Clinical workflow agents that meet HIPAA requirements and stay running.

Your patient scheduling agent reduces no-shows by 30%. It handles rescheduling, sends reminders, and triages urgent requests. Your clinical team loves it. Your compliance team won't sign off. Hatch bridges that gap.

The problem.

EHR APIs are not reliable. When your scheduling agent calls Epic's FHIR endpoint to confirm a slot and gets a 503, the standard retry sends the same POST twice. Epic's /Appointment endpoint is not idempotent by default — the patient gets booked twice, receives two confirmation SMS messages, and your ops team spends 20 minutes untangling it. Multiply that by open enrollment volume — 10,000 patients in a week — and you have a dedicated ops queue just for scheduling de-duplication.

Clinical triage agents have a harder failure mode. The agent reads a patient message, classifies urgency as 'non-urgent,' and routes it to a 48-hour callback queue. If the classification was wrong and the patient deteriorates, your liability exposure depends entirely on whether you can prove what the agent read, what features it extracted, what model version ran, and why it scored the case as non-urgent. A CloudWatch log with 'routed to queue: standard' does not satisfy that standard.

PHI handling in agent workflows creates a specific infrastructure problem that HIPAA's technical safeguards section (45 CFR §164.312) forces you to solve before production: every system that touches PHI must have access controls, audit controls, integrity controls, and transmission security. Your agent's context window contains PHI for the duration of each workflow. If the process crashes and the context is serialized to a message queue or a Redis key without encryption at rest, you have a reportable breach vector — not a theoretical one.

What Hatch handles.

Hatch makes all EHR writes idempotent by keying each step to a workflow ID and a step index. The Epic FHIR POST at step 3 carries a client-request-id derived from the workflow ID. If the agent retries step 3 after a timeout, Epic returns the existing appointment rather than creating a new one. The patient receives exactly one confirmation. The idempotency key is stored in the WAL so it persists across process restarts.

Agent context containing PHI is encrypted at rest using AES-256 before serialization to the workflow state store. In-transit communication between agent steps uses mTLS. Access to workflow state is gated by IAM role — your agent's service account gets read/write; your compliance team's role gets read-only. Every access to a workflow record containing PHI is logged with the principal, timestamp, and fields accessed.

Immutable audit logs record every agent action at the step level: the input received, the classification applied, the model version and inference ID, the routing decision, and the timestamp. Logs are written to an append-only store (S3 with Object Lock or equivalent) with a retention policy you configure. When a patient's case is reviewed six months later, you pull the full execution trace by patient ID in under a second.

Human approval gates pause the workflow at a configured step — before sending a clinical recommendation, before routing to a high-acuity queue — and wait for a nurse or care coordinator to act on a task in your existing care management system via webhook. The approval is logged with the approver's ID. If no approval arrives within the configured SLA, the workflow escalates to the next tier. The agent never silently times out.
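
The idempotent-write pattern described above (a request id keyed to workflow ID and step index, persisted in a write-ahead log) can be sketched as follows. This is an added example, not Hatch's code. The HMAC derivation, the JSON-lines WAL, `FakeEHR` and every other name and value in it are assumptions constructed for illustration.

```python
import contextlib, hashlib, hmac, json, os, tempfile

KEY = b"constructed-demo-key"  # assumption: a per-deployment secret, e.g. from a KMS

def request_id(workflow_id, step):
    # Deterministic per (workflow, step); the HMAC keeps raw IDs out of headers and logs.
    return hmac.new(KEY, f"{workflow_id}:{step}".encode(), hashlib.sha256).hexdigest()[:32]

class FakeEHR:  # constructed stand-in for an EHR that de-duplicates on a client request id
    def __init__(self, fail_first=0):
        self.by_request, self.fail = {}, fail_first
    def book(self, rid, slot):
        appt = self.by_request.setdefault(rid, {"id": f"appt-{len(self.by_request) + 1}", "slot": slot})
        if self.fail > 0:  # the write committed, but the response was lost
            self.fail -= 1
            raise TimeoutError("503 after commit")
        return appt

def wal_append(path, rec):
    with open(path, "a") as f:  # append-only, fsynced so the record survives a crash
        f.write(json.dumps(rec) + "\n")
        f.flush()
        os.fsync(f.fileno())

def wal_read(path):
    with open(path, "a+") as f:  # a+ creates the file if it does not exist yet
        f.seek(0)
        return [json.loads(line) for line in f]

def run_step(path, ehr, wf, step, slot):
    recs = [r for r in wal_read(path) if (r["wf"], r["step"]) == (wf, step)]
    done = [r for r in recs if r["state"] == "done"]
    if done:
        return done[-1]["appt"]  # step already finished: no EHR call at all
    # Reuse the logged key so a retry sends the same id even if KEY has rotated.
    rid = recs[0]["rid"] if recs else request_id(wf, step)
    if not recs:
        wal_append(path, {"wf": wf, "step": step, "rid": rid, "state": "intent"})
    appt = ehr.book(rid, slot)  # may raise; the caller retries
    wal_append(path, {"wf": wf, "step": step, "rid": rid, "state": "done", "appt": appt["id"]})
    return appt["id"]

def demo():
    path = os.path.join(tempfile.mkdtemp(), "wal.jsonl")
    ehr, args = FakeEHR(fail_first=1), ("wf-001", 3, "2025-01-06T09:00")
    with contextlib.suppress(TimeoutError):  # first attempt: response lost
        run_step(path, ehr, *args)
    # Both calls below re-read the WAL from disk, as a restarted process would.
    return run_step(path, ehr, *args), run_step(path, ehr, *args), len(ehr.by_request)
```

The intent record is written before the EHR call, so a crash between the call and the `done` record still leaves the key on disk for the retry to reuse.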

Agents that run on Hatch.

Patient scheduler

Receives scheduling requests from an inbound webhook, calls Epic FHIR to check availability, books the slot with an idempotent client-request-id, sends a single confirmation via your SMS gateway, and handles rescheduling requests by canceling the existing appointment before booking a new one — so the EHR never shows duplicate bookings regardless of retry behavior.

10,000+ patients/day with zero duplicate messages

Clinical triage agent

Reads patient messages from a HIPAA-compliant SQS queue, extracts structured urgency signals using a fine-tuned classification model, routes to one of four care pathways, and writes a structured triage record with full reasoning to your clinical data warehouse. Every routing decision is retained for 7 years and queryable by patient ID, model version, or triage outcome.

Continuous triage across multiple care pathways

Documentation agent

Pulls clinical notes from the EHR after each encounter, runs NLP extraction for diagnoses, medications, and care plan items, writes structured data back to the FHIR record, and generates a care summary for the next provider. Each extraction step is logged with the source note ID and the extracted fields so any downstream error can be traced to its source.

500+ clinical documents/day across specialties

The 2-week PoC.

Take one patient communication flow — appointment reminders with rescheduling. Deploy it as a Hatch agent. In two weeks, it runs across real patient volume with idempotent EHR writes, PHI-encrypted state, and an immutable HIPAA-compliant audit log of every agent action.

10,000 patients/day processed with zero duplicate bookings or messages under simulated EHR API retry conditions
PHI-at-rest encryption verified via independent audit of workflow state store — AES-256, key rotation configured
Full step-level audit log queryable by patient ID and workflow version with sub-second retrieval
Automatic recovery from Epic FHIR 503s with idempotent retry — no manual de-duplication queue needed

Why now.

OCR enforcement of the HIPAA Security Rule has increased audit volume since 2023. The new HTI-1 rule (ONC, effective 2024) adds information blocking and algorithmic transparency requirements that apply to certified health IT using AI for clinical decision support. If your triage agent is making routing decisions that affect care access, it qualifies. Logging that satisfies HTI-1 transparency requirements is not optional — it's a condition of certification.

Have an agent stuck in staging?

Tell us what it does and where it's stuck. We'll scope a 2-week PoC and show you what production looks like.
