Feature brief and evidence base for the shipped platform intelligence layer: cross-context RAG available to AI chat, onboarding, and the provider portal; a secure clinical notes-to-learning-path engine; and a patient compliance report patients can share with their provider to demonstrate between-session engagement.
Start with the clinical workflow: provider notes enter the portal, the system runs a privacy scan, recommends courses, sends the student a learning-path link, and later supports a student-owned progress share link.
Three things separate a platform from a Claude-shell-with-prompts
Where AI is bounded out. How research enters the build. What the gate looks like that says no. Each item below maps to a published framework, not a vibe.
01 · AI bounded OUT of the crisis path OWASP LLM06 · NIST 600-1 G-9
MAIA classifies signals. A deterministic state machine with 7 PMHNP-curated templates generates every crisis response. No LLM ever writes the safety reply. Excessive-agency risk is closed at the architecture layer, not patched at the prompt layer.
02 · Promotion gate has already rejected models NIST AI RMF MS 2.1
A model can clear in-distribution accuracy and still fail real-world spot-check. That has happened here. Receipts live in the repo. Strong benchmark numbers do not ship to users until the human gate signs off.
03 · Research tiers gate every clinical claim ISO 42001 A.5 · A.7
Four-tier evidence hierarchy. Tier-1 (peer-reviewed) and Tier-2 (clinical guideline) are required to ground any shipped clinical or behavioral claim. Vendor blogs sit at Tier-4 and cannot back a production assertion. Research briefs carry an expires date and are re-reviewed on cadence.
Input sanitization, delimiter hardening, output validation. Tenant-leak harness in CI. PHI-aware logging redacts automatically when compliance.phi: true. Per-conversation cost tracking with automatic model swap at $0.15/conversation. Per-user and per-session token budgets with hard caps.
Frameworks aligned · not certified
Alignment + readiness against published standards; ISO 42001 certification is a 3-year audit cycle and is on the roadmap, not claimed today. EU AI Act readiness is tracked against the August 2, 2026 enforcement date.
Control · Framework Mapping
Every shipped control maps to a named, versioned framework
Reviewers and enterprise buyers do not have to take a vibe-check on credibility. Each control below ties to an external reference document and an evidence location in the repo.
Shipped Control
Framework + ID
Evidence Location
Deterministic crisis state machine (7 PMHNP templates)
OWASP LLM06 · NIST AI 600-1 G-9
/screening/state-machine/
MAIA classifier-before-LLM routing
OWASP LLM01 · NIST AI RMF MG 1.1
/maia/router/
Prompt injection three-layer defense
OWASP LLM01:2025
/middleware/prompt-guard/
Tenant isolation harness (CI-enforced)
OWASP LLM06 · LLM08 · CSA AISMM IAM
/tests/tenant-leak.spec.ts
PHI-aware structured logging
ISO 42001 A.7 · NIST AI 600-1 G-4 · HIPAA
/lib/log/redact.ts + manifest compliance.phi
Per-conversation cost tracking + auto-swap
OWASP LLM10 (Unbounded Consumption)
/cost/budget-guard/
Promotion gate (real-world spot-check)
NIST AI RMF MS 2.1 · MEASURE
/registry/active.json + /promotion-gate/
Research tier classification (T1-T4)
ISO 42001 A.5 · A.7
/docs/research/briefs/ with frontmatter source_quality
Versioned system prompts, PR-reviewed
OWASP LLM07 · NIST SSDF PW.4
/prompts/ with git history
SBOM + signed releases (Syft + cosign)
NIST SSDF PS · G7 SBOM-for-AI · SLSA L2
CI artifact store
AI model inventory + provider allowlist
NIST AI RMF GV 2.1 · MAP 4.1
/docs/ai-governance/model-inventory.yaml
Quarterly governance review checklist
CSA AISMM (target L3) · ISO 42001 A.6
/docs/ai-governance/quarterly-review.md
Threat models per AI feature
NIST AI RMF MAP · MITRE ATLAS
/docs/ai-governance/threat-models/
AI transparency disclosure (UI labels)
EU AI Act Art. 50 · ISO 42001 A.8
UI components + footer disclosure
Current maturity target
CSA AI Security Maturity Model Level 3 (Defined): full OWASP LLM Top 10 controls, automated prompt-injection testing in CI/CD, guardrail layer in production, AI audit logging active, quarterly governance reviews running. L4 (Capable) is the next-quarter target: red-team cadence, provider assessments, ISO 42001 impact assessments per feature.
