{"service":"scrimed-boundary-release-approval-matrix","route":"/boundary-release-approvals","apiRoute":"/api/boundary-release-approvals","briefRoute":"/api/boundary-release-approvals/brief","status":"boundary-release-approval-matrix-active-fail-closed","boundary":"SCRIMED Boundary Release Approval Matrix documents the approval path for preserved NO-GO boundaries. It does not grant PHI authority, clinical authority, payer submission authority, EHR writeback authority, production connector approval, certification claims, or customer go-live approval.","dataBoundary":"synthetic-metadata-only-no-live-phi","releaseAuthority":"not-authorized-boundary-release","allApprovalStepsDocumented":true,"releaseCandidateCount":9,"releasedBoundaryCount":0,"blockedBoundaryCount":9,"stepCount":29,"internallyPreparedStepCount":6,"pendingExternalOrCustomerStepCount":19,"signoffCount":40,"pendingSignoffCount":40,"evidenceWorkQueue":[{"id":"live-phi:hipaa-risk-analysis:risk-analysis-report","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"hipaa-risk-analysis","evidenceName":"risk analysis report","owner":"Security officer and qualified HIPAA advisor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI authority until qualified security/privacy review signs the risk analysis.","proofRoutes":["/global-certification-readiness","/risk-register","/trust-center"],"workItemHash":"c4a4dbee69be23b5b093d4f9917a35148882a55b23fb990e23603b3717dbec0b"},{"id":"live-phi:hipaa-risk-analysis:risk-treatment-plan","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"hipaa-risk-analysis","evidenceName":"risk treatment plan","owner":"Security officer and qualified HIPAA advisor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI authority until qualified security/privacy review signs the risk analysis.","proofRoutes":["/global-certification-readiness","/risk-register","/trust-center"],"workItemHash":"0643e0def3f403cbc1927b359e4cc1eb920d0f361e15be2bdbc6a29adf73afcc"},{"id":"live-phi:hipaa-risk-analysis:control-evidence","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"hipaa-risk-analysis","evidenceName":"control evidence","owner":"Security officer and qualified HIPAA advisor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI authority until qualified security/privacy review signs the risk analysis.","proofRoutes":["/global-certification-readiness","/risk-register","/trust-center"],"workItemHash":"988f2b37f9b69dd16cba43ac3c686e4066d9a45f3b94de067d8de577dd5559df"},{"id":"live-phi:hipaa-risk-analysis:executive-acceptance-record","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"hipaa-risk-analysis","evidenceName":"executive acceptance record","owner":"Security officer and qualified HIPAA advisor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI authority until qualified security/privacy review signs the risk analysis.","proofRoutes":["/global-certification-readiness","/risk-register","/trust-center"],"workItemHash":"42c1db0abe994c075c7983b470283f37da2713ca0cb14f893bb58361a8d9926c"},{"id":"live-phi:baa-subprocessor-coverage:executed-baa","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"baa-subprocessor-coverage","evidenceName":"executed BAA","owner":"Legal, privacy, vendor management, and customer sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live PHI until signed agreements exist and are retained outside public code.","proofRoutes":["/enterprise-business-ops","/boundary-resolution","/api/boundary-resolution"],"workItemHash":"ae8b69e8ad04053eda540e7f888287da55e0c40d6d0c914ab6a846298e59a33e"},{"id":"live-phi:baa-subprocessor-coverage:subprocessor-baa-dpa","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"baa-subprocessor-coverage","evidenceName":"subprocessor BAA/DPA","owner":"Legal, privacy, vendor management, and customer sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live PHI until signed agreements exist and are retained outside public code.","proofRoutes":["/enterprise-business-ops","/boundary-resolution","/api/boundary-resolution"],"workItemHash":"c237ddbc6c40ad64adc4980cb5048d34631ffab4cd93f1db9652dfe13ccc670e"},{"id":"live-phi:baa-subprocessor-coverage:vendor-security-review","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"baa-subprocessor-coverage","evidenceName":"vendor security review","owner":"Legal, privacy, vendor management, and customer sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live PHI until signed agreements exist and are retained outside public code.","proofRoutes":["/enterprise-business-ops","/boundary-resolution","/api/boundary-resolution"],"workItemHash":"e6655e4d7784dcbd9d74f3e5c46bf3579ebe94679620a00a183d4e1abef7622c"},{"id":"live-phi:baa-subprocessor-coverage:contract-owner-approval","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"baa-subprocessor-coverage","evidenceName":"contract owner approval","owner":"Legal, privacy, vendor management, and customer sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live PHI until signed agreements exist and are retained outside public code.","proofRoutes":["/enterprise-business-ops","/boundary-resolution","/api/boundary-resolution"],"workItemHash":"a1eb612186d2c85418ac6edf249e5025fff354f852650479f350b60857d1a938"},{"id":"live-phi:phi-tenant-isolation:rls-rbac-evidence","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"phi-tenant-isolation","evidenceName":"RLS/RBAC evidence","owner":"Platform, security, privacy, and tenant admin","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI workflow until protected runtime controls are tested with customer-specific approval.","proofRoutes":["/qa-evidence","/release-continuity","/pilot-workspace/access"],"workItemHash":"b09130aeef07e41701514653ab1cb1811566118831298a5725df86ef28e88ac2"},{"id":"live-phi:phi-tenant-isolation:audit-log-packet","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"phi-tenant-isolation","evidenceName":"audit-log packet","owner":"Platform, security, privacy, and tenant admin","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI workflow until protected runtime controls are tested with customer-specific approval.","proofRoutes":["/qa-evidence","/release-continuity","/pilot-workspace/access"],"workItemHash":"fc024d20e97ee9afbd2bbb7f1b309d542e073f778f6a93becc5c1a06c6302aa0"},{"id":"live-phi:phi-tenant-isolation:incident-response-tabletop","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"phi-tenant-isolation","evidenceName":"incident response tabletop","owner":"Platform, security, privacy, and tenant admin","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI workflow until protected runtime controls are tested with customer-specific approval.","proofRoutes":["/qa-evidence","/release-continuity","/pilot-workspace/access"],"workItemHash":"5846d2cbc8ece4fb2e889a3259ca8c66dd07bd809818dc0ce6e98523f67a0388"},{"id":"live-phi:phi-tenant-isolation:access-review-evidence","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"approval-step-evidence","sourceId":"phi-tenant-isolation","evidenceName":"access review evidence","owner":"Platform, security, privacy, and tenant admin","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No PHI workflow until protected runtime controls are tested with customer-specific approval.","proofRoutes":["/qa-evidence","/release-continuity","/pilot-workspace/access"],"workItemHash":"5f8208178c0d4a425fadd0d0a7dedfbc416890ca59a0e4ea1ebb4afef8115740"},{"id":"clinical-decision-support:cds-regulatory-classification:regulatory-memo","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"cds-regulatory-classification","evidenceName":"regulatory memo","owner":"Regulatory counsel, clinical safety, and executive approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No public clinical authority claim until regulatory classification is complete.","proofRoutes":["/global-certification-readiness","/boundary-resolution","/risk-register"],"workItemHash":"9952613dddb499e22c50656b190b590c4b7b1269490ae3dd13344da15fea2f01"},{"id":"clinical-decision-support:cds-regulatory-classification:samd-cds-assessment","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"cds-regulatory-classification","evidenceName":"SaMD/CDS assessment","owner":"Regulatory counsel, clinical safety, and executive approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No public clinical authority claim until regulatory classification is complete.","proofRoutes":["/global-certification-readiness","/boundary-resolution","/risk-register"],"workItemHash":"17d898ad8de9e2179b73c4746cf7085341c87a17ba77ac8ccbdd3de6e9bbfd4b"},{"id":"clinical-decision-support:cds-regulatory-classification:excluded-regulated-rationale","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"cds-regulatory-classification","evidenceName":"excluded/regulated rationale","owner":"Regulatory counsel, clinical safety, and executive approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No public clinical authority claim until regulatory classification is complete.","proofRoutes":["/global-certification-readiness","/boundary-resolution","/risk-register"],"workItemHash":"522265f06734fa4f79b283257d731a65edd1d47dbea305e9f105ef698488d85f"},{"id":"clinical-decision-support:cds-regulatory-classification:external-counsel-review","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"cds-regulatory-classification","evidenceName":"external counsel review","owner":"Regulatory counsel, clinical safety, and executive approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No public clinical authority claim until regulatory classification is complete.","proofRoutes":["/global-certification-readiness","/boundary-resolution","/risk-register"],"workItemHash":"8fe3403cc516fad6556e5e8945d1bb8a3adbfc864100ca15d1e0b06b4e377f0c"},{"id":"clinical-decision-support:clinical-validation-protocol:validation-protocol","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinical-validation-protocol","evidenceName":"validation protocol","owner":"Clinical QA, specialty reviewer, data science, and safety officer","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No clinical validation claim until protocol results are reviewed and approved.","proofRoutes":["/clinical-robustness-lab","/scrimed-os","/api/scrimed-os/upgrade-batch"],"workItemHash":"a6cd7d7e6c8cef3ec5cf592cde90dcb7b280a35dc97b2453347d4681b7a9da45"},{"id":"clinical-decision-support:clinical-validation-protocol:synthetic-and-retrospective-test-plan","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinical-validation-protocol","evidenceName":"synthetic and retrospective test plan","owner":"Clinical QA, specialty reviewer, data science, and safety officer","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No clinical validation claim until protocol results are reviewed and approved.","proofRoutes":["/clinical-robustness-lab","/scrimed-os","/api/scrimed-os/upgrade-batch"],"workItemHash":"2c9db3db2bcc6210a914a1ab277d9aaf851df548a59bb823c189c56c5c095bf1"},{"id":"clinical-decision-support:clinical-validation-protocol:bias-analysis","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinical-validation-protocol","evidenceName":"bias analysis","owner":"Clinical QA, specialty reviewer, data science, and safety officer","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No clinical validation claim until protocol results are reviewed and approved.","proofRoutes":["/clinical-robustness-lab","/scrimed-os","/api/scrimed-os/upgrade-batch"],"workItemHash":"8434cc99c86d15eae481e6c382adf4e65f919ec751cf6668aab43f7b0822102f"},{"id":"clinical-decision-support:clinical-validation-protocol:clinical-safety-case","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinical-validation-protocol","evidenceName":"clinical safety case","owner":"Clinical QA, specialty reviewer, data science, and safety officer","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No clinical validation claim until protocol results are reviewed and approved.","proofRoutes":["/clinical-robustness-lab","/scrimed-os","/api/scrimed-os/upgrade-batch"],"workItemHash":"bff32e64213e9da1d81e6e03ea8658afe9f9fa621841102b1ecae3dd6123bea6"},{"id":"clinical-decision-support:clinician-final-authority:human-in-the-loop-policy","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinician-final-authority","evidenceName":"human-in-the-loop policy","owner":"Medical director, clinical governance, Trust Engine owner, and product owner","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"High-risk clinical outputs remain blocked unless reviewed.","proofRoutes":["/scrimed-trustops","/trust-center","/clinical-care-activation"],"workItemHash":"2a00362a5243d0a330ccc483eb0321f48a81acf2500d3f8b12bc063e54507b15"},{"id":"clinical-decision-support:clinician-final-authority:review-queue-evidence","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinician-final-authority","evidenceName":"review queue evidence","owner":"Medical director, clinical governance, Trust Engine owner, and product owner","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"High-risk clinical outputs remain blocked unless reviewed.","proofRoutes":["/scrimed-trustops","/trust-center","/clinical-care-activation"],"workItemHash":"585fda25ec9daca0d44f03c7be7612fd6ed73bb3c1603ffc736401c0a77be7b8"},{"id":"clinical-decision-support:clinician-final-authority:escalation-policy","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinician-final-authority","evidenceName":"escalation policy","owner":"Medical director, clinical governance, Trust Engine owner, and product owner","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"High-risk clinical outputs remain blocked unless reviewed.","proofRoutes":["/scrimed-trustops","/trust-center","/clinical-care-activation"],"workItemHash":"253eedabeca9044d8e7b5bf30123e8d40fd7c3ea0ab766d7f94d01a174096525"},{"id":"clinical-decision-support:clinician-final-authority:evidence-card-requirements","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"approval-step-evidence","sourceId":"clinician-final-authority","evidenceName":"evidence card requirements","owner":"Medical director, clinical governance, Trust Engine owner, and product owner","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"High-risk clinical outputs remain blocked unless reviewed.","proofRoutes":["/scrimed-trustops","/trust-center","/clinical-care-activation"],"workItemHash":"ce67e2174fa857d53d482b40c302ca0054ef03d5eceb44b650e2891509abd925"},{"id":"autonomous-clinical-action:regulated-product-pathway:regulatory-strategy","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"regulated-product-pathway","evidenceName":"regulatory strategy","owner":"Regulatory counsel, medical director, quality, and executive sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No autonomous action until applicable regulator and clinical governance path is complete.","proofRoutes":["/global-certification-readiness","/risk-register"],"workItemHash":"c170ad673d44eeb931effbd54ab2bcb7d84aa873fc57be0a09d4214b5c96ea19"},{"id":"autonomous-clinical-action:regulated-product-pathway:quality-management-plan","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"regulated-product-pathway","evidenceName":"quality management plan","owner":"Regulatory counsel, medical director, quality, and executive sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No autonomous action until applicable regulator and clinical governance path is complete.","proofRoutes":["/global-certification-readiness","/risk-register"],"workItemHash":"8783e011d1989fa48ad51da92cb1f9c4df96d603d3e0adf1bca9603c19891757"},{"id":"autonomous-clinical-action:regulated-product-pathway:clinical-evaluation-plan","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"regulated-product-pathway","evidenceName":"clinical evaluation plan","owner":"Regulatory counsel, medical director, quality, and executive sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No autonomous action until applicable regulator and clinical governance path is complete.","proofRoutes":["/global-certification-readiness","/risk-register"],"workItemHash":"e699f229452daf4d2691b81626af4fbaebd18c047398c5a048bc7cd3a27bae9c"},{"id":"autonomous-clinical-action:regulated-product-pathway:post-market-monitoring-plan","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"regulated-product-pathway","evidenceName":"post-market monitoring plan","owner":"Regulatory counsel, medical director, quality, and executive sponsor","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No autonomous action until applicable regulator and clinical governance path is complete.","proofRoutes":["/global-certification-readiness","/risk-register"],"workItemHash":"5f45f0f5c4dad6e049e170a26973b5335d170fea1f75efb6e11e8703b73d9c4e"},{"id":"autonomous-clinical-action:prescribing-ehr-pharmacy-compliance:epcs-e-prescribing-review","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"prescribing-ehr-pharmacy-compliance","evidenceName":"EPCS/e-prescribing review","owner":"Medical director, legal, pharmacy compliance, and customer clinical lead","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No prescribing or medication action without licensed clinician and required legal/compliance evidence.","proofRoutes":["/health-records","/boundary-resolution"],"workItemHash":"45b290b2508dfa1224255b605e9826e21f2c3abeaeb832c47fa3dce8a820e4ff"},{"id":"autonomous-clinical-action:prescribing-ehr-pharmacy-compliance:order-entry-controls","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"prescribing-ehr-pharmacy-compliance","evidenceName":"order-entry controls","owner":"Medical director, legal, pharmacy compliance, and customer clinical lead","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No prescribing or medication action without licensed clinician and required legal/compliance evidence.","proofRoutes":["/health-records","/boundary-resolution"],"workItemHash":"161de8e9ca745dd131c99a667304a1f491aaf657e907f0e1ea3da9394956d0b6"},{"id":"autonomous-clinical-action:prescribing-ehr-pharmacy-compliance:malpractice-coverage","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"prescribing-ehr-pharmacy-compliance","evidenceName":"malpractice coverage","owner":"Medical director, legal, pharmacy compliance, and customer clinical lead","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No prescribing or medication action without licensed clinician and required legal/compliance evidence.","proofRoutes":["/health-records","/boundary-resolution"],"workItemHash":"7ead5cc7396d613d644b149df00dcd48c304d296fd8fe724358f6f610b020418"},{"id":"autonomous-clinical-action:prescribing-ehr-pharmacy-compliance:pharmacy-workflow-approval","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"approval-step-evidence","sourceId":"prescribing-ehr-pharmacy-compliance","evidenceName":"pharmacy workflow approval","owner":"Medical director, legal, pharmacy compliance, and customer clinical lead","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No prescribing or medication action without licensed clinician and required legal/compliance evidence.","proofRoutes":["/health-records","/boundary-resolution"],"workItemHash":"037243ee9c8da3b0999c81107adf87d3b14846c48556dcd7d301db40254b6770"},{"id":"ehr-writeback:ehr-read-only-sandbox:sandbox-app-registration","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-read-only-sandbox","evidenceName":"sandbox app registration","owner":"Interoperability, platform, and customer IT","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No writeback until read-only sandbox behavior is proven.","proofRoutes":["/interoperability","/clinical-data-fabric","/health-records"],"workItemHash":"0a84a2bca859691b4c91f8ad204c362bbe30d563e7f08e6d924b4fc42988c8a6"},{"id":"ehr-writeback:ehr-read-only-sandbox:read-only-scope-list","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-read-only-sandbox","evidenceName":"read-only scope list","owner":"Interoperability, platform, and customer IT","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No writeback until read-only sandbox behavior is proven.","proofRoutes":["/interoperability","/clinical-data-fabric","/health-records"],"workItemHash":"1c7484e9d0ab558066c09e092933408e36b1842911fa73bf3e0d4831921f6ed4"},{"id":"ehr-writeback:ehr-read-only-sandbox:fhir-conformance-results","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-read-only-sandbox","evidenceName":"FHIR conformance results","owner":"Interoperability, platform, and customer IT","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No writeback until read-only sandbox behavior is proven.","proofRoutes":["/interoperability","/clinical-data-fabric","/health-records"],"workItemHash":"b4124097290b86fe65ce776760bf6a74dd0cc90977f1e0ea0a5ff63a0db4c30c"},{"id":"ehr-writeback:ehr-read-only-sandbox:audit-trace","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-read-only-sandbox","evidenceName":"audit trace","owner":"Interoperability, platform, and customer IT","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No writeback until read-only sandbox behavior is proven.","proofRoutes":["/interoperability","/clinical-data-fabric","/health-records"],"workItemHash":"f7bbb5147f4528a5845f9a48b2e02abcf511c84322b9a4355aa417074d860830"},{"id":"ehr-writeback:write-scope-approval:scope-request","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"write-scope-approval","evidenceName":"scope request","owner":"Customer IT, clinical informatics, security, and SCRIMED platform","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No write scope without customer and EHR governance approval.","proofRoutes":["/clinical-care-activation","/release-continuity","/qa-evidence"],"workItemHash":"496d9a14187a7c156f2593271239316253ccb7351f72bcf5475a88e58ecfb051"},{"id":"ehr-writeback:write-scope-approval:change-control-ticket","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"write-scope-approval","evidenceName":"change-control ticket","owner":"Customer IT, clinical informatics, security, and SCRIMED platform","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No write scope without customer and EHR governance approval.","proofRoutes":["/clinical-care-activation","/release-continuity","/qa-evidence"],"workItemHash":"6404d9b53e4743de5bd00c9412d06daf6519b6bc0eb7c2e9b0d39bfa7dee6ca5"},{"id":"ehr-writeback:write-scope-approval:rollback-plan","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"write-scope-approval","evidenceName":"rollback plan","owner":"Customer IT, clinical informatics, security, and SCRIMED platform","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No write scope without customer and EHR governance approval.","proofRoutes":["/clinical-care-activation","/release-continuity","/qa-evidence"],"workItemHash":"b01ca37c03bc6c75a5eb45d0e00178eee43763b3946e657f1be488979c84e714"},{"id":"ehr-writeback:write-scope-approval:human-signoff-policy","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"write-scope-approval","evidenceName":"human signoff policy","owner":"Customer IT, clinical informatics, security, and SCRIMED platform","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No write scope without customer and EHR governance approval.","proofRoutes":["/clinical-care-activation","/release-continuity","/qa-evidence"],"workItemHash":"ef06c16d53295f39e840229b31ddfc6403b6faab09e1560e321ff5f473afcca4"},{"id":"ehr-writeback:ehr-production-connector-review:vendor-approval","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-production-connector-review","evidenceName":"vendor approval","owner":"Customer IT, vendor relations, security, and release engineering","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No production connector activation without external approval evidence.","proofRoutes":["/pilot-workspace/access","/release-continuity","/boundary-resolution"],"workItemHash":"b951a318bd5ed5cec95c1d1b630988ed63e1a8a4cf4642ca3abe087925014102"},{"id":"ehr-writeback:ehr-production-connector-review:security-review","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-production-connector-review","evidenceName":"security review","owner":"Customer IT, vendor relations, security, and release engineering","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No production connector activation without external approval evidence.","proofRoutes":["/pilot-workspace/access","/release-continuity","/boundary-resolution"],"workItemHash":"e72e2eeb3765d43a9f81be6add0dd5b7c323cf564a3d90ebfe4fb42ef941111b"},{"id":"ehr-writeback:ehr-production-connector-review:secret-handling-proof","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-production-connector-review","evidenceName":"secret-handling proof","owner":"Customer IT, vendor relations, security, and release engineering","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No production connector activation without external approval evidence.","proofRoutes":["/pilot-workspace/access","/release-continuity","/boundary-resolution"],"workItemHash":"465f616cd88eab600200ce3cac5abd399b83d11e57b16473243558f3c77b2c5b"},{"id":"ehr-writeback:ehr-production-connector-review:tenant-admin-approval","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"approval-step-evidence","sourceId":"ehr-production-connector-review","evidenceName":"tenant admin approval","owner":"Customer IT, vendor relations, security, and release engineering","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No production connector activation without external approval evidence.","proofRoutes":["/pilot-workspace/access","/release-continuity","/boundary-resolution"],"workItemHash":"30c5cca227afb55dac1a3990fc8e9f5fa58d2ce9d75913764de95d956e1a524f"},{"id":"payer-submission:trading-partner-approval:trading-partner-agreement","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"trading-partner-approval","evidenceName":"trading partner agreement","owner":"Customer RCM, payer relations, clearinghouse/vendor owner, and legal","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No payer submission without payer/clearinghouse authorization.","proofRoutes":["/enterprise-business-ops","/boundary-resolution"],"workItemHash":"2069267b80af8b530d7be021fa798ac26d580c5de67a771387096d1b83338db2"},{"id":"payer-submission:trading-partner-approval:payer-enrollment","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"trading-partner-approval","evidenceName":"payer enrollment","owner":"Customer RCM, payer relations, clearinghouse/vendor owner, and legal","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No payer submission without payer/clearinghouse authorization.","proofRoutes":["/enterprise-business-ops","/boundary-resolution"],"workItemHash":"9de37f6a3807c4b85ff5ded0ca4ab4d1488896554ae9b63c2ecb2cb5e871cfef"},{"id":"payer-submission:trading-partner-approval:clearinghouse-approval","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"trading-partner-approval","evidenceName":"clearinghouse approval","owner":"Customer RCM, payer relations, clearinghouse/vendor owner, and legal","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No payer submission without payer/clearinghouse authorization.","proofRoutes":["/enterprise-business-ops","/boundary-resolution"],"workItemHash":"86973711fd29458388d15a077d8783e8a3c355f62623245df72cb5ace5c8e8cb"},{"id":"payer-submission:trading-partner-approval:test-transaction-evidence","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"trading-partner-approval","evidenceName":"test transaction evidence","owner":"Customer RCM, payer relations, clearinghouse/vendor owner, and legal","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No payer submission without payer/clearinghouse authorization.","proofRoutes":["/enterprise-business-ops","/boundary-resolution"],"workItemHash":"6b1786590ce927fb754b25c754e78ec1b7b32102b7866f5cc06e9f865584eef4"},{"id":"payer-submission:x12-fhir-validation:x12-fhir-conformance","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"x12-fhir-validation","evidenceName":"X12/FHIR conformance","owner":"Interoperability, RCM operations, and human submitter","priority":"high","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No automated submission until conformance and human review evidence exist.","proofRoutes":["/clinical-data-fabric","/workflows/execution-attempts","/qa-evidence"],"workItemHash":"88f044fc716f282f8bb989022557bac3a4c48ef52336f8fd94272682cb32322b"},{"id":"payer-submission:x12-fhir-validation:attachment-validation","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"x12-fhir-validation","evidenceName":"attachment validation","owner":"Interoperability, RCM operations, and human submitter","priority":"high","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No automated submission until conformance and human review evidence exist.","proofRoutes":["/clinical-data-fabric","/workflows/execution-attempts","/qa-evidence"],"workItemHash":"9d02e80c336984045f06cf35821504c7e05115a9a2d647c4c6ed752618bce29d"},{"id":"payer-submission:x12-fhir-validation:audit-envelope","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"x12-fhir-validation","evidenceName":"audit envelope","owner":"Interoperability, RCM operations, and human submitter","priority":"high","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No automated submission until conformance and human review evidence exist.","proofRoutes":["/clinical-data-fabric","/workflows/execution-attempts","/qa-evidence"],"workItemHash":"7f1768cf90b099a83c9444d2b28a47fd94af8a2e5d68e775f311b3c218a2cd87"},{"id":"payer-submission:x12-fhir-validation:human-reviewer-signoff","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"approval-step-evidence","sourceId":"x12-fhir-validation","evidenceName":"human reviewer signoff","owner":"Interoperability, RCM operations, and human submitter","priority":"high","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No automated submission until conformance and human review evidence exist.","proofRoutes":["/clinical-data-fabric","/workflows/execution-attempts","/qa-evidence"],"workItemHash":"c9aecdadd01c5670c18b783793c771ea38e6db74ce65a282accdf2b0b9810a6e"},{"id":"clinical-research-outcomes-learning:research-purpose-protocol:research-operations-determination","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"research-purpose-protocol","evidenceName":"research/operations determination","owner":"Research lead, clinical operations, privacy, and principal investigator if required","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live outcomes learning until protocol classification is complete.","proofRoutes":["/scrimed-os","/clinical-robustness-lab","/risk-register"],"workItemHash":"d5d3640ba7099673c0877e1b3dd70a8b670de83cd0174f4c4e48bd00e049e9ff"},{"id":"clinical-research-outcomes-learning:research-purpose-protocol:protocol","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"research-purpose-protocol","evidenceName":"protocol","owner":"Research lead, clinical operations, privacy, and principal investigator if required","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live outcomes learning until protocol classification is complete.","proofRoutes":["/scrimed-os","/clinical-robustness-lab","/risk-register"],"workItemHash":"d2989b1fb71e1871a68b4de910f4ea294430f332ded976ef303b1b5f10cc1981"},{"id":"clinical-research-outcomes-learning:research-purpose-protocol:dataset-description","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"research-purpose-protocol","evidenceName":"dataset description","owner":"Research lead, clinical operations, privacy, and principal investigator if required","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live outcomes learning until protocol classification is complete.","proofRoutes":["/scrimed-os","/clinical-robustness-lab","/risk-register"],"workItemHash":"e807e927718a1f757c27322ac37edb941c8c1a11f92bd58eaf8df57c7900916f"},{"id":"clinical-research-outcomes-learning:research-purpose-protocol:analysis-plan","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"research-purpose-protocol","evidenceName":"analysis plan","owner":"Research lead, clinical operations, privacy, and principal investigator if required","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No live outcomes learning until protocol classification is complete.","proofRoutes":["/scrimed-os","/clinical-robustness-lab","/risk-register"],"workItemHash":"5b507f7cb896134aa673f1d52b7de43d53ade6f5a6a777d79fdb3a03393d2599"},{"id":"clinical-research-outcomes-learning:irb-consent-review:irb-determination","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"irb-consent-review","evidenceName":"IRB determination","owner":"IRB, principal investigator, privacy, and legal","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No human-subject data use until IRB/consent path is resolved.","proofRoutes":["/global-certification-readiness","/boundary-resolution"],"workItemHash":"97c066cc73c771354ec48fa0eb6869e34058a75c52f3a2e754a050006b61e552"},{"id":"clinical-research-outcomes-learning:irb-consent-review:consent-or-waiver-memo","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"irb-consent-review","evidenceName":"consent or waiver memo","owner":"IRB, principal investigator, privacy, and legal","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No human-subject data use until IRB/consent path is resolved.","proofRoutes":["/global-certification-readiness","/boundary-resolution"],"workItemHash":"0a04bab35fbf514729a7e4ef4e917a717b505a2499318fb660e1eecd10732138"},{"id":"clinical-research-outcomes-learning:irb-consent-review:data-use-agreement","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"irb-consent-review","evidenceName":"data-use agreement","owner":"IRB, principal investigator, privacy, and legal","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No human-subject data use until IRB/consent path is resolved.","proofRoutes":["/global-certification-readiness","/boundary-resolution"],"workItemHash":"9b3928e21d659c1c6e9d6190f8a33da17ef83c9af49d3d9a4ab1cfbf4b02b04d"},{"id":"clinical-research-outcomes-learning:irb-consent-review:privacy-review","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"irb-consent-review","evidenceName":"privacy review","owner":"IRB, principal investigator, privacy, and legal","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No human-subject data use until IRB/consent path is resolved.","proofRoutes":["/global-certification-readiness","/boundary-resolution"],"workItemHash":"66eddca61a289676356ea1f16cb0bbe52674352d5bc21be8a26ed60e38e06a5b"},{"id":"clinical-research-outcomes-learning:outcome-learning-governance:model-update-policy","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"outcome-learning-governance","evidenceName":"model update policy","owner":"MLOps, clinical QA, privacy, and research governance","priority":"medium","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No continuous learning from live data until governance and monitoring are approved.","proofRoutes":["/scrimed-trustops","/api/scrimed-build-roadmap/strategic-execution","/observability"],"workItemHash":"43d25ebb64d0660e9b931028ba9397772f3a9ecc2f9d3b37cfb15382ae72d34a"},{"id":"clinical-research-outcomes-learning:outcome-learning-governance:dataset-lineage","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"outcome-learning-governance","evidenceName":"dataset lineage","owner":"MLOps, clinical QA, privacy, and research governance","priority":"medium","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No continuous learning from live data until governance and monitoring are approved.","proofRoutes":["/scrimed-trustops","/api/scrimed-build-roadmap/strategic-execution","/observability"],"workItemHash":"89772b3505c0d8a2759073c1d633aab3b765e65f5e41ab8e25b501d4e6c00a3d"},{"id":"clinical-research-outcomes-learning:outcome-learning-governance:drift-monitoring","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"outcome-learning-governance","evidenceName":"drift monitoring","owner":"MLOps, clinical QA, privacy, and research governance","priority":"medium","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No continuous learning from live data until governance and monitoring are approved.","proofRoutes":["/scrimed-trustops","/api/scrimed-build-roadmap/strategic-execution","/observability"],"workItemHash":"712f23f03089094926ef4c5c9034aa490f4311a9f6c11fcffddde1162c9acfb8"},{"id":"clinical-research-outcomes-learning:outcome-learning-governance:human-review-queue","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"approval-step-evidence","sourceId":"outcome-learning-governance","evidenceName":"human review queue","owner":"MLOps, clinical QA, privacy, and research governance","priority":"medium","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No continuous learning from live data until governance and monitoring are approved.","proofRoutes":["/scrimed-trustops","/api/scrimed-build-roadmap/strategic-execution","/observability"],"workItemHash":"fff0b34ad6bbc5931e1d63f8dad38cfa563fcc8c95fbbf3b915b5b7208c18be8"},{"id":"security-certification-claims:soc2-readiness-audit:control-matrix","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"soc2-readiness-audit","evidenceName":"control matrix","owner":"Security, compliance, finance, legal, and independent CPA auditor","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No SOC 2 claim until the independent report exists.","proofRoutes":["/enterprise-readiness","/risk-register","/release-continuity"],"workItemHash":"9ef29f731cd318fc7216945566074ae5c6ca5395944722e958d7f83958ee4dcd"},{"id":"security-certification-claims:soc2-readiness-audit:evidence-vault","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"soc2-readiness-audit","evidenceName":"evidence vault","owner":"Security, compliance, finance, legal, and independent CPA auditor","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No SOC 2 claim until the independent report exists.","proofRoutes":["/enterprise-readiness","/risk-register","/release-continuity"],"workItemHash":"3a8f2a9201e81d99751b35c3e628fa72f08e75dac7a3d08fa613fc6d44f1fc3c"},{"id":"security-certification-claims:soc2-readiness-audit:auditor-engagement","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"soc2-readiness-audit","evidenceName":"auditor engagement","owner":"Security, compliance, finance, legal, and independent CPA auditor","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No SOC 2 claim until the independent report exists.","proofRoutes":["/enterprise-readiness","/risk-register","/release-continuity"],"workItemHash":"261bcfc8903dce1a5bee18608bc9c60d9506a8ca1c14d0a811888a460e45577c"},{"id":"security-certification-claims:soc2-readiness-audit:management-assertion","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"soc2-readiness-audit","evidenceName":"management assertion","owner":"Security, compliance, finance, legal, and independent CPA auditor","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No SOC 2 claim until the independent report exists.","proofRoutes":["/enterprise-readiness","/risk-register","/release-continuity"],"workItemHash":"fa78e5d087debddb8fc8225b9a465e39fc7357bebc46fce0fd372447a8437a72"},{"id":"security-certification-claims:regulatory-certification-review:scope-memo","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"regulatory-certification-review","evidenceName":"scope memo","owner":"Regulatory counsel, compliance, assessor, and executive approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No certification or clearance language until independent authority is retained.","proofRoutes":["/global-certification-readiness","/approvals-readiness","/boundary-resolution"],"workItemHash":"9cfcd5c89a900866602bd645ce79bcc86a5534ac5884690a30bc6132324110ad"},{"id":"security-certification-claims:regulatory-certification-review:assessor-regulator-evidence","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"regulatory-certification-review","evidenceName":"assessor/regulator