October 17, 2022
The CareEvolution Blinded Master Patient Index facilitates patient matching for national-scale, leading health plans and provider networks. Using the BMPI API, you can easily integrate world-class patient matching into your solution, enabling privacy-preserving patient matching across a spectrum of data sources and use cases.
To ensure the accuracy of this blindfolded, two-stage approach, […] Lakeland RHIO, a SCHIEx end user, conducted an audit of 100,000 records generated in this approach and found no problems. 
Identity management, or patient record linkage, is an important and necessary step in enabling the exchange of clinical information between the healthcare information systems of disparate hospitals, payers, and clinics. This linkage must meet functional criteria for sensitivity and specificity, and must be implemented in a secure and privacy-preserving manner. To meet this need, CareEvolution has developed a Blinded Master Patient Index (BMPI) within its Interoperability Platform.
Built on top of industry-leading record linking techniques, CareEvolution’s BMPI provides a set of advanced features that improve security and link specificity. It has been designed from the ground up to meet the needs of payers, providers, and academic research institutions at regional or nationwide scale and addresses the unique functional, security, and privacy issues encountered at this scale.
The majority of healthcare data interoperability implementations utilize an MPI backed by a centralized store of accessible demographic information. This solution results in a significant security risk for any organization, however. Data aggregation required for this centralized store of information accentuates three critical risk factors that increase the potential that sensitive information will be improperly disclosed:
Given these security risks, securing centralized demographic stores should be a high priority for any company employing a health interoperability implementation.
The CareEvolution BMPI provides a robust solution for securing the demographic information that is essential for record linkage. The platform achieves a secure, performant solution to record linkage in the distributed system by using a blinded directory for centralized demographic data. A set of techniques is implemented to cryptographically hash the aggregated data (i.e., transform it one-way) to ensure that patient demographic data stored in the centralized index is unrecoverable.
The CareEvolution BMPI uses only FIPS-compliant hash functions (HMAC/SHA256) with a unique client-specific key to ensure privacy and guard against brute-force or dictionary attacks.
There are two direct results of hashing the centralized index:
In addition to the critical security component, there are several other important requirements that a production MPI implementation, like CareEvolution’s BMPI, demands:
In the three years of production use, no false positive errors have been reported. 
Some of the basic components in the design of the CareEvolution record linking system include data standardization, and deterministic and probabilistic linking strategies.
Demographic information is “cleansed” so that comparing this information will yield meaningful results. Casing, white space, special characters, nicknames, and fake or invalid values must be handled uniformly for each submitted record.
After the record has been standardized and transformed, record pairs are compared to determine their similarity. A range of established techniques assists in this effort. The two primary categories are deterministic linking and probabilistic linking.
The CareEvolution record linking uses multiple linking strategies that all help determine a record pair’s final link status.
CareEvolution’s BMPI record linking system builds on the solid foundation of mainstream record linking systems with advanced features, including privacy-preserving record linkage, blindfolded approximate matching, and support for advanced human review.
In traditional MPI models, plaintext demographic information is centrally located to facilitate record linking. To preserve privacy, CareEvolution implements a blindfolded record linking system that cryptographically hashes record identifiers, obfuscating the information in such a way that comparisons can still be made but the original clear-text is irrecoverable. This provides the best of both worlds: data can be freely shared for the purpose of record linking, but that same data cannot be read due to the nature of this one-way hash.
Because the hashes of similar identifiers bear no correlation with each other, the unencrypted identifiers must be preprocessed to allow for approximate matches between identifier hashes. Standardized demographic information is transformed before blinding to allow for approximate string matching. Approximate matching in this scheme is accomplished using a technique called bigramming. Bigramming breaks up the source string into many derived strings. Each derived string is given a similarity score that indicates how similar it is to the source. Two strings that have been bigrammed can then be compared by determining if they share a derived string. If so, the two derived similarity scores can be used to compute an overall “dice score.” Using a bigramming technique to generate derived strings and then hashing these strings enables approximate, blinded identifier matching.
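The bigramming scheme described above, as an added example that is not CareEvolution's code: it follows the bigram sub-list method of Churches and Christen (2004), blinds each derived string with HMAC/SHA256, and stores the bigram counts as the similarity information. The demo key, the 70% cut-off and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re
from itertools import combinations

DEMO_KEY = b"constructed-demo-key"  # constructed; stands in for the client-specific key


def standardize(value: str) -> str:
    """Uniform casing; strip white space and special characters."""
    return re.sub(r"[^a-z]", "", value.lower())


def bigrams(value: str) -> list[str]:
    """Sorted, de-duplicated character pairs of the standardized value."""
    s = standardize(value)
    return sorted({s[i:i + 2] for i in range(len(s) - 1)})


def blind(value: str, key: bytes, min_percent: int = 70) -> dict[str, tuple[int, int]]:
    """Return {HMAC-SHA256(derived string): (bigrams kept, bigrams in source)}.

    Derived strings are the sub-lists of the bigram list that keep at least
    min_percent of its bigrams (assumed cut-off; it bounds the index size).
    """
    grams = bigrams(value)
    total = len(grams)
    smallest = max(1, (total * min_percent + 99) // 100)  # integer ceiling
    index = {}
    for size in range(smallest, total + 1):
        for subset in combinations(grams, size):
            tag = hmac.new(key, "|".join(subset).encode(), hashlib.sha256)
            index[tag.hexdigest()] = (size, total)
    return index


def dice_score(a: dict, b: dict) -> float:
    """Best Dice coefficient over shared blinded tags; 0.0 when none is shared."""
    best = 0.0
    for tag in a.keys() & b.keys():
        kept, total_a = a[tag]
        total_b = b[tag][1]
        best = max(best, 2 * kept / (total_a + total_b))
    return best


if __name__ == "__main__":
    left = blind("Jonathan", DEMO_KEY)
    right = blind(" JONATHON ", DEMO_KEY)
    print(round(dice_score(left, right), 3))
```

The central index only ever sees the hex tags and the two counts; records blinded under different keys share no tags, so they cannot be compared with each other.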
Automated record linking requires a tradeoff between sensitivity and specificity. Even with advanced record linking techniques, the ultra-high specificity required by the platform means that some actual links will be left in a possible state. Therefore, CareEvolution has implemented functionality that allows administrators to weigh in, upgrading possible links to definite, and thus allowing the flow of clinical data between records. This rich interaction between the BMPI and system users enables the CareEvolution Interoperability Platform to achieve high specificity without sacrificing sensitivity.
The need for very high specificity as well as appropriately high sensitivity in patient record linkage is a challenge in the health care community today, especially considering the privacy risk posed by centralized demographic information in data interoperability solutions. By leveraging state-of-the-art record linking techniques, the CareEvolution Blinded Master Patient Index is able to address these issues. It provides secure linking with a near-zero false positive rate, while allowing human review to help find all possible links.
Gullo, K. (2013, April 4). Google Fights U.S. National Security Probe Data Demand. Bloomberg News. Retrieved September 20, 2022, from https://www.bloomberg.com/news/articles/2013-04-04/google-fights-u-s-national-security-probe-data-demand
Churches, T., Christen, P. Some methods for blindfolded record linkage. BMC Med Inform Decis Mak. 4, 9 (2004). https://doi.org/10.1186/1472-6947-4-9
Lee, Lorraine; Whitcomb, Kathleen; Galbreth, Michael; Patterson, David. “A Strong State Role in HIE: Lessons from the South Carolina Health Information Exchange.” Journal of AHIMA 81, no.6 (June 2010): 46-50