AU2011247850B2

AU2011247850B2 - Mediated data encryption for longitudinal patient level databases

Info

Publication number: AU2011247850B2
Application number: AU2011247850A
Authority: AU
Inventors: Mark E. Kohan; Clinton J. Wolfe
Original assignee: IMS Software Services Ltd
Current assignee: IMS Software Services Ltd
Priority date: 2004-05-05
Filing date: 2011-11-07
Publication date: 2014-12-18
Anticipated expiration: 2025-05-05
Also published as: AU2015201415A1; AU2011247850A1

Abstract

C:\NRPonbNDCCVIRNG973437_ .DOC-4/1 1/2011 A process for cracking a light hydrocarbon feedstock containing non-volatile components and/or coke precursors, wherein a heavy hydrocarbon feedstock is added to the contaminated light hydrocarbon feedstock to form a contaminated hydrocarbon feedstock 5 blend which is thereafter separated into a vapor phase and a liquid phase by flashing in a flash/separation vessel, separating and cracking the vapor phase, and recovering cracked product. The heavy hydrocarbon feedstock allows operation of the flash/separation vessel at a higher temperature, within the operating temperature range of the separation vessel.

Description

Australian Patents Act 1990 - Regulation 3.2A ORIGINAL COMPLETE SPECIFICATION STANDARD PATENT Invention Title "Mediated data encryption for longitudinal patient level databases" The following statement is a full description of this invention, including the best method of performing it known to me/us: C:\NRPortbl\DCC\TRN\3973472_.DOC - 7/11/11 H:\ixpolnrenovcn\NRPor1bl\DCC\IXP\6250418I.doc-1105/2014 - lA MEDIATED DATA ENCRYPTION FOR LONGITUDINAL PATIENT LEVEL DATABASES This is a divisional of Australian Patent Application No. 2005241561, the originally filed specification of which is incorporated herein by reference in its entirety. 5 CROSS REFERENCE TO RELATED APPLICATIONS This application claims the benefit of U.S. provisional patent application Serial No. 60/568,455 filed May 5, 2004, U.S. provisional patent application serial No. 60/572,161 filed May 17, 2004, U.S. provisional patent application Serial No. 60/571,962 filed May 17, 2004, U.S. provisional patent application Serial No. 60/572,064 filed May 17, 2004, and U.S. provisional 10 patent application Serial No. 60/572,264 filed May 17, 2004, all of which applications are hereby incorporated by reference in their entireties herein. TECHNICAL FIELD The present invention generally relates to the management of personal health information 15 or data on individuals. The invention in particular relates to the assembly and use of such data in a longitudinal database in manner, which maintains individual privacy. Electronic databases of patient health records are useful for both commercial and non commercial purposes: Longitudinal (life time) patient record databases are used, for example; in epidemiological or other population-based research studies for analysis of time-trends, causality, 20 or incidence of health events in a population. The patient records assembled in a longitudinal database are likely to be collected from a multiple number of sources and in a variety of formats. An obvious source of patient health records is the modem. health insurance industry, which relies extensively on electronically-communicated patient transaction records for administering insurance payments to medical service providers. The medical service providers (e.g., 25 pharmacies, hospitals or clinics) or their agents (e.g., data clearing houses, processors or vendors) supply individually identified patient transaction records to the insurance industry for compensation. The patient transaction records, in addition to personal information data fields or attributes, may contain other information concerning, for example, diagnosis, prescriptions, treatment or outcome. 30 Such information acquired from multiple sources can be valuable for longitudinal studies. However, to preserve individual privacy, it is important that the patient records integrated to a longitudinal database facility are "anonymized" or "de identified". 5 A data supplier or source can remove or encrypt personal information data fields or attributes (e.g., name, social security number, home address, zip code, etc.) in a patient transaction record before transmission to preserve patient privacy. The encryption or standardization of certain personal information data fields to preserve patient privacy is now mandated by statute and government regulation. 10 Concern for the civil rights of individuals has led to government regulation of the collection and use of personal health data for electronic transactions. For example, regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), involve elaborate rules to safeguard the security and confidentiality of personal health information. The HIPAA regulations cover entities such as health 15 plans, health care clearinghouses,. and those health care providers who conduct certain financial and administrative transactions (e.g., enrollment, billing and eligibility verification) electronically. (See e.g., http://www.hhs.gov/ocr/hipaa). Commonly invented and co-assigned patent application Serial No. 10/892,021, "Data Privacy Management Systems and Methods", filed July 15, 2004 (Attorney Docket No. 20 AP3 5879), which is hereby incorporated by reference in its entirety herein, describes systems and methods of collecting and using personal health information in standardized format to comply with government mandated HIPAA regulations or other sets of privacy rules. For further minimization of the risk of breach of patient privacy, it may 25 be desirable to strip or remove all patient identification information from patient records that are used to construct a longitudinal database. However, stripping data records of patient identification information to completely "anonymize" them can be incompatible with the construction of the longitudinal database in which the stored data records or fields are necessarily updated individual patient-by-.patient. 30 Consideration is now being given to integrating "anonymized" or "e identified" patient records from diverse data sources in a longitudinal database. In particular, attention is paid to systems and methods for preserving patient privacy in a data collection and processing enterprise for assembling the longitudinal database H: ixp\Interoven.\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 -3 where the enterprise may extend over several data supplier sites and the longitudinal database facility. It is desired to address or ameliorate one or more disadvantages or limitations associated with the prior art, or to at least provide a useful alternative. 5 SUMMARY In accordance with the present invention there is provided a process for assembling a longitudinally linked database from individual patient healthcare transaction data records, the process comprising: 10 receiving, at a longitudinal database facility, data records from more than one data sources, each of the data records having patient-identifying attributes and non-identifying attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in the data records 15 are first encrypted using a first encryption key specific to the longitudinal database facility, and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains unknown to the 20 longitudinal database facility; decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted 25 using the first encryption key; assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data record having the same encrypted patient-identifying attributes; and 30 providing the tag for the respective data record that deterministically links data records having the same encrypted patient-identifying attributes.

H: ixp\Interwoven\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 -4 The present invention also provides a system comprising: one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: 5 receiving, at a longitudinal database facility, data records from more than one data sources, each of the data records having patient-identifying attributes and non identifying attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in 10 the data records are first encrypted using a first encryption key specific to the longitudinal database facility, and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains 15 unknown to the longitudinal database facility; decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted 20 using the first encryption key; assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data record having the same encrypted patient-identifying attributes; and 25 providing the tag for the respective data record that deterministically links data records having the same encrypted patient-identifying attributes. The present invention also provides a non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising: 30 receiving, at a longitudinal database facility, data records from more than one data sources, each of the data records having patient-identifying attributes and non-identifying H: ixp\Interoven.\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 4A attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in the data records are first encrypted using a first encryption key specific to the longitudinal database facility, 5 and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains unknown to the longitudinal database facility; 10 decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted using the first encryption key; 15 assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data record having the same encrypted patient-identifying attributes; and providing the tag for the respective data record that deterministically links data 20 records having the same encrypted patient-identifying attributes. BRIEF DESCRIPTION OF THE DRAWING Preferred embodiments of the present invention are hereinafter described, by way of non-limiting example only, with reference to the accompanying drawings, in which: 25 FIG. 1, which is reproduced from U.S. patent application S/N 11/122,581, is a block diagram of an exemplary system for assembling a longitudinal database from multi sourced patient data records. The privacy management procedures described herein may be implemented in the system of FIG. 1, in accordance with the embodiments of the present invention.

H: ixp\Interoven.\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 4B DESCRIPTION OF THE INVENTION Systems and methods are provided for managing the privacy of individuals whose healthcare data records are assembled in a longitudinally linked database. The systems and methods may be implemented in a data collection and processing enterprise, which may be 5 geographically diverse and which may involve a several data suppliers and a common longitudinal database assembly facility. The systems and methods involve a neutral third party (i.e. an implementation partner) to mediate the processing of data records at data supplier sites and at a common longitudinal database facility where the multi-source data records are assembled in a 10 database. The systems and methods are designed so that unauthorized parties cannot have access to sensitive patient-identifying attributes or information in the data records being processed. The data records are first processed at the data supplier sites so that sensitive data attributes are doubly encrypted with two consecutive levels of encryption before the data records are transmitted to the longitudinal database facility. These doubly encrypted 15 data records are processed at the longitudinal database facility to remove one level of encryption in preparation for integrating the data records into a longitudinal database at an individual level. The data encryption and decryption at the supplier sites and the longitudinal database facility are controlled by the neutral third party operating in a secure processing environment, which reduces or eliminates the risk of deliberate or inadvertent 20 release of the sensitive patient identifying information. Further features of the invention, its nature and various advantages will be more apparent from the accompanying drawings and the following detailed description. Systems and methods are provided for managing and ensuring patient privacy in the assembly of a longitudinally linked database of patient healthcare records. 25 The systems and methods may be implemented in a data collection and processing enterprise, which may be geographically diverse and which may involve several data suppliers and other parties. The systems and methods may, for example, be implemented in conjunction with the exemplary longitudinal database assembly system described in commonly owned patent application S/N 11/122,589, filed May 5, 2005 (Atty. Docket No. 30 AP36247), which is hereby incorporated by reference herein in its entirety. The referenced patent application discloses a solution, which allows patient data H: ixp\Interoven.\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 4C records acquired from multiple sources to be integrated each individual patient by patient into a longitudinal database without creating any risk of breaching of patient privacy. The solution uses a two-step encryption process using multiple encryption keys to encrypt sensitive patient-identifying information in the data records. (See e.g., FIG. 1), The 5 encryption process includes encryption steps performed at the data supplier sites (e.g., site 116, FIG. 1) and also encryption/decryption steps performed at a longitudinal database facility ("LDF") (e.g., site 130, FIG. 1). At the first step, each DS encrypts selected data fields (e.g., patient-identifying attributes and/or other standard attribute data fields) in the patient records to convert the patient records into a first "anonymized" format. With 10 continued reference to FIG. 1, each DS uses two keys (i.e., a DS-specific key K2, and a common longitudinal key KI associated with a specific LDF) to doubly encrypt the selected data fields. The doubly encrypted data records are transmitted to the LDF site. The data records are then processed into a second anonymized format, which is designed to allow the data records to be linked individual patient by patient without recovering the 15 original unencrypted patient identification information. For this purpose, the doubly encrypted data fields in the patient records received from the DS are partially de-crypted using a specific DS key K2 (such that the doubly encrypted data fields still retain the common longitudinal key encryption). A third key (e.g., a token based key, K3) may be used to further encrypt the data records, which include the now-singly (common longitudinal key) encrypted data fields or attributes, for use in a longitudinally linked database. Longitudinal identifiers (IDs) or dummy labels that are internal to the longitudinal database facility may be used to tag the data 5 records so that they can be matched and linked individual ID-by-ID in the longitudinal database. In one embodiment of invention, the privacy management procedures and models involve a business mechanism in the two-step encryption processes so that no single party (i.e., neither the data suppliers nor the LDF) has full access to the 10 entire data process or flow. Any risk of intentional or inadvertent release of patient identifying information, for example, to LDF personnel or users, is thereby minimized. The business mechanism may involve hardware, software and/or third parties. The business mechanism is invoked to conduct portions of the two-step 15 encryption processes in a secure environment, which is inaccessible to the data suppliers, the LDF, and other unauthorized parties. The business mechanism may include one or more software applications that may be deployed the data supplier sites and/or the LDF. The business mechanism may include only software configurations, or may include both software and hardware environment configurations at data 20 supplier sites and the LDF. In an exemplary implementation, tens or hundreds of data supplier sites and the LDF may be covered by the business mechanism. The business mechanism involves deployment and support of common data encryption applications across a plurality of data supplier sites and the LDF. The deployed common data encryption applications may include applications for 25 generating, using and securing several encryption and/or decryption keys. The business mechanism is configured to provide or supervise key generation, supply, administration and security functions. The longitudinal databases created or maintained using the principles of the present invention may be utilized to provide information solutions, for example, 30 to the pharmaceutical and healthcare industries. The longitudinal databases may transform billions of pharmaceutical records collected from thousands of sources worldwide into valuable strategic insights for clients. The business mechanism utilized in creating the longitudinal databases is designed to protecting the privacy and security of all collected healthcare information.

