3

I am working on a medical application which will be implemented for USA patients and health providers.

I want that there should be only 1 record of a user without any duplication. And I believe that putting a unique constraint on email across the application solves this problem. Mobile number, address, and name are subject to change, DOB is not unique, and I believe that email (verified) can uniquely and reliably identify a user. Am I right in this assumption? Or do you have any evidence that disproves this?

  • 5
    Do you have any proof that it is unique and reliable? Over how long a period must the email address be useful, verifiable, correct and assigned to a single individual? – BobDalgleish Oct 11 '17 at 23:51
  • 7
    I have several active email addresses. Some people have none. Some people share email addresses, say bobandjoan@hotmail.com. I suppose your system could issue a unique internal email address for each person, but then you've just pushed the problem to a different layer. – Charles E. Grant Oct 11 '17 at 23:58
  • 3
    E-mail addresses are equally subject to change as mobile numbers and (street) addresses. – Bart van Ingen Schenau Oct 12 '17 at 07:22
  • Some people have a bad habit of using their ISP's e-mail system. Change ISP, new address. Several of my neighbours have changed ISP in the past couple of years and their e-mail changed. Of course most of them didn't listen and still went with the ISP's system. Wash. Rinse. Repeat. – MetalMikester Oct 12 '17 at 14:27

2 Answers

6

If your goal is that every person is unique across your application, email is not a suitable constraint of uniqueness. Some people do not have an email address, some people share an email address (e.g. couples), and some people have multiple email addresses.

In the USA, the best unique constraint, and the one I most often see with banks, insurance, background checks, etc. is social security number (SSN) + birthdate. Social security numbers are assigned to US citizens, residents and temporary workers. They're recycled after a person dies, so it's not good enough on its own. You should be careful about how you store SSNs. You should treat them as protected information because they can be used to steal a person's identity. They should not be stored in plaintext in a database. Further, patients and health providers may be reluctant to share this information with your system.

It's possible, however, in the health system for patients to be undocumented or otherwise not have a social security number. You may want to support this case in your system.

Samuel
  • 3
    One use case of not having an SSN is for people in the US on long term work visas, who are here temporarily but not permanently, and are not required to have an SSN. So supporting lack of SSN is a reasonable thing to do. When I had an L1 visa (Intracompany Transferee) it always amused me when some clerk asked me for my SSN and I replied "I don't have one". Their moment of silence was priceless. – Peter M Oct 12 '17 at 02:35
  • Without a SSN, a combination of name, birth date and birth place should be enough to identify unique persons. – mouviciel Oct 12 '17 at 09:20
  • @mouviciel No, it's not enough in case of twins with the same name. Anyone is free to name their children however they choose. – naXa stands with Ukraine Oct 12 '17 at 17:05
  • @PeterM But I thought you need an SSN if you are in L1 and you are working legally. I'd like to clear things up. There is NO law, anywhere on the books in the US, that requires everyone to have an SSN, but there are plenty of laws, regulations, customs, and corporate policies that rely on SSN for identification and if you don't have one you may not be able to purchase stocks, be an employee of a big corporation, get welfare, hold a professional license, take out a mortgage, or be used as a tax deduction by your parents. It makes life very, very inconvenient if you don’t have a number. – naXa stands with Ukraine Oct 13 '17 at 10:44
  • @naXa The requirements for an L1 visa do not specify where you are paid. In my case even though I was working in the US I was not paid in the US. As such there was no requirement for an SSN as I was not subject to the IRS etc. So while all the things that you mentioned may be true (but maybe not for my use case), that doesn't change that you can legally work long term in the US without an SSN, and I did not suffer anything because of it. But as the SSN is only legally required for social security, any other use that "requires" it is only convention and not law. – Peter M Oct 13 '17 at 11:45
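
The following is an added example, not part of the answer or its comments: one way to enforce the SSN + birthdate uniqueness described above without storing the SSN in plaintext, while still admitting people who have no SSN. The table layout, function names and key are hypothetical; the birthdate is assumed to arrive as an ISO `YYYY-MM-DD` string.

```python
import hashlib
import hmac
import re
import sqlite3
import uuid
from datetime import date

# Constructed demo key. A bare hash of an SSN is trivially brute-forced
# (only 10^9 values), so the index is keyed and the key lives outside the DB.
INDEX_KEY = b"constructed-demo-key-not-for-production"

def identity_index(ssn, dob):
    """Keyed hash of SSN + birthdate, or None when the person has no SSN."""
    if ssn is None:
        return None
    digits = re.sub(r"\D", "", ssn)          # accept 123-45-6789 or 123456789
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    dob = date.fromisoformat(dob).isoformat()  # rejects malformed dates
    msg = f"{digits}|{dob}".encode()
    return hmac.new(INDEX_KEY, msg, hashlib.sha256).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE person (
            id           TEXT PRIMARY KEY,  -- surrogate key, never changes
            name         TEXT NOT NULL,
            dob          TEXT NOT NULL,
            email        TEXT,              -- contact detail: mutable, not unique
            identity_idx TEXT UNIQUE        -- NULLs do not collide with each other
        )""")
    return db

def register(db, name, dob, email=None, ssn=None):
    """Return (person_id, created). A known SSN + DOB yields the existing id."""
    idx = identity_index(ssn, dob)
    if idx is not None:
        row = db.execute(
            "SELECT id FROM person WHERE identity_idx = ?", (idx,)).fetchone()
        if row:
            return row[0], False
    pid = str(uuid.uuid4())
    db.execute("INSERT INTO person VALUES (?, ?, ?, ?, ?)",
               (pid, name, dob, email, idx))
    return pid, True
```

People registered without an SSN get no automatic deduplication here; matching them needs a separate review step.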
3

No, email is not unique across application users. I once signed up for a free email service the day it was announced. I got an email address that was just my first name and the domain name. Later, they decided to start charging for their service. Since I didn't want to pay, I stopped using it. My email address on the service was recycled and now belongs to another user with the same first name who was willing to pay for it. It's entirely possible that I could have signed up for your service, then lost the address and then the new owner could also have signed up for your service. You would have no way to handle this if you required emails to be unique. Or worse, you could potentially end up sending private information about one person to another person.

user1118321