Identity vigilance: The key to health data security and quality of care.

In the digital age, where health data is increasingly accessible and shared, identity vigilance is a fundamental pillar for ensuring the security of patient information and the quality of care pathways. Ensuring that each piece of data is correctly associated with the right patient is an ethical, legal, and clinical imperative. This article explores in depth the concept of identity vigilance, its regulatory framework in France around the National Health Identity (INS), the key procedures to implement, the role of the various stakeholders, the essential security measures, and the expected benefits for the healthcare system.

What is identity vigilance? Definition and issues

Identitovigilance encompasses all procedures and measures implemented to guarantee the unique and reliable identification of a person throughout their healthcare journey. It aims to prevent identification errors, such as duplicates, identity collisions, or data misattribution, which can have serious consequences for patient management.

In a context where digital health services are rapidly expanding, the issue of identity vigilance has become crucial. The ability to securely and permanently associate personal health data with the individual to whom it relates is essential for several reasons:

• Care safety: An incorrect identification can lead to errors in diagnosis, treatment, medication administration, or even surgical procedures on the wrong patient. Identity vigilance helps minimize these risks and ensure the safety of care.
• Data quality: By guaranteeing the correct association of data, identitovigilance contributes to the creation of reliable and complete patient files, facilitating the continuity and coordination of care.
• System Interoperability: The use of a unique and qualified identity facilitates the secure exchange and sharing of health data between the various actors in the care pathway, thereby improving the efficiency of the system.
• Respect for patient rights: Identity vigilance ensures that patients have access to their own health data and that their right to confidentiality and protection of their privacy is respected.
• Risk management: Identification errors can have significant legal and financial implications for healthcare facilities and professionals. Identity vigilance contributes to the management of these risks.

Faced with these challenges, France has implemented a regulatory framework and specific tools, including the National Health Identity (INS), to strengthen identity vigilance within the health system.

The National Health Identity (INS): Foundation of identity vigilance in France

The National Health Identity (INS) is the reference identifier for individuals receiving healthcare and medico-social care in France. It is based on the use of the registration number in the national directory for the identification of natural persons (NIR), more commonly known as the social security number, or the waiting registration number (NIA) for individuals in the process of being assigned a NIR.

It is crucial to distinguish the INS registration number, which is the NIR or NIA used for referencing health data for care or medico-social monitoring purposes, from the NIR used for other administrative purposes. The use of the NIR as an INS registration number is strictly regulated and limited to the health and medico-social sphere.

The main objective of the INS (National Health Identifier) is to enable reliable and unambiguous referencing of user health data across the entire country. It consists of several elements:

• The INS registration number (NIR or NIA).
• The INS characteristics, which are the reference identity elements associated with the NIR/NIA in the national reference databases (birth name, list of birth first names, gender, date of birth and official geographic code of the place of birth).
• The organization that assigned the INS, in the form of an OID (Object Identifier).

The use of the INS (National Health Identifier) has become mandatory for professionals, hospitals, services, and organizations involved in the healthcare or medico-social care of individuals. Any other identifier can only be used if it is impossible to access the INS, in order not to hinder care.

The INS, associated with identity traits, has emerged as the most suitable solution for identifying users of the healthcare system, referencing their data, and promoting its secure dissemination among care providers, while respecting confidentiality rules.

The National Health Identity Vigilance Framework (RNIV): The normative framework and best practices

The National Identity Vigilance Repository (RNIV), annexed to the INS repository, is an essential document that specifies all the rules and procedures to be implemented by the organizations responsible for referencing health data with the INS in the field of identity vigilance. It was developed in close collaboration with the association of regional identity vigilance referents (3RIV), healthcare professionals, and digital health companies.

The RNIV aims to guarantee the quality of user identification through the implementation of rigorous procedures. In particular, it defines the rules for determining the INS status, distinguishing between non-qualified INS and qualified INS (with "qualified identity" status).

An INS is considered qualified if it meets two conditions:

• The identity of the person has been validated in compliance with the identity vigilance procedures described in the RNIV.
• The INS (INS registration number and associated identity traits) was retrieved from the national reference databases (RNIPP or certified copy) via the INSi teleservice or the Vitale card App.

The RNIV describes the identity vigilance procedures to be implemented during primary (first contact) and secondary (subsequent contacts) identification with the user. It also addresses the management of homonyms, the correction of identification errors, and the measures to be taken in the event of suspected identity fraud.

The INS framework, in its version 2.1 of December 2024, cancels and replaces the previous version and specifies the rules for integrating and "qualifying" the INS in professionals' software, particularly in the liberal sector. The changes made take into account feedback from healthcare professionals and aim to simplify qualification procedures in certain situations.

Key steps and procedures for identity vigilance

The implementation of identity vigilance relies on a set of key steps and procedures, from the initial identification of the patient to the management of errors and updates to their identity.

1. Primary identification: During the initial care of a user, it is essential to carry out a rigorous identification to create a unique digital identity in the health information system. This step generally includes:

• Collection of the user's identity traits (last name, first names, date and place of birth, gender).
• The verification of this information using supporting documents (identity card, passport, etc.).
• Searching the information system to verify whether the user has already been identified (avoiding duplicates).
• In the absence of a qualified INS, an attempt to recover the INS via the INSi teleservice (by reading the health insurance card or entering identity details) or the Health Insurance Card App must be made as soon as possible.
• Assigning a level of confidence to the recorded identity, in accordance with the procedures defined in the RNIV.

2. Secondary identification: During subsequent contacts with the user, it is necessary to verify their identity before any consultation or treatment. This can be done by various methods (questioning the user, reading their health insurance card, etc.) and must ensure that it is indeed the person concerned.

3. INS Qualification: The INS (National Health Identifier) must be qualified as soon as possible to ensure its reliability. This qualification involves validating the user's identity through identity vigilance procedures and retrieving the INS from the reference databases via the INSi teleservice or the Carte Vitale App. An unqualified INS must not be circulated internally or externally.

4. Use of the qualified INS: As soon as a user's INS has been qualified, the INS registration number and the identity traits from the reference databases must be used for their identification, particularly during health data exchanges. The retrieved identity traits must replace the local strict traits in the corresponding fields.

5. Error and update management: Procedures must be in place to detect and correct identification errors. In the event of an INS correction, measures must be taken to ensure that the information is disseminated to the actors and systems to which the data has been transmitted. The history of a person's INS registration numbers must be kept.

6. Periodic verification of the INS: After a configurable period (approximately 5 years), an INS verification operation via the teleservice must be recalled to ensure its validity. This verification can be carried out during a care episode or an interaction with the user.

The actors of identity vigilance: Roles and responsibilities

The effective implementation of identity vigilance is a shared responsibility among the various actors in the healthcare system.

• Health professionals, hospitals, and medico-social services: They are obliged to use the INS for referencing the health data of the people they care for. They must implement the identity vigilance procedures defined in the RNIV (National Identity Vigilance Repository) and ensure the qualification of the INS. They are responsible for complying with legal requirements and security measures related to data referencing with the INS within their structures.
• Those responsible for referencing health data: They are responsible for ensuring the application of the rules relating to INS and identity vigilance within their organization. In particular, they must ensure that actors authorized to use the INS belong to the "circle of trust", define the retention period of the INS, inform the persons concerned of the use of the INS, and implement appropriate security measures.
• Service providers and software vendors: They are key players in the integration of the INS (National Health Identifier) and identity vigilance functionalities into health information systems. They can act as subcontractors to the data controller and must comply with the requirements of the INS repository. Their software solutions must facilitate the retrieval, qualification, and use of the INS, as well as the implementation of identity vigilance procedures.
• The Agence du Numérique en Santé (ANS) and the Caisse Nationale de l'Assurance Maladie (Cnam): They are co-responsible for the INSi teleservice. The Cnam is responsible for the operational implementation of the teleservice and the Appli carte Vitale, which enable the retrieval and verification of the INS. The ANS maintains the IGC-Santé certification authority, which provides the electronic identification means to access the teleservice.
• Regional identity vigilance referents (3RIV): They play an essential role in supporting and disseminating good practices in identity vigilance at the regional level.

Awareness and training of all personnel involved in referencing user identity are essential to ensure the effectiveness of identity vigilance. Particular attention should be paid to the distinction between the INS registration number and other potential uses of the NIR.

Security and identitovigilance: Protecting INS and healthcare data

Referencing health data with the INS introduces an additional risk that must be managed by implementing appropriate security measures. These measures must be integrated into the risk analysis and data protection impact assessment (DPIA) carried out by data controllers.

The main categories of risks to consider following the integration of the INS are the loss of availability, the loss of integrity, and the loss of confidentiality of data (health data and INS), as well as the loss of auditability of actions performed.

The minimum security measures to be implemented for the INS include:

• Identity management: Definition and application of identity vigilance procedures compliant with the RNIV. Non-transmission of unqualified NISs. No local modification of the NIS registration number and reference identity traits. Use of the qualified NIS for data exchange. Mandatory sending of reference identity traits with the NIS registration number during exchanges. Traceability of exchange partners. Procedures for propagating NIS rectifications. User awareness.
• Access control: Review of the access control policy to integrate the INS and access to the INSi teleservice. Strict management of authorizations. Strong electronic identification for access to the INSi teleservice via IGC-Santé certification products (CPx cards, Pro Santé Connect, organization certificates). Traceability of all access to the INS, including access to the INSi teleservice, with retention of traces for the duration recommended by the CNIL (currently 6 months) and regular analysis of these traces.
• Traceability: Implementation of an intrusion detection system. Traceability of accesses (modification, consultation) to the qualified INS within the organization. Conducting regular security audits.
• Communication security: Securing communication channels used to exchange health data containing the INS (National Identification Number).
• INSi Online Service Self-Accreditation: Mandatory internal procedure for legal entities using an organizational software certificate to access the online service. This procedure aims to certify the implementation of required security measures.

The person responsible for referencing health data must justify compliance with these measures, which may be included in the security accreditation of the information system.

The benefits of identity vigilance and future perspectives

The rigorous implementation of identity vigilance and the widespread use of qualified INS provide numerous benefits to the healthcare system:

• Significant reduction in medical errors related to identification issues.
• Improved quality and reliability of health data, promoting more informed and personalized care.
• Facilitating coordination and continuity of care through a fluid and secure exchange of information between professionals.
• Strengthening the security of health data and respect for patient privacy.
• Optimization of the efficiency of the healthcare system by reducing duplicates and administrative errors.
• Contribution to the creation of reliable health databases for research and practice evaluation.

The Digital Health Roadmap aims for widespread use of the INS in digital health services, with a significant target of 90% of qualified identities in the active file of healthcare facilities.

The arrival of the Vitale card App greatly simplifies the management of the INS for healthcare actors, by allowing the direct retrieval of the patient's qualified identity (or that of his/her beneficiaries) when opening the application. This development helps to facilitate the qualification of the INS and to achieve the set objectives.

In conclusion, identitovigilance, supported by the framework of the National Health Identity and the National Identitovigilance Repository, is a major issue for the digital transformation of the healthcare system. It is the cornerstone of data security and quality of care, ensuring that each patient is correctly identified and that their health information is protected throughout their journey. The mobilization and commitment of all stakeholders are essential to achieve robust and widespread identitovigilance for the benefit of all users of the healthcare system.

‍