Electronic Healthcare Records
,
Governance
,
HIPAA/HITECH
New GAO Report Spotlights Problems and Potential Solutions(
HealthInfoSec) •
January 21, 2019
Matching the right patients to all the right records continues to be a significant challenge, especially as healthcare providers increasingly seek to exchange health information, posing risks to patient safety and privacy, according to a new Government Accountability Office report.
See Also: Live Webinar: Building Secure Delivery Pipelines with Docker, Kubernetes, and Trend Micro
But implementing standards for recording demographic data, and also sharing best practices, could help improve patient record matching, the study concludes.
"The 21st Century Cures Act included a provision for [GAO] to review patient record matching efforts in the context of electronic health records, including the efforts of ONC and other stakeholders," the report notes.
ONC, the Office of the National Coordinator for Health IT within HHS, leads federal efforts to promote interoperability, including setting requirements for the information that EHRs and other healthcare information systems should collect.
Record Matching Challenges
Challenges in accurately matching patient health records are a barrier to health information exchange, and inaccurately matching records can adversely affect patient safety and privacy, the GAO report notes.
Patient record matching challenges are a barrier to health data exchange, GAO says.
A survey conducted in 2017 by the American Hospital Association found that 45 percent of large hospitals reported that difficulties in accurately identifying patients across information systems limited health information exchange, according to the report.
The watchdog agency says that when it conducted interviews for its study, "stakeholders explained that when exchanging health information with other providers, they match patients' medical records using demographic information, such as the patient's name, date of birth or sex. This record matching can be done manually or automatically."
For example, several provider organizations told GAO that they rely on software that automatically matches records based on the records' demographic information. That software can also identify other potential matches, which staff must then manually review to determine whether the records correspond to the same patient.
Stakeholders also told GAO, however, that inaccurate, incomplete or inconsistently formatted demographic information in patients' records can pose challenges to accurate matching.
"They noted, for example, that records don't always contain correct information - for example, a patient may provide a nickname rather than a legal name - and that health IT systems and providers use different formats for key information, such as names that contain hyphens."
Next Steps
GAO notes in its report that stakeholders told the agency that much more could be done to improve patient record matching.
"For example, some said that implementing common standards for recording demographic data; sharing best practices and other resources; and developing a public-private collaboration effort could each improve matching," GAO writes.
Stakeholders' views varied on the roles ONC and others should play in these efforts and the extent to which the efforts would improve matching, GAO added.
"For example, some said that ONC could require demographic data standards as part of its responsibility for certifying EHR systems, while other stakeholders said that ONC could facilitate the voluntary adoption of such standards. Multiple stakeholders emphasized that no single effort would solve the challenge of patient record matching."
Bad Consequences
Kate Borten, president of the privacy and security consulting firm The Marblehead Group, notes: "Patient record matching continues to be problematic for providers. The consequences for failure to match or for a mismatch can run from time-consuming and inefficient to dangerous."
Failure to identify separate records belonging to the same patient can affect patient data integrity and lead to unnecessary, repeat testing as well as suboptimal care because providers don't have the whole picture, Borten notes.
In addition, improper matching can result in combining the records of different patients.
"This can lead to inappropriate treatment if, for example, a provider mistakenly attributes symptoms to the wrong patient," she says.
"From the privacy and security perspective, providing patient access to the record and releasing the record can lead to breaches of one patient or the other."
Patient ID Mishaps
Health records for twins are particularly vulnerable to mistakes, including being merged accidentally, says Susan Lucci, a senior privacy and security consultant at tw-Security.
"Twins are often given similar names and maybe a later admission could be mistaken as a typo - for example 'Kristen' vs 'Kirsten', 'Cody' vs 'Cory'," she says. "Extremely common names will find multiple matches not only in the name but even in the date of birth, so ... the potential for an overlaid record is high."
Privacy violations are, indeed, a big concern in inaccurate patient matching, says Joe Gillespie, a senior privacy and security consultant at tw-Security.
"One version of the patient's record may contain privacy restrictions that might not appear in another version," he notes. "The same could happen with communications with an authorized patient representative not being aware of certain health issues that were being treated due to that person's involvement not being recorded in a version of the record."
Impact on Credibility
Curt Kwak, CIO of Proliance Surgeons, a large practice in the state of Washington, says inaccurate patient record matching is a significant issue for healthcare providers because of the potential dangers. "There should never be any compromises when dealing with people's health and their lives," he says.
Other issues also develop when patient records matching problems exist, he says. "Patient safety concerns are far above anything else," he says. But other fallout with patient matching mistakes, he notes, include harm to the "credibility of the providers and the facilities that they work in."
Kwak acknowledges that progress is being made in the long-term effort to match the right patient with all the right records, but says there's still plenty of work to be done.
"With the effort to adopt electronic health record systems in the last couple of decades, I firmly believe that data standardization and synchronization have improved significantly," he says. But organizations still need to improve internal processes and provide leadership to consistently operate those processes, he argues. "Hold those who are responsible accountable and be consistent about it. Then for external data alignment, ensure good collaboration and transparency."
Efforts Underway
GOA notes that ONC in 2017 published the Patient Demographic Data Quality Framework, a tool to help providers and other organizations assess their processes for managing data quality and improving the quality of the demographic data they use in matching. It includes, for example, questions that providers can use to identify any gaps in how they manage their demographic data.
In 2017, ONC also hosted a competition for participants to create an algorithm that most accurately matched patient records. ONC selected six winning submissions and plans to report on their analysis of the competition's data, GAO notes.
In 2016, before the Patient Demographic Data Quality Framework was published, ONC began a pilot to assess how the framework could work in a clinical setting. As part of pilot study, ONC provided training on demographic data quality to staff from two community health centers, during which it shared best practices for collecting these data.
But ONC is not currently planning to assess the impact of the framework or to conduct future studies on how it works in clinical settings, GAO notes.
National Identifier Issue
HHS is somewhat limited in the steps that it can take on the patient record matching issue, especially in the context of a potential national unique patient identifier.
Originally, HIPAA, which was enacted in 1996, required the creation of patient identifiers and other uniform standards for electronic data transmission to improve the reliability of health information. But Congress later banned the HHS from expending funds to develop a unique patient identifier system, due to privacy and other concerns (see: Senators Portray Patient Matching as an Urgent Issue).
Some healthcare industry groups, including the Healthcare Information and Management Systems Society and the College of Healthcare Information Management Executives, in recent years have been urging Congress to re-examine the patient safety, security and privacy challenges created by the HHS ban on developing an unique, national patient ID standard (see: Ease Ban on Unique Patient IDs, Groups Again Urge Congress).