RankShield
RANKSHIELD NETWORK Get started
DIAGNOSTIC PROVENANCE LEDGER // ATTEST, DON'T EXPOSE

Prove where an AI
diagnosis came from.
The Diagnostic Provenance Ledger — verifiable AI diagnosis provenance, PHI-free.

The Diagnostic Provenance Ledger attests where an AI-assisted diagnosis came from — which model, which version, intact inputs — and that it wasn't altered, without exposing PHI. Clinicians and auditors can verify it independently. It attests; it never decides. Verifiable, private, quantum-safe.

THE THREAT

A result no one
can verify.

As AI assists diagnosis, a result travels across systems — generated, transmitted, stored, acted on. The danger isn't only a breach; it's an output no one can confirm came from the validated model, on the right version, from intact inputs. Unprovable is unsafe.

THE LEDGER

Each result,
a sealed record.

The DPL attests each AI-assisted diagnosis into a tamper-evident ledger — model, version, input integrity, time — sealed and verifiable. Anyone with authority can confirm a result is authentic and unaltered, on the record, at the beat.

WITHOUT PHI

Provable,
yet private.

The ledger records proof about a diagnosis, never the protected health information behind it. Verification never requires exposing the data — provable and confidential at once, by design and by minimum-necessary principle.

ATTEST, NOT DECIDE

It proves.
Clinicians decide.

The DPL does not diagnose or treat. It attests provenance and integrity; the clinical judgment stays with clinicians and their systems. We hold that line firmly, because in medicine, a tool overstating its role is unsafe.

PROVEN

Trusted for
a lifetime.

Each attestation is post-quantum-signed, so a proof of provenance trusted today stays verifiable for the long lifetimes health records demand. Verifiable, private, quantum-safe.

SCROLL TO DESCEND
WHAT IT IS

What is the Diagnostic Provenance Ledger?

The Diagnostic Provenance Ledger (DPL) is a tamper-evident record that attests where an AI-assisted diagnostic result came from — which model, which version, the integrity of its inputs, and when — so the result's origin and integrity can be independently verified, without exposing protected health information. It answers a question that becomes critical the moment AI enters diagnosis: when a clinician relies on an AI-assisted result, how do they, or an auditor later, confirm it genuinely came from the validated model, on the current version, from uncorrupted inputs, and that it wasn't altered along the way? As results are generated, transmitted, stored and acted upon across systems, that provenance is easy to lose and hard to prove — and an unprovable result is a liability in a setting where the stakes are a patient's health. The DPL makes provenance verifiable. When an AI-assisted diagnosis is produced, it captures attestable metadata about the result and seals it into a tamper-evident ledger that anyone with authority can check. Two principles govern it, and RankShield holds both without exception. First, attest, don't decide: the DPL proves where a result came from and that it's intact; it does not diagnose, treat, or make any clinical judgment, which remains entirely with clinicians and regulated clinical systems. Second, prove without exposing: the ledger records verifiable statements about a result, never the protected health information itself, so verification never requires revealing PHI. It is verifiable, private, and quantum-safe — provenance you can trust for the lifetime of a medical record.

How does the DPL prove provenance without exposing patient data?

By recording verifiable statements about a result rather than the result itself — separating the proof from the data so one can be checked without touching the other. This separation is the technical heart of the DPL, and it resolves what sounds like a contradiction: how can a record be both provable to outside parties and private enough for medical data? The answer is that the ledger never holds the protected health information. When an AI-assisted diagnostic result is produced, the DPL captures attestable metadata about it — which model generated it, on what version, that the inputs it relied upon were intact, and when it happened — and seals that metadata into a tamper-evident record signed with post-quantum cryptography. What it deliberately does not capture or store is the PHI: the images, the values, the identifiable clinical content. That data stays where it belongs, in the clinical systems governed for it; the DPL holds only the cryptographic proof about the result. Verification then works entirely without the PHI: a clinician or auditor can confirm that a result is authentic, came from the model it claims, is on the correct version, and has not been altered, purely by checking the attestation against the sealed ledger — no exposure of the underlying data required. Where a verifiable statement genuinely needs to reference sensitive detail, privacy-preserving techniques allow the fact to be proven without the value being revealed — the minimum-necessary principle expressed cryptographically, proving what must be proven and exposing nothing more. The result is a capability that healthcare badly needs but that sounds paradoxical until you see the mechanism: records that are simultaneously provable and private. In a domain where exposing data in order to verify it would itself be a violation, keeping the proof and the data separate isn't a nice-to-have — it's the entire point. See the broader approach on AI security for healthcare.

