix would indicate a practitioner that maintains medical records on the individual. The NCVHS document also includes a proposal on the practitioner prefix that would not change the current practice of patient identification. Neither proposal creates a permanent unique identifier.

The San Francisco Family Health Organization’s (FHOPs) Core Data Elements-Based Patient Identification has opted for data standardization and unique client identification instead of establishing a unique client ID. The identifying data elements consist of two sets – Core Data Elements (birth name, birth date, birth place, mother’s first name, and gender) and Confirmatory Data Elements (Social Security Number, other client number, father’s name, mother’s maiden name, current name, county of client’s residence, and zip of client’s residence) The proposal uses object oriented software technology and a blocking technique (used to determine the relative weighting order an alphanumeric string value is derived). The Common Patient Identifier value can be destroyed after linkage, serving as a virtual identifier. Positive attributes include: it uses a common set of data elements from which an alphanumeric value can be derived; patients are familiar with data elements; and it eliminates the effort, time and investment that will be required for developing and implementing a new identifier. The negative aspects are that it is not a unique patient identifier; it does not replace existing identifiers, but is used in addition to existing identifier; and the use of patient's personal information for identification has inherent risk for violation of privacy.

IV.HYBRID PROPOSALS

The UHID/SSA Proposal suggests an identifier based on properties of the Sample, UHID as described in the ASTM’s Standard Guide, with the SSA as the trusted authority for assignment and maintenance. The identifier would consist of four parts: (a) a sequential number that identifies an individual uniquely, (b) a delimiter, (c) one or more check digits, and (d) an encryption scheme identifier to allow for extra protection of a patient’s identity in sensitive situations. It does not specify the lengths of each component of the identifier and people who do not have an SSN would be issued UHIDs as they generate their first encounter with the health system. UHID would maintain the database linking the SSN with the health identifier for its internal verification process, but other unauthorized users would be prohibited from linking the two numbers. Positive attributes include: it meets the requirements of HIPAA for a standard, unique health identifier for each individual; designating the SSA as the responsible authority builds on the present infrastructure for issuing SSNs; incorporates check digit and encryption capabilities; and would restrict the identifier to health care uses that can be protected with legislation or regulation. The negative attribute associated with this proposal is that it would be costly to the industry to modify its systems and adding another, longer identifier would be significant.

The Veterans Health Administration (VHA) Hybrid Model is currently being pilot tested. Method involves the use of a master patient index system that identifies patients using VHA services based on several identifying properties, including SSN, and the assignment of a unique identifier that is based on the ASTM Sample UHID. VHA terms this unique identifier an Integration Control Number (ICN). When a person does not have an ICN goes in for care, the central system assigns a temporary ICN. If person is later identified and has an ICN, the temporary ICN becomes an alias to the principal ICN. Positive attributes include the use of the ICN to correct deficiencies in use of the SSN as an identifier and the ICN is used only for health care. Negative attributes are that some of the negatives of the UHID/SSA proposal, such as length and cost to implement, carry over to this system due to their similarities; and it would not be cost effective to implement on a national scale if an entirely new agency had to be created to provide governance.

V.CRYPTOGRAPHY METHODS THAT ARE NOT IDENTIFIERS