ClearPulse
Architecture Whitepaper · v2026.06
REFERENCE ARCHITECTURE PHII · forensic-grade 2026-06-02
Forensic AI for Healthcare · Reference Architecture

The platform doesn't detect anomalies. It proves them.

ClearPulse is the reference implementation of Provable Healthcare Intelligence Infrastructure (PHII) — a category defined by traceable identity, relationship-aware investigation, and cryptographically anchored audit lineage. This whitepaper specifies the architecture: pipeline, data model, the four upgrade priorities, and the six-month execution roadmap.

§1Design Pillars

Every architectural decision in ClearPulse is validated against these pillars. They are non-negotiable and they compose the platform's defensibility.

P1
Traceability-first
UUID7 trace_id minted at ingestion, propagated through every stage. Every dashboard cell replays back to the originating byte.
P2
Explainable scoring
Every Risk Envelope carries weighted factors, contributing facts, and rule version. No black-box scores reach an analyst surface.
P3
Unified signal plane
Billing, behavior, and at-rest PHI exposure converge into one stream, one schema, one investigation graph.
P4
Forensic-grade lineage
Hash-chained, append-only, Merkle-anchored. The audit trail itself is the product.
P5
Deterministic-first, ML-augmented
Rules carry compliance weight. ML widens recall on novel patterns without surrendering defensibility.
P6
Identity-aware
Every event resolves to a stable EID — patient, provider, device, payer. Not transient source identifiers.
P7
Relationship-aware
The graph is a first-class store. Fraud rings and insider collusion live in edges, not rows.
P8
Tenant-isolated
Per-tenant streams, ledgers, KMS CMKs. Hard separation, by construction.

§2Reference Pipeline

Eight stages, one envelope schema, end-to-end trace_id propagation. Stages 5–8 are the four upgrade priorities specified in this whitepaper.

Pipeline · trace_id flow
FHIR → AUDIT-ANCHORED INCIDENT
01 · INGEST
Parser
FHIR / HL7v2 / 837 validate, mint UUID7 trace_id, write Parquet ledger.
02 · STREAM
Redis
stream:tx:new · stream:access · stream:phi:scan — at-least-once, replayable.
03 · SCORE
Risk Engine
Rules + ML overlay. Sliding 15-min windows, weighted factors, Risk Envelope emit.
04 · BEHAVIOR
Access Engine
Bloom + HLL sketches. Per-EID Z-score volume anomaly on access patterns.
05 · RESOLVE
Entity Resolver · P1
Deterministic + Fellegi-Sunter probabilistic MPI. Stable EIDs for patient, provider, device.
06 · GRAPH
Graph Intelligence · P2
Neo4j / Memgraph. Rings, collusion, geographic impossibility. Graph as feature store.
07 · INCIDENT
Incident Aggregator · P4
1 incident ⇆ N events. Entity / graph / pattern affinity. Risk decay.
08 · ANCHOR
Cryptographic Audit · P3
SHA-256 hash chain, 5-min Merkle roots, RFC 3161 timestamps, WORM mirror.
Trace ID: UUID7 Envelope schema: v2026.06 Anchor cadence: 5 min Replay p95: ≤ 3 s Throughput: ≥ 5k eps

§3The Risk Envelope

Every signal is normalized into one envelope before it enters scoring. This contract is what makes ClearPulse explainable end to end — every UI field is sourced from here, every audit query is keyed on it.

Canonical Envelope
v2026.06.01
{
  "trace_id": "018f9b2e-7c41-7a40-ae21-f9c2d2c43e1a",
  "envelope_version": "2026.06.01",
  "source": {
    "system": "epic.audit",
    "ledger_offset": 884213,
    "ledger_hash": "sha256:9af3…e21c"
  },
  "subject": {
    "patient_eid":  "eid:pat:7c1a…09",
    "provider_eid": "eid:prv:0044…b2",
    "device_eid":   "eid:dev:ws-42",
    "resolution_confidence": 0.97
  },
  "score": 78,
  "severity": "CRITICAL",
  "factors": {
    "temporal_overlap": { "weight": 40, "ratio": 0.71 },
    "access_spike":     { "weight": 28, "z": 4.3 },
    "off_hours":        { "weight": 10 }
  },
  "ml_overlay": { "model": "iforest-v3", "p_anomaly": 0.94 },
  "incident_id": "inc:2026-06-02:0007",
  "audit": {
    "prev_hash": "sha256:71d2…c0aa",
    "self_hash": "sha256:bb40…91ef",
    "merkle_root_ref": "anchor:2026-06-02T14:10:00Z"
  }
}
Why one envelope
CONTRACT
  • Single contract across rules, ML, graph, UI, and audit chain.
  • No phantom data: if it appears on screen, it has a trace_id and a hash.
  • Versioned: every envelope carries the rule_version and envelope_version it was scored under.
  • Forensic replay: reconstruct any historical decision from envelope + ledger byte + rule_version.
  • Identity-keyed: downstream baselines, graph features, incident grouping all key on EIDs.
  • Audit-self-contained: prev_hash + self_hash + merkle_root_ref let an independent verifier check integrity offline.
The Risk Envelope is the molecule of ClearPulse. Every macro behavior of the platform — explainability, defensibility, ML governance, multi-tenant safety — reduces to invariants we enforce on this object.