evidence","owner":"Regulatory counsel, compliance, assessor, and executive approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No certification or clearance language until independent authority is retained.","proofRoutes":["/global-certification-readiness","/approvals-readiness","/boundary-resolution"],"workItemHash":"bb444cf749f67863b4f0321673907cee584d0361d4e6775f59eb6ec00201f60f"},{"id":"security-certification-claims:regulatory-certification-review:scope-limitations","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"regulatory-certification-review","evidenceName":"scope limitations","owner":"Regulatory counsel, compliance, assessor, and executive approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No certification or clearance language until independent authority is retained.","proofRoutes":["/global-certification-readiness","/approvals-readiness","/boundary-resolution"],"workItemHash":"2ec7bbe703ff8c48ec75a140e5851309178b38ff2ea1844efef48245debbd636"},{"id":"security-certification-claims:regulatory-certification-review:approved-public-language","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"approval-step-evidence","sourceId":"regulatory-certification-review","evidenceName":"approved public language","owner":"Regulatory counsel, compliance, assessor, and executive approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No certification or clearance language until independent authority is retained.","proofRoutes":["/global-certification-readiness","/approvals-readiness","/boundary-resolution"],"workItemHash":"322d2c5cb4700dc253ad283b7cf408e30491006fdbabdd4a2ba5ca369e5e863c"},{"id":"global-operation:regional-data-map:regional-data-map","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"regional-data-map","evidenceName":"regional data map","owner":"Privacy, legal, regional counsel, and customer sponsor","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional launch claim until the data map and lawful basis are reviewed.","proofRoutes":["/global-reach","/global-certification-readiness","/deployment-profiles"],"workItemHash":"4e75e74d429cc9fdfdd5c2384006827c1f9755cf62db1b80e95e6fb6dc7924f3"},{"id":"global-operation:regional-data-map:lawful-basis-memo","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"regional-data-map","evidenceName":"lawful basis memo","owner":"Privacy, legal, regional counsel, and customer sponsor","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional launch claim until the data map and lawful basis are reviewed.","proofRoutes":["/global-reach","/global-certification-readiness","/deployment-profiles"],"workItemHash":"d9f79bd064ed1500d0daf4e39b317eb9693bb32f456e035eec3d79a11af37879"},{"id":"global-operation:regional-data-map:processor-list","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"regional-data-map","evidenceName":"processor list","owner":"Privacy, legal, regional counsel, and customer sponsor","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional launch claim until the data map and lawful basis are reviewed.","proofRoutes":["/global-reach","/global-certification-readiness","/deployment-profiles"],"workItemHash":"7ae14109a8a0efbec4b9f23493a051e6a7f7b3acbc1fb8f96b60ba9ee1fbaa8f"},{"id":"global-operation:regional-data-map:transfer-mechanism","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"regional-data-map","evidenceName":"transfer mechanism","owner":"Privacy, legal, regional counsel, and customer sponsor","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional launch claim until the data map and lawful basis are reviewed.","proofRoutes":["/global-reach","/global-certification-readiness","/deployment-profiles"],"workItemHash":"fe0e675388e15106cda601c9a61146033751d5b99b899d9c2aeb4c1342c55b8f"},{"id":"global-operation:dpia-dpa-residency:dpia","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"dpia-dpa-residency","evidenceName":"DPIA","owner":"Privacy, legal, security, hosting owner, and customer data protection officer","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional processing until privacy and residency evidence exists.","proofRoutes":["/enterprise-scalability","/production-architecture","/risk-register"],"workItemHash":"cfc623dfb1cf6ea405c93e33bc19cab66e5b7132a3b4a6c474059d7837c620a8"},{"id":"global-operation:dpia-dpa-residency:dpa-sccs","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"dpia-dpa-residency","evidenceName":"DPA/SCCs","owner":"Privacy, legal, security, hosting owner, and customer data protection officer","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional processing until privacy and residency evidence exists.","proofRoutes":["/enterprise-scalability","/production-architecture","/risk-register"],"workItemHash":"d0279fd5534404d526dc9c10939361cbd4d6f0040150481ba077b8e9b10546b7"},{"id":"global-operation:dpia-dpa-residency:residency-decision","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"dpia-dpa-residency","evidenceName":"residency decision","owner":"Privacy, legal, security, hosting owner, and customer data protection officer","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional processing until privacy and residency evidence exists.","proofRoutes":["/enterprise-scalability","/production-architecture","/risk-register"],"workItemHash":"79ce44679d860fa009f075b4725453e136db54b1b5692f23b415127f9264a285"},{"id":"global-operation:dpia-dpa-residency:hosting-control-evidence","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"dpia-dpa-residency","evidenceName":"hosting control evidence","owner":"Privacy, legal, security, hosting owner, and customer data protection officer","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No regional processing until privacy and residency evidence exists.","proofRoutes":["/enterprise-scalability","/production-architecture","/risk-register"],"workItemHash":"4d30af631e6d670b5740bab22df8294c4a6087cde4c59db63d4a2b1beef49245"},{"id":"global-operation:eu-ai-act-classification:ai-act-classification","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"eu-ai-act-classification","evidenceName":"AI Act classification","owner":"Regulatory counsel, AI governance, clinical safety, and regional owner","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No EU AI Act or regional AI compliance claim until classification is approved.","proofRoutes":["/scrimed-os","/scrimed-trustops","/global-certification-readiness"],"workItemHash":"435286e275d463d8a56c3cd5a62d04f457d61e4380729491b17265f446bc96f8"},{"id":"global-operation:eu-ai-act-classification:high-risk-obligation-map-if-applicable","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"eu-ai-act-classification","evidenceName":"high-risk obligation map if applicable","owner":"Regulatory counsel, AI governance, clinical safety, and regional owner","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No EU AI Act or regional AI compliance claim until classification is approved.","proofRoutes":["/scrimed-os","/scrimed-trustops","/global-certification-readiness"],"workItemHash":"f12a6f668923e64c0b86351154db59238103f68f405ed65b2de7134ff87ceafb"},{"id":"global-operation:eu-ai-act-classification:human-oversight-plan","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"eu-ai-act-classification","evidenceName":"human oversight plan","owner":"Regulatory counsel, AI governance, clinical safety, and regional owner","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No EU AI Act or regional AI compliance claim until classification is approved.","proofRoutes":["/scrimed-os","/scrimed-trustops","/global-certification-readiness"],"workItemHash":"f90f217936b1cd25df9a10e6f46b641b6695c9969386854985386f91fdc92a41"},{"id":"global-operation:eu-ai-act-classification:post-market-monitoring-plan","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"approval-step-evidence","sourceId":"eu-ai-act-classification","evidenceName":"post-market monitoring plan","owner":"Regulatory counsel, AI governance, clinical safety, and regional owner","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No EU AI Act or regional AI compliance claim until classification is approved.","proofRoutes":["/scrimed-os","/scrimed-trustops","/global-certification-readiness"],"workItemHash":"ab5e35d24d3b4e5bc8d3d918962326525d17769a1b2e05295658a1ecaef01207"},{"id":"customer-go-live:release-readiness-evidence:release-packet","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"release-readiness-evidence","evidenceName":"release packet","owner":"Release engineering, security, support, and customer IT","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"],"workItemHash":"c9cd72f5d990fbc0d87cda75d958ed44dc370ee9dda2b2862ac4c4833380b801"},{"id":"customer-go-live:release-readiness-evidence:smoke-evidence","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"release-readiness-evidence","evidenceName":"smoke evidence","owner":"Release engineering, security, support, and customer IT","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"],"workItemHash":"99d62290f32ca5cb9f1e4febc3206db9f4e12a50d041ff5419dbf3429c20a7ba"},{"id":"customer-go-live:release-readiness-evidence:security-review","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"release-readiness-evidence","evidenceName":"security review","owner":"Release engineering, security, support, and customer IT","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"],"workItemHash":"e09e05af88384f5e4dddca6283736c7da27e479b058cfb90a11a0b9ad0894622"},{"id":"customer-go-live:release-readiness-evidence:rollback-plan","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"release-readiness-evidence","evidenceName":"rollback plan","owner":"Release engineering, security, support, and customer IT","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"],"workItemHash":"ddec575afdfc7fbfd6e73836d61d869e93574e637fce388ef11c7046a5c9e09e"},{"id":"customer-go-live:release-readiness-evidence:support-runbook","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"release-readiness-evidence","evidenceName":"support runbook","owner":"Release engineering, security, support, and customer IT","priority":"critical","status":"blocked-sensitive-storage","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"],"workItemHash":"c76abff0edc00daec4877f5bba51cf62964107c807e310feef04ebbe28d4a641"},{"id":"customer-go-live:formal-go-live-approval:release-decision","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"formal-go-live-approval","evidenceName":"release decision","owner":"Customer sponsor, SCRIMED executive, release owner, and support lead","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No go-live before named approvals are retained.","proofRoutes":["/pilot-workspace/access","/boundary-resolution","/investor-readiness"],"workItemHash":"7d314f4369cb7c3a2e26772baba7681b2590f36382efdf36bbb41a90ab233f57"},{"id":"customer-go-live:formal-go-live-approval:named-approvals","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"formal-go-live-approval","evidenceName":"named approvals","owner":"Customer sponsor, SCRIMED executive, release owner, and support lead","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No go-live before named approvals are retained.","proofRoutes":["/pilot-workspace/access","/boundary-resolution","/investor-readiness"],"workItemHash":"ecaaa32e0b4830147b3f66a639b3dfa1d5fb776991d5ff37a3b18822dcc1233c"},{"id":"customer-go-live:formal-go-live-approval:customer-acceptance","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"formal-go-live-approval","evidenceName":"customer acceptance","owner":"Customer sponsor, SCRIMED executive, release owner, and support lead","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No go-live before named approvals are retained.","proofRoutes":["/pilot-workspace/access","/boundary-resolution","/investor-readiness"],"workItemHash":"0cd957c01c4801144b75e34a9462272035779e69bd23595476c2850ed2577e12"},{"id":"customer-go-live:formal-go-live-approval:communication-plan","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"approval-step-evidence","sourceId":"formal-go-live-approval","evidenceName":"communication plan","owner":"Customer sponsor, SCRIMED executive, release owner, and support lead","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only metadata references, reviewer names/roles, artifact fingerprints, and external evidence-room links. Do not store PHI, credentials, raw contracts, raw clinical records, bearer tokens, or raw connector payloads.","redactionRule":"Redact patient identifiers, secrets, credentials, claim numbers, payer member IDs, production connector payloads, and raw legal or clinical documents before SCRIMED metadata entry.","missingBecause":"No go-live before named approvals are retained.","proofRoutes":["/pilot-workspace/access","/boundary-resolution","/investor-readiness"],"workItemHash":"f0d5f0f77ec7aa81f3fc5501bccf63eec0bb6107bcc1be8f79277eece26960df"},{"id":"live-phi:signoff:privacy","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"signoff-evidence","sourceId":"privacy","evidenceName":"Privacy officer approval and live-data processing basis.","owner":"privacy approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required privacy signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"98cfe55134dc42ce9fa8eaecb6f2cdd8fa610f77376c083a642fdb4f0e825437"},{"id":"live-phi:signoff:security","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"signoff-evidence","sourceId":"security","evidenceName":"Security risk acceptance and remediation closure.","owner":"security approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"7c30eb52205a05c5b3f299cab98a1027e498545a8ae1fe044e7a7cadf1259a80"},{"id":"live-phi:signoff:legal","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"signoff-evidence","sourceId":"legal","evidenceName":"BAA/DPA and subprocessor agreement approval.","owner":"legal approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"dfb8e3a72882f97b0fa335b3d9730c63d88a4190a9258f6d7384ef543da919b3"},{"id":"live-phi:signoff:customer","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer tenant authorization for live PHI scope.","owner":"customer approver","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"27e7d0295330a9b7934196970a62de51323f12389bfe970c3d826b2ed8502173"},{"id":"live-phi:signoff:engineering","boundaryId":"live-phi","boundaryName":"Live PHI / ePHI processing","kind":"signoff-evidence","sourceId":"engineering","evidenceName":"Protected runtime, RLS, audit, and incident evidence.","owner":"engineering approver","priority":"critical","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required engineering signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"bc19cdb4e4147271c4387c67bcde97847fca4ebe99555d4f804396c00d2a3838"},{"id":"clinical-decision-support:signoff:clinical","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"signoff-evidence","sourceId":"clinical","evidenceName":"Medical director and specialty reviewer signoff.","owner":"clinical approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required clinical signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"adccc13e3dee950c90d4713d2f0c25938fb2d3245e2a907db67c70be4b1e6de5"},{"id":"clinical-decision-support:signoff:regulatory","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"signoff-evidence","sourceId":"regulatory","evidenceName":"FDA/CDS/SaMD classification approval.","owner":"regulatory approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required regulatory signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"c757a5d658f118b5fcd80e0c0087f10a834d0282c3c90cd81cd28bba809b26dd"},{"id":"clinical-decision-support:signoff:legal","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"signoff-evidence","sourceId":"legal","evidenceName":"External-use claim language approval.","owner":"legal approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"45c08f27d5e72c7992c9635b19fe335bfa95485731103c11e960f307258de745"},{"id":"clinical-decision-support:signoff:security","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"signoff-evidence","sourceId":"security","evidenceName":"No-PHI/PHI runtime boundary validation.","owner":"security approver","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"e6af0cd00f44ffced12cdd177ee12dc48a5dc97238b51a0c5bbc71191edc4aa9"},{"id":"clinical-decision-support:signoff:customer","boundaryId":"clinical-decision-support","boundaryName":"Clinical decision support","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer clinical governance approval for exact workflow.","owner":"customer approver","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"ea8146fef66bc65aad488499e47d0a4b1fc56195588688a88ebe6291d1836587"},{"id":"autonomous-clinical-action:signoff:clinical","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"signoff-evidence","sourceId":"clinical","evidenceName":"Medical director and specialty governance approval.","owner":"clinical approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required clinical signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"492eaa8fa3f7dcf3bf237cfb7859d2fb89bb8320c86011222b5f15d8d942e5ef"},{"id":"autonomous-clinical-action:signoff:regulatory","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"signoff-evidence","sourceId":"regulatory","evidenceName":"Applicable regulated product pathway approval.","owner":"regulatory approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required regulatory signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"82cbd8276f6d4d4b22bfae123bf21c5cf701cf292ca6a859b4edb8ed833241fe"},{"id":"autonomous-clinical-action:signoff:legal","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"signoff-evidence","sourceId":"legal","evidenceName":"Malpractice, prescribing, and product-liability review.","owner":"legal approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"237e1b946332dc53023eb1d4f154dbc357c9c21da673d013c77ac6677807ea4d"},{"id":"autonomous-clinical-action:signoff:customer","boundaryId":"autonomous-clinical-action","boundaryName":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer clinical governance and workflow approval.","owner":"customer approver","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"b7d509199764235f3d09943040ef80c92aee454a7362423ade45ac77a7973023"},{"id":"ehr-writeback:signoff:customer","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer IT, clinical informatics, and tenant admin approval.","owner":"customer approver","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"9b6f1a2977d2067097b0d8e234f00bc813a8f80f21710b5ab80fd7625c4c38e1"},{"id":"ehr-writeback:signoff:security","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"signoff-evidence","sourceId":"security","evidenceName":"Vendor/customer security review approval.","owner":"security approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"9058cdecc6f85ad50ba39b6047427ced03280d9d4bfc1d5c4f776d61fef1f978"},{"id":"ehr-writeback:signoff:clinical","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"signoff-evidence","sourceId":"clinical","evidenceName":"Clinical workflow owner approval.","owner":"clinical approver","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required clinical signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"0d8d21be6671501e9da37e83f9d154e0354f05d5ac4050a32833e5dbb802e215"},{"id":"ehr-writeback:signoff:engineering","boundaryId":"ehr-writeback","boundaryName":"EHR writeback and production connector activation","kind":"signoff-evidence","sourceId":"engineering","evidenceName":"Sandbox, rollback, and audit evidence.","owner":"engineering approver","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required engineering signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"856dac01f35895eb07867ff2c174e9c716fed7dcdfe5a21299928e0a6e4201d6"},{"id":"payer-submission:signoff:payer","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"signoff-evidence","sourceId":"payer","evidenceName":"Payer or clearinghouse trading-partner approval.","owner":"payer approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required payer signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"2665e396b6ca6633236f9401052e06d531b3db73a964aacd47c070cadf19b929"},{"id":"payer-submission:signoff:customer","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer RCM and provider submitter approval.","owner":"customer approver","priority":"high","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"144f5e3c1209d0c346c2b9a443a506a29463ce5de20ecd6839cd819d1c36055d"},{"id":"payer-submission:signoff:legal","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"signoff-evidence","sourceId":"legal","evidenceName":"Submission authority and contract review.","owner":"legal approver","priority":"high","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"e0cb8e0e446773a9f54096ee18a9bee35151050ee3fcf354e452d5097fa4063e"},{"id":"payer-submission:signoff:engineering","boundaryId":"payer-submission","boundaryName":"Payer submission, prior authorization, claims, and appeals","kind":"signoff-evidence","sourceId":"engineering","evidenceName":"X12/FHIR validation, audit, and fail-closed evidence.","owner":"engineering approver","priority":"high","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required engineering signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"c0089d92457833b79a0b080d41e02fc760f44877010772fb7d613420b8ec7e99"},{"id":"clinical-research-outcomes-learning:signoff:research","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"signoff-evidence","sourceId":"research","evidenceName":"IRB or research governance determination.","owner":"research approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required research signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"2107256540ae3e997bf2122c4eabd06eabf2f31e21373eeadb0b2022f96ae593"},{"id":"clinical-research-outcomes-learning:signoff:privacy","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"signoff-evidence","sourceId":"privacy","evidenceName":"Consent, waiver, DUA, and privacy review.","owner":"privacy approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required privacy signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"1a75a6539564df6cae28e18439325003d21d8646f46533878b70fe075b3ab48a"},{"id":"clinical-research-outcomes-learning:signoff:clinical","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"signoff-evidence","sourceId":"clinical","evidenceName":"Clinical governance approval for outcome endpoints.","owner":"clinical approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required clinical signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"f1cce92144aada5f50dfb22272dea831f1b37ad1235dd5ba6ed67302e4678953"},{"id":"clinical-research-outcomes-learning:signoff:engineering","boundaryId":"clinical-research-outcomes-learning","boundaryName":"Clinical research, outcomes learning, and human-subject data","kind":"signoff-evidence","sourceId":"engineering","evidenceName":"Dataset lineage, drift monitoring, and rollback evidence.","owner":"engineering approver","priority":"medium","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required engineering signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"858c2825401b3a405fe57284e5325c0991924dc4304e429064c141fee6e828c3"},{"id":"security-certification-claims:signoff:legal","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"signoff-evidence","sourceId":"legal","evidenceName":"Approved external-use claim language.","owner":"legal approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"b7fd25207e59e34ae3bb0288435a930c6eea940703fa646752a82f357b53c941"},{"id":"security-certification-claims:signoff:security","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"signoff-evidence","sourceId":"security","evidenceName":"Security auditor/assessor evidence.","owner":"security approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"da106d0895c29e9fbd6d7cf2ae1270350ca9bbb4ce79cbb8f8798527ffcefa40"},{"id":"security-certification-claims:signoff:regulatory","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"signoff-evidence","sourceId":"regulatory","evidenceName":"Regulator or certification body evidence where applicable.","owner":"regulatory approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required regulatory signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"ec7db31dc8103b3413793cff117aef062b1024bb0272e52a8449dba4a2b19fae"},{"id":"security-certification-claims:signoff:finance","boundaryId":"security-certification-claims","boundaryName":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","kind":"signoff-evidence","sourceId":"finance","evidenceName":"Auditor engagement and report handling where SOC/audit applies.","owner":"finance approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required finance signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"6d70c0ac1a906883158378ffa1c64fd5c8d97aa894b1f3799be15ab4112a61bf"},{"id":"global-operation:signoff:privacy","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"signoff-evidence","sourceId":"privacy","evidenceName":"DPIA, DPA/SCCs, data-residency, and lawful-basis review.","owner":"privacy approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required privacy signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"2bb322afe6eadcf3c299baaff97949453aa332330b7c2cc60573885b565df6d2"},{"id":"global-operation:signoff:legal","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"signoff-evidence","sourceId":"legal","evidenceName":"Regional counsel approval.","owner":"legal approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"1e596bb1e6b75d8251f74bb1e0b2c58385976421e68a53ae748cbc97d0ccefa4"},{"id":"global-operation:signoff:regulatory","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"signoff-evidence","sourceId":"regulatory","evidenceName":"AI Act/regional AI classification approval.","owner":"regulatory approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required regulatory signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"92eee58b3c44fd9f59464fdd239fd5dc4d5cdd51852353b8d1572196ffdd0219"},{"id":"global-operation:signoff:customer","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Customer regional deployment authorization.","owner":"customer approver","priority":"medium","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"aa238f9f9076efedcdb98a3986b9011c21a5f7efecf3dcbc1c7ce085b312961d"},{"id":"global-operation:signoff:security","boundaryId":"global-operation","boundaryName":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","kind":"signoff-evidence","sourceId":"security","evidenceName":"Hosting and transfer-control evidence.","owner":"security approver","priority":"medium","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"53bac97ff30fce960f6b2c5042b3390b650241cab0b1001c3aa747c5418b6d0f"},{"id":"customer-go-live:signoff:customer","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"signoff-evidence","sourceId":"customer","evidenceName":"Named customer go-live approval.","owner":"customer approver","priority":"critical","status":"customer-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required customer signoff is pending_customer.