File Index
Files in Folder 07 related to the Clinician Portal:
System Purpose & Scope
The Clinician Portal Problem Statement
The Clinician Portal is a role-based view into the Moonlitic Healthcore Intelligence Platform, designed for providers (physicians, nurses, pharmacists, care coordinators) who spend an average of 2+ hours daily outside of patient hours gathering data from disparate EHR systems, imaging archives, lab platforms, pharmacy networks, and prior authorization services.
Solving the "14-Hour Day" Problem
Instead of context-switching between 12+ systems to prepare for patient appointments, review imaging studies, check lab trends, coordinate with specialists, and evaluate clinical trial eligibility, clinicians use a unified intelligent interface that:
- Consolidates patient data from EHR, imaging, labs, medications, and claims in one morning briefing
- Visualizes the care team (12 specialists, 8 disciplines) with a hub-spoke model and pending action items
- Matches patients to clinical trials with FHIR-mapped eligibility criteria
- Provides FDA-compliant AI insights (CDS exemption) with evidence chains and audit trails
- Integrates marketplace trial enrollment with payout workflows (Folder 03)
Architecture Overview — 4-Layer Stack
The Clinician Portal operates as a distributed, stateless, cloud-native system across four layers:
1. Presentation Layer
Views: Morning Briefing, Care Team Board, Clinical Trials, AI Co-Pilot
Responsive: Surface Pro, iPad, iPhone, Android tablets
Demo (Current):
- Static HTML/CSS/JavaScript
- Mock data in JS arrays
- MoonliticAPI stubs
- Deployed on Netlify
Production (SaaS):
- React/Next.js frontend
- TypeScript with strict typing
- Server-side rendering (SSR) for SEO
- CDN distribution (Vercel, AWS CloudFront)
2. API Service Layer
RESTful endpoints + SMART on FHIR OAuth2 + WebSocket realtime
Core Endpoints (10 routes):
Auth: SMART on FHIR OAuth2, JWT bearer tokens, DICOMweb WADO-RS proxy
Realtime: wss://api.moonlitic.ai/v2/realtime (WebSocket)
3. Intelligence Layer
Engine: MoonliticClinicalLM (proprietary fine-tuned model)
Capabilities:
- Pattern detection (lab trends, imaging findings)
- Cross-specialty correlation (cardiology ↔ nephrology)
- HEDIS care gap detection (diabetes, hypertension)
- Drug interaction & allergy analysis
- Clinical trial eligibility matching
- Evidence-graded recommendations (A/B/C)
Execution: Azure Confidential Computing TEE (Trusted Execution Environment)
Data never leaves enclave. All inference logged to Azure Confidential Ledger.
4. Data Layer
Formats: FHIR R4, DICOMweb, EDI, CSV
FHIR Resources:
- Patient (identity, demographics)
- Condition (diagnoses, ICD-10)
- Observation (lab results, vital signs)
- MedicationRequest (active medications)
- DiagnosticReport (imaging, pathology)
Sources (Folder Dependencies):
- Folder 01: Consent gate (aclTransactionId)
- Folder 02: Clinical bundles
- Folder 04: Claims, HEDIS gaps
- Folder 07: Trial listings, literature DB
View Architecture — 4 Core Views
Each view is optimized for a specific clinical workflow:
Morning Briefing
Purpose: Next-day appointment prep in 15 minutes
Structure:
- Schedule Strip: Tomorrow's appointments with patient photos, chief complaint, last visit date
-
Patient Click → Detail View:
- Overview: Age, gender, allergies, active problems
- Imaging: Recent radiology with carousel viewer
- Labs & Trends: Last 6 months of critical labs with sparklines
- Timeline: Medications, hospitalizations, surgery history
- AI Brief: Top 3 insights with evidence links
- KPIs: At-risk count, new diagnoses, overdue preventive care
Care Team Board
Purpose: Visualize specialist involvement & pending actions
Structure:
- Hub-Spoke SVG: Patient (center) connected to 12 specialists across 8 disciplines
- Specialist Cards: Name, next appointment, active problem count, pending sign-off
- Unified Timeline: All disciplines' notes, orders, results in chronological storyboard
- Pending Actions: Reviewed with urgency levels (Critical, High, Medium, Low)
Clinical Trials
Purpose: Point-of-care trial enrollment & IRB compliance
Structure:
- Eligibility Matching: FHIR-mapped criteria against patient's Observation/Condition resources
- Data Source: ClinicalTrials.gov API + Folder 07 literature database
- Consent Gate: Folder 01 aclTransactionId verified before trial match display
- Enrollment Payout: Folder 03 integration for provider compensation tracking
- Patient Action: One-click enrollment with consent workflow
AI Co-Pilot
Purpose: CDS-compliant clinical insights with evidence & liability mitigation
Structure:
- Insight Cards: Claim, evidence chain, recommendation level (A/B/C), folder citations
- Actions: Accept (adopt into plan), Dismiss (with required rationale), Escalate (to reviewer)
- Evidence Links: Click to view underlying Observation, lab result, or literature reference
- Audit Trail: SHA-256 hash chain of all clinician actions logged to Azure Confidential Ledger
Security Architecture — 6 Checkpoints
Defense-in-depth zero-trust model:
SMART on FHIR OAuth2
Clinician identity derived from EHR launch context (app launch, redirect URI, client ID). No hardcoded credentials. Refresh tokens with 1-hour expiry.
