The hype: deploy a fleet of AI agents across scheduling, coding, documentation, and clinical decision support. They coordinate, share context, and get smarter together.
The reality: new research shows that when agents talk to agents, they leak information across boundaries with no concept of who should—or shouldn't—see it.
In healthcare, that's not a bug report. That's a HIPAA violation.
The Boundary Problem, Explained
Researchers studying multi-agent interactions identified a fundamental architectural flaw: agents disclose "artifacts"—information pulled from email servers, databases, messaging platforms—without any reliable mechanism for determining access boundaries. Their finding was blunt: there is no "reliable private deliberation surface in deployed agent stacks."
Translation: when Agent A hands context to Agent B, there's no enforceable policy layer governing what gets shared, what gets redacted, and what stays siloed.
For a fintech company, this might mean a customer's transaction history leaks into a marketing agent's context window. Annoying. Maybe a compliance headache.
For a health system running multi-agent workflows across clinical documentation, scheduling, and billing? You just gave the scheduling agent access to a patient's psychiatric notes. Or the coding agent shared diagnosis details with a third-party billing service agent that has no BAA in place.
Why This Is Architecturally Hard
The problem isn't prompt engineering or guardrails. It's structural.
Modern agent frameworks—LangGraph, CrewAI, AutoGen—treat context as fluid. That's the point. Agents share memory, pass state, and build on each other's outputs. But healthcare data isn't fluid. It's segmented by regulation, consent, and access policy.
Consider a real workflow:
- A clinical documentation agent processes a physician's dictation
- A coding agent receives the note and assigns ICD-10 and CPT codes
- A prior auth agent takes the codes and submits to the payor
- A scheduling agent books the follow-up based on the care plan
Each handoff is a potential PHI boundary violation. The coding agent needs diagnosis info but shouldn't retain the full clinical narrative. The prior auth agent needs codes and maybe supporting documentation—not the patient's social history. The scheduling agent needs appointment type and urgency. Nothing else.
No mainstream agent orchestration framework enforces this today.
What Healthcare-Grade Multi-Agent Architecture Actually Requires
Context-aware data minimization at every handoff. Each agent receives the minimum viable context for its task. This isn't optional filtering—it's an architectural pattern. Think column-level security applied to agent context windows. You define a schema for each inter-agent interface, and everything outside that schema gets dropped before it touches the next LLM call.
Enforceable information boundaries, not advisory ones. Prompt-level instructions like "do not share PHI" are not controls. They're suggestions to a stochastic system. You need programmatic redaction and policy enforcement at the orchestration layer—before context hits the LLM. This means NER-based PHI detection, deterministic redaction pipelines, and policy-as-code governing every agent-to-agent data exchange.
Audit trails that capture inter-agent data flow. HIPAA requires accounting of disclosures. When Agent A shares data with Agent B, that's a disclosure. Your agent orchestrator needs to log what was shared, with whom, under what authority, and for what purpose. Most agent frameworks log token counts and latency. Almost none log data lineage.
Role-based agent scoping tied to your existing IAM. Agents should inherit access policies from the roles they serve, not operate with god-mode access to your data layer. If the scheduling department can't see psychiatric notes in your EHR, neither can the scheduling agent. Full stop.
This Is a Data Engineering Problem
Here's where healthcare data teams need to pay close attention. The boundary problem isn't an AI problem—it's a data architecture problem.
Your agent layer will only be as safe as the data layer underneath it. If your Snowflake warehouse has no row-level security, no dynamic data masking, no fine-grained access controls, you cannot expect the agent orchestration layer to magically enforce boundaries that don't exist in your platform.
Teams building multi-agent healthcare workflows need to design for:
- Data contracts between agents—explicit schemas defining what goes in and what comes out of each handoff
- Policy-as-code for PHI segmentation enforced at the orchestration layer, not the prompt layer
- Integration with existing consent management and access control systems—42 CFR Part 2 doesn't disappear because you added an LLM
- Real-time audit logging that maps inter-agent data flows to HIPAA disclosure requirements
The Race Without the Foundation
The industry is sprinting. AWS just launched Amazon Connect Health, embedding agentic AI directly into healthcare contact center workflows. Every major EHR vendor is building agent capabilities. Startups are shipping multi-agent clinical workflows monthly.
But the foundational question remains unanswered: how do you let agents collaborate on a patient's care journey without violating the privacy boundaries that govern that journey?
If your team is building agentic AI in healthcare and you haven't designed your inter-agent data governance model yet, you're not building a product. You're building a liability. The organizations that solve the boundary problem first—that build healthcare-grade agent orchestration with privacy-by-design baked into every handoff—will define the next era of clinical AI. Everyone else will be explaining their architecture to OCR investigators.