Executive Summary
Three capabilities that turn the research thesis into shipped product evidence
The previous platform architecture already contained the infrastructure to improve patient outcomes — MBC instruments, AI coaching, MAIA safety pipeline, and a retrain flywheel. The three capabilities specified here are the data and clinical integration layer that makes those mechanisms work across every surface of the platform, not just the coaching session.
High-performance RAG transforms the AI coach from a generic responder into a context-saturated clinical expert. Hybrid vector + BM25 retrieval with cross-encoder reranking means the coach, onboarding engine, and provider portal all answer from DWA's own evidence-linked content corpus — not from generic LLM training data. Research confirms that RAG with clinical domain data dramatically outperforms base LLM accuracy (Mayo Clinic: general LLMs hit under 40% accuracy on medical questions without RAG).
The clinical notes-to-learning-path engine is the feature that makes the provider the highest-leverage user of the platform. A clinician uploads or pastes session notes; the system parses clinical themes (symptoms, goals, barriers, interventions), maps them to DWA's lesson corpus via RAG, and generates a draft personalized learning path — in under 60 seconds, shareable to the patient with one click. This mirrors the two-stage RAG-based MedPlan architecture (350,000+ SOAP notes training corpus) and is the direct operational implementation of the "between-session care" outcome driver in the clinical evidence base.
The patient compliance report closes the loop. Every lesson completed, thought record submitted, assessment answered, and AI coaching session logged becomes the evidence that the patient brings back to their provider. A signed URL or downloadable PDF — generated on demand, scoped to a date range, never stored permanently in that form — makes between-session engagement observable and documentable. Research shows text-based compliance reporting in CBT significantly shapes homework adherence, and compliance with between-session work is independently predictive of better outcomes.
DWA's current RAG pipeline is correct in architecture (2,400+ embedded content chunks, cosine similarity retrieval, injected into coaching context). Adding high-performance retrieval upgrades this from a single-context lookup into a full-platform intelligence layer available to four distinct surfaces: the AI wellness coach, the onboarding intake flow, the provider portal session-prep brief, and the clinical notes-to-learning-path engine. The same corpus serves all four — with per-surface retrieval configuration and strict per-patient/per-practice PHI isolation.
Why RAG Over Fine-Tuning Here
Fine-tuning encodes knowledge into model weights and requires retraining on every content update. RAG "augments capabilities by retrieving and incorporating external information at runtime," meaning the content library can be updated — new lessons added, evidence grades revised, new assessments mapped — without any model update. For a 922-lesson corpus that grows with each new clinical school, RAG is the correct architectural choice. Fine-tuning is reserved for the MAIA distress classifier, where domain-specific behavioral signals genuinely require weight-level learning.
High-performance production RAG in clinical settings requires three retrieval layers. Pure vector search captures semantic meaning but misses exact term matches — critical when a patient mentions "PHQ-9" or "GAD-7" or a specific diagnosis. Pure BM25 keyword search captures exact terms but misses paraphrase and concept-level matches. Hybrid search via Reciprocal Rank Fusion (RRF) combines both, then a cross-encoder reranker re-evaluates the top-N candidates against the original query to surface the single most relevant chunk.
1
Query Reception
User query (patient message, onboarding answer, provider note fragment) arrives at the retrieval orchestrator. Tenant ID and patient ID are injected from the auth layer — never from the user input. Per-session context window is loaded.
↓
2
Dual Retrieval (Parallel)
Vector path: query embedded → cosine similarity against 2,400+ content chunks in the vector store, filtered by tenant_id + patient_id metadata. Returns top-20 candidates. BM25 path: keyword index search on same corpus, same metadata filter. Returns top-20 candidates. Both run in parallel.
↓
3
Reciprocal Rank Fusion
RRF merges the two ranked lists into a single ordered set without requiring raw score normalization. A document ranked #1 in both lists scores highest. Documents appearing in only one list are still included — recall is preserved, not sacrificed for precision.
↓
4
Cross-Encoder Reranking (Clinical Accuracy Gate)
The fused top-10 candidates are passed to a cross-encoder reranker (bge-reranker-base or equivalent). Unlike bi-encoder embeddings that score query and document independently, a cross-encoder jointly encodes the full query + each candidate — producing the most accurate relevance judgment. This is the layer that catches ranking errors before context injection.
