Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

Abel N. Kho; John P. Cashy; Kathryn L. Jackson; Adam R. Pah; Satyender Goel; Jörn Boehnke; John Eric Humphries; Scott Duke Kominers; Bala N. Hota; Shannon A. Sims; Bradley A. Malin; Dustin D. French; Theresa L. Walunas; David O. Meltzer; Erin O. Kaleba; Roderick C. Jones; William L. Galanter

doi:10.1093/jamia/ocv038

Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

Abel N. Kho^*, John P. Cashy, Kathryn L. Jackson, Adam R. Pah, Satyender Goel, Jörn Boehnke, John Eric Humphries, Scott Duke Kominers, Bala N. Hota, Shannon A. Sims, Bradley A. Malin, Dustin D. French, Theresa L. Walunas, David O. Meltzer, Erin O. Kaleba, Roderick C. Jones, William L. Galanter

^*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

92 Scopus citations

Abstract

Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems.

Original language	English (US)
Pages (from-to)	1072-1080
Number of pages	9
Journal	Journal of the American Medical Informatics Association
Volume	22
Issue number	5
DOIs	https://doi.org/10.1093/jamia/ocv038
State	Published - Sep 2015

Funding

The authors would like to acknowledge the exceptional work of Ariadna Garcia, Pravin Babu, Shazia Sathar, and Ulas Keles in drafting an initial version of the hashing and matching software. Kominers gratefully acknowledges the support of the Harvard Milton Fund.

Keywords

Health information exchange
Privacy protection
Record linkage

ASJC Scopus subject areas

Health Informatics

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1093/jamia/ocv038

Cite this

Kho, A. N., Cashy, J. P., Jackson, K. L., Pah, A. R., Goel, S., Boehnke, J., Humphries, J. E., Kominers, S. D., Hota, B. N., Sims, S. A., Malin, B. A., French, D. D., Walunas, T. L., Meltzer, D. O., Kaleba, E. O., Jones, R. C., & Galanter, W. L. (2015). Design and implementation of a privacy preserving electronic health record linkage tool in Chicago. Journal of the American Medical Informatics Association, 22(5), 1072-1080. https://doi.org/10.1093/jamia/ocv038

@article{827d5c7329d8421e8c3e6cd5b4e16174,

title = "Design and implementation of a privacy preserving electronic health record linkage tool in Chicago",

abstract = "Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems.",

keywords = "Health information exchange, Privacy protection, Record linkage",

author = "Kho, {Abel N.} and Cashy, {John P.} and Jackson, {Kathryn L.} and Pah, {Adam R.} and Satyender Goel and J{\"o}rn Boehnke and Humphries, {John Eric} and Kominers, {Scott Duke} and Hota, {Bala N.} and Sims, {Shannon A.} and Malin, {Bradley A.} and French, {Dustin D.} and Walunas, {Theresa L.} and Meltzer, {David O.} and Kaleba, {Erin O.} and Jones, {Roderick C.} and Galanter, {William L.}",

note = "Publisher Copyright: {\textcopyright} The Author 2015.",

year = "2015",

month = sep,

doi = "10.1093/jamia/ocv038",

language = "English (US)",

volume = "22",

pages = "1072--1080",

journal = "Journal of the American Medical Informatics Association",

issn = "1067-5027",

publisher = "Oxford University Press",

number = "5",

}

Kho, AN, Cashy, JP, Jackson, KL, Pah, AR, Goel, S, Boehnke, J, Humphries, JE, Kominers, SD, Hota, BN, Sims, SA, Malin, BA, French, DD , Walunas, TL, Meltzer, DO, Kaleba, EO, Jones, RC & Galanter, WL 2015, 'Design and implementation of a privacy preserving electronic health record linkage tool in Chicago', Journal of the American Medical Informatics Association, vol. 22, no. 5, pp. 1072-1080. https://doi.org/10.1093/jamia/ocv038

TY - JOUR

T1 - Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

AU - Kho, Abel N.

AU - Cashy, John P.

AU - Jackson, Kathryn L.

AU - Pah, Adam R.

AU - Goel, Satyender

AU - Boehnke, Jörn

AU - Humphries, John Eric

AU - Kominers, Scott Duke

AU - Hota, Bala N.

AU - Sims, Shannon A.

AU - Malin, Bradley A.

AU - French, Dustin D.

AU - Walunas, Theresa L.

AU - Meltzer, David O.

AU - Kaleba, Erin O.

AU - Jones, Roderick C.

AU - Galanter, William L.

PY - 2015/9

Y1 - 2015/9

N2 - Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems.

AB - Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research. Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches. Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%. Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems.

KW - Health information exchange

KW - Privacy protection

KW - Record linkage

UR - http://www.scopus.com/inward/record.url?scp=84953342589&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84953342589&partnerID=8YFLogxK

U2 - 10.1093/jamia/ocv038

DO - 10.1093/jamia/ocv038

M3 - Article

C2 - 26104741

AN - SCOPUS:84953342589

SN - 1067-5027

VL - 22

SP - 1072

EP - 1080

JO - Journal of the American Medical Informatics Association

JF - Journal of the American Medical Informatics Association

IS - 5

ER -

Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

Abstract

Funding

Keywords

ASJC Scopus subject areas

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this