🤖 AI Summary
This work addresses the privacy risks associated with the reuse of patient identifiers in healthcare systems by proposing a patient-centric identity management framework. The framework innovatively integrates anonymous pseudonyms with a conditional traceability mechanism and is grounded in a security architecture built upon a hardware-rooted trust anchor. Through rigorous evaluation—including MSRA architectural analysis, formal verification, and simulation-based assessment—the study demonstrates that the proposed approach is both feasible and secure under typical clinical workflow latency constraints. It effectively balances stringent privacy protection, regulatory compliance, and operational efficiency in real-world medical environments.
📝 Abstract
Effective healthcare delivery depends on accurate longitudinal health records and addressing patients' concerns regarding the privacy of their information. While patient authentication is essential, reusing patient identifiers exposes individuals to linkability (associating multiple visits) and traceability (tying visits to real-world identities) risks. This paper presents a privacy-preserving, patient-centric identity management framework specifically tailored to the operational and regulatory requirements of healthcare. The framework balances operational reliability with strong privacy protections through a rooted trust anchor, anonymous pseudonyms, and a conditional traceability mechanism. It is formally specified, and its security and privacy properties are evaluated through MSRA-based architectural analysis and complementary formal verification. Simulation-based evaluation demonstrates that the framework's identity workflows are operationally feasible within the latency bounds typical of clinical environments.
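To make the two risks named in the abstract concrete, the following is an added illustration and not code from the paper: it models per-visit pseudonyms that are unlinkable to an outside observer, together with a trustee-held key that makes tracing back to the real identity possible only under the trustee's control. The paper does not specify its pseudonym construction; the HMAC-based escrow tag, the in-memory trustee key (standing in for the hardware-rooted trust anchor) and the patient registry used here are assumptions chosen for the example.

```python
import hmac
import hashlib
import secrets
from typing import List, Optional, Tuple

# Constructed sample: the trustee's tracing key. In the framework the abstract
# describes, such a secret would sit behind a hardware-rooted trust anchor;
# here it is a plain in-memory value, which is an assumption for illustration.
TRUSTEE_KEY = secrets.token_bytes(32)


def _escrow_tag(pseudonym: str, patient_id: str, trustee_key: bytes) -> str:
    """Keyed binding between a pseudonym and a real identity (assumed design)."""
    msg = f"{pseudonym}|{patient_id}".encode()
    return hmac.new(trustee_key, msg, hashlib.sha256).hexdigest()


def issue_pseudonym(patient_id: str, trustee_key: bytes = TRUSTEE_KEY) -> Tuple[str, str]:
    """Return (pseudonym, escrow_tag) for a single visit.

    The pseudonym is fresh randomness, so two visits by the same patient carry
    no common value: an observer who sees only pseudonyms cannot link them.
    The escrow tag binds the pseudonym to the real identity under the trustee
    key; without that key the tag reveals nothing, which is what makes
    traceability conditional rather than automatic.
    """
    pseudonym = secrets.token_hex(16)
    return pseudonym, _escrow_tag(pseudonym, patient_id, trustee_key)


def is_linkable(pseudonym_a: str, pseudonym_b: str) -> bool:
    """Linkability as an outsider sees it: two visits can be associated only
    if the pseudonyms themselves coincide, which fresh randomness prevents."""
    return pseudonym_a == pseudonym_b


def trace(pseudonym: str, tag: str, registry: List[str],
          trustee_key: bytes = TRUSTEE_KEY) -> Optional[str]:
    """Conditional traceability: only a holder of the trustee key can recompute
    the tag for each registered identity and find the one that verifies.
    Returns the matching identity, or None if the tag verifies for nobody
    (including when the wrong key is used)."""
    for patient_id in registry:
        expected = _escrow_tag(pseudonym, patient_id, trustee_key)
        if hmac.compare_digest(expected, tag):
            return patient_id
    return None


if __name__ == "__main__":
    # Constructed sample registry and two visits by the same patient.
    registry = ["patient-7", "patient-42"]
    p1, t1 = issue_pseudonym("patient-42")
    p2, t2 = issue_pseudonym("patient-42")
    print("visit 1 pseudonym:", p1)
    print("visit 2 pseudonym:", p2)
    print("linkable without trustee key:", is_linkable(p1, p2))
    print("traced by trustee:", trace(p1, t1, registry))
    print("traced with wrong key:", trace(p1, t1, registry, trustee_key=b"\x00" * 32))
```

The point the example isolates is that unlinkability and conditional traceability come from two different ingredients: randomness in the pseudonym defeats correlation across visits, while the keyed tag concentrates the ability to re-identify in whoever controls the trustee key, so protecting that key (the role of the rooted trust anchor in the paper) is what keeps traceability conditional.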