No PHI ever lands in Beacon's database
Patient-identifying columns are stripped from every report BEFORE parsing. Beacon stores only aggregates — appointment counts, production totals, KPI roll-ups. There is no row in our database that ties a number back to a specific patient.
- Names, dates of birth, SSNs, chart numbers, contact info, addresses, insurance IDs, guardian/guarantor names — all stripped at the sanitizer layer (packages/adapters/sanitizer.ts).
- What survives sanitation: aggregated counts, financial totals, KPI values, status codes, ADA procedure codes — none of which identify a patient.
- The audit pass after every upload verifies no per-patient row was retained. Failure halts the upload.