CMS Health Tech Ecosystem

Conversational AI Assistants — CMS Pledge

Last Updated: April 30, 2026

TendTo participates in the CMS Health Tech Ecosystem as a pledged Patient-Facing App in the Conversational AI Assistants category. This page is the canonical disclosure for CMS reviewers, patients, and caregivers.

The Pledge (verbatim)

We pledge to build conversational AI assistants that connect to CMS Aligned Networks or personal health record apps, and with patient consent, securely access relevant health information and use this information to deliver personalized, helpful support. Our tools will clearly distinguish educational content from clinical guidance, assist patients directly when appropriate and guide them to care from a health professional when needed.

The Assistant — Tali

Tali is TendTo's AI care companion. It assists family caregivers managing the health of an adult loved one. Tali is designed for non-emergent education, coordination, and care planning — never as a replacement for clinical judgment.

Connection to a CMS Aligned Network

TendTo connects directly to Medicare Blue Button 2.0, the CMS-operated FHIR R4 endpoint for Medicare beneficiaries. Caregivers grant access via OAuth 2.0 with PKCE; access and refresh tokens are encrypted at rest with AES-256-GCM. From this CMS Aligned Network, TendTo imports Patient demographics, MedicationStatement, Coverage, ExplanationOfBenefit, AllergyIntolerance, Condition, Appointment, and Observation resources into the caregiver's care circle.

Data Sources Tali May Read (with consent)

  • FHIR-imported clinical data from Medicare Blue Button 2.0 — claims, Part D medications, Coverage, EOBs.
  • Caregiver-entered data — medications, allergies, conditions, providers, appointments, journal notes, uploaded documents (insurance, legal, medical).

Tali never reads FHIR-imported data without explicit, opt-in consent recorded per care circle. Consent is revocable at any time from Settings → Connections. Every grant or revocation creates an entry in the activity log so the change is auditable.

AI Providers

  • Anthropic Claude (primary) — chat, insights, OCR. TendTo operates under a Business Associate Agreement (BAA) with Anthropic.
  • Google Gemini (backup) — automatic failover on rate limit, timeout, or 5xx response.

Caregiver and patient data is never used to train these providers' foundation models. Direct identifiers are stripped from messages before they leave TendTo's servers and are restored client-side after the model responds.

Educational Content vs. Clinical Guidance

Every Tali response is labeled with one of three channels:

  • Educational — definitions, concepts, general information.
  • Clinical guidance — context-specific suggestions for the caregiver about this patient.
  • See a clinician — escalation when the question is beyond Tali's scope or when curated red-flag symptoms are detected.

Each response also carries an "AI-generated" badge and a per-conversation medical disclaimer.

Crisis & Emergency Routing

For life-threatening symptoms (chest pain radiating to arm, sudden severe headache, anaphylaxis, suicidal ideation, loss of consciousness, GI bleeding, sepsis signs), Tali routes immediately to 911, 988 Suicide & Crisis Lifeline, or Crisis Text Line. This routing is deterministic — implemented in server-side red-flag detectors that run before and around model output, so it cannot be overridden by the model. The same detector also forces an actionable "See a clinician" card on any matched red flag.
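A minimal sketch of a deterministic gate of this kind, added here as an illustration and not TendTo's code. The patterns, channel identifiers, function names, the `call_model` callable and the fail-closed handling of unknown labels are all assumptions.

```python
import re
from typing import Callable

# Constructed, illustrative patterns; a real list would be clinically curated.
RED_FLAGS = {
    "cardiac": (re.compile(r"chest pain.*\barm\b", re.I | re.S), "911"),
    "self_harm": (re.compile(r"\b(suicid\w*|kill (myself|himself|herself))\b", re.I), "988"),
    "anaphylaxis": (re.compile(r"\b(anaphyla\w*|throat (is )?(closing|swelling))\b", re.I), "911"),
    "unconscious": (re.compile(r"\b(unconscious|passed out|unresponsive)\b", re.I), "911"),
}
CHANNELS = {"educational", "clinical_guidance", "see_clinician"}  # assumed identifiers


def detect(text: str) -> list[tuple[str, str]]:
    """Return (flag, route) for every matching pattern; plain regex, no model involved."""
    return [(name, route) for name, (rx, route) in RED_FLAGS.items() if rx.search(text)]


def _escalate(hits, text, model_called):
    # Build the forced "See a clinician" card from detector hits only.
    return {"channel": "see_clinician", "routes": sorted({r for _, r in hits}),
            "flags": [f for f, _ in hits], "text": text, "model_called": model_called}


def answer(user_msg: str, call_model: Callable[[str], dict]) -> dict:
    # Pre-check: a match on the user's message short-circuits the model call,
    # so instructions embedded in the prompt cannot talk the routing away.
    hits = detect(user_msg)
    if hits:
        return _escalate(hits, None, False)
    reply = call_model(user_msg)
    text = reply.get("text", "")
    # Post-check: the model's own channel label is advisory; a red flag in its
    # output forces escalation whatever label it chose.
    hits = detect(text)
    if hits:
        return _escalate(hits, text, True)
    channel = reply.get("channel")
    if channel not in CHANNELS:
        channel = "see_clinician"  # assumption: fail closed on an unknown label
    return {"channel": channel, "routes": [], "flags": [], "text": text, "model_called": True}
```

Because `detect` is the only code that decides routing, the gate can be unit-tested without a model in the loop.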

Security & Compliance

  • HIPAA-aligned operation; BAAs in place with all subprocessors that touch PHI.
  • Postgres row-level security on every table, scoped to care-circle membership.
  • AES-256-GCM encryption for FHIR OAuth tokens; TLS 1.2+ in transit.
  • Per-user and per-circle audit logging (activities, fhir_activity_log, ai_usage).
  • Per-circle AI rate limiting.
  • CSRF double-submit cookie on every mutating endpoint.
  • Crisis routing runs deterministically before model invocation.
  • HITRUST i1 self-assessment is on the roadmap (target Q3 2026).

Reviewer Contact

For CMS review, security questions, or HIPAA inquiries: [email protected]
