HAREMed
HAREMed is designed to provide runtime governance for healthcare AI—producing cryptographic evidence intended to support HIPAA compliance workflows, patient consent enforcement, and PHI access tracking.
Sector Disclaimer: Vertical examples illustrate intended application domains. Sector-specific compliance requires independent legal and technical validation.
The Challenge
You're deploying AI to assist with clinical workflows. But when your compliance officer asks "What patient data did the AI access for this decision?"—you can't answer.
HAREMed Workflow
Every clinical AI operation passes through the Arbiter. Every decision produces cryptographic proof.
Nurse creates patient encounter capsule with demographics, intake notes, and vitals. Capsule carries policy and consent bindings from creation.
EXECUTE + PoA
Physician uses AI assistant to summarize patient history, risk factors, recent labs. Read-only mode—no state changes. Evidence of what was retrieved.
PLAN mode
AI proposes assessment and treatment plan. Validation Gate checks against ground truth (labs, allergies, medications). Nothing committed yet—proposals only.
EVALUATE mode
Validation Gate confirms: consent covers this use, PHI access is within scope, policy permits this action. If PASS, physician can proceed.
Validation Gate
Physician commits the finalized assessment and plan. Proof-of-Action generated with: actor identity, RLTA timestamp, validation result, policy snapshot.
EXECUTE + PoA
Compliance can export the full proof bundle: all PoAs, lineage entries, policy snapshots. Verifiable without trusting mutable logs.
Evidence Export
Capabilities
Every AI operation is checked against the patient's consent bindings. No consent for research use? AI can't access that data for research queries.
Every piece of PHI accessed by AI is recorded with cryptographic proof. Not a log entry—an Evidence Artifact that proves what was accessed, when, and under what policy.
The Arbiter enforces minimum necessary access. AI can only access the specific data elements required for the current operation—nothing more.
Emergency access paths exist but are heavily evidenced. Break-glass produces enhanced proof artifacts for audit and review.
Separate consent rails for treatment vs. research. IRB requirements enforced at runtime. Data use agreements tracked and enforced.
Patient exercises right to revoke? Data access is crypto-shredded but lineage preserved. You can prove the revocation happened and was enforced.
Compliance Mapping
HAREMed mechanisms are designed to align with healthcare regulatory requirements. Regulatory interpretation and compliance determination remain deployer responsibility.
| Regulation | Requirement | HARE Mechanism |
|---|---|---|
| HIPAA §164.502 | Minimum necessary | Lane-scoped access with role-based filtering |
| HIPAA §164.524 | Access to records | Patient-facing audit bundles with lineage |
| HIPAA §164.528 | Accounting of disclosures | Evidence Artifacts as disclosure records |
| GDPR Article 17 | Right to erasure | Revocation with crypto-shred, lineage preserved |
| GDPR Article 30 | Records of processing | Evidence chain as processing record |
| 21 CFR Part 11 | Electronic records | Signed Evidence Artifacts, RLTA timestamping |
Use Cases
AI assistants helping physicians with diagnosis, treatment planning, medication review—with proof of what patient data informed each recommendation.
AI-assisted coding with evidence of what clinical data was accessed. Audit-ready documentation for billing compliance.
AI querying research datasets with IRB-approved consent enforcement. Proof of data use agreement compliance.
Contact us to discuss pilot programs and integration with your clinical AI systems.
med@hareprotocol.ai