Automation near PHI,
scoped to the minimum
Provider organizations use govern.sh to let scheduling and intake agents work inside the EHR under minimum-necessary scopes — every access allowed, denied, or escalated with a signed record your privacy officer can hand to OCR.
Where autonomy breaks down today
EHR tokens grant far too much
A FHIR credential broad enough to reschedule appointments is usually broad enough to read full charts. The gap between what an agent needs and what its token allows is a reportable incident waiting.
Minimum necessary has no enforcement point
HIPAA's minimum-necessary standard is a policy document in most organizations, not a runtime control. Nothing technical stops an agent from touching records outside its task.
Disclosure accounting is manual
When a patient or auditor asks who accessed a record and why, the answer is assembled by hand from EHR access logs that were never designed to explain automated activity.
A reschedule, inside the lines
A patient replies to a reminder asking to move Thursday's cardiology visit. intake-agent handles it without ever seeing more than the schedule.
intake-agent authenticates with a scoped passport
PassportThe agent's identity carries exactly two scopes: read appointment slots, write appointment bookings. Chart contents, labs, and notes are outside its world entirely.
It reads availability and proposes a slot
PolicyThe policy engine allows the schedule read in 6 ms — in scope, in hours, for a patient with an active care relationship. No PHI beyond the appointment record is returned.
A chart read is denied before it executes
PolicyReasoning about prep instructions, the agent attempts to read the cardiology note. phi-minimum-necessary denies the call pre-execution, and the denial itself is signed into the trail.
The after-hours change goes to a human
ApprovalThe patient wants a 7:20 a.m. slot — outside standard booking hours, which policy treats as sensitive. The nurse coordinator reviews and approves from the queue.
The disclosure record writes itself
ReceiptAllowed reads, the denied chart access, and the approved booking are chained as signed receipts — a complete, verifiable account of every PHI touchpoint in the interaction.
The technical safeguards, made real
govern.sh turns the access-control and audit language of the Security Rule into enforcement that runs on every single EHR call.
Grant each agent exactly the FHIR resources its task requires. Everything else is denied at the enforcement point, not discouraged in a policy PDF.
Out-of-scope attempts produce signed deny receipts — proof your controls fired, which is precisely what an OCR investigator asks to see.
Route record amendments, after-hours changes, and anything touching restricted charts to clinical staff for one-tap approval.
Generate a per-patient accounting of automated access in minutes, with signatures that verify independently of govern.sh.
Representative outcomes reported by govern.sh customers in healthcare.
Aligned with the Security Rule
Scoped passports operationalize the minimum-necessary standard, and the hash-chained receipt trail implements the audit controls of 45 CFR §164.312(b) for agent activity. govern.sh signs a BAA on Scale plans, and receipts contain identifiers and verdicts — never clinical content.
The deny receipts changed the conversation with our privacy officer. We could show not just that intake-agent stayed in its lane, but that the one time it drifted, the control caught it before the EHR ever saw the request.
Related use cases
Put a verified agent to work in healthcare.
Mint a passport, attach a policy, and watch the first signed receipt land — free for your first three agents.