↓
5
Context Injection + Prompt Assembly
Top-3 to top-5 reranked chunks are injected into the surface-specific prompt template (coach, onboarding, provider portal, notes engine). Each surface has a different system prompt — the same retrieval layer, different instruction framing.
↓
6
MAIA Safety Gate (Coach Only)
For AI coaching surfaces, the assembled prompt passes through the MAIA distress classifier before LLM inference. Non-coaching surfaces (provider portal, onboarding summary) are not subject to MAIA — they don't involve real-time patient emotional content.
PHI Isolation in Multi-Tenant RAG
Multi-tenant RAG is a well-documented attack surface: a misconfigured retrieval query can surface one patient's clinical data to another. DWA's isolation model follows the metadata-filter pattern established in production PHI-safe RAG implementations: every embedded document is tagged at ingest with tenant_id (practice) and optionally patient_id. Every retrieval call filters on these metadata fields — pulled from the auth/session context on the backend, not from user input.
Content vs. Patient Chunks — Two Index Segments
The 2,400+ DWA lesson/content chunks are tenant-agnostic and shared across all practices. Patient-specific chunks (learning path notes generated from clinical notes, compliance summaries) are patient-scoped and never cross-retrieved. The vector store uses two logical namespaces: content_corpus (shared, read-only for all tenants) and patient_context (per-patient, write-restricted to the generating session). This eliminates the risk of patient A's clinical note fragments appearing in patient B's AI coaching response.
RAG Across the Four Surfaces
Surface
Query Source
Retrieval Config
Context Injected Into
PHI Scope
AI Wellness Coach
Patient message + WellnessProfile keywords
Hybrid + reranking, top-3 chunks
Coaching system prompt, per-turn
Patient-scoped
Onboarding Engine
Symptom intake answers + presenting concern
Hybrid, top-5 chunks (no reranking — latency priority)
The content corpus is a living index. When new lessons are added to DWA's 922-lesson library — new therapeutic schools, updated evidence grades, new assessment instruments — they are embedded and indexed without any model retraining required. The chunk size strategy (approximately 300–400 tokens per chunk, with 20% overlap for boundary context preservation) is already in place. The addition of hybrid search and reranking is a retrieval-layer upgrade, not a re-embedding event.
Evidence Citation
A Nature Digital Medicine study (2026) validated fine-tuned embedding models on real-world clinical documents and found domain-specific embeddings significantly outperform general-purpose embeddings for healthcare retrieval. JMIR 2026 and arXiv 2025 both confirm that RAG with clinical domain knowledge reduces hallucination and improves factual accuracy over base LLM responses. Mayo Clinic benchmark: general LLMs below 40% accuracy on medical questions without RAG augmentation. The hybrid search + reranking pattern is now the production standard for high-accuracy RAG, outperforming pure vector search in both recall and precision for clinical terminology queries.
Capability 2 of 3
Clinical Notes → Learning Path Engine
The Clinical Problem This Solves
A PMHNP completes a session with a patient presenting with generalized anxiety, sleep disruption, and avoidance behaviors. The provider now knows what the patient needs to work on between sessions. Without DWA, that knowledge lives in the session note and reaches the patient only if the clinician remembers to recommend specific resources at the end of the visit. With the clinical notes engine, the provider pastes or uploads the session note and DWA's engine does the following in under 60 seconds: extracts clinical themes, maps them to the lesson corpus via RAG, drafts a learning path, and surfaces a "Share with Patient" button.
Research Anchor: MedPlan Architecture
The MedPlan framework (arXiv 2025, trained on 350,000+ SOAP notes) demonstrates that a two-stage RAG-based pipeline — Assessment Generation from SOAP subjective/objective data, then Plan Generation from the assessment — significantly outperforms prior methods in generating clinically sound treatment plans. DWA's engine adapts this architecture for the specific task of learning path generation from behavioral health notes, replacing "treatment plan generation" with "personalized educational path generation from DWA's evidence-linked lesson corpus."
Feature Specification: What the Provider Sees
The feature lives in the Provider Portal as a new panel titled "Learning Path Generator." It is accessible only to NPI-verified providers. The workflow has five distinct steps from the provider's perspective:
1
Input: Upload or Paste
Provider pastes clinical note text (any format: SOAP, DAP, BIRP, free narrative) or uploads a file (PDF, .txt, .docx — no audio; no session recording required). The input field is clearly labeled: "Session notes are encrypted in transit, processed in an isolated pipeline, and never stored in their original form after processing." Character limit: 8,000 tokens (approximately 6,000 words — a full SOAP note).
