Abstract
Objective: The sharing of personally identifiable information across organizational boundaries to facilitate patient identification in Utah presents significant policy challenges. Our objective was to create a focus area maturity model to describe and evaluate our progress in developing a policy framework to support a statewide master person index (sMPI) for healthcare and public health operations and research in Utah.
Materials and Methods: We used various artifacts, including minutes from policy guidance committee meetings over a span of 18 months, a report from Utah’s Digital Health Services Commission, and a draft technical requirements document to retrospectively analyze our work and create a focus area maturity model describing the domain of policy needed to support the sMPI. We then used our model to assess our progress and future goals.
Conclusions: The focus area maturity model provides an orderly path that can guide the complex process of developing a functional statewide master person index among diverse, autonomous partners. While this paper focuses on our experience in Utah, we believe that the arguments for using a focus area maturity model to guide the development of state or regional MPIs is of general interest.
Keywords : (MeSH): Medical Record Linkage, Systems Interoperability, Organizational Policy, Confidentiality
Objective
This paper describes efforts in Utah to create a statewide Master Person Index (sMPI) to uniquely identify each individual in the state receiving healthcare or public health services to support healthcare and public health operations and research. The sMPI is a collaborative effort between diverse partners with different missions, goals, and stakeholders, including the University of Utah (UU), Utah Department of Health (UDOH), Intermountain Healthcare and the Utah Health Information Network (UHIN). A description of these organizations is given below. The sharing of personally identifiable information required to create a sMPI across organizational boundaries presents significant policy challenges and requires new models for data sharing [1,2]. We present a focus area maturity model [3], developed retrospectively, as a means of documenting, organizing, and understanding our work on the sMPI. Our maturity model can serve to guide discussions, identify challenges, establish priorities, and assess progress in this and other cross-enterprise information sharing initiatives.
Background and Significance
The need to exchange patient-specific clinical data among autonomous healthcare entities to improve care has been the driving force behind Health Information Exchange (HIE) [4]. Patient-specific data exchanges are also important for treatment [5] and public health purposes [6] and are increasingly vital for biomedical research. Notable examples include comparative effectiveness and translational research [7], the Shared Health Research Information Network (SHRINE) [8], the cancer Biomedical Informatics Grid (caBIG) [9], and the Federated Utah Research and Translational Health eRepository (FURTHeR) [10]. Emerging infrastructures like these, critically depend on the ability to correctly link patients and their records across heterogeneous electronic systems operated under different administrative domains. The goal of the sMPI project, initially funded by an award from the NIH National Library of Medicine, is to create a cross-enterprise resource to uniquely identify all individuals receiving health care or public health services in Utah to support clinical care, clinical and translational research, and public health practice. Subsequent to the NIH grant award a multi-disciplinary Policy Governance Committee (PGC) was created to begin identifying and documenting high level policy and governance issues inherent in this effort. The PGC met 24 times in a span of 18 months between November, 2009 and April, 2011. Meeting agendas focused on a broad spectrum of topics including legal authority, trust, consent, governance, security, confidentiality, and sustainability. These meetings produced several artifacts, including meeting minutes and a draft technical requirements document.
At the same time, to secure public policy support, the sMPI project was presented to Utah’s Digital Health Service Commission (DHSC), a statutory advisory board that was created by the Utah Legislature in 2000 to advise and make recommendations to UDOH and state executive and legislative leaders on matters related to digital health. Its members, appointed by the governor and confirmed by the state Senate, consist of stakeholders in digital health, including physicians, non-physician providers, health insurance agencies, healthcare institutions and members of the public. A subcommittee of the DHSC conducted public meetings for 15 months and developed a comprehensive set of policy recommendations regarding the sMPI. In August 2011, the DHSC submitted a document titled, “Recommendations for establishing a statewide Secure Patient Directory”, to UDOH. (This document is included in supplementary materials.)
The PGC included diverse professional perspectives including attorneys, healthcare operations managers, privacy and security risk managers, health system representatives, Institutional Review Board representatives, researchers, public policy experts, consumers and record linkage experts. Attendees were not compensated for their participation in this effort. They came from the University of Utah, UDOH, UHIN, Intermountain Healthcare, the Utah Population Database, Utah Telehealth Network, a third-party provider organization, and consumer advocates, but they did not officially represent their institutions.
