Healthcare Information Security

Cybersecurity News

Patient identity matching: Addressing privacy questions

By Patrick Ouellette

- As healthcare technology innovation and interoperability needs continue to grow in areas such as healthcare information exchange (HIE) or accountable care organizations (ACOs), ensuring that patient data is accurate is a key consideration. Among the biggest privacy challenges will be patient identity matching across disparate systems that have different matching standards and methods. Micky Tripathi, CEO of the Massachusetts eHealth Collaborative (MAeHC), weighed in on some of these concerns with

Tripathi has presented recently on maintaining the integrity of health information when matching patients’ identities and said that based on MAeHC’s ground work, there are certainly issues related to patient matching but they seemed to be getting resolved incrementally. The healthcare industry is getting to the point where technology can solve most problems when presented with the right information, but getting that right information every time hasn’t been a straightforward process to this point. “That’s where you start to get into that caveat of having a fragmented industry landscape,” Tripathi said. “The issue is more about organizations each keeping their medical records in their own silos and the challenge of exactly what information is put in and how accurate is that information? From there, the question is on what basis can you make patient matches with the accuracy that the technologies promise?”

Tripathi serves as a member of the HIT Policy Committee’s Tiger Team and it had hearings a couple of years ago on patient matching with regard to the privacy and security aspects of the process. Within these hearings, the Tiger Team was trying to determine whether the federal government, through the meaningful use and EHR certification program or HIPAA or other statutes, should take a more affirmative approach toward patient identity matching. Tripathi explained the ways that the government could step in, such as standardizing the [patient matching] algorithms or even the data inputs, where the government would say to base the inputs on certain demographics. Or, for example, it could have regulated the threshold for patient matching, such as saying organizations need to have 90 percent certainty that that is the same patient before you merge records.

One of the things that came out of those Tiger Team hearings was a clear sense that the federal government should not weigh in on patient identity matching because the technology and individual processes are too fluid. And the biggest concern was that it would also stifle innovation. Lastly, as I said before, the problems seem to be getting resolved year by year.

Tripathi added that the better solution in the long run may be a command-driven process with patient expectations in mind. When analyzing a command-driven process, whether it’s because of meaningful use or accountable care, the demand for interoperability as it relates to HIEs will create a better demand for patient matching, according to Tripathi.

When does innovation line up with standardization?

As Tripathi made clear, healthcare isn’t close to hitting an innovation plateau, but at what point can standardization kick in on at least some level to make patient record matching less of a privacy and security concern? Tripathi believes there is going to be a lot of messiness as the industry begins to figure out best practices, but that alignment may happen just with greater market experimentation. In Massachusetts, for example, the state is attempting to build a state-wide record locator service. With their permission, would allow patients to have the location of their records that would include their names and certain demographics that would be sent to that state database to be matched with your name and patient records with the records already in the system.

One of the things we’ve talked about is this disconnect where the record locator service makes matches, but those matches may not be the source of truth because each organization participating is going to do their own internal matching. Because there may be two different patient matching systems, querying someone’s name from organization using the state-wide record locator service may not work at times. We’ve said that we’re going to have to live with that in Massachusetts for a while because processes and technologies don’t support individual matching services at the moment.

Organizations need to match records on their own for now, but over time Tripathi would like to think patients would want their individual patient records at different organizations to match up with the state service.


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks