Knogin
[Developers]

Cross-Border Referral and Mutual Aid: NI/NIAT Community of Interest

Argus enables ambulance services operating in the Irish border region to exchange structured patient handoffs across jurisdictions in seconds, with a signed chain-of-custody and a recorded lawful basis for cross-border d

Back to All Modules
Category: ModulesLast Updated: May 5, 2026
modulescomplianceblockchain

Overview#

Argus enables ambulance services operating in the Irish border region to exchange structured patient handoffs across jurisdictions in seconds, with a signed chain-of-custody and a recorded lawful basis for cross-border data transfer built into every referral.

Border incidents do not respect administrative boundaries. A patient picked up on one side of the border may be best served by a hospital on the other, or by an asset from a neighbouring ambulance service. Coordinating that handoff today requires telephone calls, manual transcription, and separate computer-aided despatch entries. Argus replaces that friction with a structured Community of Interest (COI) channel purpose-built for cross-border mutual aid, supporting both Irish ambulance services referring to Northern Ireland and the reciprocal direction, so neither service loses operational continuity and every data movement is auditable end-to-end.

Key Features#

  • Bidirectional COI Channel: A single Community of Interest channel supports referrals in both directions, from Irish ambulance services to the Northern Ireland Ambulance Service and back, using the same handoff envelope, signing, and lifecycle semantics.

  • Chain-of-Custody That Travels with the Patient: Every cross-border handoff is signed using ES256 (ECDSA with P-256 and SHA-256) in JWS Compact Serialisation so receiving clinicians can verify the patient pack has not been altered in transit.

  • GDPR Article 49 Lawful Basis Recorded at Referral: The specific Article 49 derogation invoked for the cross-border health-emergency transfer is captured as structured metadata on the referral rather than buried in free text, making the transfer auditable end-to-end without retrospective reconstruction.

  • Mutual Identity Across Jurisdictions: eIDAS 2.0 clinician identity assertions and mutual TLS partner authentication mean the referring and receiving sides know exactly who is on each end of the handoff, regardless of which jurisdiction's identity infrastructure each clinician uses.

  • Sanitised Payload Boundary: Only the subset of the patient record that is justified by the recorded lawful basis crosses the jurisdictional boundary. Source data from the originating system stays within the originating jurisdiction.

  • Same Canonical Incident, Both Sides: The receiving service sees a full incident record tagged as a COI inbound mirror, with metadata pointing back to the original incident reference, so both control rooms operate on the same clinical picture without re-keying.

  • Lifecycle Events as CloudEvents: Referred, acknowledged, and completed event types make the cross-border lifecycle observable to both control rooms in a standard, vendor-neutral event format that downstream systems and audit tooling can subscribe to.

  • Signed Sharing Agreement with PDF/A Archive: Before any data can flow through the cross-border COI channel, each participating organisation must sign a sharing agreement. A PDF/A-3B archival copy is generated and stored automatically, providing a durable, court-admissible record of the data-sharing terms.

Use Cases#

Border Ambulance Retrieval#

A border incident on the Republic side requires the closest available Northern Ireland asset. The referring dispatcher initiates a cross-border referral directly from the despatch console. The NIAS crew receives the patient's vitals, active interventions, and a signed handover pack before they arrive, so they are fully oriented without a telephone briefing.

Reciprocal Referral to a Republic Hospital#

A Northern Ireland incident is clinically better served by a Republic hospital. The reciprocal referral path carries the same patient context and chain-of-custody through the channel in the opposite direction, ensuring the receiving team has everything they need and the transfer is lawfully documented.

Cross-Border Patient Summary Exchange#

Where a patient has a cross-border health record held through the European Health Network Patient Summary infrastructure, that summary is surfaced to the receiving service via the eHealth National Contact Point integration, giving clinicians access to medication history, allergies, and prior conditions at the point of handover.

Audit-Grade Transfer Reconstruction#

A retrospective audit or regulatory enquiry can reconstruct exactly which patient data crossed the boundary, the specific Article 49 derogation that justified the transfer, the clinician identity that signed the handoff, the timestamp of each lifecycle event, and the signed PDF/A agreement under which the participating services were operating.

Multi-Hop Cross-Jurisdiction Handover#

A patient referred across the border who is subsequently transferred to a hospital emergency department carries the same chain-of-custody pack through both handoffs without re-keying or re-signing, preserving the complete provenance chain.

Integration#

Customers integrate with the cross-border referral capability through the platform's standard API surfaces. All API access is authenticated via OAuth 2.0 bearer tokens issued by the platform identity service, and service-to-service calls between control rooms use mutual TLS with X.509 certificates.

