U.S.

Department of Health and Human Services

Office of the National Coordinator for Health Information Technology
HIT Policy Committee
Privacy & Security Tiger Team

Patient Linking Hearing

Thursday, December 9, 2010

Allscripts
Written Public Testimony
Richard Elmore
Vice President, Strategic Initiatives

Introduction

To Deven, Paul and the Privacy & Security Tiger Team members – thank you for
the opportunity to participate in in this vitally important hearing.

Allscripts provides electronic health records and revenue cycle management

systems – both inpatient and ambulatory - as well as analytics, ePrescribing,
financial and clinical transaction services, clinical trials, care management, ED
and home health software and services to over 180,000 physicians, 1,500
hospitals, and many thousands of post-acute care organizations across the
country. In working to best serve our clients and help advance our collective
goal of improving health for the nation’s citizens, Allscripts promotes a vision of a
connected community of health built on this foundation. As you can imagine,
with a client base this size, we do a lot of matching of individuals across
heterogeneous platforms. Identity management and matching are critical to
Allscripts.

A Clarification on Matching / Linking

The published purpose of this hearing is “to learn about experiences in linking
or matching patients to their information”. In the technical community, there
has been a debate when a patient match is established regarding the relative
merits of dynamically linking the patient information versus the merging of the
patient information. As a result, in this testimony, the word “matching” has been
used to establish when information from two systems are determined to refer to
the same person. The word “linking” is used to refer to links to information for
the same person.

Patient Linking Hearing – Allscripts – Richard Elmore Page 1

 Summary

In preparation for this hearing, we surveyed eleven larger provider organizations

(with patient populations as large as 4 million) as well as a similar number of
internal and external experts on the topic of patient matching.

The most important requirement identified by Allscripts clients when it comes to

matching is high quality patient demographic information. Data governance and
management, user workflows, provider verification and a clean patient registry
are vitally important to patient matching.

From a technology perspective, electronic health records, master patient indices,

and patient identification exchange standards are critical components to ensuring
and improving the high accuracy levels reported by our clients. Based on our
survey, electronic health records are serving as a positive safety and privacy
mechanism.

General Topics for All Panels

1. Standards for identifying individuals

Individual identification standards are established by the provider. Typically

these include “out of band” verification of identification through cards such as
driver’s licenses and health insurance certificates. Minimal basic demographics
include full name, date of birth, sex, address, zip and preferably the last 4 digits
of the social security number. For pediatrics and other special workflows,
additional demographics are required. Some states and organizations, however,
do not collect social security numbers.

One note is that discipline and completeness of demographics tends to be better

in organizations that see patients on a recurring basis, and better in revenue
cycle departments than in clinical departments. With the exception of certain
urgent care workflows, identity usually flows from the revenue cycle
demographics data capture process to the clinical departments.

2. Ensuring accuracy in matching a patient with his/her data

There are no perfectly accurate matching approaches, and there is no one-size-

fits-all approach to patient matching. The best approach for a given healthcare
organization depends on a number of factors related to the population
characteristics, the way the information is used and managed, data quality and
algorithms employed by various systems involved in information exchange,
among other factors.

Patient Linking Hearing – Allscripts – Richard Elmore Page 2

Patient information is matched in two basic ways:
• Statistical patient matching based on demographic factors, with more
advanced systems including rules, demographic weightings and
probabilistic algorithms with configurable attributes.
• Unique invariant non-disclosing patient identifiers

These linkages can be established at any number of points in the workflow, but
there are two basic methods:
• Dynamic linking, which is real-time linking based on demographics with
records kept separate, or
• Static merge, which means a link is established, with the data potentially
combined and maintained at that point in time

There are two types of errors associated with patient matching:

• A false positive – which incorrectly links or merges clinical information to
the wrong patient.
• A false negative – which fails to match information to a patient and may
result in an additional record for the same patient, with each record
missing some information.

Most legacy systems in use in the U.S. today use deterministic matching (the
most basic statistical matching looking for exact matches over 4 or 5
demographic variables). This may have been a workable solution for smaller
patient populations that resided in a society where demographic factors like
name and address were more stable, and where the collection of unique
identifiers like social security number was better tolerated. All of that has rapidly
changed, however, and many of the legacy systems haven’t kept up with the
need for advances in patient identity.

As the distance between the settings of care gets smaller, and as there is more
interconnectedness, the opportunity for error rises rapidly. In an interconnected
world, the borders get fuzzier. Patient matching was important in the 90’s as
hospitals consolidated and now, with ACO’s, Community Health Teams and other
payment reform initiatives rapidly gaining momentum, the pace of consolidation
is quickening even more, with the importance of accurate linking growing
exponentially alongside.

