RankShieldMD
RANKSHIELDMD Request access
HIPAA AUDIT CONTROLS · CLINICAL AI

Is your clinical-AI
trail HIPAA-ready?

A record you can edit is not an audit control. HIPAA §164.312(b) is only met when the trail is operation-level and tamper-evident, and done right it holds no PHI at all.

When AI reads charts and drafts orders at machine speed, the only record is usually an inference log: mutable, and full of patient identifiers. A HIPAA-defensible clinical-AI audit trail is different. It captures every access as a structured event, seals it to an append-only, post-quantum-signed log keyed by a one-way sha256 digest, and lets an auditor verify it, supporting HIPAA §164.312(b) and §164.528 without storing PHI.

§164.312(b)§164.528tamper-evidentPHI-free
RANKSHIELDMD LEDGER
LIVE · PHI-FREEsealed 0
01 // THE GAP

A log you can edit
isn't a control.

HIPAA §164.312(b) requires audit controls: mechanisms that record and examine activity in systems with electronic PHI. But conventional API and inference logs have two weaknesses. They are mutable, so anyone with enough access can rewrite what the model did. And they sit with the PHI they track, enlarging your breach surface. When OCR or a patient asks what your AI accessed, an editable log full of identifiers is the wrong answer to be holding.

02 // §164.312(b)

Record and examine.
Provably.

The audit-controls standard asks you to record and examine activity in systems with electronic PHI. RankShieldMD does it at the operation level: every access, human or AI, becomes a structured event carrying the verified actor identity under RFC 9421, the action, the purpose of use, the outcome, and a one-way sha256 digest of the patient reference. It is sealed to an append-only, post-quantum-signed log. Recording activity and proving the recording wasn't altered are different guarantees.

03 // THE STRUCTURAL ADVANTAGE

Auditing AI access
shrinks the footprint.

Most security tooling ingests clinical data to work, and every copy of PHI enlarges your breach exposure. This is built the other way. The patient reference is reduced to a one-way digest at the guard, so the ledger holds no protected data to secure and breach-report. Auditing AI access to PHI this way reduces the protected data in play while increasing the strength of your evidence, and speeds vendor assessments and BAAs.

04 // §164.528

Who accessed
this patient?

Section §164.528 gives patients the right to an accounting of certain disclosures. Because every access is purpose-tagged as treatment, payment, operations, disclosure, or research, and the patient reference is a deterministic one-way digest, RankShieldMD assembles a sealed, verifiable who-accessed-this trail that includes AI inferences alongside human access. You answer the request with evidence, not another copy of protected data to secure.

05 // GET STARTED

Prove the access.
Protect the data.

Give every AI and EHR access to PHI a tamper-evident, PHI-free receipt: evidence you can verify and hand to OCR or an auditor, without ever expanding your protected-data footprint. Run an access flow from your environment through the ledger and verify the result yourself.

SCROLL TO DESCEND
THE DIRECT ANSWER

Is a clinical-AI audit trail HIPAA-compliant?

A clinical-AI audit trail supports HIPAA §164.312(b) audit controls when it is operation-level and tamper-evident, and, done right, it holds no PHI at all: only one-way digests, verified identities, and event metadata. HIPAA §164.312(b) requires covered entities to implement mechanisms that record and examine activity in information systems that contain or use electronic PHI.[1] That standard is deliberately technology-neutral, but its intent is specific and operation-level. The problem is that clinical AI now reads charts, drafts orders, and touches PHI at machine speed, and the only record of it is usually an inference log. Ordinary API and inference logs are mutable, and they usually sit with the very PHI they track, so they satisfy the letter of "record activity" without meeting its intent. A defensible trail has to be tamper-evident, cryptographically chained or write-once, so the record survives the person who might want to alter it. Independent security guidance on AI-agent and audit-trail design converges on the same point: to be meaningful, logs must be tamper-evident and captured at the operation level.[2] RankShieldMD is built the other way from a conventional log. Every access, human or AI, becomes a structured event carrying the verified actor identity, the action, the purpose of use, the outcome, and a one-way sha256 digest of the patient reference, sealed to an append-only, post-quantum-signed transparency log. It supports §164.312(b) and §164.528. It does not by itself make an organization HIPAA compliant, and any vendor that claims a product can is worth a hard second look.

