Patient Identity Through Behavioral Continuity

1. Regulatory Framework

Patient identity in the United States operates under a layered regulatory regime that simultaneously demands accurate identification and forbids the obvious technical shortcut. HIPAA (45 CFR Parts 160 and 164) requires covered entities to implement administrative, physical, and technical safeguards that ensure protected health information is associated with the correct individual; the Security Rule's integrity standard at §164.312(c)(1) is, in practice, an identity-correctness standard. The HITECH Act extends breach-notification obligations to any unauthorized disclosure tied to a misidentified record. The Joint Commission's National Patient Safety Goal NPSG.01.01.01 mandates use of at least two patient identifiers before any care delivery, and CMS Conditions of Participation tie reimbursement to demonstrable identification controls.

At the same time, Section 510 of the Labor-HHS appropriations rider has prohibited federal funding for a unique national patient identifier since 1999. The ONC's 21st Century Cures Act information-blocking rules require interoperable exchange of electronic health information across institutional boundaries, while the TEFCA framework operationalizes that exchange through Qualified Health Information Networks — yet none of those mechanisms resolve the underlying patient-matching problem. State laws compound the picture: California CMIA, Texas HB 300, and New York SHIELD impose state-specific identity-handling obligations on top of HIPAA. The GDPR applies to any U.S. system handling EU residents' clinical data, with Article 9 special-category restrictions on biometric identifiers.

The regulatory net effect is a contradictory mandate: identify every patient correctly at every transition of care, do not create a national identifier, do not centralize biometric templates beyond what is strictly necessary, share records across institutional boundaries on demand, and produce an audit trail that can withstand both OCR enforcement and tort discovery. Any architectural solution must satisfy all of these simultaneously.

2. Architectural Requirement

The architectural requirement that falls out of this regulatory frame is precise. A conforming patient-identity system must produce identity that is verifiable without a stored secret, portable across institutional boundaries without a central registry, resistant to compromise without revocation infrastructure, and recordable in a form that supports both real-time clinical use and post-hoc forensic reconstruction. Identity must be available within seconds at an emergency-department bedside, must survive transfer to a receiving facility that has never seen the patient, and must remain valid across decades of episodic care.

Patient identity errors concentrate at transitions: emergency department admission, inter-facility transfer, handoff between care teams, and cross-institutional referral. Each transition involves a re-identification step where the patient must be matched to their records through identifiers that may be unavailable, incorrect, or ambiguous. An unconscious patient arriving in an emergency department has no wristband, cannot provide a medical record number, and may not carry identification. A patient transferred between hospitals has a medical record number at the sending hospital that is meaningless at the receiving hospital. A patient who visits multiple health systems accumulates multiple identities with no structural mechanism to unify them.

The industry estimates that between 8% and 12% of patient records contain duplicate or mismatched identities. Each mismatch creates a risk of wrong-patient treatment, medication errors, missed allergies, or repeated diagnostic procedures. The Pew Charitable Trusts, ECRI, and the AHIMA have all converged on the same conclusion: the core architectural defect is the dependence on stored identifiers — wristbands, medical record numbers, enrollment fields — that decouple from the patient at exactly the moments where identification matters most. The financial cost is measured in billions. The human cost is measured in preventable harm.

3. Why Procedural Approaches Fail

Master Patient Index (MPI) systems attempt to resolve duplicates through probabilistic matching of demographic data: name, date of birth, address, and social security number. These algorithms — Soundex, Jaro-Winkler, vendor proprietary fuzzy matchers — achieve useful accuracy within a single institution but degrade significantly across institutions where data quality, data formats, and data completeness vary. The CommonWell Health Alliance and Carequality networks have demonstrated that even with full record exchange, cross-network match rates plateau in the 50–70% range without manual intervention. The probabilistic approach is structurally incapable of being deterministic at the boundary that matters most.

National patient identifier proposals would solve the matching problem but face political, privacy, and statutory obstacles that have blocked them for a quarter century. A single identifier for every patient creates a surveillance and breach risk that many stakeholders consider unacceptable. The identifier must be issued, managed, and secured by some central authority, creating the same single-point-of-failure risk that credential databases present in financial services. The Section 510 rider has been renewed every Congress since 1999, and there is no political pathway to reversal.

Biometric matching using fingerprints, palm vein scans, or iris recognition improves accuracy but creates stored biometric templates that are subject to breach and cannot be revoked. A patient whose biometric template is compromised cannot change their fingerprints. Imprivata PatientSecure and similar deployments have shown operational value but remain a stored-secret architecture under a different name; the BIPA litigation environment in Illinois and analogous Texas, Washington, and now-fourteen-state biometric privacy laws make the stored-template posture an escalating liability rather than a stable solution. Smart cards, federated identity tokens, and SMART-on-FHIR identity assertions all reduce to stored-credential architectures that fail at the unconscious-patient and lost-card edge cases. Procedural overlays — two-identifier verification, time-out protocols, read-back confirmation — improve outcomes within their operational envelope but cannot address the structural defect: there is no architectural substrate that produces identity from the patient themselves at the moment of care.

