Inspiration
- Migrant workers face fragmented care across states, paper-based records, and language barriers; a portable, privacy-preserving card with verifiable records restores continuity and trust.
- Pandemic-era verifiable credentials showed that QR-based, digitally signed health artifacts can be both secure and usable at scale.
What it does
- Issues a SMART HEALTH CARD (physical QR + digital wallet entry) bound to a PS-HID that enables fast, consented access to a person’s longitudinal health history anywhere.
- Ensures integrity and provenance with a permissioned ledger that stores only immutable proofs and consent artifacts while keeping all clinical data encrypted off-chain.
- Provides patient notifications and multilingual voice guidance after visits, and generates de-identified signals for real-time public health intelligence.
How we built it
- Identity and biometrics: Certified fingerprint/iris capture with liveness; raw captures are converted to cancelable templates and then hashed; only the hash is stored, never raw biometrics.
- Data model and interop: Clinical data serialized as FHIR Bundles (Patient, Encounter, Condition, Observation, MedicationRequest, DiagnosticReport, DocumentReference); a canonical JSON hash is computed for integrity.
- Backend services:
  - Registration issues the PS-HID and prints the QR SMART HEALTH CARD.
  - Consent service mints signed consent artifacts with scope, purpose, and TTL; exposes revocation and a full audit trail.
  - Records service validates FHIR, encrypts payloads, stores blobs, and writes ledger anchors (recordHash, prevHash, consentId).
  - Access service performs the biometric match and the explicit consent check, issues a short-lived token, retrieves pointers from the ledger, decrypts off-chain payloads, and renders to the HCP portal.
- Ledger layer: Permissioned blockchain with private data collections and endorsement policies; only non-PII anchors and consent references go on-chain; sensitive inputs pass via transient fields.
- Storage and crypto: Encrypted object storage (per-record DEKs wrapped by KMS/HSM); PostgreSQL for profiles, biometric hashes, consents, and audits; provider-signed clinical bundles verified on read.
- Notifications and TTS: Data-minimal push; encrypted multilingual audio summaries available via short-lived URLs; the app never stores PHI persistently.
- Analytics: Anonymized event stream with k-anonymity and differential privacy; time-series and spatial models generate outbreak alerts without handling raw identifiers.
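The records, consent and access services above, as an added worked example that is not the project's own code: canonical JSON hashing of a FHIR Bundle, a consent artifact carrying scope, purpose and TTL, a hash-chained ledger anchor (recordHash, prevHash, consentId), and the access-time check that ties the three together. Assumptions: HMAC-SHA256 with a hard-coded demo key stands in for the KMS/HSM-backed signature; the bundle is a constructed sample; canonicalization is sorted-key compact JSON, a simplification of RFC 8785 JCS (which additionally pins number serialization).

```python
import hashlib
import hmac
import json
import time

# Constructed sample FHIR Bundle for the demo; not a real patient record.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "collection",
    "entry": [
        {"resource": {"resourceType": "Patient", "id": "p1", "name": [{"family": "Doe"}]}},
        {"resource": {"resourceType": "Observation", "id": "o1", "status": "final",
                      "code": {"text": "Body temperature"},
                      "valueQuantity": {"value": 38.2, "unit": "Cel"}}},
    ],
}

# Hypothetical consent-service key; the real design keeps this in a KMS/HSM.
CONSENT_KEY = b"consent-service-demo-key"
GENESIS = "0" * 64  # prevHash of the first anchor


def canonical_hash(obj) -> str:
    """SHA-256 over a canonical JSON form: sorted keys, no insignificant whitespace, UTF-8.
    Simplified RFC 8785 JCS; sufficient for dict/list/str/int/float payloads as used here."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sign(body: dict) -> str:
    """Stand-in for an HSM signature: HMAC-SHA256 over the canonical hash of the body."""
    return hmac.new(CONSENT_KEY, canonical_hash(body).encode(), hashlib.sha256).hexdigest()


def mint_consent(patient_id: str, scope, purpose: str, ttl_seconds: int, now=None) -> dict:
    """Consent artifact with scope, purpose and an absolute expiry derived from the TTL."""
    now = int(time.time() if now is None else now)
    body = {"consentId": f"c-{patient_id}-{now}", "patientId": patient_id, "scope": sorted(scope),
            "purpose": purpose, "issuedAt": now, "expiresAt": now + ttl_seconds}
    return {"body": body, "sig": sign(body)}


def consent_valid(artifact: dict, needed_scope: str, now: int, revoked=frozenset()) -> bool:
    """Signature, revocation list, expiry and scope are all checked; any failure denies."""
    body = artifact["body"]
    if not hmac.compare_digest(sign(body), artifact["sig"]):
        return False
    if body["consentId"] in revoked or now >= body["expiresAt"]:
        return False
    return needed_scope in body["scope"]


def append_anchor(chain: list, record_hash: str, consent_id: str) -> dict:
    """Ledger anchor: only hashes and the consent reference go on-chain, never PHI."""
    prev = chain[-1]["anchorHash"] if chain else GENESIS
    fields = {"recordHash": record_hash, "prevHash": prev, "consentId": consent_id}
    anchor = dict(fields, anchorHash=canonical_hash(fields))
    chain.append(anchor)
    return anchor


def verify_chain(chain: list) -> bool:
    """Every anchor must hash to its anchorHash and point at the previous anchor."""
    prev = GENESIS
    for a in chain:
        fields = {k: a[k] for k in ("recordHash", "prevHash", "consentId")}
        if a["prevHash"] != prev or a["anchorHash"] != canonical_hash(fields):
            return False
        prev = a["anchorHash"]
    return True


def read_allowed(anchor: dict, bundle: dict, consent: dict, now: int, revoked=frozenset()) -> bool:
    """Access-service decision after a biometric match: the consent bound to the anchor must
    still be valid for a read, and the decrypted off-chain payload must match the anchored hash."""
    return (consent["body"]["consentId"] == anchor["consentId"]
            and consent_valid(consent, "read", now, revoked)
            and canonical_hash(bundle) == anchor["recordHash"])


def demo() -> dict:
    t0 = 1_700_000_000
    consent = mint_consent("p1", {"read", "write"}, "treatment", ttl_seconds=900, now=t0)
    chain = []
    anchor = append_anchor(chain, canonical_hash(SAMPLE_BUNDLE), consent["body"]["consentId"])
    tampered = json.loads(json.dumps(SAMPLE_BUNDLE))
    tampered["entry"][1]["resource"]["valueQuantity"]["value"] = 36.6  # altered off-chain payload
    return {
        "chain_ok": verify_chain(chain),
        "fresh_read": read_allowed(anchor, SAMPLE_BUNDLE, consent, t0 + 60),
        "expired_read": read_allowed(anchor, SAMPLE_BUNDLE, consent, t0 + 901),
        "tampered_read": read_allowed(anchor, tampered, consent, t0 + 60),
        "revoked_read": read_allowed(anchor, SAMPLE_BUNDLE, consent, t0 + 60,
                                     revoked={consent["body"]["consentId"]}),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the last three checks: a consent that has expired or been revoked, or a stored blob that no longer hashes to its anchor, all fail closed at read time, which is what makes the off-chain storage trustworthy despite the ledger holding no clinical data.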
Challenges we ran into
- Balancing privacy with utility: Keeping PHI off-chain while still producing verifiable, low-latency access required careful pointer design, hashing, and private collections.
- Consent UX in clinical flow: Ensuring explicit, session-scoped consent without slowing care; solved with streamlined UI, short-lived tokens, and cached consent artifacts within TTL.
- Biometrics security: Achieving revocability and unlinkability demanded cancelable templates, domain-separated keys, and strict liveness detection.
- Interoperability: Mapping diverse clinical payloads to FHIR profiles and validating them reliably in real time.
- Performance tuning: Hitting sub-2-second end-to-end retrieval meant optimizing ledger queries, CouchDB indexes, blob fetch/decrypt paths, and device-side biometric matching.
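The biometrics challenge above (cancelable templates, domain-separated keys, revocability, unlinkability), as an added example that is not the project's code. It assumes the capture SDK emits a stable, quantized template so that an exact keyed-hash comparison is possible; a fuzzy template would instead need a fuzzy extractor or a matcher that operates in the transformed domain. The master key, domain labels and PS-HID values are hypothetical.

```python
import hashlib
import hmac

# Hypothetical master key for the demo; the real design would keep it in the KMS/HSM.
MASTER_KEY = b"demo-master-key-not-for-production"


def domain_key(master: bytes, domain: str, version: int) -> bytes:
    """Domain separation: one derived key per deployment and key version, so tokens from
    different domains are unlinkable and a version bump invalidates every old token."""
    label = f"smart-health-card/biometric-template|{domain}|v{version}".encode()
    return hmac.new(master, label, hashlib.sha256).digest()


def cancelable_token(template: bytes, master: bytes, domain: str, version: int) -> str:
    """Keyed hash of the (stable, quantized) template. Only this token is ever stored."""
    return hmac.new(domain_key(master, domain, version), template, hashlib.sha256).hexdigest()


class TemplateStore:
    """Per-domain store of cancelable tokens keyed by PS-HID; raw templates are never persisted."""

    def __init__(self, master: bytes, domain: str):
        self.master, self.domain, self.version = master, domain, 1
        self.tokens = {}

    def enroll(self, ps_hid: str, template: bytes) -> str:
        token = cancelable_token(template, self.master, self.domain, self.version)
        self.tokens[ps_hid] = token
        return token

    def match(self, ps_hid: str, template: bytes) -> bool:
        stored = self.tokens.get(ps_hid)
        if stored is None:
            return False
        probe = cancelable_token(template, self.master, self.domain, self.version)
        return hmac.compare_digest(stored, probe)  # constant-time comparison

    def revoke(self, ps_hid: str) -> None:
        """Revoke one person's token, for example after a compromised capture device."""
        self.tokens.pop(ps_hid, None)

    def rotate_key(self) -> None:
        """Cancel every token at once: new key version, everyone re-enrolls on the next visit."""
        self.version += 1
        self.tokens.clear()


def demo() -> dict:
    # Constructed stand-ins for quantized fingerprint templates (stable bit strings from the SDK).
    alice = bytes.fromhex("a3f1" * 16)
    bob = bytes.fromhex("5c0e" * 16)
    clinic_a = TemplateStore(MASTER_KEY, "clinic-a")
    clinic_b = TemplateStore(MASTER_KEY, "clinic-b")
    token_a = clinic_a.enroll("PSHID-0001", alice)
    token_b = clinic_b.enroll("PSHID-0001", alice)
    genuine = clinic_a.match("PSHID-0001", alice)
    clinic_a.rotate_key()
    after_rotate = clinic_a.match("PSHID-0001", alice)
    clinic_a.enroll("PSHID-0001", alice)
    return {
        "genuine_match": genuine,
        "impostor_match": clinic_b.match("PSHID-0001", bob),
        "unlinkable_across_domains": token_a != token_b,
        "match_after_rotation_without_reenroll": after_rotate,
        "match_after_reenroll": clinic_a.match("PSHID-0001", alice),
    }


if __name__ == "__main__":
    print(demo())
```

Two properties are worth checking explicitly: the same template enrolled in two domains yields tokens that cannot be correlated without both domain keys, and a key rotation alone is enough to cancel every outstanding token, which is the revocability the design needs when a template is suspected leaked.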
Accomplishments that we're proud of
- End-to-end pilot: Issued PS-HIDs and SMART HEALTH CARDS, enabled cross-facility record retrieval with explicit consent, and anchored encounters immutably.
- Strong privacy posture: No raw biometrics stored; no PHI on-chain; per-record encryption with HSM-backed keys; transparent, patient-facing audit trails.
- Clinically usable latency: Sub-2s record retrieval with <5s ledger finality; multilingual notifications that improved comprehension for low-literacy users.
- Public health value: Near real-time, privacy-preserving trend and cluster alerts using de-identified event streams.
What we learned
- Consent must be explicit, granular, and understandable; biometrics can initiate authentication, but consent needs a clear scope and duration with easy revocation.
- On-chain minimalism is key; storing only proofs, hashes, and consent references avoids scalability and confidentiality pitfalls while preserving verifiability.
- FHIR rigor pays off; strict validation and canonical hashing improved interoperability, deduplication, and downstream analytics quality.
- Operability matters: device attestation, mTLS, and zero-trust networking reduced operational risk without compromising clinic throughput.
What’s next for SMART HEALTH CARD
- Interoperability and certification: Expand FHIR profiles and certify exchanges with national consent gateways; map PS-HID to federated health IDs where applicable.
- Ecosystem scale-out: Add labs, pharmacies, and mobile clinics as permissioned peers; refine private data collections for bilateral exchanges.
- Privacy and crypto hardening: HSM-only keys, periodic rotations, confidential computing for decryption, and attribute-based encryption for role-scoped reads.
- Product evolution:
  - Patient app: offline-first QR, caregiver/delegate access, consent presets, and multilingual education.
  - Clinician UX: SMART-on-FHIR launch in EMRs, CDS Hooks for alerts, and e-prescription integration.
- Analytics roadmap: Seasonality-aware models, spatial scan statistics, and advanced differential privacy for sparse geographies; publish de-identified research datasets under governance.
- Reliability and governance: Consortium governance (endorsement policies, SLAs, incident response), chaos testing, DR drills, and continuous compliance monitoring.
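The de-identified analytics path (the anonymized event stream with k-anonymity and differential privacy under "How we built it", and the sparse-geography hardening on the analytics roadmap), as an added example in plain Python rather than the project's TensorFlow models, and not the project's code. The events are constructed; the district codes and syndrome labels are hypothetical. The ordering matters: noise is added first and the k threshold is applied to the noisy count, because suppressing on the true count would leak the suppression decision itself.

```python
import math
import random
from collections import Counter

# Constructed de-identified events (district, week, syndrome); no identifiers are present.
EVENTS = (
    [("D1", 1, "fever")] * 5 + [("D1", 2, "fever")] * 20
    + [("D2", 1, "fever")] * 2 + [("D2", 2, "fever")] * 2
    + [("D3", 1, "cough")] * 4 + [("D3", 2, "cough")] * 6
)


def aggregate(events) -> dict:
    """Counts per (district, week, syndrome) cell: the only statistic the analytics tier sees."""
    return dict(Counter(events))


def laplace(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) sample via the inverse CDF."""
    u = rng.random() - 0.5
    u = max(u, -0.5 + 1e-12)  # guard log(0) if random() returns exactly 0.0
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def dp_release(counts: dict, epsilon: float, k: int, rng: random.Random) -> dict:
    """Add Laplace(1/epsilon) noise to each cell (each person contributes to one cell, so the
    sensitivity is 1), then publish only cells whose noisy count reaches k."""
    released = {}
    for cell, count in counts.items():
        noisy = int(round(count + laplace(1.0 / epsilon, rng)))
        if noisy >= k:
            released[cell] = noisy
    return released


def spike_alerts(released: dict, week: int, factor: float = 2.0, min_cases: int = 5) -> list:
    """Flag (district, syndrome) pairs whose released count at least doubled week over week.
    A pair whose previous week was suppressed is treated as a new cluster (previous = 0)."""
    alerts = []
    for (district, w, syndrome), n in sorted(released.items()):
        if w != week or n < min_cases:
            continue
        prev = released.get((district, week - 1, syndrome), 0)
        if n >= factor * prev:
            alerts.append((district, syndrome))
    return alerts


def demo(epsilon: float = 1.0, seed: int = 7) -> dict:
    counts = aggregate(EVENTS)
    released = dp_release(counts, epsilon, k=3, rng=random.Random(seed))
    return {"counts": counts, "released": released, "alerts": spike_alerts(released, week=2)}


if __name__ == "__main__":
    print(demo())
```

With a realistic epsilon the released counts wobble from run to run and the D2 cells (two cases each) will usually stay hidden; with a very large epsilon the release converges on the true counts above k, which is a convenient way to unit-test the pipeline without asserting on random noise.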
Built With
- blockchain
- postgresql
- react
- tailwind
- tensorflow