Use case · Healthcare assistant
Patient context across visits, with the audit trail
Pre-existing conditions, medication mentions, follow-up notes. On-prem or EU-hosted. Every read and write logged with a lawful-basis tag.
The pain
Patient mentions chest pain. Next visit, the AI does not know.
A clinic in Berlin runs an AI triage assistant. During an April appointment, the patient mentions intermittent chest pain. The note ends up in a free-text field in the patient record system. The AI assistant moves on to the next visit.
Three months later, the same patient returns for a routine follow-up. The assistant has no recall of the chest-pain mention. The doctor has to scroll the record manually, hope it surfaces, and pretend the assistant has helped. The assistant is a transcription tool, not memory.
Building real memory for a clinic is not just a technical problem. The data is special-category under GDPR. Every read needs a lawful basis. The audit log needs to be tamper-evident. The infrastructure has to satisfy NIS2 and the upcoming EU AI Act. CLOUD Act exposure rules out US-hosted vendors before the conversation starts.
The shape of the fix
On-prem deployment, lawful-basis tags, audit log for every operation
Inside the clinic
Triage AI handles the visit
- Reads patient context, drafts notes
- Optionally syncs a summary to the EHR
Korely vault — on-prem
Memory stays inside the clinic network
- Encrypted at rest and in transit
- Every fact carries a lawful_basis tag
- No outbound traffic by default
Audit log
Every read and write is recorded
- Timestamp, agent_id, lawful basis, patient_id
- Exportable for inspection
- Tamper-evident, retention configurable
The vault never leaves the clinic. The audit log is the GDPR record-of-processing for the AI tier.
How Korely fits
On-prem container, EU-only fallback, audit log built in
The Korely container ships ready for restricted deployment. Set deployment="on-prem" and the entire stack — vault, MCP server, search index, audit log — runs inside the clinic network. No outbound traffic by default.
If on-prem is too heavy, the EU-hosted option keeps everything in Helsinki under Finnish data-protection authority. No US transit, no CLOUD Act exposure.
Every memory operation records the lawful basis. The lawful_basis field accepts the GDPR Article 6 grounds: vital-interest, contract, consent, legal-obligation, public-task, legitimate-interest. Audit exports filter by basis, making subject access requests tractable.
Show me the code
On-prem config, lawful-basis-tagged memory
from korely_memory import Korely

# On-prem deployment inside the clinic network
korely = Korely(
    deployment="on-prem",
    audit_log=True,
    encryption="at-rest-and-in-transit",
)

# Patient ID is hashed before being written.
# hash_patient is a clinic-side helper that this page does not show; a keyed
# hash (HMAC) resists enumeration of patient numbers, an unkeyed hash does not.
patient_id = hash_patient("PAT-2026-04812")

korely.add(
    "Patient mentioned intermittent chest pain during visit on "
    "2026-04-12. Pre-existing: hypertension. Medication: lisinopril 10mg.",
    agent_id="clinic-charlottenburg",
    metadata={"patient_id": patient_id},
    lawful_basis="vital-interest",
)

# Three months later, follow-up visit
context = korely.search(
    "clinically significant mentions",
    agent_id="clinic-charlottenburg",
    metadata_filter={"patient_id": patient_id},
)

# Every search/add is in the audit log:
# timestamp, agent_id, lawful_basis, patient_id, op_type
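The page does not say how the audit log is made tamper-evident. As an added illustration (not Korely's code or API), the example below hash-chains records that carry the fields listed above and filters an export by lawful basis; the function names, the HMAC pseudonymization of the patient ID, and the sample timestamps are assumptions constructed for this example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash of the first record
BASES = {"vital-interest", "contract", "consent",
         "legal-obligation", "public-task", "legitimate-interest"}

def pseudonymize(patient_ref, key):
    """Keyed HMAC (assumption): short patient numbers cannot be enumerated."""
    return hmac.new(key, patient_ref.encode(), hashlib.sha256).hexdigest()

def _digest(prev_hash, body):
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append_entry(log, timestamp, agent_id, lawful_basis, patient_id, op_type):
    """Append a record whose hash commits to the record before it."""
    if lawful_basis not in BASES:
        raise ValueError(f"unknown lawful basis: {lawful_basis!r}")
    body = {"timestamp": timestamp, "agent_id": agent_id,
            "lawful_basis": lawful_basis, "patient_id": patient_id,
            "op_type": op_type}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({**body, "prev_hash": prev_hash, "hash": _digest(prev_hash, body)})
    return log[-1]

def verify_chain(log):
    """Return the index of the first record that fails, or None if intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry["prev_hash"] != prev_hash or entry["hash"] != _digest(prev_hash, body):
            return i
        prev_hash = entry["hash"]
    return None

def export_by_basis(log, lawful_basis):
    """Filter an export by lawful basis, e.g. for a subject access request."""
    return [e for e in log if e["lawful_basis"] == lawful_basis]

def sample_log(key):
    """Constructed sample: one write, then a read at the follow-up visit."""
    log, pid = [], pseudonymize("PAT-2026-04812", key)
    append_entry(log, "2026-04-12T09:30:00Z", "clinic-charlottenburg", "vital-interest", pid, "add")
    append_entry(log, "2026-07-14T10:05:00Z", "clinic-charlottenburg", "vital-interest", pid, "search")
    return log
```

Chaining detects edits and deletions only while the latest hash is also kept somewhere the log writer cannot modify; anyone able to rewrite the whole log can recompute every hash.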
Frequently asked
Healthcare deployment, common questions
Why is patient memory for AI healthcare assistants harder than other verticals?
Healthcare data is special-category under GDPR. Every read and every write needs a lawful basis, an audit log, and a defined retention policy. On top of that, EU-based clinics typically cannot accept CLOUD Act exposure, which rules out most US-hosted vendors.
Where is the data physically stored?
You choose. On-prem inside the clinic infrastructure, or on EU-only servers in Helsinki. The container can run fully air-gapped if the deployment requires it.
Is there an audit log?
Yes. Every add and every search records timestamp, agent_id, lawful basis, and the patient identifier in a tamper-evident log. The log is exportable for inspection.
How does lawful-basis tagging work?
Every memory carries a lawful_basis field: vital-interest, contract, consent, legal-obligation. Search and export operations can filter by basis, useful when responding to subject access requests.
Is Korely a covered entity or business associate under HIPAA?
Korely is software, not a service provider. For HIPAA deployments in the US, the on-prem option keeps you in control of the BAA. We do not offer a managed HIPAA-covered service today.
Talk to us about on-prem
Healthcare deployments need bespoke setup, a signed DPA, and
an audit-log retention agreement. Reach out and we'll scope it.