Cover: Patient Privacy, Consent, and Identity Management in Health Information Exchange

Patient Privacy, Consent, and Identity Management in Health Information Exchange

Issues for the Military Health System

Published May 22, 2013

by Susan D. Hosek, Susan G. Straus


Download eBook for Free

Full Document

FormatFile SizeNotes
PDF file 0.5 MB Best for desktop computers.

Use Adobe Acrobat Reader version 10 or higher for the best experience.

ePub file 1.8 MB Best for mobile devices.

On desktop computers and some mobile devices, you may need to download an eBook reader to view ePub files. Calibre is an example of a free and open source e-book library management application.

mobi file 0.6 MB Best for Kindle 1-3.

On desktop computers and some mobile devices, you may need to download an eBook reader to view mobi files. Amazon Kindle is the most popular reader for mobi files.

Summary Only

FormatFile SizeNotes
PDF file 0.1 MB

Use Adobe Acrobat Reader version 10 or higher for the best experience.


Purchase Print Copy

 Format Price
Add to Cart Paperback102 pages $19.95

Research Question

  1. What are the key research and policy issues involving patient privacy, patient consent, and patient identity management as relevant to health information exchange in the Department of Defense?

The Military Health System (MHS) and the Veterans Health Administration (VHA) have been among the nation's leaders in health information technology (IT), including the development of health IT systems and electronic health records that summarize patients' care from multiple providers. Health IT interoperability within MHS and across MHS partners, including VHA, is one of ten goals in the current MHS Strategic Plan. As a step toward achieving improved interoperability, the MHS is seeking to develop a research roadmap to better coordinate health IT research efforts, address IT capability gaps, and reduce programmatic risk for its enterprise projects. This report contributes to that effort by identifying gaps in research, policy, and practice involving patient privacy, consent, and identity management that need to be addressed to bring about improved quality and efficiency of care through health information exchange. Major challenges include (1) designing a meaningful patient consent procedure, (2) recording patients' consent preferences and designing procedures to implement restrictions on disclosures of protected health information, and (3) advancing knowledge regarding the best technical approaches to performing patient identity matches and how best to monitor results over time. Using a sociotechnical framework, this report suggests steps for overcoming these challenges and topics for future research.

Key Findings

Research is needed to determine how to best implement established principles for ensuring the protection of patient privacy and rights over personal information while realizing the benefits of health information exchange (HIE).

  • A large majority of Americans support health information exchange to improve health care.
  • Many individuals feel they "own" their health records and should be asked for permission to release protected health information, but there is no consensus about the meaning of consent and the most effective mechanisms for obtaining it.
  • Successful HIE requires identifying the same individual across health care organizations using specified identifiers, but there is a gap in knowledge regarding the approaches to accurate patient matching.

Methods for protecting patient privacy, obtaining patient consent, and ensuring accurate patient matching in HIE need to be tested in a realistic environment.

  • The predominant technical challenge with respect to patient consent is recording patients' preferences and designing procedures to reliably implement restrictions on disclosures of protected health information.
  • Meaningful patient consent requires determining how to effectively educate patients about their consent options and the procedures for recording consent.
  • There are many different types of patient identifiers and algorithms to perform patient identity matches, but there is very little information from clinical settings to guide the choice of patient identifier, matching algorithm, match criteria, and procedures to review results of automated matching.


  • If the Department of Defense (DoD) determines there should be some kind of consent for HIE through the Virtual Lifetime Electronic Record, research addressing people, process, and organizational issues will be needed to guide decisions about the type of consent, beneficiary outreach and education, and procedures to administer and verify consent at the point of care.
  • More research on patient identity matching is needed to evaluate the performance of approaches involving different combinations of identifiers and algorithms. The research should use actual identifying data from DoD data systems, test performance at scale, and pilot promising approaches in clinical settings.

Research conducted by

The research described in this report was sponsored by the United States Army Medical Research and Materiel Command, Telemedicine and Advanced Technology Research Center (TATRC). It was conducted jointly by RAND Health and RAND Arroyo Center, a federally funded research and development center for the U.S. Army.

This report is part of the RAND research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited; linking directly to this product page is encouraged. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial purposes. For information on reprint and reuse permissions, please visit

RAND is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.