• January 2009 FEATURE ARTICLES •
Authentication/Biometrics: Case History
Identity in the Palm of Your Hand
When a single biometric authentication device can ensure patient safety,
prevent fraud and improve billing, it’s worth considering.
By Michael McBride, Editor-in-Chief
Driven by legislation and government policy
makers, patient safety has motivated healthcare organizations
large and small around the nation since the mid-1990s. From
preventing medication and surgical errors to combating hospital
acquired infections, much healthcare information technology
(HIT) has been designed and dedicated to this effort. However, a
recent survey of senior IT executives given at the 2008 HIMSS
Conference and Exhibit indicates that access to patient records
and compliance with HIPAA regulations has joined patient safety
at the top of their lists.
Possibly motivated by several high-profile
security breaches, IT executives now consider protecting patient
privacy and securing access to private patient data as important
as protecting patients’ health. For in a world where identity
theft and insurance fraud are daily occurrences, hospitals find
themselves both responsible and exposed.
Fortunately, there’s no need for hospitals to
"switch gears" from protecting patient safety to securing
patient data. Technology exists that provides both, is easily
installed and is affordable.
New Ground
One healthcare pioneer that’s adopted such a
system is ValleyCare Health System in Pleasanton, Calif., a
northern Calif.-based not-for-profit health system with 212 beds
on two campuses that’s been providing family care to the
tri-valley and surrounding areas since 1961. Led by CEO Marcy
Feit, who began her career at
ValleyCare more than 30 years ago as a Nurse’s Aid, the intrepid
staff of 300 dedicate themselves each day to advancing patient
care. Feit considers ValleyCare to be a medium-sized hospital in
competition with healthcare giants Kaiser Permanente and Sutter
Health, among others, but acknowledges that the organization’s
efficient use of resources enables her to adopt technologies
quickly, which she feels gives ValleyCare an advantage.
Improper patient identification can have tragic consequences. Conversely,
a dependable patient identification method has the reverse effect — patients are safer, and fraud and identity theft are averted.
"When you’re a stand alone, your ability to
make decisions and to respond quickly is better than in
mega-organizations," she says. "Usually, they want to do things
globally — for all hospitals simultaneously — so there’s a lot
more that goes into it."
Like most healthcare organizations in America
today, Feit’s top priorities for ValleyCare include ensuring
patient safety and preventing identity theft and fraud; however,
unlike many CEOs who primarily focus on growing the business
side of their organizations, Feit’s experience in nursing roots
her strongly on the patient safety side.
"We’ve spent a great deal of time making sure
that we’re treating the right patient," she says. "We want to
confirm that we’re treating John R. Jones and not
J. Ruben Jones, because if one is a diabetic and the other
isn’t, and we’re treating one of them in the ED, and we’ve
pulled the wrong medical record, we could be providing
inappropriate treatment."
One way this happens involves duplicate
medical records, which are created when patients give alternate
variations of their names during registration. A patient might
give John R. Jones on one visit and J. Richard Jones on another,
and J. R. Jones on another. Without a method for preventing
this, duplicate records can be created that hinder caregivers
and threaten the patient’s safety.
"People don’t realize that those kinds of
inconsistencies can be very dangerous," says Feit. "I think in
the future, identification will become critical for conducting
business in healthcare."
Authentication
Improper patient identification can have
tragic consequences. Conversely, a dependable patient
identification method has the reverse effect — patients are
safer, and fraud and identity theft are averted. To ensure these
outcomes, ValleyCare installed Fujitsu’s PalmSecure palm-vein
scanners at all ingress and egress points, and implemented a
patient registration and security system that they call Patient
Access Lifetime Match, or PALM, for short.
The noninvasive, contactless biometric
technology authenticates patients during registration using
near-infrared light to illuminate the veins in the patient’s
palm and record an image of the "print." This identification
method is considered highly accurate, since each person’s vein
pattern is unique. Even between identical twins, enough
variation exists to create a unique identifier that’s stored and
associated with the patient’s medical records. This identifier
fulfills one of the two forms of authentication that are
required under HIPAA regulations when hospitals register
patients.
Originally developed to authentic bank
customers at ATMs in Japan, the diminutive healthcare version
connects to the registration workstation computer, which also
connects it to the hospital’s network and the organization’s
master patient index (MPI) database. During registration, staff
offers patients the opportunity to have their palms scanned and
added to their electronic medical record. Once added, even
unconscious patients can be instantly identified and treated,
making palm scanning not only a beneficial tool during
registration but in the ED as well.
"Many patients arrive in a delirium, so
they’re not reliable sources for giving us their
identification," says Feit. "It takes time to find a family
member or a neighbor to tell us who we’re treating, and many
times the ambulance drivers aren’t successful in bringing
identification. The patient is in such extreme condition the
drivers are anxious to get the patient to us and can’t spend the
time searching the house for an ID."
Implementation
ValleyCare differs in another way from many
larger healthcare organizations — the hospital outsources nearly
all of its IT needs, including staff, to a 3rd-party
organization. In this case that’s Siemens, which keeps IT
personnel on site who report to Ken Jensen,
ValleyCare’s CFO, who manages all IT contracts.
ValleyCare leases its hospital information system (HIS) from
Siemens, which maintains the network technology off site.
