Is the agent ever giving clinical advice — and if not, where exactly is the line?
No. Repliant handles administrative and logistical conversations — scheduling, refills against your active list, prior-auth callbacks, post-discharge structured assessments, billing, financial assistance. Symptom triage, dosage adjustment, abnormal lab interpretation, and any conversation tagged "clinical" by your policy holds until a licensed clinician is on the call. The agent will say, in plain language, that it cannot interpret a symptom and will route to a nurse. Most systems run this as a hard wall, not a configurable threshold.
Can it actually write back to Epic / Cerner, or just read? Our analyst team is asking.
Both. Native read/write through FHIR R4 (US Core), HL7 v2 where FHIR coverage is incomplete, and vendor-specific APIs where they're current. The agent operates within scoped tools — it can book an appointment in Cadence, post a charge-corrected balance in Hyperspace billing, file a TCM-coded follow-up note (99495/99496) under the configured proxy provider, or push a prior-auth status to the order. It cannot, for example, edit a clinical note or change a problem-list entry. Scope changes flow through your existing Epic / Cerner change-management process and your interface team's QA.
How does this handle 42 CFR Part 2 records? Half our population sees behavioral health.
Substance-use-disorder records are flagged at the FHIR resource level (or HL7 segment level on legacy interfaces) and excluded from the agent's context window by default. If the patient has executed a Part 2 consent — verified against your consent registry on every read — the relevant resources become accessible to the workflow that consent covers, and no broader. The patient's right to revoke is wired to your existing consent management. A Part 2 disclosure log is part of the standard audit export.
What about hallucinated coverage rules or invented dosages? My CMO will not move past this.
The agent quotes only from your formulary, your provider directory, your fee schedule, and your eligibility responses — never from training data. Dosages are not produced by the model; they are read from the active medication list. Coverage rules are read from Availity / payor responses, not summarized from training. Where the model does not have a deterministic answer, it says so and routes to a human. We can walk your CMO through the prompt-construction policy and the tool-grounding contract in a single session.
TCPA — can it actually make outbound calls about appointments without exposing us?
Yes — within the healthcare-treatment exemption. Outbound is restricted to appointment reminders, post-discharge follow-up, refill confirmation, prior-auth and care-coordination contacts. Marketing requires recorded opt-in. Quiet hours, STOP / HELP keywords, frequency limits, and per-state restrictions are enforced at the channel layer. The agent does not initiate outbound to a number without a documented consent record — and the record is exportable for plaintiff-defense purposes.
What happens when a patient describes chest pain or suicidal ideation on a routine call?
The workflow stops. The agent acknowledges the patient with the protocol your clinical team has approved (typically a Joint Commission–aligned script), directs to 911 or 988 with the local PSAP routing on file, and — if the patient is willing — stays on the line until handoff to emergency services or a crisis clinician. The encounter is flagged in the chart with a "red-flag escalation" disposition for clinical review. We do not triage acute presentations. The agent does not provide reassurance, advice, or interpretation.
We have a BAA template our legal team wrote. Will you sign it, or do you push your own?
We sign yours. Repliant has executed BAAs against the templates of 11 health systems, including three integrated delivery networks with bespoke breach-notification windows tighter than the HIPAA default. Our standard BAA is available if you would prefer it. Subcontractor BAAs (LLM hosting, telephony, KMS) are in force and disclosed in the BAA exhibit before kickoff.
What's in the audit trail and can our privacy officer actually use it in an OCR review?
Every session emits a signed, immutable record: channel, patient context, tools called with arguments, policies evaluated, the PHI scope read, the chart fields written, the model trace, and the final disposition. Records are exportable to your existing GRC (ServiceNow IRM, MetricStream, RSA Archer) on whatever schedule your privacy officer configures. We have walked health systems' privacy officers through OCR-style audit samples in fifteen minutes. Right-to-access and right-to-amend workflows are wired to the same record.