U.S. Department of Health and Human Services
Office of the National Coordinator for Health Information Technology
HIT Policy Committee
Privacy & Security Tiger Team
Patient Linking Hearing
Thursday, December 9, 2010
To Deven, Paul and the Privacy & Security Tiger Team members – thank you for the opportunity to participate in in this vitally important hearing.
Allscripts provides electronic health records and revenue cycle management systems – both inpatient and ambulatory - as well as analytics, ePrescribing, financial and clinical transaction services, clinical trials, care management, ED and home health software and services to over 180,000 physicians, 1,500 hospitals, and many thousands of post-acute care organizations across the country. In working to best serve our clients and help advance our collective goal of improving health for the nation’s citizens, Allscripts promotes a vision of a connected community of health built on this foundation. As you can imagine, with a client base this size, we do a lot of matching of individuals across heterogeneous platforms. Identity management and matching are critical to Allscripts.
A Clarification on Matching / Linking
The published purpose of this hearing is “to learn about experiences in linking or matching patients to their information”. In the technical community, there has been a debate when a patient match is established regarding the relative merits of dynamically linking the patient information versus the merging of the patient information. As a result, in this testimony, the word “matching” has been used to establish when information from two systems are determined to refer to the same person. The word “linking” is used to refer to links to information for the same person.
In preparation for this hearing, we surveyed eleven larger provider organizations (with patient populations as large as 4 million) as well as a similar number of internal and external experts on the topic of patient matching.
The most important requirement identified by Allscripts clients when it comes to matching is high quality patient demographic information. Data governance and management, user workflows, provider verification and a clean patient registry are vitally important to patient matching.
From a technology perspective, electronic health records, master patient indices, and patient identification exchange standards are critical components to ensuring and improving the high accuracy levels reported by our clients. Based on our survey, electronic health records are serving as a positive safety and privacy mechanism.
General Topics for All Panels
1. Standards for identifying individuals
Individual identification standards are established by the provider. Typically these include “out of band” verification of identification through cards such as driver’s licenses and health insurance certificates. Minimal basic demographics include full name, date of birth, sex, address, zip and preferably the last 4 digits of the social security number. For pediatrics and other special workflows, additional demographics are required. Some states and organizations, however, do not collect social security numbers.
One note is that discipline and completeness of demographics tends to be better in organizations that see patients on a recurring basis, and better in revenue cycle departments than in clinical departments. With the exception of certain urgent care workflows, identity usually flows from the revenue cycle demographics data capture process to the clinical departments.
2. Ensuring accuracy in matching a patient with his/her data
There are no perfectly accurate matching approaches, and there is no one-size-fits-all approach to patient matching. The best approach for a given healthcare organization depends on a number of factors related to the population characteristics, the way the information is used and managed, data quality and algorithms employed by various systems involved in information exchange, among other factors.
Patient information is matched in two basic ways:
· Statistical patient matching based on demographic factors, with more advanced systems including rules, demographic weightings and probabilistic algorithms with configurable attributes.
· Unique invariant non-disclosing patient identifiers
These linkages can be established at any number of points in the workflow, but there are two basic methods:
· Dynamic linking, which is real-time linking based on demographics with records kept separate, or
· Static merge, which means a link is established, with the data potentially combined and maintained at that point in time
There are two types of errors associated with patient matching:
- A false positive – which incorrectly links or merges clinical information to the wrong patient.
- A false negative – which fails to match information to a patient and may result in an additional record for the same patient, with each record missing some information.
Most legacy systems in use in the U.S. today use deterministic matching (the most basic statistical matching looking for exact matches over 4 or 5 demographic variables). This may have been a workable solution for smaller patient populations that resided in a society where demographic factors like name and address were more stable, and where the collection of unique identifiers like social security number was better tolerated. All of that has rapidly changed, however, and many of the legacy systems haven’t kept up with the need for advances in patient identity.
As the distance between the settings of care gets smaller, and as there is more interconnectedness, the opportunity for error rises rapidly. In an interconnected world, the borders get fuzzier. Patient matching was important in the 90’s as hospitals consolidated and now, with ACO’s, Community Health Teams and other payment reform initiatives rapidly gaining momentum, the pace of consolidation is quickening even more, with the importance of accurate linking growing exponentially alongside.
