Artificial Intelligence

AWS and Bluesight’s new AI layer slashes hospital 340B compliance from weeks to minutes

Published

on

Why hospital pharmacy teams spend 4,000 hours a year on a single compliance task

Every year, a single hospital covered under the federal 340B drug pricing program can burn more than 4,000 staff hours just checking whether Group Purchasing Organisation (GPO) drug purchases qualify for an exception. That is nearly two full-time employees dedicated to comparing purchase data against FDA shortage notices, ASHP records, inventory levels, machine-learning shortage forecasts, and back-order reports from other hospitals. It is manual, repetitive, and expensive.

Now Amazon Web Services and Bluesight say they have built an AI layer that can do most of that work in minutes. The product, called Prism, connects hospital pharmacy and compliance data across Bluesight’s existing suite of tools. Its first module, Prism Assistant for ControlCheck, has reached general availability and is already operating across 20 health systems.

A second, more ambitious agent—designed to handle full 340B GPO compliance—is scheduled for release later in 2026.

How Bluesight built Prism Assistant in three days

Bluesight started with ControlCheck, its controlled-substance monitoring product. Hospital diversion teams use it to spot unusual medication transaction patterns. But compliance staff still had to manually assemble reports, review dashboards, and correlate findings. That is where Prism Assistant comes in.

It offers a conversational interface that can query ControlCheck data, generate charts, and produce report material. AWS claims Bluesight built the first version during a three-day Experience-Based Acceleration engagement in September 2025. Eight Bluesight engineers worked alongside seven AWS specialists. While those rapid timelines highlight the agility of the tools, they remain vendor-reported metrics—independent verification from the active health systems is still pending.

The technical architecture is worth unpacking. The team used Strands Agents with Amazon Bedrock and hosted the application through Amazon Bedrock AgentCore Runtime. AgentCore Gateway exposed more than 10 ControlCheck APIs as MCP tools, allowing the agent to discover and call them during a user request.

Crucially, Bluesight avoided giving the language model direct database access. Instead, engineers wrapped existing ControlCheck API endpoints in AWS Lambda functions that return structured data suited to agent processing. Business logic stayed inside the application layer. The agent simply interpreted questions, selected tools, gathered records, and presented results.

AWS reports that design reduced query latency from five minutes to 10 seconds. The deployment also includes a frontend with chart generation, observability controls, cost attribution, encryption, authentication, and infrastructure-as-code.

“This is exactly what diversion program leaders have been waiting for—it gets them to answers faster and takes the manual grind out of every investigation,” said Samir Neyazi, Director of Product Management at Bluesight.

The 340B GPO compliance agent: multi-product orchestration

The bigger challenge is GPO compliance. Federal 340B rules prohibit Disproportionate Share, Children’s, and Free-Standing Cancer hospitals from buying outpatient drugs through GPO contracts when non-GPO channels can supply the drug. Compliance teams must document the exception when supply conditions prevent that purchase route.

Bluesight’s planned GPO agent brings together records from three products: CostCheck (purchase information), ShortageCheck (drug availability evidence), and 340BCheck (eligibility data). The proposed architecture uses Anthropic Claude Sonnet 4.6 as the primary model and Claude Haiku 4.5 for lower-latency operations, both running through Amazon Bedrock.

A coordinating GPO agent directs specialist data workers. One retrieves purchase records, another gathers supply evidence, and another checks 340B eligibility. The coordinator assembles the evidence and produces an audit-oriented report.

March 2026 brought a second AWS acceleration engagement focused on that architecture. AWS says the team connected the system by the end of its first day and completed every planned feature by day two. The company tested the agent against synthetic data, where it reported a 100 percent invoice discovery rate and 93 percent evidence justification accuracy—above its 85 percent target.

But enterprise buyers should exercise caution. Those figures do not represent production performance across hospital customers. Synthetic testing can demonstrate whether tool calls, matching logic, and report generation work against prepared scenarios. It cannot establish how the system handles local data gaps, delayed shortage updates, unusual drug identifiers, or disputed purchasing cases.

Why compliance scoring stays outside the language model

Bluesight assigns the language model a constrained role in the GPO workflow. The model gathers records, calls product tools, and drafts the explanation. A deterministic scoring service calculates the compliance determination.

That service evaluates 13 evidence inputs, applies priority-based matching, and uses configurable time windows. The design gives compliance teams a repeatable scoring process rather than an LLM-generated judgement. An auditor can inspect the source records, the rules applied, and the sequence of tool calls behind each determination.

Despite the automated assistance, hospital pharmacy, legal, and compliance teams still need absolute ownership of those policy settings. A supplier shortage threshold, acceptable inventory period, or purchase-date window can alter a compliance outcome. Bluesight’s approach gives customers a technical mechanism to configure those decisions, but each organisation must set and approve its own policy rules.

HIPAA controls, audit trails, and real-world performance

Amazon Bedrock holds HIPAA eligibility, and Bluesight operates under a Business Associate Agreement with AWS. AWS says it does not train foundation models on customer data processed through Amazon Bedrock.

Bluesight uses Amazon Cognito for OAuth2 client-credential authentication and JSON Web Token validation. AgentCore Runtime provides session isolation for concurrent customer requests. AWS Key Management Service encrypts data at rest and in transit, while AWS Secrets Manager manages credentials for downstream services.

Amazon CloudWatch records agent decisions, tool invocations, data-access events, alarms, and performance metrics. That audit trail matters when a hospital needs to explain why it permitted a GPO purchase or escalated a drug-diversion pattern.

Bluesight’s internal measurements across 20 health systems report up to 97 percent faster report generation and analysis in ControlCheck workflows. Recurring reports reportedly dropped from about six hours of manual assembly to 15 minutes—a 96 percent reduction. Pre-investigation triage dropped from three hours to about 10 minutes, while controlled-substance variance analysis fell from 30 minutes to less than one minute.

Teams should strictly run historical purchasing cases in parallel with existing review processes before allowing an agent-assisted result to affect compliance decisions. Local testing should rigorously examine data completeness, drug-code matching, shortage timing, exception rules, and cases where human reviewers previously disagreed. Each production finding should retain the scoring-rule version, source evidence, and tool trace that produced it.

For more on how AI is reshaping healthcare operations, see our coverage of AWS GraphRAG deployment cuts drug research cycles by 87% and AI for hospital pharmacy automation trends.

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending

Exit mobile version