-6 An exemplary longitudinal database may include data sourced from U.S.-based prescription data suppliers. Market intelligence and analyses gleaned from the longitudinal database can provide customers (e.g., pharmaceutical drug R&D organizations or manufacturers) critical technical and business facts at every stage of the pharmaceutical life cycle ranging from 5 the early stages of research and development through product launch, product maturation and patent expiration stages. The market intelligence and analyses may, for example, include targeted forecasts and trend analyses, customized product-introduction information, pricing and promotional parameters and guidelines, competitive comparisons, market share data, evaluations of sales-force prospects and productivity, and market audits segmented by product, 10 manufacturer, geography and healthcare sector, as well as by inventory and distribution channels. In one embodiment, the business mechanism involves a neutral entity, e.g., third party implementation partner ("EP"), to conduct portions of the two-step encryption processes in a secure environment. The IP may be a suitable third party, w ho, for example, is adept at 15 developing relationships with the data suppliers and the LDF. The EP may have expertise in implementing onsite applications, and may be able to provide case examples from existing clients. The case examples may include implementations across a large number of non-standard environments. The IP may have the capability to provide application support in geographically diverse locations (e.g., across the United States) and may have a suitable organizational structure 20 to provide that support. The IP may be required to have a working understanding or command of HIPAA regulations and other standards related to collection and handling of private health information. The functions of the IP may be understood with reference to the systems and methods for constructing a longitudinal database, which are described in the referenced 25 patent application S/N 11/122,589. (See e.g., Fig 1). The processes for constructing the longitudinal database according to the referenced patent application may include three sequential components or stages 11 0a, 11 Ob and 11 Oc. In first stage 11 0a, critical data encryption processes are conducted at data supplier sites. The second (110b) and third stage (1106) processes may be conducted at a common LDF site 130, which is supplied with encrypted 30 data records by multiple data suppliers. In second stage 11 Ob, vendor-specific encrypted data is processed into LDF-encrypted data, which can be longitudinally linked across data suppliers. At -7 final stage 110c, the LDF-encrypted data is processed using various probabilistic and deterministic matching algorithms, which assign unique tags to the encrypted data records, The assigned tags, which may be viewed as pseudo or fictitious patient identifiers ("ID"), do not include explicit patient identification information, but can be effectively used to longitudinally 5 link the LDF-encrypted data records in a statistically valid manner to create the longitudinal database. Exemplary matching algorithms are described in co-pending patent application S/N 11/122,589 filed May 5, 2005 (atty. Docket No. AP36251), which is incorporated by reference herein in its entirety. The matching algorithms may assign a particular tag to a data record 10 based on the encrypted values of a select set of personally identifiable data attributes in the data record. The processes for constructing the longitudinal database require that at least the selected set of attributes must be acquired and encrypted in the data records transmitted by the data suppliers to the LDF. In accordance with the present invention, the IP may be utilized to assist the data suppliers in defining and implementing processes for the acquisition, encryption and 15 transmission of the data records, which include the select set of data attributes. A first data supplier process may be used for the identification and acquisition of the necessary attributes from the data supplier's databases/files, Once the attributes are acquired, they may processed through encryption applications, which may be coded in "C" or "JAVA." The encryption applications may standardize the attributes and further encrypt them using a dual encryption process using a 20 universal longitudinal encryption key and a vendor- specific encryption key. The encrypted attribute output then can be transmitted to the LDF in a secure manner as either part of an existing data feed or as a separate data transmission from the data supplier. Suitable applications/environments to merge the data and/or to send the encrypted data file may be defined. The IP may be utilized to assist the data suppliers in implementing the data supplier 25 components and for providing on-going production support to the data suppliers. After the data records are received at the LDF, the encrypted data attributes can processed through a secure encryption environment to generate LDF encrypted attributes. These "new" LDF encrypted attributes may be designed to be linkable across data sources. The secure encryption environment, which contains the encryption keys and software, is managed or 30 supervised by the IP. The EP ensures that the LDF has no access to this secure encryption environment. The encrypted attributes resulting from this stage can be processed in the final stage of the process by a matching application, which assigns longitudinal patient identifiers ("IDs") to tag data records for incorporation in the longitudinal database. The IP may have ownership of the encryption applications utilized. 5 The IP may deploy and manage these and other applications in both the data supplier and the LDF environments. A typical data supplier site deployment may include a startup period during which encryption applications and processes are installed, tested, and during which the data supplier and/or the IP begin "pushing" encrypted data attributes back to LDF. The IP may provide support to reduce data supplier-to 10 data supplier process variability that may result from variations, for example, in data supplier technical platforms or environments. The IP may provide this support during the startup period to bring the data supplier's processes up to acceptable standards. After processes for feeding standardized data records from the data supplier to the LDF have been established (e.g., after the startup period), the IP may 15 continue to provide maintenance, application updates, help-desk support/issue resolution, and potential process audit support. The IP may also may support deploy and manage the portions of the encryption applications at the LDF or at an intermediary site. For example, the IP may install the encryption application, coordinate the delivery of encrypted data to the 20 encryption application, and ensure security of the encryption application in the LDF environment. The IP may continue to provide maintenance, application updates, help desk support/issue resolution, and potential process audit support after the initial installation. 25 The exemplary functions, which may be performed by an IP, include: * Installation and testing of the encryption application at data supplier sites. * Assisting the supplier in acquiring the data from wherever it is 30 stored in their environment, and presenting it to the implemented encryption application.

