cTAKES USDHUBClinician documentation
Multi-site useComparable local extractionComparable local extraction only

Each hospital runs the same extraction without sending its notes to the other hospital

The wrapper makes the local cTAKES result comparable. The study still has to define what may leave each site and supply the training, coordination, authentication, and privacy system.

01

The same extraction runs inside each hospital

Site A has its own USDHUB note batch. Site B has a different batch. Each site keeps its source notes, SQLite database, XMI, logs, and clinician viewer in its approved environment. Both sites install the same wrapper release, dictionary bytes, recipe, schema, and WSD model.

Site A and Site B keep notes and full-note artifacts local, use the same cTAKES USDHUB analysis identity, and release only protocol-approved features or aggregates.
Figure 1. The wrapper stops at comparable local extraction and receipt generation. The protocol controls the next boundary.
02

The analysis identity includes the recipe, dictionary, schema, and WSD model

Two sites can both say “cTAKES 6.0.0” while using different dictionaries, recipes, wrapper code, SQLite schemas, or WSD settings. Those differences can change the candidates or fields before any federated model sees them.

IdentitySame across sites?Reason
release_idYesConfirms the same wrapper version, dictionary release name, and cTAKES version family.
analysis_idYesConfirms exact wrapper source, normalized recipe, dictionary DB hash, SQLite schema, and WSD model/profile.
run_idNoEach site and execution keeps its own audit identity.
Thread/heap/pathMay differResource settings can differ when they do not alter the extraction definition.
Output field headersYesBoth sites must use the same 26/34 delivery contract or the study features will not align.

analysis_id is the executable extraction definition. It is not a patient identifier and not a global batch ID.

Read the identity mechanism: scripts/release_identity.py builds the release and analysis identities, while scripts/check_run.py checks the completed local result.

03

Federated learning trains across sites without centralizing the raw records

After each site has comparable local features, a federated trainer can send a model or training task to each site. Each site calculates an approved update from its local data. A coordinator combines those updates without collecting the underlying notes.

That general design reduces central raw-data movement, but it does not automatically make the process private. Model updates, counts, rare features, small cohorts, and logs can still leak information. The study needs secure aggregation or another approved exchange, authentication, privacy accounting, minimum cohort rules, monitoring, named owners, and written study rules.

Four parts that are outside this wrapper

PartPlain-language definition
Local trainerCode that runs inside each hospital boundary, reads the approved local features, and calculates that site's model update without sending the underlying rows.
CoordinatorA service that distributes the agreed model or task, tracks eligible site rounds, combines accepted updates, and versions the resulting model.
Secure aggregationA cryptographic exchange in which the coordinator can recover an allowed aggregate, such as a sum of updates, without reading each hospital's individual update. It still needs authentication, failure rules, and an explicit threat model.
Privacy accountingThe formal record of privacy loss across releases or training rounds when a mechanism such as differential privacy is used. It is not replaced by removing note text or by keeping the trainer local.
StepcTAKES USDHUB suppliesStudy infrastructure supplies
Local source interpretationSame note-to-concept/medication extraction and receipts.Approved cohort and source-note access.
Feature definitionStable output fields and candidate evidence.The exact modeling variables, exclusions, normalization, and missing-value rules.
Local trainingNothing beyond the local extracted data.Training code, model, compute job, and update calculation.
ExchangeNothing automatically leaves the output folder.Authentication, encryption, secure aggregation or parameter exchange, and audit.
PrivacySource notes can remain local.Threat model, privacy accounting, suppression thresholds, and review.
CoordinationComparable analysis_id and local run_id.Coordinator, retry/version policy, site eligibility, and final model registry.

Review which output files still contain note text or identifiers before defining any exchange. The clinical-basics page gives the shorter orientation.

04

Full-note and identifier-bearing artifacts stay local unless the protocol explicitly permits transfer

ArtifactDefault multi-site treatmentWhy
Source .txt notesLocalFull clinical narrative and identifiers.
annotations.sqliteLocalFull notes, identifiers, concept/medication rows, and run metadata.
XMILocalFull note and complete CAS.
clinician_viewer.htmlLocalFull notes embedded in one portable file.
Concepts/drugs CSVLocal by defaultIdentifiers and original source excerpts can remain PHI.
Run receiptsShare only fields approved by protocolPaths, HubID/NoteID, counts, failures, and hashes can expose site information.
Approved aggregate/features/updateMay cross under protocolThe protocol, privacy review, and exchange system define the payload.
05

A site protocol should pin the extraction before the first cohort run

  1. Record the wrapper package hash, release_id, active dictionary manifest/database hashes, WSD model/profile hash, and expected analysis_id.
  2. Use the same strict USDHUB filename policy at every site.
  3. Use the same recipe, default WSD state, writer profile, and 26/34 field headers.
  4. Run a shared synthetic fixture and compare source spans, row identities, headers, and analysis ID.
  5. Run local representative notes and complete the agreed clinical gold review without transferring raw notes outside the approved process.
  6. Accept only batches with manifest complete and sanity pass.
  7. Keep each site’s local run_id, logs, timing, storage, and failure receipts for audit.
  8. Define the exact outbound payload, minimum cell/cohort thresholds, encryption, destination, retention, and deletion.
python3 -m json.tool /approved/usdhub/results/run_manifest.json
python3 -m json.tool /approved/usdhub/results/sanity_report.json
06

The repository does not contain the federated-training system

Implemented here

  • Local cTAKES extraction.
  • Strict input identity.
  • Versioned dictionary and WSD binding.
  • Canonical output and read-back validation.
  • Comparable analysis identity.
  • Local clinician review.

Still required outside this repo

  • Federated trainer and model code.
  • Coordinator and site enrollment.
  • Authentication and authorization.
  • Secure aggregation or approved exchange.
  • Privacy accounting and threat model.
  • Feature contract, monitoring, named owners, and study rules.
07

What the current evidence can and cannot support

ClaimCurrent support
Two sites can check whether they used the same extraction definition.Supported through exact analysis identity inputs and matching field contracts.
Raw notes can remain at the source site during extraction.Supported by local dictionary/model/JDBC runtime with no required note egress.
The wrapper itself performs federated model training.Not implemented
Matching analysis IDs prove clinical accuracy at both sites.Not supported They prove matching extraction inputs, not accuracy.
Extracted CSV rows are safe to centralize.Not automatic They can contain identifiers and note excerpts.
The current WSD model is clinically validated across sites.Not evaluated Candidate preservation and abstention are tested; clinical utility still needs gold review.