`Transcript of Aviel D. Rubin, Ph.D.
`
`Date: February 17, 2025
`Case: Datavant, Inc. -v- Vigilytics LLC (PTAB)
`
`Planet Depos
`Phone: 888.433.3767 | Email: transcripts@planetdepos.com
`www.planetdepos.com
`Michigan #8598 | Nevada #089F | New Mexico #566
`
`WORLDWIDE COURT REPORTING & LITIGATION TECHNOLOGY
`
`Datavant Exhibit 1025
`Datavant v. Vigilytics, IPR2024-00311
`
`

`

` UNITED STATES PATENT AND TRADEMARK OFFICE
` ______________
` BEFORE THE PATENT TRIAL AND APPEAL BOARD
` ______________
` DATAVANT, INC.,
` Petitioner,
` v.
` VIGILYTICS LLC,
` Patent Owner.
` ______________
` IPR2024-00311, IPR2024-00381, & IPR2024-00382
` Patent Nos. 9,965,651, 10,109,375,
` 10,886,012 and 9,665,685
` ______________
` Deposition of AVIEL D. RUBIN, Ph.D.
` Conducted Virtually
` Monday, February 17, 2025
` 9:30 a.m. EST
`
`Job No.: 571619
`Pages 1 - 93
`Reported by: Debra A. Whitehead
`
`
` Deposition of AVIEL D. RUBIN, Ph.D., conducted
`virtually.
`
` Pursuant to notice, before Debra Ann Whitehead,
`E-Notary Public in and for the Commonwealth of
`Virginia.
`
`
` A P P E A R A N C E S
` ON BEHALF OF PETITIONER:
` JUSTIN J. OLIVER, ESQUIRE
` VENABLE LLP
` 600 Massachusetts Avenue, NW
` Washington, DC 20001
` (202) 344-4000
`
`ON BEHALF OF PATENT OWNER:
` NICHOLAS W. STEPHENS, ESQUIRE
` FISH & RICHARDSON, PC
` RBC Plaza
` 60 South 6th Street
` Suite 3200
` Minneapolis, Minnesota 55402
` (612) 355-5070
`
`
` C O N T E N T S
`EXAMINATION OF AVIEL D. RUBIN, Ph.D. PAGE
` By Mr. Oliver 5
` By Mr. Stephens 73
`
` EXHIBITS MARKED IN TODAY'S SESSION
` (None)
`
` EXHIBITS MARKED IN PRIOR SESSIONS
` (Not attached)
`DEPOSITION EXHIBIT PAGE
` Exhibit 1005 37
` Exhibit 1009 48
` Exhibit 2001 8
` Exhibit 2006 19
`
`
` P R O C E E D I N G S
` AVIEL D. RUBIN, Ph.D.,
` having been duly sworn, testified as follows:
` EXAMINATION BY COUNSEL FOR PETITIONER
`BY MR. OLIVER:
` Q Good morning, Dr. Rubin. How are you?
` A Good morning. I'm fine. How are you?
` Q Fine, thank you. I'm just going to go
`through a little administrative things first.
` Is there any reason you cannot give
`truthful testimony today?
` A No.
` Q You're not taking any medication that
`would affect your ability to give truthful
`testimony?
` A No.
` Q As you know since we've done this before,
`I will endeavor to take a break about every hour
`or so. If at some point you need a break before I
`have called for one, please let me know. All I
`ask is that you answer any pending question before
`we take a break.
` Is that all right?
` A Yes.
` Q And you understand that your attorney may
`object to questions, but absent an assertion of
`privilege you are still required to answer the
`questions posed. Correct?
` A Yes.
` Q I'll try to be clear in my questions.
`That doesn't always happen. If there's any reason
`that you don't understand a question that I've
`asked please let me know, and I'll try and make it
`more clear.
` A Okay.
` Q I'll often be asking questions today
`relative to the perspective of the person of
`ordinary skill in the art. And I believe you're
`familiar with that concept. Correct?
` A Yes.
` Q For simplicity sake, I will likely refer
`to the person of ordinary skill in the art as the
`POSA, just the acronym P-O-S-A.
` Is that all right with you?
` A Yes.
` Q Great. Absent me specifying otherwise,
`please use the POSA's perspective in answering my
`questions.
` How did you prepare for this deposition?
` A I reread my reports and the patent -- the
`patents and the prior art references, and I had a
`couple of meetings with counsel.
` Q About how many meetings with counsel did
`you have?
` A Two.
` Q Two. Do you have any notes with you?
` A No.
` Q Are you emailing, texting, or otherwise
`in contact with anyone else during the course of
`this deposition?
