Immutable Ledger | Medical AI

Why a Ledger for Clinical Records

When a physician acts on synthesized records in a legal, adjudication, or insurance context, the provenance of every data point must be verifiable. A PDF report with no audit trail is inadmissible evidence. An assertion with no source citation is clinically unreliable.

The immutable ledger solves both problems simultaneously. Every extracted marker is linked to its source block. Every synthesis event references specific source blocks. The chain from current clinical assertion to original source document is fully traceable and cryptographically proven.

This is not a compliance feature added on top of a working system. It is the foundation the rest of the architecture is built on. Data without provenance is not clinical data — it is hearsay.

SHA3-256 Block Hash — Example

Block #4,821a3f7e2c9b1d84f560e2a9c7b3d1f8e45a2c9b7d3e1f6a4c8b2d9e7f3a1c5b8d2

Prev hash9c2f8b4e7a1d3c6f0b9e5a2c8d4f7b1e3a6c9d2f5b8e1a4c7d0f3b6e9a2c5d8f1

Record typeHbA1c extraction · Beijing Union Hospital · 2019-03-14

Source hashf4b8c2e6a9d3f7b1e5c8a2d6f0b4e8c2a6d0f4b8c2e6a9d3f7b1e5c8a2d6f0b4

Timestamp2025-04-24T14:32:07.441Z · UTC · immutable

Modifying any field changes the hash. The next block references this hash. The chain breaks. Tampering is mathematically detectable.

Consent Chain → Clinical Record creation: ARCHITECTURALLY PROHIBITED

Three-Chain Architecture

Three chains segregated by the logical orthogonality of the data types they contain. Each chain has one responsibility. No chain's data type can contaminate another chain.

Chain 01 · Clinical Record

The Source of Truth

Every clinical event entering the platform creates a block. Lab result ingestion. Imaging report processing. TCM syndrome record. Prescription extraction. Diagnosis isolation. Procedure record. Each block contains the SHA3-256 hash of the source document and the extracted structured data.

Block triggers:

Patient portal document ingested
OCR extraction completed on scanned record
FHIR resource received from EHR
DICOM metadata standardized
TCM record structured into parallel schema

This chain is the sole source of new clinical records. A record cannot appear in synthesis without a valid block here.

Chain 02 · Longitudinal

The Causal Record

Links clinical records across time, providers, and institutions. Each longitudinal synthesis transaction references specific Clinical Record Chain blocks by hash. The complete causal chain from current condition to earliest relevant clinical event is fully traceable through the block references.

Block triggers:

Longitudinal synthesis completed for a patient
Cross-provider condition isolation event
Diagnostic gap identified and flagged
TCM-Western record linked in unified timeline
Specialist output package generated

Every assertion in the synthesis has a source block reference. No clinical claim without provenance.

Chain 03 · Consent & Access

The Accountability Record

Every access authorization, every query, every output delivery is logged with the requester identity, parameters, timestamp, and output hash. Consent is logically orthogonal to the clinical record — a consent event cannot create clinical data. This is enforced at the data model layer, not by policy.

Block triggers:

Patient uploads document — access consent recorded
Cross-border data transfer — PIPL consent recorded
Specialist package delivered — delivery logged
Audit package exported — export logged
Corporate health query executed — query logged

If a record was accessed, this chain proves it. If it was not accessed, this chain proves that too.

Live Block Stream

● Chain 01 — Clinical

● Chain 02 — Longitudinal

● Chain 03 — Consent

Technical Specification

Implementation details available to qualified partners under NDA. Summary specifications below.

Parameter

Specification

Hash algorithm

SHA3-256. Applied to source documents, extracted data structures, and all output packages. Keccak-based — distinct from SHA2 family, resistant to length-extension attacks.

Chain integrity

Each block header contains the SHA3-256 hash of the preceding block. Retroactive modification of any block changes its hash, which invalidates every subsequent block's prev_hash reference. Tampering is detectable at any point in the chain.

Timestamp authority

UTC timestamps to millisecond precision. Immutable once written. Timestamp is included in the block hash computation — a timestamp cannot be altered without invalidating the block hash.

PHI storage

The ledger stores hashes only — not PHI. Patient data is stored in the encrypted PHI data store (AES-256). The ledger proves the data existed and has not changed, without exposing the data itself.

Block persistence

SQLite for pilot and early production. PostgreSQL (Supabase) for scale. Block data replicated to both China-side and US-side instances. Data sovereignty maintained — PHI replication only with Chain 03 consent authorization.

Audit export

Any block range can be exported as a signed audit package. Package includes: source block hashes, chain of custody, synthesis event references, consent log entries, and timestamp sequence. Formatted for court submission, regulatory review, or insurance adjudication.

Air-gap capability

Full ledger functionality in an air-gapped deployment. No internet connectivity required for block creation, validation, or audit export. Required for DOD and VA sensitive environment deployments.

vs. Traditional Audit Logging

Property

Traditional Audit Log

Immutable Ledger

Retroactive modification

Possible by administrator

Mathematically impossible

Proof of non-modification

Not available

SHA3-256 hash chain

Source document linkage

File path reference only

Cryptographic hash of document

Court admissibility

Requires expert witness

Hash chain self-evidencing

Jurisdiction compliance

Requires policy layer

PIPL + HIPAA by design

Air-gap operation

Typically cloud-dependent

Full local operation

Compliance Architecture

🇨🇳 China — PIPL + DSL

PIPL (2021): PHI for Chinese nationals processed on China-side infrastructure using self-hosted DeepSeek. Cross-border transfer only after explicit consent recorded on Chain 03. Data localization by default.

DSL (2021): Health data classified as Important Data. Security assessment required for cross-border transfer. Chain 03 provides the required audit trail for regulatory review. Consent events are timestamped and immutable.

🇺🇸 United States — HIPAA + HITECH

HIPAA Security Rule: AES-256 at rest, TLS 1.3 in transit. PHI never stored in the ledger — hashes only. Business Associate Agreement framework for US-side processing partners.

HITECH Breach Notification: Every access event on Chain 03 is time-stamped and identity-bound. Full breach analysis from access log export in any time range. Breach surface is minimized because PHI is in the encrypted store, not the ledger.