# SCRIMED Health Records Safety Exchange Brief

Status: health-records-safety-exchange-control-plane-active
Capability count: 5
Extraction stages: 5
Safety checks: 6
Boundary resolutions: 5
Workarounds: 20

## Boundary
SCRIMED Health Records Safety Exchange defines no-PHI health-record ingestion, extraction, normalization, interoperability, and patient-safety controls for synthetic and customer-approved sandbox evaluation. It does not authorize live PHI ingestion, production EHR access, patient matching, diagnosis, treatment, emergency triage, order entry, prescribing, payer submission, patient outreach, autonomous clinical decisions, record mutation, or production connector execution.

This brief is not PHI processing approval, production EHR authorization, ONC certification, TEFCA participation approval, payer submission authority, clinical validation, medical advice, diagnosis, treatment, or live-care authorization.

## Capabilities
- FHIR health-record intake and normalization (synthetic-ready): formats fhir-bundle; standards FHIR R4/R4B, US Core, USCDI, SMART App Launch; blocked live FHIR read, EHR writeback, patient matching, clinical decision automation
- HL7 v2 event and results extraction (customer-sandbox-required): formats hl7-v2-message; standards HL7 v2 ADT, HL7 v2 ORM/OML, HL7 v2 ORU, deployment-specific interface profiles; blocked production ADT feed, result posting, order mutation, unreviewed segment inference
- C-CDA and document intelligence extraction (metadata-only): formats c-cda-document, unstructured-note, csv-export; standards C-CDA, FHIR DocumentReference, LOINC, SNOMED CT, Atlas evidence layer; blocked live note ingestion, patient-specific summary release, diagnosis extraction claim, unreviewed document upload
- Imaging record and DICOM metadata routing (metadata-only): formats dicom-metadata; standards DICOM, DICOMweb, FHIR ImagingStudy, IHE ATNA; blocked pixel-data ingestion, diagnostic interpretation, PACS retrieval, imaging result writeback
- Payer, coverage, and prior-authorization record extraction (external-review-required): formats x12-prior-auth, fhir-bundle, csv-export; standards FHIR Coverage, FHIR Claim, FHIR ExplanationOfBenefit, X12 278, CMS prior authorization APIs; blocked payer submission, benefit determination, claim filing, reimbursement guarantee

## Extraction Stages
- Intake gate: Accepted source-format declaration and rejected live-data signal list.. Gate: Block PHI, patient identifiers, payer member data, credentials, production URLs, and source records.
- Schema and profile detection: FHIR/HL7/C-CDA/DICOM/X12 profile hypothesis with version uncertainty.. Gate: Require human confirmation before treating a profile as deployment truth.
- Extraction and normalization: Canonical extraction map, missing-field register, terminology queue, and provenance ledger.. Gate: Draft-only output; no diagnosis, treatment, order, payer, outreach, or writeback action.
- Patient-safety lint: Safety-check results for identity, units, medications, allergies, stale facts, provenance, and action boundary.. Gate: Critical findings block release and route to a qualified reviewer.
- Reviewer packet: Reviewer-ready packet with workarounds, blocked actions, retained gates, and proof routes.. Gate: Human approval required before customer sandbox, PHI, connector, or production workflow expansion.

## Patient Safety Checks
- PHI and live-record blocker (critical): Payload declares PHI, patient identifiers, payer member IDs, production URLs, credentials, or live clinical records. Mitigation: Reject request and return no-storage boundary guidance. Workaround: Use synthetic fixtures, metadata-only references, or customer-approved sandbox data after signed controls.
- Patient identity and matching guard (critical): Request asks SCRIMED to match, merge, deduplicate, or select a live patient. Mitigation: Block patient matching and route to customer MPI/identity governance. Workaround: Use synthetic patient placeholders and show the required MPI acceptance test.
- Unit, terminology, and semantic drift lint (high): Labs, vitals, medications, procedures, or conditions lack units, code-system version, or mapping provenance. Mitigation: Mark extracted facts as unresolved and require terminology review. Workaround: Expose a mapping queue with LOINC, SNOMED CT, RxNorm, ICD, CPT/HCPCS, and local-code placeholders.
- Medication and allergy review guard (critical): Medication, allergy, or interaction context is requested for clinical use. Mitigation: Keep output draft-only and require pharmacist/clinician review before any care action. Workaround: Generate a review checklist instead of advice, prescribing, or patient instruction.
- Stale, conflicting, or unattributed source guard (high): Extracted facts conflict across sources or lack timestamp/provenance. Mitigation: Block fact promotion into reviewer packet until source conflict is resolved. Workaround: Create a missing-evidence register and route to the customer records owner.
- Writeback and patient-action blocker (critical): Request asks for EHR mutation, order entry, outreach, payer submission, triage, or final clinical recommendation. Mitigation: Reject the action and preserve a no-authority audit event. Workaround: Produce a human-reviewed draft packet and retain the live-action gate.

## Boundary Resolutions
- Live PHI and patient identifiers: Public and synthetic routes reject PHI and live records; extraction evaluator requires syntheticOnly=true. Workaround: Use synthetic fixtures, metadata-only references, and customer sandbox placeholders. Gate: Signed BAA/DPA or non-PHI determination, privacy/security review, retention policy, and customer approval.
- Production EHR, HIE, payer, imaging, and device connectors: Connector work remains standards-aware and synthetic until partner acceptance testing exists. Workaround: Run conformance kits, fixture validation, CapabilityStatement review, and sandbox mapping packets. Gate: Customer sandbox approval, partner acceptance, security review, purpose-of-use, consent, audit, monitoring, and rollback.
- Patient safety and clinical action: Outputs are draft-only, source-attributed, reviewer-gated, and blocked from clinical action. Workaround: Produce reviewer checklists, missing-data registers, and escalation queues instead of recommendations. Gate: Licensed clinical governance, intended-use review, validation protocol, safety case, and customer go-live approval.
- Patient matching and longitudinal record assembly: SCRIMED does not match live patients or merge production longitudinal records. Workaround: Use synthetic identity placeholders and route matching to customer MPI or identity-governance owners. Gate: Customer MPI acceptance tests, identity policy, consent path, error reconciliation, audit, and clinical owner approval.
- Payer submission and reimbursement outcomes: SCRIMED creates synthetic prior-auth support packets and missing-evidence lists only. Workaround: Route payer work to human RCM review and customer payer-policy owners. Gate: Payer/trading-partner approval, X12/FHIR API testing, coding review, legal review, and customer release authority.

## Operating Rules
- Reject PHI, patient identifiers, payer member IDs, production credentials, source records, and production endpoints in public or synthetic workflows.
- Use FHIR, HL7 v2, C-CDA, DICOM/DICOMweb, X12, USCDI, TEFCA, and terminology standards as readiness contracts, not live connector approval.
- Keep patient matching, diagnosis, treatment, triage, prescribing, patient outreach, payer submission, and record mutation blocked.
- Route ambiguous mappings, missing provenance, stale facts, medication/allergy safety, and units/terminology conflicts to qualified human review.
- Require customer sandbox approval, privacy/security/legal review, clinical governance, consent/purpose-of-use, audit, monitoring, rollback, and go-live approval before live data exchange.

## Next Actions
- Attach Health Records Safety Exchange to every interoperability, clinical-care activation, and buyer integration conversation.
- Use the extraction evaluator to convert synthetic record requests into reviewer packets and retained gates.
- Promote only standards-mapped, source-attributed, human-reviewed, no-PHI evidence into buyer diligence.
- Create customer-specific sandbox acceptance tests before any live connector work.