Standards

Access resources for Standards in development and published Standards.

Privacy-Enhancing Health Record Locator Service (PEHRLS) Ecosystem

Developing a new Standard to support a voluntary nationwide patient credential and matching ecosystem

Managing identity and health information interoperability in healthcare is a special problem unlike other identity and identifier topics. To be useful as a mechanism for assembling a longitudinal health record, a system also needs to enable access to the locations where records are available for the individual. The goal of the Privacy-Enhancing Health Record Locator Service (PEHRLS) Ecosystem Consensus Body is to identify existing standards, profile existing standards, and create new standards as needed for a privacy-enhancing record locator along with the interactions of associated actors. The model should support a nationwide patient credential and patient matching ecosystem. Prior art, draft and normative standards for consideration include OpenID Connect (OIDC), OAuth2, Universal Data Access Profiles (UDAP), ASTM/ANSI E1714 “Properties of a Universal Healthcare Identifier”, ASTM/ANSI E2553-07 – “Implementation of a Voluntary Universal Healthcare Identification System”, The Digital Currency Initiative, The Vaccine Credential Initiative (VCI), Verifiable Credentials and Decentralized Identifiers, HL7 SMART on FHIR®, The Direct Standard™ and Notifications via the Direct Standard™ which also references HL7 V2 ADT messages and Integrating the Healthcare Enterprise (IHE) XD Metadata. The new Standard will define electronic interactions between Identity Providers, Electronic Health Record Systems, Health Information Exchanges (HIEs), Health Information Networks (HINs) and a Record Locator Service which contains no demographics, only identifiers assumed to be modeled as in ASTM E1714.

Find more information about the DS2022_05: Privacy-Enhancing Health Record Locator Service (PEHRLS) Ecosystem Consensus Body on this page.

ANSI PINS Abstract

There is broad agreement that the only way to improve patient matching and health record location to a near 100% solution is a universal patient ID (UPI). Yet, the prohibition against government action on such a solution in Section 510 of the Congressional Appropriations bill has remained in place since HIPAA was enacted. There is opposition to a governmentally issued universal patient ID across the political spectrum. High fidelity probabilistic matching of patient records based on demographics alone remains elusive, and some would say it is mathematically impossible. The absence of a UPI in the US 1) limits the ability for interoperability to scale, 2) will inhibit/preclude patient access to their own data with a single credential, 3) degrades privacy by requiring the collection of more patient identifiable data to ensure accurate matching, and 4) prevents current and future exchange paradigms from achieving high fidelity patient matching.

This standard will define a model that could be deployed either voluntarily by the private sector or with the support of government funding or encouragement. The deployment of such a standard could improve efficiency and reduce costs for query-based exchange, direct exchange and patient mediated exchange by reducing infrastructure requirements and computing costs. Most importantly, such a model could enable the long sought-after goal of reliably assembling a longitudinal health record for patients.

DS2022_05: Privacy-Enhancing Health Record Locator Service (PEHRLS) Ecosystem

Access current information about the PEHRLS Ecosystem Consensus Body

FAQs

Learn more about the PEHRLS Ecosystem Consensus Body below through our Frequently Asked Questions.

Forming a Consensus Body allows the formal standards development process to start. The goal of this Consensus Body is to identify existing standards, profile existing standards, and/or create new standards as needed for a privacy-enhancing record locator and for how the various actors in the use case will interact.

This standard will define a model that could be deployed either voluntarily by the private sector or with the support of government funding or encouragement. The deployment of such a standard could improve efficiency and reduce costs for query-based exchange, Direct exchange, and patient mediated exchange by reducing infrastructure requirements and computing costs. Most importantly, such a model could enable the long sought-after goal of reliably assembling a longitudinal health record for patients.

There are many possible benefits and opportunities of what the PEHRLS Ecosystem Consensus Body could accomplish, including:

  • A privacy-enhancing record locator and shared identifier service that can be deployed incrementally at low cost to support, potentially, 100% patient-matching success.
  • Identity assurance provided by Identity Providers (IdPs) that identity-proof, issue credentials, and enable access to the shared identifier service.
  • Patient access to their own records from multiple locations with a single credential and match reliability that will convince reticent data holders of its safety.
  • Rights of access for all parties, enabling assembly of a longitudinal patient record with existing mechanisms for exchange.
  • Improved fidelity of patient matching for all mechanisms of exchange.

First and foremost, a privacy-preserving model provides individuals control over their data and protection of the data from unauthorized use. We seek a model for patient matching where the replication of personally identifiable data is minimized and where centralized systems contain no data of value to identity thieves or other bad actors. Such privacy enhancement requires that the system be resilient and provide mechanisms to repair errors and breaches when these inevitably occur. A system will need to give the patient visibility of where their records are stored and, depending on applicable policies, make them inaccessible if the patient so desires. Capabilities for “private” data should also be supported so that different privacy scenarios can be addressed.

While DirectTrust may in the future create or participate in a collaborative effort to deploy such a record locator system, that is not what this initial work is about. The goal of the Consensus Body is to create a forum for the substantive technical collaboration needed to create standards that could be adopted by industry.

The CARIN Alliance and DirectTrust, along with other trust frameworks, have been collaborating for some time on the notion of trustworthy credentials for use by consumers using digital health apps. Such credentials and the identity assurance required for their issuance are an essential component of a functional ecosystem for consumer identity. The work of this Consensus Body layers on top of existing standards and initiatives including the CARIN Digital Identity pilot. DirectTrust will continue to participate in the pilot as one of the trust frameworks that will certify identity providers that issue trusted credentials for this use case.

Patient ID Now has assembled a group of organizations and individuals that believe a national identifier is important, perhaps even essential for the success of healthcare interoperability. DirectTrust is a signatory to the Patient ID Now pledge and has been active in the effort. The first goal of the Patient ID Now coalition has been to advocate with Congress to remove the ban that prohibits federal spending on the development of a universal patient ID as was originally stipulated in HIPAA. Whether the government funds the effort or not, the industry can move forward to create the necessary standards to support a national identifier. A voluntary patient identifier can be deployed with or without government support or funding. We will continue to support the goal of advocating for the removal of the ban while working in parallel to identify and develop standards that would support such a system.

EMPIs will remain central to the way EHRs and other aggregations of data including HIEs will need to manage duplication in their systems. That said, for records that come in with a shared identifier attached, determining matching records within the system becomes much easier. We do not expect that the adoption of such a standard will change how these systems are managed or the market for such systems.

The system that might arise from the standards work we are embarking on should allow for incremental adoption over years. Once constituents see the value that will result from such a system the pace may accelerate, but small scale or regionally deployed pilots can create immediate value for participants.

DirectTrust and other non-profits may work together to deploy a record locator at some point, but capabilities for records exchange are out of scope of this specification. An alternate outcome, in which QHINs participate in the patient matching ecosystem the standard contemplates as an extension of what they already do, is certainly possible.

No. This effort doesn’t expect to be competitive with anyone, rather, it can be a “tide that raises all boats” helping to enable a solution to the patient matching problem all agree remains beyond our grasp.

Systems that produce C-CDAs or other standards-based healthcare related payloads sent by Direct Secure Messaging would carry these identifiers with them naturally, propagating the identifiers to new locations. Senders could also use the record locator to identify target locations for event notifications without any other subscription mechanism. Reliable patient matching mechanisms could increase the adoption of automated data reconciliation of Direct Secure Messaging payloads, which today are mostly handled manually.

When demographics are involved in the process of patient matching, multiple attributes are compared on records from two sources. First name, last name, date of birth, gender, and address are typically present on records, but all of these except date of birth change over time and/or are hard to standardize for capture. Other elements that also change over time, like email address and cell phone number, are sometimes, but not always, present. Most systems prefer not to use social security numbers since that identifier is of such value for identity theft. Because not everything is always present or entered in the same way, getting high match rates usually requires algorithms that give different weights to different attributes or that allow for “fuzzy” matches to correct for transposition or misspelling errors. Such algorithms usually produce a “score” that represents the likelihood that the records are on the same person. When the score exceeds a threshold it can be used to probabilistically decide whether or not to treat two records as matching, that is, “this is probably the same person”. In deterministic matching, identifiers that are shared between systems are used to make the match. In the presence of such an identifier, probabilistic algorithms no longer apply, as the identifier establishes the match reliably on its own, that is, “this is the same person”.
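As an added illustration (not from the DirectTrust page or the Consensus Body's work), the sketch below contrasts the two modes described above: a weighted fuzzy score over demographics, using a transposition-aware edit distance, skipping attributes missing on either side, and deciding by threshold, versus a deterministic match on a shared identifier. The attribute weights, the threshold, and the sample records are constructed placeholders.

```python
# Added example: probabilistic vs deterministic patient matching. All weights,
# thresholds and records below are constructed for illustration only.

def osa_distance(s: str, t: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'smith' vs 'smiht' costs 1, matching the 'fuzzy' correction in the FAQ."""
    d = [[0] * (len(t) + 1) for _ in range(len(s) + 1)]
    for i in range(len(s) + 1):
        d[i][0] = i
    for j in range(len(t) + 1):
        d[0][j] = j
    for i in range(1, len(s) + 1):
        for j in range(1, len(t) + 1):
            cost = 0 if s[i - 1] == t[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and s[i - 1] == t[j - 2] and s[i - 2] == t[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(s)][len(t)]

def similarity(a: str, b: str) -> float:
    """Normalized similarity in [0, 1] after trimming and case-folding."""
    a, b = a.strip().lower(), b.strip().lower()
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - osa_distance(a, b) / longest

# Illustrative weights: date of birth is stable, so it carries the most weight.
WEIGHTS = {"dob": 0.30, "last": 0.25, "first": 0.15, "address": 0.10,
           "gender": 0.05, "email": 0.10, "phone": 0.05}

def probabilistic_score(rec_a: dict, rec_b: dict) -> float:
    """Weighted fuzzy score; attributes absent on either side are skipped and
    the remaining weights are renormalized so partial records still score."""
    total = score = 0.0
    for attr, weight in WEIGHTS.items():
        va, vb = rec_a.get(attr), rec_b.get(attr)
        if not va or not vb:
            continue
        total += weight
        score += weight * similarity(va, vb)
    return score / total if total else 0.0

def match(rec_a: dict, rec_b: dict, threshold: float = 0.85) -> tuple:
    """Returns (mode, matched, score). A shared identifier settles the
    question deterministically; otherwise fall back to the weighted score."""
    ida, idb = rec_a.get("shared_id"), rec_b.get("shared_id")
    if ida and ida == idb:
        return ("deterministic", True, 1.0)
    score = probabilistic_score(rec_a, rec_b)
    return ("probabilistic", score >= threshold, score)

# Constructed sample records; "PEHRLS-0001" is a placeholder identifier.
REC_A = {"shared_id": "PEHRLS-0001", "first": "Jonathan", "last": "Smith",
         "dob": "1980-04-12", "gender": "M", "address": "12 Oak St",
         "email": "jon@example.org"}
REC_B = {"first": "Jonathon", "last": "Smiht", "dob": "1980-04-12",
         "gender": "M", "address": "12 Oak St.", "phone": "555-0100"}
REC_C = {"first": "Maria", "last": "Garcia", "dob": "1975-11-02",
         "gender": "F", "address": "9 Elm Ave"}
REC_D = {"shared_id": "PEHRLS-0001", "first": "J.", "last": "Smith"}
```

REC_B has a misspelled first name, a transposed last name and a missing email yet still clears the threshold; REC_D has almost no demographics but matches REC_A outright on the shared identifier.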