Patient matching technologies are employed in a variety of systems. Reviewing recent strategic decisions by Allscripts clients, we can generalize how these matching approaches are being applied today including:
· Patient identity management systems (community patient registries and EMPI’s) with robust probabilistic matching are found in health information exchange settings – both public and private. Health information exchange can rely on dynamic linking of patient records, thus ensuring as demographics are updated, patient record matches resolve to the most currently appropriate individual (recognizing that in some cases, demographic changes can also degrade the accuracy of a match, as in legal name or address changes).
· Strong statistical matching and fuzzy logic algorithms can be applied to traditional operational interfaces and bulk uploads.
· Unique patient identifiers are applied for system-to-system patient matching, in the limited cases where there is strong organizational control of the patient identifier to ensure it is unique, invariant and non-disclosing.
· Patient communication solutions start with a unique invariant patient identity established in the EHR and result in an email invitation being sent to the patient to participate in a portal / EHR. The patient email address is established outside of the system in communication between the provider and the patient.
· Providers with low tolerance for matching errors have implemented unique, invariant, non-disclosing patient biometric identification techniques like palm vein scanning.
· Patient identification for devices is typically driven from the EHR to the device using web services.
3. Problems with patient-matching, internally and/or for information exchange. Source of those problems.
Issues that have adversely affected patient matching performance include:
- Source data quality, completeness and consistency – these are by far and away the most often reported sources of patient matching problems.
- Local population characteristics and social factors that impede good quality data including common names, sharing of identity information (or in the case of drug abuse – the use of multiple identities), and other factors
- State level differences such as opt-in or opt-out consent requirements for health information exchange and varying policies regarding exclusions of sensitive health information (e.g., Psych, HIV, etc.).
- Accuracy of the management of demographics information in source systems
- Acute care environments with numerous ancillary systems and medical devices (key problem is that there are multiple points of demographic data entry with varying degrees of accuracy)
- Pediatric workflows
- Multi-organization sharing where many organizations are sending patient information into a single repository.
- Changes in marital status (with name change)
- Dirty MPI’s resulting historically from less sensitivity to patient identity accuracy
As an example, Steven Anderman, Bronx Lebanon Hospital’s COO has led major advances in care coordination and technology at Bronx Lebanon, as well as health information exchange through the Bronx RHIO. Many of the “externalities” listed above are applicable at Bronx Lebanon and these adversely impact patient registry quality. Bronx Lebanon Hospital’s patient population is two thirds Medicaid and is subject to frequent moves, often provide bad addresses and phone numbers, and creates a tremendous burden in terms of collecting good demographics. And patient identity sharing is common. The process repeats itself at each health care organization in the community. This places an undue burden on the provider to be the regulator of patient identity.
3a) Handling patient matching problems (wrong/ambiguous match)
Providers use a variety of tools and processes for handling patient matching problems, including:
- Workflow and reporting solutions to evaluate possible duplicated patients.
- Follow-up user workflow solutions to analyze, identify and resolve potential duplicates.
- Corrections in source systems.
- Improvements to the rules / weightings based on specific usage, data quality and population characteristics.
- Upstream workflow process improvement to accurately capture demographic information the first time.
- False negatives can be resolved through dynamic linking solutions or merge capabilities.
- Logic to detect common mistakes and alert users of possible match or mismatch.
- When no match is found, user workflows and tools for research and resolution are typically applied.
- Also, "cleansing" techniques can be applied such as removal (from database and/or from searches) of obsolete records (e.g., deceased patients)
Who’s doing this well today?
One example is North Shore Long Island Jewish. They identify the potential duplicates centrally and then are able to communicate with various Medical Records Departments electronically to obtain the information necessary to resolve them. They can also assign the resolution to the respective Medical Records departments. Currently they have at least 8 systems feeding the Allscripts EMPI and are adding additional participants at a steady pace.