↓
2
Processing: PHI Redaction + Theme Extraction
Before the note content is passed to any LLM, an on-premise NER (Named Entity Recognition) pass strips PHI identifiers (name, DOB, address, MRN). What remains is the clinical content: symptoms, presenting concerns, treatment goals, observed behaviors, interventions used. This de-identified clinical summary is what RAG and the LLM see. PHI never touches the general-purpose LLM API.
↓
3
RAG Retrieval: Theme → Lesson Mapping
Extracted clinical themes are sent to the RAG engine as structured queries: "GAD, sleep disruption, avoidance, cognitive restructuring goal." Hybrid + reranking retrieval returns the 8 most relevant DWA content chunks. These chunks include lesson metadata: lesson ID, course name, evidence grade, estimated completion time, recommended sequence order.
↓
4
Draft Generation: Learning Path with Rationale
The LLM generates a structured learning path draft with: (a) 3–7 recommended lessons in sequence order, (b) a one-sentence rationale for each lesson tied to a clinical theme from the note, (c) a suggested 2-week completion timeline, (d) one optional thought record or tracking log aligned to the primary presenting concern. The draft is editable — the provider can remove lessons, reorder, or add free-text instructions.
↓
5
Publish: Share Link or In-App Assignment
Provider clicks "Assign to Patient." The learning path is pushed to the patient's DWA dashboard as a named assignment (e.g., "Week of May 20 — Anxiety + Sleep Path"). A notification is sent to the patient's registered contact method. The provider also has the option to copy a shareable link or send via the secure message thread. The learning path is logged in the patient's timeline with a timestamp and the provider's NPI.
Privacy & HIPAA Architecture
The notes engine is the highest-PHI-risk feature in the platform, and its architecture is designed accordingly. Three distinct isolation principles apply:
PHI never leaves the provider's practice context. The note text is processed entirely within the tenant's isolated pipeline. The de-identified clinical summary — not the original note — is what reaches the RAG engine and LLM.
No original note is stored. After the learning path is generated, the original note text is discarded from working memory. What persists in the audit log is: provider NPI, timestamp, patient ID, and the generated learning path — not the input text.
Manifest-level enforcement. The compliance.phi: true flag already gates logging redaction, retention enforcement, and encryption. The notes engine is tagged in the manifest as feature: clinical_notes_engine with phi_input: true, triggering the additional PHI-input-handling pipeline that performs the NER redaction step before any external API call.
Why Not Store the Note?
HIPAA's minimum necessary standard requires that PHI handling be limited to what is necessary for the specific purpose. The purpose is learning path generation — not note archival. Storing the original note text creates unnecessary PHI liability without clinical value; the learning path and its audit trail are the actionable artifact. This design mirrors best practices for clinical AI processing: de-identify first, process the clinical abstraction, discard the source.
Existing clinical AI note tools (Clinically AI, Upheal, Freed AI) focus on generating documentation from sessions — writing SOAP notes from recordings. DWA's engine runs in the opposite direction: taking existing notes and generating patient-facing educational content. This is a distinct feature class with no direct equivalent in the behavioral health EHR market. The closest analogue is Psych Hub's "shareable psychoeducation" feature, but that requires the provider to manually browse and assign resources. DWA automates the mapping from clinical theme to evidence-linked content via RAG.
Between-session engagement is the most clinically predictive variable in digital mental health outcomes — and currently the least documented. When a patient walks into a session having completed 4 of 5 assigned lessons, logged mood data for 6 of 7 days, and submitted 2 thought records, that evidence should be visible to the provider before the session begins. When insurance reviewers ask for documentation of patient engagement in a digital therapeutic program, that evidence should be exportable in a standardized format. The patient compliance report makes both possible.
Research Basis
A 2017 JMIR study identified 6 essential features of an optimal CBT homework compliance app, including the ability to "guide therapy" and "report compliance to therapists." A 2024 systematic review in PMC found that technology-based compliance reporting solutions directly address barriers to homework implementation in mental health treatment. Text message-based compliance reporting in CBT (ProQuest 2024) was found to shape adherence and create a feedback loop that strengthens the therapeutic alliance. The compliance report feature implements these findings at the platform level.
