{"service":"scrimed-clinical-data-governance","status":"clinical-data-governance-policy-engine-ready-no-phi","policyVersion":"scrimed-clinical-data-governance-v2026-07-03","route":"/healthcare-intelligence-os#clinical-data-governance","apiRoute":"/api/clinical-data-governance","briefRoute":"/api/clinical-data-governance/brief","updated":"2026-07-03","dataBoundary":"metadata-and-policy-only-no-live-phi","clinicalCareAuthority":"not-authorized-live-care","productionConnectorAuthority":"not-production-connector-approved","recordMutationAuthority":"not-authorized","patientOutreachAuthority":"not-authorized","payerSubmissionAuthority":"not-authorized","externalModelPhiAuthority":"not-authorized","supportedDataClasses":["public","metadata","aggregate","deidentified","limited-dataset","pii","phi","restricted-clinical","genomic","substance-use","behavioral-health"],"supportedPurposes":["platform-readiness","audit-preparation","internal-testing","customer-sandbox-review","treatment","payment","healthcare-operations","research","patient-access"],"supportedRoles":["public-visitor","internal-operator","tenant-admin","pilot-lead","reviewer","clinician","rcm-operator","compliance-officer","research-reviewer","service-agent"],"supportedActions":["view-metadata","evaluate-policy","prepare-review-packet","semantic-context-request","deidentify","export","store","mutate-record","submit-transaction","patient-contact","connector-activation","model-inference-external","model-inference-private"],"supportedDestinations":["public-api","internal-control-plane","tenant-workspace","customer-controlled-environment","external-model-provider","system-of-record","payer-network","patient-channel","research-workspace"],"policyRules":[{"id":"public-api-no-sensitive-data","name":"Public APIs only expose public, metadata, aggregate, or deidentified control-plane data","appliesTo":["public-api","pii","phi","restricted-clinical","genomic","substance-use","behavioral-health"],"decision":"blocked","control":"Block sensitive or live-data classes from public API destinations.","blockedOrReviewBoundary":"Public routes must not expose patient-identifying, restricted clinical, genomic, or sensitive category data."},{"id":"live-phi-not-enabled","name":"Live PHI and direct patient-identifying data remain disabled","appliesTo":["pii","phi","restricted-clinical"],"decision":"blocked","control":"Reject live-data risk classes under the current product authority.","blockedOrReviewBoundary":"Future customer environments require formal data authority, tenant controls, legal review, and clinical governance."},{"id":"minimum-necessary-required","name":"Minimum necessary access is mandatory","appliesTo":["all non-public requests"],"decision":"blocked","control":"Reject requests that do not affirm minimum necessary access.","blockedOrReviewBoundary":"Healthcare context requests must be narrowed before evaluation."},{"id":"tenant-scope-required","name":"Tenant scope is mandatory for non-public healthcare context","appliesTo":["metadata","aggregate","deidentified","limited-dataset","pii","phi"],"decision":"blocked","control":"Reject requests without tenant boundary where healthcare context is involved.","blockedOrReviewBoundary":"Cross-tenant context is not allowed."},{"id":"external-model-no-phi","name":"External model providers cannot receive PHI under current authority","appliesTo":["external-model-provider","pii","phi","restricted-clinical","genomic"],"decision":"blocked","control":"Reject external model processing for live-data risk classes.","blockedOrReviewBoundary":"External model routing requires approved data boundary, contract path, residency, monitoring, and rollback."},{"id":"human-review-for-deidentified-or-limited-data","name":"Deidentified and limited-dataset workflows require human review before release","appliesTo":["deidentified","limited-dataset","prepare-review-packet","research"],"decision":"requires-human-review","control":"Queue release or research workflows for qualified review.","blockedOrReviewBoundary":"Review approval does not create live-care, outreach, payer, or record-mutation authority."},{"id":"record-mutation-disabled","name":"Record mutation remains disabled","appliesTo":["mutate-record","system-of-record"],"decision":"blocked","control":"Reject EHR, chart, order, and record mutation actions.","blockedOrReviewBoundary":"System-of-record writes require customer go-live approval and connector validation."},{"id":"payer-submission-disabled","name":"Payer transaction submission remains disabled","appliesTo":["submit-transaction","payer-network"],"decision":"blocked","control":"Reject claim, prior authorization, appeal, and payer transaction submission actions.","blockedOrReviewBoundary":"Payer workflows stay evidence-preparation and human-reviewed only."},{"id":"patient-contact-disabled","name":"Patient contact remains disabled","appliesTo":["patient-contact","patient-channel"],"decision":"blocked","control":"Reject patient messaging, email, text, phone, portal, or outreach actions.","blockedOrReviewBoundary":"Patient communication requires approved customer policy, consent, identity, and human send control."},{"id":"connector-activation-disabled","name":"Production connector activation remains disabled","appliesTo":["connector-activation","productionConnectorApproved=false"],"decision":"blocked","control":"Reject connector activation until external approval and customer authority exist.","blockedOrReviewBoundary":"Connector readiness evidence does not equal activation authority."