By Scott Stuewe, DirectTrust President and CEO
As I mentioned in my introduction, patient matching doesn’t work terribly effectively today.
The problem has its root in the identity challenges we have been discussing, although it is important to separate the patient matching challenge from trust-in-identity – these are related, but not congruent topics.
For patient matching to work better with identity, there are two basic approaches – more reliable identity sovereignty – or more effective identity surveillance.
Identity sovereignty relies on identity-proofing, issued identifiers (preferably digital), transparency and consumer involvement and the second on the collection and distribution of more data about the person. While most references to patient matching relate to accurately associating the artifacts of care (like shared medical records) there are numerous circumstances where accurate patient matching is needed.
- At presentation for care – “is this the same person I saw last time?”
- When aggregating records – “are the records from two data sources on the same person?”
- At query time – “does your patient match mine?”
- Before associating a record received – “does this incoming record match a patient of mine?”
- At log-in or authentication – “are you the person whose records you want to see?”
The state-of-the-art for patient matching yields up to a 20% error rate (or 80% success) of record matching in electronic systems using demographics and available shared identifiers. Most errors are false negatives – records that are on the same person are different enough that they can’t be automatically associated reliably by algorithm. Far fewer of these errors are false positives – that is when two records are erroneously treated as if they are on the same person and combined.
A 2018 report from the Pew Charitable Trust suggested that improvements in effectiveness will rely on four mechanisms.
- “Unique Identifiers – Development of a unique identifier system that unambiguously identifies an individual and can link that person to his or her records associated with that identifier. This approach could include a unique number, use of a smart card with an encoded number, or biometrics.” This maps more to our concept of identity sovereignty. Since 2009 the US government has been prohibited from promoting or even exploring the idea of a unique patient ID. This year Congressman Bill Foster was able to ease this ban so that the ONC has begun to explore the “state of the art” but the lifting the ban outright was rejected.
- “Patient-empowered approaches: Establishment of a process for patients to ensure their records are matched completely and correctly. Under this approach, patients would bear some ability to help health care facilities match their records.” Interestingly, this approach was part of the original design of the CommonWell Health Alliance process for resolving identity – the patient would confirm that they had care at the facility where a “likely match” occurred before patient links were confirmed. This has moved to more algorithmic approaches that operate “probabilistically” to facilitate more links.
- “Demographic standards: Refinement of demographic data standards. Many experts have recommended that organizations use the same demographic data elements—formatted in the same way—to improve matching. Pew tested whether standardizing each data element yields benefits.” This can improve things, but according to the article, perhaps only to about 90%. This is also on the road to collecting and sharing more data to aid in matching. Addresses, cell-phone numbers and email addresses and the last 4 digits of the Social Security Number correctly formatted are prime candidates.
- “Referential matching: Use of data collected outside of health care. Data from credit bureaus and other organizations contain demographic data for individuals. This information can be used to help match individuals’ records, including when information changes.” This model comes closest to the notion of identity surveillance. Use of such inference approaches are said to yield 98% success rate at the cost of both the technology and its erosion of privacy that results from aggregating two different classes of data.
As a part of the expectations for electronic health record systems (EHRs) under the information blocking rule, patients can get access to their own health records through an “app of their choosing” through the use of smartphones that connect through APIs to servers put up by the EHR companies. Enabling access of this type requires both the identity-proofing of the person with access to the app and matching that person’s identity with the attributes on the record held in the EHR.
Unless there is some linkage between the information in the record and the identity of the person using the app, the patient matching part of this equation fails. As we mentioned before, once the person has access to their own records privacy protections under HIPAA no longer apply.
If we want to solve for the question of identity for all the patient matching use cases without resorting to a full-on surveillance approach involving the aggregation of mountains of data on persons, a lot of infrastructure will be needed, and a lot of identity-proofing will need to be done.
If, however, we can figure out how to make an issued digital identifier portable and usable in multiple contexts, the fact that identity-proofing is hard (as we pointed out in Series Part 4) and as a result costly won’t be as troublesome.
If the REAL ID had a digital identifier it could be the basis of for a unique identifier. There are lots of contexts where an issued digital identity could help. Is anybody thinking about this?
Join us for the next post in this series, we will review a couple of case studies and propose a privacy-preserving approach to trust-in-identity which might work in our society.