Home / Features / MCP Integration

Among the First EHRs With Native MCP Integration

Connect Claude Desktop, Claude.ai, or any MCP-compatible AI client. Read your patient data, draft chart notes, send messages — directly from the AI you already use. Production-ready. BAA-covered. Audit-logged.

Book a Demo How It Works

For Clinic Owners

Your AI, Plugged Into Your Clinic

If you already use Claude — to draft emails, work through spreadsheets, plan your week, write SOPs — you know how much faster a good AI makes you. The frustration is that the AI lives in one window and your EHR lives in another, and the only way to bridge them is copy-paste, screenshots, and CSV exports. Half the value of an AI assistant evaporates the moment your data lives somewhere it can't reach.

MCP fixes that. With one paste of a credential into Claude's Connectors panel, the same Claude session you already use plugs into your clinic. Ask "which patients are due for labs?" and Claude reads your real schedule and lab history. Ask "draft a follow-up note for John Smith from today's visit" and Claude pulls his chart, drafts a SOAP note, and drops it into your review queue. No copy-paste. No screenshots. No CSV exports.

Most EHRs sell you "AI features" that are chat boxes inside their app. We built our EHR to plug into whatever AI you want to use.

90-Second Connection

How It Works

From "I want to try this" to "Claude is reading my clinic data" in under two minutes.

1. Open Connectors in Claude

In Claude Desktop or Claude.ai, go to Settings → Connectors → Add custom connector. Or use the MCP SDK in your own tool.

2. Paste Your Credentials

Server URL: api.moonshotclinic.com/api/mcp/v1. Bearer token issued from /admin/ai-mcp/. One credential per user, one tenant.

3. Ask Your First Question

"Which patients are due for labs?" "Draft a follow-up message for everyone who missed their appointment last week." Production tenants sign the AI Access Addendum (clickwrap, 2 minutes) before real PHI is exposed.

What You Can Do

~30 Tools, Two Categories

Read tools surface your data. Write tools propose changes that a clinician signs. Everything respects the same RBAC as staff accounts.

Patient Search & Lookup

search_patients, get_patient, get_chart_notes, get_medications, get_allergies, get_problem_list.

Labs & Vitals

get_labs, get_vitals, find_abnormal_labs_across_panel, find_lab_trend_outliers.

Schedule & Inbox

get_inbox, get_appointments, get_no_shows_and_cancellations.

Financial & Operational

get_billing_summary, get_patient_profit, get_lead_funnel, get_membership_metrics.

draft_chart_note WRITE

SOAP-formatted draft into the clinician review queue. Commits to chart_notes only on Sign by a user with the edit_charts permission.

draft_patient_message WRITE

Portal or SMS draft. A clinician with the send_messages permission signs to send. Nothing leaves the system without a human in the loop.

search_clinical_protocols

Semantic search over your uploaded PDFs — protocols, formularies, SOPs. Titan v2 embeddings + pgvector, tenant-isolated. Ask "what's our TRT titration protocol?" and Claude cites your own docs.

Permission-Gated

Every tool is scoped to the credential-holder's role. Same RBAC as staff accounts. A front-desk credential can't draft chart notes. A provider credential can't see other providers' financial metrics if their role doesn't.

Two Tiers

Sandbox in 90 Seconds. Production With One Signature.

Try it on synthetic data before you commit. When you're ready, the production gate is a clickwrap addendum and a permission grant.

Sandbox Tier

Auto-provisioned demo tenant pre-loaded with 36 synthetic patients (no real PHI). No AI Access Addendum required. 30-day TTL, renewable on click. Best for evaluation, demos, and developer testing. Free.

Production Tier

Real PHI under BAA. Gated by a clickwrap AI Access Addendum (365-day, cryptographic evidence of consent, annual re-sign). Revocable instantly from /admin/ai-mcp/. Included with all paid plans.

Security & Compliance

Built For Clinical Data From Day One

Every control below applies whether you use MCP, in-app AI, or both.

BAA-Covered Subprocessors

AWS Bedrock + Anthropic Claude, AWS infrastructure, Stripe, Spruce, AWS End User Messaging. Every link in the chain that can touch PHI is under a signed BAA.

Tenant Isolation at the DB Layer

Postgres row-level security on every PHI-bearing table. A misconfigured credential cannot read another tenant's data — the database itself refuses.

Audit Log On Every Tool Call

Every MCP call writes a row: user, tool name, arguments, response size, latency, timestamp. Queryable from /admin/ai-mcp/. Same audit pipeline as the rest of the EHR.

Prompt-Injection Containment

Tool outputs that ingest user-authored text (chart notes, intake forms, inbound messages) are wrapped in untrusted-content delimiters. Write tools are blocked in any turn-chain that includes those outputs. Injection attempts get logged, not executed.

