Physician selection assistant — methodology

Complete methodology for the assistant at medselect.ai/find-physician (EN) / /secim (TR): what data is processed, the KVKK/GDPR posture, which ad rules apply, and the retention windows.

Who is this page for?

Patients (TR citizens or international medical-tourism visitors) looking to find a suitable physician from the MedSelect network. Multilingual — TR, EN, DE, AR, RU + 6 more. Reply language matches query language.

What it is NOT

  • NOT a diagnostic / triage tool — does not interpret symptoms.
  • NOT an appointment / matching marketplace — direct contact with the physician.
  • NOT a "best physician" ranking (Tabip Odası ad rules).
  • NOT an emergency service — emergency indicators redirect to 112 / local ER.

Flow (technical detail)

  1. Form submit: vertical + freeText + optional city + age. KVKK consent required.
  2. Pre-guardrails:
    • PII redaction: TR ID (11 digits), phone (TR + intl regex), email, street/address patterns auto-replaced with [redacted-*].
    • Emergency keyword check (across 11 languages): "emergency", "bleeding", "notfall", "acil", "скорая", etc. → not sent to LLM, 112 redirect.
    • Mental health crisis indicators: "suicide", "self-harm", etc. → not sent to LLM, crisis-support redirect.
  3. Corpus build: all active physicians from active tenants + voice card (philosophy + opinion topics) + published draft list (title + excerpt).
  4. Claude Sonnet 4.6 call: strict JSON output prompt. System prompt enforces Tabip Odası ad rules (no superlative/price/testimonial/guarantee).
  5. Output parsing: JSON shape validation. Slugs filtered against corpus (any physician slug returned by the LLM that is not in the corpus is dropped).
  6. Post-guardrails: rationale bullets scanned for superlative / price / testimonial / guarantee patterns. If found, that bullet is soft-rewritten to a generic statement.
  7. Persist: hash + vertical + recommendations + cost + guardrail outcome written to DB. query_text stored ONLY if visitor opted in; auto-purged after 30 days.
  8. Render: 2-3 name cards + why-this-fits rationale + relevant article links + clinic canonical + MedSelect profile + disclaimer.

KVKK / GDPR posture

  • Explicit consent: required at form submit (KVKK Art. 5 / GDPR Art. 6+9).
  • Special category: free-text may contain health data → mitigated by PII redaction + opt-in storage + KVKK notice.
  • Third-party transfer: redacted query sent to Anthropic Claude API (US). KVKK Art. 9 / GDPR SCCs apply. PII-redacted + clearly disclosed.
  • Retention: query_text is NOT stored by default. Opt-in keeps it for 30 days; an auto-purge cron job removes it afterwards.
  • IP: stored as SHA-256 hash + server-secret salt. Not reversible. Used for rate-limit + abuse only.
  • Cookies: this page sets no cookies; visitor trace is hash + timestamp only.
  • Data export: if you know the email, request via /api/account/data-export (KVKK Art. 11 / GDPR Art. 15).
  • Right to erasure: /api/account/erase (KVKK Art. 7 / GDPR Art. 17); audit log entries exempt (legal obligation).

Tabip Odası ad-rule enforcement

System prompt instructs Claude (output rejected if violated):

  • NEVER "best" / "top-rated" / "unique" / "#1" / "unbeaten"
  • NEVER specific treatment recommendations / diagnoses
  • NEVER price information (numbers + currency)
  • NEVER patient testimonial "satisfied / happy / grateful" framing
  • NEVER outcome guarantees "100% success / definitely / guaranteed"
  • NEVER comparative advertising (physician A > physician B)

Post-prompt validator scans output for these patterns. Violations are soft-rewritten to a generic statement: "This physician's published list and voice card cover this topic."
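Added example (not MedSelect's own code): a sketch of flow steps 5 and 6 together with the validator described above, treating the model's reply as untrusted input. The JSON field names (recommendations, slug, rationale), the regex set, and every outcome label other than passed and post_superlative are assumptions; the sample data is constructed.

```python
import json
import re

# Replacement sentence quoted on the page.
GENERIC = "This physician's published list and voice card cover this topic."
CUR = r"(?:[€$₺]|(?<![A-Za-z])(?:EUR|USD|TRY|TL)(?![A-Za-z]))"
# Constructed patterns (assumption): one per ad-rule category the page names.
AD_RULE_PATTERNS = {
    "superlative": re.compile(r"\b(?:best|top-rated|unique|unbeaten)\b|#1", re.I),
    "price": re.compile(CUR + r"\s*\d|\d[\d.,]*\s*" + CUR, re.I),
    "testimonial": re.compile(r"\b(?:satisfied|happy|grateful)\b", re.I),
    "guarantee": re.compile(r"\bguaranteed?\b|\bdefinitely\b|100\s*%", re.I),
}

def validate_llm_output(raw, corpus_slugs):
    """Parse the model reply, keep only corpus slugs, soft-rewrite bad bullets."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return {"recommendations": [], "outcome": "parse_error"}  # assumed label
    recs = data.get("recommendations") if isinstance(data, dict) else None
    if not isinstance(recs, list):
        return {"recommendations": [], "outcome": "shape_error"}  # assumed label
    outcome, kept = "passed", []
    for rec in recs:
        if not isinstance(rec, dict):
            continue
        slug, bullets = rec.get("slug"), rec.get("rationale")
        # Step 5: allow-list check; a slug outside the corpus is dropped.
        if not isinstance(slug, str) or slug not in corpus_slugs:
            continue
        if not isinstance(bullets, list) or not all(isinstance(b, str) for b in bullets):
            continue
        clean = []
        for bullet in bullets:
            hit = next((n for n, p in AD_RULE_PATTERNS.items() if p.search(bullet)), None)
            if hit:
                # Step 6: replace only the offending bullet; record the first hit.
                bullet = GENERIC
                outcome = f"post_{hit}" if outcome == "passed" else outcome
            clean.append(bullet)
        kept.append({"slug": slug, "rationale": clean})
    return {"recommendations": kept, "outcome": outcome}

if __name__ == "__main__":
    # Constructed sample reply: one superlative bullet and one unknown slug.
    sample = json.dumps({"recommendations": [
        {"slug": "dr-a", "rationale": ["Publishes on knee rehab.", "The best surgeon."]},
        {"slug": "dr-ghost", "rationale": ["Writes about sleep."]}]})
    print(validate_llm_output(sample, {"dr-a", "dr-b"}))
```

The slug check is an exact-match allow-list against the corpus built for that query, so a fabricated physician never reaches the render step regardless of what the rationale text says.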

Limits and known risks

  • Corpus size: MVP network is small (≤10 tenants). For some specialties no good match exists → explicitly reported via decline_reason.
  • Hallucination: parser filters unknown slugs; edge cases possible. First-100-query manual review by founder.
  • Language matching: knowsLanguage field is placeholder; real field arrives in Phase 2.
  • Bias: small network → same names may recur. Phase 3 adds round-robin within similar-fit set.
  • LLM cost runaway: daily €5 cap + queue when exceeded.

Audit + transparency

Every query writes an audit log entry (action: "selection_query.served"): vertical, guardrail outcome (passed / pre_emergency / post_superlative / etc.), tokens, cost — all visible.

/transparency publishes the AI Citation Share leaderboard. The selection assistant does NOT consume that data — it only uses physician profile + published article metadata.

    MedSelect — Selection assistant methodology · Asclepia