“Method For Providing An Authenticated Digital Identity” in Patent Application Approval Process (USPTO 20210286868): Patent Application

2021 OCT 04 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- A patent application by the inventor Kragh, James F. (Winter Park, FL, US), filed on May 27, 2021, was made available online on September 16, 2021, according to news reporting originating from Washington, D.C., by NewsRx correspondents.

This patent application has not been assigned to a company or institution.

The following quote was obtained by the news editors from the background information supplied by the inventors: “The Health Insurance Portability and Accountability Act of 1996 (HIPAA), the fundamental privacy principles of both the Data Protection Act and the Human Rights Act 1998, and the American Recovery and Reinvestment Act (ARRA) in February 2009 followed by April rulings by the Federal Trade Commission (FTC) included a standard of privacy regarding an individual’s right to privacy regarding health care data. In January 2013, a new revision of HIPAA 1996, labeled the HIPAA omnibus rule, was issued with increased emphasis on privacy, disclosure of identifiable information and tougher security provisions which comes under the 2009 HITECH Act and the Genetic Information Nondiscrimination act. Under the provisions of HIPAA, ARRA, and the FTC, health information, with few exceptions, can only be shared with the express permission, advance consent, and authorization of the patient (or the patient’s legal guardian, as appropriate), and when compromised, electronic notifications must be sent, and followed up with electronic audits and risk analysis.

“By way of example, if a patient is unconscious and has provided advance authorization and consent for a licensed health care provider to securely access and view health-related and protected health information with family, next-of-kin, friends, or others involved, the patient’s care and emergency care can be shared when in the best interest of the patient.

“In Florida, vehicle owners can securely store emergency contact information electronically, including the name and telephone number of at least one person, and link same to their driver’s licenses (DL). A law enforcement officer or first responder, if they can locate a driver’s license at an accident scene, can contact the Department of Motor Vehicles to obtain emergency contact (ER-Cont.) data. If not available and the vehicle occupants are unconscious or otherwise unable to communicate, notifying the family can be a challenge. ER-Cont. information is only available to police at a crash scene in the state of Florida.

“NLETS, the National Law Enforcement Telecommunications System, can interface with Department of Motor Vehicle sites across the country and obtain emergency contact information, but only if linked to a vehicle’s vehicle identification number (VIN) and with the driver’s consent. However, medical data cannot be collected, stored, accessed, or shared via NLETS, which can cause a loss of critical time gaining access to critical healthcare data, such as allergies, blood type, and other medical data. Such data can save lives or improve the quality of life after a life-threatening event.

“As will be addressed throughout this disclosure, attributes contain information about a subject (known also as an actor). A subject’s digital ID has a limited number of identity attributes that can be classified as an authenticated attribute such as one’s legal name, address, zip-code, age, date-of-birth, or trait features, some of which may be listed on a title or driver’s license, that are inherent such as eye color, gender or birth place, by way of example. A subject can also have acquired associated or professional title attributes (lifestyle-celebrity, self-asserted social media name, purchasing behavior, medical or banking activity/profile) which can change easily whereas personal core trait attributes most likely do not change.

“Upon being validated and authenticated with a digital ID coupled with authenticated and non-authenticated attributes that have a high trust level of assurance or having public key certificate, in good standing, then a person’s (subject) authenticated identity can be enhanced with other attributes that originate from an Attribute Certification, currently recognized as a certified Identity Provider (IdP), that provides an identity proofing process where one’s Authentication privilege is created extended to provide “certified binding attributes’ that link to a user’s primary mobile computing device or ‘hub’ such as a smartphone, smartwatch, glasses or lap top, each with a unique identifier, that is user controlled for managing activities such as access control, secure email, access privileges and associated relationships on applications that have unique identifiers. As a result of the security and auditing process incorporated into Authenticated Attribute Certification there is a strong privilege management policy monitoring effort, risk management process and an attribute/certificate revocation process. Entities, institutions, exchanges, enterprise servers and the environment (herein defined as objects) can also have attributes which are represented by defined and tagged alpha-numerical characteristics (here referred to as identifiers), Bar-QR codes and functions. Authenticated attributes can be used to establish an identity but Attribute certificates (certs) not used to establish an identity but used to extend the attributes of one’s identity. The forgoing is in concert with NIST guidelines.