How do you make a clinical-AI audit trail HIPAA-compliant?

You make it defensible by separating the proof from the data and making the record tamper-evident: capture verifiable statements about each AI access to PHI rather than its clinical contents, and seal them so they cannot be silently rewritten.

The requirement to satisfy is §164.312(b) audit controls, and its intent is only met when the record survives the person who might want to alter it.[1] RankShieldMD does this in a fixed shape. When a model runs an inference against PHI, it captures the verified identity of the actor under RFC 9421, the action, the purpose of use, the outcome, and a one-way sha256 digest of the patient reference. The name, MRN, and every other identifier are rejected at the guard before anything is sealed. It then chains that event, seals it to an append-only transparency log, signs it with composite ML-DSA-65 and Ed25519, and anchors the log root externally so the whole structure is pinned in time. An auditor can recompute the hash chain and confirm the signed root with standard tools, without access to your systems and without trusting RankShieldMD. Tamper with the model, the record, or the order of events, and verification returns false. The honest boundary matters here: this produces evidence that supports §164.312(b), but no software makes a trail HIPAA compliant on its own, because compliance is your organization's overall posture across administrative, physical, and technical safeguards.

What does HIPAA §164.312(b) require?

It requires audit controls: hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. The standard is technology-neutral, but its intent is operation-level and data-specific.

You must be able to reconstruct who did what to ePHI, including what an AI model did, and you must be able to examine that record when misuse is suspected.[1] Most organizations satisfy this today with application logs, database logs, EHR access reports, or model inference logs. Those mechanisms record activity, but they carry two structural weaknesses the standard never anticipated. First, they are mutable: an insider or an attacker with sufficient privileges can alter or delete the record, and the audit trail meant to catch misuse becomes editable by the person misusing it. Second, they usually live with the PHI they track, so the control that is supposed to reduce risk becomes another copy of protected data to secure and breach-report. RankShieldMD supports the requirement while closing both gaps. It records every access, human and AI, as a structured, examinable event on a tamper-evident, append-only log that contains no PHI at all. Recording the activity and being able to prove the recording was not altered are different guarantees, and the standard's intent is served far better by the second. The related standards travel with it: §164.312(a) access control and §164.312(e) transmission security are supported by the verified identity bound to every event.

Why aren't ordinary application logs HIPAA-compliant?

Because a log you can edit is not a control, it is a convenience. HIPAA §164.312(b) asks you to record and examine activity, but it says nothing about whether the record can be trusted once someone with access decides to rewrite it.

Conventional API logs, database logs, and LLM inference logs are mutable by design: they are optimized for operations and debugging, not for surviving a hostile insider or a determined attacker. Anyone who can reach the log store can often alter timestamps, delete entries, or reorder events, and nothing about the log itself reveals that it happened. A tamper-evident record is fundamentally different. It relies on cryptographic chaining and write-once, append-only storage, so every event is bound to the ones before it. Altering or removing a single sealed entry breaks the chain and fails verification. Ordinary logs are neither chained nor write-once, which is precisely why they cannot answer the one question that matters after an incident: can you prove this record was not changed. Independent AI-agent and audit-trail guidance reaches the same conclusion, that logs must be tamper-evident and operation-level to be meaningful.[2] There is a second problem. Because normal logs sit alongside the PHI they describe, they enlarge your breach surface. A log full of names and MRNs, and with clinical AI a log dense with prompts and outputs, is one more protected-data store to encrypt, monitor, and report on if it is exposed. RankShieldMD's ledger holds only digests and verified identities, so it is worthless to a thief and adds no protected data to defend.

How do you audit AI access to PHI without storing PHI?

By recording verifiable statements about an access rather than its protected contents, so the audit trail holds no PHI to breach. The instinct behind an audit control is protective, but the conventional implementation is quietly self-defeating.

