The challenges of the national health identifier (INS)

Interopérabilité | 21 Jun 2010
The aim of the INS is to link a patient's health data to the correct file with complete certainty. A strategic tool, the national health identifier will enable that information to be shared within the framework of the electronic health record (DMP), the pharmaceutical record (DP) and other medical files.
Its implementation is a response to a clearly specified trajectory (see "The national health identifier : a phased implementation")
Decryption.


The legal purpose of setting up the national health identifier was to put a stop to a confusing situation: when patients were allocated an identifier for each healthcare professional or health institution, this gave rise to numerous duplication problems. In other words, some people were allocated more than one INS and, in other cases, the same INS was allocated to more than one person. France's data protection commission (the CNIL) delivered its verdict on the use of a patient's social security number, otherwise known as the national identification number (NIR), in its conclusions of 20 February 2007. It restated several principles before giving its opinion, and started by underlining the specific nature of health data: "This is not personal data like any other: because it is "sensitive", it requires additional protection". The commission was also concerned about the confidentiality of that information: "Even if special protection measures were introduced, the direct use of a number as widespread as the NIR [...] could alter the bond of trust between healthcare professionals and patients, who may wonder about the risks of uncontrolled access to their personal medical files by means of this widely known identifier". The CNIL thus delivered its verdict with the following reminder: "The most suitable method for ensuring that the appropriate guarantees are in place would be to create a new identifier, specifically for health data, generated on the basis of the NIR. This new identifier would be certified by procedures that have already been tested and are recognized and reliable, and are currently used for beneficiaries of health insurance, but would be generated by means of established anonymization techniques. This arbitrary number, which would be created by decree and submitted for the opinion of the CNIL, would be the specific health identifier which could be used throughout the healthcare system".


Guaranteeing the integrity of the link between patients and their health data

Through the application of the CNIL’s opinion, the INS unique – a single INS is set up for each person for their entire lifetime. The identifier is also arbitrary, as it must be impossible to deduce any information about the bearer from it. A person will not be allocated more than one INS, and the same INS will not be allocated to more than one person. Lastly, the identifier must not be predictable – even if a person's NIR or identity details are known, the INS should not be deductable from that information. By the same token, if a person's INS is known, it must be impossible to use it to calculate that person's NIR. Simply put, the identifier allows a patient to be recognized and not be confused with another person. The objective is for practitioners to be able to exchange information about a patient's care path, while patients are to be recognizable via their unique, non-ambiguous identifiers. In concrete terms, this means that the national health identifier will enable healthcare professionals to find the right medical file for the right patient, be it the DMP, the DP, or any other medical file. Linked up with an authentication procedure, the INS will ensure secure access to the patient's computerized file.