Patient matching technologies are employed in a variety of systems. Reviewing

recent strategic decisions by Allscripts clients, we can generalize how these
matching approaches are being applied today including:

• Patient identity management systems (community patient registries and

EMPI’s) with robust probabilistic matching are found in health information

Patient Linking Hearing – Allscripts – Richard Elmore Page 3

 exchange settings – both public and private. Health information exchange
can rely on dynamic linking of patient records, thus ensuring as
demographics are updated, patient record matches resolve to the most
currently appropriate individual (recognizing that in some cases,
demographic changes can also degrade the accuracy of a match, as in legal
name or address changes).

• Strong statistical matching and fuzzy logic algorithms can be applied to

traditional operational interfaces and bulk uploads.

• Unique patient identifiers are applied for system-to-system patient

matching, in the limited cases where there is strong organizational control
of the patient identifier to ensure it is unique, invariant and non-disclosing.

• Patient communication solutions start with a unique invariant patient

identity established in the EHR and result in an email invitation being sent
to the patient to participate in a portal / EHR. The patient email address is
established outside of the system in communication between the provider
and the patient.

• Providers with low tolerance for matching errors have implemented unique,
invariant, non-disclosing patient biometric identification techniques like
palm vein scanning.

• Patient identification for devices is typically driven from the EHR to the
device using web services.

3. Problems with patient-matching, internally and/or for information

exchange. Source of those problems.

Issues that have adversely affected patient matching performance include:

o Source data quality, completeness and consistency – these are by far and
away the most often reported sources of patient matching problems.

o Local population characteristics and social factors that impede good quality
data including common names, sharing of identity information (or in the
case of drug abuse – the use of multiple identities), and other factors

o State level differences such as opt-in or opt-out consent requirements for

health information exchange and varying policies regarding exclusions of
sensitive health information (e.g., Psych, HIV, etc.).

Patient Linking Hearing – Allscripts – Richard Elmore Page 4

 o Accuracy of the management of demographics information in source
systems

o Acute care environments with numerous ancillary systems and medical

devices (key problem is that there are multiple points of demographic data
entry with varying degrees of accuracy)

o Pediatric workflows

o Multi-organization sharing where many organizations are sending patient

information into a single repository.

o Changes in marital status (with name change)

o Dirty MPI’s resulting historically from less sensitivity to patient identity

accuracy

As an example, Steven Anderman, Bronx Lebanon Hospital’s COO has led major
advances in care coordination and technology at Bronx Lebanon, as well as
health information exchange through the Bronx RHIO. Many of the “externalities”
listed above are applicable at Bronx Lebanon and these adversely impact patient
registry quality. Bronx Lebanon Hospital’s patient population is two thirds
Medicaid and is subject to frequent moves, often provide bad addresses and
phone numbers, and creates a tremendous burden in terms of collecting good
demographics. And patient identity sharing is common. The process repeats
itself at each health care organization in the community. This places an
undue burden on the provider to be the regulator of patient identity.

3a) Handling patient matching problems (wrong/ambiguous match)

Providers use a variety of tools and processes for handling patient matching
problems, including:

o Workflow and reporting solutions to evaluate possible duplicated patients.

o Follow-up user workflow solutions to analyze, identify and resolve potential

duplicates.

o Corrections in source systems.

o Improvements to the rules / weightings based on specific usage, data

quality and population characteristics.

Patient Linking Hearing – Allscripts – Richard Elmore Page 5

 o Upstream workflow process improvement to accurately capture
demographic information the first time.

o False negatives can be resolved through dynamic linking solutions or

merge capabilities.

o Logic to detect common mistakes and alert users of possible match or

mismatch.

o When no match is found, user workflows and tools for research and
resolution are typically applied.

o Also, "cleansing" techniques can be applied such as removal (from

database and/or from searches) of obsolete records (e.g., deceased
patients)

Who’s doing this well today?

One example is North Shore Long Island Jewish. They identify the potential
duplicates centrally and then are able to communicate with various Medical
Records Departments electronically to obtain the information necessary to
resolve them. They can also assign the resolution to the respective Medical
Records departments. Currently they have at least 8 systems feeding the
Allscripts EMPI and are adding additional participants at a steady pace.

