OpenClaw for doctors: what it is and how to use it safely

OpenClaw for doctors is a question worth answering precisely: OpenClaw is a powerful open-source AI agent platform, but it ships with no Business Associate Agreement and no built-in HIPAA compliance program. You cannot use raw OpenClaw with patient data. PhiClaw is the HIPAA-compliant build of this technology — it signs a BAA with your practice, runs on HIPAA-eligible infrastructure, and handles the whole practice, not just one task.

What OpenClaw actually is

OpenClaw is an open-source AI agent platform. Think of it as a sophisticated engine for building AI workers that can read, reason, and take action — answering messages, filling out forms, drafting documents, routing tasks, and more. Because it is open-source, anyone can download and run it.

That openness is its strength and its limitation. Open-source software does not come with a vendor standing behind it, ready to sign a legal agreement about how your patients' protected health information (PHI) is handled. A Business Associate Agreement (BAA) — the contract required by HIPAA before any vendor can touch PHI — simply does not exist for a raw open-source project. The project cannot sign one; there is no company to enforce it.

So doctors land on OpenClaw, get excited about what AI agents can do, and then face a hard stop: this is not a HIPAA-ready product out of the box.

Why doctors are searching for OpenClaw

The underlying capability is genuinely compelling. AI agents can answer patient messages at any hour, draft clinical notes, manage scheduling, send follow-up reminders, generate SEO content, handle prescription refill requests, and route leads from your website — all without a human in the loop for every task.

Doctors who have heard about OpenClaw are usually looking for exactly this: an AI that can run the operational side of a practice so the clinician can practice medicine instead of managing tasks. That is a real, solvable problem. The issue is that open-source software alone cannot be the answer when patient data is involved.

The HIPAA gap in raw OpenClaw

HIPAA requires every vendor who stores, processes, or transmits PHI to sign a BAA with your practice. Without it, you are in violation the moment patient data touches that system — even if the data never leaves your building. There is no workaround.

Raw or self-hosted OpenClaw has no BAA, no HIPAA-eligible infrastructure guarantee, no encryption-at-rest policy enforced by a vendor, no audit logging managed to HIPAA standards, and no PHI minimization controls. If you run it on a standard cloud server or your own hardware without building those controls yourself, the platform is not HIPAA-compliant.

• No Business Associate Agreement available from the open-source project
• No vendor-managed encryption in transit and at rest for PHI
• No built-in audit logging to HIPAA standards
• No access controls or PHI minimization enforced by default
• No subprocessor BAAs (cloud provider, AI model API) arranged for you

Building all of that on top of raw OpenClaw is possible in theory. In practice it requires a dedicated security and compliance engineering effort most medical practices cannot sustain — and it still leaves you without a vendor to sign the BAA your attorney and malpractice insurer will ask for.

PhiClaw: the HIPAA-compliant build of OpenClaw for doctors

PhiClaw is built on this same AI agent technology and adds everything a medical practice needs to use it legally and safely with patient data. PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock for the AI models) and Convex.

That means the full stack — the AI models, the database, and the platform — is covered under a proper compliance structure, not just the front-end interface you see.

• BAA signed with your practice before any PHI touches the system
• Runs on AWS with encryption in transit and at rest
• PHI minimization: the system only processes what it needs
• Full audit logging for every action the AI agent takes
• Access controls so only the right people see the right data
• Amazon Bedrock for the underlying AI models, also covered by BAA
• On-premises deployment option available for enterprise practices

This is not a checkbox compliance product. PhiClaw also ships with a built-in HIPAA-compliant EHR and CRM, so you can replace the stack you already pay for, not just add another tool on top.

