Design and implementation of a privacy preserving electronic health record linkage tool in Chicago

From Clinfowiki
Jump to: navigation, search

First Review

This is a review for Abel N Kho et. al's Design and implementation of a privacy preserving electronic health record linkage tool in Chicago. [1]


“Objective To design and implement a tool that creates a secure, privacy preserving linkage of electronic health record (EHR) data across multiple sites in a large metropolitan area in the United States (Chicago, IL), for use in clinical research.

Methods The authors developed and distributed a software application that performs standardized data cleaning, preprocessing, and hashing of patient identifiers to remove all protected health information. The application creates seeded hash code combinations of patient identifiers using a Health Insurance Portability and Accountability Act , (HIPAA) compliant SHA-512 algorithm that minimizes re-identification risk. The authors subsequently linked individual records using a central honest broker with an algorithm that assigns weights to hash combinations in order to generate high specificity matches.

Results The software application successfully linked and de-duplicated 7 million records across 6 institutions, resulting in a cohort of 5 million unique records. Using a manually reconciled set of 11 292 patients as a gold standard, the software achieved a sensitivity of 96% and a specificity of 100%, with a majority of the missed matches accounted for by patients with both a missing social security number and last name change. Using 3 disease examples, it is demonstrated that the software can reduce duplication of patient records across sites by as much as 28%.

Conclusions Software that standardizes the assignment of a unique seeded hash identifier merged through an agreed upon third-party honest broker can enable large-scale secure linkage of EHR data for epidemiologic and public health research. The software algorithm can improve future epidemiologic research by providing more comprehensive data given that patients may make use of multiple healthcare systems.” (p. 1072,[1]).


The authors created a matching application to link medical records from 4 large medical centers, 1 large county healthcare system and 1 network of community health centers with multiple outpatient care sites. The algorithm uses rules to match patient identifiers such as first name, last name, and date of birth to create matches among records.


The application was able to de-duplicate 7 million records that were provided by the participating institutions and turned it into 5.3 million records. The sensitivity of the matching algorithm was 0.9569 and the specificity was 0.9999. Errors made by the algorithm can be attributed to patients who did not have a social security number and patients who changed their last name.


It is possible for a matching application to link medical records through the use of patient identifiers.


This article is an example of how health records can be matched by using a combination of patient identifiers. The national patient identifier could be a combination of things considering that SSNs are not guaranteed to be identical and are reused over time.

Second Review

Add next review here.


  1. 1.0 1.1 Kho, A. N., Cashy, J. P., Jackson, K. L., Pah, A. R., Goel, S., Boehnke, J., … Galanter, W. L. (2015). Design and implementation of a privacy preserving electronic health record linkage tool in Chicago. Journal of the American Medical Informatics Association, 22(5), 1072–1080. (Links to an external site.)