Following is a brief description of the main partner organizations involved in the sMPI project.
UDOH, as Utah’s public health agency, has numerous systems that receive identified patient-specific data from healthcare entities. These systems, which are not integrated, include vital records (births and deaths), hospital inpatient, outpatient and emergency department encounters, newborn hearing screening, metabolic screening, and the statewide immunization registry.
Intermountain Healthcare is a not-for-profit, integrated healthcare delivery system based in Salt Lake City, Utah. Intermountain provides healthcare throughout the state and covers over half of the healthcare market in Utah, with 22 inpatient facilities, including 12 rural hospitals, and over 200 ambulatory clinics. Intermountain has significant experience maintaining an electronic medical record (EMR) and enterprise MPI (EMPI).
University of Utah Health Care (UUHC) is an academic, integrated healthcare delivery system. UUHC, associated with the medical school of the University of Utah, has four hospitals, 10 community clinics, and several specialty clinics throughout the Salt Lake Valley and adjoining metropolitan area. UUHC has a mature EMR system.
The Utah Health Information Network (UHIN) is a coalition of Utah healthcare insurers, providers, the Utah Department of Health, and other interested parties that have collaborated to build a statewide network for electronic data interchange. UHIN is a not-for-profit network that currently serves all the hospitals, ambulatory surgery centers, national laboratories, and approximately 90% of the medical providers in Utah. UHIN is also a state-designated Health Information Exchange (HIE) entity to implement the clinical Health Information Exchange (cHIE) for the state of Utah.
As the name of the PGC indicates, its purpose and charter was not to authorize or approve policy, but rather to explore and formalize governance and policy issues as they related to the sMPI. Figure 1 is an illustration of the sMPI.
Methods
We created a focus area maturity model for the sMPI using the following artifacts to inform our work:
Meeting minutes from 24 PGC meetings between November, 2009 and April, 2011
sMPI draft Technical requirements document
DHSC Recommendations (Included in supplementary materials)
Maturity models are conceptual frameworks that have been used to describe levels of progress in many different domains [11,12]. These models provide a framework with which to understand, assess and improve processes or products. A typical model describes maturity as a series of plateaus, each of which represents a significant advancement in system or product capability. Such models have been criticized as being too simple to represent the complexity of modern systems [13], but Focus Area Maturity Models (FAMM) overcome this limitation by describing levels of capability in multiple distinct, interrelated focus areas. Therefore the resulting model can be used to assess incremental advancements in system maturity [3].
Here we used a modified version of the method identified by van Steenbergen et al., to create our FAMM, which proceeds as follows: 1) identify the scope and functional domain; 2) identify focus areas; 3) determine capabilities; 4) determine dependencies; 5) create matrix [3]. Once the maturity model was created we used it to assess the progress of our efforts toward building the sMPI.
Step 1—Domain and scope of model
Our model’s functional domain is the policy framework needed to support information exchange across organizational boundaries to support the sMPI for both healthcare operations and research. The field of Information Policy defines the policy domain to include laws, regulations, and practices involving information creation, processing, flows, access, and use [14]. Thus, the functional domain and scope of our maturity model is the set of laws, regulations and practices involving the creation, processing, flow, access and use of information in the sMPI.
Step 2—Identify focus areas
Within a functional domain, focus areas may be thought of as groups of activities, events, deliverables or other products that are closely related by a single purpose in support of the overall domain. Policy issues involved with real-time information exchange in support of biomedical research were studied by researchers associated with the cancer Biomedical Informatics Grid (caBIG). In an effort to understand the regulatory challenges posed by the real-time federation of clinical data for caBIG, researchers interviewed decision-makers from participating research centers and identified several policy concerns grouped around a number of broad themes, including governance, legal and financial, technical infrastructure, trust, auditing, risk management, and patient consent [15]. We have chosen these themes as initial focus areas for our model. We then analyzed PGC meeting minutes and the DHSC report to determine the completeness of our focus areas. We reviewed the minutes from the PGC meetings and documented answers to the following questions:
Which of our proposed focus areas were addressed in the meeting described by the minutes?
Were there any topics in the meeting that did not fall into our focus areas?
For each focus area mentioned, what capabilities, if any, were discussed?