` A No.
` Q I have uploaded and we can provide a link
`to for exhibits, but, you know, if you already
`have certain documents in front of you, that would
`be easier, that's fine with me. So why don't you
`let me know what you have before you before we go
`through the whole downloading process.
` A Sure. I have open my report on the '012
`patent, but I have access to all the others. I
`have Settimi, Evenheim, Landi open. I have the
`'012 and the '651 patents open, but I also have a
`folder with other patents and other reports if I
`need them.
` Q Great. Well, we'll go with the copies
`you have for now. And if we need to transfer
`anything to you, we will.
` Just if you would confirm that the
`versions you're looking at don't have any markings
`or notes or highlighting.
` Is that correct?
` A Yes.
` Q In that case, can you open your
`declaration, Exhibit 2001 for the '651 patent,
`which is for IPR2024-00307.
` A Just a second. Let me find that.
` (Exhibit 2001, previously marked, not
`attached.)
` A Okay, that's open.
` Q And if you go to Paragraph 54 of your
`declaration.
` A Okay.
` Q And if you look at the last sentence of
`Paragraph 4 of your declaration --
` A Oh, I thought you said 54. I'm sorry.
` Q I'm sorry, I did say 54, 54 of your
`declaration.
` A Okay.
` Q The last sentence says, "Although
`tokenized health data has been used for other
`purposes prior to the '651 patent, it has not been
`used in the particular context or manner described
`in the '651 patent."
` Do you see that?
` A Yes.
` Q And what do you mean by "tokenized health
`data has been used before"?
` A The concept of replacing personally
`identifiable information with a token was known.
` Q All right. And what were some of the
`contexts in which that was used or known in the
`past?
` A I'm not sure specifically, but it had to
`do with anonymizing the data, or deidentifying it.
` Q And just so we're clear on the term
`"tokenizing healthcare data," I think you
`mentioned that personally identifying information
`was removed.
` In that usage before, what would a POSA
`typically do to tokenize healthcare data? And
`I'll be more specific.
` What is converted into a token and what
`remains from -- relative to the original record?
` A I'm not sure specifically. If you show
`me a reference, I could discuss it.
` Q Well, I'm just asking you what the
`understanding of tokenizing healthcare data meant?
` A Replacing identifying information with a
`token.
` Q And by "identifying information," that's
`information that would identify the particular
`patient at issue?
` A Right.
` Q So that could be a name or Social
`Security number or address or something similar.
` Correct?
` A Yes.
` Q So what information of the record would
`typically remain after tokenization?
` A I guess it depends on the hypothetical or
`on the specific example that you have in mind. If
`whatever was there that you didn't tokenize I
`suppose would remain.
` Q So if the example was a person's
`healthcare record from a particular doctor's
`office, would what remains after tokenization be
`the specifics of the diagnoses and other details
`relating to the medical treatment received?
` A It depends on what was done, what that
`particular system did to tokenize.
` Q But generally speaking, tokenization of
`healthcare data generally involved removing
`information that would identify the patient.
` Correct?
` A That's my understanding of what could
`have been done with tokenization.
` Q Can you turn to Paragraph 70 of your
`declaration.
` A Okay.
` Q And in the second sentence of Paragraph
`70 you say, "In my analysis here I use the same
`constructions relied upon by the petitioner."
` Do you see that?
` A Yeah, "relied on."
` Q Yeah. So just for clarity, you're not
`offering any alternative constructions for the
`terms listed in Paragraph 70. Correct?
` A Correct.
` Q In that chart of claim terms from
`Paragraph 70, or in Paragraph 70, the fourth one
`down is similarly encrypted.
` Do you see that?
` A Yes.
` Q And what would be a POSA's general
`understanding of encryption?
` A Are you asking me within the context of
`this patent or just out in the world outside of
`this case?
` Q Well, why don't you answer both, and to
`the extent that there's a difference.
` A Yeah. So as we can see from the
`construction, generated such that tokens generated
`from corresponding information can be compared to
`one another to detect a match, so that is -- the
`idea there is that if you have a function that can
`allow you to compare things, then that satisfies
`similarly encrypted. So that could be, for
`example, a hash function.
` In the world outside of this case where
`we're not using the context of any patent,
`encryption has to do with making information
`unreadable to anyone other than someone who has
`the key.
` Q Do you understand the patents at issue
`here to be using the term "encryption" in a manner
`contrary to the regular understanding of the term
`"encryption"?
` A Yes. In the patents in this case there's
`a construction that both sides are using for
`encryption, and it has to do with being able to
`compare things to each other. And also within the
`patents in this case you actually do not include
`the ability to reverse the encryption function;
`whereas outside of this case an encryption
`function would have the ability to be reversed.