H:\ixp\l nienvoven\NRPoitb1\D CCOXP\62504 18_ Ldoc- 1/05/2014 -9 e Working the with the data supplier to ensure delivery of the encrypted data results to the LDF. * Getting the "LDF side" of the encryption application installed and fully functional. e Co-ordinating the delivery of encrypted data to the encryption application. 5 e Ensuring security of the encryption application and data records in the LDF environment. Various modifications and alterations to the described embodiments will be apparent to those skilled in the art in view of the teachings herein. It will thus be 10 appreciated that those skilled in the art will be able to devise numerous techniques which, although not explicitly described herein, embody the principles of the invention and are thus within the spirit and scope of the invention. Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and 15 "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps. The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as an 20 acknowledgment or admission or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Claims

1. A process for assembling a longitudinally linked database from individual patient healthcare transaction data records, the process comprising: 5 receiving, at a longitudinal database facility, data records from more than one data sources, each of the data records having patient-identifying attributes and non-identifying attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in the data records 10 are first encrypted using a first encryption key specific to the longitudinal database facility, and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains unknown to the 15 longitudinal database facility; decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted 20 using the first encryption key; assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data record having the same encrypted patient-identifying attributes; and 25 providing the tag for the respective data record that deterministically links data records having the same encrypted patient-identifying attributes.