3b) Consequences of a Wrong Match – to Patient Safety, Privacy

We can find a powerful real world example of the dangers of wrong matches in a
recent case where a patient had an EKG at her local clinic. While she was at the
clinic, they misplaced her EKG and mistakenly evaluated her based on another
person’s EKG. The wrong EKG, with her name hand-written on top, incorrectly
indicated that she was on the verge of a heart attack. The ensuing clinical
response ultimately resulted in coma and then her death. In this simple case,
where the patient match involved data only intended to move from the device to
the physical patient in the same clinical setting, during the same encounter,
without an EHR and without any health information exchange technology, had
deadly consequences.

This story is very revealing for those of us who are engaged in the policy
conversation. In fact, it’s a bit of a Rorschach test. As you tell this story, there
is a tendency for listeners to jump to their pre-conceived notions of what’s
important about patient matching depending on their role in the healthcare
ecosystem.

Patient Linking Hearing – Allscripts – Richard Elmore Page 6

Providers recognize the risks to safety and privacy, but up until now, among
those polled, error rates have been generally extremely low. Providers also
recognize that as they engage with more outside entities, the risk of patient
matching errors rises.

Providers are very aware of the potential for patient safety issues in the event of
a wrong match. Typical of the issues include the need to review/change
medications, inform pharmacies, manage rework of the records, and
communicate with providers, consulting providers and patients.

The providers did identify privacy concerns, as well, in the event of a wrong
patient match. This includes the risk of privacy exposures when the wrong
information is entered into a patient’s chart and the potential need to explain this
to a patient.

There are privacy considerations, as well, in connection with larger data bases,
unique patient identifiers (not including VUHID – more on this below) and
potentially non-essential information being shared in connection with patient
matching.

4. Level of Accuracy for Patient Matching

The fact of the matter is that the industry doesn’t have consistent measurement
and performance standards for patient matching accuracy. The Allscripts
providers interviewed on this topic generally reported overall accuracy rates of
99.9+% or 100% after human review and ~97+% on automated match.
However, they acknowledge the presence of some errors, and this more
consistently aligns with the findings of the RAND study, in which statistical
matching generated a false-negative error rate of approximately 8%, meaning
that there can be data gaps needed for identification around 8% of the time.

A false positive that results in incorrectly merged patient information is more

likely to be a hidden error and therefore more serious for patient safety. To
strictly limit false positives, standards for matching are high. So generally, in
our client base, a false negative is more likely to occur than a false positive.

Allscripts’ goal is to avoid any false positives, to minimize false negatives, to

ensure upfront accuracy and to provide resiliency by putting the tools in place to
cost-effectively and timely handle issue resolution and merges.

Matching accuracy is favorably affected by the presence of more unique

demographic attributes. The Rand study found that in a database of 80 million
unique patients, false positives could be avoided with a composite key consisting
of name, DOB, zip code and the last 4 digits of the social security number.

Patient Linking Hearing – Allscripts – Richard Elmore Page 7

Conversely, Rand found that removing the unique 4 digits from the SSN reduced
accuracy from 1 in 39 million, to 1 in 8. Allscripts in general provides more
demographic fields, options and rules than this to ensure false positives are
avoided. Unique demographic factors are vitally important to patient matching
accuracy.

Note that this also points out that when social security number is shared among
patients, or otherwise mis-used, the risk substantially increases of mixed
records.

5. Lessons Learned

Demographic data quality: Secure technology exists for accurate matching –

the key is the data behind the match. Source data quality, completeness and
consistency are by far and away the most often reported sources of patient
matching problems.

Process: Workflows, processes, training and best practices including the

individual provider as a last stop-gap are vitally important to accurate source
data used for patient matching.

As an example, Scott Whyte at Catholic Healthcare West is very aware of the

need to be on top of processes to ensure data quality. In addition to deploying
the technology, Catholic Healthcare West has placed a major emphasis on
people, policies, executive sponsorship and monitoring.

Dynamic linking: Changes in demographics can resolve in different matching.

This can improve accuracy when the changes are corrections in the underlying
data and can diminish accuracy when the changes are, for example, changes in
name or address. Holding individual records separately and dynamically linking
– effectuated by the HIE strategies of record locator and linking to records offers
greater transparency than merging of records.

Regional differences: Population and regional differences result in disparate

problems. For example, a community with a large uninsured population, a large
immigrant population, or a large transient (e.g., university) population all have
slightly different weightings based on their population characteristics.

Persons: Guarantors & Subscribers are typically difficult to match with

traditional statistical / deterministic techniques. While the Tiger Team hearing is
focusing on the patient, Allscripts would recommend that you consider any
individual person matching, whether they’re a patient or fill a financial role in
connection with the patient.

