PHI Compliance Infrastructure
The audit chain your OCR investigator can actually read.
Hermes produces a per-token, CFR-cited, SHA-256 hash-chained record of every PHI scrubbing decision — inside your environment, never leaving it. Built for MSPs serving HIPAA-covered entities.
Zero-egress architecture. Data never leaves your environment.
The Documentation Gap
Every tool detects PHI. None of them can prove what they did with it.
When OCR investigates a business associate, the investigators do not ask whether you had a scrubbing tool. They ask you to produce the evidence — exactly what was found, under which regulation, by which method, in an unbroken chain from scan to audit. Cloud-based competitors run ML models that cannot answer that question. Their architecture makes honest attestation impossible.
What carriers ask
Is MFA enforced for privileged access? How many PHI records do you handle? Can you document what was found and how it was handled?
Coalition Application Q4, Q6 — verbatim
What OCR demands
Produce documentation of your de-identification method, the specific identifiers found, and the regulatory basis for each classification decision.
45 CFR §164.514(b) — Safe Harbor standard
What MSPs cannot produce
A per-token, CFR-cited, cryptographically signed record that proves Safe Harbor compliance was actively maintained — not just assumed.
OCR Risk Analysis Initiative — 2026
The Travelers v. ICS ruling voided a $1M policy because attestations did not match reality. For MSPs serving healthcare clients, the documentation gap is not a compliance problem. It is an existential liability.
How Hermes Works
Deterministic. Zero-egress.
Court-defensible by design.
ARCHITECTURE
Zero-egress
Hermes runs entirely inside your environment. PHI never transits external infrastructure — making your attestations technically accurate, not just aspirational.
METHOD
Deterministic
Every classification is driven by rule-based regex and a fixed-version spaCy model — never a hosted LLM. The same input produces the same output, every run, with the same CFR citation attached.
EVIDENCE
Court-defensible
Each decision is recorded as a per-token, CFR-cited event and sealed into a SHA-256 hash chain. The result is an unbroken, tamper-evident record an OCR investigator can verify byte by byte.
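The per-token, CFR-cited hash chain described above, as an added illustration (not Hermes' own code): a deterministic regex scrubber records each redaction as an event sealed with SHA-256 over the previous block's hash, and a verifier recomputes the chain so that any edited or dropped event is reported. The rule set, the Safe Harbor sub-paragraph citations, the field names and the `regex-v1` method label are assumptions constructed for this example.

```python
import hashlib, json, re

GENESIS = "0" * 64  # prev_hash of the first event in a fresh chain

# Illustrative rule set (constructed for this example): label, regex, Safe Harbor
# identifier sub-paragraph. Fixed rule order keeps the scrub deterministic.
RULES = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "45 CFR 164.514(b)(2)(i)(G)"),
    ("PHONE", re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "45 CFR 164.514(b)(2)(i)(D)"),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[A-Za-z]{2,}\b"), "45 CFR 164.514(b)(2)(i)(F)"),
]

def _seal(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical serialization of this block."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def scrub(text, prev_hash=GENESIS):
    """Redact every rule match; return (scrubbed_text, events), one chained event per token."""
    hits = sorted((m.start(), m.end(), label, cite)
                  for label, rx, cite in RULES for m in rx.finditer(text))
    events, out, cursor = [], [], 0
    for start, end, label, cite in hits:
        token = text[start:end]
        payload = {
            "seq": len(events), "offset": start, "length": end - start,
            "label": label, "citation": cite, "method": "regex-v1",
            # Record a digest of the token, not the token: the audit log must not re-leak PHI
            "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
            "prev_hash": prev_hash,
        }
        prev_hash = _seal(payload["prev_hash"], payload)
        events.append({**payload, "hash": prev_hash})
        out.append(text[cursor:start] + f"[{label}]")
        cursor = end
    out.append(text[cursor:])
    return "".join(out), events

def verify_chain(events, genesis=GENESIS):
    """Recompute every seal; return (True, None) or (False, seq of the first broken block)."""
    expected = genesis
    for ev in events:
        payload = {k: v for k, v in ev.items() if k != "hash"}
        if ev["prev_hash"] != expected or _seal(expected, payload) != ev["hash"]:
            return False, ev["seq"]
        expected = ev["hash"]
    return True, None

if __name__ == "__main__":
    clean, log = scrub("Patient note: SSN 123-45-6789, phone 865-555-0100, email pt@example.com")  # constructed
    print(clean, verify_chain(log))
```

Because the token itself is stored only as a digest, the chain can be handed to an investigator and replayed against the original document without the log becoming a second copy of the PHI.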
Why competitors cannot replicate this
The attestation is only legally accurate if the architecture is zero-egress.
Nightfall, Strac, Private AI, AWS Comprehend Medical, Azure Text Analytics — all transit your PHI through external infrastructure. They can produce a log. They cannot produce a truthful attestation that data never left your environment. The BAVR they would generate would be a false statement.
Microsoft Presidio, spaCy pipelines, CliniDeID — powerful detection, zero compliance layer. No audit chain, no CFR citations, no BAA support, no evidence artifact. A library is not a compliance system.
Deterministic architecture means every decision is explainable. Zero-egress means every attestation is accurate. Hash-chained audit trail means every record is independently verifiable. Built by a founder with genuine HIPAA, DSCSA, and 21 CFR Part 11 regulatory depth — not a checklist.
Pilot program — East Tennessee MSPs serving HIPAA-covered entities
One pilot. Your environment. Your audit chain.
Hermes is currently accepting one design partner in the East Tennessee market. 30-day pilot, your infrastructure, full compliance evidence record output from day one.
Zero-egress architecture · Data never leaves your environment · SHA-256 independently verifiable · HIPAA Safe Harbor 45 CFR §164.514(b)