June 21, 2010
National MPI — Why Such a Numbering System Raises Concerns
By Elizabeth S. Roop
For The Record
Vol. 22 No. 12 P. 10
The prospect of identifying patients by a single number across all care spectrums sounds enticing, but HIT experts question whether there really is a need.
In 1997, the U.S. Commerce Department’s National Institute of Standards and Technology awarded a multimillion-dollar research and development grant to Sequoia Software Corporation to develop a national master patient index (MPI). The stated goal was to form an MPI for a “massively distributed medical records system” across a national computer backbone, the need for which had dramatically increased due to provider consolidations and collaborations.
Fast forward 13 years. While Sequoia, acquired in 2001 by Citrix Systems, did ultimately introduce Interchange98, touted as healthcare’s first XML transaction server, it would appear that we are no closer to a true national MPI today than we were when NBC’s Thursday nights were must-see TV.
It’s easy to point fingers at a lack of technical capabilities, ironclad security standards, or even leadership willing to drive development. However, the reality likely is far simpler: A true national MPI is neither needed nor wanted.
“I don’t think there will be a national MPI, and I don’t think we need one in order to manage patient identification at a national, state, or regional level,” says Lorraine Fernandes, RHIA, vice president and healthcare industry ambassador with Initiate Systems. “You don’t hear many advocating a national MPI or record locator service for the obvious reasons—privacy, security, consent management, risk management, etc. Does the industry really need it? No. Most interoperable healthcare use cases are satisfied with regional or state patient identification solutions.”
Where you do see demand for and progress on an MPI system that extends beyond the boundaries of individual hospitals and health systems is at the state and regional levels, where a number of health information exchanges (HIEs) and other data-sharing initiatives have worked out many of the bugs that would plague a national system.
“Almost all regional HIEs have a record locator service. They’ve demonstrated how to build it, which data elements are necessary, and how to mesh it with managing consent [requirements]. They’ve dealt with the privacy issues and educated consumers on how their data will be shared. They’ve been there, done that,” says Fernandes, whose company serves as the state or regional MPI for approximately 45 information exchanges in the United States and Canada.
Drawbacks Edge Out Benefits
Most agree that should a national MPI ever come to fruition, it would deliver several significant benefits. The most-often cited is the ability to accurately identify patients and access their complete medical records regardless of where they have been or are being treated.
According to Beth Just, president and CEO of the HIM and informatics consulting firm Just Associates, that capability is particularly important in today’s highly mobile society. “I also believe there will be cost advantages created by decreased repetitive testing and more accurate treatment based on historical patient information being available to the treating physician,” adds Just, an AHIMA board member and fellow.
However, she notes that the complexity involved with utilizing a single identifier to connect a patient’s medical data across multiple providers will cause significant delays in achieving suitable levels of accuracy across the overall national system. “There is no single identifier available to be used to connect the records for one patient across multiple providers, regions, and states, let alone nationally. Without this, we rely on demographic data, which is often error prone. I think we’ll see a high degree of inaccuracy for several years,” says Just.
Victoria Wheatley, senior manager of identity management solutions for QuadraMed, an HIM solutions provider, cites the ability to link records and track clinical information across the spectrum of care as another substantial benefit. However, like many others, she is skeptical about the feasibility of a true national MPI given its complexity.
For example, she notes that the massive volume of information that would be involved in a national program would make it nearly impossible to efficiently manage, maintain, and secure.
“Hospitals and healthcare systems don’t really have a good track record of being able to do that kind of identifier management accurately and consistently,” Wheatley says. “There are a lot of challenges with administration of the database, and privacy and security concerns would definitely be a drawback.
“The identifiers, just by virtue of the huge volume of information, would have to be kept separate from all the information they connect to,” she adds. “That’s pretty much what we have now [in hospitals], but it would be on a larger scale. It’s hard to imagine all that in one central repository.”
A Laundry List of Dangers
Some are more than just skeptical about the viability of a national MPI. They see no realistic scenario under which such a system could work due to a laundry list of issues, ranging from poor data quality to privacy barriers and what is certain to be a protracted battle over ownership and governance.
Barry R. Hieb, MD, chief scientist with Global Patient Identifiers, Inc (GPII) is one such critic. Though he admits to a certain level of bias—GPII sponsors the Voluntary Universal Healthcare Identifier project making unique healthcare identifiers available to any patient who uses the services of a regional health information organization or HIE—he also makes a strong case against a stand-alone national MPI as unfeasible.
“The problem is not the sophistication of the matching. The problem is the data,” he says. “There is no way to validate an identity with just an MPI.”
The volume of data involved in a national MPI would make it not only an expensive endeavor but also fraught with accuracy problems, increasing exponentially with the size of the database.
Further exacerbating the situation is the fact that the data elements commonly utilized in setting up an MPI are often population or geography based, which, notes Hieb, will not work on a national scale. Further, most eMPI systems enable end users to set an upper and lower parameter that the system uses to determine whether the record returned is a true match.
“In between is this area of uncertainty, a gray area where the system says ‘I don’t know.’ You have to have people to work on those ambiguous matches to figure out are they or aren’t they,” Hieb says. “Who is going to do that?”
Someone must also be responsible for setting those parameters and deciding on an acceptable error rate. Hieb notes that the current industry match rate has an average error margin of 8% to 10%. That may be considered acceptable on a local level but is probably unlikely to be embraced for a national system.
“We would argue that it would be hard to justify putting in place a national MPI with a 10% error rate,” he says, adding that “you might need five matches a year, and one of those is going to be wrong. Whoever makes that decision is going to be heavily criticized.”
Ownership is also a significant roadblock, says Hieb. If the federal government controls the system, a certain segment of the population will view it as a Big Brother situation. He also has serious concerns surrounding security, privacy (see sidebar), and confidentiality.
“If the system is created, not only will hackers want to get into it … but lawyers could conceivably walk in with a subpoena and say we need to see everyone who had an abortion in New Jersey because we’re doing a class action lawsuit,” he says. “Legislators are also a problem. A corollary of that is, as far as I can tell, a national MPI could not be limited to just healthcare uses. As soon as such a thing exists, Congress could use it to track citizenship, libraries could track overdue books, etc. It would be a huge database that is incredibly appealing to all sorts of different elements, both legal and criminal.”
Other obstacles Hieb identifies include a lack of an acceptable standard governing the demographic information that would be used for matching as well as inconsistent naming conventions such as the use of two surnames by some ethnic populations.
Merging and unmerging records present yet another challenge. For example, who dictates when it’s done and who is responsible for policing the system?
“We are talking about almost an intractable problem at the national level,” says Hieb. “It’s a daunting, daunting task.”
If the Impossible Happened
Despite the nearly insurmountable obstacles standing in the way of a national MPI, several of the experts interviewed for this article were unwilling to suggest it is an outright pipe dream. In fact, most agree that the technology exists, to a point, and that work already under way on the National Health Information Network (NHIN) could ultimately result in some form of a national patient identification program.
Wheatley predicts that the final architecture will be based on a federated rather than centralized model. Her reasons are twofold. First, hospitals and health systems already have MPI systems in place with identifiers matched to their patient populations. Second, this is the direction the NHIN is already taking.
“I don’t see the U.S. healthcare system replacing the existing patient indexing systems. Those identifiers are too important. They are linked to a lot of important information, so we need to link them up to another system rather than replace them,” she says, adding that a federated model also has the potential to get past the ownership and control issues that have plagued other aspects of HIE. “You see what is going on in those hospital systems without a common governance structure. They say they want to collaborate, but they really don’t because they compete. There are interesting dynamics going on there.”
Just concurs that the final structure will likely be made up of interconnected state and regional initiatives rather than a single, centralized database. She also believes the leadership necessary to move the process forward will come from within the HIM sector rather than HIT or even the federal government.