Our review indicated 11 significant discussions of new legislation and existing legal constraints, 11 discussions of patient consent issues, 8 discussions of governance issues, 5 of financial sustainability, 5 of technical infrastructure, and 1 of auditing. The ability of users to audit system use, a key issue in trust management, was considered to be a capability of the technical infrastructure and was not included as a focus area. The issue of consent was not as straightforward. While the capability to enforce consent could be considered a technical capability, core issues of patient consent underlie the very ability to exchange data. Therefore consent was retained as a focus area. Our final list of focus areas included: Governance, Legal, Financial, Technical Infrastructure, and Patient Consent.
Step 3—Identify capabilities
For each of the focus areas established in Step 2 we identified specific capabilities, or evolutionary levels of maturity, based on expert discussions, experience, and where possible relevant literature.
Governance
The term governance describes the existence of a governing board or committee that develops, implements, and enforces policies and procedures [16]. These functions include adding new member organizations or dropping existing ones, oversight, auditing and other operational aspects of the exchange. Governance maturity defines the level to which the governance policies and procedures are formalized, authorized, and implemented. Following are the levels of governance maturity:
Informal—governance by an ad hoc committee, formed for a specific purpose and consisting of very little guidance (e.g. PGC)
Formal—a standing committee with a charter giving it authority, powers, establishing membership, procedures. Derives authority from trust agreement between partners. (e.g. Institutional Review Board)
Legal Authority
The legal focus area encompasses both existing legislation that authorizes and limits the exchange of protected health information as well as enabling legislation for a new resource. We identified three capabilities for the legal focus area:
Existing legislation—Information exchange and disclosure is authorized under existing Federal and State laws.
Delegated legislation—Regulations created by an agency of the executive branch of government to enforce legislation. For example, UDOH has authority to implement and administer laws passed by the Utah legislature through administrative rulemaking.
Administrative rulemaking—Delegated legislation enables UDOH to use its administrative rulemaking authority to establish a governance structure under the broad authority of the law.
Financial
Development of the sMPI, like many similar projects, was initiated with grant funding that was limited in time, amount, and scope. Its ongoing operation will depend on the development of a viable funding mechanism, most likely from payments from the participating entities that benefit from it. We identified the following capabilities for the financial focus area:
Startup funding—development and operation are funded through funding that is limited in size and time, such as government or private grants.
Sustainable funding—The resource has a sustainability model that provides value to participating programs and ensures its ongoing operation.
Value-added funding—More mature resources may develop new funding streams that reduce the financial burden on participating programs and increase revenues for system enhancement. For example, the sMPI could provide identity resolution for approved research projects or other purposes as allowed by law as a fee for service
Technical Infrastructure
Limited by the scope of our model, technical infrastructure refers only to that infrastructure needed to protect the privacy and security of sensitive information in an information exchange. In a cross-enterprise exchange such as the sMPI it includes privacy and security infrastructure already in place at participating programs, and that developed specifically for the exchange. The sMPI is complicated by the need to provide provisioning, access control, auditing and other security-related functions related to trust.
Capabilities for technical infrastructure include:
Existing infrastructure—Participating programs use existing infrastructure to enforce privacy and security.
Dedicated infrastructure—Dedicated hardware and /or software components are put into place solely to meet the basic needs of the exchange, such as user authentication, authorization and auditing.
Enhanced infrastructure—While a dedicated infrastructure meets the basic needs of the exchange, an enhanced infrastructure provides additional functionality such as automated policy enforcement and consent management to streamline the real-time flow of information.
Patient Consent
Exchanges of patient data for operational or research purposes, though authorized by law, often require patient consent. The multi-institution nature of the sMPI complicates the issue of managing consent by creating the need to manage multiple and possibly conflicting consents from a single individual received from multiple participating programs. Levels of capabilities include:
No consent –The system does not enforce patient consent.
Simple consent—The system supports enforcement of simple consent decisions, such as opt-in, opt-out.
Complex consent—The system supports enforcement of complex consent decisions (opt in or out with exceptions), with conflict resolution or finer granularity of consent decisions enforced.
Figure 2 illustrates the final focus areas and associated capabilities.
Step four—Determine Dependencies
For each capability in each focus area we determined those that fully depend on completing capabilities in other focus areas. The starting point for this analysis was sustainability.
