# SCRIMED Clinical Authority Readiness Brief

Status: clinical-authority-readiness-hard-gates-contained
Authorization status: not-authorized-live-clinical-care
PHI status: not-authorized-production-phi-processing
Legal status: external-counsel-and-contracting-required
Regional status: region-specific-approval-required
Reimbursement status: no-reimbursement-guarantee
Security certification status: not-security-certified
Production clinical status: production-clinical-authorization-blocked

## Boundary
SCRIMED Clinical Authority Readiness prepares the company for live clinical care authority, PHI processing, legal approval, regional regulatory approval, reimbursement review, security certification, and production clinical authorization. It does not grant any of those authorities. SCRIMED remains synthetic-only and review-gated until signed customer scope, qualified counsel review, privacy/security approval, licensed clinical governance, reimbursement policy review, security certification evidence, regional approval, connector validation, incident response, rollback, monitoring, and explicit go-live approval are complete.

This brief is not legal advice, privacy advice, reimbursement advice, security certification, clinical validation, regional regulatory approval, or live clinical authorization.

## Authority Domains
- Live clinical care authority (blocked-before-approval): SCRIMED may demonstrate synthetic workflow intelligence and readiness planning, but it may not deliver care, triage emergencies, diagnose, treat, prescribe, order, or communicate patient instructions. Preparation: Clinical-care gates, Trust Cards, blocked capability lists, human-review controls, and protected clinical activation dossiers are available for review. Retained gate: No patient-impacting workflow until licensed clinical sign-off and customer go-live approval are recorded.
- PHI and ePHI processing authority (customer-specific-required): Public routes, demos, smoke checks, and readiness packets remain synthetic-only or metadata-only. No live patient identifiers, payer member records, or production clinical records are authorized. Preparation: Protected workspaces, AAL2 gates, audit logs, evidence-room metadata controls, provider security review, and procurement evidence registry are in place. Retained gate: No PHI, ePHI, patient record, payer member data, or production credential enters SCRIMED until legal and privacy/security authorization is signed.
- Legal approval and contracting authority (customer-specific-required): SCRIMED materials can describe readiness, pilots, and retained gates. They are not legal advice, executed contracting authority, certification, or production authorization. Preparation: Approved/prohibited claim controls, release decisions, named reviewer sign-offs, distribution lockbox, release authority attestations, and external approval evidence links are active. Retained gate: No public customer claim, live care claim, certified compliance claim, or production deployment claim without qualified release approval.
- Regional regulatory approval (external-approval-required): Global Reach maps priority regions and localization requirements, but it does not create regional legal, procurement, privacy, data-residency, or clinical authorization. Preparation: Region packs, deployment profiles, sovereign-readiness posture, localization questions, and retained approval gates are organized. Retained gate: No production regional launch, government program claim, or local clinical deployment claim until the region-specific authority path is approved.
- Reimbursement, coverage, coding, and payer policy approval (customer-specific-required): SCRIMED can support draft operational intelligence for prior authorization, denial risk, and revenue-cycle review, but it cannot guarantee reimbursement or submit claims without authorized human review. Preparation: Finance methodology gates, KPI definitions, no-guarantee language, protected metric rollups, and public-market operating discipline are available. Retained gate: No coverage determination, final coding, claim submission, denial appeal submission, or reimbursement claim without qualified review.
- Security certification and procurement approval (external-approval-required): SCRIMED has security-ready architecture evidence and protected review workflows, but it does not claim SOC 2, ISO, HITRUST, FedRAMP, penetration-test approval, or customer vendor-risk approval unless those artifacts are actually issued. Preparation: Provider security review, procurement evidence registry, access-log reconciliation, Trust Safety Ops, incident workspaces, and audit packets are active. Retained gate: No security certification, procurement approval, or production security acceptance claim without issued evidence and customer acceptance.
- Production clinical authorization (blocked-before-approval): Production clinical execution is denied. No live workflow may write records, message patients, submit payer transactions, or affect clinical operations without final authorization. Preparation: Customer activation approvals, production SSO readiness, buyer diligence room, command intelligence packets, and clinical activation approval workflow are linked. Retained gate: No production tenant go-live until customer, clinical, legal, privacy, security, support, and SCRIMED release authority sign off.
- Certified health IT and connector approval (external-approval-required): SCRIMED can demonstrate synthetic FHIR, HL7, DICOM, X12, and EHR-readiness concepts, but it does not claim ONC certification, EHR marketplace approval, payer connection approval, or live connector certification. Preparation: Interoperability standards registry, synthetic conformance kits, integration contracts, and deployment profile evidence are active. Retained gate: No production connector read, write, order, referral, claim, imaging retrieval, or record mutation until customer and platform approval are complete.

## Boundary Resolutions
- Live clinical care authority: Keep live care blocked and require intended-use review, licensed governance, safety case, validation protocol, and signed go-live approval. Gate: Licensed clinical sign-off and customer release decision.
- PHI processing: Keep PHI disabled; use synthetic data, metadata-only evidence links, BAA/DPA path, data-flow approval, and safeguard mapping. Gate: Signed BAA/DPA or non-PHI determination plus security acceptance.
- Legal approval: Route claims, PR, case studies, public releases, and customer-specific statements through protected release authority workflows. Gate: Qualified legal and release-authority approval.
- Regional regulatory approval: Use Global Reach for localization and regional readiness while requiring counsel, residency, procurement, and partner validation. Gate: Region-specific counsel and customer/procurement acceptance.
- Reimbursement certainty: Keep reimbursement outputs draft-only and human-reviewed with no-guarantee language and policy-specific review. Gate: Revenue-cycle, legal, payer-policy, and customer approval.
- Security certification: Present readiness controls, evidence references, and gap mapping; do not claim SOC 2, ISO, HITRUST, FedRAMP, or pentest approval without issued evidence. Gate: Issued artifact, scoped assessment, and customer vendor-risk acceptance.
- Production clinical authorization: Require final release decision, production SSO/RBAC, connector acceptance, monitoring, rollback, incident response, and post-launch review. Gate: All-domain go-live packet signed by SCRIMED and customer owners.