2. The process of claim 1, wherein assigning a tag for a respective data record based on the patient-identifying attributes encrypted using the first encryption key comprises 30 using an attribute-matching algorithm to deterministically determine the tag. H: ixp\Interwoven\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 11

3. The process of claim 1, further comprising linking the data records using the respective tags to create a longitudinally linked database of linked data records, the data records received from the more than one data source. 5

4. The process of claim 1, wherein the one or more computers comprise an implementation partner.

5. The process of claim 1, further comprising preprocessing the data records to place their data fields in a standard format. 10

6. The process of claim 1, further comprising limiting unauthorized the patient identifying attribute information in the data records.

7. The process of claim 1, wherein the third encryption key is a token based key. 15

8. A system comprising: one or more computers and one or more storage devices storing instructions that are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: 20 receiving, at a longitudinal database facility, data records from more than one data sources, each of the data records having patient-identifying attributes and non identifying attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in 25 the data records are first encrypted using a first encryption key specific to the longitudinal database facility, and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains 30 unknown to the longitudinal database facility; H: ixp\Interwoven\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 12 decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted 5 using the first encryption key; assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data recordhaving the same encrypted patient-identifying attributes; and 10 providing the tag for the respective data record that deterministically links data records having the same encrypted patient-identifying attributes.

9. The system of claim 8, wherein the operation of assigning a tag for a respective data record based on the patient-identifying attributes encrypted using the first encryption 15 key comprises using an attribute-matching algorithm to deterministically determine the tag.

10. The system of claim 8, wherein the operations further comprise linking the data records using the respective tags to create a longitudinally linked database of linked data records, the data records received from the more than one data source. 20

11. The system of claim 26, wherein the one or more computers and the one or more storage devices comprise an implementation partner.

12. The system of claim 8, wherein the operations further comprise preprocessing the 25 data records to place their data fields in a standard format.

13. The system of claim 8, wherein the operations further comprise limiting unauthorized access to the patient-identifying attribute information in the data records. 30

14. The system of claim 8, wherein the third encryption key is a token based key. H: ixp\Interwoven\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 13

15. A non-transitory computer-readable medium storing software comprising instructions executable by one or more computers which, upon such execution, cause the one or more computers to perform operations comprising: receiving, at a longitudinal database facility, data records from more than one data 5 sources, each of the data records having patient-identifying attributes and non-identifying attributes, whereby at least the patient-identifying attributes in the data records are doubly encrypted so that the data records are de-identified and can be securely transmitted to a longitudinal database facility, wherein the patient-identifying attributes in the data records are first encrypted using a first encryption key specific to the longitudinal database facility, 10 and wherein the patient-identifying attributes are further two-way encrypted with a second encryption key specific to the respective data source, wherein the longitudinal database facility is a neutral third party with regard to the more than one data sources such that the second encryption key specific to the respective data source remains unknown to the longitudinal database facility; 15 decrypting, using the second encryption key, the patient-identifying attributes, while retaining the encryption of the patent-identifying attributes by the first encryption key; encrypting, using a third encryption key, the patient-identifying attributes encrypted using the first encryption key; 20 assigning, by one or more computers and based on the patient-identifying attributes encrypted using the first encryption key, a tag for a respective data record deterministically linking the respective data record to at least one data record other than the respective data record having the same encrypted patient-identifying attributes; and providing the tag for the respective data record that deterministically links data 25 records having the same encrypted patient-identifying attributes.

16. The medium of claim 15, wherein the operation of assigning a tag for a respective data record based on the patient-identifying attributes encrypted using the first encryption key comprises using an attribute-matching algorithm to deterministically determine the tag. 30 H: ixp\Interwoven\NRPortbl\DCC\IXP\6992043_1.doc-19/11/2014 - 14

17. The medium of claim 15, wherein the operations further comprise linking the data records using the respective tags to create a longitudinally linked database of linked data records, the data records received from the more than one data source. 5

18. The medium of claim 15, wherein the operations further comprise preprocessing the data records to place their data fields in a standard format.

19. The medium of claim 15, wherein the operations further comprise limiting unauthorized access to the patient-identifying attribute information in the data records. 10

20. The medium of claim 15, wherein the third encryption key is a token based key.