# SCRIMED Approvals Readiness Brief

Status: approvals-readiness-operating-ladder-active
Authorization status: public-operations-only-no-regulated-approval
Clinical care authority: not-authorized-live-care
PHI authority: not-authorized-production-phi
Security certification: not-security-certified
Regulatory authority: external-review-required
Reimbursement authority: no-reimbursement-guarantee

## Boundary
SCRIMED Approvals Readiness organizes public operating posture, HIPAA/BAA preparation, SOC 2 and HITRUST readiness, FDA/CDS/SaMD classification, ONC and connector certification planning, state care-delivery review, and buyer-specific release evidence. It does not grant legal approval, HIPAA compliance certification, SOC 2/HITRUST certification, FDA clearance, ONC certification, reimbursement certainty, PHI processing authority, production connector approval, public customer permission, or live clinical care authority.

This brief is not legal advice, regulatory approval, HIPAA certification, SOC 2 certification, HITRUST certification, FDA clearance, ONC certification, reimbursement advice, PHI processing approval, or live clinical authorization.

## Approval Tracks
- Public claims and intended-use boundary (public-operations-ready): Keep SCRIMED publicly sellable as healthcare operations intelligence, governed synthetic pilots, evidence organization, and buyer diligence. Boundary: Public copy cannot claim diagnosis, treatment, clinical triage, PHI processing, compliance certification, reimbursement certainty, production connector approval, or live clinical care. Workaround: Use operations-first language and route regulated claims through Claim Guard, Boundary Resolution, and qualified release authority. Next: Create the first founder-approved Intended Use Memo and use it as the source of truth for website, deck, demo, and buyer-room language.
- HIPAA, BAA, and Security Rule readiness (evidence-build-required): Prepare SCRIMED to handle healthcare buyer diligence and future PHI/ePHI scopes without enabling PHI by default. Boundary: SCRIMED does not currently claim HIPAA compliance certification or production PHI processing authority. Workaround: Keep public/product flows synthetic-only or metadata-only while building risk analysis, safeguards, BAA/DPA, breach, access, and vendor evidence. Next: Stand up a HIPAA readiness evidence room with policy owners, risk register, access review cadence, incident runbook, and BAA/DPA templates.
- SOC 2, HITRUST, and security assurance (evidence-build-required): Create a buyer-trust path from readiness controls to independent assurance evidence. Boundary: SCRIMED has security and procurement readiness surfaces, but it is not SOC 2 certified, HITRUST certified, ISO certified, FedRAMP authorized, or penetration-test approved unless issued evidence exists. Workaround: Use a readiness packet, control inventory, audit logs, vendor-risk responses, and no-sensitive-artifact references before formal attestation. Next: Run SOC 2 readiness first, collect 60 to 90 days of control evidence, then choose SOC 2 Type I/Type II timing and HITRUST i1/r2 only when buyer demand justifies it.
- FDA CDS/SaMD classification (external-review-required): Keep clinical-regulatory exposure controlled while deciding whether any SCRIMED function should intentionally pursue regulated clinical authority. Boundary: SCRIMED must not make patient-specific diagnosis, treatment, triage, or autonomous clinical action claims before intended-use and FDA classification review. Workaround: Frame current product as operations intelligence and synthetic evaluation; keep clinical outputs draft-only, transparent, and human-reviewed. Next: Hire a digital-health regulatory advisor to classify SCRIMED modules before clinical claims, patient-specific pilots, or medical-device language are used.
- ONC, interoperability, and connector approval (external-review-required): Prepare connector, EHR, FHIR, HL7, DICOM, X12, and health IT claims without implying certification or live exchange authority. Boundary: Synthetic conformance kits do not equal ONC certification, EHR marketplace approval, payer connection approval, or production data exchange authority. Workaround: Use synthetic fixtures, connector contracts, conformance evidence, and partner/customer acceptance gates before live integration. Next: Pick one connector path and build a certification/marketplace decision memo before claiming certified health IT or production integration.
- State care-delivery and telehealth review (blocked-before-approval): Prevent product, agent, or workflow expansion from accidentally becoming unauthorized care delivery. Boundary: SCRIMED does not provide care, prescribe, contact patients, route emergencies, employ clinical judgment, or operate as a telehealth provider. Workaround: Keep workflows as enterprise operations planning and clinician-reviewed support until care-delivery counsel, licensed governance, and customer approval exist. Next: Keep this track blocked and only reopen it after the Intended Use Memo deliberately includes care-delivery scope.
- Buyer-specific release chain (evidence-build-required): Convert protected proof into shareable buyer evidence only after external approvals, release decisions, reviewers, recipient controls, and audit logs are retained. Boundary: Buyer diligence can use protected no-PHI evidence, but buyer-specific external sharing is blocked until release-control gates are satisfied. Workaround: Use the protected Buyer Release Control Runbook, verifier, remediation plan, metadata drafts, and checklist without bypassing AAL2 or human review. Next: Complete the buyer release-control chain before any customer-specific public proof, case study, distribution, or external room sharing.