To record who touched a record, the log stores the record's identifiers, and now the audit trail is itself a concentrated store of protected data. If it leaks, you have a reportable breach in the very system meant to demonstrate diligence, and clinical AI makes this worse because inference logs can capture prompts and outputs dense with PHI. RankShieldMD inverts the trade. When an access occurs, it reduces the patient reference to a one-way sha256 digest at the guard, and the name, MRN, and every other identifier are rejected before anything is sealed. Around that digest it records only the verified actor identity, the action, the purpose of use, the outcome, and the time. The digest is deterministic, so the same patient always resolves to the same value, which is what lets you build a who-accessed-this trail and answer an accounting-of-disclosures request. But the function is one-way, so the digest cannot be reversed back into an identity, and the ledger reveals nothing protected even to someone who steals the whole thing. Denied, break-glass, and unverified attempts are sealed alongside successful ones, because those are exactly the events an investigator needs. Because the ledger operates on digests and identities rather than raw PHI, adopting it reduces the protected data in play while increasing the strength of your evidence, the opposite of the usual security tax. That inversion has a practical downstream benefit: vendor security assessments and business associate agreements move faster when the tool holds no PHI, because there is less to review and less to indemnify.

How does this support accounting of disclosures (§164.528)?

By producing a purpose-tagged, verifiable trail of everything, human or model, that touched a given patient reference, without exposing the identity itself. Section §164.528 gives patients the right to an accounting of certain disclosures of their PHI.

The practical difficulty is assembling that trail across systems when AI now accesses records alongside people.[1] RankShieldMD makes it tractable because every access, including each AI inference against PHI, is sealed as a structured event carrying a purpose of use, treatment, payment, operations, disclosure, or research, and a one-way sha256 digest of the patient reference. The digest is deterministic, so the same patient always resolves to the same value across the log. That is what lets you build the who-accessed-this list and separate the disclosures §164.528 concerns from routine treatment access. But the function is one-way, so the trail reveals no identity even to someone who steals the entire ledger, and the purpose is sealed with the event, so it cannot be relabeled after the fact without breaking the hash chain. You hand the requester, or OCR, a cryptographically-sealed trail that anyone can verify, rather than a log whose integrity you personally have to vouch for. And you do it without adding to your protected-data footprint, because the accounting is assembled from digests and verified identities, never from names or MRNs. It supports responding to §164.528. The response itself remains your organization's to make. One boundary is worth stating plainly on the road ahead: the HIPAA Security Rule NPRM published on January 6, 2025 proposes making measures such as multi-factor authentication and encryption mandatory rather than addressable, but that change is proposed, not final, and we describe it that way.[1]

HONEST BY DESIGN

What we are careful never to claim.

Supports, does not certify

It produces verifiable evidence that supports §164.312(b) audit controls and §164.528 accounting of disclosures. No software makes you HIPAA compliant or certified; compliance is your organization's overall posture. The January 6, 2025 Security Rule NPRM on MFA and encryption is proposed, not final.

PHI-free by construction

Patient references are reduced to one-way sha256 digests at the guard; names, MRNs, and identifiers are rejected before anything is sealed. Operating on digests shrinks your PHI footprint. The ledger is useless to anyone who steals it, because there is no protected data inside.

Tamper-evident and quantum-safe

Events are cryptographically chained and write-once, signed with composite ML-DSA-65 and Ed25519, and externally anchored. Ordinary API and inference logs are neither chained nor tamper-evident, which is why they can be rewritten without a trace. It is quantum-safe, not quantum-proof.

SOURCES

References.

  1. HHS. HIPAA Security Rule: §164.312(b) audit controls; §164.528 accounting of disclosures; and the January 6, 2025 Security Rule NPRM (proposed). U.S. Department of Health and Human Services. hhs.gov/hipaa
  2. Security guidance on AI-agent and tamper-evident audit-trail design establishing that logs must be tamper-evident and captured at the operation level to be meaningful. (Directional; represents converging industry practice, not a HIPAA rule.)

