MeshFlow
  • Cloud PlatformDeployIntegrationsInit CLIWhy MeshFlow
  • DocsLearn
  • CustomersCertificationBlogChangelogCommunity
  • Pricing
Sign inGet started
Pricing
Sign inGet started
MeshFlow

The production-safe standard for agentic AI.
Apache 2.0 — free forever.

Product
  • Pricing
  • Cloud
  • Compare
  • Init CLI
  • Changelog
Docs
  • Quickstart
  • Core concepts
  • Compliance guide
  • Token optimization
  • API reference
Resources
  • Blog
  • Customers
  • Community
  • PyPI
  • GitHub
Company
  • Discord
  • Twitter
  • Security
  • License
MeshFlow © 2026 · Yaya Systems · Apache 2.0
All systems operational
Blog
TutorialMay 14, 202612 min read

Build a HIPAA-Compliant Patient Intake Agent in 45 Minutes

Step-by-step: a 3-agent crew that processes patient intake forms, redacts PII automatically, generates a SHA-256 audit trail, and applies token controls from the first run.

AT
Anteneh Tessema
Founder, MeshFlow

What we're building

A 3-agent pipeline that: 1. Receives a raw patient intake form (freeform text) 2. Extracts structured data (demographics, chief complaint, medications) 3. Generates a clinical summary for the care team 4. Produces a SHA-256 audit trail of every step

The pipeline runs in under 60 seconds, redacts PHI before any LLM call, and generates a tamper-evident ledger entry suitable for an OIG audit. No external API keys needed for the tutorial — we run in sandbox mode.

Prerequisites: Python 3.11+, `pip install meshflow`

Step 1: Install and verify

bash
pip install meshflow
python -c "import meshflow; print(meshflow.__version__)"
# → 1.13.0

Step 2: Set up the HIPAA workflow

python
import os

from meshflow import Workflow, Agent, CostCap, compliance_profile

wf = Workflow( compliance_profile=compliance_profile("hipaa"), cost_cap=CostCap(usd=0.10), # hard cap — enforced in kernel ) ```

The `compliance_profile("hipaa")` activates: - `PIIBlocker` on all agents (strips PHI before any LLM call) - SHA-256 audit chain on every StepRecord - 6-year retention policy flag on the ledger - Minimum-necessary access enforcement

Step 3: Add the three agents

python
# Agent 1: Extract structured data from the intake form
extractor = Agent(
    name="extractor",
    role="researcher",
    model="claude-haiku-4-5-20251001",  # fast + cheap for extraction
    system_prompt="""Extract the following fields from the patient intake form.
Return JSON with keys: patient_name, dob, chief_complaint, medications, allergies.
If a field is not present, return null for that key.""",

# Agent 2: Flag clinical risks reviewer = Agent( name="reviewer", role="critic", model="claude-sonnet-4-6", system_prompt="""Review the extracted patient data. Flag any drug interactions, allergy alerts, or high-risk conditions. Be specific. Cite the exact medications or conditions you are flagging.""", )

# Agent 3: Generate the care team summary summarizer = Agent( name="summarizer", role="executor", model="claude-haiku-4-5-20251001", system_prompt="""Write a 3-sentence clinical summary for the care team. Include the chief complaint, key findings from the review, and recommended next steps. Use clinical terminology. Do not include the patient's name or date of birth.""", )

wf.add(extractor, reviewer, summarizer) ```

Step 4: Run with a sample intake form

python
intake_form = """
Patient: Sarah Johnson
DOB: March 15, 1972

Chief complaint: Persistent chest pain for 3 days, radiating to left arm. History: Hypertension (diagnosed 2018), Type 2 Diabetes (diagnosed 2020). Current medications: Metformin 500mg twice daily, Lisinopril 10mg once daily, Aspirin 81mg daily. Allergies: Penicillin (hives), Sulfonamides (anaphylaxis).

Pain scale: 6/10 at rest, 8/10 with exertion. Vitals: BP 148/92, HR 88, SpO2 97%, Temp 98.6°F. """

result = wf.run(intake_form)

print("=== Clinical Summary ===") print(result.output) print() print("=== Audit Trail ===") print(f"Total cost: {result.total_cost_usd:.4f} USD") print(f"Audit entries: {result.audit_entries}") print(f"PII events blocked: {result.pii_events}") ```

Step 5: Inspect the audit trail

python

ledger = ReplayLedger()

for record in ledger.all_records(): print(f"[{record.agent_name}] {record.action[:40]}") print(f" Hash: {record.entry_hash[:16]}...") print(f" Prev: {record.prev_hash[:16]}...") print(f" Verified: {record.verify()}") ```

Each record carries `prev_hash` pointing to the previous record's hash, and `entry_hash` — the SHA-256 of the current record's canonical fields. Modifying any record breaks the chain. This is the same structure that satisfies HIPAA §164.312(b) audit controls.

Step 6: Add RFC 3161 timestamps (cloud mode)

In sandbox mode, the chain is self-signed. For production deployments, anchor the chain to a trusted timestamp authority:

python

gate = DascGate.create(run_id="intake_run_001", db_path="meshflow_hipaa.db") anchor = gate.anchor() # calls FreeTSA — free RFC 3161 TSA

print(f"Anchored at: {anchor.anchored_at}") print(f"Verified: {anchor.verified}") # Verify independently: openssl ts -verify -in anchor.tsr -CAfile tsa.crt ```

What you just built

In 45 minutes you have a pipeline that: - Processes patient intake with three specialized agents - Blocks PHI before any LLM call (PIIBlocker) - Writes a tamper-evident SHA-256 audit chain (StepRuntime) - Enforces a hard cost cap (CostCap) - Generates RFC 3161 timestamps suitable for HIPAA audit evidence

The same pattern scales to any regulated workflow. Replace the intake form with a radiology report, a prior authorization request, or a discharge summary — the governance layer stays the same.

Back to all posts