What the Report Contains
The compliance report is generated on demand — by the patient, by the provider, or automatically on a configurable schedule (e.g., 48 hours before a scheduled session). It covers a selectable date range and compiles the following engagement data:
Lesson Completion Log
Each lesson completed: title, date, time spent, evidence grade. Lessons assigned but not yet completed are listed with due date. Completion rate as a percentage.
Thought Records Submitted
Count of thought records submitted in the period, with framework used (CBT thought record, worry log, behavioral experiment). No content — just submission evidence.
Mood & Symptom Log Activity
Days with at least one mood or symptom log entry in the period. Trend direction (improving / stable / declining) without exposing raw scores to the export.
AI Coach Session Count
Number of AI coaching sessions initiated. Total estimated time in coaching sessions. No transcript content — engagement signal only.
Clinical Assessments Completed
Which assessments were completed (PHQ-9, GAD-7, etc.), completion date, and whether scores changed relative to prior period. Score deltas are included only if the patient has consented to score sharing.
Overall Engagement Score
A single composite score (0–100) calculated from lesson completion rate, daily log frequency, thought record count, and coaching engagement — normalized to the period length.
Sharing Architecture: Signed URL + PDF Download
The patient has two sharing options, both initiated from the patient dashboard under "My Progress Reports":
Option A
Secure Signed Link
The platform generates a time-limited signed URL (72-hour default, configurable to 7 days). The URL contains an encrypted token that resolves to the report for that patient and date range. The provider opens the link in a browser — no DWA account required to view.
The link is single-use by default (access revokes after the first load) or multi-use (provider can reload within the window). The patient can revoke the link at any time from their dashboard.
The viewing session is logged in the patient's audit trail: link generated, access timestamp, viewer IP (not stored, just logged for security). No report content is stored server-side in rendered form — it is generated at access time from the underlying engagement data.
Option B
PDF Download
The patient downloads a branded PDF of the compliance report, suitable for printing or attaching to a message to their provider. The PDF includes: DWA logo, patient name (first name only by default), date range, all six data sections above, and a digital watermark with the generation timestamp.
The PDF does not contain raw assessment scores by default — only deltas and completion dates — unless the patient explicitly enables "Include full assessment scores" in report settings.
The PDF is generated on demand and not stored server-side. Downloads are logged in the audit trail (patient ID, timestamp, file hash) but the file itself is transient.
Consent and Control Design
The patient owns the compliance report. The provider sees the same data through the provider portal (patient timeline), but the shareable report is patient-initiated. This design respects the psychotherapist-patient privilege framework confirmed by the U.S. Supreme Court (Jaffe v. Redmond) and reinforced by HHS ASPE guidelines on mental health information sharing. The patient decides what to share, when, and with whom.
Default export: engagement metrics only — no raw PHI content, no session transcripts, no assessment raw scores.
Enhanced export: patient can optionally include assessment score trends (requires explicit opt-in at report generation time).
Revocable: signed links can be revoked by the patient at any time; PDF watermarks include a revocation timestamp if the patient later flags the report as no longer valid.
Audit trail: all report generation events are logged in the patient's audit record — when generated, by whom (always the patient), and when accessed via signed link.
Manifest Configuration
# dwa.manifest additions — compliance report featurefeatures:
compliance_report:
enabled: truepatient_initiated: trueprovider_view: true# provider portal timeline also shows reportexport_formats: ["signed_url", "pdf"]
signed_url_ttl_hours: 72
pdf_include_scores_default: false# patient opt-in required for raw scoresauto_generate_pre_session: true# generates 48h before a scheduled sessionauto_generate_hours_before: 48
phi: true# inherits PHI pipelineaudit_log_access: true
MAIA distress classification runs on every AI coaching message — this does not change. The new surfaces (clinical notes engine, compliance report generation) are non-real-time, provider-initiated, or patient-administrative flows. MAIA is not applied to these surfaces because they do not involve real-time patient emotional expression to the AI. The provider notes engine has its own safety constraint: if a note fragment contains language suggesting active crisis (e.g., suicide mention in the clinical assessment), a flag is appended to the generated learning path prompting the provider to confirm crisis protocol is active.
Deployment Phasing
Capability
Dependency
Phase
Blocking?