3b) Consequences of a Wrong Match – to Patient Safety, Privacy
We can find a powerful real world example of the dangers of wrong matches in a recent case where a patient had an EKG at her local clinic. While she was at the clinic, they misplaced her EKG and mistakenly evaluated her based on another person’s EKG. The wrong EKG, with her name hand-written on top, incorrectly indicated that she was on the verge of a heart attack. The ensuing clinical response ultimately resulted in coma and then her death. In this simple case, where the patient match involved data only intended to move from the device to the physical patient in the same clinical setting, during the same encounter, without an EHR and without any health information exchange technology, had deadly consequences.
This story is very revealing for those of us who are engaged in the policy conversation. In fact, it’s a bit of a Rorschach test. As you tell this story, there is a tendency for listeners to jump to their pre-conceived notions of what’s important about patient matching depending on their role in the healthcare ecosystem.
Providers recognize the risks to safety and privacy, but up until now, among those polled, error rates have been generally extremely low. Providers also recognize that as they engage with more outside entities, the risk of patient matching errors rises.
Providers are very aware of the potential for patient safety issues in the event of a wrong match. Typical of the issues include the need to review/change medications, inform pharmacies, manage rework of the records, and communicate with providers, consulting providers and patients.
The providers did identify privacy concerns, as well, in the event of a wrong patient match. This includes the risk of privacy exposures when the wrong information is entered into a patient’s chart and the potential need to explain this to a patient.
There are privacy considerations, as well, in connection with larger data bases, unique patient identifiers (not including VUHID – more on this below) and potentially non-essential information being shared in connection with patient matching.
4. Level of Accuracy for Patient Matching
The fact of the matter is that the industry doesn’t have consistent measurement and performance standards for patient matching accuracy. The Allscripts providers interviewed on this topic generally reported overall accuracy rates of 99.9+% or 100% after human review and ~97+% on automated match. However, they acknowledge the presence of some errors, and this more consistently aligns with the findings of the RAND study, in which statistical matching generated a false-negative error rate of approximately 8%, meaning that there can be data gaps needed for identification around 8% of the time.
A false positive that results in incorrectly merged patient information is more likely to be a hidden error and therefore more serious for patient safety. To strictly limit false positives, standards for matching are high. So generally, in our client base, a false negative is more likely to occur than a false positive.
Allscripts’ goal is to avoid any false positives, to minimize false negatives, to ensure upfront accuracy and to provide resiliency by putting the tools in place to cost-effectively and timely handle issue resolution and merges.
Matching accuracy is favorably affected by the presence of more unique demographic attributes. The Rand study found that in a database of 80 million unique patients, false positives could be avoided with a composite key consisting of name, DOB, zip code and the last 4 digits of the social security number. Conversely, Rand found that removing the unique 4 digits from the SSN reduced accuracy from 1 in 39 million, to 1 in 8. Allscripts in general provides more demographic fields, options and rules than this to ensure false positives are avoided. Unique demographic factors are vitally important to patient matching accuracy.
Note that this also points out that when social security number is shared among patients, or otherwise mis-used, the risk substantially increases of mixed records.
5. Lessons Learned
Demographic data quality: Secure technology exists for accurate matching – the key is the data behind the match. Source data quality, completeness and consistency are by far and away the most often reported sources of patient matching problems.
Process: Workflows, processes, training and best practices including the individual provider as a last stop-gap are vitally important to accurate source data used for patient matching.
As an example, Scott Whyte at Catholic Healthcare West is very aware of the need to be on top of processes to ensure data quality. In addition to deploying the technology, Catholic Healthcare West has placed a major emphasis on people, policies, executive sponsorship and monitoring.
Dynamic linking: Changes in demographics can resolve in different matching. This can improve accuracy when the changes are corrections in the underlying data and can diminish accuracy when the changes are, for example, changes in name or address. Holding individual records separately and dynamically linking – effectuated by the HIE strategies of record locator and linking to records offers greater transparency than merging of records.
Regional differences: Population and regional differences result in disparate problems. For example, a community with a large uninsured population, a large immigrant population, or a large transient (e.g., university) population all have slightly different weightings based on their population characteristics.
Persons: Guarantors & Subscribers are typically difficult to match with traditional statistical / deterministic techniques. While the Tiger Team hearing is focusing on the patient, Allscripts would recommend that you consider any individual person matching, whether they’re a patient or fill a financial role in connection with the patient.
