Ethel Markham looked into a small, rectangular camera mounted on a registration desk at Community Regional Medical Center, and a mechanical voice directed her to move closer.
Focused on the iris of the eye, the camera clicked.
The Fresno hospital now had her “eyeprint,” an identifier as unique as a fingerprint.
Markham was happy to have her eyeprint added to her medical record earlier this month. “I think it’s a good idea,” she said. “With your eyeprint, your medical record doesn’t get mixed up with anyone else’s.”
At Community Medical Centers, showing a driver’s license or insurance card to identify yourself soon will become obsolete, replaced by iris recognition captured in a high-resolution facial photo. Each time a patient registers for an appointment, a quick photo will be taken to match with the one on file.
(There is no retinal scanning, which beams a low-energy infrared light into a person’s eye).
You cannot just get another iris.
Pam Dixon, executive director of World Privacy Forum
The hospital system began a pilot program using RightPatient software technology three months ago, and has been adding the biometric devices to registration desks at Fresno Heart & Surgical Hospital in northeast Fresno, at its regional medical center in downtown Fresno and at its hospital in Clovis. By next month, the technology could be standard at most registration sites.
So far, Community Medical Centers is the only acute-care hospital system in Fresno that is using biometrics to register patients. But once the stuff of spy thriller or science fiction movies, iris recognition, along with reading the veins in the palm of the hand, are becoming more common at hospitals that over the past decade have shifted from paper to electronic medical records. Hospital executives see the technology as a tool to speed up registration, prevent expensive medical chart mix-ups, reduce errors and protect against identity fraud.
But not everyone sees biometrics as a benefit for patients. Consumer advocates and health-care law experts are concerned about patient privacy and about the information being vulnerable to cyber threats, such as the global ransomware attack that recently paralyzed hospital systems in the United Kingdom.
“Biometric identification of patients is not a cure for medical identity theft,” said Pam Dixon, executive director of the World Privacy Forum, an advocacy group in San Diego. “There are known and well-established risks in biometric systems and those risks can be exploited by bad actors who can gain access to the system.”
Judi Binderman, chief medical informatics officer at Community Medical Centers, said Community has taken steps to keep patients’ biometric information safe. The eyeprints are not stored on hospital computer servers, she said.
Michael Trader, RightPatient co-founder, said the company is aware of the sensitivity of health care information and it provides safeguards to prevent unauthorized access to the information. “We’re not storing any data in our system that puts the patient at risk,” he said. For example, patients’ Social Security numbers are not stored in the system, he said. And the demographic data Community sends to the company is encrypted to prevent unauthorized access.
Dixon said she does not comment on the security of individual biometric companies, but storing biometric information on servers separate from those that have patient demographic information is best practice.
But there’s never a guarantee that a system can’t be hacked, she said.
The Ponemon Institute, a private cybersecurity research firm, says health care data breaches are increasing. In a 2016 report, it estimated data breaches could be costing the health care industry $6.2 billion annually.
For patients, untangling a medical identity theft can be difficult, time consuming and costly. It can cost victims thousands of hours – and thousands of dollars – to undo damage from health care bills that have been racked up by people unlawfully using Social Security numbers or insurance cards.
But replacement ID cards can be issued. Dixon said patients are concerned about biometric identity theft, and rightly so. “You cannot just get another iris.”
Dixon said patients should ask to see a hospital’s notice of privacy practices and review the policy regarding biometric identification. And find out that if you give permission and change your mind that you can have the biometric information deleted, she said. “Don’t get flustered if you do not want to give your biometric to a health-care provider.”
Seema Mohapatra, a professor of health care law and bioethics at Barry University in Orlando, Florida, said making a biometric identification optional for patients is key. And it should be “very clear to the patient that it’s optional.”
We’re not storing any data in our system that puts the patient at risk.
Michael Trader, co-founder RightPatient
Binderman said Community is not forcing anyone to take a biometric photo. Patients can opt out, she said. But most have been willing.
She’s not heard that patients are worried about their rights to opt out and invasion of privacy has not been a concern, she said. “We’ve had more people wondering what happens with their iris scans.”
Only hospital staff, the patients’ doctors and others authorized partners of Community can see the photos, the hospital says in a leaflet given to patients that explains the eyeprint technology.
Markham , 61, didn’t bother to read the information sheet. A past experience with a medical chart mix-up at the now-closed Valley Medical Center came to mind. She’d gone to the hospital with a severe headache doctors pulled another patient’s chart by mistake. “They they told me I had cancer of the uterus,” Markham said. “And I said, ‘no, that’s not why I’m here.’ ” The hospital staff wanted to schedule surgery but Markham walked out. A few days later, the hospital caught the error, she said. “And they called and said ‘sorry.’ ”
It’s not known how often patient identification errors, but researchers at ECRI Institute, a nonprofit group focused on patient safety, examined 7,613 cases of wrong-patient errors at 181 organizations that occurred between January 2013 and August 2015. The cases were submitted voluntarily and researchers said they probably represented a fraction of identification mix-ups. Ninety-one percent of the errors were caught before the patient was harmed. But among the mistakes was a cardiac patient who mistakenly was not resuscitated because the wrong patient’s chart had a do-not-resuscitate order, and an infant who was given expressed breast milk from the wrong mother, who was infected with hepatitis.
Hospitals are just beginning to use biometric identification and it’s too early to know how it will affect error rates, but Community Medical Centers hopes iris recognition will reduce chart mix-ups. The hospital system serves a diverse population and many patients have multiple names, which can increase the chance of error.
Patients also borrow relatives’ or friends’ identification – sometimes with permission and sometimes not – to get care.
Binderman said it makes sense to do away with paper identification. “We are spending time correcting charts, moving results from one chart to the other and trying to correct information.”
With your eyeprint, your medical record doesn’t get mixed up with anyone else’s.
Ethel Markham, patient
Charting errors usually are caught early, before any treatment begins, but having to move information into the right chart is time consuming and expensive: Community Medical Centers spends about $190,000 a year to research and correct mismatched charts, she said. And that amount doesn’t include the approximately $300,000 a year the hospital system has estimated it loses on accounts that can’t be billed to insurance companies because the patient identification is incorrect.
A subscription to the RightPatient system costs $7,000 a month, Binderman said.
The technology has been an easy sell to most patients, although Binderman said some have asked if the photo can be re-taken when they’re dressed better.
Rosemarie Cordova, 53, of Fresno, wasn’t feeling particularly photogenic last week at Community Regional Medical Center when she came to the pre-operation registration window, but the convenience of the iris recognition appealed to her.
“It looks like something easy. Then I don’t have to fill out my ID every time. It saves me time from digging in my purse for my cards.”
Cordova would like iris scanning to become routine in all health care settings.
A few years ago she had dental fillings and returned to the dentist for a check-up. The staff grabbed a wrong file, and Cordova said she had to set them straight. “They were ready to pull three teeth out.”