The cross-border referral form in the despatch console gives the watch-commander a single screen for initiating the referral, selecting the Article 49 lawful basis, and confirming the signed handoff envelope before transmission. No separate application is required.

Incoming referrals from the partner service are normalised to the platform's canonical incident model on arrival. The receiving service interacts with an inbound referral the same way it interacts with any other incident in the system.

Lifecycle transitions (referred, acknowledged, completed) are published as CloudEvents 1.0 envelopes. Any webhook subscriber registered on your tenant receives these events with HMAC-SHA256 signatures per the Standard Webhooks specification, so downstream audit, case management, or quality-assurance systems can react in real time.

Where the originating service holds a patient record from the National Shared Care Record, an HL7 FHIR R4 Bundle is retrieved and included in the handoff payload before transmission. The receiving service can query this Bundle for encounter history, medications, conditions, and observations without a separate lookup.

Classification controls built into the COI channel prevent data above the agreed sharing ceiling from crossing the boundary. Any item that exceeds the ceiling requires an explicit downgrade review approved by a senior clinician before it can be included in the referral.

Open Standards#

  • HL7 FHIR R4: Encounter, Observation, Patient, and MedicationStatement resources structure the clinical payload that travels with the cross-border referral and are used to retrieve records from national shared care record systems.

  • eHN Patient Summary v3.2: The European Health Network cross-border patient summary format is the canonical shape for patient context exchanged between EU member-state health systems via the MyHealth@EU infrastructure.

  • IHE XCA-I (Cross-Community Access for Imaging): Supports retrieval of clinically relevant imaging studies across the jurisdictional boundary when those studies are needed to inform treatment at the receiving facility.

  • OASIS EDXL-RM 1.0: The Emergency Data Exchange Language Resource Messaging format is used when the cross-border referral includes an explicit request for a responding asset from the partner service.

  • OASIS EDXL-DE 2.0: The Distribution Element envelope carries EDXL payloads between cross-border endpoints, providing routing, distribution, and content description metadata.

  • CloudEvents 1.0: Referred, acknowledged, and completed lifecycle events are published in vendor-neutral CloudEvents 1.0 envelopes, enabling any conforming subscriber to observe the cross-border referral lifecycle.

  • Standard Webhooks: HMAC-SHA256 webhook signatures on outbound lifecycle events conform to the Standard Webhooks specification, allowing receiving systems to verify event authenticity without a polling dependency.

  • RFC 7515 JWS (JSON Web Signature): The chain-of-custody signature on every handoff envelope uses JWS Compact Serialisation with ES256 (ECDSA P-256 / SHA-256), giving receivers a cryptographically verifiable proof of origin and integrity.

  • X.509 / mTLS: Mutual TLS with X.509 certificates provides the cross-border partner authentication baseline between the control-room systems of each jurisdiction.

  • eIDAS 2.0: Electronic identification, authentication, and trust services regulation provides the clinician identity assertion model that travels with the referral across jurisdictions, ensuring each side can verify the identity of the clinician who initiated or received the handoff.

  • EU GDPR Article 49: Derogations for specific situations provide the lawful basis for cross-border health-emergency data transfer. The specific derogation invoked is recorded as structured metadata at the moment of referral.

  • ISO 32000 / PDF/A-3B: Signed sharing agreements are archived as PDF/A-3B documents, a format mandated for long-term preservation of electronic records and accepted in legal and regulatory proceedings.

  • OAuth 2.0: All API access to the platform, including cross-border referral endpoints, is authenticated using OAuth 2.0 bearer tokens.

Security and Compliance#

Every cross-border referral is covered by a signed sharing agreement between the participating organisations before any data flows. The agreement records the permitted entity types, the classification ceiling, and the expiry date of the sharing arrangement.

The sanitised payload boundary ensures that raw source data never leaves the originating jurisdiction. Only the lawful-basis-justified subset crosses the boundary, and the classification controls built into the COI channel enforce the sharing ceiling automatically.

The ES256 JWS chain-of-custody signature is verifiable by any party who holds the sender's public key, providing non-repudiation of the handoff content. Combined with the immutable audit trail of lifecycle events, the system supports retrospective reconstruction of the complete data movement for regulatory enquiries, coroner's proceedings, or data protection audits.

GDPR Article 49 lawful-basis metadata is structured and machine-readable, enabling automated compliance reporting without manual review of free-text fields.

Last Reviewed: 2026-05-05 / Last Updated: 2026-05-05

Ready to Build?

Get started with our APIs or contact our integration team for support.