` Q Are you aware of anyplace in the patents
`at issue where there's a specific definition of
`encryption given?
` A I'm going to look at the patent.
` Q And for ease of our discussion here
`today, if you could use the '651 patent as the
`example so that we're just being consistent when
`we refer to --
` A Right. That's the one I opened up.
` Q Great.
` A There are several discussions I think
`that led to the definition that's being used in
`this case. These have to do with descriptions of
`the functionality of the encryption server, as
`well as Column 7 at the top where it says, "To
`produce tokens and request tokens, one or more
`encryption techniques may be utilized, for
`example, hash functions and other methodologies
`may be implemented."
` Q Well, sticking with the Column 7 language
`that you just pointed out, that simply refers to
`one or more encryption techniques. Correct?
` A Yes.
` Q And hash functions are just offered as
`one example.
` Is that correct?
` A Yes.
` I should add that the word "encryption"
`in this patent is used in two different ways. One
`of them has to do with the functionality of an
`encryption server, which is to create tokens. And
`the other is, if you look in Column 7, for example
`Line 35, it's talking about encryption for sending
`a request message.
` And in that context it's talking about
`the generally understood type of encryption;
`whereas when it's talking about the functionality
`of the encryption server that encrypts information
`into tokens, that's using the definition that was
`provided in this case. That does not involve
`reversible function; it just has to do with the
`ability to compare.
` Q So I'm sorry, Column 7, what you pointed
`out was Lines 35 through 43. Is that right?
` A Yes. So it says, The request message may
`be encrypted prior to being transmitted over a
`computer network. The request message is
`unencrypted.
` So this is a different type of -- it's
`using the same word "encryption," but it is a
`different function than the one that's described
`earlier where it talks about creating tokens.
` Q And the place earlier where it talks
`about creating tokens is what we just talked about
`at the top of Column 7, Lines 2-5?
` A Well, also, if you look at Column 6, like
`around 54, "Each token obtained from the source
`sites may have been created using the same token
`generator used by the encryption server or using
`any other means that generates the identical token
`for the same personally identifiable information."
` That is a different type of encryption
`than the transmission -- than encrypting for
`transmission.
` Q And -- well, I'll come back to that.
` Is there any place in the patent where
`the term "encryption" is defined in two different
`ways, one for the tokenization and one for
`transmission? For instance, there any place in
`the patent that says, For encryption I mean, and
`then there is a definition given?
` A It's going to take me a moment, because a
`question like is there anywhere in the patent that
`X occurs, I have to look at the whole patent.
` Q Well, let me -- I'll rephrase it.
` Are you aware in your preparation today
`of any place that you already saw that has such a
`specific definition?
` A I think that, you know, when there's a
`construction being used by the parties, then that
`is a definition that's given. And I'm not aware
`of anywhere in the patent that has the words, you
`know, Encryption means X, and defines it that way.
` But I think it's pretty clear from the
`two different uses of encryption that that's what
`is the case in the patent.
` Q Can one create a token using the same
`type of encryption technique that would be used to
`encrypt a message for transmission?
` A Can I please hear that repeated.
` Q Sure. Could one -- could a POSA use the
`same type of encryption that's used for message
`transmission to form a token?
` A No.
` MR. STEPHENS: Objection. Form. Scope.
` Q And are you talking about within the
`context of this patent or just anywhere in the
`field?
` A In this patent.
` Q Talking about generally in the field, if
`one says encryption for data transmission, could a
`similar encryption technique be used to tokenize
`data just in the field of cryptography?
` A I think it depends on whether you're
`operating in a regulated environment like HIPAA.
`HIPAA does not allow for reversible encryption of
`tokens. So if you're asking could you program a
`computer to do it, you could do that. But it
`wouldn't be -- if you were working in a domain
`that required compliance with HIPAA, then no.
` Q With respect to your mention of within
`HIPAA, what specific regulation are you relying
`upon for the idea that only certain types of
`encryption can be used?
` A So I don't have handy, but if you have to
`share with me the HIPAA privacy rule, I could show
`you.
` Q Okay. I'm going to put the -- I'll put
`that document, again just put it in the chat and
`you can download it.
` A Yeah, that's easiest.
` Q So I'm putting in the chat Exhibit 2006.
` (Exhibit 2006, previously marked, not
`attached.)
` A Okay, I've got it. I just need a moment
`to look through it.
` So if you look at Page 2, under C.
` Q Uh-huh.