The model of using public funding to build collaborative exchanges and private funding to sustain them is common in endeavors such as the this, and underscores the need to develop a sustainability plan early to avoid the risk of failure. A survey of five not-for-profit HIE organizations conducted in 2010 found that all five relied on state and federal grant programs for the majority (65%-70%) of costs associated with implementing and operating the HIE.[23] Only one of the five indicated that it was operating under a successful organizational business plan. A review of 11 successful HIEs, both for-profit and not-for-profit, by the National eHealth Collaborative identifies critical success factors and barriers to sustainability [17]. Not surprisingly, building trust by providing accurate and reliable data was critical for engaging stakeholders and attracting new subscribers and payers, thus ensuring the long-term sustainability of the exchange. As such, financial sustainability and a successful business model depend upon adequate technical infrastructure to build trust between participants.
Sustainability also depends on the governance model selected, as operational costs can vary significantly by governance model selected. A report issued by the National eHealth Collaborative examining sustainability issues in 12 fully operational HIEs, including three public-private partnerships, three commercial and one governmental exchange, identified a wide variety of business models and value-add services employed by different governance models [18].
Figure 3 shows a matrix illustrating dependencies for our model. Note that the letters A-C denote progressively mature capabilities for each focus area in which a specific capability can only be implemented when all prerequisite capabilities for other focus areas have been previously implemented.
For example the matrix illustrates that capability B of the Governance focus area, Formal Governance, cannot be achieved without final legal authority, level C. Furthermore, financial sustainability cannot be planned until the issue of consent is resolved, and consent cannot be resolved until a governance model is chosen. Through documenting dependencies, the matrix provides the opportunity to visualize what work has been done, and what remains.
Results and Discussion
In March 2012, with the passage of Utah House Bill 25: Patient Identity Validation, the Utah Legislature amended the Utah Health Code (Title 26, Chapter 1, Utah Code) to authorize UDOH to “establish methods for health care providers, public health entities, and healthcare insurers to coordinate among themselves to verify the identity of the individuals they serve.” Under the statute, UDOH can use its administrative rulemaking authority to implement policies for governance and data ownership as consensus is reached among stakeholders. In our model, level C of the legal focus area, will be reached when UDOH finalizes administrative rules for governance. With the delegated legislation in place, UDOH must convene stakeholders and develop a governance structure and associated trust agreements to lead the sMPI to the next level.
The issue of governance generated significant discussion in both the PGC and DHSC deliberations. The DHSC report identified the need for a unique governance structure for such a unique resource as the sMPI. The report further recommended governance with a balance of representation between government, public and private sectors. Specific governance committee member organizations and interest groups recommended in the report include, in addition to the partners in this project, the state Department of Insurance, the Utah Medical Association, Utah Hospital and Health System Association, and advocates for patient privacy, consumer issues, behavioral health, and people with special healthcare needs. While the report outlined the general makeup of a governance committee it stopped short of proposing or endorsing a specific governance model.
The PGC meeting deliberations focused on the reasonable and intuitive approach that ongoing operation of the sMPI should be funded from users who pay for the value of services received for participating in the project. This raises two important questions: How much will ongoing operation of the sMPI cost? What is the value of services received by participants?
In answer to the first question, as our model illustrates, accurate estimation of the ongoing operational cost of the sMPI is not possible without first identifying a governance structure as funding needs vary considerably by the governance model selected.
Furthermore, estimating the value of services received for participants is equally challenging. Each of the healthcare systems currently devotes significant resources to manually resolving MPI records that fail automatic linkage. One Utah health system’s internal study estimated a cost of $60 per patient who required manual resolution and approximately $2 million annual cost for identity resolution for their system. In UDOH, staff in the immunization registry and child health programs also expends significant resources conducting manual linkage of patient records. Opportunities are lost for UDOH to provide services to providers’ quality improvement or the state HIE’s simplification of administration due to lack of a statewide Master Person Index. For example, UDOH could use the sMPI to identify avoidable hospital readmissions to reduce re-hospitalizations across multiple health care systems; the sMPI could be used by UHIN to coordinate health plan benefits for its members. With these potential value-added services, the PGC and DHSC agreed on the principle that who benefits is who should pay for the sMPI. As the nation moves toward healthcare reimbursement models based on fee-for-value, organizations will become increasingly dependent on patient correlations across provider organizations. Prospective de-identification strategies derived from patient-centered qualitative analytics and reporting may offset some of the current costs of retrospective correlation for research purposes.
