HIPAA is the floor, not the ceiling
BAAs, PHI handling, audit logging, role-based access, and de-identification shape the architecture from day one. State rules (CCPA, HITECH, 42 CFR Part 2) layer on top.
Patient data lives in EHRs, scanned PDFs, faxes, lab portals, and clinician notes. We build the intake, documentation, and triage workflows that read across all of it — under HIPAA, with audit trails, and with the people who already use the systems.
The promise of AI in clinical settings is real. The path to it is narrower than in most industries — and the failure modes are louder. Here's the terrain.
BAAs, PHI handling, audit logging, role-based access, and de-identification shape the architecture from day one. State rules (CCPA, HITECH, 42 CFR Part 2) layer on top.
Discharge summaries, lab PDFs, imaging reports, faxes, and free-text notes carry the signal. HL7/FHIR helps where it exists; the rest is parsing prose, scans, and inconsistent forms.
If AI adds steps, it dies on the floor. Anything we ship slots into the existing EHR workflow, saves time on day one, and stays auditable when something looks off.
Integrations span FHIR APIs, HL7 v2 feeds, SFTP, Direct messaging, and legacy desktop tools. We design around what you actually have, not the vendor brochure.
Pulled from real conversations with COOs, CMIOs, and ops leaders at provider groups, payers, and digital-health companies.
Patient context is split across the EHR, imaging system, scanned referrals, secure email, and a stack of PDFs. Care teams burn hours stitching it together for every encounter.
Notes, prior auth, coding, and chart prep are the largest unbilled hours in the building. Burnout follows — and generic dictation tools haven't moved the needle.
New-patient intake, referral routing, and triage still run through staff manually reading inbound faxes, forms, and emails. Volume is up and headcount isn't.
Promising AI pilots stall in legal, security, and IT review for six months. By the time approval comes, the team that championed it has moved on.
Each engagement is shaped by your data, your EHR, and your compliance posture. These are the most common entry points for healthcare clients.
Map the highest-value AI opportunities across your clinical, ops, and revenue-cycle workflows — with HIPAA and integration realities priced in.
Explore the audit →Automate intake, prior-auth packaging, referral routing, fax parsing, and chart prep — the unglamorous work that drains the most hours.
See automation →Patient-support agents, clinical-documentation assistants, and triage routers that observe, plan, and act with auditable handoffs to humans.
See agents →For digital-health builders shipping a real product — from kiosk-first telehealth to clinical document-intelligence platforms.
See product build →Three weeks to a working prototype your clinicians can react to — de-risk a use case before security review owns the next quarter.
See the sprint →Healthcare engagements almost always start with diagnosis, not building. Most provider and payer clients follow this path.
Map the highest-value AI opportunities across clinical, ops, and revenue-cycle workflows — with HIPAA and integration realities priced in.
A working prototype your clinicians can react to — de-risk the use case before security review owns the next quarter.
Ship the intake, documentation, or triage workflow into production — with audit trails and auditable human handoffs.
Measure adoption, expand to new workflows, and compound the wins across the organization.
Two examples of what "compliant, clinical, and actually shippable" looks like in practice.

We built the kiosk software, eCommerce flow, and telemedicine handoff that turned a clinical concept into live retail vision exams — two units live in Boston malls, eight more rolling out across New England.
Read the case →
A long-running partnership building and scaling the platform clinicians use to discuss cases, share evidence, and join research — with PHI-adjacent content moderation and identity verification baked in.
Read the case →Clinical AI and healthcare products we've built and shipped.
Healthcare buyers don't read marketing — they read SOC reports, BAAs, and architecture diagrams. We come prepared.
BAAs in place with the cloud and AI infrastructure we use. PHI is segmented, encrypted at rest and in transit, with role-based access and full audit trails on every read and write.
Data flows designed around the minimum-necessary standard. De-identified pipelines for training and analytics; PHI stays in your environment whenever the use case allows.
SSO, MFA, secrets management, change control, and signed BAAs with every subprocessor. Integration patterns reviewed by your IT and InfoSec before code ships.
BAAs, hallucination, EHR integration, security-review timelines, non-PHI pilots, and who owns the IP.
Yes. We sign Business Associate Agreements on any engagement that touches PHI, carry BAAs with the cloud and AI infrastructure we deploy on, and maintain a subprocessor list we can share with your security team during diligence.
No model is perfect. The mitigation isn't a better model — it's an architecture that constrains it to retrieve, summarize, and cite source documents rather than generate from memory, plus a human-in-the-loop step on anything that affects care. We design for "show your work" by default in clinical contexts.
We've worked with FHIR APIs (Epic, Cerner, athenahealth), HL7 v2 feeds, Direct messaging, and the SFTP-and-PDF reality of smaller systems. The right pattern depends on your read/write needs, your EHR vendor's API maturity, and what your IT team will actually approve.
Faster than you'd expect — because we come pre-packaged for it. Architecture diagrams, data-flow maps, BAAs, and our subprocessor list are ready on day one. Most provider security reviews close in 4–8 weeks; payer reviews take longer.
Often the right move. We'll scope a first phase against synthetic or de-identified data so you can validate the approach before legal review owns the timeline. Once the pattern works, we move into the PHI environment with the full compliance scaffold in place.
You do. All code, prompts, fine-tunes, embeddings, and trained artifacts are yours by default. We retain no rights to your data, your derivatives, or anything we build for you under the engagement.
Field notes from the studio — what we’re learning about AI products, agent UX, and the messy reality of shipping software in 2026.