§4Priority 1 · Entity Resolution

Without identity, every other layer is fragmented. This is the single highest-leverage upgrade in the platform.

Hybrid MPI
DETERMINISTIC + PROBABILISTIC
  • Deterministic pass. Exact match on NPI, government-issued patient identifier, verified SSN hash.
  • Probabilistic pass. Fellegi-Sunter scoring on name n-grams, DOB, address tokens, phone hash, device fingerprint.
  • Active-learning loop. Borderline pairs (0.65 ≤ p < 0.92) surface to compliance reviewers; decisions retrain weights weekly.
  • Provider / device parallel pipeline. Workstation MAC, browser fingerprint, badge swipe, shift schedule.
KPI Targets · 90 days
PHASE 1
MetricTarget
Patient match precision≥ 0.995
Patient match recall≥ 0.92
Provider duplicate collapse≥ 85%
Manual reviewer queue / 1M events≤ 50
Mean EID resolution latency≤ 120 ms

§5Priority 2 · Graph Intelligence

Event correlation is linear thinking. Relationship intelligence is the multiplier — fraud rings, insider collusion, credential sharing, kickback schemes are graph-shaped problems.

Fraud ring · shared-patient collusion
CYPHER
MATCH (p1:Provider)-[:BILLED]->(c1:Claim)
        -[:DERIVED_FROM]->(e:Encounter)
        <-[:DERIVED_FROM]-(c2:Claim)
        <-[:BILLED]-(p2:Provider)
WHERE p1.eid < p2.eid
  AND duration.between(c1.ts, c2.ts).seconds < 900
WITH p1, p2, count(DISTINCT e) AS overlap
WHERE overlap >= 12
RETURN p1.eid, p2.eid, overlap
ORDER BY overlap DESC
Insider collusion · shared workstation
CYPHER
MATCH (w:Workstation)-[l1:LOGGED_IN]->(p1:Provider),
      (w)-[l2:LOGGED_IN]->(p2:Provider)
WHERE p1.eid <> p2.eid
  AND abs(duration.between(l1.ts, l2.ts).seconds) < 300
RETURN w.id, p1.eid, p2.eid, l1.ts, l2.ts
Graph as Feature Store
REAL LEVERAGE

The graph is not a side database — it is the feature store for ML. For every (provider, 15-min window) we materialize:

  • degree_patients_15m / _24h / _7d
  • pagerank_in_billing_subgraph
  • co_billing_jaccard_max
  • shared_device_count_24h
  • ring_membership_score — Louvain community detection on co-billing edges

Every prediction carries a graph-context vector an investigator can interrogate.

KPI Targets
PHASE 2
MetricTarget
Multi-entity ring detection≥ 1 / quarter
Investigative depth (avg hops)3 → 7
Anomaly recall lift vs. rules-only+25–40%
False-positive delta≤ +10%

§6Priority 3 · Cryptographic Audit Chain

This is the legal moat. SIEM vendors compete on dashboards; ClearPulse competes on admissible evidence.

Hash-linked, Merkle-anchored
FORENSIC
record_n = {
  payload:   <Risk Envelope, canonical JSON (RFC 8785)>
  prev_hash: SHA-256(record_{n-1}.self_hash)
  self_hash: SHA-256(payload || prev_hash)
  ts:        monotonic ingest timestamp
}

// every 5 minutes
merkle_root = Merkle(self_hash[ window_t ])
write_postgres(merkle_root, window_t)
mirror_s3_object_lock(merkle_root)     // WORM, 7-year
anchor_rfc3161(merkle_root)            // public TSA
Compliance mapping
CONTROLS
ControlCoverage
HIPAA §164.312(b) AuditHash-linked ledger of every PHI access
HIPAA §164.312(c)(1) IntegritySHA-256 + Merkle anchoring
HIPAA §164.312(c)(2) AuthenticityRFC 3161 timestamps
SOC 2 CC7.2Continuous immutable evidence stream
21st Century Cures §4004Verifiable access trail per request
FRE 901 / 902(13)–(14)Self-authenticating records
An auditor independently recomputes self_hash, walks the chain back to the most recent anchored Merkle root, verifies that root against the public timestamp authority, and confirms the WORM ledger copy matches. If any byte changed, verification fails — without trusting the runtime.

