Key Issues to HIE and Patient Identity Integrity

HIEs and Patient Matching

Noam Arzt, PhD, president and founder of HLN Consulting

Health Information Exchanges (HIEs) represent a collection of organizations that choose to work together to exchange electronic health information. While consistently identifying patients is hard enough within a single practice, clinic, hospital, or integrated delivery network (IDN), when spanning multiple organizations in an HIE the challenges become multiplied. The differences in the organizations their policies, their technologies, their activities bring some specific challenges when trying to consistently identify patients. Here are some key issues with respect to HIE and patient identity integrity, and some comments and suggestions related to resolving the issues:

Data ownership is distributed:Though it is a matter of policy which can vary, usually data is owned by the organizations that contribute it (or sometimes the patients themselves) rather than the HIE which has stewardship over data It receives. HIEs usually place high priority on maintaining the integrity of the source data in its original form, though some HIEs consolidate data together for presentation or transport. HIEs rarely have access to the patient or even the source systems. For the purposes of matching the HIE can only work with the data that is provided unless there is provision for follow-up with the organization that submitted the data. Explicit HIE policy incorporated (even if only by reference) into a data sharing agreement must identify the responsibilities and limitations of the HIE and downstream recipients of data.
Source data is inconsistent and often conflicting: Data comes from multiple, simultaneous sources. It is not possible to discern which data is correct – even data that appears to be more recent may not be more current. HIEs need to keep in mind that the purpose of the Master Patient Index (MPI) is to enable accurate matching of patients, not to necessarily be the authoritative source of demographic (or other) information. Multiple, seemingly conflicting sets of demographic data simply help build a more powerful record determining which is the correct/current data is not relevant to the task. HIEs should allow all demographic data that which is perceived to be current and that which is believed to be historical to be available and used for matching purposes. That being said, HIEs can develop and institute shared, distributed responsibility for resolving ambiguous patient matches with policies and tools that allow participating organizations to review ambiguous matches based on datathey submitted. But caution is advised: an HIE needs to determine carefully how much HIE data (ostensibly from other organizations) from possible patient matches can be shown to an organization for the purpose of trying to establish a good match to new or existing data.
HIE operations may cross state lines: State law or regulations may place differing restrictions on how patient data is treated (above HIPAA as the Federal legal floor and other Federal laws related to some specialized information). It is likely that an HIE operating in this environment has worked through these issues. Matching activities in and of themselves should not provide any additional constraints. Several ONC activities have studied issues related to interstate HIE but usually they are focused on consent and privacy issues and not patient matching.
Inconsistencies across participating organizations: The tools, business rules, policies, and training regimens used to collect and transmit the data are usually unknown to the HIE and are generally inconsistent across the participating organizations. As more organizations join HIEs these issues will only increase. An HIE should develop explicit documentation related to its expectations of member organizations, their business processes, and data. A common participation agreement for the HIE should include policies related to appropriate use, security, and treatment of data to be used for matching purposes. But the bottom line is that HIEs cannot expect consistency and must establish their policies and participant expectations accordingly.
Breach notification may become much more complex: As data leaves an organization and goes through the HIE to other organizations, breaches that occur within organizations that ultimately consume this data from the HIE may require that notifications be made by multiple parties, including potentially the original supplier of the information as well as the HIE and the organization where the breach actually occurred. HIEs should establish clear liability and breach notification processes for data that is inappropriately released both by the HIE and a participating organization after consultation with relevant Federal, State and local laws and regulations.
False positives may have much deeper ramifications: Any false positive (i.e., information for twodifferent people which appears to be a match representing the same individual) is bad, but when the match occurs some distance from the patient and the (often multiple, distributed) systems where the data originated there is often little opportunity to notice let alone correct the error. This is especially true when the recipient of the information has no prior relationship with the patient for whom data is now being presented. HIEs need to be very careful when matching and merging/linking records together and need to err on the side of caution. HIEs need to establish governance and stewardship principles and procedures that address what happens if a false positive linkage is created.

Likely these issues will require discussion within an HIO and its stakeholders Patient Identity Integrity Toolkit which will soon have an HIE subsection that will include special considerations from the HIE perspective on organizational diversity and governance, scalability, limited resources, privacy, trust, among other topics.

Noam H. Arzt, PhD, FHIMSS, is president and founder of HLN Consulting, LLC, San Diego, and does consulting in healthcare systems integration, especially in public health. This article was published on Government Health IT.