Learn more about the PEHRLS Ecosystem Consensus Body below through our Frequently Asked Questions.
Forming a Consensus Body allows the formal standards development process to start. The goal of this Consensus Body is to identify existing standards, profile existing standards, and/or create new standards as needed for a privacy-enhancing record locator and for how the various actors in the use case will interact.
This standard will define a model that could be deployed either voluntarily by the private sector or with the support of government funding or encouragement. The deployment of such a standard could improve efficiency and reduce costs for query-based exchange, Direct exchange, and patient-mediated exchange by reducing infrastructure requirements and computing costs. Most importantly, such a model could enable the long sought-after goal of reliably assembling a longitudinal health record for patients.
There are many possible benefits and opportunities of what the PEHRLS Ecosystem Consensus Body could accomplish, including:
- A privacy-enhancing record locator and shared identifier service that can be deployed incrementally at low cost to support, potentially, 100% patient-matching success.
- Identity assurance provided by Identity Providers (IdPs) that identity-proof, issue credentials, and enable access to the shared identifier service.
- Patient access to their own records from multiple locations with a single credential and match reliability that will convince reticent data holders of its safety.
- Rights of access for all parties, enabling assembly of a longitudinal patient record with existing mechanisms for exchange.
- Improved fidelity of patient matching for all mechanisms of exchange.
First and foremost, a privacy-preserving model provides individuals control over their data and protection of the data from unauthorized use. We seek a model for patient matching where the replication of personally identifiable data is minimized and where centralized systems contain no data of value to identity thieves or other bad actors. Such privacy enhancement requires that the system be resilient and provide mechanisms to repair errors and breaches when these inevitably occur. A system will need to give the patient visibility into where patient records are stored and, depending on applicable policies, let the patient make them inaccessible if the patient so desires. Capabilities for “private” data should also be supported so that different privacy scenarios can be addressed.
Does this initiative mean DirectTrust intends to deploy a system compliant with the resultant specification?
While DirectTrust may in the future create or participate in a collaborative effort to deploy such a record locator system, that is not what this initial work is about. The goal of the Consensus Body is to create a forum for the substantive technical collaboration needed to create standards that could be adopted by industry.
The CARIN Alliance and DirectTrust, along with other trust frameworks, have been collaborating for some time on the notion of trustworthy credentials for use by consumers using digital health apps. Such credentials and the identity assurance required for their issuance are an essential component of a functional ecosystem for consumer identity. The work of this Consensus Body layers on top of existing standards and initiatives including the CARIN Digital Identity pilot. DirectTrust will continue to participate in the pilot as one of the trust frameworks that will certify identity providers that issue trusted credentials for this use case.
Patient ID Now has assembled a group of organizations and individuals that believe a national identifier is important, perhaps even essential, for the success of healthcare interoperability. DirectTrust is a signatory to the Patient ID Now pledge and has been active in the effort. The first goal of the Patient ID Now coalition has been to advocate with Congress to remove the ban that prohibits federal spending on the development of a universal patient ID as was originally stipulated in HIPAA. Whether the government funds the effort or not, the industry can move forward to create the necessary standards to support a national identifier. A voluntary patient identifier can be deployed with or without government support or funding. We will continue to support the goal of advocating for the removal of the ban while working in parallel to identify and develop standards that would support such a system.
EMPIs will remain central to the way EHRs and other aggregations of data including HIEs will need to manage duplication in their systems. That said, for records that come in with a shared identifier attached, determining matching records within the system becomes much easier. We do not expect that the adoption of such a standard will change how these systems are managed or the market for such systems.
The system that might arise from the standards work we are embarking on should allow for incremental adoption over years. Once constituents see the value that will result from such a system the pace may accelerate, but small scale or regionally deployed pilots can create immediate value for participants.
DirectTrust and other non-profits may work together to deploy a record locator at some point, but capabilities for records exchange are out of scope of this specification. An alternate outcome, in which QHINs participate in the patient matching ecosystem the standard contemplates as an extension of what they already do, is certainly possible.
No. This effort doesn’t expect to be competitive with anyone, rather, it can be a “tide that raises all boats” helping to enable a solution to the patient matching problem all agree remains beyond our grasp.
Systems that produce C-CDAs or other standards-based healthcare-related payloads sent by Direct Secure Messaging would carry these identifiers with them naturally, propagating the identifiers to new locations. Senders could also use the record locator to identify locations to target for event notifications without any other subscription mechanism. Reliable patient matching mechanisms could increase the adoption of automated data reconciliation of Direct Secure Messaging payloads, which today are mostly handled manually.
When demographics are involved in the process of patient matching, multiple attributes are compared on records from two sources. First name, last name, date of birth, gender, and address are typically present on records, but all of these except date of birth are dynamic and/or hard to standardize at capture. Other elements that also change over time, like email address and cell phone number, are sometimes but not always present. Most systems prefer not to use Social Security numbers since the identifier is of such value for identity theft. Because not everything is always present or entered in the same way, high match rates usually require algorithms that give different weights to different attributes or that allow for “fuzzy” matches to correct for transposition or misspelling errors. Algorithms usually produce a “score” that represents the likelihood that the records belong to the same person. When the score exceeds a threshold, it can be used to probabilistically determine whether or not to treat two records as matching, that is, “this is probably the same person”. In deterministic matches, identifiers that are shared between systems are used to make the match. In the presence of such an identifier, the probabilistic algorithms in use no longer apply, as the identifier establishes the match reliably on its own, that is, “this is the same person”.
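The two matching modes described above, as an added example that is not part of the original page or of any PEHRLS specification. The field names, weights, threshold, the exact comparison for date of birth, and the `shared_id` key are assumptions chosen for illustration, and the records are constructed.

```python
from difflib import SequenceMatcher

# Illustrative weights and threshold (assumptions, not from any standard).
WEIGHTS = {"first": 0.2, "last": 0.25, "dob": 0.3, "gender": 0.05,
           "address": 0.1, "email": 0.05, "phone": 0.05}
THRESHOLD = 0.85

def similarity(a, b):
    """Fuzzy similarity in [0, 1]; tolerant of transpositions and typos."""
    return SequenceMatcher(None, a.strip().lower(), b.strip().lower()).ratio()

def probabilistic_score(rec_a, rec_b):
    """Weighted average over the attributes present on BOTH records."""
    total = used = 0.0
    for field, weight in WEIGHTS.items():
        a, b = rec_a.get(field), rec_b.get(field)
        if not a or not b:
            continue  # attribute missing on one side: leave it out
        # Assumption: date of birth is compared exactly, the rest fuzzily.
        s = float(a == b) if field == "dob" else similarity(a, b)
        total += weight * s
        used += weight
    return total / used if used else 0.0

def match(rec_a, rec_b):
    """Return (method, is_match, score) for two records."""
    id_a, id_b = rec_a.get("shared_id"), rec_b.get("shared_id")
    if id_a and id_b:
        # Deterministic: the shared identifier decides on its own.
        # Assumption: two different identifiers mean a non-match.
        same = id_a == id_b
        return ("deterministic", same, 1.0 if same else 0.0)
    score = probabilistic_score(rec_a, rec_b)
    return ("probabilistic", score >= THRESHOLD, score)

# Constructed sample records (not real data).
HOSPITAL = {"first": "Jonathan", "last": "Smith", "dob": "1980-04-12",
            "gender": "M", "address": "12 Oak Street", "shared_id": "ID-0001"}
CLINIC_TYPO = {"first": "Jonathna", "last": "Smith", "dob": "1980-04-12",
               "gender": "M", "address": "12 Oak St"}
CLINIC_OTHER = {"first": "Joan", "last": "Smythe", "dob": "1979-11-02",
                "gender": "F", "address": "98 Elm Avenue"}
CLINIC_WITH_ID = {"first": "Jon", "last": "Smith-Jones", "dob": "1980-04-12",
                  "address": "400 Pine Road", "shared_id": "ID-0001"}

if __name__ == "__main__":
    for other in (CLINIC_TYPO, CLINIC_OTHER, CLINIC_WITH_ID):
        print(match(HOSPITAL, other))
```

The last record shares too few demographics with the hospital record to clear the threshold on its own, yet it matches because both records carry the same identifier.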