InboxMD is an AI-powered tool that helps physicians draft replies to patient InBasket messages. It learns your writing style and generates responses in your voice.

Is InboxMD HIPAA compliant?

Yes. InboxMD never stores patient messages or AI drafts. All PHI exists only in your browser during the active session. Infrastructure runs on AWS with a signed Business Associate Agreement.

Does InboxMD work with Epic?

Yes. InboxMD works with Epic, Cerner, and any EHR. Simply copy a patient message, paste it into InboxMD, and copy the AI draft back to your EHR.

How much does InboxMD cost?

InboxMD costs $35/month or $299/year. There is a 14-day free trial with no credit card required.

Does InboxMD store patient data?

No. InboxMD has a zero-PHI-persistence architecture. Patient messages and AI drafts are never written to any database. They exist only in your browser during the active session.

InboxMDAPI Documentation

InboxMD API

Integrate AI-powered InBasket drafting into your EMR or health system. Same HIPAA-compliant infrastructure, zero PHI persistence.

Base URL: https://inboxmd.ai/api/v1Auth: Bearer tokenFormat: JSON

Authentication

All API requests require a Bearer token. Generate API keys in Settings.

curl https://inboxmd.ai/api/v1/draft \
  -H "Authorization: Bearer inmd_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"patient_message": "..."}'

HIPAA: All API calls are encrypted via TLS. PHI is never stored — it exists only during the inference request. API keys are hashed at rest (SHA-256).

Endpoints

POST/v1/draft— Generate a draft reply

POST/v1/draft/refine— Refine an existing draft

POST/v1/ocr— Extract text from a medical screenshot

GET/v1/usage— Get usage statistics

POST /v1/draft

Generate an AI draft reply to a patient message. Uses Claude Sonnet 4.6.

Request

{
  "patient_message": "Hi Doctor, I need a refill on my lisinopril 10mg.",
  "chart_context": "Hx: HTN, well-controlled. Last BP 118/76.",
  "direction": "approve refill",
  "tone": "concise",
  "stream": false
}

Field	Type	Required
patient_message	string	Yes
chart_context	string	No
direction	string	No — physician's intent (e.g. "approve refill")
tone	string	No — professional, concise, friendly, formal
stream	boolean	No — default false. If true, returns SSE stream

Response

{
  "draft": "I'll send a refill for your lisinopril 10mg to your pharmacy today. Please allow 24-48 hours for processing. Take care!",
  "model": "sonnet-4.6",
  "tokens_used": 142,
  "request_id": "req_a1b2c3d4e5f6"
}

curl Example

curl -X POST https://inboxmd.ai/api/v1/draft \
  -H "Authorization: Bearer inmd_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "patient_message": "I need a refill on my blood pressure medication.",
    "direction": "approve refill"
  }'

POST /v1/draft/refine

Refine an existing draft. Uses Claude Haiku 4.5 (faster, cheaper).

curl -X POST https://inboxmd.ai/api/v1/draft/refine \
  -H "Authorization: Bearer inmd_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "draft": "I will send a refill for your lisinopril...",
    "action": "shorten"
  }'

Field	Type
draft	string (required) — the current draft text
action	string (required) — shorten, polish, or elaborate

POST /v1/ocr

Extract text from a medical screenshot. Accepts multipart form or base64 JSON.

# Multipart form upload
curl -X POST https://inboxmd.ai/api/v1/ocr \
  -H "Authorization: Bearer inmd_live_xxxxxxxxxxxx" \
  -F "image=@screenshot.png"

# Base64 JSON
curl -X POST https://inboxmd.ai/api/v1/ocr \
  -H "Authorization: Bearer inmd_live_xxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"image": "base64...", "media_type": "image/png"}'

GET /v1/usage

Get your usage statistics.

curl https://inboxmd.ai/api/v1/usage \
  -H "Authorization: Bearer inmd_live_xxxxxxxxxxxx"

{
  "today": { "drafts": 12, "refinements": 5, "ocr": 2 },
  "this_month": { "drafts": 245, "refinements": 89, "ocr": 15 }
}

Rate Limits

Endpoint	Limit
/v1/draft	100 per day
/v1/ocr	50 per day
/v1/draft/refine	No limit

Exceeded limits return 429 with a Retry-After header.

Error Codes

Code	Meaning
401	Invalid or missing API key
403	BAA not signed or subscription inactive
429	Rate limit exceeded
502	AI service temporarily unavailable

HIPAA Compliance

All API calls encrypted via TLS (HTTPS only)
Zero PHI persistence — patient messages and drafts are never stored
API keys hashed at rest with SHA-256
AI inference via AWS Bedrock (HIPAA BAA-covered, data not used for training)
Same BAA covers web app and API usage
Usage logs contain only action types and timestamps — no message content