Stats

Actions

Available In

Tags

HealthClaw Guardrails

An open reference implementation of the security and compliance layer between AI agents and clinical data — the FHIR × MCP guardrails nobody else has standardized. Built in the open as a community project, MIT-licensed. Use it, fork it, send a PR — see CONTRIBUTING.md.

FHIR standardized how health data is structured. MCP standardized how AI connects to tools. Nobody standardized the guardrails in between. This is a shared, open reference for that layer — not a product, not a pitch. If the pattern is useful, take it; if it's wrong, tell us or fix it.

This is a community effort. It's most useful if implementers, clinicians, and standards folks poke holes in it. Issues, PRs, and "you got the SDC extraction wrong" critiques are all welcome. Start with CONTRIBUTING.md and the Code of Conduct.

What's new in v1.5.0 — Security Hardening + SDC Forms

Two threads landed since v1.4.0: a read-authentication hardening pass on the guardrail core, and HL7 Structured Data Capture (SDC) support so the project can populate and extract healthcare forms the standard, interoperable way.

SDC form round-trip — implements the two halves of HL7 SDC:

Operation

What it does

Mechanisms (v1)

POST /r6/fhir/Questionnaire[/<id>]/$populate

Questionnaire + subject → pre-filled QuestionnaireResponse

expression-based (initialExpression FHIRPath) + observation-based (item.code LOINC)

POST /r6/fhir/QuestionnaireResponse/$extract

completed QuestionnaireResponse → transaction Bundle

observation-based (observationExtract) + definition-based (definitionExtract)

Pure, Flask-free transform engines in r6/sdc/ (expressions.py, populate.py, extract.py); the route layer owns auth, audit, step-up, and store I/O.

$populate is read-shaped (tenant-read-authenticated + AuditEvent); $extract reuses the existing write path — step-up + per-resource $validate on commit, with ?dryRun=true to preview the Bundle without committing.

Two new MCP tools — questionnaire_populate (read) and questionnaire_extract (write) — so an agent can fill and extract forms end-to-end.

A seeded healthclaw-intake demo Questionnaire shows the full populate → complete → extract loop.

Security hardening — X-Tenant-Id reads are now authenticated, not just tenant-scoped: non-public tenants must present a tenant-bound step-up token or a matching SMART bearer (a bare header gets 401). Plus a public-tenant-aware token-mint guard, the SMART OAuth service advertised in /metadata, and dependency CVE bumps (PyJWT, npm advisories).

Deliberate compliance postures (documented in CLAUDE.md and the design spec):

$populate returns unredacted PHI by design — a form must hold real data, and the read-auth gate is the compensating control. An optional ?redaction= opt-in is a tracked follow-up.

$extract commit is treated as an ingest-class operation (like Bundle/$ingest-context): step-up + $validate gate the write; it is exempt from the per-resource X-Human-Confirmed gate.

What's new in v1.4.0 — Multi-Connector Health Data Pipeline

One Telegram bot. All your health records. Every major source, automatically.

The v1.4.0 release wires five distinct health data pipelines into HealthClaw — each with its own auth model, transport, and data format — and exposes them as unified Telegram slash commands so you never leave the chat.

Source

Coverage

Transport

Telegram command

Fasten TEFCA

Nationwide — all QHINs (hospitals, EHRs, labs) via CLEAR/ID.me

Webhook push

/connect

HealthEx

Lab + clinical aggregator

MCP Streamable HTTP pull

/export

Health Bank One

Identity-verified records + insurance context

MCP Streamable HTTP pull

/hbo-connect, /hbo-pull

Flexpa

200+ payers/insurers (CMS-9115 mandate)

SmartHealthConnect bridge

/flexpa-connect

Health Skillz (Epic)

Epic MyChart + major patient portals

SmartHealthConnect bridge

/epic-connect

MEDENT

Small-practice EHR (SMART on FHIR direct)

Direct SMART on FHIR pull

/medent-connect, /medent-pull

New infrastructure: