HHS unveils patient matching standards, guidance to boost patient privacy

Cyber Security News

Medical personnel at an urgent care facility review records while testing patients for the coronavirus April 15, 2020 in Woodbridge, Virginia. A draft guidance is out for public comment, designed to develop a unified standard for patient matching across the health sector. (Chip Somodevilla/Getty Images)

The Department of Health and Human Services unveiled the first draft of its Project USA technical specification guidance for public comment, designed to develop a unified standard for patient matching across the health sector to bolster data security and patient safety and privacy.

HHS developed the standards in coordination with industry stakeholders and standards development entities, including HL7, the National Council for Prescription Drug Programs, and other members of the Health Standards Collaborative.

“With a clear target and industry-wide commitment, it’s been amazing to see how much progress has been made in six short months,” said Steve Posnack, deputy national coordinator for health information technology, said in a statement. “We really appreciate everyone’s efforts thus far, and we encourage additional comment on the draft specification.”

Industry stakeholders have long made the case for the health care sector to employ a unique patient identifier to improve patient safety and reduce security risks, as the use would ensure the correct identification of individuals at the point of care.

World Health Organization data show patient misidentification has been tied to an increased patient safety risk, due to incorrect drug administration, blood transfusions, and other medical errors.

At the moment, medical records numbers and similar identifiers are commonly tied to Social Security numbers, which poses obvious risks to patient privacy and security.

It’s well-established that the industry needs a better way to identify patients, but opponents to employing a unique patient identifier number consistently point to supposed patient privacy risks.

In fact, HIPAA actually features a mandate for HHS to create a unique patient identifier. But prior to being enacted in 2009, former Rep. Ron Paul, R-Texas, introduced a funding ban that, in effect, banned the agency from using funds to build the identifier.

The College of Healthcare Information Management Executives (CHIME), a professional organization for senior health care IT leaders, has led the effort to build a case for a unique patient identifier in the last few years, while a range of Congressional actions have continued attempts to remove the funding ban. However, as it stands, the funding ban is still intact.

The continued rise in health care data breaches is furthering the argument in support of a much-needed unique identifier. According to the Office of the National Coordinator, the Project USA and proposed standards for patient matching are designed to tackle these critical challenges.

ONC received public comments on proposed patient matching solutions as part of the 21st Century Cures Act, which aimed to establish current challenges and ways ONC could support coordination of these efforts, including interoperability.

The guidance contains insights on the privacy and security of patient data, verification and validation, and the format of contact details, as well as the use of special characters and abbreviations, among other elements.

The agency also partnered with the American Health Information Management Association on a companion guide on operational best practices for accurate and timely capturing and management of patient addresses, in conformance with the newly proposed patient matching standards.

“We are engaging a wide range of stakeholders to help ensure that there is broad agreement on Project USA’s resulting specification and build industry commitment around its implementation from the ground up,” ONC officials explained.

“Together, we hope to establish a lasting, industry-wide approach to representing patient addresses that is consistent across a spectrum of clinical and administrative transactions,” they added.

Industry stakeholders are encouraged to provide feedback on the proposed standards during the comment period, which will last from July 1-31.