New: give any agent a live, governed query engine over your data, no warehouse required.Get started
Nightshift

Nightshift for Healthcare

Answers across the chart, claims, and ops. Minimum necessary by default.

Connect the EHR, claims, and your operational systems once: clinical and analytics teams and their agents query live data without standing up a warehouse. A governed view redacts identifiers before any response leaves, so each agent gets only the fields its task needs and the rest never reaches the model.

Get started freeTalk to sales
At the sourceehr.patients
PatientJordan Rivera
MRNMRN-88421
DOB1984-03-12
SSN521-44-9087
Care teamCardiology, Team B
DiagnosisI50.9 Heart failure
NotesPsychotherapy
What the agent receivesehr.patients
PatientJordan Rivera
MRN•••• masked
DOB•••• masked
SSN•••• masked
Care teamCardiology, Team B
DiagnosisI50.9 Heart failure
Notesdenied

See it work

Attribute readmissions no single system can see.

An agent connects Nightshift over MCP and pins $2.8M of 30-day penalties to the units, DRGs, and follow-up gaps behind them, across Epic, ServiceNow, Workday, and Salesforce Health Cloud.

Minimum necessary

Each agent sees only its part.

Minimum-necessary is a view, not a hope. Each role reads through a governed view granted read-only, so the same catalog answers each agent differently.

Care-coordination agentIts assigned panel, with identifiers masked
Analytics agentAggregates only, no record-level PHI
Any agentPsychotherapy notes and restricted fields: out of the view

What agents do

Care agents under minimum necessary.

Coordinate care

Read the chart its team is assigned to, with SSN, MRN, and date of birth masked before anything leaves.

Work the claim

Read and draft against claims data, with restricted notes left out of the view entirely.

Brief the clinician

Summarize a patient’s relevant history, scoped to the care relationship, never the whole record.

Governance in plain SQL

Scope to a care team, redact the identifiers, grant read.

A governed view scopes an agent to its care team, redacts SSN, MRN, and date of birth, and drops sensitive notes. Grant the agent read on that view, and it is the only data the agent can reach.

  • Scope rows and columns with a governed view
  • Redact identifiers, leave restricted notes out
  • Agents get read grants, never write
views/encounters_safe.sqlview
-- encounters_safe: cardiology panel, identifiers and notes dropped
create view encounters_safe as
  select encounter_id, care_team, diagnosis_code,
         'REDACTED' as patient_name   -- PHI not exposed
  from encounters
  where care_team = 'cardiology';     -- ssn, mrn, dob, notes not selected
grantcare-agent → encounters_safe · read

Questions privacy officers ask

What compliance wants to know.

Does the agent ever see full PHI?
Only the fields a role needs. A governed view redacts identifiers and drops restricted fields, and the agent reads through that view, so the model never receives them.
Is minimum-necessary enforced or assumed?
Enforced. Each role reads through a governed view that exposes only its fields and rows, granted read-only, so the same catalog answers each agent with only its part.
How is access audited?
Every read is recorded with who, what, and when, and streams to your existing log of record for the same review any access gets.

Agents read. They don’t write.

Access is a read or write grant on a table or view. Care and analytics agents get read, so they can query the chart but never change it. Write stays with your clinicians and systems of record.

Put an agent on clinical data, within your rules.

Start free, connect an EHR or claims warehouse, and watch minimum-necessary reads reach your agent in minutes.

Get started freeTalk to sales

Want to look first? Take the product tour