Provider-patient bubble architecture with cross-bubble re-authorization. Patient retains key custody across care transitions.
Filed · Patent pending
ABT methodology family · variant ABT-M · medical records
A patient whose oncologist can't read the cardiology notes
How department-scoped bubble keys enforce minimum-necessary access across care transitions — and why cross-department sharing requires explicit patient re-authorization.
US Provisional Patent 64/056,353 · Filed May 4, 2026 · sidratnam.com/abt/
Each care bubble holds only its tier projection · Cross-bubble access requires patient re-authorization · No department key reads another department's records
Yusuf Ibrahim — a cardiology encounter
Ibrahim presents to Regional Hospital cardiology. His health record envelope is constructed with department-scoped bubble keys. Cardiology holds its tier key. Oncology holds a separate, independent tier key.
Patient · first party
Yusuf Ibrahim
hk_ibrahim — root health key
Constructs department projections
Authorizes cardiology access
cardiology projection →
Cardiology dept.
Regional Hospital — Cardiology
Holds cardiology bubble key
Decrypts cardiology projection
Oncology tier: sealed
Health record envelope · hk_ibrahim · encounter_c8d2
patient_idYI-4417
encounterencounter_c8d2 · cardiology · 2025-03-14
cardiology_tierECG findings · medication list · cardiac risk assessment
oncology_tier[ encrypted to oncology bubble key · sealed to cardiology ]
The oncology tier exists but is empty at this encounter. The envelope architecture supports future oncology projection. At this stage no oncology data has been recorded. The cardiology bubble key can read the cardiology tier. It cannot read a tier key that does not belong to cardiology — even if a projection were present.
Cardiology records the encounter
The attending cardiologist records findings, prescribes medication, updates the cardiac risk assessment. All data is written into the cardiology tier. The oncology tier key is not involved.
Cardiology tier · encounter_c8d2 (decrypted by cardiology bubble key)
diagnosisHypertension stage II · stable arrhythmia
ECGMild ST-segment depression · QTc 432ms
medicationsMetoprolol 50mg · Lisinopril 10mg
risk_scoreASCVD 10yr risk: 8.4%
oncology_tier[ not in scope for cardiology bubble key ]
Cardiology's full encounter record is held within its bubble. If oncology later requests Ibrahim's cardiac history, it cannot read it directly — regardless of whether the two departments are in the same hospital system. Cross-bubble access requires Ibrahim's explicit re-authorization.
Oncology referral — new encounter, new bubble
Six weeks later, Ibrahim presents to the oncology department. An oncologist detects a suspicious finding and requests access to his cardiac history to assess treatment compatibility. This is a cross-bubble request.
Oncology dept.
Regional Hospital — Oncology
Holds oncology bubble key
Can read oncology tier only
Cannot read cardiology tier
cross-bubble access request →
Patient · first party
Yusuf Ibrahim
Must authorize cross-bubble projection
Constructs cardiac summary
Scoped to oncology encounter only
The request goes to Ibrahim, not to cardiology. Oncology cannot request cardiology records from the cardiology department — the cardiology bubble key is not held by oncology. The request is routed to Ibrahim, who is the only party capable of authorizing a cross-bubble projection from the cardiology tier to the oncology tier.
Ibrahim re-authorizes — a scoped cardiac summary projection
Ibrahim reviews the oncology request on his device and authorizes a scoped cardiac summary. He constructs a cross-bubble projection: a subset of his cardiac record, authored for oncology's bubble key, scoped to treatment-relevant fields only.
cross_bubble_projection:
from_tier: cardiology · encounter_c8d2
to_tier: oncology bubble key
scope: treatment_compatibility (cardiac medications + risk score)
excluded: full ECG data · detailed ST analysis
authorized_by: hk_ibrahim (patient signature)
valid_for: onco_encounter_f1a9 only
expires: 30 days
Ibrahim controls the scope of the cross-bubble projection. He authorizes cardiac medication history and risk score for treatment compatibility. He does not authorize the full ECG record. Oncology receives what Ibrahim chose to share, scoped to the specific encounter, for a defined period.
Oncology reads the scoped projection
Oncology's bubble key decrypts the cross-bubble projection. It sees the cardiac fields Ibrahim authorized. It cannot see the full ECG record. It cannot access any future cardiology encounters without a new authorization.
full_cardiology_record[ cardiology tier · not accessible to oncology bubble key ]
other_encounters[ prior and future cardiology encounters: not in scope ]
This projection expires in 30 days. After expiry, oncology cannot re-read the cross-bubble fields without a new authorization from Ibrahim. The projection is scoped to this encounter, not to a standing entitlement to Ibrahim's cardiac record.
Minimum necessary — enforced by structure
Oncology selects a chemotherapy protocol compatible with Ibrahim's cardiac profile. The protocol selection is recorded in the oncology tier. The cardiology department has no view into the oncology tier.
minimum_necessary_check:
oncology received: cardiac_medications + ASCVD_risk + QTc
oncology did NOT receive: full ECG · detailed ST-segment data · prior cardiology encounters
cardiology received from oncology: nothing
cross-bubble reads: 1 (authorized by patient)
standing access granted: none
HIPAA_minimum_necessary: satisfied by structural scope limit
access_log: AUTH-IBR-2025-0031 · encounter_c8d2→onco_encounter_f1a9 · hash-chained
Neither department can read the other's full record. Cardiology cannot see Ibrahim's cancer workup. Oncology cannot see Ibrahim's complete ECG archive. Cross-bubble access was scoped to three fields, for one encounter, for 30 days — chosen by Ibrahim. The minimum necessary standard is enforced not by a policy that can be overridden, but by the cryptographic scope of the cross-bubble projection.