
HIPAA-compliant AI automation for clinics paying $300–$1,000 per patient

Recall, intake, no-show recovery, and reactivation built on BAA-covered rails, Twilio, Paubox, Claude on AWS Bedrock, with PHI mapped at every hop.

HIPAA-compliant automation for private and specialty clinics: patient recall, intake, no-show recovery, and dormant-chart reactivation on BAA-covered infrastructure most agencies will not touch.

The agency excuse that costs clinics patients

Private clinics pay $300–$1,000 to acquire a single new patient, depending on specialty (MFG Wellness, December 2025), yet most practices spend only 2–4% of revenue on marketing against a 6–12% benchmark (Patient10x). The cause is specific: the moment a workflow touches protected health information, the standard agency stack (consumer email tools, cloud Zapier, an off-the-shelf chatbot) becomes a HIPAA liability. Most generalist agencies respond by refusing to sign a Business Associate Agreement and retreating to your homepage.

So the highest-value automations never get built. Recall lists sit in a front-desk spreadsheet, calls hit voicemail at 5:01pm, charts go dormant, while a patient you paid up to $1,000 to acquire books elsewhere.

75% of enterprises rolled back customer-facing AI agents by May 2026, with data exposure the leading cause at 31% (Sinch, n=2,500+). In most industries that is a bad headline; in a clinic it is an OCR-reportable breach. We documented why those rollbacks happen and build in the order that survives: compliance architecture first, workflows second.

Workflows we build for clinics

Six workflows, all administrative (scheduling, communications, intake). Nothing clinical.

Recall and recheck sequences. Overdue-recall extracts from athenahealth, Tebra, ModMed, Nextech, Jane, or WebPT feed multi-touch sequences on BAA-covered rails (Twilio for SMS, Paubox for email). Annual skin checks, diabetic eye exams, PT plan-of-care completions: appointments your schedule already owes you.

No-show recovery and waitlist backfill. A cancellation fires a waitlist offer within minutes, ordered by rules your staff set.

After-hours and overflow answering. An AI receptionist scoped to scheduling: it books, reschedules, confirms, and answers location and insurance questions. Symptom or medication questions trigger an immediate handoff and a tagged callback task. Category pricing is covered in what an AI receptionist costs.

Referral-loop closing. Specialty practices live on PCP referrals, which leak between the fax inbox and the booked appointment. Every inbound referral is tracked to a terminal state (booked, declined, or unreachable-after-N-attempts), with a weekly exception report.

Dormant-chart reactivation. Patients inactive 18+ months get a compliant re-engagement sequence; responders route to your scheduler, and opt-outs write back to the PM system so nobody is contacted twice.

Intake and insurance capture. Digital intake that writes into your PM system and flags eligibility mismatches before the visit.

The compliance architecture is the product

Every PHI-touching component is covered by a Business Associate Agreement, including ours, and you keep the data-flow document proving it.

  • We sign your BAA before any system access; so does every vendor in the chain: Twilio (SMS, voice), Paubox (email), AWS (model calls).

  • LLM calls run on HIPAA-eligible endpoints (Claude via AWS Bedrock under AWS's BAA), configured for zero data retention. Patient data never trains a model.

  • The workflow engine is self-hosted n8n in your own cloud, so PHI never transits a third-party automation service.

  • Minimum-necessary scoping: workflows read only the fields they need, and every automated message lands in an exportable audit log.

  • Tracking-pixel hygiene: HHS OCR's December 2022 bulletin put ad pixels on booking pages and patient portals in scope. We audit what Meta and Google tags see on your booking flow before any paid ads work begins.

  • Voice and chat agents identify themselves as AI by default: a legal requirement for clinics serving EU patients from August 2, 2026 under EU AI Act Article 50, and basic patient trust everywhere else.
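As an added illustration, not Entropy & Co's code, of the minimum-necessary scoping and audit-log bullets above and of the opt-out write-back described under dormant-chart reactivation: one outreach decision step in Python. The chart field names, the STOP keywords, the 18-month threshold in days and the synthetic charts are all assumptions.

```python
from datetime import date

# Minimum-necessary field set for this step (assumed names, not any PM system's real schema): diagnoses, notes and insurance fields never enter the workflow.
OUTREACH_FIELDS = ("patient_id", "mobile", "sms_consent", "sms_opt_out", "recall_due", "last_visit")
DORMANT_DAYS = 18 * 30   # the page's "inactive 18+ months", approximated in days

def minimum_necessary(chart: dict) -> dict:
    """Project a full chart down to the fields this workflow is allowed to read."""
    return {k: chart[k] for k in OUTREACH_FIELDS if k in chart}

def outreach_decision(chart: dict, today: date) -> str:
    """Consent and opt-out are checked before any due-date logic runs."""
    rec = minimum_necessary(chart)
    if not rec.get("sms_consent"):
        return "no_consent"        # TCPA: no documented consent, no message
    if rec.get("sms_opt_out"):
        return "opted_out"         # honored across every sequence once written back
    if rec.get("recall_due") and rec["recall_due"] <= today:
        return "send_recall"
    if rec.get("last_visit") and (today - rec["last_visit"]).days >= DORMANT_DAYS:
        return "send_reactivation"
    return "skip"

def run_outreach(charts: dict, today: date, audit: list) -> dict:
    """Decide per chart; each audit entry carries the id and decision, no other PHI."""
    decisions = {}
    for pid, chart in charts.items():
        decisions[pid] = outreach_decision(chart, today)
        audit.append({"patient_id": pid, "decision": decisions[pid], "date": today.isoformat()})
    return decisions

def apply_inbound_reply(charts: dict, patient_id: str, body: str) -> bool:
    """Write a STOP reply back to the PM record so no later sequence contacts them."""
    if body.strip().upper() in {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}:
        charts[patient_id]["sms_opt_out"] = True
        return True
    return False

SAMPLE_CHARTS = {  # constructed synthetic charts, the kind of data staging runs on
    "p1": {"patient_id": "p1", "mobile": "+15550100", "sms_consent": True, "sms_opt_out": False, "recall_due": date(2026, 1, 10), "last_visit": date(2025, 1, 10), "diagnosis": "never read"},
    "p2": {"patient_id": "p2", "mobile": "+15550101", "sms_consent": False, "sms_opt_out": False, "recall_due": date(2026, 1, 1), "last_visit": date(2025, 12, 1)},
    "p3": {"patient_id": "p3", "mobile": "+15550102", "sms_consent": True, "sms_opt_out": False, "recall_due": None, "last_visit": date(2024, 1, 1)},
}

def demo(today: date = date(2026, 2, 1)) -> tuple:
    """Run the step, simulate a STOP reply from p1, run again; returns both maps and the log."""
    charts = {pid: dict(c) for pid, c in SAMPLE_CHARTS.items()}
    audit = []
    before = run_outreach(charts, today, audit)
    apply_inbound_reply(charts, "p1", " Stop ")
    return before, run_outreach(charts, today, audit), audit
```

The first pass sends p1 a recall and p3 a reactivation and skips p2 for missing consent; after p1 replies STOP, the same pass reports p1 as opted out, and the audit log never holds the diagnosis field.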

What you get

  1. A workflow audit ranking all six workflows by payback against your acquisition cost

  2. Executed BAAs, ours and every subprocessor's, before system access

  3. A PHI data-flow map: every vendor, the fields it sees, its BAA status

  4. EHR/PM integration via FHIR or REST API where available, scheduled exports where not

  5. Recall, no-show, reactivation, and referral workflows on self-hosted n8n in your cloud

  6. SMS and voice on Twilio under BAA, with TCPA consent capture and opt-out write-back

  7. HIPAA-compliant email on Paubox with SPF, DKIM, and DMARC authentication

  8. An AI receptionist on HIPAA-eligible model endpoints with tested refusal behavior for clinical topics

  9. Exception-queue dashboards: supervised automation, not blind automation

  10. Staged rollout starting with one provider's recall list

  11. Documentation plus recorded front-desk training

  12. A 30-day defect window with a named escalation path

Explicitly out of scope: anything clinical. No triage logic, no diagnosis, no treatment recommendations, no clinical-record summarization. We are not your law firm either: we implement your compliance officer's policies and produce the artifacts they audit.

How an engagement runs

  1. Scope call, 45 minutes. Specialty, acquisition cost, no-show rate, recall backlog, PM system. Output: which workflow ships first and why.

  2. BAA and access, week 1. BAAs executed before any data access. Checkpoint: your compliance officer approves the data-flow map.

  3. Build, weeks 2–4. Staging runs on synthetic patient data; real PHI enters only after compliance sign-off. Weekly demos.

  4. Pilot, weeks 4–6. One provider or location. Checkpoint: exception-queue review against baseline numbers.

  5. Rollout plus 30-day watch. Full practice, monitored, with a day-30 review against booked-appointment counts.

What this work costs in the market

These are market anchors, not our rates. At $300–$1,000 per new patient, automation that recovers four appointments a month protects $1,200–$4,000 of monthly acquisition spend, before visit revenue. What moves price in this niche:

  • The BAA premium. HIPAA-covered SMS, email, and hosting vendors price above consumer-grade equivalents; that premium flows into any honest quote.

  • Integration depth. A documented FHIR API is days of work; a flat-file workaround is weeks.

  • Volume and locations. Call minutes, language coverage, multi-site routing, and per-provider rules.

Component-level numbers are itemized in how much an AI agent costs. The headroom exists: practices at 2–4% of revenue are under-spending their own benchmark. Bring your specialty, volume, and PM system to /contact for a number against your scope, not a rate card.

Why Entropy & Co

  1. We sign the BAA, before access, in writing. Ask the last agency that pitched you automation to do the same and watch the scope shrink.

  2. The PHI map is an artifact you keep. Every vendor, every field, every BAA in one document. Fire us and your next vendor inherits a map, not a mystery.

  3. Agents that refuse clinical conversation. Refusal and escalation behavior is tested before launch and logged after it. AI disclosure ships ahead of the EU's August 2, 2026 Article 50 deadline.

FAQ

Do you actually sign a Business Associate Agreement?

Yes, executed before any system access, and we only deploy subprocessors that sign their own: Twilio, Paubox, AWS. You get a data-flow document listing every PHI-touching vendor and its BAA status. If a tool will not sign, it does not enter the build.

Does patient data train the AI model?

No. Model calls run on HIPAA-eligible endpoints, Claude via AWS Bedrock under AWS's BAA, configured for zero data retention. Prompts and outputs are not stored or used for training, and we walk your compliance officer through that configuration in week one.

Are automated SMS reminders legal for clinics?

Appointment and recall messages are permitted as treatment communications under HIPAA, but TCPA still requires documented consent, honored opt-outs, and sane frequency. Our workflows capture consent at intake and write opt-outs back to your PM system, making revocation permanent across every sequence.

Which practice systems do you integrate with?

athenahealth, Tebra, ModMed, Nextech, Jane, and WebPT are the common ones; anything exposing a FHIR or REST API integrates directly. Systems without an API get scheduled-export workarounds, slower, still workable. The scope call tells you which camp yours is in.

We deployed a chatbot and pulled it. Why try again?

So did 75% of enterprises, citing data exposure (31%) and hallucination (22%) (Sinch, May 2026). Those are architecture failures, not model failures. Scoped permissions, refusal behavior, and human escalation address both, and agents vs automation explains why many clinic workflows should not be agents at all.

Get a scope and quote

One 45-minute call: your numbers and PM system in, a prioritized workflow plan and quote out, with the BAA handled up front. Get a scope and quote.

Related: AI automation for the cross-industry version of this work, paid ads once the follow-up leak is fixed, and the adjacent niches med spas and dental practices.

© All rights reserved