ABA Health eSource
 August 2006 Volume 2 Number 12

We Know Where You Are: RFID In Healthcare
by Melissa L. Markey, Esq., Hall, Render, Killian, Heath & Lyman, Troy, MI

Melissa L. MarkeyAnyone who has spent time in a healthcare institution knows that one of the recurring themes is the difficulty of locating assets. Staff can frequently be seen roaming the hallways looking for everything from an available infusion pump to a missing nurse. As hospitals become more focused on using technology to improve efficiency, Radio Frequency Identification devices ("RFID") are becoming more common in healthcare.

RFID is one type of automatic identification and tracking technology. Originally promoted primarily to assist retail operations in tracking inventory flow, new integration of RFID into healthcare systems is expanding its potential to include the ability to track the location of patients and staff.

RFID tags are actually miniature radio transponders, typically small silicon microchips with an attached antenna, which are capable of transmitting data, ranging from a simple identification number associated uniquely with that tag, to more complex event and environmental data, to a receiving device. RFIDs may be either active, semi-passive or passive. Active RFIDs have a small battery, are capable of transmitting spontaneously, and typically can collect and transmit more complex data. Transmission by passive RFIDs is triggered by a query from a receiving device. Semi-passive tags do not initiate communication with a reader, but are able to monitor and record more data than are pure passive tags. 1 Because RFIDs use radio transmission technology, line-of-sight between the RFID tag and reader is not required, and transmissions can penetrate clothing, walls, and other objects. 2 RFID systems also typically include a database, which collects, maintains, and analyzes the information transmitted by the RFID tag. Databases, in turn, may be networked together, creating a "web" of information from RFID deployment.

RFIDs may operate on the low frequency ("LF"), high frequency ("HF"), ultra-high frequency ("UHF") or microwave spectrum. UHF tags offer greater range and faster data transmission, but are more likely to experience interference, particularly in high-fluid environments such as the human body. 3 HF tags have much shorter transmission ranges and tend to be larger; however, they are less likely to suffer interference due to water. 4 LF tags have very short read ranges, but are most resistant to interference from fluids and tissues. Because RFIDs operate using radio waves, the Federal Communications Commission regulates both the frequency ranges and the power limits associated with RFID devices. As unlicensed industrial-scientific-medical or short-range devices, RFIDs are prohibited from causing interference with other frequencies, and must accept any interference received. 5

Proposed Uses in Healthcare

Use with Patients/Individuals

Although RFID technology is not new (the concept has existed since the 1940s) 6 its use in healthcare is just beginning to gather momentum. In October 2004, the Food and Drug Administration ("FDA") approved an implantable RFID chip and reader system, called the VeriChip, for human use. 7 The FDA determined that the device, generically referred to as an "Implantable Radiofrequency Transponder System for Patient Identification and Health Information", was properly regulated as a Class II device, 8 and issued a Special Controls Guidance Document. 9 The implantable VeriChip system uses passive RFID technology. 10

The VeriChip, about the size of a grain of rice, is implanted into subcutaneous fat using a syringe, and contains a unique identification number. When scanned with a compatible reader, the VeriChip transmits the identification number to a secure, associated database which has recorded medical information regarding the patient. This capability is seen by some as facilitating the national goal of electronic medical records. New pilot projects are underway, including one involving chronically ill patients insured by Horizon Blue Cross Blue Shield of New Jersey. 11 The trial is intended to investigate whether use of the VeriChip system "can reduce costs associated with misdiagnosis, drug reactions and duplicated or unnecessary medical tests." 12

When coupled with a positioning system component, RFID may also used by companies to locate people or equipment within the facility. Companies are promoting the use of RFID tags embedded in patient wristbands or staff identification badges to track movement of staff and patients through the institution, in an attempt to gain efficiencies. 13 Using active RFID, these systems monitor and record the location of tagged individuals at any given point in time. The goal is to improve both efficiency and safety. Proponents urge that patient safety is improved by better matching the actual location of the patient to the anticipated location. 14 Tracking patient location in real-time can also be used to streamline workflow and prevent log-jams in departments.

