Identity in the PALM of your hand

Feb. 1, 2009

Driven by
legislation and government policy makers, patient safety has motivated
healthcare organizations large and small around the nation since the
mid-1990s. From preventing medication and surgical errors to combating
hospital-acquired infections, much healthcare-information technology
(HIT) has been designed and dedicated to this effort. A survey of senior
IT executives given at the 2008 HIMSS Conference and Exhibit indicates,
however, that access to patient records and compliance with HIPAA
regulations has joined patient safety at the top of their lists.

In a world where identity theft and insurance fraud
are daily occurrences, hospitals find themselves both responsible and
exposed. IT executives now consider protecting patient privacy and securing
access to private patient data as important as protecting patients’ health.
Fortunately, there is no need for hospitals to “switch gears” from
protecting patient safety to securing patient data. Technology exists that
provides both, is easily installed, and is affordable.

New ground

One healthcare pioneer that has adopted such a system
is ValleyCare Health System in Pleasanton, CA, a northern CA-based
not-for-profit health system with 212 beds on two campuses that has been
providing family care to the tri-valley and surrounding areas since 1961.
Led by CEO Marcy Feit, who began her career at ValleyCare more than 30 years
ago as a nurse’s aide, the staff of 300 dedicate themselves each day to
advancing patient care. Feit considers ValleyCare to be a medium-sized
hospital in competition with healthcare giants Kaiser Permanente and Sutter
Health, among others; she acknowledges that the organization’s efficient use
of resources enables her to adopt technologies quickly, which she believes
gives ValleyCare an advantage.

“When you are a stand alone, your ability to make
decisions and to respond quickly is better than in mega-organizations,” she
says. “Usually, they want to do things globally — for all hospitals
simultaneously — so there is a lot more that goes into it.”

Feit’s top priorities for ValleyCare, like those of
most healthcare organizations in America today, include ensuring patient
safety and preventing identity theft and fraud; however, unlike many CEOs
who primarily focus on growing the business side of their organizations,
Feit’s experience in nursing roots her strongly on the patient-safety side.

“We have spent a great deal of time making sure that
we are treating the right patient,” she says. “We want to confirm that we
are treating John R. Jones and not J. Ruben Jones. If we are treating one of
them in the emergency department (ED), and John R. is a diabetic and J.
Ruben is not, if we have pulled the wrong medical record, we could be
providing inappropriate treatment.”

One way this happens involves duplicate medical
records, which are created when patients give alternate variations of their
names during registration. A patient might give John R. Jones on one visit
and J. Ruben Jones on another, and J. R. Jones on another. Without a method
for preventing name variations, duplicate records can be created that hinder
caregivers and threaten the patient’s safety.

“People do not realize that those kinds of
inconsistencies can be very dangerous,” says Feit. “I think in the future,
identification (ID) will become critical for conducting business in


Improper patient identification can have tragic
consequences. Conversely, a dependable patient identification method has the
reverse effect — patients are safer, and fraud and identity theft are
averted. To ensure these outcomes, ValleyCare installed palm-vein scanners
at all ingress and egress points, and implemented a patient registration and
security system that it calls Patient Access Lifetime Match, or PALM, for

The non-invasive, contactless biometric technology
authenticates patients during registration using near-infrared light to
illuminate the veins in a patient’s palm and record an image of the “print.”
This identification method is considered highly accurate, since each
person’s vein pattern is unique. Even between identical twins, enough
variation exists to create a unique identifier that is stored and associated
with a patient’s medical records. This identifier fulfills one of the two
forms of authentication required under HIPAA regulations when hospitals
register patients.

Originally developed to authenticate bank customers
at ATMs in Japan, the diminutive healthcare version connects to the
registration-workstation computer, which also connects it to the hospital’s
network and the organization’s master patient-index database. During
registration, staff offers patients the opportunity to have their palms
scanned and added to their electronic medical record. Once added, even
unconscious patients can be instantly identified and treated, making palm
scanning not only a beneficial tool during registration but in the ED as

“Many patients arrive in a delirium, so they are not
reliable sources for giving us their identification,” says Feit. “It takes
time to find a family member or a neighbor to tell us who we are treating,
and many times the ambulance drivers are not successful in bringing
identification. When the patient is in such extreme condition, the drivers
are anxious to get the patient to us and cannot spend time searching a house
for an ID.”


ValleyCare differs in another way from many larger
healthcare organizations — the hospital outsources nearly all of its IT
needs (including staff) to a third-party organization whose on-site IT
personnel report to Ken Jensen, ValleyCare’s CFO and manager of IT
contracts. ValleyCare leases its hospital-information system (HIS) from the
same organization which maintains the network technology off site. According
to Jensen, the symbiotic relationship serves ValleyCare well and contributed
to the successful integration of the palm-scanning technology into
ValleyCare’s HIS.

