ClearPulse is the reference implementation of Provable Healthcare Intelligence Infrastructure (PHII) — a category defined by traceable identity, relationship-aware investigation, and cryptographically anchored audit lineage. This whitepaper specifies the architecture: pipeline, data model, the four upgrade priorities, and the six-month execution roadmap.
Every architectural decision in ClearPulse is validated against these pillars. They are non-negotiable and they compose the platform's defensibility.
trace_id minted at ingestion, propagated through every stage. Every dashboard cell replays back to the originating byte.Eight stages, one envelope schema, end-to-end trace_id propagation. Stages 5–8 are the four upgrade priorities specified in this whitepaper.
Every signal is normalized into one envelope before it enters scoring. This contract is what makes ClearPulse explainable end to end — every UI field is sourced from here, every audit query is keyed on it.
{
"trace_id": "018f9b2e-7c41-7a40-ae21-f9c2d2c43e1a",
"envelope_version": "2026.06.01",
"source": {
"system": "epic.audit",
"ledger_offset": 884213,
"ledger_hash": "sha256:9af3…e21c"
},
"subject": {
"patient_eid": "eid:pat:7c1a…09",
"provider_eid": "eid:prv:0044…b2",
"device_eid": "eid:dev:ws-42",
"resolution_confidence": 0.97
},
"score": 78,
"severity": "CRITICAL",
"factors": {
"temporal_overlap": { "weight": 40, "ratio": 0.71 },
"access_spike": { "weight": 28, "z": 4.3 },
"off_hours": { "weight": 10 }
},
"ml_overlay": { "model": "iforest-v3", "p_anomaly": 0.94 },
"incident_id": "inc:2026-06-02:0007",
"audit": {
"prev_hash": "sha256:71d2…c0aa",
"self_hash": "sha256:bb40…91ef",
"merkle_root_ref": "anchor:2026-06-02T14:10:00Z"
}
}
Without identity, every other layer is fragmented. This is the single highest-leverage upgrade in the platform.
| Metric | Target |
|---|---|
| Patient match precision | ≥ 0.995 |
| Patient match recall | ≥ 0.92 |
| Provider duplicate collapse | ≥ 85% |
| Manual reviewer queue / 1M events | ≤ 50 |
| Mean EID resolution latency | ≤ 120 ms |
Event correlation is linear thinking. Relationship intelligence is the multiplier — fraud rings, insider collusion, credential sharing, kickback schemes are graph-shaped problems.
MATCH (p1:Provider)-[:BILLED]->(c1:Claim) -[:DERIVED_FROM]->(e:Encounter) <-[:DERIVED_FROM]-(c2:Claim) <-[:BILLED]-(p2:Provider) WHERE p1.eid < p2.eid AND duration.between(c1.ts, c2.ts).seconds < 900 WITH p1, p2, count(DISTINCT e) AS overlap WHERE overlap >= 12 RETURN p1.eid, p2.eid, overlap ORDER BY overlap DESC
MATCH (w:Workstation)-[l1:LOGGED_IN]->(p1:Provider), (w)-[l2:LOGGED_IN]->(p2:Provider) WHERE p1.eid <> p2.eid AND abs(duration.between(l1.ts, l2.ts).seconds) < 300 RETURN w.id, p1.eid, p2.eid, l1.ts, l2.ts
The graph is not a side database — it is the feature store for ML. For every (provider, 15-min window) we materialize:
degree_patients_15m / _24h / _7dpagerank_in_billing_subgraphco_billing_jaccard_maxshared_device_count_24hring_membership_score — Louvain community detection on co-billing edgesEvery prediction carries a graph-context vector an investigator can interrogate.
| Metric | Target |
|---|---|
| Multi-entity ring detection | ≥ 1 / quarter |
| Investigative depth (avg hops) | 3 → 7 |
| Anomaly recall lift vs. rules-only | +25–40% |
| False-positive delta | ≤ +10% |
This is the legal moat. SIEM vendors compete on dashboards; ClearPulse competes on admissible evidence.
record_n = {
payload: <Risk Envelope, canonical JSON (RFC 8785)>
prev_hash: SHA-256(record_{n-1}.self_hash)
self_hash: SHA-256(payload || prev_hash)
ts: monotonic ingest timestamp
}
// every 5 minutes
merkle_root = Merkle(self_hash[ window_t ])
write_postgres(merkle_root, window_t)
mirror_s3_object_lock(merkle_root) // WORM, 7-year
anchor_rfc3161(merkle_root) // public TSA
| Control | Coverage |
|---|---|
| HIPAA §164.312(b) Audit | Hash-linked ledger of every PHI access |
| HIPAA §164.312(c)(1) Integrity | SHA-256 + Merkle anchoring |
| HIPAA §164.312(c)(2) Authenticity | RFC 3161 timestamps |
| SOC 2 CC7.2 | Continuous immutable evidence stream |
| 21st Century Cures §4004 | Verifiable access trail per request |
| FRE 901 / 902(13)–(14) | Self-authenticating records |
self_hash, walks the chain back to the most recent anchored Merkle root, verifies that root against the public timestamp authority, and confirms the WORM ledger copy matches. If any byte changed, verification fails — without trusting the runtime.
Analysts do not investigate alerts. They investigate incidents. ClearPulse collapses 30–200 contributing events into a single incident with deterministic narrative, root-cause event, graph context, and audit anchor.
Incident
├── incident_id inc:2026-06-02:0007
├── status OPEN | TRIAGED | INVESTIGATING
│ | CLOSED | ESCALATED
├── severity max-decay over events
├── primary_entities[] provider_eid · patient_eid
│ · device_eid
├── root_cause_event_id earliest trace_id
├── contributing_events [trace_ids w/ weights]
├── graph_context subgraph snapshot
├── narrative deterministic + LLM draft
└── audit_chain_ref Merkle root covering all
contributing events
severity = max(event.score) · e^(-λ · age)ClearPulse is deterministic-first. ML augments — it does not replace.
final = clamp_0_100( rule_score + α · ml_lift(p_anomaly, rule_score) + β · graph_context_score ) α = 0.30, β = 0.20 // per-tenant, ledger-anchored
| Domain | Implementation |
|---|---|
| Encryption in transit | TLS 1.3, mTLS between internal services |
| Encryption at rest | AES-256-GCM, per-tenant DEK wrapped by KMS CMK |
| Key management | AWS KMS / Azure Key Vault with HSM, SoD on CMK rotation |
| Tenancy | Per-tenant Redis namespaces, ledgers, CMKs |
| AuthN | OIDC + SCIM; FIDO2 enforced for admin |
| AuthZ | ABAC; minimum-necessary enforced at envelope field level |
| PHI minimization | Field-level redaction; break-glass is itself a ledger event |
| Self-audit | Every read of an envelope by a ClearPulse user produces an envelope |
| Region | US · Canada (PIPEDA / Ontario PHIPA) · EU |
| Certifications target | SOC 2 Type II (Y1) · HITRUST CSF (Y2) · FedRAMP Moderate (Y2–3) |
ClearPulse does not compete with SIEM. It absorbs it.
| Layer | Vendor today | Under ClearPulse |
|---|---|---|
| Endpoint / network telemetry | CrowdStrike, Splunk | Data source |
| Payer fraud heuristics | Optum, Codoxo | Signal input |
| Compliance reporting | Internal GRC, vendor toolchains | Downstream consumer |
| Investigative truth | — | ClearPulse |