},{"id":"autonomous-clinical-authority-disabled","name":"Autonomous clinical authority remains disabled","appliesTo":["diagnosis","treatment","prescribing","clinical authority"],"decision":"blocked","control":"Reject attempts to convert governance decisions into autonomous diagnosis, treatment, prescribing, triage, or care authority.","blockedOrReviewBoundary":"Autonomous diagnosis, autonomous treatment, and autonomous prescribing are not authorized."},{"id":"customer-go-live-disabled","name":"Customer go-live approval remains disabled","appliesTo":["go-live","customer launch","production approval"],"decision":"blocked","control":"Reject customer go-live approval claims from policy evaluation output.","blockedOrReviewBoundary":"Customer go-live approval requires qualified external review, customer authority, and release governance."}],"baselineControlEvaluations":[{"id":"public-metadata-readiness","decision":{"status":"allowed","statusCode":200,"policyVersion":"scrimed-clinical-data-governance-v2026-07-03","requestClassification":"metadata-only","allowed":true,"requiresHumanReview":false,"blockers":[],"requiredControls":["tenant scope","minimum necessary","purpose of use","data class classification","consent policy","human review state","data residency","contract readiness","destination policy","no autonomous clinical authority"],"satisfiedControls":["tenant scope","minimum necessary","purpose of use","data class classification","no autonomous clinical authority","consent policy","contract readiness","data residency","human review state","destination policy"],"reviewRequirements":[],"retainedNoGoBoundaries":["live PHI processing is not authorized","production connector activation is not authorized","record mutation is not authorized","payer submission is not authorized","patient outreach is not authorized","external model PHI processing is not authorized","autonomous diagnosis is not authorized","autonomous treatment is not authorized","autonomous prescribing is not authorized","customer go-live approval is not authorized"],"rationale":"Request stays inside SCRIMED's metadata-only, minimum-necessary, tenant-scoped, no-live-PHI governance boundary."}},{"id":"phi-to-external-model","decision":{"status":"blocked","statusCode":403,"policyVersion":"scrimed-clinical-data-governance-v2026-07-03","requestClassification":"live-data-risk","allowed":false,"requiresHumanReview":false,"blockers":["live-data-risk classes are not authorized in the current SCRIMED platform boundary","consent policy is unknown","contract readiness is unknown","external model provider route is not authorized for this request","external model inference is not authorized for this request"],"requiredControls":["tenant scope","minimum necessary","purpose of use","data class classification","consent policy","human review state","data residency","contract readiness","destination policy","no autonomous clinical authority"],"satisfiedControls":["tenant scope","minimum necessary","purpose of use","data class classification","no autonomous clinical authority","destination policy"],"reviewRequirements":["data residency must be confirmed before release or customer-environment use","human review state must be approved or explicitly not required"],"retainedNoGoBoundaries":["live PHI processing is not authorized","production connector activation is not authorized","record mutation is not authorized","payer submission is not authorized","patient outreach is not authorized","external model PHI processing is not authorized","autonomous diagnosis is not authorized","autonomous treatment is not authorized","autonomous prescribing is not authorized","customer go-live approval is not authorized"],"rationale":"Request is blocked by SCRIMED Clinical Data Governance because it crosses current data, connector, destination, consent, or action authority."}},{"id":"deidentified-review-packet","decision":{"status":"requires-human-review","statusCode":202,"policyVersion":"scrimed-clinical-data-governance-v2026-07-03","requestClassification":"deidentified-or-aggregate","allowed":false,"requiresHumanReview":true,"blockers":[],"requiredControls":["tenant scope","minimum necessary","purpose of use","data class classification","consent policy","human review state","data residency","contract readiness","destination policy","no autonomous clinical authority"],"satisfiedControls":["tenant scope","minimum necessary","purpose of use","data class classification","no autonomous clinical authority","consent policy","contract readiness","data residency","destination policy"],"reviewRequirements":["qualified human review is required before release"],"retainedNoGoBoundaries":["live PHI processing is not authorized","production connector activation is not authorized","record mutation is not authorized","payer submission is not authorized","patient outreach is not authorized","external model PHI processing is not authorized","autonomous diagnosis is not authorized","autonomous treatment is not authorized","autonomous prescribing is not authorized","customer go-live approval is not authorized"],"rationale":"Request remains inside metadata or deidentified governance boundaries but requires qualified human review before release or customer-environment use."