
Nightshift for Healthcare

Minimum necessary, before the model sees a thing.

The hard part of a care copilot is not the EHR, it is everything in it the agent should not see. Nightshift masks identifiers in the compiler before any response leaves, so each agent gets only the fields its task needs and the rest never reaches the model.

At the source (ehr.patients)

  • Patient: Jordan Rivera
  • MRN: MRN-88421
  • DOB: 1984-03-12
  • SSN: 521-44-9087
  • Care team: Cardiology, Team B
  • Diagnosis: I50.9 Heart failure
  • Notes: Psychotherapy

What the agent receives (ehr.patients)

  • Patient: Jordan Rivera
  • MRN: •••• masked
  • DOB: •••• masked
  • SSN: •••• masked
  • Care team: Cardiology, Team B
  • Diagnosis: I50.9 Heart failure
  • Notes: denied

See it work

Attribute readmissions no single system can see.

An agent connects Nightshift over MCP and pins $2.8M of 30-day penalties to the units, DRGs, and follow-up gaps behind them, across Epic, ServiceNow, Workday, and Salesforce Health Cloud.

Minimum necessary

Each agent sees only its part.

Minimum-necessary is a policy, not a hope. Scope follows the identity, so the same catalog answers each agent differently.

  • Care-coordination agent: Its assigned panel, with identifiers masked
  • Analytics agent: De-identified aggregates, no record-level PHI
  • Any agent: Psychotherapy notes and restricted fields: denied

What agents do

Care agents under minimum necessary.

Coordinate care

Read the chart its team is assigned to, with SSN, MRN, and date of birth masked before anything leaves.

Work the claim

Read and draft against claims data, with restricted notes denied outright.

Brief the clinician

Summarize a patient’s relevant history, scoped to the care relationship, never the whole record.

Break-glass

Emergency access, fully accounted for.

Care does not wait for a ticket. When a clinician needs data outside their normal scope, break-glass opens it for the moment, time-boxed and scoped, then logs every field and flags the access for review.

Emergency override
1. Outside normal scope

A clinician needs a record their role would not otherwise see.

2. Granted for the moment

Access opens, time-boxed and scoped to the emergency, not the chart.

3. Logged and flagged

Every field is recorded, expires on its own, and is queued for review.

Policy in plain rules

Scope to a care team, mask the identifiers, gate the export.

Limit an agent to its care team, mask SSN, MRN, and date of birth, deny sensitive notes outright, and route any export to a human. It compiles into every endpoint, so there is no path around it.

  • Scope by care team, facility, or role
  • Mask identifiers, deny restricted notes
  • Exports wake an approver on their phone
policies/care-agent.policy

# care-agent: assigned panel only, PHI minimized
policy "care-coordination-agent" {
    identity = "care-agent"
    source = ehr.patients
    allow where care_team = current_identity
    mask column ssn, mrn, dob
    deny column psychotherapy_notes
    require approval when export
}
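
How the four rules in this policy combine on a single read, as an added Python example. It is not Nightshift's code: the function `governed_read`, the dict form of the policy, and the reading of `care_team = current_identity` as "the row's care team equals the caller's assigned team" are assumptions, and the second sample row is constructed.

```python
# Added illustration of the policy's semantics; not Nightshift's implementation.
MASKED, DENIED = "•••• masked", "denied"

# Hypothetical in-memory form of policies/care-agent.policy.
POLICY = {
    "identity": "care-agent",
    "mask": {"ssn", "mrn", "dob"},
    "deny": {"psychotherapy_notes"},
    "approval_on_export": True,
}

# Constructed sample rows; the first mirrors the page's ehr.patients record.
ROWS = [
    {"patient": "Jordan Rivera", "mrn": "MRN-88421", "dob": "1984-03-12",
     "ssn": "521-44-9087", "care_team": "Cardiology, Team B",
     "diagnosis": "I50.9 Heart failure",
     "psychotherapy_notes": "(constructed note text)"},
    {"patient": "Constructed Patient", "mrn": "MRN-00000", "dob": "1970-01-01",
     "ssn": "000-00-0000", "care_team": "Oncology, Team A",
     "diagnosis": "(constructed)",
     "psychotherapy_notes": "(constructed note text)"},
]

def governed_read(policy, identity, care_team, rows, export=False, approved=False):
    """Return only the view this identity is allowed to receive."""
    if identity != policy["identity"]:
        raise PermissionError("policy does not apply to this identity")
    # Export gate: refuse before any row is touched unless a human approved.
    if export and policy["approval_on_export"] and not approved:
        raise PermissionError("export requires human approval")
    views = []
    for row in rows:
        if row["care_team"] != care_team:   # row scope: assigned panel only
            continue
        view = {}                           # new dict; the source row is never mutated
        for col, value in row.items():
            if col in policy["deny"]:
                view[col] = DENIED          # deny wins over mask
            elif col in policy["mask"]:
                view[col] = MASKED
            else:
                view[col] = value
        views.append(view)
    return views

if __name__ == "__main__":
    for v in governed_read(POLICY, "care-agent", "Cardiology, Team B", ROWS):
        print(v)
```
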

Questions privacy officers ask

What compliance wants to know.

Does the agent ever see full PHI?
Only the fields a role needs. Identifiers are masked in the compiler before the response leaves, so the model never receives them.
Is minimum-necessary enforced or assumed?
Enforced. Scope attaches to the identity and compiles into every endpoint, so the same catalog answers each agent with only its part.
How is access audited?
Every read is recorded with who, what, and why, and streams to your existing log of record for the same review any access gets.

Exports wake a human.

When an agent tries to move PHI out, the request pauses and a clinician approves or denies it from their phone, with the full context of what was asked.

Put an agent on clinical data, within your rules.

Start free, connect an EHR or claims warehouse, and watch minimum-necessary reads reach your agent in minutes.