In another patient-care use, the FDA approved a surgical marker system, the SurgiChip Tag Surgical Marker system, which uses an RFID tag to mark proper surgical sites. 15 In this technology, the patient participates in programming certain information, such as patient name and surgical site, into the RFID device well before surgery. The RFID tag is attached to the patient, and the information is queried when the patient is taken to the operating room. 16 There are several different "check" points built into the system to minimize risk of wrong-site or wrong-patient surgery.

Some facilities are using RFID to track the location of staff as well. Theoretically, this capability may benefit both the facility and patients by minimizing the need to page overhead, being able to locate personnel quickly when necessary, and developing reliable time and location statistics for caregivers, thus permitting better staffing decisions. RFID could also be used to restrict access to high-security areas, and as a forensic tool for investigations. Other proposed uses include use as a tool to improve compliance with medication regimens, 17 prevent infant abduction 18 and better monitor Alzheimer's and other dementia patients who have a tendency to wander.

Use with Equipment and Medications

Returning to its roots in supply chain control, RFID tags have been deployed to track and trace the location of equipment in hospitals, and projects are underway to use RFID to fight drug counterfeiting. 19

A common problem in hospitals is "wandering equipment syndrome." This occurs when a necessary piece of equipment cannot be located in a unit, either because it has been transported to another location or all of those items are already in use. Symptoms of this syndrome including caregivers wandering the hallways looking for equipment, and increased levels of adrenaline as equipment needed for patient care is not available. This is also contagious - whenever one piece of equipment suffers from wandering equipment syndrome, similar pieces of equipment will also go missing, most commonly in an ever-widening concentric ring. Wandering equipment syndrome is dangerous for three reasons. First, equipment is only found to have wandered when it is needed. Thus, by definition, patient care is hindered by the missing equipment. Second, someone has to be pulled from primary job duties to wander the hallways, looking for equipment, thus causing loss of available caregivers. Finally, equipment that has gone missing may miss proper maintenance, causing increased risk of malfunction or failure, as well as loss of compliance with regulatory and accreditation standards for maintenance of equipment.

RFID shows great promise as a cure for wandering equipment syndrome. Since RFID tags are extremely small, they can be affixed to items that typically are not otherwise tracked, such as electrode wires. Used with a positioning system, the location of each piece of equipment, including whether that equipment is in use, can be seen on a computer screen. Some RFID tags can even transmit information regarding most recent service and other environmental information, helping ensure properly functioning equipment.

Another area of promise for RFID is to decrease drug diversion and counterfeiting, a major problem in the United States. To encourage increased adoption of RFID technology in the pharmaceutical chain of supply, the FDA issued a Compliance Policy Guide entitled "Radiofrequency Identification Feasibility Studies and Pilot Programs for Drugs" 20 indicating the FDA's intent to exercise prosecutorial discretion for certain studies investigating the use of RFID track-and-trace technology for pharmaceuticals. Despite the mandates of the Prescription Drug Marketing Act of 1987 (the "PDMA") 21 and state laws requiring drug companies, distributors, and retailers to implement "pedigree" systems, 22 and despite the suspension of enforcement of the final PDMA rule based on representations by the pharmaceutical industry that voluntary compliance was forthcoming, the FDA is unhappy with the level of adoption of RFID to track-and-trace pharmaceutical products through the supply chain. 23

Exchanging the carrot of encouragement for the stick of increased enforcement of the requirements, the FDA issued Draft Compliance Policy Guide 160.900, "Prescription Drug Marketing Act – Pedigree Requirements under 21 CFR Part 203" in June (the "Draft Compliance Guidance"). 24 Pursuant to the Draft Compliance Guidance, FDA will begin enforcing the pedigree requirements of the PDMA based on perceived risk, as demonstrated by four factors.