` A It says that, "A covered entity may
`assign a code or other means of record
`identification to allow information deidentified
`under this section to be reidentified by the
`covered entity provided that," and then 1 it says,
`"The code or other means of record identification
`is not derived from or related to information
`about the individual."
` And so that if you use information about
`the individual to create the token, then this
`would not qualify. And also the last part of 2,
`says that it does not disclose the mechanism for
`reidentification.
` And so if the code is reversible, then
`that would allow for reidentification. So I'm
`relying on the Section C of the privacy rule.
` Q Under C.2 that you just mentioned, The
`covered entity does not use or disclose the code
`or other means of record identification, in a
`reversible encryption system where there is a key
`that can decrypt, would the key that decrypts be
`the code or other means to reidentify the
`information?
` A One more time, please?
` Q Sure. In a public/private key system,
`you can use one key to encrypt information.
` Correct?
` A Right.
` Q And then there's a second key that's kept
`private, in theory, that can be used to decrypt
`that information. Correct?
` A Yes.
` Q And in that system is the private key a
`means of reidentifying or decrypting information?
` A I haven't considered that question. But
`I'm also relying here on the second part, which
`says, And does not disclose the mechanism for
`reidentification.
` And so using that other key would be the
`mechanism for reidentification.
` Q But that second part does not disclose.
`That would only mean if you disclosed the private
`key. Correct?
` What if the private key was never
`disclosed?
` MR. STEPHENS: Objection. Form.
` A So the key itself is not the mechanism;
`the decryption function is the mechanism.
` Q So let me ask this: If a doctor's office
`uses the most up-to-date secure encryption method
`possible to encrypt patient-identifying
`information and releases a record with that
`encrypted patient-identifying information, could
`someone else reidentify the patient without having
`the key, within reason?
` A I think there are techniques used by the
`NSA, such as TEMPEST and others, that could
`interfere with that. But the mere possibility of
`doing a decryption with the key is what makes
`the -- this type of tokenization not HIPAA
`compliant.
` Q Why do you say "the mere possibility"?
` A Well, in Rule 1 it talks about the
`derivation, that the key is derived from the
`information. So that would be one. And the other
`is that there is a capability of reidentification.
`So when it says, you know, it does not disclose
`the mechanism for reidentification, that has to do
`with the possibility of reidentification.
` So my understanding of HIPAA is that if
`you are able to reidentify, to reverse the process
`of tokenization, then it doesn't matter if you do
`it or if you have the key, that is not compliant
`with the standard.
` Q Well, it says, so long as you do not
`disclose the mechanism for reidentification. I
`mean, if no one -- if the person never discloses
`the key for decryption, why would that be
`problematic?
` A Because, one, the key exists and it could
`be found out. Two, the encryption might get
`broken.
` The idea behind this rule is to allow for
`comparisons but not to allow for recovery of the
`information from the token.
` Q So why would you even -- why would one
`even need to have, so long as they do not disclose
`the mechanism for reidentification, if under your
`interpretation the mere fact that it could be
`reidentified is prohibited? That would seem to
`render that language superfluous.
` A I don't see the language you're referring
`to. I don't see "so long as" in the language
`here.
` Q Sorry. It says, C.2, "and does not
`disclose the mechanism for reidentification."
` If the mechanism exists, doesn't that
`assume that the mechanism exists?
` A I'm not sure.
` Q Let me ask another question, then.
` If someone uses the most, you know,
`robust public-private key system that they can and
`they don't disclose the key for decryption to
`anyone, would you agree that the risk would be
`very small that someone could break the decryption
`technique?
` A And just to be clear, we're only
`discussing 2 and not 1 in this example. Right?
`Because you are assuming that the token is derived
`from the user identifying information.
` Q Correct. I'm just talking about 2 now.
` A Okay. So I think the answer is, it
`depends. It depends on the security posture, on
`the random number generation source, on the lack
`of a targeted adversary.
` So, I mean, there are cases where data
`can be protected by parties. But I think the
`reason for these rules is that there are a lot of
`times -- and I've seen it in my consulting
`business -- that someone thinks that they've
`protected information but they actually didn't do
`a great job of it.
` Q But if they did do a great job and they
`did use a good encryption system and they did keep
`the key secret, then they could make it so that
`the risk is very small?
` A I don't think you could say that in a
`general context as that which must be considered
`by someone writing a standard.
` But I agree that there are organizations
`that have more capability in security than others.
`And so if you're asking me is it possible for the
`most well-funded, you know, best-positioned entity
`to do something securely, I think they can do
`better than others. But I don't think anything is
`perfectly secured.
` Q Going back to what you pointed out, C.1
`of the HIPAA privacy rules. The code or other
`means of record identification is not derived from
`or related to information about the individual.