“We found the palm-vein scanner at one of our trade
shows,” says Jensen. “One of the reasons we wanted a more unique identifier
was to make sure that we minimized duplicate medical records, but we also
wanted to rely on the Registration staff to properly identify the patient
and get all the financial information so we could bill. Patient throughput
is also important to us. The faster we get them out of the waiting room, the
faster we get them into the hospital and can treat them.”

Rogel Reyes, director of Patient Access for
ValleyCare integrated various technologies (i.e., scanning technology) with
ValleyCare’s existing HIS to create its PALM authentication and registration
system, which went live after a 90-day rollout.

“Palm-vein biometric authentication is 100 times more
accurate than a fingerprint,” says Reyes. “All of the registration areas
where patients get checked in for any type of service — whether it is the
lab, diagnostic imaging, ED, or inpatient services — all of our patient
intake rooms have the scanner. Since we went live, registration is faster
because patients returning for repeat services are not asked to provide
their ID or insurance cards each time. They just place their palms on the
scanners and, within seconds, the system displays their medical records.”

ValleyCare also implemented an infection-control
policy that requires the operator of the palm scanner to wipe it down after
each use with hospital-approved antibiotic wipes to ensure that it is free
of biological contaminants at all times.

An industry pioneer

ValleyCare is the first hospital system in the
western United States to implement such a system, motivated, in part, by a
strong focus on patient safety and identity protection but also, in part, by
the Federal Trade Commission (FTC). Beginning on Nov. 1, 2008, the FTC’s
Identity Theft Red Flag regulations went into effect, requiring healthcare
providers to establish programs that secure patient medical records and
block identity theft, as part of the Fair and Accurate Credit Transactions
Act. While it is only natural for technology to play a role in fulfilling
that mandate, there have been challenges.

“The elderly patient population is a little more
hesitant to enroll in our PALM technology,” says Reyes. ValleyCare does not
require patients to enroll, it is simply offered as an alternative to
traditional identification. Patients are free to opt out and many do.”

“Our younger patients seem to be more accepting,
while our older patients tend to ask more questions about what it is,” says
Jensen. As demand for technology increases among providers (to the point
where, without a strong technology base, hospitals can find it difficult to
attract new physicians), among patients, acceptance of technology is not an
imperative. ValleyCare, like many provider organizations, sees technology as
a necessary link to a brighter healthcare future.

Financial incentives

From a business perspective, switching from printed
registration cards to palm scanning might not present a cost benefit;
however, it is much more accurate in identifying patients and can prevent
fraud. In 2007, ValleyCare found itself in court after a mismatched blood
type alerted an insurance organization that something was amiss concerning a
$100,000 surgery bill for which the health plan had already remitted the
hospital for the claim.

“We got paid and then the insurance company took the
money back,” says Jensen. Unbeknownst to ValleyCare, a sibling of the
registered patient had switched registration cards and undergone the surgery
incognito. The health plan investigated the incident and brought criminal
charges against the fraud’s perpetrators.

“We eventually got paid, but it cost us time and
money from a legal standpoint,” he says. Had the changeling’s palm been
scanned during the initial registration process and compared against a
previously scanned palm, the authentication would have failed to match the
on-file records — and the jig would have been up prior to surgery.

“This technology is a way of specifically identifying
patients,” says Jensen. “And, long term, it has applications beyond just
registration, in terms of errors.”

Going forward

ValleyCare is considering using the palm-scanning
system to authenticate physicians as they move from floor to floor, and
patient to patient. Currently, physicians log into the hospital’s HIS and
type in their identification codes to gain access to patient medical records
during their rounds. As with most manual authentication systems, the process
is time consuming and invites error. With palm-scanning, physicians would
simply scan their palms upon entering or exiting a floor or a hospital wing,
which would increase accuracy and lower costs enterprisewide. The time/cost
savings also benefits patients.

“If patients enroll in the PALM program at the
physician’s- office level and are referred for hospital services, we do not
have to ask them the same questions again,” says Reyes. “We just physically
scan their palms; and, from there, we can positively identify them.”

Devices such as these play an important role in
healthcare, where misidentification can result in fraud or, worse, death.
Progressive healthcare organizations like ValleyCare improve the industry
overall by adopting new technologies and then sharing experiences that
corroborate reports and motivate decision making.

“If you ask each of my executive team, they will see
the value from their perspectives,” says Feit. “My CFO sees that accurately
identifying patients prevents fraud and makes sure the proper information is
collected for billing. For me, having this device means improved patient

Michael McBride
is editor-in-chief of Nelson Publishing’s Health Management Technology.