Folder 01 Consent Gate
Every patient data request requires aclTransactionId verification. ACL checked before any Observation, Condition, or imaging renders. Patient consent can be revoked in real-time.
Zero-Trust API
Every request carries JWT (clinician identity) + consent token (patient access). API gateway validates both at service mesh. Rate-limited per clinician (100 req/min).
Azure Confidential Computing
AI inference runs in TEE (Trusted Execution Environment). Patient data never leaves enclave. Models protected by Intel SGX attestation.
Audit Trail
Every clinician action (view, accept, dismiss, escalate) logged with timestamp, user ID, patient MRN hash, action type, and SHA-256 hash chain to Azure Confidential Ledger. Immutable.
PII Isolation
Patient identifiers (name, DOB, SSN) never stored in analytics or AI pipeline. Only de-identified feature vectors. Reverse mapping held in separate encrypted database.
AI Co-Pilot — Liability Architecture
FDA 21st Century Cures Act compliance & learned intermediary doctrine:
FDA §3060 CDS Exemption — 4 Criteria
| Criterion | Implementation in Moonlitic |
|---|---|
| Transparency | Every insight includes source FHIR resources, folder citations, and evidence chain. Clinician can drill down to original lab result or literature reference. |
| No Patient Override | Clinician controls final decision. AI suggests; clinician confirms in chart. Dismiss action is mandatory audit-enforced rationale entry. |
| Open Data Formats | FHIR R4 (patient data), DICOMweb (imaging), HL7 (messages). No proprietary EHR lock-in. Data portability in <24 hours. |
| No Patient Targeting | Algorithm treats all patients equally. No cohort discrimination. Bias audits quarterly; results in Folder 08 governance board. |
Insight + Evidence + Escape Hatch Design Pattern
Example Insight:
Insight: "Possible warfarin-NSAIDs interaction detected."
Evidence: Patient on warfarin (MedicationRequest-123) since 2025-11-15. Prescribed ibuprofen (MedicationRequest-456) on 2026-03-28. Interaction severity: HIGH (folder 02 drug-drug interaction matrix).
Evidence Grade: A (FDA-rated interaction database)
Recommendation: Switch to acetaminophen; monitor INR weekly × 4 weeks (Uptodate link: [evidence])
Escape Hatch: Clinician clicks ACCEPT → adds to plan; DISMISS → enters rationale (e.g., "NSAIDs required for post-op pain, INR will be monitored"); ESCALATE → sends to pharmacist for review.
Learned Intermediary Doctrine
Liability stays with the clinician, not Moonlitic, because:
- Clinician is the learned intermediary who understands the patient's full context
- AI is a clinical decision support tool, not an autonomous agent
- Clinician can override, dismiss, or escalate any insight
- Audit trail proves clinician reviewed and made conscious decision
Audit Requirements & Hash Chain
Every insight interaction logged:
| Field | Example |
|---|---|
| Timestamp | 2026-04-03T09:23:47.123Z |
| Clinician ID | dr-jane-smith-npi-1234567890 |
| Patient MRN (hashed) | SHA-256: a3f9e2c1... |
| Insight ID | insight-warfarin-nsaid-456 |
| Action | ACCEPT | DISMISS | ESCALATE |
| Rationale (if dismiss) | "NSAIDs required; INR monitored weekly" |
| Previous Hash | SHA-256: f2d8c9a4... |
| Current Hash | SHA-256: 7e1b3f8d... |
All entries logged to Azure Confidential Ledger (immutable, cryptographically verified). Chain cannot be altered without detection.
