SIST-TP CEN/TR 15872:2014

SLOVENSKI STANDARD
01-julij-2014
Zdravstvena informatika - Smernice za identifikacijo pacientov in njihova uporaba
v navzkrižnih povezavah
Health informatics - Guidance on patient identification and cross-referencing of identities
Medizinische Informatik - Leitfaden für die Patientenidentifikation und Kreuzrefernzierung
von Identitäten
Informatique de santé - Guide sur l'identification du patient et le référencement des
identités
Ta slovenski standard je istoveten z: CEN/TR 15872:2014
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

TECHNICAL REPORT
CEN/TR 15872
RAPPORT TECHNIQUE
TECHNISCHER BERICHT
March 2014
ICS 35.240.80
English Version
Health informatics - Guidance on patient identification and cross-
referencing of identities
Informatique de santé - Guide relatif à l'identification des Medizinische Informatik - Leitfaden für die
patients et au référencement croisé des identités Patientenidentifikation und Kreuzreferenzierung von
Identitäten
This Technical Report was approved by CEN on 17 February 2009. It has been drawn up by the Technical Committee CEN/TC 251.

CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION

EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2014 CEN All rights of exploitation in any form and by any means reserved Ref. No. CEN/TR 15872:2014 E
worldwide for CEN national Members.

Contents Page
Foreword .4
1 Scope .5
2 Normative references .5
3 Terms and definitions .6
4 Patient identity management .8
4.1 General .8
4.2 Concepts .8
4.2.1 Patient Identity .8
4.2.2 Patient identifier domain .9
4.2.3 Examples of patient identifier domain . 10
4.3 Identity management process . 10
4.3.1 General . 10
4.3.2 Care provision use case . 10
4.3.3 The identity management process. 12
4.3.4 Patient Identifier Domain Policy . 13
4.3.5 Basic process actions . 14
4.3.6 Identity utilization or referencing action . 15
4.3.7 Identity maintenance action . 15
4.3.8 Methods of deleting patient identity . 17
4.4 Identification anomalies . 17
4.4.1 General . 17
4.4.2 Homonymy . 17
4.4.3 Duplicates . 17
4.4.4 Collision . 17
4.5 Exceptions . 18
4.5.1 General . 18
4.5.2 Non-identified patient . 18
4.5.3 Patient with uncertain traits . 18
4.5.4 New-born . 18
4.5.5 Identification under anonymity . 18
4.5.6 Intentional use of multiple identities . 19
5 Cross-reference patient identity management . 20
5.1 General . 20
5.2 Concepts . 20
5.2.1 Cross-referencing identifier domain . 20
5.2.2 Sharing medical information between healthcare providers . 21
5.3 Identity cross-reference management process . 22
5.3.1 General . 22
5.3.2 Cross reference Patient identifier Domain policy . 23
5.3.3 Identities matching action . 23
5.3.4 Identities Query action . 24
5.3.5 Maintenance action. 24
6 Recommendations . 25
6.1 General . 25
6.2 Use Case 1: Within a healthcare organization . 26
6.2.1 Healthcare providers — Organizational requirements . 26
6.2.2 Software suppliers . 26
6.2.3 Insurance providers . 27
6.3 Use Case 2: Healthcare coordination . 28
6.3.1 General . 28
6.3.2 Between healthcare providers . 28
6.3.3 Software suppliers . 30
6.4 Use case 3: Cross-border, the Europe case . 30
6.4.1 General . 30
6.4.2 Organizational requirements . 31
6.4.3 Information system . 31
Annex A (informative) Policy charter of the patient identifier domain . 33
A.1 Policy Charter of the Patient Identifier Domain . 33
Annex B (informative) Norms, standards and other references . 36
B.1 General . 36
B.2 ISO/TS 22220:2011, Identification of subject of Healthcare . 36
B.3 IHE and profiles supporting Patient identification . 36
B.4 Netc@ard for eHIC: Electronification of Healthcare Insurance Card . 38
B.5 FIDIS Future of Identity in the Information Society . 40
Bibliography . 41