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"4c2b3053711066f6d86b9c57c043503272e2b9ad8fb82d4aab67743970598c77"},{"id":"customer-go-live:signoff:security","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"signoff-evidence","sourceId":"security","evidenceName":"Customer/security release review.","owner":"security approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required security signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"59817b898cc4821c629d4ac0acc0227797c07cd0685af6e28a99917d9297ffaa"},{"id":"customer-go-live:signoff:engineering","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"signoff-evidence","sourceId":"engineering","evidenceName":"Smoke, rollback, observability, and support evidence.","owner":"engineering approver","priority":"critical","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required engineering signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"05afeb559d15193e78643a0c022f468a775ff1a3642f336536d98686c9e70681"},{"id":"customer-go-live:signoff:operations","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"signoff-evidence","sourceId":"operations","evidenceName":"Support, incident, and communication runbook.","owner":"operations approver","priority":"critical","status":"internal-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required operations signoff is pending_internal.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"df77a845914c5c0ef3967855be8825e193af6c373ffec2795b819eaab26cca14"},{"id":"customer-go-live:signoff:legal","boundaryId":"customer-go-live","boundaryName":"Customer go-live and production release","kind":"signoff-evidence","sourceId":"legal","evidenceName":"Contract and service-scope approval.","owner":"legal approver","priority":"critical","status":"external-evidence-required","requiredBeforeRelease":true,"acceptsRawEvidence":false,"evidenceStorageBoundary":"Store only signoff metadata, approval role, external artifact reference, date, and hash. Sensitive approvals remain in the external evidence room.","redactionRule":"Never paste signatures, PHI, contracts, credential material, production tokens, legal memos, or customer-confidential artifacts into public SCRIMED surfaces.","missingBecause":"Required legal signoff is pending_external.","proofRoutes":["/boundary-release-approvals","/api/boundary-release-approvals"],"workItemHash":"8df6e1bc55f27faebca09183a8658ae2781ad0f4a098898aed3f1bc24f401a96"}],"evidenceWorkQueueSummary":{"status":"metadata-only-evidence-work-queue-active","workItemCount":133,"criticalWorkItemCount":43,"externalEvidenceRequiredCount":77,"customerEvidenceRequiredCount":16,"internalEvidenceRequiredCount":23,"blockedSensitiveStorageCount":17,"acceptsRawEvidence":false,"allWorkItemsRequiredBeforeRelease":true,"allWorkItemsMetadataOnly":true},"noGoClaims":["live PHI approved","autonomous clinical care approved","diagnosis approved","treatment or prescribing approved","imaging interpretation approved","EHR writeback approved","payer submission approved","production connector approved","certification claim approved","customer go-live approved"],"approvalPaths":[{"id":"live-phi","name":"Live PHI / ePHI processing","preservedBoundary":"No live PHI, patient identifiers, source medical records, production credentials, or raw connector payloads.","currentSafeMode":"synthetic, metadata-only, no-PHI, human-reviewed readiness material with fail-closed production behavior","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"HIPAA security risk analysis, BAA coverage, tenant isolation, privacy/security review, customer authorization, and incident-response evidence are complete.","approvalSteps":[{"id":"phi-data-inventory","order":1,"name":"PHI data inventory and classification","purpose":"Identify every data type, storage location, processor, subprocesser, retention rule, and access path before live data is accepted.","requiredEvidence":["data-flow diagram","PHI/PII classification table","retention map","subprocessor inventory"],"owner":"Privacy, security, platform, and customer data owner","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"No live data until all PHI stores and flows are documented.","proofRoutes":["/health-records","/clinical-production-readiness","/api/health-records"]},{"id":"hipaa-risk-analysis","order":2,"name":"HIPAA security risk analysis","purpose":"Complete a formal risk analysis and remediation register before handling ePHI.","requiredEvidence":["risk analysis report","risk treatment plan","control evidence","executive acceptance record"],"owner":"Security officer and qualified HIPAA advisor","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No PHI authority until qualified security/privacy review signs the risk analysis.","proofRoutes":["/global-certification-readiness","/risk-register","/trust-center"]},{"id":"baa-subprocessor-coverage","order":3,"name":"BAA and subprocessor coverage","purpose":"Ensure every covered entity, business associate, and subprocessor relationship has the right contractual boundary.","requiredEvidence":["executed BAA","subprocessor BAA/DPA","vendor security review","contract owner approval"],"owner":"Legal, privacy, vendor management, and customer sponsor","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No live PHI until signed agreements exist and are retained outside public code.","proofRoutes":["/enterprise-business-ops","/boundary-resolution","/api/boundary-resolution"]},{"id":"phi-tenant-isolation","order":4,"name":"Tenant isolation, audit, and incident response","purpose":"Prove least privilege, tenant separation, audit trails, encryption, alerting, breach response, and access reviews.","requiredEvidence":["RLS/RBAC evidence","audit-log packet","incident response tabletop","access review evidence"],"owner":"Platform, security, privacy, and tenant admin","status":"blocked_pending_evidence","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No PHI workflow until protected runtime controls are tested with customer-specific approval.","proofRoutes":["/qa-evidence","/release-continuity","/pilot-workspace/access"]}],"requiredSignoffs":[{"lane":"privacy","required":true,"status":"pending_external","evidenceRequired":"Privacy officer approval and live-data processing basis."},{"lane":"security","required":true,"status":"pending_external","evidenceRequired":"Security risk acceptance and remediation closure."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"BAA/DPA and subprocessor agreement approval."},{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer tenant authorization for live PHI scope."},{"lane":"engineering","required":true,"status":"pending_internal","evidenceRequired":"Protected runtime, RLS, audit, and incident evidence."}],"evidenceArtifacts":["HIPAA risk analysis","BAA register","tenant isolation proof","audit log packet"],"sourceReferences":["HHS HIPAA Security Rule risk analysis guidance","HHS sample business associate agreement provisions"],"blockedUntil":["all signoffs are approved","all release evidence is satisfied","customer scope is explicit"],"safeWorkaround":"Use synthetic fixtures, de-identified metadata planning, and no-PHI Health Records Safety Exchange reviews.","releaseHash":"5366e6d20895bfa5782fbdde388db50c9f90c80a94dfade17d0be123ffdbf021"},{"id":"clinical-decision-support","name":"Clinical decision support","preservedBoundary":"No final diagnosis, treatment recommendation, triage replacement, clinical validation claim, or autonomous clinical authority.","currentSafeMode":"synthetic clinical readiness scoring, evidence cards, uncertainty display, and human-review-only clinical workflow support","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Intended use, FDA/CDS analysis, clinical safety case, validation protocol, evidence visibility, and clinician governance are approved.","approvalSteps":[{"id":"cds-intended-use","order":1,"name":"Intended-use and user-control definition","purpose":"Define whether SCRIMED informs, drafts, prioritizes, recommends, or drives a clinical action.","requiredEvidence":["intended-use statement","user role map","clinical authority map","claim guard review"],"owner":"Clinical product, medical director, regulatory counsel, and claim guard owner","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"No CDS expansion until intended use and claim boundaries are explicit.","proofRoutes":["/clinical-authority-readiness","/qa-claim-guard","/clinical-robustness-lab"]},{"id":"cds-regulatory-classification","order":2,"name":"FDA/CDS/SaMD classification review","purpose":"Determine whether the workflow remains non-device CDS or requires regulated software review.","requiredEvidence":["regulatory memo","SaMD/CDS assessment","excluded/regulated rationale","external counsel review"],"owner":"Regulatory counsel, clinical safety, and executive approver","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No public clinical authority claim until regulatory classification is complete.","proofRoutes":["/global-certification-readiness","/boundary-resolution","/risk-register"]},{"id":"clinical-validation-protocol","order":3,"name":"Clinical validation and safety protocol","purpose":"Test performance, contraindications, bias, missing-data behavior, evidence grounding, and escalation criteria.","requiredEvidence":["validation protocol","synthetic and retrospective test plan","bias analysis","clinical safety case"],"owner":"Clinical QA, specialty reviewer, data science, and safety officer","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No clinical validation claim until protocol results are reviewed and approved.","proofRoutes":["/clinical-robustness-lab","/scrimed-os","/api/scrimed-os/upgrade-batch"]},{"id":"clinician-final-authority","order":4,"name":"Clinician final authority workflow","purpose":"Keep final judgment with the licensed clinician and make evidence, uncertainty, and limitations inspectable.","requiredEvidence":["human-in-the-loop policy","review queue evidence","escalation policy","evidence card requirements"],"owner":"Medical director, clinical governance, Trust Engine owner, and product owner","status":"tracked","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"High-risk clinical outputs remain blocked unless reviewed.","proofRoutes":["/scrimed-trustops","/trust-center","/clinical-care-activation"]}],"requiredSignoffs":[{"lane":"clinical","required":true,"status":"pending_external","evidenceRequired":"Medical director and specialty reviewer signoff."},{"lane":"regulatory","required":true,"status":"pending_external","evidenceRequired":"FDA/CDS/SaMD classification approval."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"External-use claim language approval."},{"lane":"security","required":true,"status":"pending_internal","evidenceRequired":"No-PHI/PHI runtime boundary validation."},{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer clinical governance approval for exact workflow."