“I strongly believe that AHIMA, as the professional association of members who understand medical records and MPIs, needs to be at the forefront in advising regional and state exchanges and the ONC [Office of the National Coordinator for Health Information Technology] at the federal level. Without our guidance and involvement, I believe the error rate within these MPIs will cause failures and potentially patient harm,” says Just.
She also agrees that governance and competitive concerns as well as a lack of exchange standards must be addressed if any momentum is to be gained. Other issues include politics among exchange members and the reality that data collection and storage differ among provider organizations.
Finally, the variances in data accuracy from one provider organization to the next mean that “the successful exchange of data is at the mercy of the weakest provider of information,” according to Just.
Fernandes notes that the objective of a national MPI is likely to be achieved without actually establishing a formal program, and it will happen in a manner that overcomes many of the objectives and challenges the concept currently faces.
“The objective will be met when all of the states, in two or three years, have [established] their state-designated entity that supports data exchange in whatever fashion each state executes,” she says. “The business objective will be met by the ability to do peer-to-peer queries.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.
PRIVACY ADVOCATES: NATIONAL MPI A GOLD MINE FOR IDENTITY THIEVES
The most vocal opponents of a national master patient index (MPI) are typically staunch advocates of patient privacy rights—and it’s unlikely that stance will change any time soon.
“It is a very privacy-destructive idea that is totally unnecessary. The national and international privacy advocacy communities will always oppose single identifiers, especially for health information,” says Deborah Peel, MD, founder of Patient Privacy Rights. ”The only reason to employ this kind of system is to facilitate convenient access to patient records by the health data-mining industries whose businesses are based on the theft of PHI [protected health information].”
Peel notes that patients are willing to grant consent to access their PHI to legitimate users who will support and use an ethical system that protects the privacy of their patients and the Hippocratic Oath. A national MPI is not that system, she says.
“The claim that single identifiers are convenient is true. But that convenience has to be weighed against the destructive outcomes when such systems are used to enable the collections and linkage of the most sensitive data on earth. The risk is not worth the very real dangers and consequences,” says Peel.
The primary concern among privacy advocates is that a national MPI makes it easy to find comprehensive personal information. Once an individual’s MPI number is breached or stolen, it is impossible to recover his or her health privacy.
Barry R. Hieb, MD, chief scientist at Global Patient Identifiers Inc, agrees that the potential for identity theft is a particularly sticky problem for proponents of a national MPI. With instances of medical identity theft increasing by 112% from 2008 to 2009, according to Javelin Research & Strategy, the fear of a breach is very real.
“The problem with an MPI is that in order to do matching, you send your identity to every organization that has to do a match in order to make that match accurate. So what that means is that your personally identifiable information gets spread across the world,” Hieb says. “The fact that this system depends on repeatedly sending your identifiable information to many different locations is quite problematic in terms of identity theft.”
One solution that would appease privacy advocates while enabling the spirit of a national identifier is a system that uses disseminated IDs or account numbers, similar to individuals having multiple credit cards and bank accounts with different account numbers.
In this system, patients would obtain electronic copies of their health records from their various providers and deposit them into a health bank account with ironclad security and a “cubbyhole” database architecture. Thus, if security is breached, only one account is compromised. Separate account numbers at separate places holding PHI would also protect health privacy and enable the selective sharing of PHI as dictated by the patient.
“No one should be forced to give up the privacy of all personal health information to get the benefits of HIT. We have constitutional rights to privacy as well as strong rights to segment sensitive records,” says Peel. “There is no way to make [a national MPI] safe for privacy. By its nature, it destroys privacy.
“Privacy fears cannot be addressed because this method makes it so easy for anyone to get everything about you if they can steal or find your single MPI number. That is why distributed identity systems must be used,” she says. “If the security of one system is breached, say your ID at Hospital X is stolen, all the rest of your data in many other places is still safe.”