“Anonym ization and Pseudonym ization are specific de-identification processes, each with a unique identifier, that follow the intent of HIPAA 1996 and the HIPAA omnibus rules of January 2013. For a user to have Anonymity or Pseudonymity, they first must be known electronically by a trusted third party and have a verified and validated identity with an identifier. Anonym ization is the process that removes the identifying characteristics (HIPAA defined as Protected Identifiable Information (PII) and Protected Health Information (PHI) associated with protected health/clinical information and generates a not so unique health data set with a non-linkable identifier. The value of such allows a subject/patient to make a part of or subset of their clinical data (PHI) available for a range of secondary purposes without having to access identifiable clinical information. The same applies to health insurance information that is represented by PII. Such data will be made available on a need to know or on an arranged basis and risk of identity is greatly minimized. The activity is handled through a trusted third party who attests to the validity of the clinical information. Pseudonym ization is a specialized class of Anonym ization that removes the association and then adds an association between a particular set of data characteristics relating to the data subject in addition to adding more pseudonyms. This is a means by which information can be linked together to the same group of persons over time and across multiple data records without revealing the identity of the person and subject data. A trusted third-party play’s a critical role if there needs to be a re-identification event that is in response to a major public health event. (Activities defined in HIPAA and HITSP).

“As the market place transitions to a digital economy, technical advances in mobile devices like smartphones, watches, tablets and laptops that are becoming a user’s secure hub for managing their personal network of relationships, applications, devices and sensors that are all connected via linked identifiers that are opening up new frontiers of convenience, speed and transparency for consumers. Simultaneously, it has also resulted in privacy and security breaches in all markets with healthcare in the lead having over 25% of all patient accounts compromised in 2015. Consumer’s, in adopting digital technology, are recognizing they are part of the solution in needing to control and managing their identity, privacy and access to their personal data to guard. They also recognize the beneficial value in using digital tools to enhance their safety, engaging a user’s defined healthcare ecosystem or ecosystems and privacy by monitoring personal and related health activities especially during untimely medical events.

“By way of example, and as will herein be addressed, an ecosystem in the digital world is a community of interconnected online elements or attributes formed by interactions of entities and users. As digital transformation and data distribution accelerated along with cyberattacks and users embraced smartphones and adopted IOTs, NIST launched the development of trust framework, an identity ecosystem and guidelines for authenticated identities

“There is a need to provide medical help for a patient using a smart device such as a smart phone. By way of example, if the patient is unconscious and has provided advance authorization and consent for a licensed health care provider to securely access and view health-related and protected health information with family, next-of-kin, friends, or others involved , the patient’s care and emergency care should be able to be shared when in the best interest of the patient, and in particular during a medical emergency situation where a smartphone provides time access to patient medical information.

“By way of example of needs, and as will herein be addressed, human resource departments are challenged in trying to validate the identities of potential ‘mobile’ employees using their smartphones, lap tops and or tablets as part of the job screening process; BYOD (bring your own device) to work. Considering cybersecurity threats and access controls functions, businesses are even more cautious since candidates are becoming their own personal body network with smartphones and sensors. Consequently, more businesses are starting to engage trusted notaries to validate the credentials of candidate employees.

“Therefore, it would be beneficial to provide a secure system and method for making both VIN and emergency medical data available on an as-needed basis to licensed emergency medical responders, in order that care be provided in a more efficient, safe, and secure fashion if such data can be voluntarily provided and stored in a secure and separate, non-law-enforcement repository, and linked to the NLETS secure infrastructure.”

In addition to the background information obtained for this patent application, NewsRx journalists also obtained the inventor’s summary information for this patent application: “A system and method are provided for establishing and administering an online secure data sharing network, in particular, for use in emergency situations wherein a patient is unconscious or otherwise unable to communicate. A secure network enables first responders to identify victims, reach next-of-kin, reach their medical doctor, and access emergency medical data at a crash scene or other life-threatening event, the emergency data having previously been authorized for access by the patient.

“The secure network may include an emergency medical data registry for each person who elects to participate, by validating, authenticating their identity, and consenting to securely provide emergency medical data on themselves and, if applicable, their children, that the patient has digitally signed. Such emergency medical data can include, for example, blood type, allergies, current medications, surgeries, and emergency medical contact information. The emergency medical data may only be presented in a read-only standards-based format and viewed by a licensed healthcare worker, such as an emergency medical technician (EMT) or emergency department staff member. The data may be owned and controlled by the participant, and may only be modified or deleted by that person. A real-time audit trail is available to the participant, documenting all access events, and a qualified and licensed security professional must be able to access a specific emergency event audit trail for independent auditing purposes without having access to or the ability to view any protected health data.

