In 2004, President George W. Bush signed an executive order directing that all Americans should have an Electronic Health Record (EHR) within 10 years. This order created the Office of the National Coordinator (ONC) for Health Information Technology and mandated updating of the nation’s medical information systems, including networked systems, to use EHR and to be able to share them securely. As a result, the Nationwide Health Information Network Initiative (NHIN) was begun which connects national Health Information Exchanges (HIE) storing EHR and to facilitate searches and exchanges of these records. A HIE could be an individual healthcare provider or an entity formed to aggregate multiple healthcare providers (gateway).

Clearly, a critical factor in the success of the NHIN (and a major responsibility for any HIE connected by the NHIN) is the ability to protect the confidentiality of medical information. This is highlighted by the high-level NHIN goal: “Ensuring that consumer’s health information is secure and confidential.” It is reinforced by the existence of the Health Information Portability and Accountability Act (HIPAA) which provides very stringent protections for health information and which has created a huge amount of turmoil in healthcare information technology departments.

One only has to skim through the newspaper on any given day to find a story about medical information being stolen or compromised and affecting thousands of people. The reason these attacks are productive is that, once you get past the security systems, the data contains identifying information that makes it useful. This presents a conundrum: the data is only useful because it represents information about someone but the fact that it is identifiable makes it vulnerable to any attack which can defeat the system’s security.

The NHIN architecture acknowledges this issue and discusses the need for something called pseudonymization as a way to solve this problem. Wikipedia defines pseudonymization as “a procedure by which all person-related data within a data record is replaced by one artificial identifier (like a hash value) that maps one-to-one.” In other words, the identifying information is modified in a way which still uniquely identifies the data but provides no information about the actual identity of the person.

This concept is hard to understand but actually implementing such a solution is even harder. Essentially, pseudonymization requires the ability to generate random but unique identifiers and, when needed, convert these identifiers back to something identifying the person it represents. Put within the context of the NHIN, it becomes even more challenging. For example, several different parties (NHIE) have medical records for the same individual each with different, anonymous identifiers. What happens when a doctor at another clinic or hospital (using yet another anonymous identifier for this person) wants to query the NHIN for all of the information available? How about the EMT in the field?

IDfusion

Clearly, a sophisticated system capable of performing the pseudonymization function is needed. The NHIN Prototype Architecture calls for it but the Trial Implementation phase has, to our knowledge, not produced a good solution. The NHIN Trial Implementations Subject Discovery Service Interface Specification describes a process which involves using demographic information (age, height, weight, sex, race, etc.) to describe characteristics about an individual and subsequently narrowing the search down to the point where a match is either found or not. This is a non-deterministic function which seems highly impractical, at best.

The reasons for a non-deterministic solution are not specifically stated but there are several likely ones. First, managing hundreds of millions of identifiers is very difficult. Second, the federal government has not given support for creating a national ID card so there is no standard way of identifying people on a national scale. Third, there are well-known security vulnerabilities associated with the central management of identifiers such that there are daily announcements of social security, credit card, and other identifiers being stolen. Fourth, federal policy precludes the use of cryptographic hashing which is a common solution for creating unique identifiers that are hard to guess or trace back to their owner.

IDfusion’s identity solution is a perfect match for this situation and provides a deterministic way to solve this problem. IDfusion’s solution (as described in United States Patent 7,325,143) provides a mechanism to create unique identifiers that can be used to obtain critical medical information from disparate sources but simultaneously preserve patient privacy. In our solution, organizations are grouped into hierarchies (Identity Domains) and establish trust relationships using their own local identifiers. For the healthcare information portability solution, two hierarchies would be created: an intrastate and interstate identity domain. Existing state controls and relationships would be preserved in the intrastate domain while new trust relationships would be established inter-state.

With IDfusion’s identity management solution, a simple ID card could be used to store an IDfusion-generated identifier for each individual. When visiting a clinic or hospital for the first time a local identifier for the patient would be generated using the identifier on the card. With IDfusion, there is no risk to the patient’s confidentiality because there is no way to use the identifier stored on the card to map to the identifier used by the clinic or hospital. As part of the first meeting with the patient and with their permission, the doctor can use the local identifier to send a query via the NHIN to get EHR from other caregivers the patient has seen before. IDfusion handles the process of converting this identifier to the local identifier at other sites and facilitating the retrieval of the EHR data. An additional benefit of IDfusion is that control of access resides with the national HIE. IDfusion provides for the means to prevent access as well as to facilitate it.