Patient Linking Hearing – Allscripts – Richard Elmore Page 8

Demographic data management: Data quality management is challenging in
enterprises and even more so in collaborating, decentralized organizations. Data
ownership is ambiguous when multiple organizations are seeing the same
patient. The reputation and quality of participating organizations enters into
providers’ willingness to accept another’s information. Best practice involves
ensuring that there is zero tolerance for errors at the source, due to the
extremely high cost of rework and low level of capability for undoing propagated
changes. The very credibility of the HIEs (or any EMPI service for that matter)
rests in large part on ensuring a high quality error free patient registry.

Priorities for Health Information Exchange using IHE Profiles: Allscripts is

very supportive of the identity-related IHE profiles for Health Information
Exchange. Like MU, where there is a logical progression for the industry, the
following progression should be considered:
• PIX for HL7 v2 typical use case involves an HIT system with a registration
system communicating with the HIE. It is a well-established mature
profile. PIX V3, using Web Services, is widely used internationally and is
gaining market share in the US.
• PDQ (demographic query) typical use case involves using patient
demographic information to communicate with the registry to establish the
patient’s identifier. It is less well established than PIX.
• Pediatric Profiles typical use case involves a hospital maternity or pediatric
department already using PIX communicating with the HIE. These profiles
are undergoing trial implementations.
• Cross Community Patient Discovery (XCPD) typical use case involves
support for snow birds, patient moves, multiple homes, etc., where the
provider needs to establish a new patient’s global identifier across the
network of HIE’s. Through gateways, using XDPD, in combination with
IHE’s Cross Community Access Gateway (XCA) – a request can be sent out
across HIE’s to determine a patient’s id in other exchange networks. XCPD
is promising technology for these “edge cases”, which should be prioritized
once core HIE functions are well established.
• With all patient matching, as with any exchange of PHI, there is the need
for secure transmissions as well as auditing.

Support for the small provider: Patient registries for health information
exchange will of necessity be dealing with multiple and various clinical and
administrative systems, large and small, that all must be able to participate.
70% of healthcare is provided in small practices, and these providers must have
access to the same levels of capability, performance and supporting tools for
patient matching as those available to an enterprise.

Patient Linking Hearing – Allscripts – Richard Elmore Page 9

Innovation isn’t necessarily government work: Much of the innovation
around patient matching (including EMPI’s and surround workflows and tools)
has its roots in advanced healthcare organizations.

For example, Bill Spooner’s IT team at Sharp Healthcare supports seven

hospitals and 2,500 physicians. A small team of five handles patient matching
and duplicates, running a tight ship, where any mismatch is a critical error. In
2009, on a base of four million patients, they identified and managed 260
manual registration errors. In the same timeframe, 2,740 duplicates were
generated off of enrollment tapes. As more of healthcare becomes risk bearing,
there is clearly a lesson to be learned around Sharp’s experience with
enrollment.

The bottom line is, ONC should look to these experienced healthcare
organizations for continuing innovation. As the rest of this testimony suggests, it
isn’t about the match as much as it is about the quality, consistency, resilience
and recovery capabilities around the match. ONC should consider how to provide
the platform for innovation and allow the market to develop.

6. Cost Implications of Various Solutions

In all cases cited, the high performance solutions will be cost-effective compared
to current operational costs managing errors and rework.

7. Recommendations for ONC to address patient matching problems in

information exchange

ONC recommendations in support of Meaningful Use Stage 2 & 3 should be made

as early as possible to ensure that vendors and providers have time to develop
and implement the recommendations. In the context of patient matching, in
support of public and private health exchanges, the extended rules should
include, in our opinion:

• Robust probabilistic patient matching capabilities

• “Possible duplicate” identification

• Merge (or link) functionality to correct the MPI and through HL7 ADT-type
transactions to communicate the corrections to participating organizations.

• Progressive adoption over several stages of the IHE profiles (in sequence:
PIX, PDQ, Pediatric, XCA/XCPD).

Patient Linking Hearing – Allscripts – Richard Elmore Page 10

ONC should provide support to the innovators in complex environments that are
piloting the new generation of patient registries.

These are emerging at places like Hartford Healthcare System where Steve
O’Neill’s IT team is in pilot with four acute care facilities, several federal qualified
health centers, and independent Connecticut physician organizations. The
strategy calls for leveraging the patient registry and health information exchange
infrastructure to create a patient throughput platform, providing a variety of
services across heterogeneous provider platforms.

ONC may also want to give due consideration to two excellent published works
on this topic: Connecting for Health’s 2005 Linking Health Care Information:
Proposed Methods for Improving Care and Protecting Privacy and the HIMSS
2009 Patient Identity Integrity (PII) work group recommendations which
included developing demographic data standards, medical device standards for
identification and HIT workflow support for analysis and correction of duplicates.

