Identifying Humans
Aug 24, 2012The third requirement for interoperability is good identification policies. And the most common problem in healthcare identification is identifying people. Identifying humans, especially patients, is stupefyingly hard. Even after too many years of healthcare interoperability, I still can’t believe how hard it is. One of the reasons it’s so hard to grasp is because as humans, we are intrinsically good at identifying other humans. But it just doesn’t scale when it comes to successfully identifying humans in distributed systems with more than a few people who must perform the identification.
Many people look to biometrics to solve this problem. The common candidates are finger prints, retinal patterns, some form of phenotyping and most of all, genetic sequences. But all these suffer from problems (and see particularly http://www.schneier.com/essay-019.html). Given the expense and reliability problems associated with biometric markers, most healthcare institutions rely on social identifiers. These typically are a selection taken from the candidates listed in the following table, which briefly discusses the issues associated with them.
| Name | Patient’s change their names regularly. Names are often linked to marriage customs, and the relationship between names and marriage is changing quickly around the world. Names can be mis-spelt, or mis-reported, and people often carry multiple names for use in different circumstances, and/or have names that don’t fit with local cultural expectations. People also use aliases for a variety of reasons. |
|Date of Birth|Some people do not know their date of birth. This is more common in less developed countries, but there are immigrants everywhere. In addition, there are sometimes reasons to lie about dates of birth, and these can create persistent records that create confusion for many years
|Addresses and Telephone numbers|People change these all the time. Some people don’t have them. How people describe their address varies (is it for billing, or their actual living location?). Postal systems occasionally change addresses to suit their own processes
|Gender|Male and Female. Except when neither is perfectly applicable. There are all sorts of laws and customs about gender change and confusion that vary highly from country to country. Mostly gender doesn’t change – it’s highly reliable, but not a very good differentiator between individuals, since the vast majority of people have one of only 2 values
|Externally supplied identifiers|The classic examples are driver’s licenses and passport numbers. But these are very unreliable – they are re-issued for all sorts of reasons that are only of interest to the issuing authority. And the issuing authority is also subject to all the same identification problems as well, and also often the target of fraud
|Mother’s maiden name|This is no longer a guaranteed to be available concept due to changes in naming practices. More generally, it’s used as a shared secret, and shared secrets have no part in identifying a person (won’t be secret once you share it, which is what identification is for)
Given the expense and difficulty of these lists, the notion of some state/national identifier becomes attractive – it makes meeting the expense of doing it properly more viable. The registration authority quality is still variable, but it’s generally better than doing it locally (it’s mainly an economy of scale thing). The biggest problem with this approach is that people lose their details all the time. Until institutions or governments are able to mark people directly with a master identifier, say with a tattoo, this will be continue to be a problem (and given the historical association of identifying tattoo’s - I’ve seen one myself, from Bergen-Belsen, on a tough old Czech who had been in the resistance and was betrayed to the SS shortly after the assassination of Heydrich - it seems exceedingly unlikely that this will be acceptable in any culture at all in the foreseeable future). In addition, the registration authority rapidly becomes the target of fraud for a variety of reasons, mostly to do with how healthcare is funded, or to facilitate fraudulent access to higher quantities of prescription-only drugs. These problems can be resolved, and a successful national registry set up – it has happened in a few countries. However it appears to me that the prospects for success have more to do with national cultural factors than administration policy.
Healthcare is occasionally provided to people whose identity is completely unknown. They present unconscious, and care is hardly going to wait until they are conscious. In English speaking countries it is customary to refer to such patients as “John Doe” or “Jane Doe”. Usually their identity is resolved unless they die. (In one case at a hospital I worked at, a John Doe spent 3 weeks in ICU after an automotive accident. Even when he was conscious, he refused to provide any identifying details. Eventually he passed away, and his body was collected somewhat sheepishly by the staff from an embassy of an “unfriendly” country – still with no identification details provided)
New born babies also often do not have a name, though they are not unidentified (though identifying them is a challenge). Also there is a variety of contexts in which patients are not prepared to be identified. Sexual health clinics are a common case in the developed world, and Red Cross and other similar relief agencies often work with patients who refuse to be identified for a number of valid reasons.
All these problems are well recognized and appreciated in Healthcare Administration and Healthcare informatics texts books etc, but I cover them here because they have potential to cause difficulties in interoperability. It’s easy, when doing interoperability, to get trapped between two slightly different policies. On their own, they might each work about as well as the other – but when you try to hook up different business processes, the clash between them creates problems that are difficult to resolve.
Patient Merging
This is particularly true when it comes to patient merging. Patient Sarah Smailes attends the emergency department at Acme Hospital with an acute attack of abdominal pain. She is admitted to the hospital for a Cholecystectomy. The emergency department clerical assistant who enters her details gets her name right, but mishears her birthday as 30-Mar 1973, not 13-Mar 1973, because of a screaming match between other patients in the background. Later that year, Sarah finds herself back at the hospital with a severe flu attack (H1N1?). The clerical assistant didn’t quite catch Sarah’s surname, and Sarah can’t be bothered telling the him about the previous admission – she’s too sick, and clerical assistant can’t find a Sarah Sm*** with a birth date of 13-Mar 1973, so he just creates a new patient entry. Now Sarah has two patient records. Later, in the ward, another clerical assistant over hears Sarah complaining about her treatment during the previous stay, and goes looking. He finds that the system has two records for her.
There are several options for what happens now. One is to simply leave things as they are, with two different records. But this raises the prospect of a mistreatment due to missing information from her record, so hospital records staff are very reluctant to do this. Another is to create a “link” between the two records – an entry in the system claiming that they are the same patient. But this leaves another problem – which record should be used going forward? What happens when Sarah comes back next time? A third option is to instruct the system to merge those two records. This means that you pick one of the two records, and move all the information about it into the other record. The patient identifier associated with the first record is deprecated. All the hospital systems that have information about Sarah must follow suit, or their (potentially life-saving) information will in effect be lost.
Let’s try another scenario. Sue, a Health Information manager finds that there is a record for Sarah Ann Smailes, born 30-Mar 1973, and a record from 6 months later for Sarah Ann Petersen, born 13-Mar 1973. Both records have the same address. Are these the same person? Sue decides that this is the same person, and merges the records.
Is Sue right? Is this the same woman, now married, with a common typo in the birth date? Or is it a different person who happened to have similar details? It can be tremendously hard to tell, even upon investigation. Let’s say that in this case, Sue was wrong: they are different people, but now the records have been merged. The laboratory notices that this is in error (they have two blood groups that are incompatible, so they dig deeper and prove it’s wrong). Now what?
If the records were only linked, then the link can be broken. But if the records have been merged, and further details added to the record (which happens every few minutes in a busy hospital), now what? How do you unwind this? So merges are much more dangerous than links – except that this is misleading: if the records are linked, so that it is asserted that the two records are the same patient, how do we know that things have been done on the right record?
All we know for sure is that mistaken links or merges are trouble. Yet they happen all the time. My own experience is that in Australia, it’s extraordinarily hard to get the number of merges needed down below 1% of the admission rate, and about 2-3% of the merges will be in error for one reason or another. It seems remarkably hard to get down below these numbers.
So that’s the theory. Now imagine an interconnected system or systems, with the PAS at the hub, but many of the systems exchanging data with each other directly, not mediated by the hub, and with a variety of policies for following patient merges (or initiating their own), and the sibling problem, episodes assigned to the wrong patient. When you consider this picture, all you can say for sure is that no one who does healthcare interoperability is going to be out of work any time soon.