When HIPAA was enacted in 1996, the law called for development of a unique patient identifier (sometimes referred to as a “national patient identifier”). In 1999, Congress passed legislation prohibiting the Department of Health and Human Services (HHS) from funding, implementing or developing a unique patient identifier system. This ban has been in place since then.

What is a Unique Patient Identifier

Has Congress Lifted the Ban on Unique Patient Identifier Funding?

No, but Congress recently came very close to doing so, and may attempt to do so again as soon as 2020. Recently, the House of Representatives added an amendment to its Departments of Labor, Health, Human Services, Education, and Related Agencies Act of 2020, which removed the ban. Removal of the ban would allow the HHS to follow through on this HIPAA requirement to develop a unique patient identifier.

However, a Senate Appropriations Subcommittee’s 2020 fiscal budget bill draft , released in September of 2019, bans HHS from developing a unique patient identifier. In simpler terms: the ban will most likely remain for at last another year.

What is a Unique Patient Identifier?

HIPAA, upon its passage, called for the development of a unique patient identifier for individuals. The purpose of a unique patient identifier is to allow for patients to be efficiently matched with their health codes. Under a unique patient identifier system, individuals would be assigned a unique national patient identifier code, to which their health data would be tied. This system, its advocates claim, would enable patient data to flow freely between healthcare organizations. A number of covered entities have advocated for a unique patient identifier system, claiming the system is necessary for full healthcare interoperability.

Healthcare industry experts believe that the ban is unlikely to be lifted as long as privacy concerns remain. One particular sticking point for privacy advocates is that, under the unique patient identifier system, a single identifier would tie an individual to medical records from the time the individual is born until the individual dies. The fear is that such a system could allow for tracking of Americans on a scale never before seen, through Americans’ healthcare records. Privacy advocates also worry that a unique patient identifier system could facilitate the use and disclosure of protected health information (PHI) without patient authorization. Many healthcare organizations maintain that such concerns are overstated; however, as cybersecurity attacks on healthcare organizations have increased in frequency and prominence, privacy concerns and security concerns are expected to remain.