
Kosyn

Patient-owned health records with AI clinical intelligence running inside Chainlink CRE TEE enclaves and verifiable HIPAA compliance on-chain

Tags: Risk & Compliance, Privacy, CRE & AI, Thirdweb

What it is

Healthcare data is broken. The average breach costs $10.93M, 78% of EHR systems are proprietary silos, and patients have zero control over their own records. HIPAA compliance is enforced through audits and trust, not cryptography. Kosyn changes this with four innovations no traditional EHR can replicate.

First: patient-controlled encryption. Records are encrypted client-side: the WebAuthn PRF output (Face ID / Touch ID acting as a key derivation oracle) is fed through HKDF-SHA256 to derive an AES-256-GCM key. The key is derived fresh from the biometric on each use and never stored anywhere. Encrypted records are pinned to IPFS via CRE using consensusIdenticalAggregation - multiple independent DON nodes call Pinata separately and must return the same IPFS CID, so a single compromised node cannot substitute ciphertext. Zero PHI ever touches the blockchain.

Second: verifiable AI inside TEE. During consultations, real-time speech (AssemblyAI) flows into a CRE workflow that sends the transcript to Nillion nilAI via CRE ConfidentialHTTP. The API key is injected as a CRE Vault secret - node operators running the workflow never see it, it decrypts only inside the AMD SEV-SNP enclave. Nillion returns SOAP notes, ICD-10/CPT codes, drug interaction flags, and a secp256k1 ECDSA attestation signature proving the inference ran in that specific enclave. That signature is hashed and stored in HIPAAComplianceRegistry on Avalanche Fuji - a verifiable AI audit trail that no existing healthcare system has.

Third: on-chain HIPAA compliance. Every provider access request runs through an ACE PolicyEngine chaining four independently deployed contracts: ProviderAllowlistPolicy (§164.312(a)(1)), ConsentExpiryPolicy (§164.312(a)(1)), MinimumNecessaryPolicy (§164.514(d)), AuditPolicy (§164.312(b)). Every attempt, approved or denied, writes a 4-bit bitmask attestation plus keccak256(CRE report) permanently on-chain. Any compliance officer can audit years of access logs with a single blockchain query instead of a manual HIPAA review.
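A JavaScript model of the policy chain and its 4-bit attestation, added here as an example; it is not Kosyn's Solidity. The bit assignments, the AuditPolicy rule (the request must carry an audit reason), the sample state and the placeholder report hash are assumptions. The point it demonstrates is that each policy is evaluated independently and every attempt is logged, so a denied request leaves a record showing exactly which safeguard failed.

```javascript
// Added example, not Kosyn's contracts: ACE-style policy chain with a 4-bit attestation.
const POLICIES = [
  { name: 'ProviderAllowlistPolicy', section: '§164.312(a)(1)', bit: 1 << 0 },
  { name: 'ConsentExpiryPolicy',     section: '§164.312(a)(1)', bit: 1 << 1 },
  { name: 'MinimumNecessaryPolicy',  section: '§164.514(d)',    bit: 1 << 2 },
  { name: 'AuditPolicy',             section: '§164.312(b)',    bit: 1 << 3 },
];
const ALL_PASSED = 0b1111;

// Evaluate every policy, never short-circuit: the mask must say which ones failed.
function evaluateAccess(req, state, now) {
  let mask = 0;
  if (state.allowlist.has(req.provider)) mask |= 1 << 0;
  const consent = state.consents.get(`${req.patient}:${req.provider}`);
  if (consent !== undefined && consent.expiresAt > now) mask |= 1 << 1;
  const permitted = state.minimumNecessary.get(req.purpose) ?? new Set();
  if (req.fields.length > 0 && req.fields.every((f) => permitted.has(f))) mask |= 1 << 2;
  if (typeof req.auditReason === 'string' && req.auditReason.trim() !== '') mask |= 1 << 3; // assumed rule
  return mask;
}

// Every attempt is appended, approved or not, with the hash of the CRE report
// (supplied by the caller; on Kosyn it is keccak256 of the report).
function recordAttempt(log, req, mask, reportHash, now) {
  const entry = {
    timestamp: now, provider: req.provider, patient: req.patient,
    mask, approved: mask === ALL_PASSED, reportHash,
  };
  log.push(entry);
  return entry;
}

// What a compliance officer reads back from one log entry.
function decodeAttestation(mask) {
  return POLICIES.map((p) => ({ policy: p.name, section: p.section, passed: (mask & p.bit) !== 0 }));
}

// Constructed sample state: one allowlisted provider, one consent, two purposes.
const sampleState = {
  allowlist: new Set(['dr-ada']),
  consents: new Map([['patient-1:dr-ada', { expiresAt: 2000 }]]),
  minimumNecessary: new Map([
    ['treatment', new Set(['vitals', 'medications'])],
    ['billing', new Set(['cpt_codes'])],
  ]),
};
const baseRequest = {
  provider: 'dr-ada', patient: 'patient-1', purpose: 'treatment',
  fields: ['vitals'], auditReason: 'follow-up visit',
};

function runSamples() {
  const log = [];
  const placeholderHash = '0x<keccak256 of CRE report>'; // placeholder, not a real hash
  const ok = recordAttempt(log, baseRequest, evaluateAccess(baseRequest, sampleState, 1000), placeholderHash, 1000);
  // Same request after the consent expired: only bit 1 drops out.
  const expired = recordAttempt(log, baseRequest, evaluateAccess(baseRequest, sampleState, 3000), placeholderHash, 3000);
  // Unknown provider asking for a field outside the purpose: only the audit bit remains.
  const stranger = { ...baseRequest, provider: 'dr-zed', fields: ['ssn'] };
  const denied = recordAttempt(log, stranger, evaluateAccess(stranger, sampleState, 1000), placeholderHash, 1000);
  return { ok, expired, denied, log };
}
```

An auditor reading mask 13 (0b1101) from the expired entry sees ConsentExpiryPolicy as the single failed safeguard without having to re-run the request.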

Fourth: a live x402 data marketplace. The platform exposes three research endpoints (/demographics, /conditions, /outcomes) that return HTTP 402 with standard x402 payment instructions when hit without a payment header. Researchers approve KUSD and call submitQuery() on the DataMarketplace contract on Fuji - a single on-chain tx. They retry the endpoint with the tx hash as the x-payment header, and the API verifies on-chain (tx succeeded, recipient correct, KUSD amount sufficient) before serving de-identified aggregated data. No API keys, no accounts, no billing setup - any wallet with KUSD on Fuji can query. HIPAA Safe Harbor de-identification (all 18 PII categories: provider names stripped, free-text clinical notes removed, dates reduced to year only, lab results stripped to clinical values) runs inside the CRE TEE before any data exits. A Chainlink CRE workflow then distributes the KUSD payment proportionally to every patient who contributed records. KosynUSD itself is an ERC-20 minted by CRE only after Stripe payment is verified inside the TEE via ConfidentialHTTP - the amount comes from Stripe's response, never from the user's request body.
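Safe Harbor de-identification of a constructed patient record, added as an example that is not Kosyn's TEE code. It goes slightly beyond the rules listed above by also applying two other Safe Harbor requirements (ZIP truncated to three digits, ages over 89 aggregated to 90+); the field names and sample records are assumptions. The design point is an explicit allowlist of output fields rather than deleting known identifiers, so a new upstream field never leaks by default.

```javascript
// Added example, not Kosyn's code: Safe Harbor style de-identification.
const MAX_AGE_BEFORE_AGGREGATION = 89; // Safe Harbor: ages over 89 are reported as 90+

function yearOf(isoDate) {
  return Number.parseInt(isoDate.slice(0, 4), 10);
}

// Builds the output from scratch (default-deny). Anything not named here,
// including patientName, providerName, mrn, notes, orderedBy and collectedAt,
// never reaches the output.
function deidentifyRecord(record, referenceYear) {
  const birthYear = yearOf(record.dateOfBirth);
  const age = referenceYear - birthYear;
  const out = {
    visitYear: yearOf(record.visitDate),                 // dates reduced to year only
    zip3: record.zip.slice(0, 3),                        // the low-population "000" rule needs census data, omitted here
    conditions: [...record.conditions],                  // coded conditions are clinical values
    labs: record.labs.map(({ test, value, unit }) => ({ test, value, unit })), // labs stripped to clinical values
  };
  if (age > MAX_AGE_BEFORE_AGGREGATION) {
    out.ageBand = '90+';          // a birth year would reveal the age, so it is dropped
  } else {
    out.birthYear = birthYear;
  }
  return out;
}

// Constructed sample records (no real PHI).
const sampleRecords = [
  {
    patientName: 'Jane Sample', providerName: 'Dr. Ada Example', mrn: 'MRN-000001',
    dateOfBirth: '1984-03-12', visitDate: '2024-11-05', zip: '02139',
    conditions: ['E11.9'],
    notes: 'Patient reports fatigue; discussed diet with her husband present.',
    labs: [{ test: 'HbA1c', value: 7.2, unit: '%', collectedAt: '2024-11-05', orderedBy: 'Dr. Ada Example' }],
  },
  {
    patientName: 'John Sample', providerName: 'Dr. Ada Example', mrn: 'MRN-000002',
    dateOfBirth: '1930-06-01', visitDate: '2024-02-14', zip: '94110',
    conditions: ['I10'],
    notes: 'Routine follow-up.',
    labs: [{ test: 'LDL', value: 118, unit: 'mg/dL', collectedAt: '2024-02-14', orderedBy: 'Dr. Ada Example' }],
  },
];

function runSamples(referenceYear = 2024) {
  return sampleRecords.map((r) => deidentifyRecord(r, referenceYear));
}
```

Free-text notes are dropped entirely rather than scrubbed, because names and dates inside prose cannot be reliably found by pattern matching.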

How it Works

We built 7 Solidity contracts on Avalanche Fuji using Foundry. HealthRecordRegistry and KosynUSD both inherit ReceiverTemplate so CRE can write to them directly without a permissioned oracle in between. HIPAAComplianceRegistry is where every access attempt lands - it stores the bitmask of which HIPAA safeguards passed and a keccak256 hash of the CRE report, making the audit trail tamper-evident. On top of that we wired an ACE PolicyEngine that chains 4 composable policy contracts, one per HIPAA regulation.

The CRE layer consists of nine TypeScript workflows. The most involved is consultation-processing: it takes a doctor's transcript, sends it to Nillion nilAI via ConfidentialHTTP (so the API key never leaves the enclave), gets back SOAP notes and a secp256k1 proof of inference, uploads to IPFS using consensusIdenticalAggregation so no single node can tamper with the result, then writes the proof hash on-chain. payment-mint does the same for Stripe - it calls the Stripe API from inside the TEE to verify a payment actually happened, then mints KosynUSD. The amount comes from Stripe's response, not from the user's request body.

On the frontend we used Next.js 16 with Thirdweb Connect for auth - patients get an in-app smart account wallet (email/Google/passkey, gas sponsored), doctors connect MetaMask. AssemblyAI handles live speech transcription during consultations. The client-side encryption uses WebAuthn PRF - Face ID or Touch ID acts as a key derivation oracle rather than a stored password. For the data marketplace, we use a separate ECDH scheme where the patient wraps their AES key against CRE's public key so only the TEE can ever unwrap it.

The data marketplace API follows the x402 standard. Hit /api/data/demographics with no header and you get a 402 with a JSON payload describing what to pay, to which contract, in which token, on which chain. Approve KUSD, call submitQuery() on the DataMarketplace contract, send the tx hash back as x-payment - the API checks the receipt on-chain and serves the data. We also ship a kosyn-x402-skill.md machine-readable skill file so any MCP-compatible AI agent can auto-discover and use the API without any human setup.
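The x402 gate described here and in the marketplace paragraph above, as an added example that is not Kosyn's API code: a pure function over the request headers and an on-chain receipt lookup. The 402 payload shape, the receipt shape (the KUSD amount is assumed to be already decoded from the transfer log), the minimum price and the replay check (one tx hash pays for exactly one query) are assumptions; the contract address is a placeholder.

```javascript
// Added example, not Kosyn's API: payment gate for a research endpoint.
const PAYMENT_REQUIREMENT = {
  chain: 'avalanche-fuji',
  chainId: 43113,
  token: 'KUSD',
  contract: '0x<DataMarketplace address>',   // placeholder
  minAmount: 1_000_000_000_000_000_000n,      // 1 KUSD, assuming 18 decimals
  method: 'submitQuery()',
  header: 'x-payment',
};

function paymentRequired(reason) {
  const pay = { ...PAYMENT_REQUIREMENT, minAmount: PAYMENT_REQUIREMENT.minAmount.toString() };
  return { status: 402, body: { error: reason, pay } };
}

// The checks the page lists (tx succeeded, recipient correct, amount sufficient)
// plus a replay check, in the order a server should apply them.
function verifyReceipt(receipt, usedTxHashes, txHash) {
  if (!/^0x[0-9a-f]{64}$/i.test(txHash)) return 'malformed tx hash';
  if (usedTxHashes.has(txHash.toLowerCase())) return 'tx hash already used';
  if (receipt === undefined) return 'tx not found';
  if (receipt.status !== 1) return 'tx failed';
  if (receipt.to.toLowerCase() !== PAYMENT_REQUIREMENT.contract.toLowerCase()) return 'wrong recipient';
  if (receipt.kusdAmount < PAYMENT_REQUIREMENT.minAmount) return 'insufficient amount';
  return null;
}

function handleDataRequest(headers, receiptLookup, usedTxHashes, serveData) {
  const txHash = headers[PAYMENT_REQUIREMENT.header];
  if (txHash === undefined) return paymentRequired('payment required');
  const problem = verifyReceipt(receiptLookup(txHash), usedTxHashes, txHash);
  if (problem !== null) return paymentRequired(problem);
  usedTxHashes.add(txHash.toLowerCase()); // consume the payment before serving
  return { status: 200, body: serveData() };
}

// Constructed receipts standing in for an RPC getTransactionReceipt lookup.
const GOOD = '0x' + 'a'.repeat(64);
const FAILED = '0x' + 'b'.repeat(64);
const WRONG_TO = '0x' + 'c'.repeat(64);
const SHORT = '0x' + 'd'.repeat(64);
const receipts = new Map([
  [GOOD,     { status: 1, to: PAYMENT_REQUIREMENT.contract, kusdAmount: 1_000_000_000_000_000_000n }],
  [FAILED,   { status: 0, to: PAYMENT_REQUIREMENT.contract, kusdAmount: 1_000_000_000_000_000_000n }],
  [WRONG_TO, { status: 1, to: '0x<some other contract>',    kusdAmount: 1_000_000_000_000_000_000n }],
  [SHORT,    { status: 1, to: PAYMENT_REQUIREMENT.contract, kusdAmount: 500_000_000_000_000_000n }],
]);

function runSamples() {
  const used = new Set();
  const lookup = (hash) => receipts.get(hash.toLowerCase());
  const serve = () => ({ rows: 1240, ageBands: { '30-39': 410, '40-49': 830 } }); // constructed aggregate
  const run = (headers) => handleDataRequest(headers, lookup, used, serve);
  return {
    noHeader: run({}),
    good: run({ 'x-payment': GOOD }),
    replay: run({ 'x-payment': GOOD }),      // same hash a second time
    failed: run({ 'x-payment': FAILED }),
    wrongRecipient: run({ 'x-payment': WRONG_TO }),
    insufficient: run({ 'x-payment': SHORT }),
    malformed: run({ 'x-payment': 'not-a-hash' }),
  };
}
```

Marking the hash as used before the data is served is the detail that turns "tx hash as payment header" into a one-query, one-payment scheme; without it a single receipt would buy unlimited queries.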

Created by

  • Gabriel Antony Xaviour