HIPAA compliance by design: how ClaimZen builds it into the architecture
Most software treats HIPAA as a layer you add on top — audit logs, access reviews, a policy binder. ClaimZen was built the other way around: the tamper-evident audit trail, record integrity, and human accountability the Security Rule asks for are properties of the kernel itself, not features bolted beside it.
Every dental practice that bills insurance handles protected health information (PHI), which puts it squarely under HIPAA — and puts every vendor that touches that data under HIPAA too. The uncomfortable truth is that most software satisfies the HIPAA Security Rule the way it satisfies any checklist: with logging that can be switched off, access controls that drift, and an audit trail that lives in a table someone with enough privilege could quietly rewrite. It passes the questionnaire. It doesn’t always hold up under investigation.
ClaimZen takes a different position: the parts of HIPAA most likely to fail silently — the technical safeguards — should be structural, not configurable. Here is what that means, and, just as importantly, what it doesn’t.
First, there is no such thing as “HIPAA certified”
It’s worth clearing this up before anything else. HHS does not certify, endorse, or accredit any product or vendor as HIPAA compliant. Compliance is an ongoing program that a covered entity (your practice) and its business associates (the vendors that handle PHI) run together. The Security Rule (45 CFR Part 164) sorts its safeguards into three families — administrative, physical, and technical — and no piece of software can make an organization compliant on its own.
What the software does decide is how much of the technical burden is built-in versus something you have to configure, monitor, and hope stays that way. That’s the whole argument for “by design.”
The technical safeguards — and where architecture carries the weight
The Security Rule’s technical safeguards live in 45 CFR §164.312. Here is how each maps to the way ClaimZen’s kernel is actually built.
| Safeguard (§164.312) | What it requires | How the architecture meets it |
|---|---|---|
| Audit controls (b) | Record and examine activity in systems that hold ePHI. | Every state change is an append-only, hash-chained, Ed25519-signed ledger entry. The audit log is the system of record — not a side channel that can be turned off. |
| Integrity (c)(1) | Protect ePHI from improper alteration or destruction. | Each entry’s digest covers the one before it. Edit, reorder, or truncate any event and the chain stops verifying — tampering is detectable by anyone, offline. |
| Access control (a)(1) | Limit ePHI access to authorized people and software. | One tenant silo per practice, each with its own key, ledger, and evidence. Nothing acts on the outside world until a human authorizes the exact approved bytes. |
| Authentication (d) | Verify the person or entity acting is who it claims. | Only deterministic code promotes a verdict to a decision, and it is signed; outbound actions require a human authorization sealed by digest. Every conclusion carries a signature. |
| Transmission security (e)(1) | Guard ePHI as it moves across a network. | Encrypted at the transport layer, then the single network adapter freezes the exact received bytes into a content-addressed blob — so what crossed the wire is provable later, not just protected in transit. |
An audit trail nobody can quietly rewrite
The most common audit finding isn’t a missing log — it’s a log that could have been altered. A conventional audit table can be updated or deleted with enough privilege; its integrity rests on trusting the administrator and the database. ClaimZen’s ledger is append-only and hash-chained: every entry’s digest includes the previous entry’s, and the chain is Ed25519-signed with a key sealed at rest (XChaCha20 · Argon2id). Remove, reorder, or edit a single event and the math stops verifying.
In an investigation — an OCR audit, a breach forensic, an internal review — you don’t assert the record is complete. You prove it.
Integrity as a proof, not a promise
A case’s state is a pure function of its events: fold them with deterministic code and you get a BLAKE3 state root, a single fingerprint over everything derived from the record. Anyone holding the exported evidence packet can replay it and confirm they reach the identical root, byte-for-byte, without ClaimZen in the loop. The Security Rule’s integrity requirement stops being a control you re-audit every quarter and becomes a property you can check on demand.
Minimum necessary — and no model acting on its own
HIPAA’s minimum-necessary standard (§164.502(b)) and the Security Rule’s access controls come down to the same thing: only the right actor touches PHI, only for what’s needed. ClaimZen treats its AI as an untrusted coprocessor. It reads ambiguity and proposes; a deterministic gate corroborates every proposed value against the source; a human authorizes before anything leaves the system, through a two-phase digest gate that refuses anything but the exact approved bytes.
The model never manufactures a fact and never executes an action. An autonomous mistake with PHI isn’t a policy you have to enforce — it’s a path that doesn’t exist. And because each practice is its own tenant silo, isolated by key and ledger, one tenant’s PHI is structurally separated from another’s.
What “by design” does not replace
Be clear-eyed about the boundary: no architecture makes an organization HIPAA compliant. Compliance is a shared responsibility, and the design above covers the technical core — not the whole program. Your practice still owns:
- Administrative safeguards — a designated security officer, a documented risk analysis, workforce training, and sanction policies.
- Physical safeguards — facility access controls, workstation security, and device and media handling.
- A Business Associate Agreement — any vendor that handles your PHI, ClaimZen included, must operate under a signed BAA before a single record is shared. The BAA, not a badge, is what binds a vendor to HIPAA.
- Ongoing operations — encryption of PHI at rest and in transit, access provisioning and de-provisioning, breach notification, and periodic re-assessment.
What “HIPAA by design” buys you is that the technical layer — the part most likely to fail quietly between assessments — is built to be provable rather than merely configured. When an auditor asks how you know your records weren’t altered, the answer isn’t a screenshot of a settings page. It’s math.
Frequently asked questions
Is ClaimZen “HIPAA certified”?
There is no official HIPAA certification — HHS does not certify or endorse products. A vendor claiming to be “HIPAA certified” is describing a private third-party assessment, not a government stamp. Compliance is maintained by an organization, not carried as a badge by a product.
Does a vendor like ClaimZen need to sign a BAA?
Yes. A business associate that creates, receives, maintains, or transmits PHI on a covered entity’s behalf must enter a Business Associate Agreement before PHI is shared. It’s a legal prerequisite, not a formality.
Does the AI see PHI, and is that a problem?
The model is a contained, propose-only coprocessor: it can read case context to draft and suggest, but it never decides, acts, or promotes its own output to a fact — deterministic code and a human do that. HIPAA doesn’t prohibit AI on PHI; doing it without controls and auditability is the risk, and containment addresses it directly.
How does the signed ledger help during an audit or breach investigation?
It turns assertions into evidence. Rather than testifying that your audit log is complete and unaltered, you demonstrate it — the hash chain proves no entry was edited, reordered, or removed, and each case exports as a signed packet a third party can verify offline.
Sources
- HHS, HIPAA Security Rule, 45 CFR Part 164, Subpart C — technical safeguards at §164.312 (audit controls, integrity, access control, authentication, transmission security).
- HHS, HIPAA Privacy Rule, minimum-necessary standard, 45 CFR §164.502(b).
- HHS, Business Associate Contracts, 45 CFR §164.502(e) and §164.308(b).
- HHS Office for Civil Rights guidance: HHS does not certify HIPAA compliance; there is no official “HIPAA certification.”
- NIST, SP 800-66 Rev. 2, Implementing the HIPAA Security Rule.
- ClaimZen, system architecture, for the kernel properties described (event-sourced state, hash-chained signed ledger, AI containment, two-phase actions, offline-verifiable evidence packets).
General information, not legal or compliance advice. HIPAA obligations depend on your organization, your data, and your contracts — consult your privacy/security officer and counsel.
Proof you can hand to an auditor.
ClaimZen makes the technical core of HIPAA — audit trail, integrity, accountability — provable by design. See how the kernel works, or get early access.
Get early access