← back to all posts
Healthcare· HIPAA · OCR · state privacy· 6 min read

The CDS override defense, cryptographic by default

An HHS OCR complaint about a documented clinical override is a question your audit chain should already have answered.

A patient's family files a complaint with the HHS Office for Civil Rights. They allege that the clinical decision support tool failed to flag a drug-drug interaction. The clinician wrote a prescription. There was an adverse event. The family's lawyer is alleging the override note was added later, after the bad outcome, to cover the clinician.

This is the worst kind of healthcare complaint to defend, because the evidence the OCR wants — the CDS state at the moment of prescription — depends on three different systems that almost never agree about timestamps. The drug-database version was managed by the pharmacy. The clinical guideline edition was managed by medical informatics. The CDS model in force was managed by IT. The override note lives in the EHR.

Reconstructing the whole reasoning state at 14:18 on January 9th is, in most hospital stacks, an eight-week project that costs about $250,000 — and at the end of it you still can't fully prove that the override note was written contemporaneously.

The three questions the OCR will ask

  1. What did the CDS know at 14:18? Reconstruct the drug database version, the guideline edition, the patient's allergies on record, the CDS model in force.
  2. What did the clinician do with the recommendation? Override or accept. Reason documented or not.
  3. When was the override note written? Contemporaneous with the prescription, or after the adverse event?

If those three questions each take a week to research, you've already lost the case in the family lawyer's eyes — even if the override was real, the appearance of incomplete records will produce a settlement.

The bitemporal reconstruction

The first OCR question — "what did the CDS know at 14:18?" — is an AT RECORDED query:

MATCH (e:Encounter) AT RECORDED '2026-01-09T14:18:00Z'
WHERE e.id = 'ENC-44712'
OPTIONAL MATCH (e)-[:USED_DRUG_DB]->(d:DrugDB)
OPTIONAL MATCH (e)-[:USED_GUIDELINE]->(g:Guideline)
OPTIONAL MATCH (e)-[:CDS_RECOMMENDED]->(r:Recommendation)
RETURN e, d.version, g.version, r

The clinical knowledge graph rolls back to 14:18. The drug DB version (FDB v18.4.2). The guideline edition (Beers Criteria 2023 — the CMS-adopted current edition that day). The recommendation: AVOID warfarin + amiodarone, severe interaction.

The CDS did flag the interaction. The clinician's override was a documented decision the record fully captures. This isn't a tool failure — it's an override decision with a documented reason (rate-control priority).

The override-timing proof

This is the question the family's lawyer cares about most. Was the override note written contemporaneously, or after the adverse event?

The audit chain answers. Every entry in the encounter's lifecycle is a SHA-256 link, signed at write time with the clinician's DEA + NPI. The override entry shows a timestamp of 14:19:03 — sixty-three seconds after the prescription. Signed by the clinician. Chained immediately into the encounter's audit log.

CALL db.verifyAclChain('encounter:ENC-44712',
                       from='2026-01-09T14:00:00Z',
                       to=now())
YIELD entries, writtenAt, tampered
RETURN entries, tampered

The chain returns zero tampered entries. The override was written within the same minute as the prescription, signed with the clinician's credentials, chained into the encounter immediately. If a single byte had been altered between then and now, the chain would break. It doesn't.

This is the proof the family's lawyer can't dispute. Not "we believe the note is original" — mathematical certainty that the note hasn't been modified since 14:19:03 on January 9th.

The HIPAA + state privacy bind

While the OCR complaint is open, the family also files a state genetic-privacy deletion request. Most hospital stacks face an impossible bind here — GDPR-equivalent state privacy laws demand deletion, but 45 CFR 164.530(j) requires retention of audit metadata for six years.

The crypto-shred resolves it. The patient's per-subject encryption key is destroyed in the HSM. The PHI becomes ciphertext no one can read. But the audit metadata — the structure, the timestamps, the signed chain entries — stays intact. The HIPAA retention requirement is met. The state genetic-privacy deletion is honored. The OCR can still verify the chain integrity for the open complaint.

Three frameworks, one graph, no broken laws.

The numbers

The eight-week, $250,000 project becomes a six-minute project. The clinician's reputation is defended with cryptographic evidence instead of incomplete records. The family gets closure either way — closure on the legal question and closure on the deletion request. The hospital's OCR exposure stays at zero.

Live walkthrough on the Healthcare tab.

See it live

The walkthrough is narrated, 90 seconds.

The full flow, ending with the chain verification and the right-to-be-forgotten resolution. Pre-rendered, runs in any browser, doesn't need an engine.

Open the Healthcare walkthrough →