Demographic data management: Data quality management is challenging in enterprises and even more so in collaborating, decentralized organizations. Data ownership is ambiguous when multiple organizations are seeing the same patient. The reputation and quality of participating organizations enters into providers’ willingness to accept another’s information. Best practice involves ensuring that there is zero tolerance for errors at the source, due to the extremely high cost of rework and low level of capability for undoing propagated changes. The very credibility of the HIEs (or any EMPI service for that matter) rests in large part on ensuring a high quality error free patient registry.
Priorities for Health Information Exchange using IHE Profiles: Allscripts is very supportive of the identity-related IHE profiles for Health Information Exchange. Like MU, where there is a logical progression for the industry, the following progression should be considered:
- PIX for HL7 v2 typical use case involves an HIT system with a registration system communicating with the HIE. It is a well-established mature profile. PIX V3, using Web Services, is widely used internationally and is gaining market share in the US.
- PDQ (demographic query) typical use case involves using patient demographic information to communicate with the registry to establish the patient’s identifier. It is less well established than PIX.
- Pediatric Profiles typical use case involves a hospital maternity or pediatric department already using PIX communicating with the HIE. These profiles are undergoing trial implementations.
- Cross Community Patient Discovery (XCPD) typical use case involves support for snow birds, patient moves, multiple homes, etc., where the provider needs to establish a new patient’s global identifier across the network of HIE’s. Through gateways, using XDPD, in combination with IHE’s Cross Community Access Gateway (XCA) – a request can be sent out across HIE’s to determine a patient’s id in other exchange networks. XCPD is promising technology for these “edge cases”, which should be prioritized once core HIE functions are well established.
- With all patient matching, as with any exchange of PHI, there is the need for secure transmissions as well as auditing.
Support for the small provider: Patient registries for health information exchange will of necessity be dealing with multiple and various clinical and administrative systems, large and small, that all must be able to participate. 70% of healthcare is provided in small practices, and these providers must have access to the same levels of capability, performance and supporting tools for patient matching as those available to an enterprise.
Innovation isn’t necessarily government work: Much of the innovation around patient matching (including EMPI’s and surround workflows and tools) has its roots in advanced healthcare organizations.
For example, Bill Spooner’s IT team at Sharp Healthcare supports seven hospitals and 2,500 physicians. A small team of five handles patient matching and duplicates, running a tight ship, where any mismatch is a critical error. In 2009, on a base of four million patients, they identified and managed 260 manual registration errors. In the same timeframe, 2,740 duplicates were generated off of enrollment tapes. As more of healthcare becomes risk bearing, there is clearly a lesson to be learned around Sharp’s experience with enrollment.
The bottom line is, ONC should look to these experienced healthcare organizations for continuing innovation. As the rest of this testimony suggests, it isn’t about the match as much as it is about the quality, consistency, resilience and recovery capabilities around the match. ONC should consider how to provide the platform for innovation and allow the market to develop.
6. Cost Implications of Various Solutions
In all cases cited, the high performance solutions will be cost-effective compared to current operational costs managing errors and rework.
7. Recommendations for ONC to address patient matching problems in information exchange
ONC recommendations in support of Meaningful Use Stage 2 & 3 should be made as early as possible to ensure that vendors and providers have time to develop and implement the recommendations. In the context of patient matching, in support of public and private health exchanges, the extended rules should include, in our opinion:
- Robust probabilistic patient matching capabilities
- “Possible duplicate” identification
- Merge (or link) functionality to correct the MPI and through HL7 ADT-type transactions to communicate the corrections to participating organizations.
- Progressive adoption over several stages of the IHE profiles (in sequence: PIX, PDQ, Pediatric, XCA/XCPD).
ONC should provide support to the innovators in complex environments that are piloting the new generation of patient registries.
These are emerging at places like Hartford Healthcare System where Steve O’Neill’s IT team is in pilot with four acute care facilities, several federal qualified health centers, and independent Connecticut physician organizations. The strategy calls for leveraging the patient registry and health information exchange infrastructure to create a patient throughput platform, providing a variety of services across heterogeneous provider platforms.