Foreword
This document (CEN/TR 15872:2014) has been prepared by Technical Committee CEN/TC 251 “Health
informatics”, the secretariat of which is held by NEN.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent rights.
1 Scope
This Technical Report addresses the issue of multiple identifiers that may refer to the same person. It
describes the management of patient identification and cross-referencing of identities and provides some
practical guidance for addressing implementation of standards, reports, guidelines, methods, etc. The need to
identify a person unambiguously is an important component for the interoperability of health information
systems.
Within healthcare there is an essential requirement for good quality information, not least to uniquely identify
an individual to ensure that the appropriate and relevant care can be delivered irrespective of geography, time
and situation. To ensure that health care providers have access to information about an individual patient, it is
vital that the patient can be reliably identified within a Health Care Information System. Currently, a given
patient may have several identifiers corresponding to different geographical locations, different health care
organisations or various specialities. The allocation of multiple identifiers and related processes increases the
risk of identification error within one or more information systems and as a result, might compromise the safety
of a patient.
The quality of identification ensures that health care providers have access to patient information, facilitating
closer coordination and continuity of care, improving service in terms of prevention and follow-up. Quality will
be pursued within the framework of:
— medical care in a hospital information system (HIS): covering all the stages from patient identification to
admittance to the health care organization or directly to the care unit or emergency care, through to the
issuing of reports by the different health care services (medical and medico-technical services);
— continuity of care;
— patient mobility.
Because electronic heath care records may be updated by several and various healthcare providers over a
long period of time, the patient identification needs to be formalized in such a way to ensure that the correct
patient’s healthcare record is being accessed.
In the regions or the countries where a national unique patient identifier is not used, the patient is identified by
using patient identifiers for each healthcare system, wherever the patient is registered. Even within an
individual healthcare organization, the patient may be identified by a specific identifier for an individual ward or
a medical support unit. To ensure the continuity of care and the sharing of patient information, it is necessary
to reliably link together the different patient identities within what we will call a “patient identifier cross-
reference domain”.
The need to cross-reference identities appears when a healthcare provider wants to access all the healthcare
information for one patient and that information is contained in different healthcare systems managed by
several healthcare professionals or organisations.
In recent years, many research studies and implementations have taken place to try to resolve this issue. This
document provides an overview and proposals for the management of the patient identities and the cross
referencing of identities and provides guidance for authorities, organisations, project managers and users.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/TS 22220:2011, Health informatics — Identification of subjects of health care
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
alias
assumed name that can be specifically applied to disguise identity, which, in a healthcare situation, might be
used to protect a famous person receiving treatment or an individual receiving sensitive treatment in, for
example, a drug or alcohol rehabilitation unit or sexual health clinic
[SOURCE: ISO/TS 22220:2011]
3.2
collision
case in which two or more different patients are represented by the same patient identity
EXAMPLE In the cardiology service, the nurse who is consulting the record of Mr Jean Martin, finds that some data
are not consistent between then (for example, in the same day, two effort trainings were done). She suspects a collision of
th
two patients. After checking the patient identification server, she detects two Mr Jean Martin; one is born in January 25 ,
th
1950 and the second on June 25 , 1950.
[SOURCE: IHE-PIX]
3.3
duplicate
case in which several identities represent the same patient in the same patient identifier domain
3.4
federation cross-referencing index
index that carries the federative identities within a federation cross-referencing domain
3.5
healthcare provider
person or organization who is involved in, or associated with, the delivery of healthcare to a patient, or caring
for patient wellbeing
3.6
identifier
sequence of characters which is used by one or more systems to represent a person (a patient) and reference
individual information within his care process and which is unique within a Patient Identifier Domain and linked
to the traits of the Patient
Note 1 to entry: The identifier is called Subject of Care identifier in ISO/TS 22220.
EXAMPLE They are many types of identifiers: Person identifier, Patient identifier, Unit record Number.
3.7
linked identities
case in which, for a given patient, several identities (duplicates: see above) were created, which can lead to a
clash between them
Note 1 to entry: The identification system will have the capability of keeping track of these duplicate identities. After
correction, the duplicate identities are linked and one of the identity becomes the primary and the others become “ghost”
identities. When new healthcare information is recorded, they will be attached to the Patient Identity Source.
EXAMPLE Ms Alice Berthon got married between two stays in hospital. She prefers now to use the name of her
husband Mr. Martin. It is possible that within EHRs, she has two records: one with one identifier and the name of Berthon
and a second record with another identifier and the name of Martin. This is a duplication and these need to be kept track
of and solved. After correction, the duplicate identities are linked and one of the identities (Miss Berthon) becomes the
primary and the others becomes “ghost” identities.
3.8
Patient Identifier Domain
domain in which, in the ideal world, the patient has one and only one Patient identifier and a common
identification scheme which is used between systems for sharing healthcare information within the domain,
and in which the identifier is assigned by the assigned authority
EXAMPLE 1 Hospital St Vincent is a Patient Identifier Domain. The patient of the Hospital St Vincent is identified at the
entrance with one and only identifier. All systems in hospital share the same patient identity delivered by one system: the
Patient Identity Source.
EXAMPLE 2 The Insurance which delivers an Insurance card with identifier is an Insurance Identifier Domain. The
country which delivers a citizen card is a citizen Identifier Domain.
[SOURCE: IHE-PIX]
3.9
Patient Identifier Cross-reference Domain
domain which consists of a set of Patient Identifier Domains, known and managed by a Patient Identifier
Cross-reference Manager Actor who is responsible for creating, maintaining and providing lists of identifiers
that are aliases of one another across different Patient Identifier Domains
Note 1 to entry: The Patient Identifier Cross-reference Domain embodies the following assumptions about agreement
within the group of individual Identifier Domains:
• they have agreed to a set of policies that describe how patient identities will be cross-referenced across participating
domains;
• they have agreed to a set of processes for administering these policies;
• they have agreed to an administration authority for managing these processes and policies.
Two models of implementation of a Patient Identifier cross-reference domain can be managed:
• Federation Patient Identifier cross-reference domain, where one member of the identities in the Cross Referencing
Information System is always the federative identity (the Master),
• Correlation Patient Identifier cross-reference domain, where the Cross Reference manager actor manages a list of
identities defined in the cross referenced identification domains where all patient identities are in the same level.
EXAMPLE 1 In England and in the Netherlands, at the country/regional level, the NHS number or the BSN are the
federative identifier. When two healthcare providers want to share medical information for a patient, they refer to the NHS
number in UK or BSN in the Netherlands.
EXAMPLE 2 In a country where the national identifier does not exist, a patient who has several medical records split in
several healthcare provider systems, the mechanism to link all the records is based on a correlation model where the list
of all patient identifiers linked to the patient identifier domains is available.
3.10
Patient Identity
representation of a real person within a Patient Identifier domain (called also Patient identifier Assigning
Authority), which, by extension, could also represent a fictional person for some purposes (testing or training)
Note 1 to entry: The patient identity is composed of:
— an identifier, ID;
— a set of traits, {T}.
EXAMPLE The person named M. Jean Martin is represented in the hospital St Vincent in Paris by the record
(sample): “23654, Martin, M., Jean, Male,19500125”.
3.11
Patient Identity versions
patient's traits that are changed because of events during the life and that then need to be modified or
corrected
Note 1 to entry: The author of the modification will have the permission to update the record and the modification will
be done in a controlled procedure and audited.
EXAMPLE 1 Ms Alice Berthon was represented in hospital St Vincent as “23478, Berthon, Miss, Alice, Female,
19800325, v1”.
She got married and now she preferred to be named Ms Alice Martin. The representation will be changed
on “23478, Martin, Ms, Alice, Female, 19800325, v2”
EXAMPLE 2 Mr. Richard Louis Kerren was an outpatient in hospital St Vincent and he was represented as “43542,
Kerrene, Male., Richard, Louis, Male,19540613,v1”.