4. The AQ Keyless-Identity Primitive

The Adaptive Query keyless-identity primitive disclosed under USPTO provisional 64/050,895 supplies the architectural substrate that the regulatory regime requires and that procedural overlays cannot synthesize. Keyless identity derives patient identity from accumulated behavioral continuity across clinical encounters. There is no stored template, no central identifier, and no enrollment database. Instead, each clinical encounter extends a dynamic hash chain that captures the patient's identity trajectory through locally-sourced signals: physiological characteristics, interaction patterns, device associations, and clinical context.

The trust slope validates patient identity through the consistency of this trajectory over time. A patient who has accumulated multiple clinical encounters has a strong trust slope that is difficult to forge because each link in the chain depends on entropy sources specific to the actual patient at the actual time of the encounter. An attacker would need to replicate not just a snapshot of the patient's identity but the entire accumulated trajectory — a problem that scales with chain length and with the diversity of entropy sources, both of which grow monotonically with care history.

For emergency patients without prior encounters, the system begins building a trust slope from the moment of admission. Physiological signals from monitoring devices, interaction patterns with clinical staff, and environmental characteristics begin forming the identity trajectory. By the time the patient is transferred or discharged, a usable trust slope exists that can be validated at the next encounter. The chain is held by the patient — bound to their physiology and behavior — rather than by an institutional database, which is exactly the property the Section 510 rider is structured to require: identity without a central registry. Because the primitive is technology-neutral with respect to entropy sources (any signed measurement, any interaction trace, any device association) and composes hierarchically across institutional boundaries, deployments scale by extending the chain rather than by re-architecting. The inventive step under provisional 64/050,895 is the closed trust-slope chain as a structural condition for keyless identity.

5. Compliance Mapping

The keyless-identity primitive maps cleanly onto the regulatory regime described in Section 1. HIPAA §164.312(c)(1) integrity is satisfied structurally: each chain extension is cryptographically bound to the prior link, so any tampering with identity history is detectable rather than merely auditable. §164.312(b) audit controls are satisfied by the chain itself, which is a credentialed lineage record by construction. §164.312(d) person-or-entity authentication is satisfied through trust-slope validation rather than through a stored credential, which removes the §164.308(a)(5)(ii)(D) password-management problem from the patient-identity surface entirely.

The Section 510 prohibition on a unique national patient identifier is satisfied because there is no identifier — there is a trajectory held by the patient. The Joint Commission NPSG.01.01.01 two-identifier requirement is satisfied with margin because trust-slope validation incorporates multiple independent entropy sources at each encounter, exceeding the two-identifier floor. The 21st Century Cures Act information-blocking rule and TEFCA cross-network exchange are satisfied because the chain is portable by construction; a receiving QHIN validates the slope rather than requesting a foreign MPI lookup. GDPR Article 9 special-category constraints are satisfied because no biometric template is stored — the entropy is consumed into the chain extension and not retained as a re-identifiable artifact, which is the architectural property that BIPA and analogous state regimes were designed to incentivize. State CMIA, HB 300, and SHIELD obligations reduce to standard lineage-record handling. OCR enforcement posture improves because the tamper-evident chain is a stronger evidentiary artifact than current audit logs in any breach-investigation or right-of-access dispute.

6. Adoption Pathway

A healthcare system deploying keyless patient identity does not rip out its EHR, its MPI, or its admission workflows. The primitive integrates as a substrate beneath them. Bedside monitors, clinical devices, infusion pumps, and nursing-interaction surfaces emit signed observations into the patient's trust-slope chain; the existing EHR continues to hold clinical content and continues to display a medical record number for human-facing workflows. The chain runs as the system-of-truth for identity correctness while the MRN remains the system-of-display for staff convenience. No separate enrollment step is required. Identity emerges from the clinical encounter itself.

A staged adoption begins with one high-value transition — typically emergency-department admission, where misidentification rates and harm severity are both highest — and extends to inter-facility transfer, then to cross-institutional referral through the TEFCA pathway, then to longitudinal ambulatory care. For inter-facility transfers, the patient's trust slope transfers with them; the receiving facility validates the slope against the patient's current physiological and behavioral signals. If the signals are consistent with the accumulated trajectory, the identity is confirmed without requiring the sending facility's medical record number, a central patient matching service, or manual re-identification. For cross-institutional encounters, the trust slope provides a structural mechanism for patient matching that does not depend on demographic data quality or probabilistic algorithms.

Commercial framing for the integrating health system is direct: keyless identity reduces wrong-patient adverse events, reduces duplicate-record remediation cost, reduces denied-claim volume tied to identity mismatches, and produces an OCR-defensible integrity posture that current MPI-plus-wristband architectures cannot. Honest framing — the AQ primitive does not replace the EHR, the MPI, or the clinician; it supplies the identity substrate the regulatory regime has required since HIPAA and that the Section 510 rider has, by design, prevented any central authority from supplying. A wristband can be placed on the wrong patient. A medical record number can be mistyped. A trust-slope chain accumulated across the patient's own encounters is structurally resistant to both.