Every AI surface on the CaraLoom platform is listed here — what it does, what data it sees, who reviews its output, and the active guardrails in place. We refresh each clinician-validated badge every 6 months. No marketing language, no hidden surfaces.
All PHI-touching AI calls route through Google Vertex AI under an active BAA. A runtime guard in _ai_send_phi blocks any OpenAI fallback. Whisper STT is wrapped in the same BAA chain for voice-to-SOAP.
Identifying fields (names, addresses, contact, IDs) are scrubbed at prompt-interpolation. Clinical values (vitals, diagnoses, scores) are preserved so the AI has the signal it needs without seeing identifiers.
Every AI call against patient data emits an audit-log entry — caller, patient, surface, timestamp, request id — into the tamper-evident audit collection. Admins can produce a full chain-of-custody for any audit.
AI never autonomously charts, prescribes, submits a claim, or escalates care. A licensed clinician signs every final clinical record. AI outputs are drafts and advisory signals, not autonomous actions.
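The identifier scrubbing and audit-log guardrails described above can be sketched as follows. This is an added example, not CaraLoom's code: the field names, the `scrub`, `build_prompt`, `audit_entry` and `verify_chain` helpers, and the use of a SHA-256 hash chain for tamper evidence are all assumptions, and the sample record is constructed.

```python
import hashlib, json, uuid
from datetime import datetime, timezone

# Assumed field names; the page names only the categories (names, addresses, contact, IDs).
IDENTIFYING = {"name", "address", "phone", "email", "mrn"}
GENESIS = "0" * 64  # assumed anchor value for the first audit entry
# Constructed sample record: two identifiers, two clinical values.
SAMPLE = {"name": "Jane Doe", "mrn": "MRN-000123", "bp": "142/90", "phq9": 14}

def scrub(record):
    """Replace identifying fields with placeholders; keep clinical values."""
    clean = {}
    for key, value in record.items():
        if isinstance(value, dict):
            clean[key] = scrub(value)
        elif key in IDENTIFYING:
            clean[key] = f"[{key.upper()}]"
        else:
            clean[key] = value
    return clean

def build_prompt(template, record):
    """Interpolate only the scrubbed record; fail closed if an identifier survives."""
    prompt = template.format(**scrub(record))
    for key in record.keys() & IDENTIFYING:
        if record[key] and str(record[key]) in prompt:
            raise ValueError(f"identifier from field {key!r} leaked into prompt")
    return prompt

def digest(entry):
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def audit_entry(prev_hash, caller, patient_id, surface):
    """Audit record with the fields the page lists, chained to the previous entry."""
    entry = {"caller": caller, "patient": patient_id, "surface": surface,
             "timestamp": datetime.now(timezone.utc).isoformat(),
             "request_id": str(uuid.uuid4()), "prev": prev_hash}
    entry["hash"] = digest(entry)
    return entry

def verify_chain(entries):
    """True only if every entry hashes correctly and links to its predecessor."""
    prev = GENESIS
    for e in entries:
        if e["prev"] != prev or e["hash"] != digest(e):
            return False
        prev = e["hash"]
    return True
```

The leak check matters for free-text fields: a note that repeats the patient's name passes field-level scrubbing untouched, so the prompt is rejected rather than sent.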
8 surfaces total. Each runs under the platform-wide guardrails above plus the per-surface guardrails listed below.
POST /api/auth/register (patient flow)
POST /api/clinician/assessment
POST /api/appointments/{id}/generate-soap
POST /api/voice/transcribe-to-soap
POST /api/risk/assess
POST /api/clinical-notes/ai-summary
POST /api/rcm/claims/{claim_id}/scrub
POST /api/care-library/navigate

Methodology: each clinician-validated badge is signed by a licensed clinician (MD, DNP, NP, or RN with relevant specialty) after a standardized review of golden-set test cases (typically 24–40 per surface). Pass-rate is the fraction of cases scored ≥3/5 on the per-surface rubric. Refreshes are scheduled every 6 months. See /app/memory/CLINICAL_VALIDATION_BRIEF.md for the rubric and golden cases.