“Embodiments of the invention may comprise a computer implemented system or method to verify and validate a user identity for enrollment in a secure personal dataset accessing system, wherein a personal dataset is electronically received and includes identifiable attributes with unique identifiers of the user. Using a computer, authenticity of an asserted identity of the user including the identifiable attributes may be electronically verified and a personal dataset formed. A verified biometric identifier of the user may be automatically captured on the computer for validating the identifiable attributes. The validating may include confirming that the asserted identity matches the identifiable attributes that have unique identifiers. An e-audit trail is provided having a traceable electronic enterprise infrastructure that is part of the National Identity Ecosystem Trust Framework and bench mark performance indicator.

“A digital security element, a generated number as example, may be generated as a result of the verifying, validating and authentication process and results in the user electronically receiving a number or code on user’s primary device such as their smartphone with a unique identifier, wherein a unique electronic address may also be assigned to the user on that device and bound to the IP address. The digital security element, a one-time number or password/code (OTP-see 0019) may then be transmitted to the user from the user primary device-smartphone (computer or laptop) and enables secure electronic access to the user’s Personal Emergency Medical and Contact Application and Personal Health Record that have been prepopulated with their personal dataset relating to the user, the personal dataset having been authenticated through the verifying and validating steps.

“The FCC regulates the telecommunications industry that is the distribution hub for all types of communication devices including smartphone which the FCC recognizes as the defector standard for secure digital internet communication between government agencies and the private sector when incorporating Multi-Factor communication using NIST’s identity proofing guidelines. This smart mobile device, having the ability to recognize, when fully verified, validated, authenticated and bound (through a series of connected identifiers) to a user, an individual’s previously captured digital biometric(s) that has been validated such as speech, iris, facial, finger-print(s) and other behaviors (FIG. 7B). This process can allow smartphone device to serve as a personal identifier in unlocking the device while also enabling it to serve as a user’s hub.

“A step to enhance the security in a secure data exchange may include Multi-Factor communication.

“By way of example: Two Factor Authentication. The process described above, where a one-time number/password is shared is referred to as Two-Factor Authentication or Multifactor Authentication. It is a process that uses two pieces, or factors with unique identifiers, of previously verified and validated attribute information to verify the identity of a user trying to access (current event) a service or an account. The first factor may include a user’s established password and the other factor(s) is commonly used for identity and can include, (if already verified and validated) one or several of the following devices (authenticators) depending on the event; biometric finger prints, voice prints, retina scans, numeric codes, a unique password, portable tokens some with bar or QR codes, facial scan or a graphic image with pre-defined phrase (something known), PIV, mag-strip-smartcard or a bank issued smart EMV card along with a smart watch and glasses. The foundation is set for developing a personal Identity with a user defined, body network of digitally connected ‘smart’ things and sensors compiled of identifiers, user controlled, which creates an authenticated user attribute profile that securely interfaces with their identity ecosystem. Using two or more of these factors together provides a much stronger identity verification process than just a password alone. This process keeps information safe by requiring the user to enter a second layer of security, usually in the form of a generated number, or other factors, before accessing a protected application. Because the second authentication is independent from the username and password, if user’s password is stolen, the web application using two-factor authentication is safe from attempted hackers. If at any time a user questions an unusual activity or an elevated risk, they can add a third form factor. In light of internet activity noted in 0010 the need to enhance privacy and security for consumers and patients, the digital market is converting to Multi-Factor Authentication where 2 or more factors could be used and directly linked to a user’s primary mobile hub device such as a smartphone, possibly a laptop. All validated form factors already have a preassigned unique identifier.

“It is important to note that the same Multi-Factor Authentication process detailed above may be used by the same authenticated user in granting access to their defined or general PII and or PHI based the 3^rd party’s digital credentials. OTP’s can be granted by the user for defined pre-approved access times or based on a condition such as a not responding user/patient, an environmental event such a FEMA emergency, a healthcare compliance monitoring schedule, coordinating a plan of care, patient safety issues or a user defined event.