§7Priority 4 · Incident Abstraction

Analysts do not investigate alerts. They investigate incidents. ClearPulse collapses 30–200 contributing events into a single incident with deterministic narrative, root-cause event, graph context, and audit anchor.

Incident model
1 ⇆ N
Incident
  ├── incident_id          inc:2026-06-02:0007
  ├── status               OPEN | TRIAGED | INVESTIGATING
  │                        | CLOSED | ESCALATED
  ├── severity             max-decay over events
  ├── primary_entities[]   provider_eid · patient_eid
  │                        · device_eid
  ├── root_cause_event_id  earliest trace_id
  ├── contributing_events  [trace_ids w/ weights]
  ├── graph_context        subgraph snapshot
  ├── narrative            deterministic + LLM draft
  └── audit_chain_ref      Merkle root covering all
                           contributing events
Aggregation rules
CLUSTERING
  • Entity affinity. Events sharing ≥ 1 EID within a 30-min sliding window.
  • Graph affinity. Events on a connected subgraph within 2 hops.
  • Pattern affinity. Same rule-version + factor signature within 6 hours.
  • Risk decay. severity = max(event.score) · e^(-λ · age)
  • Reopen window. Closed incidents reopen on matching events within 7 days.
KPI Targets
PHASE 1–2
Alert→Incident compression
15:1
Analyst fatigue reduction
-70%
MTTR reduction
-60%
Auto-suggest closure accuracy
≥80%

§8Dual-Layer Intelligence · Rules + ML

ClearPulse is deterministic-first. ML augments — it does not replace.

Layer 1 · Rules
DSL
  • Authored in versioned YAML DSL
  • Weighted factors compose envelope score
  • Every rule version signed, ledger-anchored
  • Regulator can read the rule and reproduce the result
Layer 2 · ML Overlay
GOVERNED
  • Isolation Forest (unsupervised baseline)
  • XGBoost on labeled incidents
  • GNN node-classification on co-billing graph
  • Features from graph store, never raw events
  • Model card + offline eval gate every deploy
Composite score
AUDITED
final = clamp_0_100(
  rule_score
  + α · ml_lift(p_anomaly, rule_score)
  + β · graph_context_score
)

α = 0.30, β = 0.20
// per-tenant, ledger-anchored

§9Security & Compliance Posture

DomainImplementation
Encryption in transitTLS 1.3, mTLS between internal services
Encryption at restAES-256-GCM, per-tenant DEK wrapped by KMS CMK
Key managementAWS KMS / Azure Key Vault with HSM, SoD on CMK rotation
TenancyPer-tenant Redis namespaces, ledgers, CMKs
AuthNOIDC + SCIM; FIDO2 enforced for admin
AuthZABAC; minimum-necessary enforced at envelope field level
PHI minimizationField-level redaction; break-glass is itself a ledger event
Self-auditEvery read of an envelope by a ClearPulse user produces an envelope
RegionUS · Canada (PIPEDA / Ontario PHIPA) · EU
Certifications targetSOC 2 Type II (Y1) · HITRUST CSF (Y2) · FedRAMP Moderate (Y2–3)

§10Six-Month Execution Roadmap

DAYS 0–60
PHASE 1
Entity Resolution v1 — deterministic + Fellegi-Sunter probabilistic MPI.
Incident Aggregator v1 — entity + pattern affinity; risk decay.
SEO pillar pages live — explainable healthcare AI audit trails, traceable PHI access architecture, forensic data lineage.
DAYS 60–120
PHASE 2
Graph Intelligence v1 — Neo4j cluster, top-5 Cypher detectors in production.
ML Overlay v1 — Isolation Forest baseline, XGBoost on labeled incidents.
First pilot conversion to paid contract.
DAYS 120–180
PHASE 3
Cryptographic Audit Chain GA — 5-min Merkle anchoring, RFC 3161, WORM mirror.
Standards engagement — HL7 / FHIR audit-extension working group submission.
Independent third-party verification report published.

§11Category Position

ClearPulse does not compete with SIEM. It absorbs it.

LayerVendor todayUnder ClearPulse
Endpoint / network telemetryCrowdStrike, SplunkData source
Payer fraud heuristicsOptum, CodoxoSignal input
Compliance reportingInternal GRC, vendor toolchainsDownstream consumer
Investigative truthClearPulse
Tagline: We don't detect anomalies — we prove them. Audience: auditors, not just analysts Output: evidence, not alerts
© ClearGlass Inc · ClearPulse Architecture Whitepaper · 2026
whitepaper (md) · live surface · home