Agrus
Healthcare: HIPAA · HITECH · PIPEDA

AI for healthcare, deployed inside your perimeter.

We build HIPAA-bound AI agents for hospitals, health systems, healthcare SaaS, payers, and clinical-research organizations. Default deployment is self-hosted — VPC, dedicated cloud, or on-prem — with a compliance map your CISO signs before any code is written.

The pattern we see

Your last AI pilot died at the compliance gate.

A clinical leader gets excited. A team builds a prototype against a public AI API. Finance approves a department-scale contract. Then security and compliance get looped in — and the project freezes for six months while the controls catch up to the workflow.

We start at the compliance gate. The map exists before the build. Every data flow, every model call, every audit log destination is documented in a one-page architectural map your CISO signs. Then we build, fast, because the contested questions have been answered.

Use cases we ship

Where healthcare AI agents actually work in 2026.

01

Clinical decision support agents

RAG over clinical guidelines, formulary data, and institution-specific protocols. Cited, auditable answers a clinician can defend. Always advisory, never autonomous.

02

Patient triage and intake

Symptom intake, urgency classification, routing to the right care setting. Multilingual where required. Strict HIPAA-aware logging and escalation paths.

03

EHR copilots

Note drafting, problem-list maintenance, ICD/CPT coding suggestions, longitudinal patient summaries. Embedded into Epic, Cerner, Athena, or custom EHRs.

04

Prior-authorization automation

Generative drafting of PA requests, cross-checking payer policies, escalating ambiguity to humans. Reduces clinician documentation burden directly.

05

Claims and revenue-cycle agents

Denials triage, appeal drafting, payer-specific rule matching. Same compliance posture as clinical workflows; different domain knowledge.

Compliance pins

The regulatory map for healthcare AI.

We routinely map healthcare AI deployments against:

  • HIPAA Privacy, Security, and Breach Notification Rules — the foundation. BAAs for every AI sub-processor.
  • HITECH — especially the breach notification and audit-control extensions.
  • Canadian PIPEDA + provincial health information acts (PHIPA, PHIA, HIA).
  • 21 CFR Part 11 when the workflow touches clinical-trial data or regulated electronic records.
  • State medical board guidance on AI in clinical decision-making (this is moving fast in 2026).
  • FDA SaMD framework when the AI directly informs diagnosis or treatment selection.

Full compliance hub: /ai-compliance/.

Reference architecture

How a HIPAA-bound clinical agent gets built.

A typical clinical-agent deployment lives entirely inside the customer's VPC or dedicated cloud tenancy. An open-weights model (Llama 3.3 70B or Qwen 2.5 72B) handles routine retrieval-augmented queries. A frontier model in a dedicated tenancy (Claude on AWS Bedrock or GPT on Azure) handles the long tail where reasoning matters — same compliance posture, same audit trail.

Retrieval runs over your clinical guidelines, institution-specific protocols, and the patient's longitudinal record (where minimum-necessary permits). Every model call carries an audit record; PHI scrubbing happens on the way in and the way out; outputs feed directly into your existing SIEM.

Full deployment pattern walk-through: Private LLM Deployment Guide.
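The two controls the paragraph above relies on, PHI scrubbing on the way in and out of the model and an audit record for every model call, are simple to show as a wrapper around the call. The following is an added illustration and is not code from this page or from the firm's own platform. It assumes a hypothetical `model_fn` callable standing in for the open-weights or frontier endpoint, an in-memory list standing in for the SIEM-bound audit sink, and a handful of illustrative regexes for PHI-like tokens; a real deployment would replace those regexes with a vetted de-identification service, since the point here is where the hooks sit, not the completeness of the patterns.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Illustrative PHI-like patterns (assumption: a production deployment would use
# a vetted de-identification service; these only demonstrate the hook points).
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "MRN": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


def scrub_phi(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace each PHI-like match with a typed placeholder.

    Returns the scrubbed text and a count of redactions per category, so the
    audit record can say *what kind* of PHI was seen without storing it.
    """
    counts: Dict[str, int] = {}
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def guarded_model_call(
    user_id: str,
    prompt: str,
    model_fn: Callable[[str], str],
    audit_sink: List[str],
    model_id: str = "local-open-weights",  # hypothetical model identifier
) -> Tuple[str, dict]:
    """Scrub on the way in, scrub on the way out, and emit one audit record.

    The audit record carries hashes of the scrubbed prompt and output, never
    their contents, so the SIEM copy of the record cannot itself leak PHI.
    """
    clean_prompt, in_counts = scrub_phi(prompt)
    raw_output = model_fn(clean_prompt)
    clean_output, out_counts = scrub_phi(raw_output)

    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user_id": user_id,
        "model_id": model_id,
        "prompt_sha256": hashlib.sha256(clean_prompt.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(clean_output.encode()).hexdigest(),
        "redactions_in": in_counts,
        "redactions_out": out_counts,
    }
    # One JSON line per call; in a real deployment this is the SIEM forwarder.
    audit_sink.append(json.dumps(record, sort_keys=True))
    return clean_output, record


# Constructed sample input; all identifiers below are fabricated.
SAMPLE_PROMPT = (
    "Patient MRN: 00123456, phone 555-123-4567, SSN 123-45-6789 "
    "reports chest pain."
)


def fake_model(prompt: str) -> str:
    """Stand-in for the LLM: echoes the prompt and adds an email-shaped token."""
    return "Summary: " + prompt + " Contact jdoe@example.org for follow-up."


def demo() -> Tuple[str, dict, List[str]]:
    """Run one guarded call and return output, record, and the audit sink."""
    sink: List[str] = []
    output, record = guarded_model_call("clinician-42", SAMPLE_PROMPT, fake_model, sink)
    return output, record, sink


if __name__ == "__main__":
    out, rec, audit = demo()
    print(out)
    print(audit[0])
```

The design choice worth noting is that the audit sink never sees the prompt or the output, only their hashes and the redaction counts by category; the hashes still let an investigator correlate a SIEM record with a retained, access-controlled copy of the transcript if one exists, while the counts give detection engineering a signal (for example, a user whose prompts suddenly carry many more identifiers than usual) without the record itself becoming PHI.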

Case study preview

A North-American healthcare SaaS deployed a HIPAA-bound clinical triage agent. Zero PHI touched a public AI vendor.

The platform required a clinical triage layer for a North-American user base with strict provincial-residency requirements. We deployed an open-weights LLM in a dedicated tenancy with the customer's audit log destination, integrated with their existing identity provider, and produced a HIPAA + provincial-act compliance map for their CISO. Anonymized at customer request.


Frequently asked questions

Is your healthcare AI HIPAA compliant?

HIPAA compliance is a deployment property, not a product feature. We design every healthcare AI deployment to clear the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. We sign BAAs. Every AI sub-processor (model vendor, vector database, observability tool) has its own BAA in place before any PHI flows. The compliance map is signed by your CISO before code is written.

Can we use Claude / GPT / Gemini with PHI?

Conditionally yes — but only through enterprise tenancy contracts with audited no-training, zero-retention, and BAA terms. Anthropic on AWS Bedrock, OpenAI on Azure, Google on Vertex AI all offer HIPAA-eligible configurations. Consumer endpoints (claude.ai, chatgpt.com) are never appropriate for PHI. We evaluate the actual contract terms before recommending; we don't take a vendor's compliance marketing at face value.

What about Canadian PIPEDA and provincial health acts?

Canadian healthcare adds PIPEDA, plus provincial regimes (PHIPA in Ontario, the Personal Health Information Act in Manitoba, similar acts elsewhere). For customers serving both US and Canadian patients, we produce a compliance map that satisfies both regimes simultaneously. Data residency in Canada often pushes the architecture to dedicated cloud or on-prem.

What's a realistic timeline for a HIPAA-cleared clinical agent?

A 2-3 week Discovery Sprint produces the prototype, the architecture document, and the signed compliance map. Production deployment typically takes 8-16 weeks after that, depending on the integration surface (Epic, Cerner, Athena, custom EHR) and the breadth of the audit evidence required for go-live.

Do you do BAA negotiations for us?

We bring the technical BAA terms; your legal counsel signs the document. We handle the upstream BAAs with our sub-processors. We've executed enough of these that we have template language and known-good vendor BAA flows, which speeds the legal review considerably.

Healthcare AI

Send us the workflow. We’ll send back a compliance map.

30-minute call with a healthcare-AI engineer and our compliance lead.