    Case Study: How an n8n Agency Deployed HIPAA-Compliant AI for a Hospital Network

    A composite case study showing how an automation agency used n8n, fine-tuned local models, and on-premise deployment to deliver HIPAA-compliant AI to a regional hospital network.

    Ertas Team

    This is a composite case study based on common patterns observed across healthcare AI deployments. Names, specifics, and figures are illustrative.

    The Agency

    MedFlow Automation is a 4-person agency specialising in healthcare workflow automation. The team: a founder with n8n and Make.com expertise, two automation engineers, and a project manager. No ML engineers. Annual revenue: approximately $400K from 12 healthcare clients on automation retainers.

    The Client

    Pacific Regional Health operates 3 hospitals and 14 outpatient clinics across a mid-size metro area. 2,400 staff. 180 physicians. Their IT team consists of a CTO, 2 system administrators, and a compliance officer.

    The Problem

    Pacific Regional was drowning in clinical documentation overhead. Physicians spent an average of 2 hours per day on documentation — progress notes, discharge summaries, referral letters, prior authorisation narratives. This was contributing to burnout and reducing the time available for patient care.

    The CTO had evaluated several cloud-based AI documentation tools. All were rejected by the compliance officer for the same reason: they required sending Protected Health Information to third-party cloud APIs. Even with BAAs in place, the compliance team was not comfortable with the data leaving their network.

    The CTO's requirements:

    1. AI-powered clinical note summarisation and draft generation
    2. All processing on Pacific Regional's infrastructure
    3. HIPAA-compliant architecture with full audit trails
    4. Integration with their Epic EHR system
    5. Budget: $80,000 for initial deployment, $3,000/month ongoing support

    The Solution Architecture

    MedFlow designed an architecture using their established stack, adapted for healthcare compliance:

    Infrastructure

    | Component | Specification | Cost |
    |---|---|---|
    | GPU server | Dell PowerEdge T550 with 2× RTX 5090 | $8,500 |
    | n8n instance | Docker on existing VM in Pacific Regional's data centre | $0 (existing infrastructure) |
    | Vector database | Qdrant (Docker) for clinical reference documents | $0 (open source) |
    | Monitoring | Grafana + Loki for logging and alerting | $0 (open source) |

    Model Stack

    • Base model: Llama 3.1 8B (quantised to 4-bit for efficient inference)
    • Fine-tuned adapters:
      • Clinical note summarisation (trained on 3,000 de-identified notes)
      • Discharge summary generation (trained on 2,500 examples)
      • Referral letter drafting (trained on 1,800 examples)
    • Inference engine: vLLM (chosen over Ollama for concurrent request handling across 3 hospitals)

    Workflow Architecture

    Epic EHR → HL7 FHIR Interface → n8n Webhook → Pre-processing →
    vLLM Inference → Post-processing → Quality Queue → Epic EHR
    

    All components running within Pacific Regional's network. No external API calls.

    The Implementation

    Phase 1: Data Preparation (Weeks 1-3)

    MedFlow worked with Pacific Regional's IT team to:

    1. Extract training data: 8,000 clinical notes from the past 2 years, exported from Epic via their reporting tools
    2. De-identify: Used a combination of Microsoft Presidio and custom regex patterns to remove all 18 HIPAA PHI categories. MedFlow built the de-identification pipeline; Pacific Regional's staff ran it on their infrastructure so raw PHI never left the hospital network.
    3. Quality review: Pacific Regional's compliance officer reviewed a 10% sample of de-identified records. Two records had residual identifiers — the regex patterns were updated and the full dataset was re-processed.
    4. Format for training: MedFlow converted the de-identified notes into instruction-response pairs suitable for fine-tuning.
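
The sample review in step 3 can be backed by an automated residual-identifier scan that runs over the de-identified output before a human reads it. The following is an added example, not MedFlow's pipeline or part of Presidio; the patterns, the `[DATE]`-style placeholder format and the note texts are constructed assumptions that cover only a few of the 18 categories.

```python
import random
import re

# Assumed patterns for a handful of HIPAA identifier categories. A real check
# would sit alongside an NER-based tool, as the case study's pipeline does.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}
PLACEHOLDER = re.compile(r"\[[A-Z_]+\]")  # tokens left by the de-identifier

# Constructed sample of "de-identified" notes; n2 and n4 still leak identifiers.
NOTES = {
    "n1": "Patient [NAME] seen on [DATE]. Follow up in 2 weeks. BP 120/80.",
    "n2": "Pt called from 555-867-5309 re: refill. MRN: 00482913.",
    "n3": "Discharged [DATE]; contact [EMAIL] with questions.",
    "n4": "Admitted 03/14/2024 with chest pain. SSN on file [SSN].",
}


def scan_note(text):
    """Return a sorted list of (category, match) for identifiers still present."""
    stripped = PLACEHOLDER.sub(" ", text)  # ignore the replacement tokens
    hits = []
    for category, pattern in RESIDUAL_PATTERNS.items():
        hits += [(category, m.group(0)) for m in pattern.finditer(stripped)]
    return sorted(hits)


def review_sample(notes, fraction=0.10, seed=0):
    """Scan a reproducible random sample; return {note_id: hits} for failures."""
    rng = random.Random(seed)
    k = max(1, round(len(notes) * fraction))
    sample_ids = rng.sample(sorted(notes), k)
    return {nid: h for nid in sample_ids if (h := scan_note(notes[nid]))}


if __name__ == "__main__":
    for nid, hits in sorted(review_sample(NOTES, fraction=1.0).items()):
        print(nid, hits)
```

Any non-empty result should block the dataset from being copied out for training until the patterns are updated and the full set is re-processed, as happened in step 3.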

    Phase 2: Fine-Tuning (Weeks 3-4)

    MedFlow used Ertas Studio to train three LoRA adapters:

    1. Clinical note summarisation: Input = full progress note, Output = structured SOAP summary

      • Training: 3,000 examples, 45 minutes training time
      • Validation accuracy: 93% (evaluated by Pacific Regional's clinical informatics team)
    2. Discharge summary generation: Input = structured clinical data, Output = narrative discharge summary

      • Training: 2,500 examples, 40 minutes
      • Validation accuracy: 91%
    3. Referral letter drafting: Input = referral request details + relevant clinical history, Output = formatted referral letter

      • Training: 1,800 examples, 30 minutes
      • Validation accuracy: 89%

    All adapters exported as SafeTensors for vLLM deployment.

    Phase 3: Infrastructure Deployment (Weeks 4-5)

    MedFlow's automation engineers set up the stack on Pacific Regional's hardware:

    1. Installed vLLM with all three adapters configured
    2. Deployed n8n via Docker with PostgreSQL backend
    3. Configured the Epic integration via HL7 FHIR webhooks
    4. Built n8n workflows for each use case:
      • Clinical note summarisation: triggered by physician completion of a note
      • Discharge summary: triggered by discharge order
      • Referral letter: triggered by referral request
    5. Set up Grafana dashboards for monitoring inference latency, throughput, and error rates
    6. Configured audit logging — every inference request and response written to Pacific Regional's SIEM
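
Audit records for step 6 only serve as evidence if a later edit or deletion is detectable. The following added example (not MedFlow's code and not an n8n feature) hash-chains each inference record before it is forwarded to the SIEM; the field names, adapter labels and events are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record


def _digest(record):
    """SHA-256 over the canonical (sorted-key) JSON form of a record."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_event(log, ts, user, adapter, encounter_ref, request, response):
    """Append one inference audit record linked to the previous record's hash."""
    record = {
        "ts": ts, "user": user, "adapter": adapter,
        "encounter_ref": encounter_ref,
        "request": request, "response": response,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def first_broken_link(log):
    """Return the index of the first altered or orphaned record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def build_sample_log():
    """Constructed events, one per adapter named in the case study."""
    log = []
    append_event(log, "2025-01-06T09:12:03Z", "dr.a", "note-summarisation",
                 "enc-001", "[de-identified note]", "[SOAP summary]")
    append_event(log, "2025-01-06T09:15:41Z", "dr.b", "discharge-summary",
                 "enc-002", "[structured data]", "[discharge narrative]")
    append_event(log, "2025-01-06T09:20:17Z", "dr.a", "referral-letter",
                 "enc-003", "[referral request]", "[referral letter]")
    return log
```

The chain exposes edits and gaps only when the latest hash is also held somewhere the writing host cannot modify, which is the role the SIEM copy plays.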

    Phase 4: Compliance Validation (Weeks 5-6)

    MedFlow and Pacific Regional's compliance officer completed the HIPAA compliance checklist:

    • Administrative safeguards: documented, including AI-specific policies
    • Physical safeguards: GPU server in locked data centre, access-controlled
    • Technical safeguards: TLS, RBAC, audit logging, encryption at rest
    • Clinical governance: AI Advisory Committee approved deployment with physician override requirement

    Phase 5: Pilot and Rollout (Weeks 6-10)

    • Week 6-7: Pilot with 12 physicians at one hospital. AI-generated summaries reviewed by physicians before being saved to the chart.
    • Week 8: Feedback incorporated, adapter retrained with corrections (50 additional examples per adapter)
    • Week 9-10: Rolled out to all 3 hospitals. Monitoring dashboards tracked adoption and quality.

    The Results

    After 3 Months of Production Use

    | Metric | Before AI | After AI | Change |
    |---|---|---|---|
    | Physician documentation time | 2.1 hrs/day | 0.8 hrs/day | -62% |
    | Discharge summary turnaround | 4.2 hours | 35 minutes | -86% |
    | Referral letter turnaround | 2.8 hours | 15 minutes | -91% |
    | Documentation-related complaints | 14/month | 3/month | -79% |
    | Physician satisfaction (survey) | 3.1/10 | 7.8/10 | +152% |

    Cost Analysis

    | Item | Annual Cost |
    |---|---|
    | Previous state: Overtime and locum costs attributed to documentation burden | $280,000 |
    | AI deployment: Hardware ($8,500 amortised over 3 years) + agency retainer ($36,000/year) + electricity ($1,000/year) | $39,833/year |
    | Net annual savings | $240,167 |

    ROI: 503% in the first year (accounting for the $80,000 implementation fee).

    Staff Satisfaction

    The most significant outcome was not financial. Physician satisfaction scores for documentation workflow improved from 3.1 to 7.8 out of 10. Two physicians who had been considering leaving cited the reduced documentation burden as a factor in staying. Retaining even one physician avoids $500K-1M in recruitment and onboarding costs.

    Lessons Learned

    What Worked Well

    1. Starting with the de-identification pipeline. Building a robust, auditable de-identification process first gave the compliance team confidence in the entire project.
    2. Physician involvement in evaluation. Having clinicians review model outputs during validation — not just at pilot — caught issues early and built trust.
    3. n8n for orchestration. The visual workflow builder made it easy to demonstrate the data flow to the compliance officer. "Show me where the data goes" was answered by showing the n8n workflow.
    4. LoRA adapters for multiple tasks. Training separate adapters for each task (summarisation, discharge, referral) was better than one multi-task model. Each adapter could be evaluated and updated independently.

    What They Would Do Differently

    1. More training data for referral letters. 1,800 examples was the minimum viable dataset. Quality improved noticeably when 500 additional examples were added during the pilot feedback phase.
    2. Earlier integration testing with Epic. The FHIR webhook integration took longer than expected due to Epic's specific authentication requirements. Starting this in parallel with fine-tuning would have saved a week.
    3. Physician champions first. Identifying 2-3 enthusiastic physician early adopters before the pilot accelerated adoption. The physicians who were sceptical were convinced by their peers, not by the agency.

    Replicating This Model

    For agencies considering healthcare AI deployments:

    1. The technical stack is replicable — n8n + vLLM + LoRA adapters work across healthcare organisations
    2. The compliance framework is standardised — HIPAA requirements are the same for every US healthcare deployment
    3. The data preparation pipeline is the bottleneck — invest in building a robust de-identification process
    4. Start with clinical note summarisation — it has the clearest ROI and the most straightforward evaluation criteria
    5. Use Ertas Studio for fine-tuning — it removes the ML expertise requirement from the agency team

    Ship AI that runs on your users' devices.

    Ertas early bird pricing starts at $14.50/mo — locked in for life. Plans for builders and agencies.
