Using Privacy-Preserving (Blinded) Mode

Within the Identity service, demographic data is irreversibly hashed upon submission. Only the hashed version is stored, and subsequent operations are performed only on the hashed data. For more information, see How Identity Secures Data.

While this system is already highly secure, clients seeking an additional layer of protection can use Privacy-Preserving (Blinded) mode, in which the cryptographic hashing is performed on your own network before any demographic data is sent to the Identity service.

In the normal workflow, you send raw demographics to the Identity service, which will hash them before linking or storing the record.

In the privacy-preserving (blinded) workflow, you install a hashing service (provided by CareEvolution) on your local network. This service performs the standardize/hash steps entirely outside of the Identity service, so only the hashed data ever leaves your network security boundary. The one exception is the source system/identifier pair, which is never hashed, as explained in Using Identifiers.

Installing the Local Hashing Service

See Local Hashing Service Hosting for complete instructions on how to install your own copy of the local hashing service.

Blinded Workflow

When using blinded mode to add or update a record, you will:

  1. Call hash demographics on your local hashing service to obtain the hashed data.
  2. Upload the hashed data using the Add/Update Record (Blinded) operation.

The Match Demographics operation also requires you to use the hashing service first:

  1. Call hash demographics on your local hashing service to obtain the hashed data.
  2. Use the Match Demographics (Blinded) operation to query for matched records.
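The two procedures above (add/update and match) share the same first step, so the following added example, which is not part of this page or of CareEvolution's own client code, shows both in one place. It simulates the local hashing service with a stand-in (NFKC normalization plus SHA-256; the real service's standardization rules and hash algorithm are not specified here), builds the blinded add/update and match payloads, and runs a boundary check that confirms no raw or standardized demographic value appears in what would leave your network. All field names, payload shapes and sample demographics are constructed assumptions, not the Identity API's actual schema.

```python
import hashlib
import unicodedata
from typing import Callable, Dict, Iterable, Any

# Demographic fields that must never leave the local network in clear text (assumed names).
DEMOGRAPHIC_FIELDS = ("firstName", "lastName", "dob", "zip")

HashService = Callable[[Dict[str, str]], Dict[str, str]]


def standardize(value: str) -> str:
    """Constructed stand-in for the local service's standardize step:
    Unicode-normalize, trim, uppercase and collapse internal whitespace."""
    return " ".join(unicodedata.normalize("NFKC", value).strip().upper().split())


def local_hash_demographics(demographics: Dict[str, str]) -> Dict[str, str]:
    """Simulated local hashing service, i.e. the call made inside your own
    network boundary. SHA-256 is used only for illustration."""
    return {
        field: hashlib.sha256(standardize(demographics[field]).encode("utf-8")).hexdigest()
        for field in DEMOGRAPHIC_FIELDS
        if field in demographics
    }


def build_blinded_record(source_system: str, identifier: str,
                         demographics: Dict[str, str],
                         hash_service: HashService) -> Dict[str, Any]:
    """Step 1 (hash locally) + step 2 payload for Add/Update Record (Blinded).
    The source system and identifier are sent unhashed, as the page states."""
    return {
        "sourceSystem": source_system,
        "identifier": identifier,
        "hashedDemographics": hash_service(demographics),
    }


def build_blinded_match_query(demographics: Dict[str, str],
                              hash_service: HashService) -> Dict[str, Any]:
    """Step 1 (hash locally) + step 2 payload for Match Demographics (Blinded)."""
    return {"hashedDemographics": hash_service(demographics)}


def build_raw_record(source_system: str, identifier: str,
                     demographics: Dict[str, str]) -> Dict[str, Any]:
    """The normal (non-blinded) workflow payload, for contrast: raw demographics
    are sent and the Identity service hashes them on arrival."""
    return {"sourceSystem": source_system, "identifier": identifier,
            "demographics": dict(demographics)}


def _leaf_values(obj: Any) -> Iterable[Any]:
    """Yield every scalar value nested anywhere in a JSON-like payload."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _leaf_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _leaf_values(v)
    else:
        yield obj


def leaks_raw_demographics(payload: Dict[str, Any], demographics: Dict[str, str]) -> bool:
    """Boundary check to run before anything crosses the network edge: True if any
    raw or standardized demographic value is present as-is in the outbound payload."""
    forbidden = set()
    for field in DEMOGRAPHIC_FIELDS:
        if field in demographics:
            forbidden.add(demographics[field])
            forbidden.add(standardize(demographics[field]))
    return any(isinstance(v, str) and v in forbidden for v in _leaf_values(payload))


if __name__ == "__main__":
    # Constructed sample input; not real patient data.
    demo = {"firstName": " jane ", "lastName": "Doe", "dob": "1980-01-02", "zip": "02134"}
    record = build_blinded_record("EHR-A", "12345", demo, local_hash_demographics)
    print("blinded record leaks raw data:", leaks_raw_demographics(record, demo))
    print("raw record leaks raw data:   ", leaks_raw_demographics(build_raw_record("EHR-A", "12345", demo), demo))
```

The `leaks_raw_demographics` check is the practical takeaway: wire it into the client that talks to the Identity service so that a misconfiguration (for example, a code path that falls back to the non-blinded add/update call) fails closed instead of silently exporting clear-text demographics.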

The other operations (get, delete, match guidance) are unaffected by blinded mode, since they operate using unhashed Person IDs or source systems/identifiers.