In the previous post, we looked at the challenges the industry has faced when it comes to balancing data security and privacy, and the steps that have been taken to mitigate them. This piece will focus on the urgency for a national patient identification system.
The use of a national medical ID would facilitate the secure transfer of medical records from providers to specialists and log the transactions. We could replace processes that can’t be logged with transparent ones that empower the patient by letting them see who has seen their records. We give them the ability to move and take their records with them.
Until this happens, patient privacy remains a major issue that carries significant reputational risk for providers, while the lack of it erodes trust between provider and patient. The risk is clearly seen in the numerous cases of hospital employees caught looking at the medical records of celebrities such as Kim Kardashian and Jussie Smollett. One challenge is that patient privacy software can be prohibitively expensive; although it is required to detect fraud in EMR systems, software that can do so automatically is the province of larger health systems and practices that can afford the price tag.
Even these sophisticated systems cannot protect privacy or integrity when we transfer information through paper or electronically via flash drive, email, or CD/DVD. We run the risk of introducing fraud into the medical record, even inadvertently. We need to do better.
We also must reduce provider credential overload. Providers are forced to remember usernames and passwords for their main EMR, network, HR/benefits, HIE, and maybe multiple other EMR systems. Several years ago a neurosurgeon customer showed me a lanyard of ID badges for several different hospitals in the Philadelphia area where he had credentials. He also needed multiple accounts to log into all of their EMRs. This was overwhelming him.
Faced with credential overload, people tend to use the same simple password for multiple sites, sometimes scrawled on a sticky note. No surprise that we see data breaches involving unprotected passwords, such as one recently involving LinkedIn. Two-factor authentication that does not involve text messaging, using a secure product such as Cisco Duo, Imprivata, Symantec, or Entrust Datacard, in combination with one set of credentials for the EMR and HIE, will reduce the risk of password hacking.
It’s not going to be easy. Significant qualified resources are required to match the numerous patient records across TEFCA entities, known as Qualified Health Information Networks (QHINs). This will take years to accomplish, during which time the SSN will have to be used along with a national medical ID to reconcile records. When the old End Stage Renal Disease (ESRD) networks had a similar initiative 20 years ago to consolidate systems as part of the CROWN initiative, multiple team members were needed to reconcile patient records nationally. This will take training and reallocating nursing and HIM resources to succeed, and will require organizational change management and champions who can communicate a sense of urgency and importance.
There’s a lot more to a medical ID than adding a field to an EMR, and it should be done in conjunction with TEFCA to establish a national HIE so patients can best realize the benefits. It will take a mobilization and educational effort similar to the one that made EMR usage pervasive in the first place. This is going to be a long-term effort that is part of the overall TEFCA plan.
One way to make this initiative succeed is with Robotic Process Automation (RPA) or more efficient, updated systems that are able to free up underutilized resources to accomplish more productive and imperative tasks involving patient matching and a national ID. The changeover isn’t easy, and can’t be accomplished with automation alone. Initially it will require intensive resources and communication on how to reconcile numerous EMRs. The goal is fewer needed resources and standard work once the difficult parts are completed.
The New Normal
As we progress toward TEFCA and a corresponding national ID becoming ubiquitous, it will become part of normal business activity and a new equilibrium: one that is respectful of patient privacy, doesn’t collect information that can be used for nefarious purposes, allows us to track and address potential medical ID fraud much more easily, and reduces the demands on patients, guardians and caregivers to maintain accurate records needed for treatment.
We can’t let the outlooks and practices of 20 years ago, and the corresponding issues of the decision that prevented federal funding for a national patient ID separate from the Social Security Number as part of HIPAA, continue. Our patients deserve better protections. The adoption of a national medical ID and TEFCA are two ways we can help.