Why "attest, not decide" is non-negotiable in medical AI

Because the fastest way to cause harm with medical AI is to blur who is responsible for the clinical decision — so the DPL's role is bounded to verifiable attestation, deliberately and permanently. There is real commercial and clinical pressure on AI tools to creep from assisting toward deciding, and equal pressure on vendors to imply their products do more than they safely can. RankShield draws an unambiguous line and does not cross it: the Diagnostic Provenance Ledger attests, it does not decide. Its function is to provide verifiable proof of where an AI-assisted result came from and that it hasn't been altered — to make it checkable that a given output genuinely came from a given model, on a given version, with intact inputs, at a given time. It does not diagnose, it does not treat, it does not recommend, and it does not substitute for clinical judgment; those remain with clinicians and the regulated clinical systems they use, full stop. This restraint is not modesty for its own sake — it is a safety and honesty requirement with real consequences. A provenance tool that quietly positioned itself as a decision-maker would invite exactly the over-reliance that makes AI dangerous in care, encouraging clinicians to defer to a system that was never validated or intended to decide, and it would misrepresent what the technology actually does to the patients and regulators who depend on accuracy. By keeping the DPL's role precisely bounded to verifiable attestation, its value is real and defensible while the responsibility for care stays exactly where it belongs. It's the same discipline that runs through everything RankShield builds — claim only what you can prove, and never overstate a tool's role — applied where the cost of overclaiming is highest: a patient's health. The DPL makes AI-assisted diagnosis more trustworthy precisely by not pretending to be the diagnosis. Explore the full clinical platform at RankShield Medical ↗.

ANSWERS

Ask RankShield about diagnostic provenance.

RankShieldHealthcare security assistant · online

What is a diagnostic provenance ledger?

A diagnostic provenance ledger (DPL) is a tamper-evident record that attests where an AI-assisted diagnostic result came from — which model, which version, the integrity of its inputs, and when — so the result’s origin and integrity can be independently verified. It does not store or expose the underlying medical data; it records provable metadata about the result. RankShield’s DPL lets a clinician or auditor confirm that an AI-assisted diagnosis is authentic and unaltered, without ever handling the protected health information behind it. It attests provenance; it does not make the diagnosis.

Does the Diagnostic Provenance Ledger make diagnoses?

No — and this boundary is essential and non-negotiable. The DPL does not diagnose, treat, or make any clinical decision. It attests: it provides verifiable proof of where an AI-assisted result came from and that it has not been altered. The clinical judgment stays entirely with clinicians and the regulated clinical systems they use. RankShield’s role is provenance and integrity, not decision-making, and we state that plainly because in medicine, overstating a tool’s role is unsafe.

How does the DPL protect PHI while proving provenance?

By separating the proof from the data — recording verifiable statements about a result rather than the result’s contents. When an AI-assisted diagnosis is produced, the DPL captures attestable metadata (model, version, input integrity, timestamp) and seals it into a tamper-evident record, without storing the protected health information itself. Verification then works without touching PHI: anyone with authority can confirm a result is authentic and unaltered by checking the attestation. Where a verifiable statement must reference sensitive detail, privacy-preserving techniques prove the fact without revealing the value — minimum-necessary, expressed cryptographically.

Why does an AI diagnosis need provenance?

Because trust in a clinical result depends on being able to answer "where did this come from, and is it intact?" — and AI makes that harder to answer without help. As AI assists diagnosis, a result may be generated, transmitted, stored, and acted upon across systems, and a clinician relying on it reasonably wants assurance it’s the validated model’s output, on the current version, from uncorrupted inputs, unaltered in transit. An auditor reviewing care later needs the same, without taking anyone’s word. The DPL makes that provenance verifiable rather than assumed, which is foundational to trusting AI in a setting where the stakes are a patient’s health.

How does the DPL support HIPAA and FDA expectations?

By producing verifiable, PHI-free evidence of provenance and integrity, and by following minimum-necessary and privacy-preserving principles that align with the direction of healthcare regulation — HIPAA’s protections and evolving FDA expectations for AI in medical contexts. A tamper-evident provenance record is exactly the kind of checkable artifact that supports audit and accountability. As always, RankShield supports compliance by generating verifiable evidence; it does not by itself make an organization compliant, and it never substitutes for clinical or regulatory judgment.

Is the DPL quantum-safe?

Yes. Health records and the proofs about them must remain trustworthy for decades, well within the horizon where quantum computers could threaten today’s cryptography. RankShield signs DPL attestations with composite post-quantum signatures, so a proof of provenance trusted now stays verifiable and unforgeable for the long lifetimes medical records demand. It’s quantum-safe, not quantum-proof — standards-based durability for records measured in a patient’s lifetime.

Try one of the suggested questions above.

Prove the AI. Protect the patient.

Verifiable diagnostic provenance, PHI-free and quantum-safe — it attests, it never decides. See the full clinical platform.