Ertas + OpenClaw for Healthcare

Healthcare providers using OpenClaw for patient communication, clinical note processing, and appointment management face HIPAA violations when routing through cloud APIs. Ertas enables compliant deployment with fine-tuned local models that keep PHI on-premises and outperform generic models on clinical tasks.

The Challenge

Healthcare providers see immediate value in OpenClaw: automating appointment scheduling through messaging platforms, triaging patient inquiries, processing clinical notes, generating referral letters, and managing insurance pre-authorisation correspondence. These workflows consume significant administrative time: the average medical practice spends 15-20 hours per week on tasks that an AI agent could handle.

But HIPAA's Privacy Rule prohibits the disclosure of Protected Health Information (PHI) to third parties without patient consent or a Business Associate Agreement (BAA). When OpenClaw processes a patient inquiry through a cloud API, the patient's name, condition, treatment history, and contact details are transmitted as prompt input. The standard OpenAI and Anthropic APIs do not include BAAs, and even with an Enterprise BAA in place, the data flow creates audit exposure that most compliance officers will not accept.

The risk is not theoretical. Enforcement actions by the HHS Office for Civil Rights (OCR) have targeted organisations for transmitting PHI through systems without adequate safeguards. A healthcare provider using OpenClaw with cloud APIs is creating a data flow that sends PHI to a third-party server with every patient interaction. Each message, each note, each appointment request becomes a potential compliance violation.

Meanwhile, generic AI models frequently hallucinate on clinical terminology, misclassify triage urgency, and produce responses that do not align with a practice's specific protocols. The productivity gain from OpenClaw is undermined when staff spend time correcting AI-generated clinical content.

The Solution

Ertas enables healthcare providers to deploy OpenClaw with fine-tuned local models that eliminate the HIPAA compliance problem entirely. All inference runs on the provider's own infrastructure through Ollama, so PHI never leaves the premises. No BAA is needed because no third-party processor is involved.

The fine-tuned model is trained on the provider's actual clinical workflows: their triage criteria, appointment scheduling protocols, referral letter templates, and patient communication style. A model fine-tuned on a dermatology practice's data understands the difference between urgent (suspicious lesion, rapidly changing mole) and routine (annual skin check, cosmetic consultation) in the context of that specific practice, not just in terms of general medical knowledge.

For healthcare networks and agencies managing multiple practices, Ertas's LoRA adapter system deploys a single base model with per-practice adapters. Each practice's patient communication style, clinical specialty, and scheduling protocols are captured in a lightweight adapter (50-200MB), while the shared base model handles general language capabilities.

Key Features

HIPAA-Compliant Inference (Studio)

All OpenClaw inference runs locally through Ollama on the provider's infrastructure. PHI is processed on-premises; no patient data is transmitted to cloud APIs. The architecture eliminates the need for BAAs with AI providers and removes the largest HIPAA compliance risk from AI agent deployments.

Clinical Workflow Fine-Tuning (Studio)

Studio enables fine-tuning on the practice's clinical data: triage protocols, appointment scheduling rules, referral templates, and patient communication patterns. The resulting model understands the practice's specific clinical context, reducing hallucinations and improving accuracy on domain-specific tasks.

Multi-Practice Deployment (Cloud)

Cloud supports deploying per-practice LoRA adapters on a shared base model, ideal for healthcare networks, management groups, and agencies serving multiple practices. Each practice gets customised AI behaviour with strict data isolation between tenants.

Encrypted Data Management (Vault)

Vault provides encrypted storage for training datasets, model weights, and inference logs. Access is controlled by API key with full audit logging, satisfying the access control and audit trail requirements that HIPAA mandates for systems processing PHI.

Example Workflow

A multi-location dental practice group in Melbourne (5 locations, 12 dentists) deploys OpenClaw to automate patient communication across WhatsApp and SMS. Currently, front-desk staff at each location spend 3-4 hours daily responding to appointment inquiries, sending reminders, handling rescheduling requests, and answering pre-appointment questions about procedures and insurance coverage.

The practice group exports 8,000 patient communication threads (anonymised) from their practice management system, covering appointment scheduling, procedure inquiries, insurance questions, and post-procedure follow-ups. This dataset is uploaded to Ertas Studio, where a Qwen 2.5 7B base model is fine-tuned with LoRA. The resulting model achieves 93% accuracy on intent classification (booking vs. rescheduling vs. inquiry vs. emergency) and generates responses that match the practice group's communication guidelines. A per-location LoRA adapter captures each location's specific scheduling availability, dentist specialties, and insurance panels.

The model is deployed on a single Mac Mini M4 Pro at the group's central office, running Ollama with adapter hot-swapping. OpenClaw instances at each location connect to the central server over the practice group's private network.

After deployment, front-desk staff time on messaging drops from 3-4 hours to 30-45 minutes daily (focused on reviewing and approving AI-drafted responses for complex cases). No patient data leaves the practice group's network. HIPAA compliance is maintained by design.

Compliance & Security

Local deployment ensures PHI never leaves the provider's infrastructure. No Business Associate Agreement is required with AI providers because no third-party processor handles patient data. The architecture satisfies HIPAA Privacy Rule requirements for PHI safeguarding, HIPAA Security Rule requirements for access controls and audit trails (via Vault), and state-level health privacy regulations. For practices accepting Medicare/Medicaid, the architecture also addresses CMS requirements for data handling in automated systems. Keeping inference on-premises removes the third-party disclosure; the inference host, adapters, and logs remain systems holding ePHI under the provider's own Security Rule obligations, so the path from each OpenClaw instance to the central server should be verified as private and monitored so that no agent is ever reconfigured to route prompts to a cloud endpoint.
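As an added example (not Ertas or OpenClaw code; the agent config keys, the resolver hook and the sample prompt are constructed for illustration), a pre-flight guard that enforces the data flow described in the workflow and compliance sections: before a PHI-bearing prompt is sent, it checks that the inference endpoint resolves only to private-network or loopback addresses, fails closed on anything else, and emits an audit record that carries a digest of the prompt rather than its contents.

```python
"""Egress guard: refuse to send a PHI-bearing prompt unless the inference endpoint
resolves only to on-premises (private or loopback) addresses, and log without PHI."""
import hashlib
import ipaddress
import socket
from datetime import datetime, timezone
from urllib.parse import urlparse

# Address ranges treated as on-premises for this check (RFC 1918, loopback, IPv6 ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fc00::/7")]

def resolve_host(host, port):
    """Default resolver: every address the OS returns; literal IPs need no DNS."""
    return [info[4][0] for info in socket.getaddrinfo(host, port)]

def is_on_premises(endpoint, resolver=resolve_host):
    """True only if the endpoint is http(s) and *every* resolved address is private.
    A public address, an unresolvable host or an unexpected scheme fails closed."""
    parsed = urlparse(endpoint)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        port = parsed.port or (443 if parsed.scheme == "https" else 80)
        addrs = resolver(parsed.hostname, port)
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and all(
        any(ipaddress.ip_address(a.split("%")[0]) in net for net in PRIVATE_NETS)
        for a in addrs)

def gate_inference(agent_config, prompt, resolver=resolve_host):
    """Return (allowed, audit_record). The record holds only a SHA-256 digest and
    the length of the prompt, never its text, so the audit log carries no PHI."""
    endpoint = agent_config["inference_endpoint"]  # hypothetical config key
    allowed = is_on_premises(endpoint, resolver)
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "location": agent_config["location"],      # hypothetical config key
        "adapter": agent_config["adapter"],        # per-practice LoRA adapter name
        "endpoint": endpoint,
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prompt_chars": len(prompt),
        "decision": "allow" if allowed else "block",
    }
    return allowed, record
```

Wire `gate_inference` in front of the agent's model call and ship the returned record to Vault's audit log; a "block" decision is the signal that an instance has drifted off the private network.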