Cross-Folder Dependency Map
How the Clinician Portal integrates with other Moonlitic folders:
| Folder | Content | Clinician Portal Integration |
|---|---|---|
| Folder 01 | Consent Architecture & ACL Framework | Every patient data request checked against aclTransactionId before rendering. Revocation tested in real-time. Clinician sees only patients with active consent. |
| Folder 02 | FHIR Clinical Data Model & Bundles | Source of all patient data: Observation (labs, vitals), Condition (diagnoses), MedicationRequest (active meds), DiagnosticReport (imaging, pathology). DICOMweb for radiology. |
| Folder 03 | Trial Enrollment & Provider Payout | When clinician enrolls patient in trial, Folder 03 payout engine calculates provider compensation. Real-time earnings dashboard (optional). |
| Folder 04 | Claims Data & HEDIS Care Gaps | Claims data feeds HEDIS gap detection. Morning Briefing highlights overdue preventive care (e.g., diabetic eye exam). AI Co-Pilot recommends addressing gaps. |
| Folder 05 | Payout Reconciliation & Settlement | Trial enrollment payout amounts reconciled in Folder 05. Clinician sees realized earnings in portal dashboard (read-only). |
| Folder 06 | Demo Data & EDI Samples | Demo mode uses Folder 06 synthetic patients (HIPAA-safe test data) for development and clinician training. QA automation runs against Folder 06 scenarios. |
| Folder 07 | Marketplace Trial Listings & Literature | This folder. Portal pulls trial listings, drug profiles, and clinical guidelines from Folder 07 literature database. Real-time integration with marketplace. |
Consent-Gated View Access — 3-Tier Model
Clinician data access varies by institutional relationship and patient consent. The 3-tier model ensures HIPAA compliance while enabling cross-institutional care coordination.
Same Institution, Treatment Team
HIPAA TPO Exception Applies
No additional Moonlitic consent needed beyond baseline. Both clinicians are covered under Treatment, Payment, Operations.
Example
Dr. Chen (Oncology) and Dr. Patel (Cardiology) at Texas Cancer Center both treating Maria Santos. Full access to consented categories.
UI Experience
- Green "Tier 1" badge visible
- No locked panels
- Instant access to all shared data
Cross-Institutional, Referred Provider
Data Crosses Organizational Boundary
Requires explicit per-category per-institution consent via Folder 01. Request flows through Moonlitic marketplace.
Example
Dr. Morton (Nephrology) at Houston Methodist, referred by Dr. Chen. Access levels:
- Unlocked: Labs, Vitals, Medications, Diagnoses
- Locked: Imaging, Procedures, Clinical Trials (not yet consented)
UI Experience
- Orange "Tier 2" banner
- Locked panels with blur overlay
- "Request Patient Consent" button
- Patient receives push notification via Moonlitic app
Non-Treating, Research/Secondary Use
Absolutely Requires Explicit Granular Consent
De-identified or identified based on consent scope. Core marketplace data brokering use case.
Example
Researcher studying checkpoint inhibitor cardiotoxicity. Access requires IRB documentation and explicit patient consent for research.
UI Experience
- Red "Tier 3" badge
- Most panels locked by default
- Consent request requires IRB documentation
- Audit trail logged with timestamp + researcher credentials
Consent Request → Approval Flow
Request Initiated
Non-authorized provider clicks "Request Patient Consent" on locked panel
Request Generated
Moonlitic generates consent request record: provider NPI, institution, category, SHA-256 hash
Audit Logged
Request logged to Azure Confidential Ledger audit chain (Folder 01)
Patient Notified
Patient receives push notification via Moonlitic app with request details
Patient Decision
Patient approves/denies per category. Decision logged with timestamp + hash
Real-Time Rendering
If approved: data renders via WebSocket. If denied: locked panel persists with "Patient Denied" status
SaaS Deployment Architecture
From demo to production scaling:
Demo Mode (Current)
Hosting: Netlify (static site)
Frontend: HTML/CSS/JavaScript
Data: Mock JS arrays + JSON fixtures
API Stubs: MoonliticAPI.mockBriefing(), .mockCareTeam(), etc.