The first factor to be considered in determining enforcement priority is the prevalence and popularity of a drug. The FDA considers that drugs most at risk for diversion are those that are popular, have limited quantities available, or are expensive or hard to obtain. Examples include drugs for HIV and cancer, Tamiflu, Oxycontin, Lipitor and Plavix.

The second factor is prior experience of counterfeiting or diversion of a drug, presumably on the logical assumption that drugs which have been counterfeited or diverted before are likely to continue to be at risk. Examples given include Viagra, Zyprexa and Tamiflu.

The third factor focuses on newer drugs, for which there may be insufficient information to determine risk based on the first two factors. For these drugs the FDA will consider whether the drug is similar to a drug which has been subjected to counterfeiting and/or diversion, whether the drug qualified for priority review status, and whether the drug is likely to have high market demand.

Fourth, the FDA also intends to commence vigorous enforcement against "wholesale distributors and others who are engaged in conduct related to the manufacture or distribution of counterfeit drugs, or engaged in the manufacture or distribution of prescription drugs that otherwise violate the Act or other laws...regardless of the type of drug at issue or whether it falls into one of the risk-based factors..." 25

Legal Concerns

As the use of RFID grows, the legal concerns about this technology will need to be addressed. The most obvious concerns relate to consumer choice and the privacy and security of information.

Consumer Choice.

One of the advantages of RFID is that the tag itself is quite small - and it is reasonable to anticipate the size will continue to diminish. The VeriChip is approximately the size of a grain of rice. A new wireless memory chip, capable of holding 100 pages of text, has been developed, and could be used to hold an entire medical record. 26 Many products already contain RFID tags, and consumers may or may not be aware of the presence of those tags in various products. As RFID moves into healthcare, the sensitivity of information transmitted by an RFID tag may increase, and consumers may become more concerned about retaining control over this information. It is one thing for a company to track your brand of toothpaste; potentially quite another to monitor medications and activities.

Similarly, staff and patients who are in RFID-equipped facilities may object to the ability of the institution to track their movements and locations. One way to address this concern may be to vary the granularity with which movement is tracked. Even with such variations, however, some individuals may find the thought of this monitoring to be quite troublesome. Reflecting this concern, the Wisconsin legislature recently passed a bill banning the implantation of RFID tags in people without prior consent. 27

Privacy and Security

Because RFID transmits information through radio waves and the information is stored electronically, RFID is subject to many of the vulnerabilities associated with other electronic data. RFID transmissions can be picked up by receivers other than the intended receiver. 28 This suggests that transmission of sensitive information should be encrypted, and RFID tags have been developed which include encryption capabilities. 29 The smaller memory tags, however, cannot accommodate encryption, and even encrypted RFID tags have been successfully hacked. 30 Tag contents can also be attacked physically, although this would probably require a fair amount of time. Denial of service could occur, where attackers attempt to jam the applicable radio frequency channels 31 and, of course, the related database can be hacked in the same manner as other databases.

An additional privacy concern is known as "location privacy", and relates to the discussion of consumer choice above. Because movements can be tracked using RFID, there is concern that RFID tags could permit location monitoring of individuals, leading to significant intrusions into privacy. As multiple databases receiving RFID data are linked, this risk grows. This risk is also greater with highly granular location positioning systems, which can, at least theoretically, indicate not only what room, but where in a room, an individual is located.

At least one commenter has suggested the use of RFID to track-and-trace in public health emergencies. 32 While the focus of this presentation was on the use of RFID to track-and-trace drugs and supplies needed to respond to a public health crisis, which is clearly an important and laudable goal, it is not impossible that the concept could be extended to tracking and tracing individuals who were exposed to communicable disease. This use would, obviously, require stringent safeguards to avoid violation of individuals' rights, and a careful weighing of public benefit against the intrusion into private life.