“Consider a process that may include: Part 1, One time Password (OTP) where the user provides the password/code: An authenticated user is seeing a medical specialist for the first time and elects to grant permission to the doctor to review the user’s medical records for the past twelve months, read only, by providing the Doctor a One-Time-Password (OTP): generating a digital security element. Several months later the user plans to take a cross country trip and during the travel time the user wants to provide the companion a functional password for a time-specific period just in case of an untimely event. The Companion should have an equivalent authenticated identity, preferably with an equal trust value and both user and companion must execute an authorization consent document.

“Part 2 may comprise User Receives a One Time Password (OTP) or code request. In dealing with financial transactions or exchanging confidential information, a sending third party electronic funds transfer entity elects to elevate the security level on a secure transaction and in order for the user to ‘access-to-a-transaction’, even though the authenticated user is in good standing, the user must respond to a one-time password event. The sender notifies the user that he is going to be sending the user an OTP or code within the next minute and the user will have up to 3 minutes to respond or the transaction is suspended. The sender sends the digital security notice and the user responds within the time allotted.

“A system and method for adding participants and licensed professionals to a user’s network of relationship groupings, a user ecosystem, is an important feature of the teachings of the present invention, and is hereafter further described, by way of example.

“Another registry is established for licensed emergency healthcare providers and institutions, so that their credentials, qualifications, and access privileges can be independently verified real time via a third-party source (policy and procedures) and that such validation will enable them to access the emergency medical data registry at local, regional, or national FEMA emergency events. Among the healthcare workers and institutions who may enroll are licensed and credential EMTs, physicians, nurses, hospitals, trauma centers, ambulance, walk-in urgent care clinics, EVAC and AIRVAC networks, attorneys, and therapists, although these are not intended as limitations.”

The claims supplied by the inventors are:

“1. A computer implemented method for providing an authenticated digital identity of a user, the method comprising: electronically receiving identifiable attributes of a user; electronically verifying authenticity of the identifiable attributes; validating at least a portion of the identifiable attributes by confirming each respectively matches a corresponding evidenced based identifiable attribute; assigning an internal identifier to each of the validated identifiable attributes; permitting access only by the user or designee thereof to the identifiable attributes having the internal identifiers; assigning an external identifier to each of those identifiable attributes that were not validated; determining a level of confidence from a ranking of the identifiable attributes, wherein the identifiable attributes having the internal identifiers provide a greater level of confidence than the identifiable attributes having the external identifiers; forming an authenticated digital identity from the identifiable attributes; and establishing a level of confidence therefor from the ranking of thereof.

“2. The computer implemented method according to claim 1, further comprising: designating a level of trust for the authenticated digital identity based on the level of confidence; and permitting access to the authenticated digital identity based on the level of trust.

“3. The computer implemented method according to claim 1, further comprising assigning an external identifier to a smart device resulting from privacy and consent restrictions set by the user, wherein the smart device has access only to the authenticated digital identity, and wherein the smart device does not have a general access granted to the identifiable attributes of the user.

“4. The computer implemented method according to claim 3, further comprising tagging the smart device with a numeric label for allowing the smart device to access the authenticated digital identity, wherein the numeric label is preregistered to the smart device using an external identifier and has a designated level of trust.

“5. The computer implemented method according to claim 4, wherein the tagging comprises assigning an Internet Protocol Version 6 (IPv6) address limited to a digital certificate.

“6. The computer implemented method according to claim 3, further comprising: assigning an external application identifier to a smart device application; and binding the smart device application to the smart device by a credentialed service provider for accessing the authenticated digital identity using the smart device.

“7. The computer implemented method of claim 3, wherein the smart device external identifier assigning comprises assigning an external identifier to a hub device of the user, and wherein a secondary smart device communicating with the hub device has an external identifier assigned thereto.

“8. The computer implemented of claim 3, further comprising binding the smart device with a privacy classification resulting in the user being anonymous.

“9. The computer implemented method according to claim 1, further comprising: providing user privacy selection options for protecting the identifiable attributes based on features, functions and access roles therefor; and identifying a type of the identifiable attribute permitted to be shared, with whom, and in what time frame.

“10. The computer implemented method of claim 1, wherein the verifying is made through a first independent party, and wherein the validating is made through at least one of a second independent party and the first independent party.

“11. The computer implemented method of claim 10, wherein at least one of the first and second independent parties is a notary.

“12. The computer implemented method of claim 1, further comprising the user accessing the identifiable attributes via a trust service platform, the trust service platform providing a digital user portal for access thereto.

