Standardizing Patient Addresses: Privacy, Security Issues
HHS Proposal Aims to Improve Patient Record Matching, But What Are the Risks?
With a goal of better matching the right patients to all the right medical records, federal regulators have issued new draft technical specifications for standardizing how patients' physical addresses are formatted and represented in health IT systems.
But while the effort aims to help reduce the risk that clinicians might access the wrong records when treating a patient, some experts say the move toward standardized addresses could also potentially present new security and privacy risks.
"Given the many different ways in which addresses are represented, from past and present formats, this could be quite challenging," says Rebecca Herold, CEO of The Privacy Professor consultancy and co-founder of Privacy & Security Brainiacs.
"The potential for degrading data privacy and creating security incidents and breaches could be as great as the potential to improve them."
Other experts, however, say standardizing address formats will help improve accuracy of matching patients to records and help reduce errors that could lead to patient safety and privacy issues.
"It most definitely would help," says Susan Lucci, privacy and security senior consultant at tw-Security. "We have seen with duplicate records that a difference in Avenue to Ave. would not necessarily match on that data element," she notes. "Also things like P.O Box or PO Box make a difference. Not to mention numbered streets when they are done different ways: 1234 42nd Street vs. 1234 42 St. vs. 1234 Forty-Second Street," she says.
"With duplicate records, there is always a chance that the record may not contain all the important patient data. Because of address and other causes of duplicates, it is not unusual for one patient to have three or more records each containing only part of their medical history. Limited information can lead to medication errors and other serious problems in treatment."
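The address variants Lucci lists, run through a small normalizer, as an added example that is not part of the original article or of the Project US@ specification. The abbreviation tables, function names and sample records are constructed assumptions; name and birth date must also agree before two records are linked, so a new resident at a former patient's address is not attached to that patient's chart.

```python
import re

# Constructed abbreviation tables for illustration only; they are NOT the
# Project US@ rule set, which the article does not reproduce.
SUFFIXES = {"AVENUE": "AVE", "STREET": "ST", "ROAD": "RD", "BOULEVARD": "BLVD"}
ONES = {"FIRST": 1, "SECOND": 2, "THIRD": 3, "FOURTH": 4, "FIFTH": 5,
        "SIXTH": 6, "SEVENTH": 7, "EIGHTH": 8, "NINTH": 9}
TENS = {"TWENTY": 20, "THIRTY": 30, "FORTY": 40, "FIFTY": 50,
        "SIXTY": 60, "SEVENTY": 70, "EIGHTY": 80, "NINETY": 90}


def normalize_address(raw: str) -> str:
    """Reduce one street-address line to a comparison key."""
    text = raw.upper().replace("-", " ")
    text = re.sub(r"[.,#]", "", text)                  # "Ave." -> "AVE", "P.O" -> "PO"
    text = re.sub(r"\bP\s*O\s+BOX\b", "PO BOX", text)  # "P O BOX" -> "PO BOX"
    out, tokens, i = [], text.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in TENS and i + 1 < len(tokens) and tokens[i + 1] in ONES:
            out.append(str(TENS[tok] + ONES[tokens[i + 1]]))  # FORTY SECOND -> 42
            i += 2
            continue
        if tok in ONES:
            tok = str(ONES[tok])                       # SECOND -> 2
        tok = re.sub(r"^(\d+)(ST|ND|RD|TH)$", r"\1", tok)     # 42ND -> 42
        out.append(SUFFIXES.get(tok, tok))
        i += 1
    return " ".join(out)


def likely_same_patient(a: dict, b: dict) -> bool:
    """Address agreement counts only alongside name and birth date, because a
    new resident at an old address is a different person."""
    return (normalize_address(a["address"]) == normalize_address(b["address"])
            and a["name"].casefold() == b["name"].casefold()
            and a["dob"] == b["dob"])


# Constructed sample records (not real patient data).
CHART_A = {"name": "Pat Example", "dob": "1970-01-01", "address": "1234 42nd Street"}
CHART_B = {"name": "Pat Example", "dob": "1970-01-01", "address": "1234 Forty-Second Street"}
NEW_RESIDENT = {"name": "Lee Sample", "dob": "1988-05-05", "address": "1234 42 St."}

if __name__ == "__main__":
    print(CHART_A["address"] == CHART_B["address"])    # raw strings differ
    print(likely_same_patient(CHART_A, CHART_B))       # duplicate chart detected
    print(likely_same_patient(CHART_A, NEW_RESIDENT))  # same address, different person
```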
The Department of Health and Human Services' Office of the National Coordinator for Health IT on Wednesday released the Project US@ Draft Technical Specification Version 1.0 for review. It will accept comments through July 31 in anticipation of releasing a final version later this year.
ONC developed the 64-page technical specification document in collaboration with standards development organizations, including Health Level 7, and healthcare industry experts to create a "unified, cross-standards, healthcare industrywide specification for representing patient addresses to improve patient matching," ONC says in a statement.
The technical specification document aims to create a uniform approach to handling addresses to help improve patient record matching, interoperability and exchange.
Address Format, Content Detailed
The document describes in detail standardized patient address formats and content. Format describes how the various patient address elements appear in a patient record, while content describes the characters that constitute the various address elements.
"Our objective in compiling a unified standard for patient address is twofold - to facilitate adoption and alignment through an industrywide approach to representing patient addresses that is consistent across a spectrum of clinical and administrative transactions and to enhance performance of patient matching algorithms through improved address quality," the document states.
National Unique Patient ID Ban
ONC's work involving standardizing patient addresses comes in lieu of more dramatic moves that some industry groups have been calling for - most notably, creation of a national patient ID.
Congress for more than 20 years has banned funding for HHS to develop or adopt a unique national patient identifier.
HIPAA, which was enacted in 1996, required the creation of patient identifiers and other uniform standards for electronic data transmission to improve the reliability of health information.
But in 1999, Congress banned HHS from expending funds to develop a unique patient identifier system, mainly because of privacy concerns.
The House of Representatives has twice voted to lift the ban, but the Senate rejected that action (see: House Again Votes to Lift National Patient ID Ban).
In a statement provided to Information Security Media Group, an ONC spokesperson says: "No part of Project US@ violates [public law] prohibiting HHS from using any of its appropriated funds to promulgate or adopt any final standard providing for, or providing for the assignment of, a unique health identifier for an individual."
Aside from a national patient ID, "patient matching can be improved through the standardization of patient demographic data used for matching and linking patient records, including patient addresses," the ONC spokesperson says.
"Remaining in the current state of limited standards development and lack of adoption, disparate matching efforts and lack of healthcare industry consensus and alignment, and a lack of transparency, governance and oversight is actually placing more patients at risk for misidentification, accidental merges of health records representing different patients, and inaccurately matched records resulting in inappropriate data exposure," the ONC spokesperson adds.
One privacy-focused component proposed in the draft specification is the ability to indicate if a patient chooses to flag an address as "confidential," restricting its use, the ONC spokesperson notes.
"The Project US@ AHIMA Companion Guide, which will be released at the end of 2021, will contain operational guidance and best practices aimed at protecting the privacy and security of patient data, supporting conformance to the Project US@ Technical Specification, and improving patient matching," he says.
New Breach Risks?
Some experts are concerned that the draft technical specification document does not adequately address privacy and security challenges that could arise when standardizing the formatting of patient addresses.
"People move - some quite often," Herold says. "What protections will be in place for not degrading patient data integrity by associating someone new at a physical address with the actual patient who used to live there?" she asks.
Herold also says she's concerned that the draft technical specification lacks security and privacy detail and depth.
The document notes: "Although this specification does not mandate a single technical approach to security and privacy, it can be included in appropriate technical standards to create secure, private systems. If entities handle patient addresses in the service to, or on behalf of, a covered entity, then HIPAA compliance is not optional. Any data element more specific than state, including street address, city, and in many cases ZIP codes and their equivalent geolocation data, is considered protected under HIPAA law."
Herold observes: "We live in a world where new technologies - computing devices and storage devices - are emerging continuously, while being incorporated within the vast health data ecosystem that contains the current storage and processing devices, along with legacy devices, often from many decades ago, that are still being used. I wonder if those writing this realize the complexity of actually meeting HIPAA requirements in general, but also the large number of other regulations, inside and outside of the U.S. - for example, the General Data Protection Regulation - and all the hundreds of state and local laws that also need to be considered. This issue is much larger than simply a consideration of HIPAA."
Consistency Is Crucial
Lucci of tw-Security suggests standardization could help improve patient matching in many ways that go beyond standard addresses.
"Standardize how patients with hyphenated last names are handled. What about patients with names like O’Reilly? If you don’t use the apostrophe, the name comes out differently," she says.
"Consistency is essential. Whatever is done in admitting must be done in billing and so on," she says. "Right now, admitting is the start of the process. Generally, admitting wants to match the information on the health plan identification card so as not to delay processing. So it is important to ensure that all of this is the same with every subsequent admission to minimize creating duplicate charts."