Hard Spend Caps

Per-user daily cap, per-request cap, per-tenant monthly hard cap. Stripe metered billing at 110% of Bedrock cost with idempotency keys. When the cap hits, calls return 429 — no silent overage.

Revocable, Auditable Access

Each MCP credential is one-tenant-one-role. Revoke instantly from /admin/ai-mcp/ — the bearer token is invalidated server-side and the next call returns 401. Full credential lifecycle is logged.

"Every EHR I've ever used ships an 'AI feature' that's basically a chatbot bolted onto the side. Locked into one model, one UI, one set of tools the vendor thinks you should care about. The moment a better model ships, you're stuck.

MCP fixes that. We built our EHR to be an MCP server, not just an MCP client. The same Claude session you already use to draft emails, analyze data, plan your week — now plugs into your clinic. The AI stays in your hands, not in some vendor's chat box.

We're one of the few EHRs in the country with native MCP. Probably the only one if you scope to cash-pay specialty clinics. Whether that's a moat or a head start depends on whether you sign up before the rest of the industry catches on."

— Tom Kashul, founder of Moonshot Medical & Moonshot Clinic

For Engineering & Compliance Reviewers

Technical Reference

If you're the one signing off on this integration, here's the spec. Send it to your security team.

# SERVER
endpoint:        https://api.moonshotclinic.com/api/mcp/v1
transport:       JSON-RPC over HTTP (MCP 2025 spec)
auth:            Authorization: Bearer <credential>  (one credential = one user = one tenant)
spec version:    modelcontextprotocol/2025-06-18

# READ TOOLS
search_patients(query, limit)                  → patient summary rows
get_patient(patient_id)                        → demographics, insurance, contact
get_chart_notes(patient_id, limit, since)      → signed chart notes
get_medications(patient_id, active_only)       → active + historical med list
get_allergies(patient_id)                      → coded allergy list
get_problem_list(patient_id)                   → ICD-10 problem list
get_labs(patient_id, panel, limit)             → labs with reference ranges + flags
get_vitals(patient_id, limit)                  → vitals with timestamps
find_abnormal_labs_across_panel(panel, since)  → cross-patient outlier sweep
find_lab_trend_outliers(marker, direction)     → trending-up/down patients
get_inbox(filter, limit)                       → unread messages, lab callbacks, tasks
get_appointments(date_range, provider_id)      → schedule view
get_no_shows_and_cancellations(date_range)     → ops metric
get_billing_summary(date_range)                → revenue, AR, refunds
get_patient_profit(patient_id)                 → LTV, total spend, margin
get_lead_funnel(date_range)                    → lead → consult → paying conversion
get_membership_metrics()                       → active, churned, MRR
search_clinical_protocols(query, top_k)        → pgvector semantic search (tenant-scoped)
... ~20 read tools total

# WRITE TOOLS (pending-actions table — never commits without human sign)
draft_chart_note(patient_id, soap, encounter_id)
   → INSERT INTO pending_actions (kind='chart_note_draft', payload, status='pending')
   → returns draft_id
   → clinician with edit_charts opens /admin/ai-drafts/, reviews, signs
   → on sign: INSERT INTO chart_notes (...) WHERE pending_actions.id = draft_id

draft_patient_message(patient_id, channel, body)  (channel: portal | sms)
   → INSERT INTO pending_actions (kind='message_draft', payload, status='pending')
   → returns draft_id
   → clinician with send_messages opens /admin/ai-drafts/, reviews, signs
   → on sign: enqueue to portal_messages or spruce_outbound

# AUDIT ROW SHAPE
mcp_audit_log (
  id              UUID PRIMARY KEY,
  tenant_id       UUID NOT NULL,
  user_id         UUID NOT NULL,
  credential_id   UUID NOT NULL,
  tool_name       TEXT NOT NULL,
  args_redacted   JSONB,             -- PHI fields hashed
  response_bytes  INTEGER,
  latency_ms      INTEGER,
  status          TEXT,              -- ok | error | rate_limited | blocked_injection
  created_at      TIMESTAMPTZ DEFAULT now()
)
-- append-only, immutability trigger blocks UPDATE/DELETE

# TENANT SCOPING
Every PHI table has tenant_id NOT NULL + RLS policy.
MCP middleware sets app.current_tenant + app.current_user from credential.
Postgres enforces row visibility — application code cannot bypass.

# PRODUCTION-TIER GATE
mcp_attestations (
  id                   UUID PRIMARY KEY,
  tenant_id            UUID NOT NULL,
  signed_by_user_id    UUID NOT NULL,
  addendum_version     TEXT NOT NULL,     -- e.g. 'ai-access-2026-01'
  signed_at            TIMESTAMPTZ NOT NULL,
  expires_at           TIMESTAMPTZ NOT NULL,   -- 365 days from signed_at
  ip                   INET,
  user_agent           TEXT,
  evidence_hash        BYTEA NOT NULL          -- sha256(addendum_text || signer_email || signed_at)
)
-- production credentials refuse to mint while expires_at < now()

# SPEND CONTROL HIERARCHY
1. Per-request cap   — input+output token budget per tool call (default 100k tokens)
2. Per-user daily    — configurable in /admin/ai-usage/ (default $5/day)
3. Per-tenant month  — hard cap, configurable, default $250/mo. Hit → 429 on all calls.
4. Free pool         — first $10/mo of underlying Bedrock cost is comped per tenant.
5. Metered billing   — Stripe usage records at 110% of Bedrock cost, idempotency keys.

Frequently Asked Questions

What is MCP and why does it matter for an EHR?
MCP (Model Context Protocol) is an open standard from Anthropic that lets AI assistants connect to external data sources and tools. For an EHR, that means the AI you already use — Claude Desktop, Claude.ai, or any other MCP-compatible client — can directly read your patient data, draft chart notes, and send messages, without copy-paste or screenshots. Your AI workflow lives outside the EHR vendor's chat box, on the model and UI you choose.
Is this actually production-ready or a tech demo?
Production-ready. The MCP server runs on the same infrastructure as the rest of the EHR, with BAA-covered subprocessors, tenant isolation at the database layer via Postgres row-level security, audit logging on every tool call, hard per-tenant spend caps, and prompt-injection containment on every tool output that ingests user-authored text. Production tenants sign an AI Access Addendum (clickwrap, 2 minutes) before real PHI is exposed.
Which AI clients work with Moonshot Clinic's MCP?
Any client that speaks MCP. That includes Claude Desktop, Claude.ai (via the Connectors UI), Cursor, Continue, custom in-house tools using the official MCP SDKs, and a growing list of third-party clients. The MCP standard is open, so the surface area grows every month without any work on our end.
What about HIPAA and the BAA?
All subprocessors that touch PHI are BAA-covered: AWS infrastructure, AWS Bedrock for Anthropic Claude inference, Stripe for billing, Spruce for SMS, AWS End User Messaging. Production-tier MCP access also requires an additional AI Access Addendum that the tenant owner clickwraps with cryptographic evidence and annual re-sign, scoped to a specific Anthropic data-handling posture.
Can the AI write to the chart, or only read?
The AI can draft, but only a human can commit. The draft_chart_note and draft_patient_message tools create pending drafts that land in a clinician review queue. A user with the appropriate permission (edit_charts to sign chart notes, send_messages to send messages) opens the draft, reviews it, edits if needed, and signs to commit. There are no autonomous writes — every change to a chart or every message that leaves the system passes through a licensed human.
What stops an MCP client from leaking patient data?
Four layers. (1) Tenant isolation: every MCP credential is scoped to one tenant via row-level security at the Postgres layer. (2) Role scoping: each credential maps to a user, and every tool call respects that user's RBAC — same permission system as the staff portal. (3) Audit logging: every tool call writes a row with user, tool name, arguments, response size, and latency. (4) Prompt-injection containment: tool outputs that ingest user-authored text (chart notes, intake forms, messages) are wrapped in untrusted-content delimiters; write tools are blocked in any turn-chain that includes those outputs.
How is this billed?
Every tenant gets a $10/month AI free pool that covers both in-app AI and MCP usage. Beyond the free pool, usage is billed at 110% of underlying AWS Bedrock cost via Stripe metered billing with idempotency keys. Per-user daily caps, per-request caps, and a per-tenant monthly hard cap are all configurable in /admin/ai-usage/ — no surprise bills.
I'm a developer. Where are the docs?
Endpoint: api.moonshotclinic.com/api/mcp/v1 over MCP 2025 spec, bearer-token auth per credential, JSON-RPC transport. Full technical reference is in the section above (server endpoint, tool list, audit row shape, tenant scoping, attestation schema). For a sandbox key, book a demo or sign up for the free sandbox tier — no addendum required for synthetic data.

Related

Pairs Well With

In-App AI Assistant

The same tools, surfaced as a chat panel inside the EHR. For staff who don't want to leave the app.

Learn more

Security & Compliance

BAA, RLS, audit, encryption-at-rest, SOC 2 posture. The whole stack.

Learn more

Pricing

Production-tier MCP is included with every paid plan. Free $10/month AI pool on every tenant.

Learn more

See MCP Working in Your Clinic

Book a 20-minute demo. We'll connect Claude to a sandbox tenant live and answer any architecture or compliance questions.

Book a Demo