Mercy Ridge Health is a fictional regional health system — one of ten companies we built and ran, in full, through the live Bylaw system before any real client touched it. The company is fictional; the run was not: real documents, the real engine, every action hash-chained. If you run a health system, read this as a mirror.

Picture the organization. Mercy Ridge is a mid-sized regional health system: a few hospitals, a network of clinics, a billing operation, a vendor bench of labs and clearinghouses, and a small, senior compliance team that is very good and very tired. It has ten governing documents that matter — information security, access control, data retention and privacy, incident response, vendor management, an HR handbook, a code of conduct, finance controls, business continuity, and training. Each was written at a different time, by a different owner, for a different reason. On paper, Mercy Ridge looks governed.

What Mercy Ridge wants is simple and human: to take care of patients, to grow without drama, and to never be the organization that ends up in a press release. What stands in the way is a single question it cannot answer quickly — can you prove it? — asked by an OCR investigator, a hospital-system partner’s diligence team, a cyber-insurer, or an enterprise customer’s security desk. The policies exist. The proof that they operate does not, at least not in any form you can hand someone in an afternoon.

What a health system is actually being asked

Healthcare carries the heaviest evidentiary load of any industry we modeled, and it is getting heavier. The HIPAA Security Rule requires administrative, physical, and technical safeguards — and, critically, evidence that they operate, not just that they were written down. The Privacy Rule and the HITECH breach-notification clock turn a quiet misconfiguration into a reportable event on a deadline. The HHS Office for Civil Rights does not investigate intentions; it investigates documentation and evidence of operation. State law stacks on top: California’s CMIA, Texas’s and New York’s health-privacy regimes, each with its own retention and access expectations.

Then there is the law most health systems have not yet priced in: the EU AI Act. Its high-risk obligations apply on a fixed timetable, and the Act reaches healthcare from two directions: Annex III lists specific uses, such as triage and prioritisation of emergency calls, and Annex I makes AI that is a safety component of a regulated medical device high-risk as well. The moment Mercy Ridge turns on an AI scheduling optimizer, a triage assistant, an ambient-scribe tool, or a vendor’s AI-powered prior-authorization feature, or simply lets Copilot loose inside Microsoft 365 where PHI lives, it has to classify each use; anything in scope inherits logging-over-lifetime, human-oversight, and post-market-monitoring duties that are, at root, evidence duties. Add the 21st Century Cures Act information-blocking rules, and the pattern is unmistakable: every regulator now asks the same thing in a different dialect. Not “do you have a policy?” but “show me it ran.”

These are the stakes, stated plainly. Fail to prove it and the costs are not abstract: OCR settlements that run into seven figures, a breach-notification cycle that consumes a quarter, a partnership that quietly stalls in diligence, an insurer that declines a claim because controls could not be evidenced, an EU-facing product line that cannot launch. None of these is a technology failure. Each is a proof failure.

Where the cracks were

When we ran Mercy Ridge’s ten documents through the system, the first thing the engine did was the thing humans never quite finish: it read all of them at once and compared them to each other. It split the prose into atomic, tagged statements and looked for places where the organization had, in effect, promised two different things.

It found them. Mercy Ridge’s data-retention policy said patient billing records are retained for seven years; its finance-controls document said five. Its retention policy set financial transaction records at five years; finance controls said seven. A vendor’s certificate-of-destruction was to be kept five years per the vendor policy and three years per the retention policy. These are not typos — they are the ordinary sediment of documents written years apart by different owners, and they are exactly what an auditor finds and an organization cannot explain in the room. Across the set, the engine surfaced 107 items of orphan data — lines that could not be cleanly governed as written — and routed every genuine contradiction to a human for a ruling rather than guessing. Nothing was mapped across an unresolved conflict.
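As an added illustration written for this article (not Bylaw's engine, and not code from the original page), here is the shape of the check the paragraph describes: atomic statements tagged by document and subject, retention periods normalised to months, any subject with more than one value routed for a human ruling, and nothing mapped to a control until that ruling exists. The document names, section numbers and field layout are assumptions, and the statements are constructed to mirror the three conflicts above plus one line with no parsable period.

```python
"""Added example: finding contradictory retention rules across governing
documents. Illustrative code, not Bylaw's engine; every document name,
section and field below is an assumption and the statements are constructed."""
from collections import defaultdict
import re

# One atomic statement per row: which document said it, which record class it
# governs, and the retention period as written. Constructed sample data.
STATEMENTS = [
    {"doc": "data-retention", "section": "4.2", "subject": "patient billing records", "text": "retained for seven years"},
    {"doc": "finance-controls", "section": "7.1", "subject": "patient billing records", "text": "kept 5 years"},
    {"doc": "data-retention", "section": "4.5", "subject": "financial transaction records", "text": "retained for five years"},
    {"doc": "finance-controls", "section": "7.3", "subject": "financial transaction records", "text": "kept for 7 years"},
    {"doc": "vendor-management", "section": "3.9", "subject": "vendor certificate of destruction", "text": "kept 5 years"},
    {"doc": "data-retention", "section": "6.1", "subject": "vendor certificate of destruction", "text": "retained 36 months"},
    {"doc": "data-retention", "section": "4.1", "subject": "clinical records", "text": "retained for ten years"},
    {"doc": "incident-response", "section": "2.0", "subject": "incident tickets", "text": "reviewed quarterly"},  # no period: orphan
]

_WORDS = {"one": 1, "two": 2, "three": 3, "four": 4, "five": 5,
          "six": 6, "seven": 7, "eight": 8, "nine": 9, "ten": 10}
_PERIOD = re.compile(r"\b(\d+|[a-z]+)\s+(year|month)s?\b")


def parse_months(text):
    """Return the retention period in months, or None when the statement has no
    parsable period (such lines are 'orphan' data: not governable as written)."""
    m = _PERIOD.search(text.lower())
    if not m:
        return None
    n = m.group(1)
    n = int(n) if n.isdigit() else _WORDS.get(n)
    if n is None:
        return None
    return n * 12 if m.group(2) == "year" else n


def find_conflicts(statements):
    """Group statements by subject and normalise periods.
    Returns (conflicts, orphans): conflicts maps a subject to every
    (doc, section, months) row when the rows disagree, so a human can rule."""
    by_subject = defaultdict(list)
    orphans = []
    for s in statements:
        months = parse_months(s["text"])
        if months is None:
            orphans.append(s)
            continue
        by_subject[s["subject"]].append((s["doc"], s["section"], months))
    conflicts = {subj: rows for subj, rows in by_subject.items()
                 if len({months for _, _, months in rows}) > 1}
    return conflicts, orphans


def mappable(statements, rulings):
    """Subject -> months for everything that may become a control.
    rulings maps a conflicted subject to the document whose value wins.
    A conflicted subject with no ruling is held back: never map across an
    unresolved conflict."""
    conflicts, _ = find_conflicts(statements)
    mapping = {}
    for s in statements:
        months = parse_months(s["text"])
        if months is None:
            continue
        subj = s["subject"]
        if subj not in conflicts:
            mapping[subj] = months
        elif rulings.get(subj) == s["doc"]:
            mapping[subj] = months  # the ruled winner
    return mapping


if __name__ == "__main__":
    conflicts, orphans = find_conflicts(STATEMENTS)
    for subj, rows in conflicts.items():
        print("RULING NEEDED:", subj, rows)
    print("orphans:", [o["subject"] for o in orphans])
    print("mappable:", mappable(STATEMENTS, {"patient billing records": "data-retention"}))
```

The normalisation step matters more than it looks: "five years" and "36 months" only collide once both are in the same unit, and a comparison done on raw strings would miss the vendor-certificate conflict entirely.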

The live evidence index for Mercy Ridge Health, drawn from the running workspace.

How Bylaw stepped in

This is the part that should feel like someone competent arriving. We did not hand Mercy Ridge a dashboard and wish it luck. We ran the office. The ten documents were cleaned into atomic statements, fitted to a governed template, and mapped to 84 live controls — each one a plain sentence, one operator, one expected value, and the live signal it should read. The contradictions went to the Ruling Guide, where a person with authority decided which rule wins; of seventy-one issues raised, forty-six were ruled and recorded, the rest queued with an owner. Nothing reached the live record without three signatures — a department admin, a tenant admin, and Bylaw — bound to the exact accepted control set, so that editing anything afterward visibly voids the sign-off and reopens the gate.

The result was an Evidence Index of 86 across the organization: a single, color-coded map of every control, what it proves, and where the proof comes from. A compliance lead could click one control and follow its lineage in a straight line — document, section, control, signal, source, framework — without ever opening a spreadsheet. And throughout, Bylaw held no patient data. The record carries statuses, timestamps, and hashes. The PHI never moved.

The Explorer: every control as a tile, red to green, grouped by department, with straight-line lineage.

The difference is not that Mercy Ridge worked harder. It is that the organization finally knew its own rules and could prove they were followed — in an afternoon, not a quarter.

Testing tomorrow before it arrives

Most governance answers yesterday’s question. The part of the Mercy Ridge run that matters most for a growing health system is the part that answered tomorrow’s. In the Simulation Lab, we introduced rules that did not exist in Mercy Ridge’s world yet and watched what they would break — on a model, not on the business. We saved five territory packs — California, Texas, New York, the EU, and Canada — and ran them against the live controls. We ran a “combined-entity vs. EU expansion” shock test: what happens to this health system’s control set the day it has to answer the EU AI Act and GDPR at once. The ledger came back with each conflict, what it collided with, and a ripple count of the downstream controls affected — the early warning, surfaced while it is still cheap to fix.

Then we connected partners. Mercy Ridge issued evidence-scoped keys to two partner organizations — the kind of reference lab and billing processor every health system depends on — and ran partner-versus-organization simulations in which only evidence crossed: control sentences, verdicts, hashes. Never a document, never a name, never a patient record. When the test was done, the key was revoked and the partner lost access to evidence it never actually held. Across its sessions Mercy Ridge ran fourteen simulations in total and exercised a real M&A diligence scenario both ways.

A simulation ledger: an introduced rule cross-mapped against live controls, with conflicts and ripple counts.

Proven, not asserted

By the end, Mercy Ridge was proving roughly 88% of its controls — the strongest pass rate of the mature companies, and an honest one: the gaps that remained were named, owned, and queued, not hidden. Every action across the run — every clean, every ruling, every signature, every simulation, every report, every key issued — passed through a single audited door that recorded it first and chained each record to the one before it. By the final session the workspace held more than three hundred chained audit records, and the chain verified end to end.
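What "hash-chained" and "bound to the exact accepted control set" mean in practice, as an added example written for this article rather than Bylaw's implementation or specification (and serving both the three-signature gate described under "How Bylaw stepped in" and the chain verification above): each audit record carries the hash of the record before it, a verifier recomputes every hash and every back-link, and a sign-off binds a digest of the control set so that any later edit voids it. The record fields, the use of SHA-256, and HMAC standing in for the three signatures are assumptions; the sample records are constructed and carry only control ids, statuses and timestamps, never PHI.

```python
"""Added example: a hash-chained audit ledger and a sign-off bound to a
control set. Illustration for this article, not Bylaw's engine or spec.
Assumptions: record layout, SHA-256 over canonical JSON, HMAC as a stand-in
for the department-admin / tenant-admin / Bylaw signatures."""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # back-link of the first record


def canonical(obj):
    """Deterministic serialisation so every verifier hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_record(ledger, action, payload, ts):
    """Record first, then act: each record's hash covers its own body and the
    previous record's hash, so nothing can be inserted, removed or edited
    without breaking every hash after it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"seq": len(ledger), "ts": ts, "action": action, "payload": payload, "prev": prev}
    rec = dict(body, hash=hashlib.sha256(canonical(body)).hexdigest())
    ledger.append(rec)
    return rec


def verify_chain(ledger):
    """Recompute every hash and back-link. Returns (ok, first_bad_seq)."""
    prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if hashlib.sha256(canonical(body)).hexdigest() != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return True, None


def control_set_digest(controls):
    """Digest of the exact accepted control set; sorted so order is irrelevant."""
    return hashlib.sha256(canonical(sorted(controls, key=lambda c: c["id"]))).hexdigest()


def sign_off(controls, signer_keys):
    """Every signer binds the control-set digest, not the documents."""
    digest = control_set_digest(controls)
    sigs = {name: hmac.new(key, digest.encode(), "sha256").hexdigest()
            for name, key in signer_keys.items()}
    return {"digest": digest, "signatures": sigs}


def sign_off_valid(controls, signoff, signer_keys,
                   required=("department_admin", "tenant_admin", "bylaw")):
    """Void the moment the control set no longer matches the signed digest,
    or any required signature is missing or wrong."""
    if control_set_digest(controls) != signoff["digest"]:
        return False
    for name in required:
        sig = signoff["signatures"].get(name)
        if sig is None:
            return False
        expected = hmac.new(signer_keys[name], signoff["digest"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expected):
            return False
    return True


def demo():
    """Constructed walk-through: sign off, edit a control, tamper with a record."""
    controls = [  # plain sentence, one operator, one expected value, one signal (constructed)
        {"id": "AC-3", "sentence": "Privileged access to PHI systems is reviewed quarterly",
         "operator": "<=", "expected": "90d", "signal": "iam.last_access_review_age"},
        {"id": "RT-1", "sentence": "Patient billing records are retained seven years",
         "operator": "==", "expected": "84mo", "signal": "archive.billing_retention"},
    ]
    keys = {"department_admin": b"k1", "tenant_admin": b"k2", "bylaw": b"k3"}  # demo keys only
    ledger = []
    append_record(ledger, "clean", {"doc": "data-retention", "statements": 42}, "2025-01-06T09:00:00Z")
    append_record(ledger, "ruling", {"subject": "patient billing records", "winner": "data-retention"}, "2025-01-06T09:30:00Z")
    so = sign_off(controls, keys)
    append_record(ledger, "signoff", {"digest": so["digest"]}, "2025-01-06T10:00:00Z")
    valid_before = sign_off_valid(controls, so, keys)
    controls[1]["expected"] = "60mo"          # someone edits a control after sign-off
    valid_after = sign_off_valid(controls, so, keys)
    chain_ok_before, _ = verify_chain(ledger)
    ledger[1]["payload"]["winner"] = "finance-controls"   # tamper with a sealed record
    chain_ok_after, bad_seq = verify_chain(ledger)
    return valid_before, valid_after, chain_ok_before, chain_ok_after, bad_seq


if __name__ == "__main__":
    print(demo())  # expect the sign-off and the chain to fail after the edits
```

Two caveats a reviewer would raise. A hash chain is tamper-evident, not tamper-proof: whoever controls the writer can rebuild the whole chain, so the head hash has to be anchored somewhere the writer does not control (a signed, timestamped copy held by the auditor or a third party) before it proves anything to an outsider. And HMAC with shared keys only shows that a key holder signed; if the three parties are meant to be independent, each needs its own asymmetric key so one party cannot forge another's signature.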

We did not grade our own homework. Three independent audits re-checked the work from different angles — one rebuilt the hash chain from the specification and re-counted every record, one proved the system cannot bypass its own audit gate and recomputed every verdict against the sealed engine, and one recomputed every published statistic against the raw snapshots. The verdict across all three: no fabrication. What you have just read is what actually ran.

If this were your health system

Here is the honest part. If you run an organization like Mercy Ridge, you already have the policies. You already have good people. What you do not have is the office that keeps the proof — reads every document, reconciles the contradictions, wires the rules to the systems where they live, keeps the evidence current, and has the answer ready before OCR, a partner, an insurer, or the EU asks. Standing that office up in-house is a Chief Governance Officer, support staff, counsel, and systems — commonly half a million dollars a year. Embedded through Bylaw, it is a fraction of that, and it arrives already knowing your world.

Mercy Ridge is fictional so that we could show you the whole thing — the contradictions, the rulings, the simulations, the audit — without a real client’s name on it. The machinery is real and it is running. The next case study could be a system shaped like yours. The fastest way to find out where your own proof stands is a governance review.

What it looks like when the call comes

Run the scenario forward. An OCR data request arrives, or a health-system partner’s diligence team sends the security packet, or a cyber-insurer asks for evidence that access reviews actually happen. In the world before Bylaw, that email starts a quarter: someone opens a shared drive, hunts for the most recent screenshots, asks three departments for exports, and assembles a binder that represents a handful of moments across a year of operation. The auditor sees the gaps immediately, because point-in-time exhibits cannot answer a question about a period.

In the governed world, the same email is an afternoon. The compliance lead opens the record, filters to the control in question — privileged access to PHI systems, retention enforcement, incident-response readiness — and reads the lineage in a straight line: the document that set the rule, the control it became, the live signal it reads, the source system, the framework it answers, and the chained hash that shows the record has not been edited since it was written. They export exactly what was asked for, with the integrity hashes embedded, and nothing else. The patient data never enters the exchange. The answer is not assembled; it is pulled.

That is the whole difference, and it is why a health system that can prove itself moves faster on everything else, too — the partnership clears diligence, the insurer writes the policy, the EU-facing line launches, the enterprise customer’s security desk signs off. Proof stops being a cost center and starts being the thing that lets the organization grow without holding its breath.

We’re ready to step in.

Every figure in this study came from the live system, run against a company built to look like a real one. The fastest way to see where your own proof stands — strong, fragile, and missing — is a structured governance review. No data required; findings in weeks, and yours to keep whatever you decide.

Brandon Junkin, Founder, Bylaw Evidence

Brandon spent years alongside hundreds of mid-market companies at GoDaddy and watched the same story on repeat: good teams unable to prove the good work they did, governance buried under tools that demanded data and returned screenshots. He founded Bylaw Evidence to be the guide those teams were missing — someone who maps the rules, keeps the record, and has the answer ready when the auditor asks. BA in Philosophy of Law, Politics and Ethics, Arizona State University; ARM candidate.