Federated Cohort Discovery is a privacy-preserving query process that allows researchers to identify and count patient populations matching specific clinical criteria across multiple institutional databases without moving or exposing individual-level data. It transforms the traditional model of centralized data aggregation by sending the query to the data rather than the data to the query, returning only aggregate counts that satisfy the inclusion and exclusion rules.
Glossary
Federated Cohort Discovery

What is Federated Cohort Discovery?
A decentralized query mechanism enabling researchers to count eligible patient populations across multiple institutional databases without moving or exposing protected health information.
The architecture typically relies on a distributed network of honest broker nodes that translate a common query language into local database dialects, execute the search behind each institution's firewall, and return de-identified summary statistics. This approach is foundational for multi-site clinical trial feasibility assessments and rare disease patient recruitment, enabling research networks to rapidly determine whether a sufficient cohort exists across participating sites before investing in full-scale data harmonization or institutional review board approvals.
Key Features of Federated Cohort Discovery
Federated Cohort Discovery enables researchers to query patient populations across multiple institutions without moving or exposing protected health information. The following architectural components ensure regulatory compliance, query accuracy, and cross-site interoperability.
Distributed Query Execution
A central orchestrator dispatches a standardized query to each participating site's local database. The query executes entirely within the institution's firewall, scanning structured clinical data—diagnosis codes, lab values, medications—without any raw data leaving the site. Only aggregate counts are returned.
- Site-level autonomy: Each institution retains full control over its data
- No data centralization: Eliminates the need for a single pooled data warehouse
- Real-time feasibility: Returns preliminary cohort counts in seconds to minutes
Threshold-Based Disclosure Control
To prevent re-identification through small cell sizes, the system enforces a minimum aggregate count threshold—typically 10 or 11. If a query returns fewer patients than the threshold, the result is suppressed and reported as "<10" rather than revealing the exact count.
- Blurred counts: Protects against differencing attacks across multiple queries
- Configurable policies: Each site can set its own disclosure risk tolerance
- Audit logging: Every query and response is recorded for compliance review
Common Data Model Harmonization
Participating sites map their local data schemas to a shared Common Data Model (CDM) such as OMOP or i2b2. This semantic normalization ensures that a query for "HbA1c > 7.0" translates correctly across different EHR systems, lab coding conventions, and unit representations.
- OMOP: Observational Medical Outcomes Partnership standard
- i2b2: Informatics for Integrating Biology and the Bedside
- Terminology mapping: LOINC, SNOMED-CT, and RxNorm alignment
Cryptographic Secure Aggregation
When sites must jointly compute statistics beyond simple counts—such as average age or gender distribution—secure multi-party computation (SMPC) protocols ensure no individual site's intermediate values are exposed. The central aggregator learns only the final combined result.
- Secret sharing: Each site's contribution is split into encrypted shares
- Zero-knowledge proofs: Verifies computation correctness without revealing inputs
- Differential privacy integration: Optional noise injection for formal privacy guarantees
Iterative Cohort Refinement
Researchers rarely define the perfect cohort on the first attempt. Federated systems support interactive, multi-step refinement—broadening or narrowing criteria based on initial aggregate counts—without ever seeing individual-level data. Each iteration triggers a new distributed query cycle.
- Inclusion/exclusion criteria: Age ranges, diagnosis windows, medication history
- Temporal constraints: "Diagnosed within 6 months of first lab"
- Boolean logic: Complex AND/OR/NOT combinations across data domains
Phenotype Definition Portability
Cohort definitions are expressed as executable, version-controlled phenotype algorithms using standard formats like PheKB or OHDSI's ATLAS. These computable definitions ensure reproducibility—the same logic runs identically at every site, eliminating subjective interpretation of free-text inclusion criteria.
- PheKB: Curated library of validated electronic phenotype algorithms
- ATLAS: OHDSI's open-source cohort definition and analysis tool
- Version tracking: Enables audit trails for protocol amendments
Frequently Asked Questions
Clear answers to the most common technical and operational questions about privacy-preserving patient cohort identification across distributed clinical data networks.
Federated Cohort Discovery is a privacy-preserving query process that enables researchers to identify and count patient populations matching specific clinical criteria across multiple institutional databases without moving or exposing individual-level data. The process works by distributing a standardized query—typically expressed in a common data model like OMOP or i2b2—to each participating site's local database. Each site executes the query locally behind its own firewall and returns only aggregate counts (e.g., "Site A has 342 matching patients") to a central coordinating node. The coordinating node sums these obfuscated counts to provide the researcher with a total eligible cohort size across the entire network. Critically, no protected health information (PHI) leaves any institution, and the querying researcher never sees individual patient records. Advanced implementations may incorporate differential privacy noise injection or secure multiparty computation to further protect against inference attacks that could potentially reconstruct patient-level information from repeated aggregate queries.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Federated Cohort Discovery relies on a stack of privacy-enhancing technologies and distributed query paradigms. These related terms define the core mechanisms that enable secure, decentralized patient population analysis.
Secure Aggregation
A cryptographic protocol that allows a central server to compute the sum of model updates or query results from multiple clients while ensuring the server cannot inspect any individual client's contribution in plaintext. In cohort discovery, this enables a researcher to learn the total patient count across sites without any site revealing its local count. Techniques often involve secret sharing and pairwise masking to protect intermediate computations.
Differential Privacy (DP)
A mathematical framework that injects calibrated statistical noise into query results to provide a provable guarantee that the presence or absence of any single individual's record cannot be inferred. Applied to cohort discovery, DP ensures that even the aggregate count returned to a researcher does not leak membership information. The privacy budget, epsilon (ε) , quantifies the privacy loss—lower values indicate stronger protection at the cost of reduced statistical accuracy.
Horizontal Federated Learning
A federated learning paradigm where collaborating parties hold data with the same feature space but different sample spaces. This is the most common data partitioning scenario in healthcare cohort discovery, where multiple hospitals collect the same clinical variables (e.g., lab values, diagnoses) for entirely different patient populations. The query logic is distributed identically to each site, and only aggregate counts are returned.
Federated Record Linkage
The privacy-preserving process of identifying and linking records that correspond to the same individual across disparate, decentralized databases without revealing the individual's identity to the linking party. In cohort discovery, this is critical for accurately counting unique patients who appear at multiple institutions. Techniques include Bloom filter encoding of identifiers and secure multi-party computation to compare encrypted representations.
Non-IID Data
A data distribution characteristic where local client datasets are statistically heterogeneous and do not represent the overall population distribution. In cohort discovery, a query for 'Type 2 Diabetes patients' may return vastly different demographic profiles from a community clinic versus a tertiary referral center. Understanding site-specific distributional skew is essential for interpreting aggregate cohort counts and avoiding biased conclusions.
Trusted Execution Environment (TEE)
A hardware-enforced isolated area within a main processor that guarantees the confidentiality and integrity of code and data loaded inside it. In cohort discovery architectures, TEEs can act as a secure intermediary that receives encrypted local counts, decrypts them within the enclave, computes the total, and releases only the final aggregate—ensuring that even the coordinating server's operating system cannot inspect intermediate values.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us