Privacy and Patient Identification: Do the risks outweigh the benefits?

By Gus Malezis

October 21, 2020

Recently, Imprivata was pleased to have the opportunity to present at ONC’s Working Session on Patient Identity and Matching. We joined a group of patient identity experts including scientists, clinicians, politicians, and other healthcare IT vendors, to provide input and insight into existing challenges and promising innovations in patient identity and matching. It was a full day of discussions on topics including patient healthcare benefits, privacy, data governance, and trust frameworks, all of which served to inform ONC’s report to Congress on evaluating the effectiveness of technical and operational methods that improve identification of patients. 

I came away from the session very impressed by what this group of experts, including the Patient ID Now coalition, of which we are a member, has done and will continue to do to advance patient identification, particularly as we all work together to support the repeal of the Universal Patient Identifier (UPI) ban.  

But the session really got me thinking about patient privacy, and security.  

Specifically, a series of questions streamed into focus, relative to addressing privacy, and security, for when we adopt an effective UPI system. Here are a few of the questions: 

  • How do we define healthcare ID and privacy? 

  • Can we safeguard healthcare ID and privacy? 

  • If so, how do we ensure privacy? 

  • What are the right technology systems to safeguard privacy? 

  • What controls can we, and should we, offer the user in this system? 

  • Is patient consent required, and how would it be tracked? 

  • Should the user have control over who is authorized to view health information? 

  • What degree of granularity should we offer in the access to pertinent health information? For whom, and for how long? 

Let’s take the first question – how do we define healthcare ID privacy (HIDP – yet another acronym)? 

Is there really such a thing as privacy anymore? Many scientists, and the data available to us, would suggest, on solid ground, that privacy in the digital world is a tricky thing, and that we are all already “known.” Just about all of us who use the internet and digital universe to search, view information, read the news, play games, pay bills, conduct financial transactions, and shop are already known to the digital world, known via these online activities.  

How is this happening? This knowledge of an individual is built up via allowable and legal means as well as illegal data exfiltration actions. On the legal side, the observation of activities and collection of data such as every search we do, the news we read, the games we play – each and every one of those activities - allows online companies to build a profile on us for the purpose of identification and their interest in marketing to us. Have you ever noticed a quick casual search for something – say, a cell phone, a puppy, a backpack - magically results in a set of ads that now appear on the news page you review regularly? This is your digital identity profile in action! Of course hackers are also hard at work, exfiltrating information on users from companies that have data on you, and a quick view on this url shows there is no shortage of hacks. 

At Imprivata, we’re not in the business of puppies and backpacks; the industry we’re focused on is healthcare, and cybersecurity. What are the questions we should be asking or taking into consideration when it comes to healthcare IDs, especially patient identification? 

Let’s start with understanding some of the benefits of a positive patient identification solution. We’ll assume it’s a biometric, maybe a fingerprint,  a palm vein or even facial recognition. When a patient arrives for care, the registration desk simply scans her hand or face, and she is matched– almost instantly – to her medical record. She doesn’t have to waste time filling out forms or answering questions, and the healthcare organization doesn’t have to worry about duplicate medical records, overlays, or even insurance fraud. Everybody wins, right?   

Well, there is risk. What if that patient isn’t comfortable sharing her biometric data? How do we ensure her that her personal information will stay in the right hands? I’m confident that we can address these concerns with the right approach and the right technology. Here are a few things we should consider:  

  1. Build patient trust with transparency. What if we gave patients near real-time visibility into who is accessing their data after they scan in for care? The technology exists in other industries. If you want to see who is accessing your credit data, you can get that information from Experian or TransUnion. If you want to know who might be interested in hiring you or partnering with your business, LinkedIn can tell you who has been perusing your profile. We can work together to give patients access to the same type of consumer-driven data so they don’t have to worry about who is getting their hands on personal information.   

  2. Ensure protection with the right technology. Banks have been protecting customers’ digital identities for decades and are at the forefront of the KYC (Know Your Customer) revolution, leveraging remote identity proofing, dynamic authentication, and privacy preserving biometrics. Healthcare must do the same and deliver a KYP (Know Your Patient) experience for the current digital era.  

  3. Allow for opt-outs. If a patient is not comfortable with sharing their personal information or leveraging biometrics, let them opt out. Just as other industries allow some customers to pay bills with cash, we can let customers revert to pen and paper – filling out the forms and answering all the questions – if that’s what makes them comfortable.  

This is just the beginning of the conversation, but it’s a conversation in which we want to engage. We owe it to patients, and to our healthcare customers, to get this right from the beginning. Privacy is key, so let’s give it our best shot.  

To learn more about patient identification in healthcare today, register for the Imprivata webinar, Open for Business: Positive patient identification in today’s healthcare environment.”