Background

Multi-center rheumatology registries (BIOBADAMEX, CORRONA, RABBIT) hold complementary datasets that, if jointly analyzed, could transform treatment selection. However, patient-level data sharing remains prohibited by LFPDPPP, GDPR, and HIPAA. Standard federated learning mitigates this but remains vulnerable to gradient inversion attacks that can reconstruct individual patient records from shared model updates.

Hypothesis

Applying Rényi differential privacy (RDP) with per-round noise calibrated via a Rényi accountant to federated gradient updates across 3+ autoimmune registries will:

1. Preserve clinical utility — achieving AUROC ≥0.82 for biologic non-response prediction (vs. ≥0.87 in centralized pooled analysis), a clinically acceptable ≤5-point AUROC trade-off
2. Guarantee formal privacy — maintaining (ε, δ)-differential privacy with ε ≤ 3.0 and δ ≤ 10⁻⁵ over 200 communication rounds
3. Resist reconstruction — gradient inversion attacks on noised updates will fail to recover any patient record with cosine similarity > 0.3 to true records

Rationale

Rényi divergence provides tighter composition bounds than standard (ε, δ)-DP, allowing more training rounds before exhausting the privacy budget. For rheumatology specifically, the heterogeneous feature space (clinical scores, labs, imaging, genomics) makes gradient inversion harder than in imaging-only domains, suggesting that moderate noise injection (σ ≈ 0.8–1.2 per round) may preserve signal better than in other medical federated learning settings.

The key innovation is per-feature adaptive clipping: clinical scores (DAS28, CDAI, SLEDAI) have bounded ranges and can tolerate aggressive clipping (C = 1.0), while laboratory values (anti-dsDNA, CRP, complement) require wider bounds (C = 3.0–5.0). This heterogeneous clipping preserves more clinical signal per unit of privacy budget spent.

Testable Predictions

1. Federated models with RDP (ε ≤ 3.0) will achieve AUROC within 0.05 of centralized models for MTX/biologic non-response prediction across ≥3 registry sites
2. Per-feature adaptive clipping will improve AUROC by ≥0.03 compared to uniform clipping at the same privacy budget
3. Membership inference attacks on the federated model will yield advantage ≤ 0.02 above random guessing
4. Model convergence will require ≤ 40% more rounds than non-private federated learning

Experimental Design

Simulate 4-site federation using CORRONA-like synthetic data (n=5,000/site). Train gradient-boosted tree ensemble with secure aggregation + RDP. Measure: (a) downstream AUROC for biologic switch prediction, (b) privacy accounting via PRV accountant, (c) gradient inversion resistance via Deep Leakage from Gradients attack.

Limitations

• Synthetic data simulation cannot capture true inter-registry heterogeneity in coding standards (ICD-10 vs SNOMED)
• Privacy-utility trade-off is task-dependent — may not generalize to rare disease subsets with n < 100/site
• Formal DP guarantees assume honest-but-curious adversary model; malicious participants require additional secure aggregation overhead
• Per-feature adaptive clipping requires domain expertise to set bounds, limiting automation

Clinical Significance

If validated, this framework would enable the first privacy-guaranteed joint analysis across international rheumatology registries, unlocking cohort sizes of 50,000+ patients for treatment optimization without any raw data leaving institutional boundaries. This directly addresses the principal barrier to evidence-based biologic sequencing in autoimmune disease.

LES AI • DeSci Rheumatology