One of the most intractable issues the DHSC and PGC dealt with was the issue of consent management. HIE’s have grappled with consent issues for operational sharing of data, which is a variation of the debate over who owns health data. A white paper published by the Office of the National Coordinator for Health Information Exchange (ONC) identifies four typical consent models: no consent, opt-out, opt-in, and opt-in with restrictions [19]. In our model we characterize opt-in and –out as simple, and opt-in with restrictions as complex. The exchange of data for identity resolution presents similar consent issues as data exchange for HIEs, with one important difference. In order to enforce a patient’s consent or denial thereof, the patient must be identifiable. A quote extracted from PGC meeting minutes reads, “people do not have the right to remain ambiguous.” In other words, a centralized record is needed to track the consent or non-consent of individuals. The central consent question for the sMPI was that, with the vastly different data sources contributing information, what would the system do if consent status differed across sources? In addition, the dual purposes of the sMPI as both an operational and research resource led to the question of whether patients could consent or decline consent for one purpose but not the other.
To develop a model for consent, the PGC examined the role of consent in other operational and research domains. Institutions and integrated healthcare systems have the legal authority to link their own patient records to establish identity, and patients have no ability to opt out of that process. Other operational systems such as cancer registries do not allow patients to opt out of being in the registry, but patients can opt out of sharing their data for research [20].
In the course of discussions it became apparent that issues of consent are intertwined with the issue of governance. The final resting place of the sMPI, be it under state government, the state HIE, or a non-profit administrator, could have legal ramifications for the ability of the sMPI to compile and share data with potential consumers. The governance structure makes an impact on policy decisions, and without the question of governance resolved, the issue of consent will remain unclear. To compile information on the effect of governance on consent requirements, it was suggested to look at the cooperative agreements of other state HIEs.
The final consent policy, which is included in supplementary materials, made a distinction between consent to access and consent to disclose. When consenting to access, a patient agrees to allow sMPI consumers to access his or her demographic information. With consent to disclose, a patient is authorizing his or her provider to disclose demographic information to the sMPI. The policy further specifies that consent must be obtained by sMPI data sources per transaction, or visit. For research purposes, it was agreed to use the consent requirements of the approving IRB. Implementing these consent requirements in an operational exchange requires a sophisticated technical infrastructure.
By shading in areas of the maturity matrix up to each capability that has not been reached we can see a path toward implementing sMPI. (Figure 4) While the technical infrastructure is under development UDOH must convene stakeholders to develop first a governance model and then a sustainability plan. The final consent model will depend upon governance; however the technical infrastructure requirements dictate support for simple opt-in or out consent. As use of the sMPI grows, enhanced infrastructure to support more granular consent or for automated policy enforcement can be used to support value-add services.
Conclusions
Exchanging personally identifiable information across enterprises for healthcare identity resolution requires new models for data sharing and a complex policy framework to mitigate risks to participants and ensure cooperative success. A focus area maturity model can be used to assess work and identify a path forward in developing such systems. Using the framework proposed here provides an orderly path to address interdependences that can guide the complex process of developing a functional sMPI, avoiding conflicts between policy and technology that may lead to non functional implementations.
While this paper focuses on our experience in Utah, we believe that the arguments for using a focus area maturity model to guide the development of state or regional MPIs is of general interest.
Acknowledgments
This project was funded under NIH Grant No. 1RC2LM010798-01, Development of a Statewide Master Person Index. We would like to thank members of the PGC and DHSC for their time, dedication and expertise.
