VUHID & Privacy

Balancing Privacy and Information Exchange

In the national discussion about improving access to care and ultimately creating an NHIN, the topic of privacy must be addressed. Too often, the concepts of 1) sharing clinical information across provider sites and geographies and 2) protecting the privacy of that information are presented as "either/or" propositions. That is, if you are going to share information you have to give up your privacy; or if you want to protect the privacy of your medical information, you can't share it. VUHID can drastically reduce this assumed contention by both improving the accuracy of patient identification to ensure linkages to all clinical information for a patient across participating provider sites — and providing privacy protections to any aspect of that information that a patient chooses to share selectively or not at all.

Healthcare deals with sensitive information that should remain private. The VUHID system is designed to help support these privacy needs through its ability to issue as many PVIDs as a person may need to protect various elements of his or her medical record. The fundamental improvement in medical privacy offered by PVIDs lies in the ability to link various pieces of medical information together but — unless the patient or physician specifically chooses to reveal patient identity — anyone receiving this information will not know who the information is about.

Privacy Considerations

Improving patient control over the privacy of their clinical information is one of our primary goals. The entire design of the VUHID system has been established to ensure that it does not increase privacy risks but instead significantly enhances patient control of the privacy of their clinical information. We recognize that we must prove that VUHID is "safe" from a privacy perspective or very few provider organizations or patients will opt to use the VUHID solution for accurate patient identification. We at GPII believe that the use of VUHID identifiers will enable you to do a much better job of managing the privacy of clinical information through a number of capabilities:

VUHID Open Identifiers and Private Identifiers

Much of a person's medical information is material that they will wish to be openly available to all of their healthcare providers. Data concerning vaccinations, an episode of pneumonia, the treatment of a broken arm or a bout of appendicitis are examples of such information. Open voluntary identifiers (OVIDs) are meant to be used to identify such information. In general, a patient should only need one OVID to link all clinical data that they want to be available to physicians and nurses across provider sites. Once a patient receives an OVID, it should remain with that patient for life and become the primary mechanism by which his or her medical information is assembled.

Private voluntary identifiers (PVIDs) are used to manage medical information that a patient wishes to keep private, revealing it only to one or a selected group of caregivers. Examples of such situations might include psychiatric information, sexually transmitted diseases, cancer data and the like. Each PVID is intended to link one set of confidential information such as data concerning an episode of cancer. PVIDs are anonymous in that only the patient, the EMPI or registration system that issued the PVID, and the caregivers that the patient chooses to inform are aware of the identity of a person associated with a PVID. Because each person may have many separate situations requiring enhanced privacy, the VUHID system assumes that each person may have as many PVIDs as their medical circumstances require.

No Central Database of Patient Information or External Control of Identifiers

An obstacle to the pursuit of a unique patient identifier system has long been the fears associated with the creation of a massive central database where patient information resides. GPII agrees that such a database would be a threat to patient privacy. So, in order to avoid any such threat, the VUHID system is designed so that it is never aware of the patient identity nor any clinical or demographic information associated with any specific VUHID identifier. No patient identification information is ever received by VUHID from any source. This means it will never be possible for the VUHID database to be a threat to the privacy of such data. It simply doesn't exist within the VUHID system.

The VUHID system is controlled by Global Patient Identifiers Inc. (GPII). GPII is a non-profit corporation that is dedicated exclusively to healthcare and the success of the VUHID project. There is no external agency involved. Specifically, there is no control exercised by the United States government or any other political agency. This arrangement ensures that the VUHID system will be permanently dedicated to the needs of healthcare around the world. This governance structure, taken in conjunction with the fact that there is no database of patient identification or clinical information, represents a strong assurance for participants that VUHID identifiers can never be turned to their disadvantage.

Unique Approach to Clinical Data Retrieval

The VUHID system is never aware of the identity of a person associated with any VUHID identifier, nor does it ever receive patient demographic or clinical information. Despite this fact, VUHID plays a role in retrieving all relevant clinical information concerning a patient. For each identifier, VUHID acts as a directory service. Although VUHID does not know who is linked to an identifier, VUHID knows which HIE(s) and EMPI system(s) processed that identifier. Thus VUHID can facilitate retrieval of clinical information. When a clinical information request is received, VUHID identifies the EMPI systems that have information on that identifier and enables them to establish communication with the requester. The requesting HIE and the HIE which has information on the patient can then initiate whatever transactions are necessary — with no further involvement by VUHID — to transfer the relevant data. Note that clinical data is exchanged between the two EMPI systems and is never sent to VUHID.

Reduced Risk of Medical Identity Theft

Medical identity theft is becoming a serious healthcare problem. It is defined as a circumstance in which one person misuses another person's information to obtain or bill for medical services or medical goods. Personal information is routinely repeated, either verbally or on paper forms, at every point of service in order to obtain medical services, for billing purposes and for other activities such as research studies. This repetition and low-tech management of sensitive personal information increases the risk of medical identity theft. Use of VUHID identifiers to perform these identification functions can eliminate the need to repetitively provide this information, and because the VUHID identifier has no personal information associated with it, the opportunities for medical identity theft are dramatically reduced.

Anonymization of Patient Information

There are situations where healthcare information is manipulated and analyzed — medical research, outcomes analyses and biosurveillance — but it is not necessary for the user to know the identity of the patient. The VUHID system addresses these situations by supporting the assignment and use of identifiers to create anonymous data sets. The goal of these anonymous data sets is to provide enough information for a healthcare worker to complete specific tasks without revealing the identity of the persons involved. This "anonymization" approach enables healthcare workers to have the information they need to complete their work rapidly, safely and efficiently while at the same time shielding the identity of the persons involved. HIEs can use these VUHID capabilities to remove identifying information from records so that information can be obtained without compromising patient privacy.

Management of Identifiers

VUHID identifiers are intended to be permanently assigned. However, errors will inevitably occur, and an identifier may no longer be considered valid. In these circumstances, the identifier can be retired or terminated. Retired identifiers are no longer considered valid to have new information added — e.g. in the case of patient death — but may still be valid for information retrieval. Terminated identifiers are not valid for any clinical use. If a VUHID identifier is terminated (e.g. because of duplicate assignment or a potential compromise of patient privacy), its associated medical information can be transferred to an existing or new identifier. These tools are available to authorized VUHID users who are subject to the policies and procedures of their organizations.

The use of VUHID identifiers helps organizations provide maximum privacy protections to their patients. However, even under optimal circumstances, mistakes occur that can lead to a violation of individual privacy. The VUHID system cannot prevent such incidents but it can support mitigation of these situations. If an identifier or a set of identifiers for a person becomes compromised, those identifiers can be terminated. VUHID, working through an HIE's EMPI system, can then issue replacement identifiers as needed to support future medical activities without concern about previous privacy violation incidents.
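
An added illustration, not GPII's code or API: a minimal Python model of the directory role described under "Unique Approach to Clinical Data Retrieval" and the retire/terminate rules described under "Management of Identifiers". The class and method names, the identifier strings a caller passes in, and the treatment of "transfer" as re-pointing directory entries to the replacement identifier are all assumptions made for the example.

```python
from enum import Enum

class Status(Enum):
    ACTIVE = "active"          # valid for new information and for retrieval
    RETIRED = "retired"        # no new information, retrieval still allowed
    TERMINATED = "terminated"  # not valid for any clinical use

class Directory:
    """Hypothetical directory: identifier -> status and EMPI system names.
    It holds no patient identity, demographic or clinical fields."""

    def __init__(self):
        self._status = {}
        self._empis = {}

    def issue(self, ident):
        if ident in self._status:
            raise ValueError("identifier already issued")
        self._status[ident] = Status.ACTIVE
        self._empis[ident] = set()

    def record_use(self, ident, empi):
        # An EMPI reports that it filed new information under this identifier.
        if self._status.get(ident) is not Status.ACTIVE:
            raise PermissionError("not valid for new information")
        self._empis[ident].add(empi)

    def locate(self, ident):
        # Answer only "which EMPI systems to contact"; data moves EMPI to EMPI.
        if self._status.get(ident) not in (Status.ACTIVE, Status.RETIRED):
            raise PermissionError("not valid for retrieval")
        return sorted(self._empis[ident])

    def retire(self, ident):
        if self._status.get(ident) is not Status.ACTIVE:
            raise ValueError("only an active identifier can be retired")
        self._status[ident] = Status.RETIRED

    def terminate(self, ident, replacement):
        # Assumption: transfer is modelled as re-pointing directory entries.
        if replacement == ident or self._status.get(ident) in (None, Status.TERMINATED):
            raise ValueError("invalid termination request")
        if replacement not in self._status:
            self.issue(replacement)
        if self._status[replacement] is not Status.ACTIVE:
            raise ValueError("replacement must be active")
        self._empis[replacement] |= self._empis.pop(ident)
        self._status[ident] = Status.TERMINATED
```

The only state a breach of this model's store would expose is which systems to ask about an opaque identifier, and a terminated identifier is refused for both writes and lookups.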

