# SCRIMED Global Approval and Certification Readiness Brief

Status: global-approval-certification-readiness-control-plane-active
Reviewed: 2026-06-25
Tracks: 6
Sources: 10
Gates: 5
Regional packs: 5

## Boundary
SCRIMED Global Approval and Certification Readiness organizes domestic and international privacy, security, AI governance, medical-device, clinical-safety, interoperability, and procurement evidence needed before production healthcare operation. It is readiness planning only. It does not grant legal advice, regulatory approval, HIPAA compliance certification, SOC 2/HITRUST/ISO certification, FDA clearance, ONC certification, EU AI Act conformity, GDPR compliance assurance, NHS approval, MHRA approval, Australian cyber certification, PHI processing authority, public-sector procurement approval, reimbursement assurance, production connector approval, or live clinical care authority.

This brief is not legal advice, regulatory approval, HIPAA compliance certification, SOC 2/HITRUST/ISO certification, FDA clearance, ONC certification, EU AI Act conformity, GDPR compliance assurance, NHS approval, MHRA approval, Australian cyber certification, PHI processing authority, public-sector procurement approval, reimbursement assurance, production connector approval, or live clinical care authority.

## Tracks
- U.S. HIPAA, BAA, and PHI Readiness (evidence-build-required, United States): Prepare SCRIMED for healthcare buyer diligence and future PHI/ePHI scope while keeping current public and pilot flows synthetic-only. Next: Stand up a metadata-only HIPAA evidence room and assign risk-analysis, BAA, breach, access-review, and subprocessor owners. Blocked claims: HIPAA certified, PHI approved, BAA executed, production ePHI processing
- U.S. FDA CDS and SaMD Classification (external-review-required, United States): Prevent clinical-intelligence features from becoming unauthorized device claims while preserving a route to regulated clinical productization if deliberately chosen. Next: Produce a module-by-module intended-use and CDS/SaMD classification memo before adding any patient-specific clinical claim. Blocked claims: FDA cleared, diagnostic device, autonomous clinical decision, medical device approved
- SOC 2, HITRUST, ISO 27001, and ISO 42001 Sequencing (evidence-build-required, Global): Move from internal control readiness to independent security, privacy, and AI governance assurance without claiming certification early. Next: Create a certification sequencing board: SOC 2 readiness first, ISO 42001 AI management in parallel, HITRUST/ISO 27001 after buyer-driven scope. Blocked claims: SOC 2 certified, HITRUST certified, ISO certified, security certified
- EU AI Act, GDPR, and European Health Data Readiness (external-review-required, European Union): Prepare SCRIMED for EU deployment conversations with high-risk AI triage, personal-data governance, cross-border transfer controls, and deployer documentation. Next: Add EU-specific deployment-profile gates for AI Act high-risk triage, GDPR DPIA, SCC/DPA, hosting, and post-market monitoring. Blocked claims: GDPR compliant, EU AI Act conformant, CE marked, EU production approved
- UK NHS DTAC and MHRA Software/AI Readiness (external-review-required, United Kingdom): Prepare SCRIMED for UK NHS and private-provider review with DTAC evidence, clinical-safety controls, MHRA intended-purpose classification, and medical-device escalation gates. Next: Build a UK DTAC/MHRA evidence checklist and attach it to the global buyer localization pack. Blocked claims: NHS approved, DTAC passed, MHRA approved, UK medical device certified
- Australia Essential Eight and Health Deployment Readiness (evidence-build-required, Australia): Prepare SCRIMED for Australian provider, public-sector, and partner diligence with cyber baseline evidence and local privacy/procurement review gates. Next: Add Australia to deployment-profile readiness with Essential Eight evidence labels and privacy/procurement hard stops. Blocked claims: Australian government approved, Essential Eight certified, public-sector approved, health deployment authorized

## Gates
- Intended-use and claim classification: Decide whether each SCRIMED module is operations intelligence, non-device CDS candidate, SaMD review candidate, or blocked care-delivery scope. Owner: Product + clinical governance + regulatory counsel Blocked until complete: diagnosis language, treatment language, autonomous triage, medical-device approval claims
- Privacy and data-boundary approval: Prove whether a workflow remains synthetic/no-PHI/no-personal-data or needs HIPAA, GDPR, DPA, SCC, hosting, consent, and retention controls. Owner: Privacy + legal + security Blocked until complete: production PHI, EU personal-data movement, customer upload, patient outreach
- Security assurance and audit evidence: Move internal controls toward audit-ready evidence for SOC 2, ISO 27001, HITRUST, ISO 42001, and buyer security reviews. Owner: Security + engineering + operations Blocked until complete: SOC 2 certified, HITRUST certified, ISO certified, security approved
- Human oversight and post-market monitoring: Make AI oversight, model drift, incidents, serious malfunctions, and change control inspectable before regulated or global deployment. Owner: TrustOS + quality + clinical governance Blocked until complete: autonomous operation, adaptive model release, high-risk AI conformity, post-market compliance claim
- Regional procurement and localization authority: Confirm local legal, privacy, procurement, hosting, language, accessibility, and partner authority before country-specific sales claims. Owner: Global partnerships + regional counsel + sales Blocked until complete: government approved, country-wide deployment, sovereign-ready approved, local certification complete

## Regional Packs
- United States (launch): Sell governed synthetic evaluations and no-PHI workflow intelligence while HIPAA, FDA, and SOC 2 evidence matures. Hard stops: PHI authority, clinical authority, production connector approval, security assurance evidence
- European Union (strategic): Use no-personal-data strategic evaluations and EU buyer localization packs before EU personal-data or high-risk AI commitments. Hard stops: GDPR role/lawful-basis approval, high-risk AI conformity route, EU hosting decision, medical-device review
- United Kingdom (strategic): Offer UK synthetic pilot proof with DTAC-style diligence packets while medical-device and NHS assurance remain gated. Hard stops: NHS assurance, clinical safety signoff, MHRA/medical-device route, ICO/privacy review
- Australia (watch): Use cyber-aligned partner discovery and synthetic pilots while Essential Eight and local privacy evidence are prepared. Hard stops: buyer security acceptance, privacy counsel review, public-sector procurement, production data approval
- Middle East strategic markets (strategic): Lead with executive synthetic evidence, deployment profiles, and qualified partner review before national-program or sovereign claims. Hard stops: government authority, data residency approval, local hosting decision, qualified partner signoff

## Source Review
- HHS HIPAA Security Rule (United States): SCRIMED needs a HIPAA risk analysis, safeguard map, BAA/DPA pathway, breach process, access review, and subprocessor register before PHI or ePHI scope. Source: https://www.hhs.gov/hipaa/for-professionals/security/index.html
- FDA Clinical Decision Support Software Guidance (United States): SCRIMED must maintain intended-use analysis, human-review transparency, non-device CDS criteria review, and SaMD escalation gates before clinical recommendation claims. Source: https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-software
- FDA Artificial Intelligence in Software as a Medical Device (United States): If SCRIMED deliberately enters regulated SaMD territory, it needs QMS, clinical evidence, risk management, performance monitoring, change control, transparency, and regulatory counsel before launch. Source: https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-device
- NIST AI Risk Management Framework (United States): SCRIMED should map AI inventory, risk taxonomy, measurement routines, model evaluation, incident response, and TrustOS evidence to NIST AI RMF language. Source: https://www.nist.gov/itl/ai-risk-management-framework
- EU Artificial Intelligence Act (European Union): SCRIMED needs EU high-risk triage, technical documentation, data governance, logs, human oversight, post-market monitoring, serious-incident routing, and conformity-assessment planning before EU production claims. Source: https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
- European Commission GDPR Legal Framework (European Union): SCRIMED needs GDPR role mapping, lawful-basis review, DPIA, DPA/SCC workflows, data-subject rights process, retention schedule, transfer mechanism, and DPO escalation before EU personal-data scope. Source: https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en
- ISO/IEC 42001:2023 (Global): SCRIMED should build an AI Management System with policy, objectives, risk treatment, traceability, transparency, audit cadence, and continuous improvement before pursuing ISO 42001 certification. Source: https://www.iso.org/standard/42001
- NHS Digital Technology Assessment Criteria (United Kingdom): SCRIMED needs a UK buyer pack for clinical safety, data protection, security, interoperability, usability, accessibility, DSPT alignment, and medical-device escalation. Source: https://digital.nhs.uk/services/digital-technology-assessment-criteria-dtac
- MHRA Software and AI as a Medical Device Change Programme (United Kingdom): SCRIMED needs UK intended-purpose classification, clinical evidence plan, post-market surveillance model, change-control process, cybersecurity evidence, and MHRA counsel before UK clinical claims. Source: https://www.gov.uk/government/publications/software-and-ai-as-a-medical-device-change-programme/software-and-ai-as-a-medical-device-change-programme-roadmap
- Australian Cyber Security Centre Essential Eight (Australia): SCRIMED should map Australian buyer security diligence to Essential Eight maturity evidence, incident reporting, access hardening, patching, backups, application controls, and logging. Source: https://www.cyber.gov.au/business-government/asds-cyber-security-frameworks/essential-eight