Universal Patient Identifiers

As we all know, the subject of unique identifiers is one that engenders a strong
response from different constituencies, and there is even a law prohibiting simple
discussion of a national patient identifier. However, it is our sense that such
limits were applied at a time when health information technology and the ability
to securely exchange health information was in a very different place, and it’s
time to revisit the conversation

The industry should not give up on further exploration of a unique voluntary

patient identifier inasmuch as it has the potential to reduce false positives and
false negatives and thus improve safety for those patients who opt in to it. It’s
not, however, the “silver bullet.” With any voluntary approach, like the ASTM-
based Voluntary Universal Healthcare Identifier (VUHID) that is being discussed
in many circles, there will always be a need for patient matching technologies.
VUHID needs mass adoption seeded by a national catalyst, and well-researched
best practices/policy guidance to support its implementation and use.

Should Congress elect to remove its restrictions on the conversation about

patient identifiers, a private / public partnership using organizational techniques
similar to the Direct Project could be a productive means of encouraging
innovation and practical approaches to the implementation.

Specific Topics for Panel 2

1. Solutions:

Patient Linking Hearing – Allscripts – Richard Elmore Page 11

ONC can and should play a leadership role to:

• Ensure high quality patient demographic information at the source using

workflow, training, strong attention to process and EHR/MPI technology.

• Standardize on data definitions and performance standards for algorithms

for patient matching.

• Encourage methods for resilience and recovery to perfect the information

system.

• Encourage innovation with biometrics to get five 9s plus accuracy – with

opt-in / opt-out to protect the providers and provide privacy options (at
various levels of safety) to the patients. Multi-factor look-up could include
biometrics, photos, etc.

• Standardize on health information exchange, using stages/roadmap to

foster adoption of Integrating the Healthcare Enterprise (IHE) PIX, PDQ,
Pediatric Profiles, XCPD/XCA.

• Encourage patient demographic self-verification methods.

• Establish best practices for governance of data quality in a distributed

environment.

• Support implementation of the HIMSS PII workgroup recommendations for

standards, interfaces, algorithms for matching, business processes, data
accuracy, data quality, training and medical devices.

• Standardize device communication for patient identification.

In addition to these solutions, ONC should seek to ensure similar levels of

support for small providers and support innovation that is emerging in private as
well as public exchanges.

2 & 3: Status of solutions and gaps for healthcare:

While basic matching technology is well established, there are significant gaps in
the solutions outlined above. These include:

• Standards for source data quality, completeness and consistency are

lacking and vitally important as the healthcare system becomes more
connected.

Patient Linking Hearing – Allscripts – Richard Elmore Page 12

 • High performance technology for patient matching exists today. Allscripts
is deploying this technology to providers and health information exchanges
nationally.

• Methods for resilience and recovery are inconsistently applied and

inconsistently available.

• Biometrics are well established (and in fact required in Ohio). Biometrics

are not however part of the usual standards for health information
exchange.

• IHE profiles for PIX are well established. PDQ, Pediatric profiles and
XCA/XCDP are emerging.

• Patient demographic self-verification has been implemented in several

patient portal solutions.

• Best practices for governance around data quality in a distributed

environment are not well established.

• HIMSS PII workgroup recommendations are generally yet to be delivered,

with the exception of the strong work on EHR deployment.

• Device standardization for patient identification is a significant gap.

In summary, not all Health IT vendors deploy these technologies today.

Standards and best practices aren’t in place. An improved understanding of best
performing algorithms for patient matching is needed. And of course, ONC
should foster the platform for experimentation, innovation and performance
improvement around patient identification.

Conclusion

In conclusion, Allscripts believes that accurate patient identification is

fundamental to health care quality, efficiency, and safety, especially as EHRs and
HIEs become more embedded in the healthcare system. Adoption of appropriate
standards, identifiers, technology, and processes must be put in place to
minimize the costs and consequences of false positives, false negatives and an
ongoing remediation of problems.

Patient Linking Hearing – Allscripts – Richard Elmore Page 13

 Thank You

To the Privacy and Security Tiger Team members – thank you for the terrific
progress that you’ve made to date, your ever mindful work to gain and keep the
public’s trust, and your continued leadership on key issues in connection with
privacy and security in healthcare. It will take your leadership to make the
imperfect “near perfect” for patient matching. Resilience and recovery will be
the key in lieu of a “perfect solution”.

Patient Linking Hearing – Allscripts – Richard Elmore Page 14