How Smart ID works
Smart ID is your identity at the Smart Health Network. It composes across three layers, with you in control of the layer that matters most.
Three layers, one identity
Smart ID composes three layers. Each layer has a distinct function, a distinct operator, and a distinct relationship to you.
Layer 1
Substrate routing
What it does: Payload-blind operation routing
Who operates it: SHN PBC operates under Smart Health Council certification
What this means for you: When something needs to flow between providers, payers, and you, Smart Health routes the request without ever reading its contents. We cannot see your data — that is enforced cryptographically, not just by policy.
Layer 2
Smart Match
What it does: Council-certified bounded service that resolves your records across multiple systems to a stable bilateral identifier (match-once-route-forever)
Who operates it: SHN PBC operates Smart Match under Smart Health Council certification. CareEvolution is the primary technology subcontractor; Verato composes via DHIN and other state HIEs; additional HIE/QHIN MPI vendors compose per catchment.
What this means for you: Your records exist at multiple providers, payers, and HIEs — often under different identifiers. Smart Match resolves them to a single match between any two participants, and that match is stable until you elect to sunset it.
Layer 3
PCI Registry
What it does: Patient-Controlled Identity Registry — where your Smart ID lives (canonical per ADR-008; Smart ID Option (c) Hybrid: biometric default + 12-word recovery passphrase)
Who operates it: Substrate-side primary; only you hold the private key. Per the NO-SHT-BACKDOOR commitment, Smart Health cannot generate or transmit your private key.
What this means for you: Your Smart ID lives here. You control it. Smart Health cannot read your records or recover your data without your authorization — by architectural design, not just by policy.
Match-once-route-forever
Once Smart Match resolves your records between two participants (say, your hospital and your insurer), the bilateral identifier is stable. Your records flow forever after on that match — without re-doing the resolution. You can sunset the match at any time per the per-patient sunset discipline.
What protects you (technical detail on each layer)
Each property below is a guarantee enforced cryptographically, not just by policy. Tap any item to see the technical detail.
Routed payload-blind — Smart Health never sees the data[How does this work?]
When a provider, payer, or AI agent needs to act on your records, Smart Health routes the request without ever reading its contents. The routing layer operates payload-blind by architectural design — Smart Health cannot read your records even if compelled. This is the NO-SHT-BACKDOOR commitment enforced cryptographically.
Substrate primitive: Substrate routing layer (Smart ID Layer 1)
Matched once across systems by a Council-certified service[How does this work?]
When your records exist across multiple providers, payers, or HIEs under different identifiers, Smart Match resolves them to a single bilateral identifier. SHN PBC operates Smart Match under Smart Health Council certification; CareEvolution is the primary technology subcontractor, with Verato (via DHIN) and other HIE/QHIN MPI vendors composing per catchment. Match-once-route-forever: once matched, the bilateral identifier is stable until you elect to sunset it.
Substrate primitive: Smart Match service (Smart ID Layer 2)
Your Smart ID lives here — only you hold the key[How does this work?]
Your Smart ID is registered at the Patient-Controlled Identity Registry. This is where Smart ID Option (c) Hybrid (biometric default + 12-word recovery passphrase) lives. The PCI Registry is canonical per ADR-008. Smart Health cannot generate or transmit your private key — that is the NO-SHT-BACKDOOR commitment enforced cryptographically.
Substrate primitive: Patient-Controlled Identity Registry (Smart ID Layer 3)
Held in your browser's secure crypto layer[How does this work?]
Your cryptographic key is held in a part of your browser that prevents the key from being copied — even by web code on the same page. The key cannot leave your device.
Substrate primitive: Non-extractable Web Crypto handle
Cleartext keys live only in your active browser session[How does this work?]
Your usable cryptographic keys exist only while your browser tab is active. When the tab closes, those keys are gone from memory; reopening requires re-authenticating.
Substrate primitive: Active-session-only crypto
Your access grant[How does this work?]
Each access you grant is signed by your Smart ID and bound to a specific request. The Smart Health Hub cannot read your data; it routes the request to the data holder and your signed grant proves you authorized it.
Substrate primitive: PPIA (PortablePatientIdentityAssertion)
Your unique cryptographic key signed by your Smart ID[How does this work?]
When you grant access, your Smart ID creates a unique signature using a cryptographic key only your browser holds. Anyone receiving the grant can verify it came from you.
Substrate primitive: ECDSA P-256 + RFC 8785 JCS + detached JWS
3 of 5 independent locations agree[How does this work?]
Every action is recorded across five independent locations. To be verified, at least three must agree. No single party (including Smart Health) can alter the record without the others detecting it.
Substrate primitive: FROST audit chain
Rendered in your browser, not on Smart Health's servers[How does this work?]
When you view your records, the rendering happens in your browser — Smart Health never holds the unencrypted version on its servers.
Substrate primitive: Pattern B (Issue #51)
The Smart Health Hub cannot read your records or recover your data without your authorization. That is enforced cryptographically across all three layers. PBC-enforced (Smart Health Network PBC operates the substrate this way) · Council-certified (the Smart Health Council certifies the architectural commitment) · Trust-advocated (the Smart Health Trust will advocate against erosion of this commitment when established).