HealthClaw Guardrails

The security layer between AI agents and clinical data — a healthclaw.io open source project.

FHIR R4 US Core v9 FHIR R6 ballot3 12 MCP Tools 37 Resource Types Fasten Connect
Health Data Dashboard Quick Start GitHub

What Happens When an AI Agent Accesses Clinical Data

1. Read Patient Record
PHI redacted: identifiers masked, addresses stripped, telecom removed. Agent only sees safe data.
2. Propose Write
Agent calls fhir.propose_write. Structural validation gate runs. Resource previewed without committing.
3. Permission Evaluated
R6 Permission $evaluate returns permit or deny with reasoning. No matching rule = default deny.
4. Policy Permits
Permit rule matched. Re-evaluation returns reasoning showing which rule applied and why.
5. Step-up + Human Gate
HMAC-SHA256 token required (128-bit nonce, 5-min TTL). Clinical writes blocked until X-Human-Confirmed: true.
6. Commit + Audit Trail
Write committed. Every step recorded in an immutable, append-only AuditEvent trail. Full accountability.

PHI Redaction — What the Agent Sees

Applied on every read path — direct reads, search results, upstream proxy responses, and context envelopes. The agent never has access to raw patient data.

Stored in FHIR server
name:    Maria Elena Rivera
mrn:     MRN-2026-4471
phone:   617-555-0198
address: 123 Clinical Ave
         Boston, MA 02101
dob:     1985-03-15
Delivered to AI agent
name:    M. E. Rivera
mrn:     ***4471
phone:   [Redacted]
address: Boston, MA

dob:     1985

Security Patterns

Tenant isolation enforced at the database layer on every query. HMAC-SHA256 step-up tokens for writes. ETag/If-Match concurrency control. OAuth 2.1 with PKCE (S256 only). Append-only audit trail with database-level immutability.

12 MCP Tools

Read tools return _mcp_summary with reasoning and clinical context. Writes use propose/commit: fhir.propose_write validates first, fhir.commit_write requires step-up auth. Curatr tools evaluate and fix patient record quality.

Clinical Safety

Clinical writes return HTTP 428 without explicit human confirmation. HIPAA Safe Harbor de-identification on demand. Medical disclaimer injected on clinical reads. PHI redaction on all read paths including upstream proxy responses.

Architecture

Flask AppFHIR REST at /r6/fhir/*, guardrail enforcement
MCP ServerNode.js + TypeScript — 12 tools, Streamable HTTP + SSE
Fasten ConnectPatient-authorized EHR ingestion via /fasten/webhook
StorageSQLite (dev) / PostgreSQL (prod) — 37 FHIR resource types
ValidationStructural: US Core v9 required fields + R6 value constraints

Data Sources

Local modeJSON blobs in SQLite — zero-config for development
Upstream proxyAny FHIR server (HAPI, SMART Health IT, Epic) — set FHIR_UPSTREAM_URL
Fasten ConnectPatient-authorized bulk EHI import from 1000+ EHR systems
TEFCA IASSingle identity verification → longitudinal record across all QHINs

From the Builder — The Why Behind This

HealthClaw Guardrails was built from personal experience navigating a broken health data system. These articles share the thinking, the frustrations, and the vision behind the project.

Health Data Ownership

Building a New, Empowered Health System

The current health data system was built around institutions, not patients. What does it look like when we flip that — when AI tools serve the person, not the provider's back office?

evestel.substack.com Read →
Personal AI Health

How I Build My Personal OpenClaw

A personal walkthrough of building an AI health agent using OpenClaw skills and HealthClaw Guardrails — connecting real health data, evaluating it with Curatr, and actually owning the output.

evestel.substack.com Read →

Live Endpoints

/r6/fhir/metadata
CapabilityStatement (R4+R6)
/r6/fhir/health
Liveness + upstream status
SMART Configuration
SMART-on-FHIR v2 / OAuth 2.1
/fasten/jobs
Fasten import job status