When he comes back to hospital for a second visit, the administrative staff searches his name and they
do not find the record. After a careful research, they discover that the name was not correctly registered.
They update his name: the new representation is “43542, Kerren, Male, Richard, Louis,
Male,19540613,v1”.
3.12
traits
characteristics defined in a Patient Identifier domain, and “commonly” used in the real world, as a part of a
patient identity
Note 1 to entry: These could be criteria in the query of patient identity in the Patient. The Patient Identity Source Actor
is retrieved when the criteria of the query meet the traits in the Patient Identity Source Actor.
Note 2 to entry: See Service Functional Model for the Entity Identification Service.
4 Patient identity management
4.1 General
In this section, we will provide the definition of the concepts used by the management process of the patient
identity. It is following by a section on the cross-referencing management which completes the description by
the management of patient identity between several healthcare providers within a cross reference domain.
4.2 Concepts
4.2.1 Patient Identity
Within a Patient Identifier Domain, the patient is a real person represented by an identifier and a set of identity
characteristics called traits:
Figure 1 — Definition of the qualified identity
In the case where the identification of the domain is not explicitly given, the identity is called unqualified
identity.
The traits are characteristics as name or subject of care name (ISO/TS 22220), first name, sex, date of birth,
address, etc. However some traits are more constant than the others. The constant traits form the strict traits.
Other traits can be categorized:
— extended traits: traits describing the patient such as Insurance number, mobile phone number, etc;
— specific traits such as food habit, medical specificities, etc;
— technical traits such as status of the patient identity, validity, indicators, etc.
4.2.2 Patient identifier domain
The Patient Identifier Domain is the context in which the identities described above are managed. It may be all
or part of a single organization, or a group of organizations. The Patient Identifier Domain is associated with a
Patient Identifier Assigning Authority, an organization, agency or provider that allocates patient identifier
designation.
In the identification process (see Figure 2), the arrow shows that the actor A accesses the identity id = D: ID -
{T} and uses it to point the patient information (e.g. the patient record) in order to consult and update it.