Hybrid RAG (BM25 + Vector)
BM25 index build on existing 2,400+ chunks
Phase 1
No — parallel to existing vector pipeline
Cross-encoder reranking
Phase 1 complete
Phase 1
No — additive retrieval step
RAG surface routing (4 surfaces)
Phase 1 complete
Phase 1b
No — configuration change in manifest
PHI isolation metadata filtering
Vector store metadata schema update
Phase 1b
Must precede clinical notes engine
Clinical notes engine (NER + RAG + LP gen)
Phase 1b complete; NER pipeline deploy
Phase 2
Requires PHI isolation gate
Patient compliance report (signed URL)
Engagement data model (already exists)
Phase 2
No — data already collected
Patient compliance report (PDF)
PDF generation service
Phase 2b
No — can use headless HTML-to-PDF
Auto-generate pre-session reports
Phase 2 complete; session scheduling integration
Phase 3
Requires scheduling hook
Section 5
Evidence Base and Updated Outcome Claims
How These Capabilities Strengthen the Evidence Claims
Evidence Claim
New Capability That Strengthens It
Mechanism
AI coach delivers evidence-based guidance
High-performance RAG
Coach now retrieves from DWA's own evidence-linked corpus, not general LLM training data. Hybrid + reranking eliminates the <40% accuracy problem documented in the Mayo Clinic benchmark
Between-session engagement predicts outcomes
Compliance report
Engagement is now measurable, documentable, and shareable — converting the evidence claim from theoretical to operational
Clinician augmentation (67% attendance uplift)
Clinical notes engine + compliance report
The notes engine reduces the provider's session prep burden; the compliance report surfaces patient engagement data the provider previously had no visibility into
MBC outcome prediction (87%+ accuracy)
Compliance report with assessment completion data
The compliance report ensures assessments are completed and visible; the provider can see completion patterns and intervene when assessments are skipped
MAIA flywheel — intelligence compounds
RAG corpus as a second flywheel
Every patient query that retrieves content refines retrieval relevance signal; every new lesson added to the corpus extends the intelligence without model retraining
Platform vs. point tool
All three capabilities
A point tool delivers either a chatbot or a notes generator or a progress dashboard. DWA delivers all three as one integrated, PHI-safe, clinician-facing + patient-facing platform from a single manifest
Key Research Citations Supporting These Capabilities
RAG accuracy in healthcare (HealthTech Magazine, 2025): RAG "allows organizations to curate more diverse, representative knowledge bases" and trace responses to source — critical for clinical defensibility. Mayo Clinic: general LLMs under 40% accuracy without RAG augmentation.
Clinical RAG resource efficiency (arXiv 2025): A RAG framework using only the most relevant text segments matches full-context performance — validating the top-3 to top-5 chunk injection architecture.
Hybrid search in production RAG (Towards Data Science, 2026): "Hybrid search and re-ranking" is now the production standard, combining BM25 keyword scores and dense vector similarity. Documents missed by pure vector search are recovered by BM25, and vice versa.
MedPlan two-stage RAG (arXiv 2025): Two-stage SOAP-aligned RAG pipeline for personalized treatment plan generation significantly outperforms prior LLM-only methods. Trained on 350,000+ SOAP notes.
Multi-tenant RAG isolation (LinkedIn Engineering, 2025): Metadata-filter isolation at the retrieval layer gives "95% of the security with much more flexibility" compared to per-tenant indexes — validating the shared corpus + metadata filter architecture.
CBT homework compliance mobile features (JMIR, 2017): 6 essential features of optimal CBT homework apps include compliance reporting to therapists — directly validating the compliance report feature design.
Technology-based compliance solutions (PMC, 2024): Technology solutions directly address barriers to homework implementation in mental health treatment — and compliance reporting strengthens therapist-patient collaboration.
Text-based compliance reporting in CBT (ProQuest, 2024): Text message-based reporting shapes adherence and creates a feedback loop strengthening therapeutic alliance.
HIPAA-compliant RAG for medical records (Kiteworks, 2026): Healthcare RAG must implement zero-trust security, PHI-isolated pipelines, and audit trails — all reflected in the architecture spec above.
Therapy adherence and clinical outcomes (PMC, 2025): Review confirms "profound influence of adherence on clinical outcomes, healthcare costs, and patient quality of life" — making compliance measurement and reporting a direct outcome lever.
Updated Platform Pitch — With These Three Capabilities
"DWA is now the only behavioral health platform where a clinician can paste a session note, receive a personalized learning path in under 60 seconds, assign it to the patient with one click, and receive a documented compliance report before the next session — all within a PHI-safe, HIPAA-by-design architecture that gets more clinically accurate with every patient interaction."