How To Build a Safe, Secure Medical AI Platform
Date: October 22, 2025 * Topic: Healthcare
Stanford Health Care launched ChatEHR-a clinician-facing AI chat interface inside Epic that lets staff query a patient's chart in plain language. Underneath the UI is the ChatEHR Platform, a set of services that connect AI models to real-time clinical data while keeping privacy and security front and center.
The goal: bring useful AI into daily clinical workflows without exposing patient data, slowing clinicians down, or breaking existing systems. Here's the architecture and the practical lessons learned building it.
Why Healthcare AI Is Harder Than Typical LLM Apps
Healthcare isn't a playground for demos. Systems need current data, traceability, and tight integration with EHR workflows. Every feature must meet security, compliance, and reliability expectations-on day one.
Real-Time Data Access That Clinicians Can Trust
Nightly reporting databases were too slow for care decisions. Mixing that with HL7v2 events created reconciliation headaches. The team standardized on FHIR for consistent, vendor-neutral retrieval.
Adopting FHIR at enterprise scale brought its own work: completeness across sources, low latency, and reliability. Cross-team engineering delivered a near real-time foundation that ChatEHR uses today.
Processing Data Quickly (Without Losing Clinical Context)
Raw FHIR is great for systems, not for conversations. The platform transforms FHIR into LLM-ready structures while keeping source metadata for auditability. That preserves meaning and traceability.
Responses stay fast by splitting work across concurrent LLM calls tuned to clinical domains-meds, labs, imaging, procedures. This parallel flow supports large patient histories while keeping response times tight.
Translate Tech Data Into Clinician Language
Clinicians think in episodes, plans, and notes-not resource types. The platform reshapes system-level data into clinician-friendly views before displaying it, while retaining system IDs behind the scenes.
Connect LLMs to the EHR-Securely
A self-hosted gateway sits in front of all model calls. It centralizes authorization, audit logging, and monitoring across model vendors. One door in, one standard, one place to watch.
The ChatEHR Platform: Four Pillars
Pillar 1: LLM Router
All AI traffic flows through a router that selects the right model per request and normalizes calls into a standard format. Centralized logging simplifies support and observability.
Pillar 2: Real-Time Data Access via FHIR
A serverless service fetches and organizes clinical data using FHIR, with smart caching for common patterns. It breaks complex queries into parallel operations to keep performance steady at scale.
Pillar 3: Function Server
Task-specific endpoints turn general AI into healthcare functions. For ChatEHR, custom chat completion endpoints combine LLM reasoning with patient data retrieval. The same layer also powers workflow automations and NLP tasks.
Pillar 4: EHR Integration
An enterprise integration service manages the link between the platform, Epic, and other systems-authentication, rate limits, and detailed logs included. It also handles process automation and scheduling for application logic.
ChatEHR UI: How Clinicians Use It
ChatEHR lives inside Epic. It inherits user credentials and patient context, so clinicians start in the right chart with the right permissions. When a chat starts, the UI calls the function server, which taps the LLM router and FHIR data access to generate an answer with relevant context.
Clinicians can set date ranges and data sources up front. That keeps responses focused and clinically useful.
What's Next: Evaluation and a Scalable Vendor Model
A fifth capability is in development: responsible evaluation. Using the MedHELM framework, teams will continuously test safety and performance with real usage signals. Insights from anonymized logs help identify high-value use cases and guardrails.
The platform is also becoming the standard on-ramp for external AI tools. PHI stays inside the enterprise, and vendors plug into existing integration, model access, and evaluation services-no new one-off builds.
Practical Takeaways for Health Systems
- Pick one data backbone for low-latency reads. FHIR works well for standardization; add event streams only where they clear a clear accuracy or timeliness gap.
- Normalize all model calls behind a single router. Centralize auth, rate limits, and logging to simplify governance.
- Preprocess clinical data into LLM-ready views. Keep original metadata for traceability and audits.
- Parallelize by domain (meds, labs, imaging) to handle large charts without slowing down.
- Embed directly into the EHR so context and permissions flow automatically.
- Instrument everything: model selection, prompts, responses, and data fetches. You can't improve what you can't see.
- Stand up an evaluation pipeline tied to real usage. Safety and usefulness are moving targets.
- Create a vendor integration pattern that keeps identifiable data inside your perimeter.
Further Reading
Skills and Training
If you're building clinical AI teams, explore focused learning paths by role at Complete AI Training.
Acknowledgments
- Nerissa Ambers
- Juan M. Banda
- Timothy Keyes
- Connor O'Brien
- Abby Pandya
- Carlene Lugtu
- Dev Dash
- Wencheng Li
- Jarrod Helzer
- Vicky Zhou
- Bilal Mawji
- Joshua Ge
- Travis Lyons
- Srikar Nallan
- Vikas Kakkar
- Patrick Sculley
- Nigam Shah
- Michael Pfeffer
Your membership also unlocks:
