// medmonk · pa_copilot · it

PA Copilot
IT Architecture & Implementation Plan

Technical overview of the Medmonk Prior Authorization AI platform — system design, data flows, infrastructure requirements, security model, and build roadmap.

$ medmonk pa-copilot --mode internal --phase 1 --hipaa true
// system_overview

System Overview

A multi-agent AI pipeline behind the Medmonk portal. The prescriber's office uploads once; six agents handle everything from OCR to payer submission and return a single status back to Medmonk.

Entry · Provider Portal · prescriber uploads referral, chart, labs, insurance
  → Agent 1 · OCR / Intake · parse & extract text
  → Agent 2 · LLM Extraction · structure clinical data
  → Agent 3 · Payer Rules · criteria & routing
  → Agent 4 · QA Validation · NPI, NDC, gaps
  → Agent 5 · Packet Build · forms + LOMN
  → Agent 6 · Submission · FHIR / eFax
  → Output · Medmonk PA Queue · status + flags surfaced to coordinators
// tech_stack

Technology Stack

Layer · Technology
document_intake · eFax inbound + cloud OCR (Textract / Document AI)
ai_extraction · GPT-4o via Azure OpenAI or self-hosted LLM
payer_rules_db · SQL + JSONB policy configs per payer / drug
validation_engine · NPI / NDC checks; dosing & completeness rules
packet_assembly · PDF generation with payer-specific templates
submission_layer · FHIR R4 PAS primary; eFax API fallback
database · PostgreSQL — PA lifecycle schema + audit log
backend_api · REST API (FastAPI / Node.js)
frontend · Web dashboard (React or lightweight JS)
auth · OAuth 2.0 + RBAC; JWT-based sessions
infra · AWS / Azure HIPAA-eligible services
observability · Cloud logs + metrics (CloudWatch / Datadog)
// data_flow

Data Flow

// PA Copilot — end-to-end
1. intake
   provider portal → POST /api/pa/upload → encrypted storage
   enqueue job → pa_intake_queue
2. ocr_agent
   fetch document → OCR engine → raw_text
   persist → pa_documents.ocr_text
3. llm_extraction
   raw_text → GPT-4o prompt → pa_data_fields (JSON)
   validate against schema
4. payer_rules
   lookup payer + drug → required_fields
   compare pa_data_fields vs required_fields
5. validation
   NPI / NDC verify → external APIs
   compute missing_fields → set status = needs_review | ready_to_submit
6. packet + submission
   build PDF packet → try FHIR PAS; else eFax
   write submission record + status back to Medmonk queue
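Steps 4 and 5 of the flow above, written out as an added Python example (not code from the Medmonk project): it computes missing_fields from a payer's required_fields, checks the NPI check digit with the public Luhn rule over the 80840 prefix, normalizes a 10-digit NDC to the 11-digit form that pa_requests.drug_ndc stores, and derives the status. The field names and the sample record are constructed; the registry and directory lookups from step 5 are left to the external APIs.

```python
import re
NPI_PREFIX = "80840"  # the NPI check digit is computed over this prefix + the 9 leading digits

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a numeric string that ends with its check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def npi_format_ok(npi: str) -> bool:
    """Structural NPI check only; the CMS NPI Registry lookup decides whether it is active."""
    return bool(re.fullmatch(r"\d{10}", npi)) and luhn_ok(NPI_PREFIX + npi)

def normalize_ndc(ndc: str):
    """Map a hyphenated 10-digit NDC (4-4-2, 5-3-2 or 5-4-1) to the 11-digit 5-4-2 form, else None."""
    parts = ndc.split("-")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    labeler, product, package = parts
    shape = (len(labeler), len(product), len(package))
    if shape == (4, 4, 2):
        labeler = "0" + labeler
    elif shape == (5, 3, 2):
        product = "0" + product
    elif shape == (5, 4, 1):
        package = "0" + package
    elif shape != (5, 4, 2):
        return None
    return labeler + product + package  # fits pa_requests.drug_ndc VARCHAR(11)

def validate(fields: dict, required_fields: list) -> dict:
    """Step 5: compute missing_fields and flags, then set needs_review | ready_to_submit."""
    missing = [f for f in required_fields if not fields.get(f)]
    flags = []
    if fields.get("prescriber_npi") and not npi_format_ok(fields["prescriber_npi"]):
        flags.append("invalid_npi")
    ndc11 = normalize_ndc(fields.get("drug_ndc", ""))
    if fields.get("drug_ndc") and ndc11 is None:
        flags.append("invalid_ndc")
    status = "ready_to_submit" if not (missing or flags) else "needs_review"
    return {"status": status, "missing_fields": missing, "flags": flags, "drug_ndc": ndc11}

# Constructed sample: one extracted record and one payer's required_fields list (field names assumed).
SAMPLE_FIELDS = {"patient_name": "Test Patient", "prescriber_npi": "1234567893",
                 "drug_ndc": "1234-5678-90", "icd10_codes": ["F33.1"], "lab_results": ""}
REQUIRED_FIELDS = ["patient_name", "prescriber_npi", "drug_ndc", "icd10_codes", "lab_results"]
```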
// database_schema

Core Schema

-- PA lifecycle
CREATE TYPE pa_status_enum AS ENUM (
  'pending_intake', 'processing', 'needs_review',
  'ready_to_submit', 'submitted', 'approved',
  'denied', 'appealing'
);

CREATE TABLE pa_requests (
  id            UUID PRIMARY KEY,
  patient_id    UUID,
  prescriber_id UUID,
  payer_id      UUID,
  drug_ndc      VARCHAR(11),              -- 11-digit NDC
  icd10_codes   TEXT[],
  status        pa_status_enum,
  submitted_at  TIMESTAMPTZ,
  decision_at   TIMESTAMPTZ,
  outcome       VARCHAR(20),
  created_at    TIMESTAMPTZ DEFAULT now()
);

-- Documents & audit
CREATE TABLE pa_documents (
  id          UUID PRIMARY KEY,
  pa_id       UUID REFERENCES pa_requests,
  doc_type    VARCHAR(50),
  s3_key      TEXT,                       -- key of the encrypted object in storage
  ocr_text    TEXT,                       -- raw OCR output (PHI)
  uploaded_by VARCHAR(20),
  created_at  TIMESTAMPTZ
);

CREATE TABLE pa_audit_log (
  id         UUID PRIMARY KEY,
  pa_id      UUID REFERENCES pa_requests,
  actor_id   UUID,
  action     TEXT,
  details    JSONB,
  ip_address INET,
  created_at TIMESTAMPTZ DEFAULT now()
);
// api_design

Internal API

POST  /api/v1/pa/upload        multipart/form-data (PDF, image) → { pa_request_id }
GET   /api/v1/pa/:id/status    → { status, flags, step }
GET   /api/v1/pa/queue         → list by status / payer
POST  /api/v1/pa/:id/submit    → triggers submission pipeline
PATCH /api/v1/pa/:id/fields    → coordinator corrections → re-run validation
POST  /api/v1/pa/:id/appeal    → start appeal workflow
GET   /api/v1/pa/:id/audit     → full event history
GET   /api/v1/analytics/pa     → TAT, approval, denial reasons

All endpoints: Authorization: Bearer <JWT> · TLS 1.3 · role-scoped access.

// security_hipaa

Security & HIPAA Controls

Data Security

• AES-256 encryption at rest for PHI in object storage and database.
• TLS 1.3 enforced for all external traffic; HSTS on public endpoints.
• Key management via KMS / Key Vault; keys rotated on a defined schedule.
• VPC isolation: PA services in private subnets with outbound-only egress.

Access & Compliance

• Role-based access control: coordinator / supervisor / admin profiles.
• MFA enforced for accounts with PHI access; session timeout policies.
• Immutable audit log for all PHI access and administrative actions.
• BAA coverage for cloud host, LLM vendor, and eFax provider.
// external_integrations

External Integrations

Integration · Purpose · Protocol · Phase
eFax API · Inbound PA faxes and outbound fallback submission · REST / HTTPS · Phase 1
Azure OpenAI / LLM · Clinical note extraction and field structuring · REST / HTTPS · Phase 1
CMS NPI Registry · NPI verification · REST (public) · Phase 1
FDA NDC Directory · NDC validation · REST (public) · Phase 1
FHIR PAS (Da Vinci) · ePA submission for enabled payers · FHIR R4 / HTTPS · Phase 2
Payer Portals · Automated browser-based portal submission · Web automation · Phase 2+
// infrastructure

Infrastructure Layout

Public   · Provider Portal · HTTPS · WAF · CDN
Public   · Coordinator UI · HTTPS · auth-gated
           API gateway · TLS · JWT · rate limits
Private  · PA API Service · FastAPI / Node.js
Private  · Agent Workers · queue-driven pipeline
Private  · LLM Connector · Azure OpenAI / self-host
Data     · PostgreSQL · PA records · audit
Data     · Object Storage · encrypted PHI docs
Ops      · Logging / Metrics · centralized monitoring
           Outbound-only access
External · eFax · fallback submission
External · FHIR Payers · Da Vinci PAS
External · CMS / FDA · NPI + NDC lookups
// roadmap · phase_1

Phase 1 · PA Copilot

• Stand up PA engine in a dev environment and run sample provider-uploaded referrals end-to-end.
• Implement full OCR + LLM extraction pipeline and persist structured PA data to the core schema.
• Build payer criteria library and validation engine for a first set of high-volume payers.
• Expose internal REST APIs for PA intake, status, queue, and submission.
• Integrate with Medmonk non-production for provider upload and coordinator PA queue views.
• Wire up eFax, NPI, and NDC integrations needed for initial programs.
// roadmap · later_phases

Later Phases · Summary & Goals

Phase 2 · ePA & Appeals

• Add FHIR PAS connectivity for payers that support electronic prior auth.
• Automate appeal packet generation and tracking from denial events.
• Introduce basic peer-to-peer review tracking hooks.

Phase 3 · Advanced Automation

• Expand payer rules coverage and automation depth across additional lines of business.
• Layer in intelligent routing, prioritization, and SLA-based escalation.
• Refine models based on real denial and appeal outcome data.

Phase 4 · Analytics & Insights

• Build reporting for time-to-therapy, approval rates, and denial patterns.
• Expose program-level KPIs for leadership and partners.
• Use historical data to recommend optimal pathways and documentation upfront.
// ready_to_build

The architecture is defined.
The pipeline is clear.
Implementation can begin when you are.

status: "ready_to_build"
blockers: 3 // eFax + BAAs + RBAC
eta_to_live: "60d post IT setup"