What PhiClaw does for a medical practice

The capabilities that make OpenClaw attractive to doctors are fully available in PhiClaw — with the compliance layer already built in. Based on 76,000+ tasks executed for medical practices in four months of operation, here is what the AI agent handles day to day:

• Answering patient messages — 83% in under 60 seconds, including 12,156 after-hours replies
• Drafting and posting SEO blog posts, social content, and emails (183 SEO blogs, 270+ social posts produced for clients)
• Generating clinical documents: SOAP notes, Botox templates, prior auth letters, PDFs
• Managing leads — routing inquiries, sending follow-ups, booking consultations
• Reordering supplies and medications (peptides, GLP-1s, injectables)
• Running payroll reminders and keeping staff accountable to their task queues
• Connecting to 30+ major EHRs and CRMs including Epic, Athenahealth, eClinicalWorks, NextGen, ModMed, DrChrono, and more via 300+ HIPAA-compliant integrations

The clinician remains the licensed decision-maker for all clinical judgments. PhiClaw assists with workflow — the doctor reviews, approves, and prescribes. The AI handles the administrative load that currently consumes hours of physician time every day.

Practices report saving roughly 70 hours per week per doctor in administrative time — approximately $7,000 per month in labor costs. The product is reachable on WhatsApp, iMessage, Slack, Telegram, and a web or mobile app.

Two medical practices using it right now

Captivate MD (Dr. Marcelo Taborga, med spa, Long Island, NY): Before opening his practice, Dr. Taborga planned to hire a front-desk employee and a marketing agency. After PhiClaw, he hired neither. The AI runs his med spa, has created and posted his last 50 Instagram posts, and replaced the EHR and CRM he was about to buy. Net savings: over $7,000 per month.

True Bliss Medical (Dr. Alex Rios, med spa): Dr. Rios had three employees who kept missing tasks and responding slowly to leads. PhiClaw now supervises the team, handles follow-ups, routes leads, writes SEO blogs, reorders medications including GLP-1s and peptides, turns laser hair removal readings into SOAP notes, and sends payroll reminders. In his words, he gets to be a doctor again instead of a supervisor.

Both practices came through doctor-to-doctor referrals with zero paid advertising. The product is four months old, has 10 paying practices plus more in a free pilot, and has had 0% churn since launch.

Pricing and how to get started

PhiClaw is priced to be straightforward — no credit systems, no per-message fees at the core tiers.

• Starter — $300/month: Core AI agent capabilities for smaller practices
• Growth — $1,000/month: The full AI employee with unlimited messages, ideal for active practices
• Enterprise/Performance — 30% of documented savings: For larger groups who want pricing tied to results

All plans include free migration of your existing CRM and EHR data. The BAA is signed before you go live. There is no setup fee for the migration.

Frequently asked questions

Is OpenClaw HIPAA compliant?

Raw or self-hosted OpenClaw is not HIPAA compliant. It is an open-source project with no Business Associate Agreement and no built-in HIPAA controls. PhiClaw is the HIPAA-compliant version of this technology — it signs a BAA with your practice and runs on HIPAA-eligible infrastructure with encryption, audit logging, and PHI minimization built in.

Can I use OpenClaw with patient data?

Not without building your own HIPAA compliance stack on top of it, which requires significant engineering work and still leaves you without a vendor BAA. The practical answer for most practices is to use PhiClaw, which handles all of that and provides a signed BAA before any patient data enters the system.

What is a Business Associate Agreement (BAA) and why do I need one?

A BAA is a contract required by HIPAA between your practice and any vendor that stores, processes, or transmits protected health information (PHI). Without it, using that vendor with patient data is a HIPAA violation regardless of how the data is handled. PhiClaw signs a BAA with every practice before going live.

How is PhiClaw different from just self-hosting OpenClaw?

PhiClaw adds the full compliance layer: a signed BAA, HIPAA-eligible AWS infrastructure, encryption in transit and at rest, PHI minimization, access controls, audit logging, and BAAs with subprocessors including Amazon Bedrock and Convex. It also ships with a built-in HIPAA EHR and CRM, 300+ compliant integrations, and connects to 30+ major EHR systems. Self-hosting OpenClaw provides none of those guarantees.

Does PhiClaw work with my existing EHR?

PhiClaw integrates with 30+ major EHR and CRM platforms including Epic, Athenahealth, Oracle Health (Cerner), eClinicalWorks, NextGen, ModMed, DrChrono, Healthie, Elation, and more via API and a Keragon partnership — covering 300+ HIPAA-compliant integrations in total. It also includes its own built-in HIPAA EHR with e-prescribing including controlled substances (EPCS), and provides free migration from your current system.