Figure 2 — Representation of the Patient Identity Source
Additionally, a Patient Identifier Domain has the following properties:
— a set of policies that describe how identities will be defined and managed according to the specific
requirements of the domain;
— an administration authority for administering identity related policies within the domain;
— a single system, known as a patient identity source system, that assigns a unique identifier to each
instance of a patient-related object as well as maintaining a collection of identity traits;
— ideally, one and only one identifier is assigned to a single patient within a given Patient Identifier Domain,
though a single Patient Identity Source; generally because of errors or safety (when there is a doubt on
the identity and to prevent a wrong assignment with an existing patient identity) during the process, it may
assign multiple identifiers to the same patient;
— a Patient Identifier Domain Identifier is unique within a Patient Identifier Cross-reference Domain.
Other systems in the Patient Identifier Domain rely upon the identifiers assigned by the patient identity source
system of the domain to which they belong. (From IHE-PIX.)
4.2.3 Examples of patient identifier domain
The nature of the Patient Identifier Domain can be various depending of the regulation of the country:
— Health domain with a clear separation with the insurance domain:
the patient identifier could be national or local;
— Insurance domain;
— Citizen domain: in this case, a passport or national ID card:
could be used in healthcare to identify the patient.

Figure 3 — Identifier domains linked to one person
When a patient travels from country to country and when he has a contact with healthcare providers, the
process of identification is different. This problem is identified and addressed in this document.
4.3 Identity management process
4.3.1 General
In this section, the processes of identification are shown and illustrated by a care provision use case in
hospital.
The term “Identity management process” is preferred to the term “identification process”. The Identification
process is in fact a part or is included in the identity management process as the sub process of the creation
or update of the patient identity.
4.3.2 Care provision use case
The interest of this use case is that many of principal actions of the identity process management are
inventoried as shown below. The scenario assumes that all systems involved in it are in the same Patient
Identifier Domain.
This scenario “Caring in In-Patient setting” is split into two different sub-scenarios:
— caring in ward unit;
— caring in medical-technical unit.
Figure 4 — Care process in hospital
Different actions are performed, related to the episode and to the services provided to the patient:
— To arrange an appointment for admission: in many countries, the appointment for admission is made
by telephone. At this stage, when the Admissions Clerk or the Consultants Secretary registers the patient
identification; Errors can occur (when the Admissions Clerk or the Consultants Secretary has not
understood the name or does not spell the name correctly and the patient information is erroneous or not
complete).
— To admit in the hospital: when the patient is admitted and to reduce errors, the clerk shall ask for a
patient document like insurance card or citizen card at the entrance or any other document, or checking
process depending of the rules in the country. The patient will be registered with the more complete
information. When the patient is not able to produce any document, the patient information are not
reliable and the clerk will registered the identity as temporary identity. In the emergency case, when the
patient is unconscious, the registration of patient information is difficult. A temporary name is given to the
patient.
— Admission to the ward: when the patient goes directly in the ward, the situation can be the same as in
admissions but that the patient registration will be done by the Medical Secretary and/or the Nurse. This
is treated as a Clinical Admission and not administrative admission. The patient identity is treated as
temporary as professional staff does not always control Patient Registration. In the case of a VIP or a
patient being admitted for sensitive treatment (e.g.de-intoxication cure) a procedure for pseudonymization
or anonymization will be applied (this procedure and the usage are not described in this document).
During the care, an alias (or pseudonym) is used. When the patient has an appointment in a radiology
department for example, he shall have with him all the information needed to identify himself (for example
a wristband with his alias and identifier, document).
— Discharge from the ward: Discharge from ward and/or hospital may require relevant information to be
collated and sent to another professional / organization. This may require an identity in a different domain.
This includes the identity in the insurance domain for billing purposes.
— Discharge from the hospital: When patients are being discharged in insurance-based healthcare
regimes, the Admissions Clerk or the Consultant’s Secretary prepares the invoice, the real patient identity
is used. In the case where information about the patient identity is not available, the invoice may be
delayed.
— Fixing a follow-up appointment following the discharge: the patient identity is used and the
Admissions Clerk or the Consultant’s Secretary should have no problems in making an appointment(s) for
the patient.
During the ward episode of care, several actions are performed:
a) in the ward:
1) clinicians send order communications to be performed by a medical technical unit (e.g. radiology,
laboratory);
2) the clinician receives reports from the medical technical unit;
b) in the medical technical unit:
1) the technical team receives the communications orders from the ward;
2) the radiologists or the laboratory professional reports on the procedures carried out and the
outcomes.
At each stage of the process, the healthcare professionals will verify the patient identity by requesting to the
patient identity source and use the identity and identifier to access to the historical or current clinical
information. The principal actions are searching, consulting and updating the patient identity when necessary.
The way of processing internally is not describing, depending of if the Patient identifier domain is unique for all
systems in the hospital or if the hospital is composed of several patient identifier domains federated by one
patient identifier domain.
4.3.3 The identity management process
Four main processes are identified as shown Figure 5:
a) the identification action, which is the action of creation of an identity for a new patient in the patient
identifier domain;
b) the referencing action, which allows using an identity in order to reference a patient information using the
identifier of the patient identity; actions in this process are, for example, “to stick a label carrying the
patient identity (identifier, names, date of birth) on an order communication or an “act on” report;
c) the identity maintenance action, which copes with:
1) traits updates;
2) reconciliation of duplicates;
3) resolving the collision;
d) the deletion of the identity in the identification action.
Figure 5 — Patient identity management process
The identity management process shall be described in the identification policy.
4.3.4 Patient Identifier Domain Policy
The Patient Identification Policy defines how the patient identity should be managed throughout all the
procedures which are written in the identity policy charter. The principles of the Patient Identification Policy
and process rules are written and saved in the Charter. Training and education need to be provided for all
users, particularly for those actors authorized to create patient identities.
The Patient Identifier Domain Policy defines:
— the scope of the Patient Identifier Domain;
— the Patient Rights and Regulation over such information: this should be available for the patient on a
separate and specific document which is given to the patient at their first visit; for application within the
European Union Member States, the disclosure and use of personal information about health are
1)
regulated by laws on privacy, confidentiality and data protection ;
— the organisations holding such information and with whom it is shared (e.g. General Practitioner Practice);
— the profiles and the roles of the actors concerned and their actions, for example four categories of actors
can be defined: patient, administrative staff (e.g. admissions clerks, medical secretaries, medical records
staff), practitioners and clinical staff (e.g. nurses);
— the patient management systems and other healthcare systems which are direct users of the patient
identity;
— identification authorities: two authorities shall be defined: the management authority and the patient
identity vigilance authority; the first structure has the responsibility to define the patient policy and the
management and the second will check the quality of the patient identity in the patient identifier domain;

1) See European Standards on Confidentiality and Privacy in healthcare.
— definition of the profile of the patient identity based on the pertinent traits of the patient (for example,
groups of names, first name, date of birth, sex);
— definition of the different status and version management;
— security of the patient identity management: privacy, availability, integrity, audit trail;
— the management and quality indicators: e.g. number of patient identities created per month, numbers of
duplicates, number of updates, etc.
For more detailed information, see Annex A.
4.3.5 Basic process actions
4.3.5.1 General
Two basic process actions are used in the sub-processes presented above:
— search on the patient identifier;
— search on the patient traits.
These basic process actions can take place in the four sub-processes described above, with different contexts
for the initial and final events. They highlight actions where human beings participate in such process actions
and can pose risks for the process.
4.3.5.2 Search on the object identifier

Figure 6 — Search of Patient identity process based on Identifier
In this process action, the user (admissions or ward clerk, healthcare professional) captures the

patient ID in the identification domain D on a healthcare system. A search on identifier ID is launched
on the index and the complete unqualified identity (ID and traits) are displayed. The user should
confirm that the displayed data (defined by the identification policy) correlate to the patient's identity
(using documentation produced by the patient, e.g insurance card, identity card or other relevant
documentation.
Two events should occur:
The user decides that the displayed traits correspond (exactly or only slight variation) to those

referenced by the healthcare system: The user then determines if the produced identification
documentation corresponds to the identity registered on the healthcare system.
The user considers that the discrepancies between the displayed traits and those referenced by the

produced identification documentations too variable to be able to determine the identity of the patient
to complete the processes without further investigation.
Several risks appear due to human actions:
A user error can alter the captured identifier and particularly if the user does not take care at the
displayed traits, the user wrongly decides that the identity matches to the captured identifier. A
collision is created.
Some traits can have changed, and then, the now displayed traits can be different from those
captured.
The risks of these occurring are in fact low: the procedures for capturing such information are usually sound or
are automated through positive methods e.g. bar code, smart card,.
4.3.5.3 Search on the traits
Figure 7 — Search of patient identity process by traits
The user captures the patient traits as search criteria in the healthcare system indexes to retrieve matching
identities. The results of such action could be:
— no candidate identity matches are found within the captured data;
— several candidate identity matches are available.
The user usually decides that no identity corresponds to the captured traits; in the second case one or more
patient identities are displayed and the user selects one of the identities on the patient list:
The user does not select any identity because he/she decides that none of the traits match exactly to any
displayed patient traits. Such decision should be made after checking all the pertinent traits which are
described in the policy.
4.3.6 Identity utilization or referencing action
The use process is enacted when the patient's identity is active, then he/she is known by his identifier ID,
which can be available on labels, cards, etc. or with automatic reading (bar-coding, RFID, etc.). The process
uses the ID to reference the patient's data existing in an order, an act report, a patient record element, etc.
It is an exception when the user cannot reference the information with the ID. Then he performs a search on
traits to obtain the ID and references the information.
4.3.7 Identity maintenance action
The traits of individual patients are generally not stable for their whole life; for example, a woman using the
surname of her husband may use a pseudonym, may have had a different name at birth and use other
identifiers e.g. insurance identifier, medical identifier, etc.; it is the reason why the need of a maintenance of
the identity is required.
Figure 8 — Maintenance process
When the identity of the patient already exists, the user shall check the data with the patient in the referencing
process, where:
1) The traits are not the same: after checking the user shall update the traits and creates a new version of
traits and/or patient identity.
2) A list of candidates is available and some of them corresponds to the patient; after checking all the data,
the user decides to merge patient identities and selects them in the Patient Identity Source. The other
patient identities are de-activated and linked to the source. They become “ghosts” (see Figure 9).
3) The identity that the user has selected corresponds in fact to one or more patients: the resolution of the
collision is more complex regarding to the medical records already existing. In that case the medical
records shall be spilt into two patient medical records linked to two patient identities. It is the role of the
relevant healthcare professionals to separate medical data (see Figure 9).
In each case, the patient identity is updated and a new version is created. The patient identity follows a life
cycle and several states are defined:

Figure 9 — Life cycle of the status of the patient identity
Identity management is supported by a Quality Policy for Identity Management. Every status update is
associated with a new version of an identity.
EXAMPLE Temporary to Validated.
4.3.8 Methods of deleting patient identity
Two methods of deleting the patient identity are available:
— Logical suppression: the patient identity is de-activated. It is not possible to access to the data. The
administrator is the only user authorized to manage this identity.
— Physical suppression: the patient identity is suppressed. This action is definite.
4.4 Identification anomalies
4.4.1 General
Several anomalies or exceptions may occur during the lifecycle of the patient identity. They shall also be
covered by the identification policy, in order to explain to the actors how to manage them when they appear.
4.4.2 Homonymy
Where two patient identities may correspond with names and traits being identical. Normally under such
circumstances the identifiers are different. The risk arising from this homonymy would be to merge the two
identities by creation of the collision. To reduce the risk, the best method is to indicate (by an indicator) that
the homonymy exists.
4.4.3 Duplicates
A duplicate exists when one patient has two identifiers. Generally this situation occurs when after a search
and even having checked a list of patient candidates, the user with caution, decides to create a new identity
with new identifier. To avoid such a situation occurring, it is necessary to educate the user to take effective
action by indicating if he/she has created a new identifier and that there is the potential for a duplicate.
To prevent and to reduce a number of duplicates occurring, the user needs to be vigilant and to check
frequently (daily, weekly) for potential duplicates by analysing the patient database.
After selecting a list of potential duplicates, the decision of merging patient identities is the responsibility and
within the role of medical staff, who are best placed to conduct an analysis of the medical records.
4.4.4 Collision
A collision occurs when two or more patients have the same identity within the Patient Identity Source. A
collision is created when after a search and even having checked a list of patient candidates, one patient
identity is chosen by default (for example in the case of homonymy) and the criteria for the
...