}],"evidenceArtifacts":["intended-use memo","regulatory classification","clinical safety case","validation report"],"sourceReferences":["FDA Clinical Decision Support Software guidance"],"blockedUntil":["clinical safety case approved","regulatory classification complete","customer governance signed"],"safeWorkaround":"Offer synthetic Clinical Robustness Lab reviews, evidence summaries, and clinician-reviewed draft support only.","releaseHash":"e10f6630fc430147932988e1195108e19a657bbc508473c0f621fc386a2c0c64"},{"id":"autonomous-clinical-action","name":"Autonomous diagnosis, treatment, prescribing, or imaging interpretation","preservedBoundary":"No autonomous diagnosis, treatment, prescribing, order placement, pharmacy action, or imaging interpretation.","currentSafeMode":"recommendation-free readiness analysis, safety linting, draft-only education, and clinician-governed review queues","releaseDecision":"blocked-fail-closed","status":"blocked-fail-closed","canRelieveBoundary":false,"unlocksOnlyAfter":"A separate regulated clinical product pathway, malpractice coverage, medical governance, prescribing compliance, and production safety case are approved.","approvalSteps":[{"id":"autonomous-authority-ban","order":1,"name":"Autonomous authority ban retained","purpose":"Keep SCRIMED from acting as the clinician of record or final medical authority.","requiredEvidence":["hard-stop policy","route headers","human-review queue","clinical authority audit"],"owner":"Clinical governance and platform safety","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"Autonomous care remains blocked by design.","proofRoutes":["/clinical-authority-readiness","/clinical-care-activation","/api/scrimed-os/upgrade-batch"]},{"id":"regulated-product-pathway","order":2,"name":"Regulated product pathway","purpose":"Create a separate regulatory strategy before any autonomous medical action is considered.","requiredEvidence":["regulatory strategy","quality management plan","clinical evaluation plan","post-market monitoring plan"],"owner":"Regulatory counsel, medical director, quality, and executive sponsor","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No autonomous action until applicable regulator and clinical governance path is complete.","proofRoutes":["/global-certification-readiness","/risk-register"]},{"id":"prescribing-ehr-pharmacy-compliance","order":3,"name":"Prescribing, ordering, EHR, and pharmacy compliance","purpose":"Separate prescribing and medication action workflows from educational or draft-only support.","requiredEvidence":["EPCS/e-prescribing review","order-entry controls","malpractice coverage","pharmacy workflow approval"],"owner":"Medical director, legal, pharmacy compliance, and customer clinical lead","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No prescribing or medication action without licensed clinician and required legal/compliance evidence.","proofRoutes":["/health-records","/boundary-resolution"]}],"requiredSignoffs":[{"lane":"clinical","required":true,"status":"pending_external","evidenceRequired":"Medical director and specialty governance approval."},{"lane":"regulatory","required":true,"status":"pending_external","evidenceRequired":"Applicable regulated product pathway approval."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"Malpractice, prescribing, and product-liability review."},{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer clinical governance and workflow approval."}],"evidenceArtifacts":["regulated product strategy","clinical governance charter","malpractice review","post-market plan"],"sourceReferences":["FDA CDS/SaMD analysis","DEA EPCS review if controlled substances are in scope"],"blockedUntil":["separate regulated pathway approved","licensed clinician workflow established"],"safeWorkaround":"Use draft-only education, documentation support, and clinician-reviewed safety/evidence summaries.","releaseHash":"ee48d433d3367a9b0838e713002aa118162e1b75e3b2c778807cb27361385cb3"},{"id":"ehr-writeback","name":"EHR writeback and production connector activation","preservedBoundary":"No EHR writeback, chart filing, record mutation, order entry, or production connector approval.","currentSafeMode":"readiness architecture, sandbox-only connector planning, synthetic FHIR validation, and human-reviewed writeback design","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Customer authorization, EHR vendor app registration, scoped SMART/FHIR permissions, sandbox validation, rollback plan, and clinical signoff are complete.","approvalSteps":[{"id":"ehr-read-only-sandbox","order":1,"name":"Read-only sandbox validation","purpose":"Start with non-production FHIR/SMART testing before any write scope is requested.","requiredEvidence":["sandbox app registration","read-only scope list","FHIR conformance results","audit trace"],"owner":"Interoperability, platform, and customer IT","status":"tracked","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No writeback until read-only sandbox behavior is proven.","proofRoutes":["/interoperability","/clinical-data-fabric","/health-records"]},{"id":"write-scope-approval","order":2,"name":"Write-scope and change-control approval","purpose":"Approve exact FHIR resources, fields, users, rollback behavior, and human signoff rules.","requiredEvidence":["scope request","change-control ticket","rollback plan","human signoff policy"],"owner":"Customer IT, clinical informatics, security, and SCRIMED platform","status":"customer_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No write scope without customer and EHR governance approval.","proofRoutes":["/clinical-care-activation","/release-continuity","/qa-evidence"]},{"id":"ehr-production-connector-review","order":3,"name":"Production connector review","purpose":"Complete vendor security review, tenant-specific secrets handling, and connector release evidence.","requiredEvidence":["vendor approval","security review","secret-handling proof","tenant admin approval"],"owner":"Customer IT, vendor relations, security, and release engineering","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No production connector activation without external approval evidence.","proofRoutes":["/pilot-workspace/access","/release-continuity","/boundary-resolution"]}],"requiredSignoffs":[{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer IT, clinical informatics, and tenant admin approval."},{"lane":"security","required":true,"status":"pending_external","evidenceRequired":"Vendor/customer security review approval."},{"lane":"clinical","required":true,"status":"pending_customer","evidenceRequired":"Clinical workflow owner approval."},{"lane":"engineering","required":true,"status":"pending_internal","evidenceRequired":"Sandbox, rollback, and audit evidence."}],"evidenceArtifacts":["SMART/FHIR app registration","scope approval","sandbox test evidence","rollback plan"],"sourceReferences":["ONC API/FHIR certification criteria","EHR vendor app approval process"],"blockedUntil":["customer write-scope approval exists","vendor connector approval exists","rollback tested"],"safeWorkaround":"Generate draft packets and human-readable summaries for manual review outside SCRIMED writeback paths.","releaseHash":"bffd1ce5c88e3ed7102a9ab55769f6e5552627f9971a1ede8c2a411771e0d4b0"},{"id":"payer-submission","name":"Payer submission, prior authorization, claims, and appeals","preservedBoundary":"No autonomous payer submission, claim filing, prior authorization submission, appeal filing, or reimbursement guarantee.","currentSafeMode":"synthetic payer workflow planning, draft packets, RCM intelligence, and human-reviewed payer readiness material","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Trading partner agreement, payer/clearinghouse approval, X12/FHIR validation, provider attestation, and human submitter approval are complete.","approvalSteps":[{"id":"payer-workflow-scope","order":1,"name":"Payer workflow scope and provider attestation","purpose":"Separate draft support from actual claim, prior-auth, or appeal submission.","requiredEvidence":["workflow scope","provider attestation policy","submitter role map","claim guard review"],"owner":"RCM owner, legal, customer billing leader, and provider submitter","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"No payer transmission until authorized submitter workflow is approved.","proofRoutes":["/offerings","/platform-power","/qa-claim-guard"]},{"id":"trading-partner-approval","order":2,"name":"Trading partner and payer approval","purpose":"Complete payer or clearinghouse onboarding before any production transaction.","requiredEvidence":["trading partner agreement","payer enrollment","clearinghouse approval","test transaction evidence"],"owner":"Customer RCM, payer relations, clearinghouse/vendor owner, and legal","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No payer submission without payer/clearinghouse authorization.","proofRoutes":["/enterprise-business-ops","/boundary-resolution"]},{"id":"x12-fhir-validation","order":3,"name":"X12/FHIR validation and human review","purpose":"Validate transaction format, attachments, provenance, and reviewer disposition before production transmission.","requiredEvidence":["X12/FHIR conformance","attachment validation","audit envelope","human reviewer signoff"],"owner":"Interoperability, RCM operations, and human submitter","status":"blocked_pending_evidence","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No automated submission until conformance and human review evidence exist.","proofRoutes":["/clinical-data-fabric","/workflows/execution-attempts","/qa-evidence"]}],"requiredSignoffs":[{"lane":"payer","required":true,"status":"pending_external","evidenceRequired":"Payer or clearinghouse trading-partner approval."},{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer RCM and provider submitter approval."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"Submission authority and contract review."},{"lane":"engineering","required":true,"status":"pending_internal","evidenceRequired":"X12/FHIR validation, audit, and fail-closed evidence."}],"evidenceArtifacts":["trading partner agreement","test transaction packet","human submitter policy","audit envelope"],"sourceReferences":["CMS Interoperability and Prior Authorization final rule","X12/FHIR transaction validation"],"blockedUntil":["payer/clearinghouse approval exists","human submitter approved","transaction validation passed"],"safeWorkaround":"Create draft prior-auth and claims packets for human review without transmitting to payers.","releaseHash":"aeb45559072d24b60e97d5ab49462bd7e9041061fcc12c8a615bd58a9b13097a"},{"id":"clinical-research-outcomes-learning","name":"Clinical research, outcomes learning, and human-subject data","preservedBoundary":"No live patient research, outcomes learning from identifiable data, or human-subject research claims without protocol review.","currentSafeMode":"synthetic research workflows, literature synthesis planning, and no-PHI evaluation registries","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"IRB determination or approval, consent/waiver analysis, protocol, privacy review, and data-minimization controls are complete.","approvalSteps":[{"id":"research-purpose-protocol","order":1,"name":"Research purpose and protocol","purpose":"Define whether the activity is quality improvement, operations, research, or human-subject research.","requiredEvidence":["research/operations determination","protocol","dataset description","analysis plan"],"owner":"Research lead, clinical operations, privacy, and principal investigator if required","status":"tracked","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No live outcomes learning until protocol classification is complete.","proofRoutes":["/scrimed-os","/clinical-robustness-lab","/risk-register"]},{"id":"irb-consent-review","order":2,"name":"IRB, consent, and waiver review","purpose":"Obtain independent determination or approval when human-subject research may be involved.","requiredEvidence":["IRB determination","consent or waiver memo","data-use agreement","privacy review"],"owner":"IRB, principal investigator, privacy, and legal","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No human-subject data use until IRB/consent path is resolved.","proofRoutes":["/global-certification-readiness","/boundary-resolution"]},{"id":"outcome-learning-governance","order":3,"name":"Outcome learning governance","purpose":"Govern feedback loops so models do not silently drift or learn from unauthorized patient data.","requiredEvidence":["model update policy","dataset lineage","drift monitoring","human review queue"],"owner":"MLOps, clinical QA, privacy, and research governance","status":"blocked_pending_evidence","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No continuous learning from live data until governance and monitoring are approved.","proofRoutes":["/scrimed-trustops","/api/scrimed-build-roadmap/strategic-execution","/observability"]}],"requiredSignoffs":[{"lane":"research","required":true,"status":"pending_external","evidenceRequired":"IRB or research governance determination."},{"lane":"privacy","required":true,"status":"pending_external","evidenceRequired":"Consent, waiver, DUA, and privacy review."},{"lane":"clinical","required":true,"status":"pending_external","evidenceRequired":"Clinical governance approval for outcome endpoints."},{"lane":"engineering","required":true,"status":"pending_internal","evidenceRequired":"Dataset lineage, drift monitoring, and rollback evidence."