RankShieldMD supports HIPAA §164.312(b) and §164.528. It does not make an organization HIPAA compliant or certified. The 2025 Security Rule NPRM is proposed, not final.

Answer engine

HIPAA audit trails: questions, answered.

Is a clinical-AI audit trail HIPAA-compliant?

A clinical-AI audit trail supports HIPAA §164.312(b) audit controls when it is operation-level and tamper-evident, meaning the record of who did what to electronic PHI cannot be silently altered. Ordinary API and inference logs are mutable and usually full of patient identifiers, so they satisfy the letter of "record activity" without meeting the intent. RankShieldMD supports §164.312(b) with a tamper-evident, PHI-free record of every access, human or AI. It supports the requirement. No software by itself makes an organization HIPAA compliant, because compliance is your overall posture.

What does HIPAA §164.312(b) require for an AI audit trail?

HIPAA §164.312(b), the audit-controls standard, requires covered entities to implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. It is deliberately technology-neutral, but its intent is specific and operation-level: you must be able to reconstruct who did what to ePHI, including what an AI model did, and examine that record when misuse is suspected. For the record to be meaningful it has to be tamper-evident. RankShieldMD supports §164.312(b) with a record that is both examinable and independently verifiable.

Why are ordinary API and inference logs not HIPAA-compliant on their own?

Ordinary API and inference logs are mutable and usually sit alongside the PHI they track. An insider or an attacker with enough access can rewrite the record of what they did, and nothing about the log reveals that it happened. The log also enlarges your breach surface because it is one more concentrated store of protected data. A PHI-free, tamper-evident ledger removes both weaknesses at once: the record cannot be silently altered, and it holds no protected data to steal. That is the difference between recording activity and being able to prove the record was not changed.

What makes an audit trail tamper-evident?

Tamper-evidence comes from cryptographic chaining or write-once, append-only storage, so every event is bound to the events before it. Altering or removing a single sealed entry breaks the hash chain, and verification returns false. RankShieldMD chains each event, seals it to an append-only transparency log, signs it with composite ML-DSA-65 and Ed25519, and externally anchors the log root so the structure is pinned in time. Ordinary logs and inference logs are neither chained nor write-once, which is exactly why they can be rewritten without leaving a trace. It is quantum-safe, not quantum-proof.

How do you audit AI access to PHI without storing PHI?

By recording verifiable statements about an access rather than its protected contents. The patient reference is reduced to a one-way sha256 digest at the guard, and only that digest, the verified actor identity, and the event metadata are sealed. The name, MRN, and every other identifier are rejected before anything is written. The digest is deterministic, so the same patient always resolves to the same value and you can build a who-accessed-this trail, but it is one-way, so it cannot be reversed into an identity. Operating on digests shrinks your PHI footprint rather than growing it.

How does this support §164.528 accounting of disclosures?

Section §164.528 gives patients the right to an accounting of certain disclosures of their PHI. Because every access is purpose-tagged as treatment, payment, operations, disclosure, or research, and the patient reference is a deterministic one-way digest, RankShieldMD assembles a cryptographically-sealed, verifiable who-accessed-this trail that includes AI inferences alongside human access. The purpose is sealed with the event, so it cannot be relabeled after the fact without breaking the hash chain. You support the accounting response without adding another copy of protected data to secure and breach-report.

Do the 2025 HIPAA Security Rule changes require MFA and encryption now?

Not yet. The HIPAA Security Rule NPRM published on January 6, 2025 proposes making measures such as multi-factor authentication and encryption mandatory rather than addressable. Those changes are proposed, not final. The rule has not been finalized, so the addressable framework in the current Security Rule still governs. RankShieldMD supports the direction of travel with verified actor identity under RFC 9421 and transmission security under §164.312(e), but we describe the NPRM accurately as proposed, and no software by itself makes you HIPAA compliant or certified.

Stronger evidence. Less PHI to defend.

Run an AI or EHR access flow from your environment through the ledger and verify the result yourself. See the PHI-free access audit built on the same fabric.