One baseline requirement to protect security in a health information exchange is to make sure the record being accessed belongs to the patient in question.
Security and identification
The Privacy & Security Tiger Team, a work group of the federally chartered Health Information Technology Policy Committee, spent a couple of hours Tuesday wrestling with some of the thornier issues of medical records matching.
Absent a national patient identifier, most health information exchanges in the U.S. use some form of probabilistic matching of a handful of data elements to link patients to their records across multiple repositories. Commonly, those data fields include first and last names, date of birth, ZIP code, street address and gender. Cell phone numbers are becoming increasingly useful; Social Security numbers are waning in importance.
One recommendation that tiger team members agreed on was the need to standardize the way these elemental data fields are recorded and represented for exchange. Sounds simple enough, but it's not.
Even names are "surprisingly complicated," said Paul Egerman, co-chairman of the tiger team. There's the matter of batting order: first name, middle initial, last name, or sometimes last name, first name and middle initial. What happens if the person uses his full middle name? What happens when a woman marries, then divorces and remarries?
Egerman said the tiger team wasn't about to make recommendations on how the Office of the National Coordinator at HHS (to which the advisory panel's recommendations will flow) will accomplish standardization. He said only that the standards should eventually be federally anointed so that developers of electronic health-record systems, health information exchange organizations and data originators get on the same page.
"The standards already exist for this, but the problem is the vendors aren't following the rules," Egerman said.
States may be part of the solution, according to Lorraine Fernandes, global healthcare ambassador for IBM. She said that tiger-team members might want to touch base with several states, such as New York and California, which already have state data-reporting requirements. Fernandes spoke during the public comment period at the end of the tiger-team meeting.
I took Fernandes' suggestion and called Denise Love, the executive director of the National Association of Health Data Organizations, the Salt Lake City-based not-for-profit that supports 35 state-level data organizations.
In October, NAHDO hosted a meeting of about 20 states and a handful of health information exchanges to address some of the problems, including matching patient records, of creating a master patient index.
The federal government could use its leverage to help standardize the formats of demographic data to improve patient record identification. "It would make all our lives simpler," Love said. But she added that "the conclusion was at our annual meeting, the states are going to be left to figure this one out.'
States are in a good position to do that because many have the authority to mandate data reporting, as of hospital-discharge information, Love said.
What NAHDO lacks is resources, and with several states in a budget crisis, that situation is not likely to improve soon.
That's a hint, ONC.
Send us a letter