Scenarios · Access center

Triage portal messages with AI — without adding another inbox.

A care coordination desk pulls patient-portal messages from partner systems, lets an agent draft the routine replies, and routes everything through a single approval queue. A supervisor releases each draft. Edge cases escalate to legal or compliance with the full message history attached. Every release records who approved what, against which message.

Where the work happens

  • Agent SDK — classifies inbound messages and drafts the routine replies.
  • Studio — approval queue with SLA timers, so nothing sits unrouted.
  • Assistant — escalation review where legal or compliance pick up an ambiguous message with its full history attached.

How it works

  1. Messages arrive from partner systems.

    Inbound messages land through an authenticated endpoint. You choose how PHI flows — sent under your BAA, or detected and masked before it leaves your environment. Either way, the receiving coordinator, identifiers found, and timestamp land on the audit chain.

  2. An agent classifies and drafts a reply.

    Urgency scoring, category routing, and a draft response — recorded as an agent action tied to a specific agent identity, with input and output hashed on the same audit chain as the message itself.

  3. A supervisor approves before anything sends.

    Drafts land in a Studio queue with SLA timers. The coordinator reviews, edits, and releases. Who released which draft, after which edits, lands on the chain before the reply leaves HASP.

  4. Edge cases escalate to legal or compliance.

    Ambiguous symptoms or medication-interaction flags route the message to legal or compliance with its full history attached — nothing forwarded, nothing lost. Their review is signed and appended to the chain before routing.

Try this as a Studio template.

Use this template → Start free →

Why this survives governance

  • Portal messages are PHI — the routing system has to prove it.

    HIPAA's Security Rule applies the moment a name, symptom, or medication shows up. A classification system that touches PHI without a BAA covering the model call, and without an attributable record of the routing decision, is non-compliant even at 99% accuracy. The model call sits under your BAA; the routing decision sits on the audit chain.

  • Regulators distinguish "AI suggests" from "AI decides."

    State AI rules and CMS guidance on clinical decision support increasingly require documentation of who released the response and on what basis — not just a log that a response went out. Agent-action attribution records the supervisor identity, timestamp, and edits behind every release, so the human-in-the-loop is verifiable, not asserted.

  • Cross-team escalation stops being a forwarding chain.

    When legal or compliance need to weigh in, the message reaches them with its full history attached instead of as a forwarded email with no context. The audit chain shows who reviewed the routing call — and what evidence they saw.

Deploy this workflow in your environment.

Talk to us → See HASP Agent SDK → View pricing →