HIPAA AI Clinical Decision Support System
A Mid-Atlantic regional healthcare system operating 12 hospitals and 45+ outpatient clinics needed an AI-powered clinical decision support tool that made it structurally impossible for protected health information to reach the foundation model — while saving clinicians 78 minutes per day.
About the Customer
A Mid-Atlantic regional healthcare system serving over 1.5 million patients annually with 2,000+ clinicians across 12 hospitals and 45+ outpatient clinics. The organization runs an AWS-first cloud strategy with a HIPAA Business Associate Agreement in place.
Customer Challenge
Clinicians spent an average of 96 minutes per day on manual clinical data lookups — querying EHR systems, cross-referencing lab results, and synthesizing patient timelines. At $150/hour, this represented $4,800/month per clinician and over $115 million annually across the system.
The customer wanted an AI assistant to accelerate clinical queries, but faced a fundamental conflict: foundation models need clinical context (patient names, diagnoses, medication histories) to provide useful answers, yet HIPAA’s “minimum necessary” standard prohibits sending PHI to shared inference endpoints. Previous policy-based approaches were rejected by the HIPAA Privacy Officer.
The organization needed a solution where it is structurally impossible for PHI to reach the foundation model — not just policy-controlled, but architecturally enforced.
Partner Solution
EFS Networks designed a dual-zone architecture using the AWS Strands Agents SDK on Amazon AgentCore Runtime with Amazon Bedrock (Claude 3.5 Sonnet for complex reasoning, Claude 3 Haiku for simple lookups).
The architecture separates the system into an AI Zone (agent + Bedrock) and a PHI Zone (Lambda + DynamoDB + S3), with IAM policies that structurally prevent the agent from accessing PHI storage.
Pipeline
- Amazon Comprehend Medical extracts 18 HIPAA-relevant PHI entity types from clinical text
- Deterministic tokenization replaces PHI with synthetic tokens (e.g., [NAME_001]), with the mappings stored in DynamoDB within the PHI Zone
- Amazon Bedrock Guardrails PII filter in BLOCK mode on input and output provides defense-in-depth
- The agent reasons over tokenized (PHI-free) text using Bedrock
- Reconciliation maps tokens back to real patient data within the PHI Zone
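
A minimal sketch of the tokenize and reconcile steps listed above, added here as an illustration and not EFS Networks' implementation. The `TokenVault` class, its in-memory dictionaries standing in for the PHI Zone DynamoDB table, the entity-type labels, and the sample note with its spans are all assumptions; in the pipeline described here the spans would come from Comprehend Medical.

```python
import re

TOKEN_RE = re.compile(r"\[[A-Z_]+_\d{3,}\]")

class TokenVault:
    """Hypothetical in-memory stand-in for the PHI Zone mapping table."""
    def __init__(self):
        self._by_value = {}  # (type, normalized value) -> token
        self._by_token = {}  # token -> original value
        self._counters = {}  # type -> last index issued

    def token_for(self, etype, value):
        key = (etype, " ".join(value.lower().split()))
        if key not in self._by_value:  # same value always maps to the same token
            n = self._counters[etype] = self._counters.get(etype, 0) + 1
            token = f"[{etype}_{n:03d}]"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def lookup(self, token):
        return self._by_token.get(token)

def tokenize(text, entities, vault):
    """Replace (start, end, type) spans with tokens; fail closed on overlap."""
    pieces, cursor = [], 0
    for start, end, etype in sorted(entities):
        if start < cursor:
            raise ValueError("overlapping entity spans; refusing to emit text")
        pieces += [text[cursor:start], vault.token_for(etype, text[start:end])]
        cursor = end
    return "".join(pieces) + text[cursor:]

def reconcile(model_output, vault):
    """Restore real values; tokens the vault never issued stay untouched."""
    return TOKEN_RE.sub(lambda m: vault.lookup(m.group(0)) or m.group(0), model_output)

# Constructed sample note and entity spans (not real patient data).
NOTE = "John Smith (MRN 4471902) seen 03/14/2024. John Smith reports chest pain."
ENTITIES = [(0, 10, "NAME"), (16, 23, "ID"), (30, 40, "DATE"), (42, 52, "NAME")]

if __name__ == "__main__":
    vault = TokenVault()
    safe = tokenize(NOTE, ENTITIES, vault)
    print(safe)  # this PHI-free string is what would be sent to the model
    print(reconcile("Summary for [NAME_001], seen [DATE_001].", vault))
```

Only `tokenize` output crosses into the AI Zone; the vault and `reconcile` stay on the PHI side, which is why a token the vault never issued is passed through unchanged instead of being guessed at.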
The agent autonomously selects tools, plans anonymization strategy, and routes queries between Sonnet and Haiku based on complexity — reducing inference costs by 19–31% with no clinical accuracy degradation for simple queries.
All resources are deployed via AWS CDK (Python), with CDK Nag for automated security validation.
Results and Benefits
| Metric | Result |
|---|---|
| PHI Exposure Incidents | Zero — verified via CloudTrail audit |
| Response Time (p95) | 3.2 seconds against 5-second target |
| System Availability | 99.97% (one planned 20-min maintenance window in first quarter) |
| Anonymization Accuracy | 99.94% — Guardrails caught all 6 entities Comprehend Medical missed |
| Clinician Adoption (Month 3) | 73% (ahead of 80% six-month target); 89% in emergency medicine |
| Time Saved per Clinician/Day | 78 minutes (manual lookup reduced from 96 to 18 minutes) |
| Annualized Productivity Gain | $5.7 million (run rate at month 3) |
| Monthly Operating Cost | ~$2,900 |
AWS Services Used
Amazon Bedrock (Claude 3.5 Sonnet / Haiku), Bedrock Guardrails, Amazon AgentCore, AWS Strands Agents SDK, Amazon Comprehend Medical, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Cognito, AWS KMS, Amazon CloudWatch, AWS CloudTrail, Amazon VPC. Infrastructure via AWS CDK (Python).
About EFS Networks
AWS Advanced Tier Services Partner (Top 1%) • Founded 2005 • Philadelphia, PA • ~50 employees • 10+ years AWS experience • AWS Well-Architected Partner • Lambda Delivery Partner • Serverless Delivery Partner
Architecture Overview