OpenClaw for patient communication on WhatsApp and SMS
As raw technology, OpenClaw handles patient communication on WhatsApp well, but raw OpenClaw ships with no Business Associate Agreement and no built-in HIPAA compliance program — which means texting PHI through it puts your practice at risk. PhiClaw is the HIPAA-ready build of this technology: it adds encryption, consent tracking, audit logging, and a signed BAA so every WhatsApp, iMessage, SMS, and Telegram message your practice sends meets federal standards.
Why patient messaging on WhatsApp is a compliance minefield
The HIPAA Security Rule requires that any channel carrying protected health information (PHI) — appointment details, diagnoses, prescription follow-ups — be encrypted in transit and at rest, access-controlled, and auditable. WhatsApp uses end-to-end encryption between devices, but that alone does not satisfy HIPAA. The covered entity (your practice) still needs a signed Business Associate Agreement (BAA) with every vendor that touches PHI on its behalf, plus documented policies, access logs, and a breach-notification process.
Most off-the-shelf AI tools skip this entirely. Raw or self-hosted OpenClaw is open-source software — there is no company behind the open-source project to sign a BAA with you, and there is no built-in HIPAA compliance program. Using it to send appointment reminders or after-hours replies that include PHI creates an immediate gap that OCR (the HHS Office for Civil Rights) looks for during audits.
This post is general information, not legal advice. Consult your privacy officer or healthcare attorney for guidance specific to your practice.
What PhiClaw adds to make OpenClaw patient communication HIPAA-ready
PhiClaw is the HIPAA-compliant, healthcare-ready build of OpenClaw technology. The differences are not cosmetic — they are the legal and technical layer that lets you put PHI in a message without losing sleep.
- Signed BAA: PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock for AI models) and Convex.
- PHI minimization: the system is designed to share the minimum PHI necessary per message — it does not paste entire charts into a WhatsApp thread.
- Encryption in transit and at rest: all message content is encrypted end-to-end and stored on encrypted AWS infrastructure.
- Consent tracking: patient consent for receiving messages via each channel is recorded and stored before PHI is sent.
- Full audit logging: every message in, every message out, every staff action is logged with timestamps — exactly what an OCR auditor expects to see.
- Access controls: only authorized team members can view message histories or trigger outbound PHI.
Every channel your patients already use
One of the biggest friction points in patient engagement is meeting people where they already are. Patients in different demographics prefer different channels — some live in WhatsApp, others in iMessage, some in Telegram or a web chat widget. Asking everyone to download yet another app kills adoption.
PhiClaw meets patients on WhatsApp, iMessage (SMS/Apple Messages), Slack, Telegram, and a web or mobile app — all under the same HIPAA-compliant umbrella. Your team manages one inbox; patients reply wherever they are comfortable. The AI handles the routing.
54,000+ messages exchanged with real patients across these channels — 83% answered in under 60 seconds, including 12,156 after-hours replies.
What 54,000 messages actually look like in practice
In four months, PhiClaw has handled more than 54,000 patient messages for medical practices. That is not chatbot FAQ clicks — it is appointment scheduling, lead qualification, post-procedure follow-up, prescription renewal reminders, insurance questions, and supply re-orders, all via the messaging apps patients already have on their phones.
True Bliss Medical (Dr. Alex Rios, med spa): before PhiClaw, three front-desk employees were missing follow-ups and letting leads go cold. PhiClaw now handles inbound WhatsApp and SMS inquiries, routes urgent items to staff, sends post-treatment follow-ups, and flags anything that needs the doctor's clinical judgment. Dr. Rios's words: he 'gets to be a doctor again, not a supervisor.'
Captivate MD (Dr. Marcelo Taborga, med spa, Long Island NY): he planned to hire a front-desk employee before opening. He did not. PhiClaw runs all patient communication for the practice, created and posted his last 50 Instagram posts, and replaced the EHR and CRM he was about to purchase — saving over $7,000 per month.
The consent and texting compliance checklist
Beyond HIPAA, patient texting sits at the intersection of several regulatory layers. Here is what compliant OpenClaw patient communication on WhatsApp and SMS requires, and how PhiClaw addresses each:
- HIPAA BAA: required before any PHI travels through a third-party system. PhiClaw signs one with your practice.
- Patient consent: patients must opt in to receive texts containing health information. PhiClaw records channel-specific consent before sending.
- TCPA compliance (for SMS): for marketing texts, prior express written consent is required. PhiClaw's message flows distinguish appointment/care messages from promotional ones.
- WhatsApp Business Policy: WhatsApp requires businesses to send only pre-approved message templates for outbound notifications. PhiClaw manages template registration and use.
- Opt-out handling: patients must be able to stop messages at any time. PhiClaw processes STOP/UNSUBSCRIBE replies automatically and logs them.
- Breach notification readiness: if a message incident occurs, audit logs let your privacy officer reconstruct exactly what was sent, when, and to whom.
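The consent, opt-out and audit items in the checklist above, as an added illustration that is not PhiClaw's or OpenClaw's code: a minimal Python consent ledger that gates outbound PHI on channel-specific opt-in, revokes consent on STOP/UNSUBSCRIBE replies, and writes an audit entry for every decision. The opt-out keyword set, the method names and the choice to log a digest instead of the message body are assumptions.

```python
import hashlib
from datetime import datetime, timezone

# Assumed opt-out keyword set; carriers and WhatsApp publish their own lists.
OPT_OUT_KEYWORDS = {"STOP", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


class ConsentLedger:
    """Channel-specific consent plus an append-only audit trail (constructed example)."""

    def __init__(self):
        self._consent = {}   # (patient_id, channel) -> True (opted in) / False (opted out)
        self.audit = []      # one dict per event; never holds message bodies

    def _log(self, event, patient_id, channel, **extra):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, "patient": patient_id,
                           "channel": channel, **extra})

    def record_consent(self, patient_id, channel, method):
        # Consent is per channel: a WhatsApp opt-in does not cover SMS.
        self._consent[(patient_id, channel)] = True
        self._log("consent_granted", patient_id, channel, method=method)

    def handle_inbound(self, patient_id, channel, text):
        # Every inbound message is logged; an opt-out keyword revokes consent
        # for that channel only and is itself recorded for audit.
        word = text.strip().upper()
        if word in OPT_OUT_KEYWORDS:
            self._consent[(patient_id, channel)] = False
            self._log("opt_out", patient_id, channel, keyword=word)
            return "opted_out"
        self._log("inbound", patient_id, channel, length=len(text))
        return "received"

    def send(self, patient_id, channel, body, contains_phi, kind="care"):
        # Gate: PHI and promotional (TCPA-style) messages need recorded consent
        # on this channel; a consent-request text with no PHI may still go out.
        if (contains_phi or kind == "marketing") and not self._consent.get((patient_id, channel)):
            self._log("send_blocked", patient_id, channel, reason="no_consent", kind=kind)
            return False
        # Log a digest rather than the body so the audit trail holds no PHI but
        # can still be matched to the encrypted message store.
        digest = hashlib.sha256(body.encode()).hexdigest()
        self._log("outbound", patient_id, channel, kind=kind, phi=contains_phi, sha256=digest)
        return True
```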
How PhiClaw compares to other AI messaging tools
Several AI platforms now offer patient-facing chat. The differences matter for compliance and for how much of your workflow actually gets covered.
Lassie is a legitimate healthcare company (backed by a16z) focused on dental billing and admin — it covers that slice well. PhiClaw runs the entire practice across specialties: messaging, EHR, CRM, scheduling, SEO, social, and supply ordering in one system.
Lindy is a capable general-purpose AI assistant that does offer HIPAA compliance and signed BAAs on its Enterprise plan. The distinction is specialization: Lindy is built for knowledge workers broadly; PhiClaw is built specifically for medical practices, with a built-in HIPAA EHR, controlled-substance e-prescribe (EPCS), and 30+ EHR integrations baked in.
General tools like ChatGPT, Perplexity, Viktor, or Poke are not designed for healthcare, do not offer healthcare BAAs, and are not appropriate for messages containing PHI.
Getting started with compliant patient messaging
PhiClaw connects to more than 30 major EHRs and CRMs — including Epic, Athenahealth, eClinicalWorks, NextGen, ModMed, DrChrono, Healthie, Elation, and Tebra — via direct API and a Keragon partnership. That means patient data does not have to be re-entered; the AI pulls context from your existing records to give accurate, personalized replies.
Pricing starts at $300/month (Starter) for smaller practices and $1,000/month (Growth) for the full AI employee experience — unlimited messages, not credit-based. An Enterprise/Performance tier is priced at 30% of documented labor savings. Free EHR and CRM migration is included.
Every client so far has come through doctor-to-doctor referral. Zero ad spend, zero churn since launch. The product is four months old and already executing 76,000+ tasks per month for physicians.
The licensed clinician always remains the decision-maker for clinical judgment, prescribing, and diagnosis. PhiClaw handles the workflow so the doctor can focus on the patient.
Key takeaway: Raw OpenClaw can handle patient messaging on WhatsApp and SMS, but it has no BAA and no built-in HIPAA compliance program — putting your practice at legal risk the moment PHI enters the conversation. PhiClaw is the HIPAA-ready build: it signs the BAA, encrypts every message, tracks consent, and logs everything, across every channel your patients already use.
Frequently asked questions
Is OpenClaw patient communication on WhatsApp HIPAA compliant?
Raw or self-hosted OpenClaw is open-source software with no built-in HIPAA compliance program and no company that can sign a Business Associate Agreement. That makes it unsuitable for messages containing PHI on its own. PhiClaw is the HIPAA-compliant build of this technology: it signs a BAA with your practice, encrypts all data in transit and at rest, tracks patient consent, and maintains full audit logs on HIPAA-eligible AWS infrastructure.
Can I legally text patients on WhatsApp with PHI?
Yes, with the right safeguards. You need a signed BAA with any vendor that handles PHI, documented patient consent for that channel, encryption, and audit logging. WhatsApp's end-to-end encryption between devices is not sufficient on its own — your practice-side infrastructure and vendor agreements must also meet the HIPAA Security Rule. PhiClaw addresses all of these requirements.
What messaging channels does PhiClaw support?
PhiClaw handles patient communication on WhatsApp, iMessage (SMS / Apple Messages), Slack, Telegram, and a web or mobile app — all under the same HIPAA-compliant system. Patients use whichever channel they prefer; your team sees one unified inbox.
Does PhiClaw work with my existing EHR?
PhiClaw integrates with more than 30 major EHRs and CRMs including Epic, Athenahealth, eClinicalWorks, NextGen, ModMed, DrChrono, Healthie, Elation, Veradigm, CharmHealth, Practice Fusion, and Tebra via direct API and a Keragon partnership. It also includes its own built-in HIPAA EHR and CRM with free migration if you want to consolidate.
How quickly does PhiClaw respond to patient messages?
83% of patient messages are answered in under 60 seconds. In four months the system has sent 12,156 after-hours replies — the ones that would otherwise sit unanswered until morning and cost you the lead or the appointment.
Want HIPAA-compliant AI running your practice — without the compliance risk?
PhiClaw signs a Business Associate Agreement (BAA) with your practice and runs on HIPAA-eligible infrastructure, with BAAs in place with our subprocessors AWS (including Amazon Bedrock) and Convex. HIPAA-compliant inbound and outbound calls are handled by our voice partner Retell AI, which is also under BAA.