}},{"id":"ehr-mutation-request","decision":{"status":"blocked","statusCode":403,"policyVersion":"scrimed-clinical-data-governance-v2026-07-03","requestClassification":"metadata-only","allowed":false,"requiresHumanReview":false,"blockers":["record mutation and system-of-record writes are not authorized"],"requiredControls":["tenant scope","minimum necessary","purpose of use","data class classification","consent policy","human review state","data residency","contract readiness","destination policy","no autonomous clinical authority"],"satisfiedControls":["tenant scope","minimum necessary","purpose of use","data class classification","no autonomous clinical authority","consent policy","contract readiness","data residency","destination policy"],"reviewRequirements":["human review state must be approved or explicitly not required"],"retainedNoGoBoundaries":["live PHI processing is not authorized","production connector activation is not authorized","record mutation is not authorized","payer submission is not authorized","patient outreach is not authorized","external model PHI processing is not authorized","autonomous diagnosis is not authorized","autonomous treatment is not authorized","autonomous prescribing is not authorized","customer go-live approval is not authorized"],"rationale":"Request is blocked by SCRIMED Clinical Data Governance because it crosses current data, connector, destination, consent, or action authority."}},{"id":"internal-semantic-context","decision":{"status":"allowed","statusCode":200,"policyVersion":"scrimed-clinical-data-governance-v2026-07-03","requestClassification":"metadata-only","allowed":true,"requiresHumanReview":false,"blockers":[],"requiredControls":["tenant scope","minimum necessary","purpose of use","data class classification","consent policy","human review state","data residency","contract readiness","destination policy","no autonomous clinical authority"],"satisfiedControls":["tenant scope","minimum necessary","purpose of use","data class classification","no autonomous clinical authority","consent policy","contract readiness","data residency","human review state","destination policy"],"reviewRequirements":[],"retainedNoGoBoundaries":["live PHI processing is not authorized","production connector activation is not authorized","record mutation is not authorized","payer submission is not authorized","patient outreach is not authorized","external model PHI processing is not authorized","autonomous diagnosis is not authorized","autonomous treatment is not authorized","autonomous prescribing is not authorized","customer go-live approval is not authorized"],"rationale":"Request stays inside SCRIMED's metadata-only, minimum-necessary, tenant-scoped, no-live-PHI governance boundary."}}],"validation":{"status":"passed","checks":[{"id":"policy-rules-cover-no-go-boundaries","passed":true,"detail":"Policy rules must retain live data, connector, record mutation, payer, patient outreach, external model, clinical authority, and go-live boundaries."},{"id":"live-data-risk-blocked","passed":true,"detail":"Baseline live-data-risk request must be blocked."},{"id":"record-mutation-blocked","passed":true,"detail":"Record mutation requests must be blocked."},{"id":"deidentified-release-reviewed","passed":true,"detail":"Deidentified release or customer review packets must require human review unless already approved."},{"id":"metadata-policy-allowed","passed":true,"detail":"Metadata-only, minimum-necessary public readiness requests can be allowed."}]},"boundary":"SCRIMED Clinical Data Governance evaluates metadata-only policy requests for purpose of use, role, data class, consent, tenant scope, minimum necessary access, destination, human review, residency, and contract readiness. It does not ingest live records, store PHI, approve production connectors, mutate records, submit payer transactions, contact patients, authorize external model PHI processing, diagnose, treat, prescribe, or approve customer go-live.","safety":{"allowed":true,"status":"allowed","statusCode":200,"policyVersion":"scrimed-safety-governance-v2026-06-29","route":"/api/clinical-data-governance","requestedAction":"clinical data governance metadata policy evaluation","inputClassification":"synthetic-no-phi","phiDetected":false,"synthetic":true,"matchedAllowedActions":["synthetic-evaluation","audit-preparation"],"matchedBlockedActions":[],"reason":"Request stays inside SCRIMED's current synthetic, no-PHI, human-reviewed readiness boundary.","noGoBoundaries":["Live PHI/ePHI, patient identifiers, source charts, production credentials, or live records.","Autonomous or final diagnosis, triage replacement, or clinical decision authority.","Autonomous treatment plans, patient-specific care instructions, or therapy selection.","Medication prescribing, medication changes, order placement, or pharmacy actions.","Patient texting, calling, emailing, portal messaging, or outreach automation.","Claims submission, prior authorization submission, appeal filing, or reimbursement assurance.","EHR writeback, chart filing, record mutation, order entry, or connector writes.","Production EHR, payer, device, imaging, or third-party connector activation approval.","HIPAA, SOC 2, HITRUST, FDA, ONC, clinical validation, security, or accessibility certification claims."]}}