ONC may also want to give due consideration to two excellent published works on this topic: Connecting for Health’s 2005 Linking Health Care Information: Proposed Methods for Improving Care and Protecting Privacy and the HIMSS 2009 Patient Identity Integrity (PII) work group recommendations which included developing demographic data standards, medical device standards for identification and HIT workflow support for analysis and correction of duplicates.
Universal Patient Identifiers
As we all know, the subject of unique identifiers is one that engenders a strong response from different constituencies, and there is even a law prohibiting simple discussion of a national patient identifier. However, it is our sense that such limits were applied at a time when health information technology and the ability to securely exchange health information was in a very different place, and it’s time to revisit the conversation
The industry should not give up on further exploration of a unique voluntary patient identifier inasmuch as it has the potential to reduce false positives and false negatives and thus improve safety for those patients who opt in to it. It’s not, however, the “silver bullet.” With any voluntary approach, like the ASTM-based Voluntary Universal Healthcare Identifier (VUHID) that is being discussed in many circles, there will always be a need for patient matching technologies. VUHID needs mass adoption seeded by a national catalyst, and well-researched best practices/policy guidance to support its implementation and use.
Should Congress elect to remove its restrictions on the conversation about patient identifiers, a private / public partnership using organizational techniques similar to the Direct Project could be a productive means of encouraging innovation and practical approaches to the implementation.
Specific Topics for Panel 2
ONC can and should play a leadership role to:
- Ensure high quality patient demographic information at the source using workflow, training, strong attention to process and EHR/MPI technology.
- Standardize on data definitions and performance standards for algorithms for patient matching.
- Encourage methods for resilience and recovery to perfect the information system.
- Encourage innovation with biometrics to get five 9s plus accuracy – with opt-in / opt-out to protect the providers and provide privacy options (at various levels of safety) to the patients. Multi-factor look-up could include biometrics, photos, etc.
- Standardize on health information exchange, using stages/roadmap to foster adoption of Integrating the Healthcare Enterprise (IHE) PIX, PDQ, Pediatric Profiles, XCPD/XCA.
- Encourage patient demographic self-verification methods.
- Establish best practices for governance of data quality in a distributed environment.
- Support implementation of the HIMSS PII workgroup recommendations for standards, interfaces, algorithms for matching, business processes, data accuracy, data quality, training and medical devices.
- Standardize device communication for patient identification.
In addition to these solutions, ONC should seek to ensure similar levels of support for small providers and support innovation that is emerging in private as well as public exchanges.
2 and 3: Status of solutions and gaps for healthcare:
While basic matching technology is well established, there are significant gaps in the solutions outlined above. These include:
· Standards for source data quality, completeness and consistency are lacking and vitally important as the healthcare system becomes more connected.
- High performance technology for patient matching exists today. Allscripts is deploying this technology to providers and health information exchanges nationally.
- Methods for resilience and recovery are inconsistently applied and inconsistently available.
- Biometrics are well established (and in fact required in Ohio). Biometrics are not however part of the usual standards for health information exchange.
- IHE profiles for PIX are well established. PDQ, Pediatric profiles and XCA/XCDP are emerging.
- Patient demographic self-verification has been implemented in several patient portal solutions.
- Best practices for governance around data quality in a distributed environment are not well established.
- HIMSS PII workgroup recommendations are generally yet to be delivered, with the exception of the strong work on EHR deployment.
- Device standardization for patient identification is a significant gap.
In summary, not all Health IT vendors deploy these technologies today. Standards and best practices aren’t in place. An improved understanding of best performing algorithms for patient matching is needed. And of course, ONC should foster the platform for experimentation, innovation and performance improvement around patient identification.
In conclusion, Allscripts believes that accurate patient identification is fundamental to health care quality, efficiency, and safety, especially as EHRs and HIEs become more embedded in the healthcare system. Adoption of appropriate standards, identifiers, technology, and processes must be put in place to minimize the costs and consequences of false positives, false negatives and an ongoing remediation of problems.
To the Privacy and Security Tiger Team members – thank you for the terrific progress that you’ve made to date, your ever mindful work to gain and keep the public’s trust, and your continued leadership on key issues in connection with privacy and security in healthcare. It will take your leadership to make the imperfect “near perfect” for patient matching. Resilience and recovery will be the key in lieu of a “perfect solution”.