Advantages:
- Zero infrastructure cost
- Deploy in seconds
- HIPAA-safe (no real PHI)
- Perfect for vendor pilots
Production Mode (SaaS)
Frontend: Next.js + React on Vercel or AWS Amplify
Backend: Node.js/Express on AWS ECS, GCP Cloud Run, or Azure Container Instances
Database: PostgreSQL (patient lookup, session cache) + Redis (distributed cache)
Key Services:
- FHIR Server: HAPI FHIR (Tomcat) or Cerner CDS Hooks
- DICOMweb: Orthanc + DICOMweb plugin
- AI Enclave: Azure Confidential Computing (DCsv3 VMs)
- Audit: Azure Confidential Ledger
- WebSocket: Socket.io cluster
Authentication & Authorization
EHR-Embedded Launch (Epic, Cerner, Meditech):
SMART on FHIR OAuth2 launch flow. User clicks "Moonlitic" button in EHR. EHR sends signed JWT containing clinician NPI, patient MRN, clinic context. No login needed.
Standalone Access:
OAuth2 confidential client. Clinician logs in with credentials. Requests list of their patients from FHIR server. Pulls patient-specific data after consent verification.
Scaling & Reliability
- Stateless API: Every request self-contained. JWT carries identity & consent. Horizontal pod autoscaling (Kubernetes) based on CPU/memory.
- Cache Layer: Redis for patient briefing summaries (TTL: 5 min), care team hierarchy (TTL: 15 min), trial matches (TTL: 1 hour). Cache invalidation on new clinical data.
- CDN: CloudFlare or AWS CloudFront for static assets (CSS, JS, images). Geo-distributed for <100ms latency in US/EU/APAC.
- Monitoring: Prometheus + Grafana for API latency, error rates, AI inference time. PagerDuty alerts for SLA breaches (99.9% uptime SLA).
- Disaster Recovery: PostgreSQL automated snapshots (hourly), FHIR server backup to S3 (daily). RTO = 1 hour, RPO = 15 min.
Design Decisions
Key architectural choices and trade-offs:
Standalone vs. Integrated
Chosen: Standalone-first architecture (Option C) with future marketplace role integration.
Rationale: Clinician portals live outside the EHR to avoid performance drag. Loose coupling via FHIR APIs. Can upgrade portal independently of EHR releases. Future: Embed as deep link in EHR (Epic in-basket, Cerner CDS Hooks).
Tabs vs. Scrolling
Chosen: Hybrid model: pinned alert bar + tabbed detail sections.
Rationale: Clinicians need quick scanning (tabs prevent information overload). But also need context switching (sub-tabs within detail view: Overview, Imaging, Labs, Timeline, AI Brief). Mobile: tabs collapse to accordion.
AI Insights Placement
Chosen: Embedded in patient detail view (Option 1) + dedicated deep-dive tab (AI Co-Pilot).
Rationale: Embedded insights stay with patient context (reduce context switch). But power users want deep analysis (AI Co-Pilot tab). Reduces cognitive load for busy clinicians.
DICOM Viewer
Chosen: Simulated for demo (canvas carousel), Cornerstone.js + DICOMweb for production.
Rationale: Full DICOM viewer too heavy for demo (build complexity, licensing). Cornerstone mature, open-source, HIPAA-ready. Production integrates with Orthanc DICOMweb server.
Consent-Gated View Rendering
Options considered: (1) All-or-nothing access per patient, (2) Category-level consent per provider, (3) Category × Institution matrix.
Chosen: Option 3 — most granular, enforces cross-institutional boundaries, enables marketplace data brokering.
Rationale: HIPAA TPO covers same-institution. Cross-institutional requires explicit consent per §164.508. The matrix model scales to N institutions × M categories.
Future Roadmap & Extensions
Planned enhancements for Phase 2 (Q3 2026) and Phase 3 (Q4 2026):
Phase 2 Enhancements
- Mobile App Native iOS/Android (React Native) with offline caching
- Voice Integration "Hey Moonlitic, what's the status on my 2 PM?" via Alexa Skills Kit
- EHR Deep Links Epic In-Basket, Cerner CDS Hooks, Meditech Commerce
- Pharmacy Co-Pilot Pharmacist-specific view: medication reconciliation, interaction analysis, P&T committee integration
- Advanced Analytics Population health cohorts, quality measure dashboards (CMS MIPS)
Phase 3 Extensions
- Marketplace Roles Provider admin console (trial management, payout dashboard, team settings)
- Revenue Cycle Claims tracking, denied claim automation, appeals workflow
- Patient Portal Link Secure patient view: upcoming appointments, shared insights, trial invitations
- AI Model Personalization Fine-tune MoonliticClinicalLM per practice specialty
- Blockchain Audit Trail Immutable ledger for regulatory compliance (HIPAA, SOX)