The use of RFID in healthcare with respect to patient tracking and monitoring will involve the use and, possibly, disclosure of protected health information, as that term is defined in the Health Insurance Portability and Accountability Act ("HIPAA"), and thus must comply with the HIPAA privacy and security requirements. Depending on the configuration of the system, it may be necessary to note the use of RFID in the institution's Notice of Privacy Practices.

In an attempt to address some of the privacy concerns, a consortia of interested entities collaborated to develop best practices regarding privacy for RFID deployment. 33 The best practices focus on notice, choice and consent, protection of data by downstream recipients, consumer access to information regarding the consumer collected by the tag, and appropriate security given the sensitivity of the information collected. Healthcare entities considering implementation of RFID would be well-served to consider carefully the best practices, and integrate effective responses to privacy and security concerns into the deployment from the beginning.

Recognizing both the growth of RFID, and the concerns related to it, Senators Byron L. Dorgan (D-ND) and John Cornyn (R-TX) have established an "RFID Caucus", intended to facilitate education regarding uses of RFID. 34 The first meeting of this caucus was on July 13, 2006, and the primary focus was on RFID capabilities. 35 The hope is that greater education of policymakers regarding both the benefit and issues related to RFID will help ensure that regulation is balanced to permit realization of the benefit, while adequately addressing the risks.


Despite the privacy and security risks, use of RFID is growing. As RFID and related technology continues to improve, the risks to privacy and security will be better addressed, and the benefits related to RFID tags in healthcare can be realized through greater efficiencies and safer care.

1 Radio Frequency Identification Technology in the Federal Government. GAO Report to Congressional Requesters, GAO-05-551 (May, 2005).
2 RSA Security - A Primer on RFID. RSA Laboratories, available at http://www.rsasecurity.com/rsalabls/node.asp?id=2116, last visited 7/19/2006.
3 RSA Security - Technical Characteristics of RFID. RSA Laboratories, available at http://www.rsasecurity.com/rsalabs/node.asp?id=2121, last visited 7/19/2006.
4 Id.
5 Id., at 10.
6 When Small Technology Is A Big Deal: Legal Issues Arising from Business Use of RFID, D. Zachary Hostetter, 2 Shidler J. L. Com. & Tech. 10 (Dec. 16, 2005), available at http://www.lctjournal.washington.edu/Vol12/a010Hostetter.html.
7 Approval notice available at http://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfPMN/pmn.cfm?ID=13527. Approval letter available at http://www.fda.gov/cdrh/pdf3/k033440.pdf.
8 69 Fed. Reg. 71702 (December 10, 2004).
9 Guidance for Industry and FDA Staff: Class II Special Controls Guidance Document: Implantable Radiofrequency Transponder System for Patient Identification and Health Information, December 10, 2004, available at http://www.fda.gov/cdrh/ode/guidance/1541.pdf.
10 VeriChip Corporation, available at h ttp://www.verichipcorp.com/content/company/1117572449, last visited 7/17/2006.
11 See, "Insurer Running VeriChip Trial", Mary Catherine O'Connor, RFID Journal, July17, 2006, available at http://www.rfidjournal.com/article/articleprint/2496/-1/1/, accessed 7/19/2006.
12 Id.
13 See, for example, Radianse, Inc., at http://www.radianse.com; AgileSense Technologies, at http://www.agilesense.com/rfid/providers.htm; InfoLogix, at http://www.infologixsys.com/products/Healthcare/Products/RFID/RFID-for-the-Hospital/default.asp.
14 See, for example, the Radiance press release at http://www.radianse.com/press-alerts-020905.html ("A care unit that knows a high-risk patient should not be leaving. A procedure room that knows the wrong patient is in the wrong place. A clinical billing system that knows when a procedure begins and ends..."
15 " FDA Clears New Surgical Marker; Uses RFID to Protect Patients", available at http://www.fda.gov/bbs/topics/ANSWERS/2004/ANS01325.html, last visited 7/19/2006.
16 "FDA Clears New Surgical Marker; Uses RFID to Protect Patients", Medical News Today, available at http://www.medicalnewstoday.com/medicalnews.php?newsid=16619.
17 See, for example, "Medixine[ is this misspelling intentional?]Tests System for Alzheimer's", RFID Journal, available at http://www.rfidjournal.com/article/articleview/1892/1/1/.
18 "RFID can be a matter of life and death in the medical world", Wisconsin Technology Network, available at http://wistechnology.com/article.php?id=2383.
19 "FDA Announces New Initiative to Protect the U.S. Drug Supply Through the Use Of Radiofrequency Identification Technology", 11/15/2004, available at http://www.fda.gov/bbs/topics/news/2004/NEW01133.html.
20 Available at http://www.fda.gov/oc/initiatives/counterfeit/rfid_cpg.html.
21 Section 503(e)(1)(A), as modified by the Prescription Drug Amendments of 1992.
22 Drug pedigree systems track pharmaceuticals from manufacturer to consumer, recording each step of the distribution process, including dates and identity of each handler of the drug.
23 See, FDA Counterfeit Drug Task Force Report: 2006 Update", available at http://www.fda.gov/oc/initiatives/counterfeit/report6_06.pdf.
24 "Draft Compliance Policy Guide 160.900, "Prescription Drug Marketing Act – Pedigree Requirements under 21 CFR Part 203", June, 2006, available at http://www.fda.gov/oc/initiatives/counterfeit/cpg.html.
25 http://www.fda.gov/oc/initiatives/counterfeit/cpg.html
26 "Tiny Wireless Memory Chip Debuts", BBC News, available at http://newsvote.bbc.co.uk/mpapps/pagetools/print/news.bbc.co.uk/2/hi/technology/518665", accessed 7/17/2006.
27 Assembly Bill 290.
28 "The reader-to-tag, or forward channel, may be monitored from a great distance…at 900 MHz, eavesdroppers could theoretically monitor the forward channel from 1 kilometer and the backward channel from 100 meters…" Radio-Frequency Identification: Security Risks and Challenges, Sanjay Sarma, Stephen Weis and Daniel Engels, RSA Laboratories Cryptobytes, Vol. 6, No. 1- Spring 2003. See also, "The RFID Hacking Underground ", WIRED Magazine, available at http://www.wired.com/wired/archive/14.05/rfid.html.
29 See, for example, "Universal Re-Encryption for Mixnets", P. Golle, M. Jakobsson, A. Juels, and P. Syverson. RSA Conference Cryptographers' Track '04, pp. 163-178. Springer-Verlag, 2004, available at http://www.rsasecurity.com/rsalabs/staff/bios/ajuels/publications/universal/Universal.pdf. See also, http://rfdesign.com/products/RFID-chips-encryption/
301 " Face and fingerprints swiped in Dutch biometric passport crack", The Register, John Lettice, 1/30/2006, available at http://www.theregister.co.uk/2006/01/30/dutch_biometric_passport_crack/.
31 Id. at 6.
32 "Potential Role of Electronic Track & Trace in Public Health Emergencies", Presentation to the FDA Anti-Counterfeit Workshop, February 8, 2006, Paul Rudolf, M.D., J.D., available at http://www.fda.gov/oc/meetings/rfid/rudolfp_files/textonly/ to the FDA Anti-Counterfeit Workshop February 8, 2006 Potential Role of Electronic Track & Trace in Public Health Emergencies.
33 Center for Democracy and Technology, "CDT Working Group on RFID: Privacy Best Practices for Deployment of RFID Technology" Interim Draft, May 1, 2006, available at http://www.cdt.org/privacy/20060501rfid-best-practices.php.
34 http://dorgan.senate.gov/newsroom/record.cfm?id=258668
35 "U.S. Senate RFID Caucus: A Good Start", RFID Insights, AIM Global, available at http://www.aimglobal.org/members/news/templates/rfidinsights.asp?articleid=1465&zoneid=24.