Inspiration

My journey as a caregiver for a cancer patient motivated me to find alternatives to the paper-intensive process of fetching patient history, tests, and scans for a patient's tumor board, which results in proposed standards of care or clinical trials.

What it does

PP-MACDS is a framework — a complete set of reusable components that any healthcare organization can adopt to deploy AI agents with full HIPAA compliance, structurally enforced. It is not a single-purpose application; it provides the identity layer, authorization pipeline, differential privacy engine, consent management, and audit infrastructure needed to make any clinical AI use case provably compliant.

Our first use case is oncology — multi-domain treatment planning that coordinates radiology, pharmacy, and genomics agents — because it represents the hardest privacy problem: multiple specialists, highly sensitive data, and the greatest clinical urgency. If the framework can protect oncology patients, it can protect any clinical domain.

The framework solves the HIPAA compliance problem through three interlocking structural guarantees — each mathematically verifiable, each enforced mechanically rather than by policy.

1. Differential Privacy: Mathematical Privacy Guarantees

Every query result is perturbed with calibrated noise before it leaves the system. This is not ad-hoc masking — it is differential privacy (DP), the gold standard in privacy-preserving computation, deployed by the U.S. Census Bureau, Apple, and Google.

  • Per-query noise: Each clinical query (tumor staging, renal function, genomic variants) receives independent noise calibrated to the data's sensitivity
  • Hard budget caps: Each agent has a fixed privacy budget (epsilon). When the budget is exhausted, the agent halts — mechanically, not by policy. No override is possible.
  • Formal guarantee: The mathematical property ensures that no adversary, regardless of auxiliary information or computational power, can determine whether a specific patient's data was included in any output

Practical calibration: The system operates at a session-total epsilon of 17.0 — within NIST's "robust privacy protection" tier (5-20), below the 2020 U.S. Census deployment (19.6), and comparable to Apple and Google's production deployments (8-16 per day). Genomic queries, carrying the highest re-identification risk, receive the strictest treatment: the agent-level budget cap is ε=3.0 (vs. ε=8.0 radiology, ε=6.0 pharmacy), and the EGFR mutation status query operates at ε=1.0 — a 73% truth rate under randomized response.
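
An added example (not code from the PP-MACDS project) of the budget mechanics described above: a per-agent epsilon accountant that refuses queries once its cap is reached, with randomized response for a yes/no query such as EGFR mutation status. The type and function names and the seeded generator are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/rand"
)

// ErrBudgetExhausted means the query was refused before any data was read.
var ErrBudgetExhausted = errors.New("privacy budget exhausted")

// Agent tracks cumulative epsilon against a hard cap (sequential composition).
type Agent struct {
	Name         string
	Limit, Spent float64
	rng          *rand.Rand // seeded so the demo repeats; use a CSPRNG in production
}

// NewAgent is a hypothetical constructor; limit is the agent-level epsilon cap.
func NewAgent(name string, limit float64, seed int64) *Agent {
	return &Agent{Name: name, Limit: limit, rng: rand.New(rand.NewSource(seed))}
}

// TruthProb is the probability that randomized response reports the true bit.
func TruthProb(eps float64) float64 { return math.Exp(eps) / (1 + math.Exp(eps)) }

// RandomizedResponse answers a yes/no query under eps-DP, or refuses outright.
func (a *Agent) RandomizedResponse(truth bool, eps float64) (bool, error) {
	if eps <= 0 || a.Spent+eps > a.Limit {
		return false, ErrBudgetExhausted // the accountant exposes no override
	}
	a.Spent += eps // charge the budget before producing an answer
	if a.rng.Float64() < TruthProb(eps) {
		return truth, nil
	}
	return !truth, nil
}

func main() {
	// Agent caps from the text: 8.0 + 6.0 + 3.0 = 17.0 for the session.
	g := NewAgent("genomics", 3.0, 1)
	fmt.Printf("P(truth) at eps=1.0 = %.3f\n", TruthProb(1.0))
	for i := 1; i <= 4; i++ {
		ans, err := g.RandomizedResponse(true, 1.0)
		fmt.Printf("%s query %d: answer=%v err=%v spent=%.1f\n", g.Name, i, ans, err, g.Spent)
	}
}
```

With the genomics cap of 3.0, three queries at ε=1.0 are answered and the fourth is refused; `TruthProb(1.0)` evaluates to about 0.731, the 73% figure quoted above.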

2. Capability-Based Authorization: Structural Minimum Necessary

Instead of broad database access controlled by policies, each agent receives a cryptographically signed capability token (ZCAP-LD) that specifies exactly what data it can access, for how long, and with what privacy budget.

  • Three-level delegation chain: Patient root capability → session capability (time-bounded) → agent capability (action-restricted, budget-capped)
  • Structural enforcement: A radiology agent cannot query pharmacy data — not because a policy says so, but because its cryptographic token does not authorize those actions
  • Per-query token narrowing: The Patient Consent Mediator issues FHIR access tokens scoped to exactly one resource type, one LOINC code, one patient, with a 60-second TTL. There is no broad access token anywhere in the system.
  • Non-repudiation: Every capability delegation and every invocation is signed with Ed25519. The chain is independently verifiable by any party.

3. Patient-Controlled Consent: Cryptographic, Live, Revocable

Patient consent is not a checkbox — it is a self-sovereign identity (SSI) credential held in the patient's digital wallet.

  • Live binding: The patient's wallet creates a session-scoped DID (decentralized identifier) and delegates capabilities to the system. The wallet then goes offline — the patient's private key never leaves their device.
  • Instant revocation: If the patient revokes consent, the root capability is invalidated. Every downstream capability immediately fails cryptographic verification. No propagation delay, no manual intervention.
  • Session non-correlation: Each evaluation session uses a fresh, ephemeral DID. An observer cannot determine whether two sessions belong to the same patient. This prevents longitudinal inference attacks across sessions.
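
An added example (not PP-MACDS code) for the delegation chain in section 2 and the revocation behaviour in section 3: a verifier that walks patient root, session and agent capabilities, checking Ed25519 signatures, action attenuation and revocation. The `Cap` structure is a simplified stand-in for ZCAP-LD, and the capability IDs, action bit values and function names are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Cap is a simplified capability, not the ZCAP-LD JSON-LD wire format.
type Cap struct {
	ID, Parent string
	Holder     ed25519.PublicKey // key allowed to delegate this capability further
	Actions    uint8             // constructed bit set: 1 imaging, 2 medications, 4 genomics
	Sig        []byte            // made by the parent's Holder (root: the patient key)
}

func (c Cap) msg() []byte { // bytes a delegation signature covers
	return []byte(fmt.Sprintf("%q|%q|%x|%d", c.Parent, c.ID, c.Holder, c.Actions))
}

// Verify walks the chain root-first and fails closed on any bad link.
func Verify(chain []Cap, patient ed25519.PublicKey, action uint8, revoked map[string]bool) bool {
	signer, parent, allowed := patient, "", ^uint8(0)
	for _, c := range chain {
		if revoked[c.ID] || c.Parent != parent || c.Actions&^allowed != 0 ||
			len(signer) != ed25519.PublicKeySize || !ed25519.Verify(signer, c.msg(), c.Sig) {
			return false
		}
		signer, parent, allowed = c.Holder, c.ID, c.Actions
	}
	return len(chain) > 0 && action&^allowed == 0
}

// Demo builds patient -> session -> radiology agent with throwaway keys.
func Demo() ([]Cap, ed25519.PublicKey) {
	pp, ps, _ := ed25519.GenerateKey(nil) // patient wallet
	sp, ss, _ := ed25519.GenerateKey(nil) // session
	ap, _, _ := ed25519.GenerateKey(nil)  // radiology agent
	chain := []Cap{{ID: "root", Holder: pp, Actions: 7},
		{ID: "session", Parent: "root", Holder: sp, Actions: 7},
		{ID: "radiology", Parent: "session", Holder: ap, Actions: 1}}
	for i, k := range []ed25519.PrivateKey{ps, ps, ss} {
		chain[i].Sig = ed25519.Sign(k, chain[i].msg())
	}
	return chain, pp
}

func main() {
	c, p := Demo()
	fmt.Println(Verify(c, p, 1, nil), Verify(c, p, 2, nil), Verify(c, p, 1, map[string]bool{"root": true}))
}
```

The radiology agent's imaging request verifies, its medication request does not, and marking the root capability as revoked makes the same imaging request fail without touching the session or agent capabilities.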

How we built it

We leverage W3C standards for Decentralized Identifiers and Authorization Capabilities for Linked Data to provide cryptographically provable consent, authorization/delegation, scope, expiration and revocation for multi-agent systems.

Challenges we ran into

  • Creating synthetic data that provided structurally sound cancer patients.
  • PromptOpinion is a black box, which means it is very hard to troubleshoot integrations with external agents.

Accomplishments that we're proud of

  • We validated our idea with actual oncologists and we identified a real market need.
  • Our differential privacy approach combined with cryptography is a novel way of making HIPAA-compliant agents.

What we learned

  • The complex world of FHIR and Electronic Health Records.
  • Expanded our knowledge in Differential Privacy.

What's next for Privacy-Preserving Agentic Clinical Decision Support

  • We will demo this tool to actual oncologists and help them help us craft our tool to solve their real needs.
  • We will provide a user experience based on SMART on FHIR for a seamless integration with any compliant EHR system.