## Agent Controls
- Claim Guard Agent: Prevents sales, investor, PR, website, and operator language from crossing into unsupported regulated claims. Output: Allowed/evidence-required/prohibited claim decision with retained gate. Human checkpoint: Founder or qualified reviewer approval before public release.
- Approval Evidence Router: Maps every future approval artifact to the right external system of record and stores only safe metadata references. Output: No-PHI evidence route, owner, status, expiration, and renewal action. Human checkpoint: Legal/security/privacy review before artifact retention or external sharing.
- Regulatory Classification Agent: Keeps intended-use and FDA/CDS/SaMD classification questions visible before clinical language enters product or sales motion. Output: Classification memo draft inputs and trigger list for qualified advisor review. Human checkpoint: Digital-health regulatory advisor sign-off.
- Security Assurance Agent: Organizes SOC 2/HITRUST readiness evidence and routes gaps to owners. Output: Control owner map, missing evidence, and readiness sequence. Human checkpoint: External auditor or customer vendor-risk acceptance.
- Buyer Release Steward: Sequences buyer-specific release gates without bypassing AAL2, qualified review, recipient control, or audit logging. Output: Gate status, blocked items, next action, and packet route. Human checkpoint: Named reviewer and release authority sign-off.

## Processes
- 1. Public operations launch: Operate publicly with operations-first language and synthetic evidence. Exit: Approved Intended Use Memo; Release-control owner assigned Hard stop: Any diagnosis, treatment, triage, HIPAA certified, FDA cleared, SOC 2 certified, or PHI-ready claim without evidence.
- 2. Healthcare trust foundation: Prepare HIPAA, BAA, security, privacy, incident, and vendor-risk evidence. Exit: Risk analysis complete; BAA/DPA templates ready; Incident and breach runbooks approved Hard stop: No production PHI/ePHI or customer credentials before signed authorization.
- 3. Independent assurance: Move from internal controls to SOC 2/HITRUST-ready external evidence. Exit: SOC 2 readiness complete; Audit scope selected; Evidence window retained Hard stop: No certification claim before issued report and scoped customer acceptance.
- 4. Clinical/regulatory classification: Decide whether any module intentionally enters FDA/CDS/SaMD or care-delivery review. Exit: Qualified regulatory classification memo; Submission/no-submission decision; Claim language approved Hard stop: No patient-specific clinical recommendation or medical-device claim before review.
- 5. Buyer-specific controlled release: Release buyer proof only through retained reviewer, recipient, access, and audit gates. Exit: Versioned release decision; Access-log reconciliation; Buyer-safe packet retained Hard stop: No external sharing, public case study, customer permission claim, or production connector claim before release authority.

## Source References
- FDA Clinical Decision Support Software Guidance: Intended use, transparency, user role, and independent clinical review determine whether CDS stays outside device regulation or needs medical-device review. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
- FDA How to Study and Market Your Device: If a SCRIMED function becomes a device, classification and the correct premarket pathway come before marketing regulated claims. https://www.fda.gov/medical-devices/device-advice-comprehensive-regulatory-assistance/how-study-and-market-your-device
- HHS Covered Entities and Business Associates: Healthcare customers may require SCRIMED to operate as a business associate with written contract terms and direct HIPAA obligations. https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
- HHS HIPAA Security Rule Summary: Administrative, physical, and technical safeguards plus risk analysis are the trust foundation before ePHI processing. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- ONC Health IT Certification Program: Certified health IT and interoperability claims require certification criteria, test methods, and applicable acceptance evidence. https://healthit.gov/certification-health-it/about-onc-health-it-certification-program/
- AICPA SOC Suite of Services: SOC reports provide independent assurance over system-level controls; SCRIMED should complete readiness before audit. https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
- SCRIMED protected release and boundary systems: Current controls support public operations, synthetic evaluation, no-PHI evidence, protected release gates, and future approvals preparation, not final approval.

## Next Operator Actions
- Use operations-first language as the default public launch posture.
- Create a founder-approved Intended Use Memo before expanding claims.
- Build HIPAA/BAA and SOC 2 readiness evidence before accepting PHI or certification requests.
- Route FDA/CDS/SaMD questions to qualified regulatory review before clinical claims.
- Keep buyer-specific release evidence gated behind protected AAL2 workflows and named human review.