“13. The computer implemented method of claim 1, further comprising electronically providing the identifiable attributes and their related identifiers to a relying party for authorizing access to and transactions therewith, wherein the relying party performs gatekeeping functions.

“14. The computer implemented method of claim 13, wherein the providing step comprises providing a QR Code representative of the identifiable attributes and their related identifiers.

“15. The computer implemented method of claim 1, further comprising: assigning a coded value to each of the identifiable attributes; and storing the identifiable attributes and the coded values in a registry for providing functionality of the identifiable attributes and portability of the authenticated digital identity of the user.

“16. The computer implemented method of claim 1, further comprising: creating a registry having at least a portion of the identifiable attributes and related identifiers stored therein; selecting attributes from the registry; creating at least one unique profile from the selected attributes; and assigning an identifier to the at least one profile.

“17. The computer implemented method of claim 1, further comprising: creating a trust registry; storing only blinded authenticated attributes and related identifiers therein; encrypting the identifiers and their related attributes; designating a globally unique identifier for the registry for access by a preselected community; and requiring multifactor authentication for access to the registry, thus providing a blind identity trust registry.

“18. The computer implemented method according to claim 1, wherein the validating step comprises receiving confirmation of the evidenced based identifiable attribute from a regulated third party.

“19. The computer implemented method according to claim 1, further comprising: providing a smart device; recognizing the smart device by the Federal Communications Commission, wherein the smart device provides a secure digital internet communication between government agencies and private sectors; and assigning an internal identifier to the smart device for permitting the smart device to recognize the identifiable attributes that have been validated, thus the smart device serves as a personal identifier enabling the smart device to serve as a hub for the user.

“20. The computer implemented method according to claim 1, wherein the identifiable attributes receiving step comprises receiving at least one of a biometric, a device, a thing, an application, an object, a subject, an event, a policy, a rule, a privilege, a guideline, a signal from a device, and a personal recognition datum.

“21. The computer implemented method according to claim 1, wherein the step of determining a level of confidence for the authenticated digital identity from the ranking of the identifiable attributes comprises establishing a credential strength of the identifiable attributes from knowledge-based evidence of the user.

“22. A computer implemented method for providing an authenticated digital identity of a user, the method comprising: electronically receiving identifiable attributes of a user; providing user privacy selection options for protecting the identifiable attributes based on features, functions and access roles therefor; identifying a type of identifiable attribute permitted to be shared, with whom, and in what time frame; electronically verifying authenticity of the identifiable attributes; validating at least a portion of the identifiable attributes by confirming each respectively matches a corresponding evidenced based identifiable attribute; assigning an internal identifier to each of the validated identifiable attributes; only permitting access by the user or a designee thereof to the identifiable attributes having the internal identifiers; assigning an external identifier to each of those identifiable attributes that were not validated; determining a level of confidence from a ranking of the identifiable attributes, wherein the identifiable attributes having the internal identifiers provide a greater level of confidence than the identifiable attributes having the external identifiers; forming an authenticated digital identity from the identifiable attributes, and establishing a level of confidence therefor from the ranking thereof; assigning an external identifier to a smart device resulting from privacy and consent restrictions set by the user; and providing access to the authenticated digital identity by the smart device.

“23. The computer implemented method of claim 22, further comprising: designating a level of trust from the level of confidence for permitting access to the authenticated digital identity; establishing a level of trust for the smart device; and permitting access to the authenticated digital identity by the smart device based on the level of trust of the smart device being at least the level of trust permitting access to the authenticated digital identity.

“24. The computer implemented method according to claim 22, further comprising tagging the smart device with a numeric label for allowing the smart device to access the authenticated digital identity, wherein the numeric label is preregistered to the smart device using an external identifier and has a designated level of trust.

“25. The computer implemented method according to claim 22, wherein the identifiable attributes receiving step comprises receiving at least one of a biometric, a device, a thing, an application, an object, a subject, an event, a policy, a rule, a privilege, a guideline, a signal from a device, and a personal recognition datum.”

There are additional claims. Please visit full patent to read further.

URL and more information on this patent application, see: Kragh, James F. Method For Providing An Authenticated Digital Identity. Filed May 27, 2021 and posted September 16, 2021. Patent URL: https://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PG01&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.html&r=1&f=G&l=50&s1=%2220210286868%22.PGNR.&OS=DN/20210286868&RS=DN/20210286868

(Our reports deliver fact-based news of research and discoveries from around the world.)