Inferensys

Glossary

Federated Cohort Discovery

A privacy-preserving query process that allows researchers to identify and count patient populations matching specific clinical criteria across multiple institutional databases without moving or exposing individual-level data.
Engineer reviewing vector database search results on laptop, embeddings visualization on screen, home office coding session.
PRIVACY-PRESERVING PATIENT IDENTIFICATION

What is Federated Cohort Discovery?

A decentralized query mechanism enabling researchers to count eligible patient populations across multiple institutional databases without moving or exposing protected health information.

Federated Cohort Discovery is a privacy-preserving query process that allows researchers to identify and count patient populations matching specific clinical criteria across multiple institutional databases without moving or exposing individual-level data. It transforms the traditional model of centralized data aggregation by sending the query to the data rather than the data to the query, returning only aggregate counts that satisfy the inclusion and exclusion rules.

The architecture typically relies on a distributed network of honest broker nodes that translate a common query language into local database dialects, execute the search behind each institution's firewall, and return de-identified summary statistics. This approach is foundational for multi-site clinical trial feasibility assessments and rare disease patient recruitment, enabling research networks to rapidly determine whether a sufficient cohort exists across participating sites before investing in full-scale data harmonization or institutional review board approvals.

PRIVACY-PRESERVING ARCHITECTURE

Key Features of Federated Cohort Discovery

Federated Cohort Discovery enables researchers to query patient populations across multiple institutions without moving or exposing protected health information. The following architectural components ensure regulatory compliance, query accuracy, and cross-site interoperability.

01

Distributed Query Execution

A central orchestrator dispatches a standardized query to each participating site's local database. The query executes entirely within the institution's firewall, scanning structured clinical data—diagnosis codes, lab values, medications—without any raw data leaving the site. Only aggregate counts are returned.

  • Site-level autonomy: Each institution retains full control over its data
  • No data centralization: Eliminates the need for a single pooled data warehouse
  • Real-time feasibility: Returns preliminary cohort counts in seconds to minutes
Zero
Patient Records Moved
02

Threshold-Based Disclosure Control

To prevent re-identification through small cell sizes, the system enforces a minimum aggregate count threshold—typically 10 or 11. If a query returns fewer patients than the threshold, the result is suppressed and reported as "<10" rather than revealing the exact count.

  • Blurred counts: Protects against differencing attacks across multiple queries
  • Configurable policies: Each site can set its own disclosure risk tolerance
  • Audit logging: Every query and response is recorded for compliance review
03

Common Data Model Harmonization

Participating sites map their local data schemas to a shared Common Data Model (CDM) such as OMOP or i2b2. This semantic normalization ensures that a query for "HbA1c > 7.0" translates correctly across different EHR systems, lab coding conventions, and unit representations.

  • OMOP: Observational Medical Outcomes Partnership standard
  • i2b2: Informatics for Integrating Biology and the Bedside
  • Terminology mapping: LOINC, SNOMED-CT, and RxNorm alignment
04

Cryptographic Secure Aggregation

When sites must jointly compute statistics beyond simple counts—such as average age or gender distribution—secure multi-party computation (SMPC) protocols ensure no individual site's intermediate values are exposed. The central aggregator learns only the final combined result.

  • Secret sharing: Each site's contribution is split into encrypted shares
  • Zero-knowledge proofs: Verifies computation correctness without revealing inputs
  • Differential privacy integration: Optional noise injection for formal privacy guarantees
05

Iterative Cohort Refinement

Researchers rarely define the perfect cohort on the first attempt. Federated systems support interactive, multi-step refinement—broadening or narrowing criteria based on initial aggregate counts—without ever seeing individual-level data. Each iteration triggers a new distributed query cycle.

  • Inclusion/exclusion criteria: Age ranges, diagnosis windows, medication history
  • Temporal constraints: "Diagnosed within 6 months of first lab"
  • Boolean logic: Complex AND/OR/NOT combinations across data domains
06

Phenotype Definition Portability

Cohort definitions are expressed as executable, version-controlled phenotype algorithms using standard formats like PheKB or OHDSI's ATLAS. These computable definitions ensure reproducibility—the same logic runs identically at every site, eliminating subjective interpretation of free-text inclusion criteria.

  • PheKB: Curated library of validated electronic phenotype algorithms
  • ATLAS: OHDSI's open-source cohort definition and analysis tool
  • Version tracking: Enables audit trails for protocol amendments
FEDERATED COHORT DISCOVERY

Frequently Asked Questions

Clear answers to the most common technical and operational questions about privacy-preserving patient cohort identification across distributed clinical data networks.

Federated Cohort Discovery is a privacy-preserving query process that enables researchers to identify and count patient populations matching specific clinical criteria across multiple institutional databases without moving or exposing individual-level data. The process works by distributing a standardized query—typically expressed in a common data model like OMOP or i2b2—to each participating site's local database. Each site executes the query locally behind its own firewall and returns only aggregate counts (e.g., "Site A has 342 matching patients") to a central coordinating node. The coordinating node sums these obfuscated counts to provide the researcher with a total eligible cohort size across the entire network. Critically, no protected health information (PHI) leaves any institution, and the querying researcher never sees individual patient records. Advanced implementations may incorporate differential privacy noise injection or secure multiparty computation to further protect against inference attacks that could potentially reconstruct patient-level information from repeated aggregate queries.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.