What You Need to Know About Patient Matching and Your Privacy and What You Can Do About It

Today, ONC released a report on patient matching practices and to the casual reader it will look like a byzantine subject. It’s not.

You should care about patient matching, and you will.

It impacts your ability to coordinate care, purchase life and disability insurance, and maybe even your job. Through ID theft, it also impacts your safety and security. Patient matching’s most significant impact, however, could be on your pocketbook, as it is being used to fix prices and reduce competition in a high-deductible insurance system that leaves families liable for up to $12,700 of out-of-pocket expenses every year.

Patient matching is the healthcare cousin of NSA surveillance.

Health IT’s watershed is when people finally realize that hospital privacy and security practices are unfair and we begin to demand consent, data minimization and transparency for our most intimate information. The practices suggested by Patient Privacy Rights are relatively simple and obvious and will be discussed toward the end of this article.

Health IT tries to be different from other IT sectors. There are many reasons for this, and few of them are good. Health IT practices are dictated by HIPAA, whereas the rest of IT is governed by the FTC or the Fair Credit Reporting Act. Healthcare is mostly paid for by third-party insurance, so the risks of fraud are different than in traditional markets.

Healthcare is delivered by strictly licensed professionals regulated differently than the institutions that purchase the Health IT. These are the major reasons for healthcare IT exceptionalism but they are not a good excuse for bad privacy and security practices, so this is about to change.

Health IT privacy and security are in tatters, and nowhere is it more evident than the “patient matching” discussion. Although HIPAA has some significant security features, it also eliminated a patient’s right to consent and Fair Information Practice.

Patient matching by all sorts of health information aggregators and health information exchanges is involuntary and hidden from the patient as much as NSA surveillance is.

Patients don’t have any idea of how many databases are tracking our every healthcare action. We have no equivalent to the Fair Credit Reporting Act to cover these database operators. The databases are both public and private. The public ones are called Health Information Exchanges, All Payer Claims Databases, Prescription Drug Monitoring Programs, Mental Health Registries, Medicaid, and more.

The private ones are called “analytics” and sell billions of dollars’ worth of our aggregated data to hospitals eager to improve their margins, if not their mission.

The ONC report overlooks the obvious issue of FAIRNESS to the patient. The core principles of Fair Information Practice are Consent, Minimization and Transparency. The current report ignores all three:

– Consent is not asked. By definition, patient matching is required for information sharing. Patient matching without patient consent leads to sharing of PHI without patient consent. The Consent form that is being used to authorize patient matching must list the actual parameters that will be used for the match. Today’s generic Notice of Privacy Practices are as inadequate as signing a blank check.

– Data is not minimized. Citizen matching outside of the health sector is usually based on a unique and well-understood identifier such as a phone number, email address, or SSN. To the extent that the report does not allow patients to specify their own matching criteria, a lot of extra private data is being shared for patient matching purposes. This violates data minimization.

– Transparency is absent. The patient is not notified when they are matched. This violates the most basic principles of error management and security. In banking or online services, it is routine to get a simple email or a call when a security-sensitive transaction is made.

This must be required of all patient matching in healthcare. In addition, patients are not given access to the matching database. This elementary degree of transparency for credit bureaus that match citizens is law under the Fair Credit Reporting Act and should be at least as strict in health care.

These elementary features of any EHR and any exchange are the watershed defining patient-centered health IT. If a sense of privacy and trust doesn’t push our service providers to treat patients as first-class users, then the global need for improved cybersecurity will have to drive the shift. Healthcare is critical infrastructure just as much as food and energy.

But what can you, as a patient, do to hasten your emancipation? I would start with this simple checklist:

Opt-out of sharing your health records unless the system offers:

  • Direct secure messaging with patients

  • Plain email or text notification of records matching

  • Patient-specified Direct email as match criterion

  • Your specific matching identifiers displayed on all consent forms

  • Online patient access to matchers and other aggregator databases

None of these five requirements is too hard. Google, Apple and your bank have done all of these things for years. The time has come for healthcare to follow suit.

Adrian Gropper, MD is Chief Technical Officer of Patient Privacy Rights and participates in Blue Button+, Direct secure messaging governance efforts and the evolution of patient-directed health information exchange.


  1. Well explained: the scenarios where there is a chance of cyberattacks happening in the healthcare field. Cybersecurity is the main concern in the healthcare sector. The healthcare sector has become a juicy field for hackers nowadays. Gaining more information about cybersecurity is better than being a victim of a cyberattack. If you need to learn and know more about cybersecurity, this community can be helpful for you: https://www.opsfolio.com/

  2. Will – I think we’re in complete agreement but you may have over-read my 5 opt-in requirements. Your main objection seems to be that I’m linking matching ID with transport, but I’m not doing that at all. The second bullet says “plain email or text notification” is linked to the matching. This explicitly is not Direct and pretty much any form of notification would be acceptable because the content of the notification does not have to be privacy-sensitive.

    Your other point (about bullet 3) is that we should not mandate Direct as an ID match criterion because better (cyber) IDs will come along eventually. I completely agree that will happen and am actively working as vice-chair of NSTIC – IDESG Healthcare Workgroup toward exactly that future. Please check out our RLS Use Case which deals directly with patient matching.

    Today and for the next few years, the list of easily understood, voluntary and routable cyberIDs is limited to email addresses, cell phone numbers, credit card numbers and bank routing / account numbers. Unique IDs that are not routable can’t be easily verified, so only email and cell phone numbers are practical from that perspective. The banking-related IDs are cumbersome, and verifying control of a particular ID is relatively expensive.

    The reason PPR suggests Direct as a match criterion is for the same reason banks use credit card numbers and routing + account numbers as financial sector match criteria. Using email and phone numbers for financial matching would be too unreliable in the current environment.

    Finance, incidentally, is, along with healthcare, the only other industry sector that has a special workgroup in IDESG.

    I think we both agree that our health information sharing and interoperability infrastructure needs to be built on fair information practices. I see patient matching as the place to start – today.

  3. Adrian – thanks for bringing up the ONC MPI report. It’s a decent first effort. I like 7 of the 10 recommendations in the ONC report, while 3 of the 10 I can do without. With regard to your post, I disagree with your suggestion that “Direct” should be required for patient communication, which has nothing to do with patient matching. Mandating any transport protocol is irrelevant to identity matching. The relevant patient-facing issue for identity matching is personal participation in the identity authentication process, regardless of any transport protocol that may carry personally identifiable content. The ONC 2015 Edition EHR Certification criteria, now open for public comment, recommend separation of transport from content (finally!), which is a step in the right direction. Mandating a specific transport protocol unnecessarily bakes in a legacy solution and hinders the rise of improved protocols or even of radically different transport protocols. But this is pretty far afield from the ONC patient matching report. I agree with your concern about consent, minimum necessary and transparency. With regard to the fair information practices, the ONC report also does not explore enforcement and redress for the patient who is a victim of a false positive identity match.