Send appointment reminders, lab notifications, and care-plan follow-ups with full audit trails and human-in-the-loop approval before anything patient-specific leaves your system.
Telehealth and digital health platforms increasingly rely on AI agents to handle appointment scheduling, care-plan follow-ups, intake coordination, and lab result routing. The operational upside is significant — agents can respond at 3am, catch scheduling gaps, and keep care coordinators from drowning in administrative email. The compliance exposure is equally significant. HIPAA and HITECH impose strict requirements on how protected health information (PHI) travels across systems, who can see it, and how long access logs must be retained. State telehealth laws add a patchwork of additional requirements that vary by jurisdiction. AI agents operating in this environment need email infrastructure that enforces human review before any patient-specific content is sent, maintains immutable audit logs, and never exposes PHI in subject lines or message previews where it could be captured by email scanners or notification previews. MultiMail's gated_all oversight mode was designed specifically for risk profiles like this — every outbound action requires explicit human approval, while the agent handles drafting, routing logic, and queuing.
Standard email APIs send whatever string you pass as the subject. In telehealth workflows, agents drafting messages from EHR data frequently include patient names, diagnoses, or appointment details in subjects — which then appear in mobile lock screens, email scanners, and server-side logs outside your HIPAA boundary.
Fully autonomous agents can draft and send triage escalations, lab result notifications, or care-plan adjustments without any licensed professional reviewing the content first. One mistaken send — a result routed to the wrong patient, or triage advice that doesn't account for a contraindication — creates both clinical and legal liability.
HIPAA requires covered entities to log who accessed PHI, when, and what action was taken. Most email APIs record delivery events but not the approval chain — who reviewed the draft, when they approved it, and whether the final sent content matched the approved draft.
A care coordination agent handling patients across multiple states must respect different telehealth practice laws. A message appropriate to send from a licensed provider in California may require different handling in Texas. Routing logic needs to be auditable and correctable without rebuilding the agent.
Automated health messaging — reminders to take medication, prompts to complete intake forms — is permissible. Individualized clinical direction from an AI without licensed professional oversight is not. The same agent can produce both types of content, and the email layer must enforce the distinction.
With oversight_mode set to gated_all, every outbound email drafted by your agent is queued for human review before delivery. Care coordinators see the full draft — subject, body, recipient — and approve or reject via the approval API or MCP tool. The agent never sends unilaterally. Approval decisions are logged with timestamp, reviewer identity, and the exact content that was approved.
MultiMail logs every API call — draft creation, approval request, approval decision, send — with cryptographic event ordering. The log includes the full message content at approval time so you can demonstrate to auditors that what was approved and what was sent match exactly. Retention is configurable to meet your HIPAA records schedule.
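The approved-equals-sent property described above, shown as an added illustration rather than MultiMail's own implementation or API: a hash-chained audit log in which every event commits to its predecessor, plus a verifier that confirms the content hash recorded at approval is the same one recorded at delivery. The event names, actor strings and the sample message are constructed for this example.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over a canonical JSON form, so identical content always hashes identically."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

class AuditLog:
    """Append-only log in which every entry commits to the hash of its predecessor."""
    def __init__(self):
        self.entries = []

    def append(self, event: str, message_id: str, actor: str, content: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "event": event, "message_id": message_id, "actor": actor,
                 "content_hash": digest(content),  # full message exactly as it existed at this step
                 "prev_hash": prev}
        entry["entry_hash"] = digest(entry)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """False if any entry was altered, reordered or removed after being written."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def sent_matches_approved(self, message_id: str) -> bool:
        """True only when the content hash at 'sent' equals the one the reviewer approved."""
        latest = {}  # latest content hash per event type for this message
        for e in self.entries:
            if e["message_id"] == message_id:
                latest[e["event"]] = e["content_hash"]
        return "approved" in latest and latest.get("sent") == latest["approved"]

def demo() -> AuditLog:
    """Constructed sample: msg_1 is delivered exactly as approved, msg_2 is altered after approval."""
    log = AuditLog()
    draft = {"to": "patient@example.invalid",  # placeholder address, constructed
             "subject": "Your recent lab results are ready",
             "body": "Your lab results from your visit on April 18 are now available."}
    altered = dict(draft, body=draft["body"] + " Take two tablets daily.")  # text added after sign-off
    for mid, delivered in (("msg_1", draft), ("msg_2", altered)):
        log.append("draft", mid, "agent:care-coordination", draft)
        log.append("approved", mid, "dr_jane_smith", draft)
        log.append("sent", mid, "multimail-delivery", delivered)
    return log
```

An auditor replaying the log can run both checks: `verify_chain()` proves nothing was edited after the fact, and `sent_matches_approved()` proves the reviewer saw exactly what the patient received.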
Intake and triage agents that only need to classify inbound patient messages — routing to the right care team, flagging urgent requests, extracting structured data for the EHR — can operate in read_only mode. The agent reads and analyzes email content but cannot reply, forward, or take any action that would expose PHI to additional recipients.
Non-clinical administrative emails — scheduling confirmation, billing inquiries, general health education content with no PHI — can run in monitored mode. The agent sends autonomously, and care operations staff receive notification copies. This keeps low-risk volume off the approval queue while maintaining observability.
The list_pending endpoint lets your care coordination dashboard surface all queued approvals in one place, ordered by patient, care team, or urgency tag. Reviewers can approve, reject, or edit drafts via decide_email without leaving the queue view. Agents can check the status of specific pending messages using the MCP list_pending tool.
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

# oversight_mode=gated_all means this queues for approval, never auto-sends
result = client.send_email(
    mailbox="[email protected]",
    to="[email protected]",
    subject="Your recent lab results are ready",  # no PHI in subject
    body="""Hi,

Your lab results from your visit on April 18 are now available.
Your care team has reviewed them and has a note for you.

Please log in to your patient portal to view your results, or reply
to this message if you have questions.

Care Coordination Team
Your Clinic""",
    tags=["lab-result", "requires-clinician-review"],
    oversight_mode="gated_all",
    metadata={
        "patient_id": "pt_01HX...",  # internal reference, not in email
        "lab_order_id": "ord_7823",
        "routing_state": "CA"
    }
)

print(f"Queued for approval: {result['message_id']}")
print(f"Status: {result['status']}")  # => 'pending_approval'
```
An agent drafts a lab result notification and queues it for clinician review before delivery. The subject contains no PHI — the actual result context is in the body, visible only to the reviewing clinician.
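The example above relies on the drafting agent keeping PHI out of the subject. A pre-queue guard for that rule, added here as an illustration and not code from MultiMail: it compares a drafted subject against the EHR fields the agent has in hand (patient name, date of birth, internal identifiers, clinical terms) and substitutes a neutral subject if any of them appear. PatientContext and the sample patient values are constructed for this example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class PatientContext:
    """EHR fields the drafting agent can see (constructed sample, not a MultiMail type)."""
    full_name: str
    dob: str                                          # ISO date, e.g. 1987-03-09
    identifiers: list = field(default_factory=list)   # MRN, lab order ids, etc.
    clinical_terms: list = field(default_factory=list)  # diagnoses, test names

def subject_phi_findings(subject: str, ctx: PatientContext) -> list:
    """Return the reasons a subject line would leak PHI, or [] if it is clean."""
    s = subject.lower()
    findings = []
    # A single name token is enough to identify the patient on a lock screen
    for part in ctx.full_name.lower().split():
        if len(part) > 2 and re.search(r"\b" + re.escape(part) + r"\b", s):
            findings.append(f"patient name fragment '{part}'")
    # Date of birth in ISO form or either common US form
    y, m, d = ctx.dob.split("-")
    for form in (ctx.dob, f"{int(m)}/{int(d)}/{y}", f"{m}/{d}/{y}"):
        if form in subject:
            findings.append("date of birth")
            break
    for ident in ctx.identifiers:
        if ident.lower() in s:
            findings.append(f"identifier '{ident}'")
    for term in ctx.clinical_terms:
        if re.search(r"\b" + re.escape(term.lower()) + r"\b", s):
            findings.append(f"clinical term '{term}'")
    return findings

def safe_subject(subject: str, ctx: PatientContext, fallback: str) -> str:
    """Return the subject unchanged if clean, otherwise the neutral fallback."""
    return fallback if subject_phi_findings(subject, ctx) else subject

if __name__ == "__main__":
    ctx = PatientContext("Maria Lopez", "1987-03-09", ["ord_7823", "MRN-44821"], ["A1c", "diabetes"])
    print(subject_phi_findings("Maria, your A1c results from order ord_7823", ctx))
    print(safe_subject("Your recent lab results are ready", ctx, "A message from your care team"))
```

Run the guard on the agent's draft before calling send_email; a non-empty findings list is also a useful thing to record in the message metadata so reviewers can see the subject was rewritten.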
```python
import multimail

client = multimail.Client(api_key="mm_live_...")

# Fetch all messages pending approval for the care team
pending = client.list_pending(
    mailbox="[email protected]",
    tags=["requires-clinician-review"]
)

for message in pending["messages"]:
    msg_id = message["message_id"]

    # Read the full draft before deciding
    draft = client.read_email(message_id=msg_id)
    print(f"To: {draft['to']}")
    print(f"Subject: {draft['subject']}")
    print(f"Body:\n{draft['body']}")
    print(f"Metadata: {draft['metadata']}")

    # Clinician decision — in production this comes from your UI
    decision = "approve"  # or "reject"

    if decision == "approve":
        result = client.decide_email(
            message_id=msg_id,
            decision="approve",
            reviewer_id="dr_jane_smith",
            note="Reviewed — results are benign, message is appropriate"
        )
        print(f"Sent: {result['sent_at']}")
    else:
        client.decide_email(
            message_id=msg_id,
            decision="reject",
            reviewer_id="dr_jane_smith",
            note="Needs revision — include portal link"
        )
```
A care coordination dashboard polls the pending queue and surfaces drafts for clinician review. Approved messages send immediately; rejected messages are logged with the rejection reason.
```python
import multimail
from datetime import datetime, timedelta

client = multimail.Client(api_key="mm_live_...")

def send_appointment_reminder(patient_email: str, appointment_dt: datetime, provider: str):
    """Queue an appointment reminder for care coordinator review."""
    return client.send_email(
        mailbox="[email protected]",
        to=patient_email,
        subject="Appointment reminder",
        body=f"""This is a reminder of your appointment on {appointment_dt.strftime('%B %d at %I:%M %p')} with {provider}.

If you need to reschedule, reply to this message or call our office.

If you are experiencing a medical emergency, call 911.""",
        oversight_mode="gated_all",
        tags=["appointment-reminder"]
    )

def check_urgent_inbound():
    """Check inbox for replies flagged as urgent by the triage classifier."""
    inbox = client.check_inbox(
        mailbox="[email protected]",
        tags=["triage-urgent"],
        unread_only=True
    )
    for msg in inbox["emails"]:
        thread = client.get_thread(thread_id=msg["thread_id"])

        # Route to on-call clinician — still gated, clinician approves the forward
        client.send_email(
            mailbox="[email protected]",
            to="[email protected]",
            subject="Urgent patient message — review required",
            body=f"A patient has replied with an urgent concern. Thread ID: {msg['thread_id']}\n\nPlease review and respond.",
            oversight_mode="gated_all",
            tags=["triage-escalation"],
            metadata={"original_thread_id": msg["thread_id"]}
        )

        # Tag original as escalated
        client.tag_email(
            message_id=msg["message_id"],
            tags=["escalated-to-oncall"]
        )

# Run both in your agent loop
send_appointment_reminder(
    patient_email="[email protected]",
    appointment_dt=datetime.now() + timedelta(days=1),
    provider="Dr. Sarah Chen"
)
check_urgent_inbound()
```
An agent sends appointment reminders and checks for any inbound cancellation or urgent symptom reports, routing them to the appropriate care team without exposing PHI in transit.
```text
# In Claude Desktop with MultiMail MCP server configured:

# 1. Check for new inbound messages from patients
Tool: check_inbox
Parameters:
  mailbox: "[email protected]"
  unread_only: true
  tags: ["patient-inbound"]

# 2. Read a specific message thread
Tool: get_thread
Parameters:
  thread_id: "thr_01HX..."

# 3. Draft a follow-up — queued for approval because mailbox uses gated_all
Tool: send_email
Parameters:
  mailbox: "[email protected]"
  to: "[email protected]"
  subject: "Following up on your message"
  body: "Thank you for reaching out. A member of your care team will respond within one business day. If this is urgent, please call our office at (555) 000-0000."
  tags: ["care-followup"]

# Result: message queued, not sent
# Status returned: { "status": "pending_approval", "message_id": "msg_01HY..." }

# 4. Check what's pending approval
Tool: list_pending
Parameters:
  mailbox: "[email protected]"
```
A care coordination agent running in Claude Desktop uses MultiMail MCP tools to check for inbound patient messages and draft a follow-up without sending autonomously.
| Regulation | Requirement | How MultiMail helps |
|---|---|---|
| HIPAA / HITECH | Email containing PHI must be transmitted securely, access must be logged, and business associate agreements (BAAs) must be in place with email service providers. Audit logs must be retained for 6 years. PHI must not appear in subject lines or headers where it could be captured by intermediate systems. | MultiMail enforces TLS for all message transport. Every API action — draft creation, approval request, approval decision, delivery — is logged with timestamps and actor identity. Metadata fields let you attach internal patient references without embedding them in message content. MultiMail offers BAAs for covered entities; contact support before going to production with PHI workflows. |
| State Telehealth Laws | Many states require that clinical communications originate from or be reviewed by a licensed provider in the state where the patient is located. Some states impose additional consent requirements for telehealth services and electronic health communications. | The metadata field on every message can carry jurisdiction tags and provider license state, making routing decisions auditable. gated_all oversight ensures a human reviewer — who can verify licensing requirements — approves every patient-facing send before delivery. Rejection reasons are logged, creating a record of compliance decisions. |
| GDPR | For patients in EU/EEA jurisdictions, health data is a special category requiring explicit consent for processing. Patients have rights to access, correction, and erasure of their data. Cross-border transfers of health data require appropriate safeguards. | MultiMail's mailbox-level configuration supports regional data residency. The tag_email and manage_contacts tools let agents maintain consent status as structured metadata rather than embedding it in unstructured message content. cancel_message allows suppression of queued messages if consent is withdrawn before approval. |
| FDA Guidance (Software as a Medical Device) | AI systems that provide clinical decision support or diagnostic guidance via email may be subject to FDA Software as a Medical Device (SaMD) guidance, requiring that outputs be reviewable by a qualified clinician before reaching patients. | gated_all oversight mode implements the human-in-the-loop requirement at the email delivery layer. The approval log — which records who reviewed, when, and what they approved — supports the audit documentation SaMD review processes require. |
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a 50-tool MCP server. Formally verified in Lean 4.