}],"evidenceArtifacts":["IRB determination","protocol","DUA","dataset lineage","drift monitoring report"],"sourceReferences":["HHS 45 CFR 46 Common Rule"],"blockedUntil":["IRB/consent path complete","privacy review complete","learning governance approved"],"safeWorkaround":"Use synthetic scenarios, public literature, and reviewer-created SME expectations without live patient data.","releaseHash":"f5b64feb70e6f3c77db138e09c9d95732cd4238fce85037eb9fa6606abf5973a"},{"id":"security-certification-claims","name":"SOC 2, HIPAA, HITRUST, ISO, FDA, ONC, and certification claims","preservedBoundary":"No certification, clearance, validation, compliance-completion, or audited-report claims unless independently verified.","currentSafeMode":"readiness mapping, evidence collection, control preparation, and claim-safe diligence material","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Qualified auditor, assessor, regulator, or certification body evidence exists for the exact claim and scope.","approvalSteps":[{"id":"claim-inventory","order":1,"name":"Claim inventory and prohibited language control","purpose":"Map every external trust, privacy, security, clinical, and regulatory claim to evidence and authority.","requiredEvidence":["claim register","approved language list","prohibited claim list","release owner"],"owner":"Legal, security, marketing, and executive approver","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"No external claim without claim guard evidence.","proofRoutes":["/qa-claim-guard","/trust-center","/public-market-readiness"]},{"id":"soc2-readiness-audit","order":2,"name":"SOC 2 readiness and audit path","purpose":"Prepare controls and evidence before pursuing a Type I or Type II attestation report.","requiredEvidence":["control matrix","evidence vault","auditor engagement","management assertion"],"owner":"Security, compliance, finance, legal, and independent CPA auditor","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No SOC 2 claim until the independent report exists.","proofRoutes":["/enterprise-readiness","/risk-register","/release-continuity"]},{"id":"regulatory-certification-review","order":3,"name":"Regulatory and certification body review","purpose":"Route FDA, ONC, HITRUST, ISO, accessibility, and global claims to the right authority.","requiredEvidence":["scope memo","assessor/regulator evidence","scope limitations","approved public language"],"owner":"Regulatory counsel, compliance, assessor, and executive approver","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No certification or clearance language until independent authority is retained.","proofRoutes":["/global-certification-readiness","/approvals-readiness","/boundary-resolution"]}],"requiredSignoffs":[{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"Approved external-use claim language."},{"lane":"security","required":true,"status":"pending_external","evidenceRequired":"Security auditor/assessor evidence."},{"lane":"regulatory","required":true,"status":"pending_external","evidenceRequired":"Regulator or certification body evidence where applicable."},{"lane":"finance","required":true,"status":"pending_external","evidenceRequired":"Auditor engagement and report handling where SOC/audit applies."}],"evidenceArtifacts":["claim register","control matrix","auditor report","certification scope memo"],"sourceReferences":["AICPA SOC suite","applicable regulator/certification body scope"],"blockedUntil":["independent report or certification evidence exists","claim language approved"],"safeWorkaround":"Say SCRIMED is preparing for audit/readiness review; do not claim certification, clearance, or compliance completion.","releaseHash":"283d92647b1535e778bc2bfbb029e203022e69d012680baf728188561b89edaa"},{"id":"global-operation","name":"Global operation, data residency, GDPR, EHDS, and EU AI Act readiness","preservedBoundary":"No global launch, regional regulatory approval, data-residency approval, public-sector procurement approval, or EU AI Act compliance claim.","currentSafeMode":"regional readiness mapping, synthetic localization, data-residency planning, and qualified-review routing","releaseDecision":"blocked-fail-closed","status":"external-approval-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Regional counsel, privacy review, DPA/SCCs where needed, DPIA, data-residency decision, AI Act classification, and customer approval are complete.","approvalSteps":[{"id":"regional-data-map","order":1,"name":"Regional data map and lawful basis","purpose":"Define region, entity, data categories, processors, cross-border transfer path, and lawful basis.","requiredEvidence":["regional data map","lawful basis memo","processor list","transfer mechanism"],"owner":"Privacy, legal, regional counsel, and customer sponsor","status":"tracked","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No regional launch claim until the data map and lawful basis are reviewed.","proofRoutes":["/global-reach","/global-certification-readiness","/deployment-profiles"]},{"id":"dpia-dpa-residency","order":2,"name":"DPIA, DPA/SCCs, and data residency review","purpose":"Document privacy risk, processor commitments, transfer controls, and hosting/residency decision.","requiredEvidence":["DPIA","DPA/SCCs","residency decision","hosting control evidence"],"owner":"Privacy, legal, security, hosting owner, and customer data protection officer","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No regional processing until privacy and residency evidence exists.","proofRoutes":["/enterprise-scalability","/production-architecture","/risk-register"]},{"id":"eu-ai-act-classification","order":3,"name":"AI Act and regional AI classification","purpose":"Classify the AI use case and document obligations before public regional claims.","requiredEvidence":["AI Act classification","high-risk obligation map if applicable","human oversight plan","post-market monitoring plan"],"owner":"Regulatory counsel, AI governance, clinical safety, and regional owner","status":"external_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No EU AI Act or regional AI compliance claim until classification is approved.","proofRoutes":["/scrimed-os","/scrimed-trustops","/global-certification-readiness"]}],"requiredSignoffs":[{"lane":"privacy","required":true,"status":"pending_external","evidenceRequired":"DPIA, DPA/SCCs, data-residency, and lawful-basis review."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"Regional counsel approval."},{"lane":"regulatory","required":true,"status":"pending_external","evidenceRequired":"AI Act/regional AI classification approval."},{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Customer regional deployment authorization."},{"lane":"security","required":true,"status":"pending_external","evidenceRequired":"Hosting and transfer-control evidence."}],"evidenceArtifacts":["DPIA","DPA/SCCs","AI Act classification","regional deployment profile"],"sourceReferences":["GDPR framework","EU AI Act","regional health-data rules"],"blockedUntil":["regional counsel approves","privacy transfer basis approved","customer regional scope approved"],"safeWorkaround":"Use synthetic regional readiness packs and keep production data inside the approved existing environment.","releaseHash":"795bee1378a5bd9b59d5901dd89d8b82b26fb575fcda25bd453cb9bc1b94eeaa"},{"id":"customer-go-live","name":"Customer go-live and production release","preservedBoundary":"No customer go-live approval, production connector approval, production clinical workflow approval, or managed-service commitment.","currentSafeMode":"buyer diligence, synthetic pilots, protected AAL2 evidence, and human-reviewed release packets","releaseDecision":"blocked-fail-closed","status":"customer-required","canRelieveBoundary":false,"unlocksOnlyAfter":"Customer acceptance, security review, clinical/operational owner signoff, rollback plan, support plan, and release authority are complete.","approvalSteps":[{"id":"pilot-acceptance-criteria","order":1,"name":"Pilot acceptance criteria and scope control","purpose":"Define exact users, data boundary, workflows, excluded actions, success metrics, and rollback conditions.","requiredEvidence":["pilot charter","acceptance criteria","excluded action list","measurement plan"],"owner":"Customer sponsor, SCRIMED delivery, product, and legal","status":"prepared","matrixStepDocumented":true,"releaseEvidenceSatisfied":true,"blockingCondition":"No go-live without signed pilot/customer scope.","proofRoutes":["/pilot-demo-commercial-readiness","/service-delivery","/client-onboarding"]},{"id":"release-readiness-evidence","order":2,"name":"Release readiness evidence","purpose":"Run smoke, security, support, rollback, audit, and protected workspace checks before release decision.","requiredEvidence":["release packet","smoke evidence","security review","rollback plan","support runbook"],"owner":"Release engineering, security, support, and customer IT","status":"blocked_pending_evidence","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No customer go-live until current evidence packet is complete and approved.","proofRoutes":["/release-continuity","/qa-evidence","/launch-readiness"]},{"id":"formal-go-live-approval","order":3,"name":"Formal go-live approval","purpose":"Collect named approval from customer, SCRIMED executive owner, security, support, and clinical/operational owner if applicable.","requiredEvidence":["release decision","named approvals","customer acceptance","communication plan"],"owner":"Customer sponsor, SCRIMED executive, release owner, and support lead","status":"customer_required","matrixStepDocumented":true,"releaseEvidenceSatisfied":false,"blockingCondition":"No go-live before named approvals are retained.","proofRoutes":["/pilot-workspace/access","/boundary-resolution","/investor-readiness"]}],"requiredSignoffs":[{"lane":"customer","required":true,"status":"pending_customer","evidenceRequired":"Named customer go-live approval."},{"lane":"security","required":true,"status":"pending_external","evidenceRequired":"Customer/security release review."},{"lane":"engineering","required":true,"status":"pending_internal","evidenceRequired":"Smoke, rollback, observability, and support evidence."},{"lane":"operations","required":true,"status":"pending_internal","evidenceRequired":"Support, incident, and communication runbook."},{"lane":"legal","required":true,"status":"pending_external","evidenceRequired":"Contract and service-scope approval."}],"evidenceArtifacts":["pilot charter","release packet","rollback plan","customer acceptance","support runbook"],"sourceReferences":["customer contract","release authority packet","security review"],"blockedUntil":["customer acceptance exists","release packet approved","support and rollback are proven"],"safeWorkaround":"Run synthetic demos, no-PHI pilots, and protected diligence rooms until customer go-live authority exists.","releaseHash":"139bc047a9250d60d3dd913aafb5d67734a9aa99655bc45b8803c3d45a6eb953"}],"releaseDecisions":[{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"live-phi","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["hipaa-risk-analysis","baa-subprocessor-coverage","phi-tenant-isolation"],"pendingSignoffs":["privacy","security","legal","customer","engineering"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"clinical-decision-support","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["cds-regulatory-classification","clinical-validation-protocol","clinician-final-authority"],"pendingSignoffs":["clinical","regulatory","legal","security","customer"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"autonomous-clinical-action","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["regulated-product-pathway","prescribing-ehr-pharmacy-compliance"],"pendingSignoffs":["clinical","regulatory","legal","customer"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"ehr-writeback","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["ehr-read-only-sandbox","write-scope-approval","ehr-production-connector-review"],"pendingSignoffs":["customer","security","clinical","engineering"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"payer-submission","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["trading-partner-approval","x12-fhir-validation"],"pendingSignoffs":["payer","customer","legal","engineering"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"clinical-research-outcomes-learning","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["research-purpose-protocol","irb-consent-review","outcome-learning-governance"],"pendingSignoffs":["research","privacy","clinical","engineering"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"security-certification-claims","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["soc2-readiness-audit","regulatory-certification-review"],"pendingSignoffs":["legal","security","regulatory","finance"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"global-operation","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["regional-data-map","dpia-dpa-residency","eu-ai-act-classification"],"pendingSignoffs":["privacy","legal","regulatory","customer","security"],"releaseDecision":"blocked-fail-closed"},{"allowed":false,"status":"blocked-fail-closed","statusCode":403,"boundaryId":"customer-go-live","reason":"Boundary remains blocked until every required approval step, evidence artifact, and signoff is satisfied.","missingSteps":["release-readiness-evidence","formal-go-live-approval"],"pendingSignoffs":["customer","security","engineering","operations","legal"],"releaseDecision":"blocked-fail-closed"}],"selfTest":{"unknownBoundaryFailsClosed":true,"livePhiFailsClosed":true,"clinicalDecisionSupportFailsClosed":true,"customerGoLiveFailsClosed":true,"noAutomaticRelease":true,"everyPathHasHash":true,"everyPathHasRequiredSignoffs":false,"everyPendingStepHasEvidenceWorkItem":true,"everyPendingSignoffHasEvidenceWorkItem":true,"noWorkItemAcceptsRawEvidence":true,"workQueueCannotReleaseBoundaries":true},"operatorRule":"The matrix can complete the approval path documentation, but it cannot relieve a boundary. A separate named human release decision must be created after all evidence and signoffs are approved.","nextAction":"Attach each preserved boundary to its evidence packet, assign the missing signoff owners, and keep the runtime fail-closed until approved release decisions exist.","updated":"2026-07-03"}