The Blinded Master Patient Index (BMPI) groups disparate health records belonging to the same individual in a privacy-preserving manner. The BMPI allows you to upload patient records and then:

  • Find all records from your own source system(s) belonging to the same individual (Enterprise MPI).
  • Find whether partner institutions (also using the BMPI) have uploaded records for the same individual, without unnecessary PII exchange (privacy-preserving record linkage).

BMPI Records

When you upload records to the BMPI, you specify a source system and an internal, source-specific identifier associated with that record.

The BMPI associates (or “links”) records via a proprietary algorithm that takes into account subtle differences in formatting (e.g., “1 Main Street” vs “1 Main St.” or “O’Hare” vs “O Hare”), common transpositions, name variations, case variations, and other real-world scenarios.

In the unlikely event that you discover improperly-linked records, you can provide manual matching guidance to correct the link.

Person IDs

The system assigns a stable Person ID for each unique individual identified. This Person ID is associated with all records for that individual, irrespective of source system.

There are two primary ways to query the BMPI for records associated with an individual:

Retired Records

Due to data updates or record merges, it is possible for Person IDs to become obsolete. When this happens, the Person ID is marked as retired and any records re-associated with other Person IDs. Querying a retired Person ID will indicate that its status is retired, along with the record that superseded it.

Privacy-Preserving (Blinded) Mode

Within the BMPI, demographic data is cryptographically hashed upon submission. Only the hashed version is stored, and subsequent operations are performed only on the hashed data.

Some clients seeking additional security may not want to submit clear text data to the system at all. In this case, a local hashing service is available. This service, running on a local, highly secure system, can perform the same cryptographic hashing completely independent of the BMPI. Then, the client can use the “blinded” versions of the add/update or match operations to interact with the system using only hashed/blinded data.