HIPAA-Compliant AI Clinical Decision Support Using Amazon Bedrock
AWS Partner
EFS Networks
AWS AI Competency
Agentic AI Consulting Services
ABOUT THE CUSTOMER
A Mid-Atlantic regional healthcare system operating 12 hospitals and 45+ outpatient clinics, serving over 1.5 million patients annually. The organization employs 2,000+ clinicians and runs an AWS-first cloud strategy with a HIPAA Business Associate Agreement in place across production accounts.
CUSTOMER CHALLENGE
Clinicians spent an average of 96 minutes per day on manual clinical data lookups – querying EHR systems, cross-referencing lab results, and synthesizing patient timelines. At an average clinician hourly rate of $150, this represented a $4,800/month opportunity cost per clinician and over $115 million annually across the system.
The customer wanted to deploy an AI assistant to accelerate clinical queries, but faced a fundamental conflict: foundation models need clinical context (patient names, diagnoses, medication histories) to provide useful answers, yet HIPAA’s “minimum necessary” standard prohibits sending Protected Health Information (PHI) to shared inference endpoints without structural safeguards. Previous attempts using policy-based approaches – prompt engineering and vendor contractual agreements – were rejected by the HIPAA Privacy Officer as insufficient. The organization needed a solution where it is structurally impossible for PHI to reach the foundation model, not merely policy-prohibited.
PARTNER SOLUTION
EFS Networks designed and deployed an autonomous AI agent on AWS that provides HIPAA-compliant clinical decision support through a dual-zone architecture enforced by IAM boundaries.
Architecture: The solution uses the AWS Strands Agents SDK deployed on Amazon AgentCore Runtime, with Amazon Bedrock (Claude 3.5 Sonnet for complex reasoning, Claude 3 Haiku for simple lookups) as the foundation model layer. The architecture separates the system into an AI Zone (agent + Bedrock) and a PHI Zone (Lambda functions + DynamoDB + S3), with IAM policies that structurally prevent the agent runtime from accessing PHI storage.
How it works: When a clinician submits a query, the agent orchestrates a multi-step anonymization pipeline:
1. Amazon Comprehend Medical extracts PHI entities (18 HIPAA-relevant types) from clinical text
2. Deterministic tokenization replaces PHI with synthetic tokens (e.g., [NAME_001]), with mappings stored in DynamoDB within the PHI Zone
3. Amazon Bedrock Guardrails provide defense in depth – a PII filter in BLOCK mode, applied to both the prompt and the model response, catches any PHI entities that Comprehend Medical may have missed
4. The agent reasons over the tokenized (PHI-free) text using Bedrock, producing a clinical response
5. Reconciliation maps tokens back to real patient data within the PHI Zone before returning the response to the clinician
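Steps 2, 3 and 5 of this pipeline as an added, stand-alone Python example (not EFS Networks' code). The entity list is a constructed stand-in for Comprehend Medical detect_phi output, the literal-leak check stands in for the Guardrails PII filter, and the in-memory mapping stands in for the DynamoDB table in the PHI Zone; no AWS call is made.

```python
import re
from typing import Callable, Dict, List, Tuple

TOKEN_RE = re.compile(r"\[[A-Z_]+_\d{3}\]")
# Constructed clinical note; entity offsets are derived from it at runtime.
NOTE = ("Patient John Smith (DOB 03/14/1961, MRN 448213) presented with chest pain. "
        "John Smith was last seen by Dr. Patel on 01/09/2024.")
# Constructed stand-in for Comprehend Medical detect_phi results: (PHI type, surface text).
PHI_SPEC = [("NAME", "John Smith"), ("DATE", "03/14/1961"), ("ID", "448213"),
            ("NAME", "Patel"), ("DATE", "01/09/2024")]

def constructed_entities(text: str, spec) -> List[dict]:
    """Comprehend-Medical-shaped entities (Type/BeginOffset/EndOffset) for every
    occurrence of each surface value. No AWS call is made."""
    return [{"Type": t, "BeginOffset": m.start(), "EndOffset": m.end()}
            for t, s in spec for m in re.finditer(re.escape(s), text)]

def tokenize(text: str, entities: List[dict]) -> Tuple[str, Dict[str, str]]:
    """Step 2: replace PHI spans with synthetic tokens. Deterministic: a recurring value
    gets the same token, so the model can still reason about 'the same patient'. The
    token->value mapping stays in the PHI Zone (DynamoDB in production). Non-overlapping spans assumed."""
    ordered = sorted(entities, key=lambda e: e["BeginOffset"])
    mapping, token_for, counts = {}, {}, {}
    for e in ordered:                             # pass 1: assign tokens in reading order
        key = (e["Type"], text[e["BeginOffset"]:e["EndOffset"]])
        if key not in token_for:
            counts[e["Type"]] = counts.get(e["Type"], 0) + 1
            token_for[key] = f"[{e['Type']}_{counts[e['Type']]:03d}]"
            mapping[token_for[key]] = key[1]
    out = text
    for e in reversed(ordered):                   # pass 2: substitute from the end so
        key = (e["Type"], text[e["BeginOffset"]:e["EndOffset"]])  # earlier offsets stay valid
        out = out[:e["BeginOffset"]] + token_for[key] + out[e["EndOffset"]:]
    return out, mapping

def verify_phi_free(tokenized: str, mapping: Dict[str, str]) -> bool:
    """Step 3 gate before the AI Zone: block if any mapped PHI value still appears
    literally (stand-in for the Guardrails PII filter in BLOCK mode)."""
    return not any(v in tokenized for v in mapping.values())

def reconcile(response: str, mapping: Dict[str, str]) -> str:
    """Step 5: map tokens back to real values inside the PHI Zone; unmapped tokens stay as-is."""
    return TOKEN_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), response)

def pipeline(note: str, spec, model: Callable[[str], str]) -> str:
    """Steps 2-5 end to end; `model` is any callable over PHI-free text."""
    tokenized, mapping = tokenize(note, constructed_entities(note, spec))
    if not verify_phi_free(tokenized, mapping):
        raise RuntimeError("PHI leak detected; request blocked before inference")
    return reconcile(model(tokenized), mapping)
```

The real Guardrails filter also catches values the tokenizer never saw (the six misses reported below); the in-process check here only proves that nothing the PHI Zone already knows about leaves it.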
The agent autonomously selects tools, plans its anonymization strategy, and routes queries between Sonnet and Haiku based on complexity – reducing inference costs by 19-31% with no clinical accuracy degradation for simple queries.
Key AWS services: Amazon Bedrock (Claude 3.5 Sonnet/Haiku), Amazon Bedrock Guardrails, Amazon AgentCore, AWS Strands Agents SDK, Amazon Comprehend Medical, AWS Lambda, Amazon DynamoDB, Amazon S3, Amazon Cognito, AWS KMS, Amazon CloudWatch, AWS CloudTrail, Amazon VPC.
Infrastructure as Code: All resources deployed via AWS CDK (Python) with CDK Nag for automated security validation.
RESULTS AND BENEFITS
– Zero PHI exposure incidents – No Protected Health Information has reached Bedrock inference endpoints, verified via CloudTrail audit
– 3.2-second response time (p95) for the full anonymization-inference-reconciliation pipeline, against a 5-second target
– 99.94% anonymization accuracy – 6 rare PHI entities missed by Comprehend Medical in the first month were all caught by Bedrock Guardrails, validating the defense-in-depth approach
– 73% clinician adoption at month 3, trending ahead of the 80% six-month target, with highest adoption in emergency medicine (89%)
– 99.97% system availability with only one planned 20-minute maintenance window in the first quarter
– 78 minutes saved per clinician per day, reducing manual lookup time from 96 minutes to 18 minutes
– $5.7 million annualized productivity gain (run rate at month 3) at a system operating cost of approximately $2,900/month
ABOUT EFS NETWORKS
EFS Networks is an AWS Advanced Tier Services Partner (Top 1%) founded in 2005 and headquartered in Philadelphia, PA. With approximately 50 employees and over 10 years of AWS experience, EFS holds AWS Well-Architected Partner, Lambda Delivery Partner, and Serverless Delivery Partner designations. EFS specializes in building production agentic AI solutions on AWS across healthcare, enterprise software, and manufacturing verticals.