Prior Authorization Decision Support for a Specialty Pharmacy
How we replaced a multi-day manual prior-authorization review process with an AI-assisted decision-support system that keeps a clinical pharmacist in the loop.
Key Results
- ✓ Reduced average review time from days to hours on common drug classes
- ✓ Decision rationale fully traceable from policy text to recommendation
- ✓ All PHI confined to BAA-eligible AWS services end-to-end
The situation
A specialty pharmacy was reviewing prior authorization requests by hand against a library of payer policies and clinical guidelines. Each case required a pharmacist to read the request, locate the applicable policy sections, evaluate clinical criteria against the patient's history, and document the rationale. Volume was growing faster than the team could hire.
The team did not want to remove the pharmacist from the decision. They wanted to remove the time spent finding policy text, drafting rationale paragraphs, and reformatting the same data for downstream systems.
What we built
A decision-support system that proposes a recommendation and a draft rationale, then waits for the pharmacist to approve, edit, or reject before anything takes effect.
The data path was the constraint. PHI never leaves the covered cloud. We used Amazon Bedrock under the existing AWS BAA for the model layer, Bedrock Knowledge Bases for retrieval over the policy corpus, and DynamoDB for case state. The pharmacist's review and final decision are the source of authority — the AI's output is a draft until they sign off.
[Intake] → [Policy retrieval] → [Drafted recommendation]
                                          ↓
                              [Pharmacist review (HITL)]
                                          ↓
                        [Decision recorded + rationale logged]
Decisions that mattered
Retrieval-grounded, not free-form. The model never invents a clinical criterion. Every recommendation cites the specific policy section it relied on, and the citations are clickable into the source document. If retrieval comes back empty, the system tells the pharmacist that — it does not fall back to the model's training data.
Audit logging from day one. Every model invocation is logged with the requesting pharmacist's identity, the case ID, the retrieved chunks, the prompt, the output, the latency, and the final disposition. Logs are written to an immutable store and retained per HIPAA's six-year minimum.
Tight tools. The agent has access to exactly the tools it needs: policy retrieval, case-state read, draft writes. No outbound network. No write access to the production case record without a pharmacist's signed approval.
Fail loudly. Edge cases — missing data, ambiguous criteria, conflicting policy versions — surface as explicit "this case needs human review without AI assistance" rather than a low-confidence recommendation. The team chose to take the productivity hit on edge cases rather than hide them.
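The grounding, fail-loudly, and approval-gated-write decisions above can be expressed as two small checks. This is an added sketch, not the project's own code: the field names, the `Chunk` shape, and the use of an HMAC as a stand-in for the pharmacist's signed approval are all assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

HUMAN_ONLY = "needs human review without AI assistance"
DRAFT_OK = "draft ready for pharmacist review"
REQUIRED_FIELDS = ("drug", "diagnosis", "payer")  # assumed intake fields

@dataclass(frozen=True)
class Chunk:  # hypothetical shape of one retrieved policy passage
    chunk_id: str
    policy_id: str
    version: str

def route_case(case, chunks, draft):
    """Return (route, reason); any ungrounded or ambiguous input fails loudly."""
    missing = [f for f in REQUIRED_FIELDS if not case.get(f)]
    if missing:
        return HUMAN_ONLY, "missing data: " + ", ".join(missing)
    if not chunks:  # empty retrieval is reported, never papered over
        return HUMAN_ONLY, "retrieval returned no policy text"
    versions = {}
    for c in chunks:
        versions.setdefault(c.policy_id, set()).add(c.version)
    conflicted = sorted(p for p, v in versions.items() if len(v) > 1)
    if conflicted:
        return HUMAN_ONLY, "conflicting policy versions: " + ", ".join(conflicted)
    cited = set((draft or {}).get("cited_chunk_ids", []))
    unknown = sorted(cited - {c.chunk_id for c in chunks})
    if not cited or unknown:  # a citation the retriever never returned
        return HUMAN_ONLY, "draft citations not grounded in retrieved text"
    return DRAFT_OK, "every citation maps to a retrieved chunk"

def draft_digest(case_id, draft):
    """Stable digest binding an approval to one exact draft of one case."""
    blob = json.dumps({"case_id": case_id, "draft": draft}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

def sign_approval(key, pharmacist_id, case_id, draft):
    """Stand-in for the pharmacist's sign-off (HMAC is an assumption here)."""
    msg = f"{pharmacist_id}|{draft_digest(case_id, draft)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def commit_decision(key, pharmacist_id, case_id, draft, signature):
    """Allow the production write only if the approval matches this exact draft."""
    expected = sign_approval(key, pharmacist_id, case_id, draft)
    return bool(signature) and hmac.compare_digest(expected, signature)
```

Because the approval is bound to a digest of the draft, an edit made after sign-off invalidates the approval and the write is refused until the pharmacist signs the edited text.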
Outcome
The pharmacist team reviews the same volume in a fraction of the time, with the same — or better — clinical rigor. Auditors get a complete trail of which policy text drove which decision, signed off by which pharmacist, on which date.
What did not change: the pharmacist is still the decision-maker. The licensure obligation still rests with them. The AI accelerates them; it does not replace them.
Working with us
We engaged on a fixed-scope architecture review first — a four-week engagement that produced the data-flow diagram, the BAA boundary map, the audit logging design, and the rollout plan. The build followed in phases, starting with read-only retrieval before introducing any drafting capability.
If you have a similar review-heavy workflow in healthcare and want to know what a HIPAA-aligned AI assist looks like in production, let us know.