## Evidence Packs
- Protected clinical authority evidence room: /pilot-workspace/access#clinical-authority-evidence-room / /api/pilot-workspaces/{workspaceSlug}/clinical-authority-evidence-room/packet. Protected metadata-only authority readiness; not clinical, legal, PHI, reimbursement, security, regional, connector, or production approval.
- Protected clinical authority owner matrix: /pilot-workspace/access#clinical-authority-owner-matrix / /api/pilot-workspaces/{workspaceSlug}/clinical-authority-owner-matrix/packet. Protected owner labels and routing metadata only; not signed approval, authority, legal advice, certification, reimbursement certainty, or live clinical authorization.
- Protected clinical authority artifact intake checklist: /pilot-workspace/access#clinical-authority-artifact-intake / /api/pilot-workspaces/{workspaceSlug}/clinical-authority-artifact-intake/packet. Protected metadata references only; not artifact upload, signed approval, PHI processing, legal advice, certification, reimbursement certainty, production authorization, or live clinical authorization.
- Protected authority artifact references: /pilot-workspace/access#authority-artifact-references / /api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/packet. External references only; not artifact storage, URL storage, signed approval, PHI processing, legal advice, certification, reimbursement certainty, production authorization, public distribution, or live clinical authorization.
- Protected authority renewal queue and QA harness: /pilot-workspace/access#authority-artifact-references / /api/pilot-workspaces/{workspaceSlug}/authority-artifact-references/renewal-queue. Operational readiness and QA verification only; not clinical, legal, security, reimbursement, regional, connector, production, distribution, or live-care authority.
- Clinical activation dossier: /pilot-workspace/access / /api/pilot-workspaces/{workspaceSlug}/clinical-activation-dossier/packet. AAL2-protected and no-PHI; not live clinical authorization.
- External approval evidence: /pilot-workspace/access / /api/pilot-workspaces/{workspaceSlug}/external-approval-evidence/packet. Stores evidence references and reviewer status, not sensitive source artifacts.
- Provider security review: /pilot-workspace/access / /api/pilot-workspaces/{workspaceSlug}/provider-security-reviews/packet. Readiness evidence only; not security certification.
- Procurement evidence registry: /pilot-workspace/access / /api/pilot-workspaces/{workspaceSlug}/procurement-evidence/packet. No sensitive artifact storage and no certification claim.
- Clinical authority readiness brief: /clinical-authority-readiness / /api/clinical-authority-readiness/brief. Public readiness summary; not legal advice or production authorization.

## Operating Modes
- Governed synthetic evaluation: permitted now = yes. Use this as the default sellable pilot and enterprise evaluation motion.
- De-identified or customer-approved shadow evaluation: permitted now = no. Prepare the packet now, but do not ingest data until the determination and scope are signed.
- Clinician-supervised prospective pilot: permitted now = no. Keep all outputs draft-only and human-reviewed; no autonomous clinical action.
- Production clinical execution: permitted now = no. Do not activate until every retained gate has an accountable signed approval record.

## Source References
- HHS HIPAA Security Rule Summary: PHI/ePHI readiness must include administrative, physical, and technical safeguards, risk analysis, access review, and incident detection before production processing. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- HHS Business Associate Contracts: A BAA path or non-PHI determination is a retained gate before SCRIMED can receive, maintain, transmit, or create PHI for a covered entity or business associate workflow. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- FDA Clinical Decision Support Software Guidance: Intended use, clinical claims, user role, output transparency, and medical-device boundaries must be reviewed before patient-specific clinical decision support claims. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
- ONC Health IT Certification Program: Connector, certified-health-IT, and interoperability claims require conformance evidence and appropriate certification, marketplace, or customer acceptance where applicable. https://healthit.gov/certification-health-it/
- NIST Cybersecurity Framework 2.0: Security certification preparation should map governance, identification, protection, detection, response, and recovery evidence before procurement or production claims. https://www.nist.gov/cyberframework
- CMS Medicare Coverage Determination Process: Reimbursement and coverage claims must remain workflow-specific and policy-reviewed; SCRIMED should not guarantee coverage, payment, coding, or claim outcomes. https://www.cms.gov/medicare/coverage/determination-process
- SCRIMED protected workspace, TrustOS, and clinical activation controls: Current product evidence supports synthetic pilot diligence, human review, auditability, protected packets, and retained gates, not live clinical authorization.

## Next Operator Actions
- Keep all current buyer demos, public APIs, and pilot workflows synthetic-only or metadata-only.
- Use this readiness layer as the front door for hard-gate discussions with buyers, counsel, security, clinical governance, and reimbursement reviewers.
- Select one narrow intended use and care setting before any regulatory or clinical approval discussion.
- Prepare BAA/DPA, data-flow, risk-analysis, and safeguard mapping before any PHI request is accepted.
- Collect external approval evidence as protected metadata links, not sensitive documents, until the storage authority path is signed.
- Require signed release authority before any public claim, security certification claim, regional launch claim, reimbursement claim, or production clinical go-live.