According to Jensen, the symbiotic relationship serves
ValleyCare well and contributed to the successful integration of
the palm-scanning technology into
ValleyCare’s HIS.
"We found the
Fujitsu product at one of our trade shows," says Jensen. "One of
the reasons we wanted a more unique identifier was to make sure
that we minimized duplicate medical records, but we also wanted
to rely on Registration to properly identify the patient and get
all the financial information so we could bill. Patient
throughput is also important to us. The faster we get them out
of the waiting room, the faster we get them into the hospital
and can treat them."
Rogel Reyes, director, Patient Access for
ValleyCare worked directly with Tampa, Fla.-based HT Systems to
integrate the technology company’s PatientSecure system and
Fujitsu’s PalmSecure scanning technology with ValleyCare’s
existing Siemens HIS to create the PALM authentication and
registration system, which went live on Sept. 30 after a 90-day
rollout.
"Palm vein biometric authentication is 100
times more accurate than a fingerprint," says Reyes. "All of the
registration areas where patients get checked in for any type of
service — whether it’s the lab, diagnostic imaging, emergency
department or inpatient services — all of our patient intake
rooms have the scanner. Since we went live, registration is
faster because patients returning for repeat services aren’t
asked to provide their ID or insurance cards each time. They
just place their palms on the scanners and within seconds the
system displays their medical records."
ValleyCare also implemented an infection
control policy that requires the operator to wipe down the palm
scanner each time it’s used with hospital approved antibiotic
wipes to ensure that it’s free of biological contaminants at all
times.
An Industry Pioneer
ValleyCare is the first hospital system in
the western U.S. to implement such a system, motivated in part
by a strong focus on patient safety and identity protection, but
also in part by the Federal Trade Commission (FTC). Beginning on
Nov. 1, 2008, the FTC’s Identity Theft Red Flag regulations went
into effect, which requires healthcare providers to establish
programs that secure patient medical records and block identity
theft, as part of the Fair and Accurate Credit Transactions Act.
In today’s technological world, it’s only natural for technology
to play a role in fulfilling that mandate; however, there have
been challenges.
"The population that’s a little more hesitant
to enroll in our PALM technology is the elderly patients," says
Reyes. ValleyCare does not require patients to enroll, it’s
simply offered as an alternative to traditional identification.
Patients are free to opt out and many do.
"Our younger patients seem to be more
accepting, while our older patients tend to ask more questions
about what it is," says Jensen. Skeptical older patients are a
healthcare industry reality; and though each year demand for
technology increases among providers (to the point where without
a strong technology base, hospitals can find it difficult to
attract new physicians), among patients, acceptance of
technology is not an imperative. And, since Boomers are the
fastest growing patient population, it’s questionable whether
adopting technology will be a benefit or a detriment to
hospitals going forward. Nevertheless, mandates are mandates and
ValleyCare, like many provider organizations, sees technology as
a necessary link to a brighter healthcare future.
Financial Incentives
From a business perspective, switching from
printed registration cards to palm scanning might not present a
cost benefit; however, it’s much more accurate in identifying
patients and can prevent fraud. In 2007,
ValleyCare found itself in court after a mismatched blood type
alerted an insurance organization that something was amiss
concerning a $100,000 surgery bill for which the health plan had
already remitted the hospital for the claim.
"We got paid and then the insurance company
took the money back," says Jensen. Unbeknownst to
ValleyCare, a sibling of the registered patient had switched
registration cards and undergone the surgery incognito. The
health plan investigated the incident and brought criminal
charges against the fraud’s perpetrators. "We eventually got
paid, but it cost us time and money from a legal standpoint," he
says. Had the changeling’s palm been scanned during the initial
registration process and compared against a previously scanned
palm, the authentication would have failed to match the on-file
records and the jig would’ve been up prior to surgery. At that
point, the questions would begin.
"This technology is a way of specifically
identifying patients," says Jensen. "And, long term, it has
applications beyond just registration, in terms of errors."
Going Forward
ValleyCare is considering using the
palm-scanning system to authentic physicians as they move from
floor to floor, and patient to patient. Currently, physicians
log into the hospital’s HIS and type in their identification
codes to gain access to patient medical records during their
rounds. As with most manual authentication systems, the process
is time-consuming and invites error. With palm-scanning,
physicians would simply scan their palms upon entering or
exiting a floor or a hospital wing, which would increase
accuracy and lower costs enterprisewide. The time/cost savings
also benefits patients.
Possibly motivated by several high-profile security breaches, IT executives now consider protecting patient privacy and securing access to private patient data as important as protecting patients’ health.
"If patients enroll in the PALM program at
the physician’s office level, when they’re referred for hospital
services we don’t have to ask them those questions again," says
Reyes. "We just physically scan their palms and from there we
can positively identify them."
Devices such as these play an important role
in healthcare, where misidentification can result in fraud, or
worse, death. Progressive healthcare organizations like
ValleyCare improve the industry overall by adopting new
technologies and then sharing experiences that corroborate
reports and motivate decision making.
"If you ask each of my executive team,
they’ll see the value from their perspectives," says Feit. "My
CFO sees that accurately identifying patients prevents fraud and
makes sure the proper information is collected for billing. For
me, having this device means improved patient safety. We need to
know if a patient is diabetic or on medication or has had a
stroke. Then, we can be sure we’re giving the right treatment."
