Int'l Conf. Information and Knowledge Engineering | IKE'11 |


Integrating Electronic Health Records Using Universal Patient Identifiers KSA

Ahmed Emam, Ahmed Youssef, Samir EL-Masri, Mohammed Alnuem
Dept. of Information Systems, College of Computers and Information Sciences, King Saud University, Riyadh, KSA


Abstract— One of the required standards of healthcare information technology (HIT), and especially of Electronic Health Records (EHR), is the development of a unique patient identifier (UPI) that enables physicians, hospitals, and other authorized users to share clinical and administrative records more efficiently. There is still no standard UPI format, which makes it hard to exchange patient information across countries and to integrate heterogeneous medical information systems. This work explores and investigates the desired attributes of any UPI: Unique, Non disclosing, Invariable, Canonical, Verifiable, and Ubiquitous. A sample case study demonstrates how necessary it is for Saudi Arabia to adopt and develop a UPI for patients. A process framework and a schema for the proposed solution are also presented as a guideline and as the basic steps toward adopting a UPI in KSA.

Keywords- Unique Patient Identifier; Electronic Health Records; Cloud Computing; Health Information Technology.

I. INTRODUCTION

Good clinical decisions based on bad data guarantee bad clinical outcomes. This statement is very true, and it is the main motivation behind this research. Among the many definitions of healthcare information technology (HIT), the main goals are saving money and significantly improving the quality of health care. The International Organization for Standardization (ISO) is a worldwide federation of national standards bodies that prepares International Standards; ISO Technical Committee 215 in particular sets standards for health informatics. Most developed countries, such as those of the European Union, Australia, and the United States of America (USA), have adopted special standards; for example, the USA approved the Health Insurance Portability and Accountability Act (HIPAA) in 1996. To replace paper with an electronic record while maintaining all of a patient's care, an Electronic Medical Record (EMR) or Electronic Health Record (EHR) system has become essential. An EHR is a computer program in which patient records are created, used, exchanged, stored, and retrieved. Because every healthcare provider keeps a separate paper or electronic medical record for each patient, there is no ability to integrate information between the various EHR systems. When data is integrated by using an EHR system, patient care improves and HIPAA compliance is ensured.

HIPAA mandated special requirements to improve the quality of health care and preserve patients' rights. One required standard was the development of a unique patient identifier (UPI) to enable physicians, hospitals, and other authorized users to share clinical and administrative records more efficiently. A UPI has many benefits: it reduces errors, improves interoperability, reduces the cost of maintaining EHRs, and prevents privacy breaches. One advantage of a properly implemented UPI system is its freedom from errors, achieved by giving each person a single, unique identifier that follows them throughout their lives and is used only for health records. Another advantage of adopting a UPI is that it separates health record information from financial record information, which is a target for identity thieves, and it can improve privacy by limiting the transmission of more sensitive identifiers (names, addresses, and SSNs). Given these advantages, the USA Department of Health and Human Services (DHHS) moved forward in 2005 with steps to investigate the development of a UPI by linking patient records across different networks. Implementing a UPI is very costly and depends on several variables, including the architecture chosen to achieve connectivity between different EHR systems. The cost of implementing a UPI consists of a one-time investment and an annual maintenance cost. Money aside, several tasks must be completed before a UPI is implemented. Establishing a legal environment will be the best protection of patient privacy and will encourage the advances through which interoperability would increase health care quality and efficiency.

In the Kingdom of Saudi Arabia (KSA) today, most healthcare providers work as isolated islands and adopt different EHR systems. A patient can therefore have more than one record in different EHR systems, which reduces the quality of the provided service and significantly increases the risk in the treatment process. The main goal of this work is to explore the adoption of a UPI in KSA and to propose a framework for it.

Healthcare researchers and the industry are shifting rapidly toward the use of electronic health records (EHR) in the medical field. The major priority for any healthcare provider is clear, high-quality data that can be shared among different departments within the organization, and that can be achieved through accurate Patient Identification (PI). Because of the enormous impact that PI integrity has on the clinical, financial, and administrative business of healthcare, it is imperative that the quality of an organization's identity integrity be addressed as a major priority within the organization, and most certainly prior to sharing data externally with other stakeholders. Stakeholders should require quality data from fellow participants prior to participation in any data exchange. In developed countries, health care fraud accounts for an estimated 3 to 10 percent of all health care costs, or 80 to 120 billion dollars of loss per year. Accurate identification and verification of identity is also important for reducing fraud due to medical identity theft [1].

II. RELATED WORK

Carpenter [1] mentioned that the Department of Health and Human Services reported in 1973 that it objected to moving toward a "Standard Universal Identification". The proposed Universal Patient Identifier (UPI) should have the following features: uniqueness, verifiability, reliability, and tracking. The proposed UPI consists of a 7-digit date code, a 6-digit geographical code for the place of birth, a 5-digit sequence code to distinguish people born on the same date in the same geographical area, and a single check digit, which makes the total size 19 digits. For example, 9930301^044273^00047^2 represents a person born on March 1, 1993 in Minneapolis, MN, USA. The proposed UPI can be used as a Universal Provider Identification (UPI) by adding one digit that refers to P (provider), MD, RN, etc. The author assumed that the proposed UPI is reasonable and flexible and can be easily adopted using the available infrastructure. The proposed UPI will be coded using base-34 digits, and a check-digit algorithm is used to protect against miskeying and digit inversion.

The Universal Healthcare IDentifier (UHID) is the result of a 2-year standards development process by ASTM committee E31.12 on medical informatics during the summer of 1994.
This research work [3] consists of selective quotes, in italics, of portions of the proposed standard. The author listed the main functions of a UHID: positive identification of patients when clinical care is rendered; automated linkage of various computer-based records on the same patient for the creation of lifelong electronic healthcare files; a mechanism to support data security for the protection of privileged clinical information; and the use of technology for patient records handling to keep health care operating costs at a minimum. The author listed the most important criteria for a UHID: Atomic, Content-free, Cost-effective, Disidentifiable, Secured, Focused, Identifiable, Permanent, Unique, and Variable. The work proposed a UHID schema structure that starts with a 16-digit Sequential Identifier (SI), followed by a single-character delimiter, 6 check digits, and 6 encryption digits, so that the full identifier constitutes 29 digits (0000000123456789.012345000000). An evaluation of the proposed schema against the required standard criteria shows that the proposed scheme appears to adequately meet all but two of the criteria (cost and ability to "split") listed in the standard.

Kohane [3] mentioned that use of the SSN is not safe and cited some articles that support his view, and he proposed a framework, the Health Information Identification and De-Identification Toolkit (HIIDIT). HIIDIT is not an identification system but a generator of identification systems, and it takes the following dimensions into consideration: Directory local, which determines the degree of patient consent in information (for example, 1 for Patients, 2 for Provider, 3 for Provider organization, 4 for Trusted escrow and third party, and 5 for Governmental authority); Scope of Identification, which represents the geographical or organizational scope of the identification and the nature of the data linked to a particular identifier; Certifying Authority (CA), which certifies the varying degrees of authority and credibility that correspond to a particular patient; and Scope of Identifier Secrecy, which governs how far a patient identifier is kept confidential or disclosed (for example, 1 for Just the patient, 2 for Patient & family, friends or guardians, 3 for Provider, 4 for Class of Providers, 5 for All providers, 6 for Healthcare institution, 7 for Insurer, 8 for Government, 9 for any combinations). The work explained how the HIIDIT system works, and the author claims that HIIDIT's functions adequately match the four required dimensions of identification systems. Finally, he recommends using HIIDIT for sharing data between health care institutions that are competing in the market.

The Integrated Advanced Information Management Systems (IAIMS) and Unified Medical Language System (UMLS) projects involved a large amount of useful patient data, clinical information, and biomedical knowledge in electronic form, and that amount has increased dramatically since the 1980s.
Betsy [2] stated that in 1998 the National Committee on Vital and Health Statistics (NCVHS) described three types of computer-based health records (patient, personal, and population health records) that are needed to facilitate coordination, research, and assessment for clinical care. The term digital library was introduced by the National Science Foundation in 1994 and can focus on information accessible via the Internet and encompasses. A digital library is not a single entity, and it needs technology to link different resources.

Nowadays, identity is a key concept in the global world, and the report stated that "In 2000 the UNICEF has calculated that 50 million babies (41% of births worldwide) were not registered and thus without any identity document at all". The European Union tried to cover this gap through the EURODAC system, which consists of a Central Unit equipped with a computerized central database for comparing the fingerprints of asylum applicants and a system for electronic data transmission between Member States and the database. EURODAC enables Member States to identify asylum-seekers by comparing fingerprints to determine whether an asylum-seeker or a foreign national found illegally present within a Member State [5].

In 2004 the European Commission funded a project called Biometric Identification Technology Ethics (BITE) (www.biteproject.org). The purpose of the BITE project was to provide a forum to initiate the public conversation on ethical and policy issues raised by the deployment and application of biometric identification technology in various fields. The BITE report defined the potential weak point of any biometric scheme, which is the liveness check (a technological countermeasure to spoofing using artifacts). A latex finger, a prosthetic eye, a plaster hand, or DAT voice recordings are examples of the artifacts that a liveness check is meant to detect.

In 2004, the French government decided by law to start a national project for an electronic health record called the personal medical record (PMR). Quantin [6] proposed this research work to reassure French patients about the security of their medical data, which will be stored at a national level, through the creation of a secure patient identifier. The author stated that hashing the social security number would help to preserve the confidentiality of personal information contained in the PMR while providing access to the patient or to public health bodies. Double hashing was proposed to provide anonymity safely, and an application portal for health professionals would provide a reversible encryption coding of the HIN. The research proposed the use of a smart card issued to professionals in both the private sector and public hospitals. For the security of exchanges among health professionals, the author strongly recommends the use of networks such as a virtual private network. For mobility and interoperability concerns, the author suggested adopting European Regulation (EC No 883/2004).

In [7], the authors propose the fingerprint, iris, retina scan, and DNA (FIRD) framework, which uses a patient's biometric characteristics to uniquely associate them with their medical data.
The framework establishes an infrastructure that will distinctively identify a patient to his or her complete electronic healthcare record (EHCR) with exact precision and accuracy. The framework's inner workings collect records that are not properly assigned to the unique patient identifier (UPI), remove records that do not belong to the patient, and correct errors and omissions within the patient's EHCR. The authors suggested that creating a standardized nationwide electronic healthcare record system in the United States would require a way to match a composite of an individual's recorded healthcare information to an identified individual patient, out of approximately 300 million people, in a 1:1 match. The result would be a final information compilation that provides a complete healthcare history to the healthcare provider while reducing medical errors and lowering healthcare cost.

III. APPROACHES FOR PATIENT IDENTIFICATION

Usually, patients visiting healthcare providers identify themselves in person at the reception point and authenticate their identity by means of a picture ID, insurance card, doctor's name and/or appointment time. A patient may typically have many healthcare providers, including a primary care physician, specialists, therapists and other medical practitioners. In addition, a patient may use multiple healthcare insurance companies for different types of insurance, such as dental, vision and so forth. Several visits to different healthcare providers result in the patient's health information being distributed among those providers in the form of disparate Electronic Medical Records (EMR).

This scenario raises the problem of how to integrate medical records that belong to the same patient but are held by different healthcare providers spread nationwide. What is actually needed is a national healthcare information network that allows authorized practitioners to collect and share health information about patients from different healthcare providers all over the country. One of the most challenging questions in this case is how such a system would uniquely identify each patient and link him/her to composite medical records in a one-to-one match. Currently, each provider has its own centralized database of EMRs and typically assigns unique record locators (often called medical-record numbers) to the records resulting from a patient's visits. Such record locators vary widely, from simple patient and family names to modified Social Security or insurance numbers, to provider-generated alphanumeric codes. Properly identified patients can approve the sharing of these medical records with other providers and insurers by signing an authorization form that clearly identifies the provider of record, the individual or entity to receive the record, and the boundaries or limitations on the information to be shared.

The migration from traditional EMR systems to national healthcare information systems as described above involves three requirements: authenticating individuals, unambiguously linking individuals to their records, and authorizing controlled access to those records. Implementing these requirements creates new challenges. For example, face-to-face methods of identifying and authenticating patients, providers, or others logging onto a network no longer apply; methods of electronic identification and authentication are required. Likewise, knowing a patient's name or medical-record number from a single provider is not sufficient to unambiguously access that patient's records from other providers or a regional health information organization (RHIO); each entity may be using different numbering schemes or name constructions. Furthermore, demographic information either changes over time, such as an address, or is not unique, such as SSNs and names; the larger the network, the more likely it is that more than one person will have the same name and other demographic data. Finally, compromised data integrity, widespread unauthorized distribution, and other network security attacks are very common for a national health network, so new security measures are needed [8].

IT proponents assure us that these challenges can be overcome, but doing so demands new solutions. This paper focuses mostly on one component of these new challenges: defining the best electronic patient-identifier system for sharing personal health information through a national health network, which will improve the privacy and efficiency of the health care system and the quality of healthcare itself. There are two approaches to accomplishing this task: (1) statistical matching and (2) Unique Patient Identifier (UPI) [8]. We will discuss each of these two approaches and the advantages and disadvantages of each one.

A) Statistical Matching

Statistical matching attempts to integrate enough information about an individual to form a unique key used to locate his/her electronic health record. It strings together attributes such as last name, first name, date of birth (DOB), phone number, address, zip code, and gender. It may also use medical record numbers and all or part of the social security number (SSN). The problem with such a key is that some attributes, such as name, DOB, and zip code, are not unique to the individual; others, such as address, may change over time. As the database of records gets larger, more personal attributes must be added to keep the key unique. A nearly unique and relatively stable attribute, such as SSN, patient identity, and healthcare provider name, may be used to reduce ambiguity in large databases. The difficulty of distinguishing between first and last names, the use of different formats, and data entry errors, such as misspellings and number transposition, may also cause ambiguities in linking patients to their records.

The searching algorithms used in this approach vary from requiring an exact match on a specific set of attributes to more advanced probabilistic pattern matching. Statistical matching depends on humans to clarify questions and reduce ambiguity; this is called disambiguation. Advanced algorithms preprocess the health-records database to determine the frequency of every attribute and score the match according to the discriminating ability of the specific attributes of that database. For example, a match of the name Smith typically would not score nearly as well as a match of a less-common name. The scores can be used with threshold values of acceptance and rejection, as well as with regions of possible matches that can be adjudicated by humans. However, setting the acceptance and rejection limits higher or lower affects false positive, false negative, and indeterminate results. Minimizing one type of error comes at the cost of increasing other types of error.

B) Unique Patient Identifier

Unique patient identification is a method for linking patients to their electronic medical records that exist globally in a domain (state, country, region, or world). A Unique Patient Identifier (UPI) is a unique, non-changing alphanumeric key for each patient that is associated with every health record belonging to that patient. Finding the patient's records anywhere within the healthcare system is then a matter of verifying that the patient is the person owning the key (authentication) and asking each healthcare system or provider in the domain whether it has information associated with that key [8]. The American Society for Testing and Materials (ASTM, 2000) Standard Guide lists desirable attributes of a UPI, including that it be:

• Unique: Each UPI is associated with only one person; different individuals cannot share the same UPI. This attribute permits the collection and aggregation of health information into one complete medical record.
• Non disclosing: The UPI should not contain any personal information such as name, address or mobile number. This attribute aims to prevent the disclosure of confidential patient information or data inquiry. The combination of selected personal attributes used in statistical matching violates this attribute.
• Invariable: The UPI should not change in the person's lifetime (except in case of identity theft or a similar problem). This attribute solves the main problem in statistical matching, which is that changes in some of the personal attributes, such as name and address, make it difficult to find previous records.
• Canonical: Each individual should have only one UPI. Multiple UPIs have actually been proposed as a means of giving a patient control of disclosure, but they can also lead to fragmentation of the individual's healthcare data.
• Verifiable: The UPI can be validated, generally through the use of additional check digits, which are numbers that must match some mathematical combination of the UPI's remaining digits, without additional information. Verifiability helps to prevent the input errors that exist in the statistical matching method.
• Ubiquitous: Every patient should have one. This is difficult to achieve, particularly if participation is voluntary, but the alternative is a hybrid system, in which some patient data cannot be found using a UPI.
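The Non disclosing and Verifiable attributes can be made concrete with a short sketch. This is an added example, not code from the paper or from any of the schemes it cites: the 16-digit random body and the choice of ISO 7064 MOD 97-10 (two check digits) are assumptions made for illustration, and all function names are hypothetical.

```python
"""Added example: a content-free identifier with verifiable check digits."""
import secrets

BODY_LEN = 16            # assumed body length for this sketch
DIGITS = "0123456789"    # ASCII digits only; other Unicode digits are rejected


def check_digits(body: str) -> str:
    """Two ISO 7064 MOD 97-10 check digits for an all-digit body."""
    if len(body) != BODY_LEN or any(c not in DIGITS for c in body):
        raise ValueError("body must be exactly %d ASCII digits" % BODY_LEN)
    return "%02d" % (98 - (int(body) * 100) % 97)


def issue_upi() -> str:
    """Non disclosing: the body is random, so it encodes no name,
    birth date or place of birth (unlike a date/geography-based code)."""
    body = "".join(secrets.choice(DIGITS) for _ in range(BODY_LEN))
    return body + check_digits(body)


def is_valid(upi: str) -> bool:
    """Verifiable: recompute the check digits from the identifier alone,
    without consulting any database."""
    if len(upi) != BODY_LEN + 2 or any(c not in DIGITS for c in upi):
        return False
    return upi[-2:] == check_digits(upi[:-2])


def undetected_keying_errors(upi: str) -> int:
    """Count the single-digit miskeys and adjacent-digit swaps of a valid
    identifier that would still pass validation (expected: none)."""
    missed = 0
    # Every way of mistyping exactly one digit.
    for i, ch in enumerate(upi):
        for d in DIGITS:
            if d != ch and is_valid(upi[:i] + d + upi[i + 1:]):
                missed += 1
    # Every swap of two neighbouring, different digits.
    for i in range(len(upi) - 1):
        if upi[i] != upi[i + 1]:
            swapped = upi[:i] + upi[i + 1] + upi[i] + upi[i + 2:]
            if is_valid(swapped):
                missed += 1
    return missed


if __name__ == "__main__":
    upi = issue_upi()
    print(upi, is_valid(upi), undetected_keying_errors(upi))
```

Randomness alone does not give the Unique attribute: an issuing registry would still have to record every identifier it hands out and reject a collision.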

IV. ERRORS IN LINKING TO MEDICAL RECORDS

There are two types of errors in statistical matching: false positives, in which there is a link to the wrong patient's records, and false negatives, in which not all of a patient's records are found. Figure 1, which is adopted from [8], shows a representation of these types of errors. The horizontal scale shows the score of a particular match. As more and more attributes match, and as each match is weighted by its score, or value, the probability that the patient is correctly matched to that record increases. A low score indicates a low probability of a match (and a high probability that the record does not match). It is possible to use a threshold above which the record is assumed to match and below which it is assumed not to match, which leads to the shaded areas above and below the threshold. The area shaded to the right of the threshold is the region corresponding to false positives, or picking up the wrong patient's records. The shaded area to the left of the threshold is the region of false negatives, or the records of the patient that are not picked up because of some non-matching personal attributes. Another approach illustrated in this figure is to define a region of ambiguity within which possible matches are tagged for human resolution or disambiguation [8].
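The frequency-weighted scoring described under Statistical Matching and the accept/reject thresholds described above can be seen working together in a small sketch. This is an added example, not the algorithm evaluated in [8]: the records are constructed, the log2(N/count) agreement weight and the fixed disagreement penalty are assumptions, and all names are hypothetical.

```python
"""Added example: frequency-weighted statistical matching with two thresholds."""
import math
from collections import Counter

FIELDS = ("last", "first", "dob", "zip")

# Constructed sample records (not real patients).
RECORDS = [
    {"id": "r1", "last": "smith", "first": "john", "dob": "1980-02-11", "zip": "11451"},
    {"id": "r2", "last": "smith", "first": "john", "dob": "1975-07-30", "zip": "11451"},
    {"id": "r3", "last": "smith", "first": "mary", "dob": "1980-02-11", "zip": "12372"},
    {"id": "r4", "last": "smith", "first": "omar", "dob": "1990-01-01", "zip": "12372"},
    {"id": "r5", "last": "zielinski", "first": "omar", "dob": "1990-01-01", "zip": "11451"},
    {"id": "r6", "last": "okafor", "first": "mary", "dob": "1962-12-05", "zip": "11451"},
    {"id": "r7", "last": "haddad", "first": "lina", "dob": "1988-03-19", "zip": "12372"},
    {"id": "r8", "last": "nakamura", "first": "kenji", "dob": "1971-09-09", "zip": "12372"},
]

# The patient behind r1 as keyed at a new visit, and the same patient after
# moving (new zip) with the first name mistyped.
VISIT = {"last": "smith", "first": "john", "dob": "1980-02-11", "zip": "11451"}
MOVED = {"last": "smith", "first": "jon", "dob": "1980-02-11", "zip": "12372"}


def agreement_weights(records):
    """Preprocess the database: agreeing on a value is worth log2(N / count),
    so a rare surname discriminates more than 'smith'."""
    n = len(records)
    return {
        f: {v: math.log2(n / c) for v, c in Counter(r[f] for r in records).items()}
        for f in FIELDS
    }


def score(query, record, weights, penalty=2.0):
    """Sum the agreement weights; subtract a fixed (assumed) penalty for
    every field that disagrees."""
    total = 0.0
    for f in FIELDS:
        if query[f] == record[f]:
            total += weights[f][record[f]]
        else:
            total -= penalty
    return total


def classify(s, reject, accept):
    """Two thresholds: accept, reject, or the region of ambiguity in between."""
    if s >= accept:
        return "match"
    if s <= reject:
        return "no-match"
    return "review"  # left to a human for disambiguation


def link(query, records, weights, reject=1.0, accept=5.0):
    """Score the query against every record, best candidates first."""
    scored = sorted(((r["id"], score(query, r, weights)) for r in records),
                    key=lambda t: -t[1])
    return [(rid, s, classify(s, reject, accept)) for rid, s in scored]


if __name__ == "__main__":
    w = agreement_weights(RECORDS)
    print("smith:", w["last"]["smith"], "haddad:", w["last"]["haddad"])
    print(link(VISIT, RECORDS, w)[:3])               # r1 match, r2 review
    print(link(VISIT, RECORDS, w, accept=2.0)[:3])   # r2 now a false positive
    print(link(MOVED, RECORDS, w)[:3])               # r1 missed: false negative
```

Lowering the acceptance threshold turns the other John Smith (r2) into an accepted match, while the changed zip code and the typo push the patient's own record (r1) below the rejection threshold.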

Fig. 1: False positive and false negative errors [8]

A) False-Positive Errors

Linking to the wrong health information about a patient can cause wrong treatment based on a wrong condition, a wrong operation, service to the wrong patient, mistakes in blood types, errors in lab tests, or wrong medications and diagnoses. This kind of error is the result of healthcare ID theft, accidental record overlay (more than one distinct individual assigned to the same record), a threshold set too low, or a set of personal attributes used in the search that, in combination, are inadequately unique for the size and nature of the population being examined [8].

An important cause of false positives is the use of an insufficient number of attributes in a search for matches. In [8] an experiment was conducted to illustrate this problem. In this experiment, a large personal-attribute database of 80 million individuals, similar in size to a large RHIO or state-sized records database, was used to evaluate false positive errors. First, a 42,000-record subset of this database was used, similar to the size of a small hospital or large clinic. For a random individual, there would be about a 2-in-3 chance (1/1.44) of finding another person's record with the same last name. However, if first name, birth year, and zip code are added, the number of possible false matches is reduced to only one in 3,500 (1/3.5E3). The use of a unique part of the SSN in the stream of keys quickly reduces the probability of a false match to near zero. This, of course, assumes that the keys for matching are entered correctly.

When using the larger database of 80 million records, it is a bit more difficult to eliminate false positives. There would be a 98% chance that a false-positive match would occur with just the last name, compared to roughly 66% for the small-population analysis in the small database; this shows how sensitive the false-positive rate is to factors such as population size. When date of birth is added to the key, the chance of a false positive match drops to 33%. Finally, after the last four digits of the SSN, the first name, and the zip code have been used to form the composite key, the rate of false positives drops to 1 in 39 million.

In conclusion, with enough correct personal-attribute keys, false positives can be controlled to occur with very low probability. However, eliminating the almost-unique SSN key dramatically increases the false-positive rate. If the database gets much larger, as in an NHIN, additional attributes or some almost-unique key, such as the SSN, is certainly required to keep this error rate small. If the use of an SSN as a key is ruled out, as it increasingly appears to be in many applications, ensuring a low rate of false-positive errors becomes quite difficult in such large databases, and a UPI becomes a pressing need to reduce the error.

B) False-Negative Errors

False negative errors mean that some of the patient's records are not found. They represent a fragmentation of a patient's health history and can lead to missing or incomplete information about medical conditions, previous surgeries, medications, or allergies, which in turn can lead to life-threatening treatment errors and potential lawsuits. Missing information can also lead to inefficiencies, such as the cost of reordering diagnostic tests and of delays and errors in treatment. Such inefficiencies have been estimated to cost the healthcare system more than $8 billion annually [3]. It is also much more difficult to analyze patient data for research or for clinical quality and process improvement when some of the patient data are not found because of such fragmentation. False negatives may be the result of changing personal attributes, such as name or address; of keying errors; and of changes in format, such as the order of first and last names. All of these situations can cause some of the patient's data to be recorded as new records, effectively fragmenting potentially important health information. Another false negative problem is record duplication: records are found that falsely appear to be those of another patient when in fact they should be identified as belonging to the reference patient.

V. HEALTHCARE SYSTEM IN KSA

According to the Ministry of Health in Saudi Arabia, the healthcare system consists of a network of primary healthcare centers and clinics that provide basic and advanced services, with some mobile clinics for remote rural areas. The Ministry of Health operates most of the hospitals, clinics and centers, while the remaining facilities are operated by government agencies, including the Ministry of Defense, the National Guard, the Ministry of the Interior, and several other ministries. Some researchers classify the Saudi health care system as a mixture of the American health care system and the Canadian system.
On other words, there are free government hospitals like in Canada and they have private hospitals for insured and cash paying patients with instant care like America. Since health care is free for Saudi’s, the Saudi government forces the companies to provide health insurance for its employees and their families. The quality of health care in Saudi generally can be classified as high and equal to that in some Europe countries, except for highly specialized treatment. In the following section, we will explore a sample case study that demonstrates how much diversity among the current health care provider in KSA. For example, King Saud University delivered health care services through two large University Hospitals; King Abdul-Aziz University Hospital (KAUH) and King Khalid University Hospital (KKUH) in conjunction with two big clinic centers. Both hospitals and clinics provide primary and secondary care services for Saudi

486

Int'l Conf. Information and Knowledge Engineering | IKE'11 | patients from Northern Riyadh area with free of including some medications [KSU website]. The current running medical information in the both hospitals and clinics centers used a sequential assignment number for any new patient as shown in figure (2).

VI. FRAMEWORK FOR UPI IN KSA With the differences and specific nature of the proposed UPI system, we developed the UPI system process framework. An overview of the UPI process framework is visualized in figure (5). Our framework copes with different issues raised from related work section. The UPI process framework can be seen as three managerial levels; the strategic, tactical and operational level. For each level, processes are designed consisting of relevant activities and the relations between activities and the data produced in the activities can be achieved through SOA web service.

Fig. 2. Health care card from King Khalid University

Fig.3. Health care card from National Guard

Fig. 5. UPI Process Framework Fig.4. Health care card from King Saud University

As shown in figure (2), there is NO patient number but the name of the patient and identification number is given by adding the last patient ID number with 1. Another sever problem is some patient can have been treated in either/both hospital(s) and/or some clinic center, that patient can have a different ID number in all different location. Therefore, there is NO way for physician to electronically access the patient information expect through printed report carried by the patient or by his family. The same situation or close exists in the second big hospital in Riyadh, National GuardHealth affairs. Figure (2) shows the patient ID for National Guard hospital at Riyadh branch. Since National Guard has many hospitals scattered around big cities in KSA, the patient identification consist of the first three letters of hospital name and the remaining is numeric number represent the sequential number given by the medical information system as shown in figure (3). Figure (4) shows the patient ID for King Saud University and the patient identification consist of 10 digits that represent the sequence number and a bar code that contain all the patient information such as nationality, gender, incurrence class, and a file number.

The required portal management system should contain the following main features: a front end and back end for end-user and administration management; configuration settings for website control; access rights for providing hierarchical authorities; content for content management; templates for providing an editable visual format of the content; extensions for future growth and changing functional requirements; a multilingual front end; a simple workflow system; and an administration interface that is separated from the portal homepage. Figure (6) shows a schema for the proposed solution. The schema can be seen as an integration of different medical information systems with a portal that complies with a web medical content management system. The proposed portal will store and update the UPI through a secure database system for further search and to keep track of UPI usage.
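The following added example (not code from the paper) shows how the three site-scoped identifier formats described above can be linked to one UPI in the portal's store, with every lookup recorded so that UPI usage can be tracked. The site codes, the 12-digit random UPI with a Luhn check digit, and the `UpiRegistry` class are assumptions; the paper does not specify a UPI format.

```python
import re
import secrets

# Local ID formats as described in the text; the site codes are assumed labels.
LOCAL_FORMATS = {
    "KKU": re.compile(r"\d+"),            # sequential number (last ID + 1)
    "NGHA": re.compile(r"[A-Z]{3}\d+"),   # 3 letters of hospital name + sequence
    "KSU": re.compile(r"\d{10}"),         # 10-digit sequence number
}

def luhn_digit(body: str) -> str:
    """Luhn check digit for a string of decimal digits (makes the UPI verifiable)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def new_upi() -> str:
    """Assumed format: 11 random digits + check digit, so no patient attribute is disclosed."""
    body = "".join(secrets.choice("0123456789") for _ in range(11))
    return body + luhn_digit(body)

def upi_is_valid(upi: str) -> bool:
    return bool(re.fullmatch(r"\d{12}", upi)) and luhn_digit(upi[:-1]) == upi[-1]

class UpiRegistry:
    def __init__(self):
        self.links = {}   # (site, local_id) -> UPI
        self.usage = []   # (actor, site, local_id, UPI) for every lookup

    def link(self, site, local_id, upi=None):
        if not LOCAL_FORMATS[site].fullmatch(local_id):
            raise ValueError(f"{local_id!r} is not a valid {site} identifier")
        upi = upi or new_upi()
        if not upi_is_valid(upi):
            raise ValueError("UPI fails check-digit verification")
        if self.links.setdefault((site, local_id), upi) != upi:
            raise ValueError("local ID already linked to a different UPI")
        return upi

    def resolve(self, actor, site, local_id):
        upi = self.links.get((site, local_id))
        self.usage.append((actor, site, local_id, upi))  # failed lookups are logged too
        return upi
```

Because the UPI body is random rather than sequential or derived from patient data, a valid UPI reveals nothing about the patient or the order of registration, while the check digit lets any site reject a mistyped value before it reaches the database.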


Fig. 6. Schema for the proposed Solution.

VII. CONCLUSIONS AND FUTURE WORK

Faced with the many challenges of existing architectures, a growing number of organizations have taken on a private cloud approach, using server virtualization to simulate on-demand services. This hybrid approach, or “cloud-like” solution, can help alleviate some of these performance, security, and other challenges, but at significant cost, time, and resource expenditure. The other important aspect of this cloud computing alternative is reviewing the cultural impact of moving data and clinical applications to the cloud. As with businesses in other industries, physician practices and healthcare organizations have a natural predisposition to want to “own” and have physical control over their data. Securing applications in the cloud is limited by the difficulty of guaranteeing effective data security and integrity controls. In a traditional environment, the ability to layer stronger authentication, access control, and auditing capabilities exists because of defined network layers. By contrast, these defined network layers don’t exist in a public cloud environment. Data restoration presents another limitation, as restoring data from a backup (determining what needs to be restored, from where, and where it is deposited) can be challenging.