Healthcare Data Federation Through Scoped Governance

by Nick Clark | Published March 27, 2026

Healthcare interoperability has been promised for decades and structurally prevented for just as long. The fundamental obstacle is not technical format differences or legacy systems. It is that no single institution can hold governance authority over patient identity and clinical data across organizational boundaries, and no central registry can satisfy the heterogeneous regulatory regimes that simultaneously govern those boundaries. Adaptive indexing, disclosed under USPTO provisional 64/049,409, enables each institution to govern its own namespace while federated resolution makes the whole chain traversable, with HIPAA, GDPR, and jurisdiction-specific consent rules enforced at each scope by its own governing authority rather than by a central intermediary that no participant fully trusts.


1. Regulatory Framework

Healthcare data is the most heavily regulated information class in the modern economy, and the regulatory regimes are deliberately heterogeneous because they reflect deep differences in how societies allocate authority over the patient relationship. In the United States, HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule define a federal floor for protected health information (PHI), with state-level overlays that frequently impose stricter requirements (California's CMIA, Texas HB 300, New York's SHIELD Act, and the patchwork of state genetic-privacy and reproductive-health statutes). The 21st Century Cures Act and ONC's information-blocking rule add an affirmative duty to share data when sharing is permitted, creating a two-sided regulatory pressure: protect when required, share when required, and prove the difference at every interface.

The European Union layers GDPR's Article 9 special-category protections over the EHDS (European Health Data Space) regulation, which mandates cross-border secondary use of health data under tightly scoped governance. The UK's Data Protection Act and NHS Digital's data-sharing framework operate in parallel. Canada's PIPEDA and provincial PHIPA, Australia's My Health Records Act, and Japan's Act on the Protection of Personal Information each define distinct consent frameworks, breach-notification thresholds, and cross-border transfer rules. Where research is involved, IRB and Research Ethics Committee oversight imposes institution-specific governance that sits inside the regulatory regime rather than alongside it. Where payment is involved, the rules tighten further: PCI-DSS for card data, ERISA for self-insured plans, Medicare and Medicaid fraud-and-abuse statutes, and a parallel set in every other jurisdiction.

The newer overlays compound the requirement. The HHS HTI-1 and HTI-2 rules tighten algorithmic transparency for clinical decision support. The EU AI Act classifies certain clinical AI as high-risk and demands data-governance documentation that traces every training and inference observation back to its source. State reproductive-health and gender-affirming-care statutes impose conflicting disclosure obligations across state lines. Sanctions and export-control regimes touch genomic data through dual-use research oversight. Each regime presumes that the institution holding the data can answer, with evidence, "who saw this, under what authority, on whose behalf, and for what purpose?" and can do so across institutional, jurisdictional, and vendor boundaries. The regulatory direction of travel is unambiguous: patient data governance must be auditable as a structural property of the data itself.

2. Architectural Requirement

The architectural requirement implied by these regimes is a federated namespace in which every patient identity, clinical observation, consent record, and access event is a credentialed observation produced by an authority whose scope is explicit and whose policy is enforced at the boundary of that scope. A hospital must govern its patient namespace under its HIPAA Notice of Privacy Practices and its state-specific overlays. A laboratory must govern its result namespace under its CLIA certification and its contractual relationships with ordering providers. A pharmacy must govern its prescription namespace under DEA and state board of pharmacy authority. An EU institution must govern its namespace under GDPR Article 9 and its national derogations. None of these scopes can be subordinated to any other, because each rests on a distinct legal and contractual foundation and on consent obtained from the patient under terms specific to that scope.

Yet the namespace must be traversable, because patients do not stay within a single scope. A patient who visits three health systems, fills prescriptions at two pharmacies, has labs drawn at an independent reference laboratory, and travels across state and national lines must remain identifiable to the institutions that legitimately need to identify them, while remaining shielded from those that do not. The traversal must be authority-credentialed at each crossing, evidentially weighted by the consent in force, admissibility-tested against the destination scope's regulatory regime, executed by a governed actuator that distinguishes intent from execution, and lineage-recorded so that the patient, the institutions, and the regulators can reconstruct after the fact who saw what, when, under whose authority, and on what consent.

This is the architectural shape that the EHDS regulation describes in regulatory prose, that ONC's information-blocking rule presupposes, and that no current healthcare interoperability architecture exhibits. FHIR, HL7, IHE profiles, and HIE infrastructure standardize transport and format. They do not standardize the governance shape, and the governance shape is what the regulatory regimes are converging on.

3. Why Procedural Approaches Fail

The dominant procedural response to healthcare federation is the master patient index (MPI). Within a single integrated delivery network, an enterprise MPI is genuinely valuable: it reconciles the multiple identities a patient accumulates across hospital admissions, outpatient encounters, and ancillary services within a single governance domain. The MPI breaks at the institutional boundary. Connecting two enterprise MPIs requires either a super-MPI that governs both, which neither institution will accept because it would surrender governance to an external authority, or bilateral matching agreements that scale quadratically with the number of participants and produce probabilistic matches that no participant can fully audit.

The second procedural response is the regional or national health information exchange. CommonWell, Carequality, eHealth Exchange, and Sequoia Project's frameworks in the US, NHS Digital's Spine in the UK, the EHDS interoperability layer in the EU, and similar regional infrastructures elsewhere attempt to create a shared resolution layer. The HIE delivers real operational value, but it depends on every participant agreeing to a uniform governance posture that none of them can actually maintain. When state law, IRB requirements, or institutional policy diverges from the HIE's posture, participants either withdraw, opt out of specific data classes, or impose institution-specific filters that recreate the fragmentation the HIE was supposed to solve.

The third procedural response is the patient-mediated exchange: the patient downloads their record from each institution and re-uploads it into a personal health record, a payer portal, or a research platform. This is structurally appealing but operationally unworkable for the population that actually needs federation: patients with complex chronic conditions, cognitive impairment, language barriers, or simply the ordinary working life that does not include managing a personal health record. It also collapses the institution's governance role onto the patient, who is the least equipped party to enforce HIPAA, GDPR, or any of the overlays.

The fourth procedural response — blockchain-based health records — fails for a structural reason that is worth stating clearly. Global consensus is incompatible with the access-control requirements of clinical data. The very existence of certain records (HIV status, mental-health diagnoses, reproductive-health encounters, gender-affirming care, substance-use treatment under 42 CFR Part 2) is sensitive information in many jurisdictions, and a global ledger that records "this patient has a record at this institution" violates the governance requirement even when the contents are encrypted. The governance requirement is not encryption; it is scoped visibility, and scoped visibility is incompatible with global consensus.

What the procedural approaches share is the absence of a structural mechanism for governed traversal across scopes that retain their own governance. They reduce to "trust the central registry," "trust the HIE," or "trust the patient" — all of which transfer governance to a party whose authority does not actually cover the regulatory regime in force at each scope.

4. The AQ Adaptive-Indexing Primitive

The Adaptive Query adaptive-indexing primitive, disclosed under USPTO provisional 64/049,409, structures the healthcare namespace as a hierarchy of anchor-governed scopes. Each anchor is a cryptographic governance object that defines a scope, the authority entitled to mutate within that scope, the policy under which mutations are admitted, and the credentialing rules under which traversal into and out of the scope is permitted. A hospital operates as an anchor over its patient namespace. A health system operates as a parent anchor over its constituent facility anchors. A laboratory operates as an anchor over its result namespace. A pharmacy operates as an anchor over its prescription namespace. A jurisdiction operates as an anchor over the institutional anchors within its boundaries. None of these anchors subordinates to any other; each retains its own governance under its own regulatory regime.

Patient identity resolution is performed by traversal across the hierarchy. When a patient presents at a new institution, a query walks from the new institution's scope through the namespace structure toward the scopes that hold the patient's prior records. At every boundary the governing anchor evaluates the traversal credential — typically a consent observation signed by the patient under the originating scope's policy — against its own admissibility policy. The traversal is authority-credentialed at each crossing, evidentially weighted by the consent's freshness and scope, admissibility-tested against the destination scope's regulatory regime, governed at the actuator so that read versus write operations are independently policed, and lineage-recorded as an evidentiary artifact that the patient, the institutions, and the regulators can replay independently.

HIPAA enforcement happens at the US institutional anchors. GDPR enforcement happens at the EU institutional anchors. State-specific overlays happen at the state-jurisdiction anchors that contain the institutional anchors within them. Cross-border transfer rules happen at the jurisdiction-boundary anchors. The patient's identity remains globally resolvable because the hierarchy connects the scopes; data access is locally governed because each anchor enforces its own policy; and the recursive closure of the chain — every actuation produces observations that re-enter the chain as inputs to downstream evaluations — gives the system the structural property that current architectures lack.

5. Compliance Mapping

The mapping from the AQ primitive to the regulatory regimes is direct. HIPAA's Privacy Rule "minimum necessary" standard maps onto admissibility evaluation at the destination anchor: the requesting scope receives only the data classes its credential authorizes. HIPAA's accounting-of-disclosures requirement maps onto the lineage-recorded property: every traversal is preserved as an evidentiary artifact that the covered entity can produce on patient or regulator demand. The Breach Notification Rule's risk-assessment provisions map onto the evidential-weighting property: the institution can demonstrate which records were exposed under which credentials, rather than presuming exposure of an entire database.

GDPR Article 9 special-category restrictions map onto anchor admissibility policy at the EU scope, with derogations expressed as scope-specific policy overlays. Article 30 records of processing activities map onto the lineage substrate. Article 32 security-of-processing requirements map onto the credentialed actuator. Cross-border transfer mechanisms (adequacy decisions, SCCs, BCRs) map onto traversal credentials between jurisdictional anchors, with the legal basis for each transfer recorded in the lineage. EHDS secondary-use governance maps onto a research-purpose anchor that admits traversals only under credentialed research purposes registered with the relevant Health Data Access Body.

ONC's information-blocking rule's exceptions (privacy, security, infeasibility, content-and-manner) map onto explicit anchor policies, so that an institution declining a request can produce the structural reason rather than relying on after-the-fact justification. 42 CFR Part 2 substance-use confidentiality maps onto a scope-specific anchor with stricter admissibility than the surrounding HIPAA scope. State reproductive-health and gender-affirming-care shield laws map onto jurisdiction-anchor policies that refuse traversal credentials originating in states with conflicting disclosure regimes. The EU AI Act's data-governance requirements for high-risk clinical AI map onto the lineage substrate that traces every training and inference observation back to its credentialed source.

The structural property that satisfies all these regimes simultaneously is the same: governed traversal across distributed-authority namespaces with admissibility, weighting, governed actuation, and lineage as architectural properties rather than vendor or HIE promises.
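The following is an added illustration, written for this article and not code from the Adaptive Query disclosure itself, of the mechanism sections 4 and 5 describe: anchors in a hierarchy, a patient-signed consent checked at every boundary a traversal crosses, "minimum necessary" narrowing of released data classes at each hop, and a lineage entry recorded by each anchor. It assumes a constructed US/NY/TX hierarchy with one hospital per state, made-up data-class names, and an HMAC in place of the patient's signature; a real deployment would use an asymmetric signature bound to the patient's credential.

```python
import hmac, hashlib, json
from dataclasses import dataclass, field

@dataclass
class Anchor:                      # one governed scope and the data classes its policy admits
    name: str
    parent: "Anchor | None"
    admissible: frozenset
    lineage: list = field(default_factory=list)   # evidentiary record of every crossing

def sign_consent(key: bytes, consent: dict) -> dict:
    # HMAC stands in for the patient's signature over the consent observation (assumption).
    body = json.dumps(consent, sort_keys=True).encode()
    return {**consent, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify_consent(key: bytes, consent: dict) -> bool:
    body = json.dumps({k: v for k, v in consent.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), consent.get("sig", ""))

def crossing_path(src: Anchor, dst: Anchor) -> list:
    """Anchors crossed walking up from src to the common ancestor, then down to dst."""
    up, a = [], src
    while a is not None:
        up.append(a); a = a.parent
    down, a = [], dst
    while a is not None and a not in up:
        down.append(a); a = a.parent
    if a is None: raise ValueError("no common governing scope")
    return up[:up.index(a) + 1] + down[::-1]

def traverse(src: Anchor, dst: Anchor, consent: dict, key: bytes, now: int):
    """Return (released data classes, outcome); each anchor on the path enforces its own policy."""
    if not verify_consent(key, consent):
        return frozenset(), "refused: bad consent signature"
    if now > consent["expires"]:
        return frozenset(), "refused: consent expired"
    granted = frozenset(consent["classes"])
    for anchor in crossing_path(src, dst):
        granted &= anchor.admissible              # minimum necessary narrows at every hop
        anchor.lineage.append({"t": now, "patient": consent["patient"], "from": src.name,
                               "to": dst.name, "released": sorted(granted)})
        if not granted:
            return granted, f"refused at {anchor.name}"
    return granted, "admitted"

def build_demo() -> dict:   # constructed sample: two state jurisdictions, one hospital each
    full = frozenset({"labs", "meds", "reproductive_health"})
    us = Anchor("US", None, full)
    ny, tx = Anchor("NY", us, full), Anchor("TX", us, full - {"reproductive_health"})  # TX: RH never crosses
    return {"HospNY": Anchor("HospNY", ny, full), "HospTX": Anchor("HospTX", tx, tx.admissible)}
```

Each anchor keeps its own lineage and nothing in it is published outside the scope that recorded it, which is the scoped-visibility point section 3 raises against global ledgers.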

6. Adoption Pathway

Adoption is incremental and composes alongside existing healthcare interoperability infrastructure. The first stage is anchor onboarding within a single health system: the system stands up an anchor over its existing enterprise MPI and FHIR endpoints and publishes its admissibility policy. Existing HIE participation continues unchanged; the anchor adds a credentialed wrapper around what is already exposed. The cost is comparable to a HITRUST or SOC 2 attestation cycle, and the benefit is that the system's outputs are now structurally auditable in a way that the underlying FHIR endpoints alone cannot be.

The second stage is bilateral traversal between participating anchors. Two health systems that already exchange records through Carequality or eHealth Exchange replace the trust-the-network assumption with a direct anchor-to-anchor traversal credential. Each side retains its governance; neither side subordinates to the network's uniform policy. Carequality and similar frameworks reposition as anchor-discovery services rather than trust intermediaries. The third stage is jurisdictional anchoring: state HIEs, national health agencies, and EHDS Health Data Access Bodies stand up jurisdiction-level anchors that enforce cross-border policy at the boundary between institutional scopes.

The fourth stage is patient-facing federation. The patient holds credentials in their own scope and emits consent observations that traverse into institutional scopes under their own authority, rather than navigating a portal at each institution. This is the architectural endpoint that patient-mediated exchange was reaching toward and never achieved, because it requires structural governance rather than procedural goodwill.

The commercial alignment is straightforward. EHR vendors retain their position as the system of record and gain a structurally defensible posture against information-blocking enforcement. HIEs and frameworks reposition as anchor operators and policy curators. Regulators gain auditable lineage without imposing a national identifier that the political process will not deliver. Patients gain identity continuity across institutions without surrendering control to a central database that any single breach could compromise. The structural result is a healthcare data federation where governance scales with the number of participants rather than collapsing into a central authority that becomes the single point of governance failure.
