This is what it takes to automate a healthcare clinic without ever touching protected health information. Dental is the proving ground, because there the compliance is hardest. Below are the systems, the tools behind them, and what I'm learning getting each one to send safely.
Most of the AI tools being sold to dentists right now aren't even HIPAA compliant. That gap is the thing I started looking into.
Right now you can try all four systems yourself in the demo below. They run in shadow mode on synthetic data, wired to real Twilio with the full compliance guardrails, and I'm tightening the details before the first clinic goes live. This is where the build actually is, today.
I'm Rainier. What I like is the hard kind of building, the systems with a lot of moving parts that still have to run on their own without anyone babysitting them. Getting something complicated to just work, quietly and reliably, is the part I never get tired of.
Healthcare pulled me in for the reason most people avoid it. It's unforgiving. A broken automation somewhere else is an annoyance you fix and forget. Here it's real rules, consent, actual patient records, and plenty of ways to get it wrong. The easy stuff is everywhere. I wanted the parts that genuinely have to be right.
Dental is where I'm proving it out. Independent practices lose people in small, quiet ways, a call nobody returns, a no-show nobody chases, someone who just stops booking. It's a real and messy place to find out whether the systems actually hold. But it's a starting line, not the whole race.
What I care about most tends to be what everyone skips, the compliance, how the data is handled, and what happens the moment something breaks. In this field that isn't a detail, it's the whole point, so I'd rather go slow and get it right. It's early still, and this is just me, building things meant to last.
Follow along for what I'm building.
Not four separate tools, one architecture. The four systems share a single safety spine: the opt-out list, the frequency cap, and the audit trail. They also hand off to each other. Everything runs on synthetic data in shadow mode, no claims past what's real. This is the first stack, built for small clinics, with more as the build grows.
One page for the architecture and the shared safety spine, then one page per system. Generated from the same build data this page runs on, so it never drifts. No sign-up, no email.
This is the dashboard I've been building. My take is that being able to watch the automations run, and see where one could break, beats staring at a complicated graph of nodes. One screen per view, real layout and real field names, on a sample clinic with synthetic data. Open it to step through all four screens.
The layout, the field names, and the gates are the real build. The clinic and the numbers are a synthetic sample, not a real practice. Real data only appears once a clinic goes live and the dashboard sits behind their own login.
Five tools. Each one picked for a specific reason, usually because it's BAA-eligible, open where it can be, and cheap enough to self-fund.
The same four stages, every time. Whether it's missed-call recovery, reminders, reactivation, or reviews, the shape of the build is the same. Compliance is not the last step. It's the design constraint. Each stage carries its own safety breakers so nothing ships without them in place.
Every system starts when something real happens. The event lands at a webhook, identifiers get normalized and hashed, the right practice config loads, duplicates are silently dropped. Nothing else runs until the event is confirmed and routed to the correct tenant.
Before any outbound action, the candidate runs through a unified safety check. Opt-out, frequency caps across all systems, per-practice cost cap, quiet hours, patient-history branch. If a check errors, the system fails closed: the default is opted out, not opted in. Same gate, every system, no exceptions.
Anything the AI produces is constrained to a tight token budget. A regex scrubber strips PHI the draft might have introduced. Required language (STOP for SMS, opt-out for email) is injected at generation time and verified post-AI. A hardcoded PHI-safe fallback fires if the AI times out or returns malformed output. Shadow mode keeps the first batch of messages from any new practice from ever reaching a patient.
Outcomes are tied back to the original event so the system can measure itself. Confirmed actions only count when they actually happen in the source of truth, not when a message was sent. The practice can dispute any attribution from the dashboard, and disputed ones are excluded from KPIs. PHI is purged at 90 days. The error handler catches every unhandled exception, scrubs PHI, and writes the incident to an error log.
The part most automation builders skip, and the part a healthcare team screens for. Compliance is the design constraint here, not the last step: every system scrubs PHI and honors opt-out and consent before anything sends, all on synthetic data in shadow mode. The practices I interview are HIPAA covered entities, so I document what they do under HHS Safe Harbor anonymization, and never request, accept, or store patient-identifying information.
Read the full protocolFrom inside the build. Some are my own observations. Some are quotes from dentists I've interviewed. Some are research worth flagging. New ones go up when there's something worth saying.
Loading notes...
One patient, one inbox. Fire a missed call, a reminder, a reactivation, or a review, and watch all four systems land in the same thread, sharing one opt-out and one frequency cap, with the compliance steps running behind every message. Synthetic data, shadow mode, no real PHI, no real numbers.
One system, up close: the missed-call recovery workflow, node by node. A deterministic re-enactment of the teaching workflow, sanitized and safe to share. The same node sequence runs today in shadow mode, with real Twilio wiring and the full compliance guardrails, until a clinic goes live. The sanitized JSON lives on GitHub.
The build lives across a few channels. Each one carries something different. System walkthroughs on YouTube. The texture of building on Instagram. Written notes right here on the site. No mailing list. No follow-up sequences. Read what's useful, ignore the rest.