` Let's take the example of -- let's
`actually look at the '651 patent.
` A Okay.
` Q If you look at Column 2 of the '651
`patent, at Lines 44 to 46.
` A Okay.
` Q And that states that the request token
`for each individual may represent encrypted data
`that identifies the corresponding individual.
` Correct?
` A Yes.
` Q So that's indicating that the token
`that's formed is encrypted information about the
`identity of the individual. Correct?
` A Well, it represents it.
` Q Is your understanding the '651 patent
`that the tokenization takes a personal information
`about the individual and encrypts it using some
`method, for instance, a hash function?
` A Yes.
` Q So in that way, the token created in the
`'651 patent is derived from information about the
`individual. Correct?
` A Right. So I see the tension here. And I
`think to answer that, we can look back at Section
`C of the rule.
` Q Okay.
` A And it says that, "A covered entity may
`assign a code or other means of record
`identification to allow information deidentified
`under this section to be reidentified by the
`covered entity provided that," and then 1 and 2.
` So if there is no mechanism for
`reidentifying at all, if that's not possible like
`in the event of a hash function, then this
`wouldn't apply.
` Q That sort of brings us back to 2 then,
`and says, "And does not disclose the mechanism for
`reidentification."
` Why would the rule need to say anything
`about disclosing the mechanism for
`reidentification if under your interpretation it
`can't exist?
` A So when -- so Rule C applies in the
`instance where reidentification is possible. And
`so under 2, it says it doesn't disclose the
`mechanism for reidentification. I'm not sure I
`understand what the problem that you're suggesting
`is.
` Q Well, let me ask this: This Part C
`assumes or provides the manner of allowing for
`reidentification. How would one reidentify the
`individual using a hash function if they had
`encrypted using a hash function?
` A You can't.
` Q What about the doctor's office that
`creates the hash function? Don't they know what
`the hash was, relative to the name they put in?
` A They don't need to recreate the hash
`function because they have the original.
` Q But they would be able to correlate the
`two?
` A They have it all together because they're
`the ones that made the hash.
` Q Just for clarity, a hash function that
`we're discussing about for tokenization would
`take, for instance, some identifying information
`about the individual, such as their name, and
`basically convert that information into the
`resulting token. Correct?
` A That's one way to describe it.
` Q So it's essentially a reconstituted form
`of the input?
` A I'm not sure all cryptographers would
`agree with that, but I see what you mean by that.
` Q And the reason I'm saying that is because
`the hash function is reproducible. Meaning if
`anybody uses the hash function on the same
`person's name, they're going to get the same
`output. Correct?
` A Yes.
` Q So the output has to be based on the
`input?
` A Yes.
` Q Okay. You mentioned that hash functions
`are not reversible. Are there any other
`encryption techniques that are -- other than hash
`functions that are not reversible?
` A There is a class of functions called
`one-way hash function -- I'm sorry, one-way
`functions. And one-way functions, an example of a
`one-way function is a hash function. I'm not
`thinking as I sit here of other examples. But I
`believe in the theoretical cryptography literature
`there are other ways to achieve a one-way function
`besides a hash function.
` Q Then would it be safe to say that,
`generally speaking, when a person says a one-way
`function, they're typically talking about a hash
`function?
` A I think if you're not a professional
`cryptographer, that's probably true.
` Q What about the person of ordinary skill
`in the art in this case?
` A They would likely be referring to a hash
`function.
` Q Can you turn to Paragraph 5 of the '651
`patent, specifically Lines 9 through 12.
` A Do you mean column?
` Q Yes, sorry, Column 5, Lines 9 through 12.
` A All right. Okay.
` Q And that section states, "The tokens 202
`correspond to persons treated by healthcare
`providers but do not reveal the identities of the
`treated individuals."
` Do you see that?
` A Yes.
` Q So essentially one token corresponds to
`one person?
` A Yes.
` Q And if you could turn to your declaration
`for the '651 patent, at Paragraph 56, please.
` A Okay.
` Q And the first full sentence in that
`paragraph at the top of Page 21 states, "The third
`party, for example, using an encryption server,
`generates a request token for each individual in
`the group based on the personally identifiable
`information for each individual in the group."
` Do you see that?
` A Yes.
` Q So that's referring to creating a token
`based on the personally identifiable information
`for each individual. Correct?
` A Yes.
` Q So that might be their name, date of
`birth, and/or other information. Correct?
` A I just have a citation here to the
`patent, so I'm just going to review that.
` I think that's correct.
` Q So in that sense, the token is derived
`from the personally identifia