References
- 1.McDonald CJ, Overhage JM, Barnes M, Schadow G, Blevins L, et al. 2005. The Indiana network for patient care: a working local health information infrastructure. An example of a working infrastructure collaboration that links data from five health systems and hundreds of millions of entries. Health Aff (Millwood). 24(5), 1214-20 and . 10.1377/hlthaff.24.5.1214 [DOI] [PubMed] [Google Scholar]
- 2.Boyd AD, Hosner C, Hunscher DA, Athey BD, Clauw DJ, et al. 2007. An 'Honest Broker' mechanism to maintain privacy for patient care and academic medical research. Int J Med Inform. 76(5-6), 407-11 and . 10.1016/j.ijmedinf.2006.09.004 [DOI] [PubMed] [Google Scholar]
- 3.Steenbergen M, Bos R, Brinkkemper S, Weerd I, Bekkers W. The Design of Focus Area Maturity Models. In: Winter R, Zhao JL, Aier S, editors. Global Perspectives on Design Science Research: Springer Berlin Heidelberg; 2010. p. 317-32. [Google Scholar]
- 4.Menachemi N, Collum TH. Benefits and drawbacks of electronic health record systems. Risk management and healthcare policy. 2011;4:47-55. [DOI] [PMC free article] [PubMed]
- 5.Center BP. Challenges and Strategies for Accurately Matching Patients to Their Health Data. Bipartisan Policy Center; [cited 2013 03/28/2013]; Available from: http://bipartisanpolicy.org/library/staff-paper/challenges-and-strategies-accurately-matching-patients-their-health-data
- 6.Nangle B, Xu W, Sundwall DN. Mission-driven priorities: public health in health information exchange. AMIA Annual Symposium proceedings / AMIA Symposium AMIA Symposium. 2009;2009:468-72. Epub 2009/01/01. [PMC free article] [PubMed] [Google Scholar]
- 7.Brixner DI, Watkins JB. 2012. Can CER Be an Effective Tool for Change in the Development and Assessment of New Drugs and Technologies? J Manag Care Pharm. 18(5) (Supp A), S06-11 . [DOI] [PMC free article] [PubMed] [Google Scholar]
- 8.Weber GM, Murphy SN, McMurry AJ, Macfadden D, Nigrin DJ, et al. 2009. The Shared Health Research Information Network (SHRINE): a prototype federated query tool for clinical data repositories. J Am Med Inform Assoc. 16(5), 624-30 and . 10.1197/jamia.M3191 [DOI] [PMC free article] [PubMed] [Google Scholar]
- 9.Wang H, Yatawara M, Huang SC, Dudley K, Szekely C, et al. 2012. The integrated proactive surveillance system for prostate cancer. Open Med Inform J. 6, 1-8.http://10.2174/1874431101206010001 [DOI] [PMC free article] [PubMed]
- 10.Livne OE, Schultz ND, Narus SP. 2011. Federated querying architecture with clinical & translational health IT application. J Med Syst. 35(5), 1211-24 and . 10.1007/s10916-011-9720-3 [DOI] [PubMed] [Google Scholar]
- 11.Afshari. Information Resource Management Maturity Model. Proceedings of the World Academy of Science, Engineering and Technology. 2009;37.
- 12.Farah B. 2011. A Maturity Model for the Management of Information Technology Risk. International Journal of Technology. Knowl Soc. 7(1), 13-25 [Google Scholar]
- 13.McCormack K, Willems J, Van den Bergh J, Deschoolmeester D, Willaert P, et al. 2009. A global investigation of key turning points in business process maturity. Bus Process Manag J. 15(5), 792-815 . 10.1108/14637150910987946 [DOI] [Google Scholar]
- 14.Rowlands I. 1996. Understanding information policy: concepts, frameworks and research tools. J Inf Sci. 22(1), 13-25 . 10.1177/016555159602200102 [DOI] [Google Scholar]
- 15.Manion FJ, Robbins RJ, Weems WA, Crowley RS. 2009. Security and privacy requirements for a multi-institutional cancer research data grid: an interview-based study. BMC Med Inform Decis Mak. 9(31). . [DOI] [PMC free article] [PubMed] [Google Scholar]
- 16.Goedert J. Governance: the HIE differentiator. Health data management. 2009;17(8):26, 8, 30 passim. [PubMed]
- 17.HIE Business and Technical Profiles. Available from: http://www.himss.org/content/files/201009HIMSSHIEBusinessandTechnicalProfiles.pdf
- 18.Prestigiacomo J. HIE sustainability secrets. NeHC report shares HIE success stories of alternate revenue streams and payer buy-in. Healthcare informatics: the business magazine for information and communication systems. 2011;28(11):24, 6, 8. [PubMed]
- 19.Consumer Consent Models for HIE: Policy Considerations and Analysis. [03/25/2013]; Available from: http://www.himss.org/content/files/201009HIMSSHIEBusinessandTechnicalProfiles.pdf
- 20.Beskow LM, Sandler RS, Weinberger M. 2006. Research recruitment through US central cancer registries: balancing privacy and scientific issues. Am J Public Health. 96(11), 1920-26 and . 10.2105/AJPH.2004.061556 [DOI] [PMC free article] [PubMed] [Google Scholar]