Clinical MCP Server

Clinical MCP Server

A governed, audited Model Context Protocol server that provides AI agents with secure, read-only access to a clinical knowledge base through least-privilege tools, policy validation, and append-only audit logging.

Category
Visit Server

README

<div align="center">

Clinical MCP Server

A governed, audited Model Context Protocol server that gives any AI agent secure, read-only access to a clinical knowledge base. Least-privilege tools · policy validation · append-only audit trail.

Python MCP FastMCP License

English · Italiano

<br>

Live demo — an AI agent (Claude Desktop) calls the governed tools, gets a least-privilege patient summary, and is blocked when it requests a real patient name

</div>


Why this exists. Connecting an AI agent to enterprise data is easy. Connecting it safely is the hard part — and the part regulated organizations actually pay for. The risk is not the model; it is an agent with an open execute_query(sql) hatch over patient data. This server is the opposite: a small set of named, typed, least-privilege tools, every call validated against a policy and written to an append-only audit log. The agent can only do what the server deliberately exposes — nothing more.

This is the agent-facing front door to the Clinical RAG Engine. Where the RAG engine answers natural-language questions, this MCP server lets an autonomous agent decide when and how to query it — under strict, auditable constraints.

Data disclaimer. All clinical records are 100% synthetic, generated with scripts/generate_synthetic_data.py. No real patient data is present, referenced, or required.


What an agent can (and cannot) do

The agent never sends raw SQL or free text identifiers. It calls capabilities, not queries.

Tool Validated input Returns Guardrail
search_clinical_notes query: str, limit: int ≤ 10 grounded answer + cited snippets delegates to the RAG engine; citations capped
get_patient_summary patient_pseudo_id matching PT-\d{4} age, sex, diagnosis, therapy pseudo-IDs only; never returns the free-text note
aggregate_diagnoses top_n: int ≤ 20 counts per diagnosis aggregation only, no row-level export

Every call passes through the policy layer before execution and is appended to the audit log (ts / tool / params / row_count).


Architecture

   ┌──────────────┐      MCP (stdio / HTTP)      ┌──────────────────────────────┐
   │   AI Agent    │  ───────────────────────▶   │      Clinical MCP Server       │
   │ (Claude       │                              │                                │
   │  Desktop,     │  ◀───── tool results ─────   │  ┌──────────────────────────┐ │
   │  Cursor, ...) │                              │  │  TOOL REGISTRY (allow-list)│ │
   └──────────────┘                               │  │  • search_clinical_notes  │ │
                                                   │  │  • get_patient_summary    │ │
                                                   │  │  • aggregate_diagnoses    │ │
                                                   │  └────────────┬─────────────┘ │
                                                   │               ▼                │
                                                   │  ┌──────────────────────────┐ │
                                                   │  │  POLICY + AUDIT LAYER      │ │
                                                   │  │  • typed param validation  │ │
                                                   │  │  • pseudo-ID enforcement    │ │
                                                   │  │  • append-only audit log    │ │
                                                   │  └────────────┬─────────────┘ │
                                                   └───────────────┼────────────────┘
                                                                   ▼
                                       ┌──────────────────────────────────────────┐
                                       │  READ-ONLY data access                     │
                                       │  • semantic search → Clinical RAG Engine    │
                                       │  • structured view → local JSON snapshot    │
                                       └──────────────────────────────────────────┘

Key principle: least privilege by construction. Three narrow tools beat one powerful one. There is no generic query escape hatch anywhere in the codebase.


Tech Stack

Layer Technology Notes
Language Python 3.11+ Type-hinted, ruff-clean.
Protocol Model Context Protocol Official mcp Python SDK (FastMCP).
Transport stdio + streamable HTTP stdio for local agents, HTTP for remote.
Semantic search Clinical RAG Engine Reached over HTTP — services stay decoupled.
Structured data local JSON view Read-only; no write/update/delete path.
Validation Pydantic Typed tool schemas and models.
Governance policy + audit modules Allow-listed tools, capped limits, audit trail.

Quickstart

Prerequisite: Python 3.11+. The semantic-search tool also needs the companion Clinical RAG Engine running; the structured tools work standalone.

# 1. Clone and enter
git clone https://github.com/dianapopovici/clinical-mcp-server.git
cd clinical-mcp-server

# 2. Environment
python -m venv .venv && source .venv/bin/activate    # Windows: .venv\Scripts\activate
pip install -r requirements.txt
pip install -e .    # install the clinical_mcp package itself (src/ layout)

# 3. Generate the synthetic read-only data view
python scripts/generate_synthetic_data.py --records 200

# 4a. Run over stdio (for local agents like Claude Desktop)
python -m clinical_mcp --transport stdio

# 4b. Or run over HTTP (for remote agents)
python -m clinical_mcp --transport http

Windows note: there is no make here — run the commands above directly.


Connect it to Claude Desktop

Add this to your Claude Desktop claude_desktop_config.json (an example lives in examples/claude_desktop_config.json):

{
  "mcpServers": {
    "clinical": {
      "command": "python",
      "args": ["-m", "clinical_mcp", "--transport", "stdio"],
      "cwd": "/absolute/path/to/clinical-mcp-server"
    }
  }
}

Restart Claude Desktop and the three clinical tools become available to the agent.


Governance, concretely

  • Least privilege. An agent literally cannot request a capability the server does not expose. No execute_query, no raw note dumps, no real identifiers.
  • Policy before execution. Limits are capped (≤ 10, ≤ 20); patient lookups must match PT-\d{4}; violations are rejected with a clear message and nothing is touched.
  • Auditability. Every call appends one JSON line to audit.logts / tool / params / row_count. In a regulated setting, that trail is a feature, not an afterthought.
  • Decoupling. Semantic search is delegated to the RAG engine over HTTP. Swap either side freely; the contract is the protocol, not a vendor.

Project Structure

clinical-mcp-server/
├── src/clinical_mcp/
│   ├── __main__.py        # CLI: python -m clinical_mcp --transport {stdio,http}
│   ├── server.py          # FastMCP server + the 3 governed tools
│   ├── policy.py          # validation guardrails (the governance core)
│   ├── audit.py           # append-only audit trail
│   ├── data_access.py     # read-only local data view
│   ├── rag_client.py      # HTTP client for the Clinical RAG Engine
│   ├── config.py          # 12-factor settings
│   └── models.py          # Pydantic models
├── scripts/
│   └── generate_synthetic_data.py
├── tests/                 # deterministic units for policy / audit / data
├── examples/
│   └── claude_desktop_config.json
├── DECISIONS.md           # why it is built this way
└── requirements.txt

See DECISIONS.md for the engineering rationale behind every major choice.


Roadmap

  • [ ] OAuth-scoped HTTP transport for multi-tenant deployments.
  • [ ] Per-tool rate limiting + token-budget enforcement.
  • [ ] Tamper-evident (signed) audit log.

<div align="center">

Built by Diana Popovici — AI systems that actually work in production.

</div>

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured