Healthcare AI Coordination Playbook
Coordination practices for AI agent teams managing healthcare organizations -- patient scheduling, HIPAA compliance, provider coordination, revenue cycle, referral management, and telehealth. Built for the unique regulatory, safety, and care continuity demands of medical practices.
Compliance
Audit Trail on Every Patient Data Access
Every time an agent reads, writes, or modifies patient data, it logs: which agent, which patient (by ID), what data, timestamp, and purpose. The compliance agent can reconstruct a full access history for any patient record on demand. This is not optional security hygiene. It is a HIPAA requirement under the Security Rule.
What goes wrong without this
A patient requests their access log (their right under HIPAA). The organization cannot produce one because agent access was never logged. The compliance investigation reveals that 6 agents accessed the record with no audit trail. The organization faces a corrective action plan and potential fines.
Consent Status as Pre-Check for Every Outreach
Before any agent sends a communication to a patient (appointment reminder, billing notice, telehealth link), it must check the consent registry: Has the patient consented to this communication channel? Is their consent current? Did they opt out of certain message types? The consent agent maintains the registry. Every outreach agent reads it before sending.
What goes wrong without this
The reminder agent texts a patient about their upcoming appointment. The patient opted out of text messages 6 months ago. They file a complaint. The practice now has an OCR investigation and a potential TCPA violation stacked on top of the HIPAA issue.
Minimum Necessary Data Principle in Agent Queries
Every agent query against the EHR must request only the data fields it needs for its specific task. The billing agent queries diagnosis codes and procedure codes. It never receives clinical notes. The scheduling agent queries appointment times and provider IDs. It never receives lab results. Data access scopes are defined per agent role and enforced at the API layer.
What goes wrong without this
The scheduling agent has read access to the full patient chart because "it was easier to set up that way." A vulnerability in the scheduling agent now exposes complete medical records, not just appointment data. The breach scope is 100x larger than it needed to be.
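One way to enforce per-role field scopes at the API layer while also writing the audit entry described under "Audit Trail on Every Patient Data Access". This is an added example, not code from the playbook. The role names, field names, `query_ehr`, `access_history` and the in-memory record are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Per-role field allowlists (assumed names; mirrors the billing/scheduling split above).
ROLE_SCOPES = {
    "billing": frozenset({"diagnosis_codes", "procedure_codes"}),
    "scheduling": frozenset({"appointment_time", "provider_id"}),
}

# Constructed sample record standing in for the EHR backend.
_EHR = {
    "4821": {
        "diagnosis_codes": ["I25.10"],
        "procedure_codes": ["99214"],
        "appointment_time": "2024-05-02T09:30",
        "provider_id": "P-17",
        "clinical_notes": "constructed note text",
        "lab_results": {"ldl": 131},
    }
}

AUDIT_LOG = []  # stand-in for an append-only audit store


class ScopeError(PermissionError):
    """Raised when an agent requests fields outside its role scope."""


def query_ehr(agent_id, role, patient_id, fields, purpose):
    """Return only the requested, in-scope fields; log every attempt."""
    allowed = ROLE_SCOPES.get(role, frozenset())  # unknown role gets no fields
    requested = set(fields)
    denied = sorted(requested - allowed)
    ok = bool(requested) and not denied  # an empty list is not "select all"
    # The entry is written before any data is returned, for denials too.
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent_id, "role": role, "patient_id": patient_id,
        "fields": sorted(requested), "purpose": purpose,
        "decision": "allow" if ok else "deny",
    })
    if not ok:
        raise ScopeError(f"{role!r} denied fields: {denied or 'none requested'}")
    record = _EHR[patient_id]
    # Project the record so out-of-scope columns never leave the API layer.
    return {f: record[f] for f in requested}


def access_history(patient_id):
    """Reconstruct the access history for one patient record."""
    return [e for e in AUDIT_LOG if e["patient_id"] == patient_id]
```

Denied requests are logged with the fields that were asked for, so the compliance agent sees over-broad queries as well as successful reads.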
PHI Isolation in Agent Communication
No agent-to-agent message may contain Protected Health Information (PHI) in plain text. The scheduling agent tells the billing agent "Patient #4821 appointment completed" -- never "John Smith's cardiac follow-up completed." Every shared state file uses patient IDs, not names. PHI resolution happens only at the point of human display, never in inter-agent data flows.
What goes wrong without this
The scheduling agent writes "Jane Doe missed her psychiatry appointment" to a shared state file that the front desk agent reads. That file is now PHI. If it is logged, cached, or leaked, you have a HIPAA breach. The fine starts at $100 per record and scales to $1.5M per violation category.