Approvals Readiness
SCRIMED can operate publicly while future approvals stay gated and evidence-led.
This ladder keeps agents, systems, claims, buyer proof, PHI, security assurance, FDA/CDS/SaMD, ONC, and state care-delivery questions organized without pretending approvals are complete.
Global extension
Domestic approval preparation now rolls into global certification readiness.
SCRIMED Global Approval and Certification Readiness organizes domestic and international privacy, security, AI governance, medical-device, clinical-safety, interoperability, and procurement evidence needed before production healthcare operation. It is readiness planning only. It does not grant legal advice, regulatory approval, HIPAA compliance certification, SOC 2/HITRUST/ISO certification, FDA clearance, ONC certification, EU AI Act conformity, GDPR compliance assurance, NHS approval, MHRA approval, Australian cyber certification, PHI processing authority, public-sector procurement approval, reimbursement assurance, production connector approval, or live clinical care authority.
Operating posture
Move publicly as operations intelligence; move clinically only after evidence and approvals.
SCRIMED Approvals Readiness organizes public operating posture, HIPAA/BAA preparation, SOC 2 and HITRUST readiness, FDA/CDS/SaMD classification, ONC and connector certification planning, state care-delivery review, and buyer-specific release evidence. It does not grant legal approval, HIPAA compliance certification, SOC 2/HITRUST certification, FDA clearance, ONC certification, reimbursement certainty, PHI processing authority, production connector approval, public customer permission, or live clinical care authority.
Tracks
Each approval path has an owner, evidence gate, safe workaround, and hard boundary.
Public claims and intended-use boundary
Keep SCRIMED publicly sellable as healthcare operations intelligence, governed synthetic pilots, evidence organization, and buyer diligence.
- Boundary: Public copy cannot claim diagnosis, treatment, clinical triage, PHI processing, compliance certification, reimbursement certainty, production connector approval, or live clinical care.
- Workaround: Use operations-first language and route regulated claims through Claim Guard, Boundary Resolution, and qualified release authority.
- Owners: Founder, Product, Legal reviewer, Clinical governance reviewer
- Proof: /claims, /boundary-resolution, /qa-claim-guard, /public-market-readiness
HIPAA, BAA, and Security Rule readiness
Prepare SCRIMED to handle healthcare buyer diligence and future PHI/ePHI scopes without enabling PHI by default.
- Boundary: SCRIMED does not currently claim HIPAA compliance certification or production PHI processing authority.
- Workaround: Keep public/product flows synthetic-only or metadata-only while building risk analysis, safeguards, BAA/DPA, breach, access, and vendor evidence.
- Owners: Privacy, Security, Legal, Operations
- Proof: /trust-center, /trust-safety-operations, /pilot-workspace/access, /clinical-authority-readiness
SOC 2, HITRUST, and security assurance
Create a buyer-trust path from readiness controls to independent assurance evidence.
- Boundary: SCRIMED has security and procurement readiness surfaces, but it is not SOC 2 certified, HITRUST certified, ISO certified, FedRAMP authorized, or penetration-test approved unless issued evidence exists.
- Workaround: Use a readiness packet, control inventory, audit logs, vendor-risk responses, and no-sensitive-artifact references before formal attestation.
- Owners: Security, Operations, Engineering, External auditor
- Proof: /trust-safety-operations, /public-market-readiness, /pilot-workspace/access
FDA CDS/SaMD classification
Keep clinical-regulatory exposure controlled while deciding whether any SCRIMED function should intentionally pursue regulated clinical authority.
- Boundary: SCRIMED must not make patient-specific diagnosis, treatment, triage, or autonomous clinical action claims before intended-use and FDA classification review.
- Workaround: Frame current product as operations intelligence and synthetic evaluation; keep clinical outputs draft-only, transparent, and human-reviewed.
- Owners: Product, Regulatory advisor, Clinical governance, Legal
- Proof: /clinical-authority-readiness, /clinical-care-activation, /trust-os, /workflows
ONC, interoperability, and connector approval
Prepare connector, EHR, FHIR, HL7, DICOM, X12, and health IT claims without implying certification or live exchange authority.
- Boundary: Synthetic conformance kits do not equal ONC certification, EHR marketplace approval, payer connection approval, or production data exchange authority.
- Workaround: Use synthetic fixtures, connector contracts, conformance evidence, and partner/customer acceptance gates before live integration.
- Owners: Interoperability, Security, Customer integration, Platform partner
- Proof: /interoperability, /interoperability/evaluations, /integrations, /deployment-profiles
State care-delivery and telehealth review
Prevent product, agent, or workflow expansion from accidentally becoming unauthorized care delivery.
- Boundary: SCRIMED does not provide care, prescribe, contact patients, route emergencies, employ clinical judgment, or operate as a telehealth provider.
- Workaround: Keep workflows as enterprise operations planning and clinician-reviewed support until care-delivery counsel, licensed governance, and customer approval exist.
- Owners: Healthcare counsel, Clinical governance, Operations, Customer sponsor
- Proof: /clinical-care-activation, /clinical-authority-readiness, /operations
Buyer-specific release chain
Convert protected proof into shareable buyer evidence only after external approvals, release decisions, reviewers, recipient controls, and audit logs are retained.
- Boundary: Buyer diligence can use protected no-PHI evidence, but buyer-specific external sharing is blocked until release-control gates are satisfied.
- Workaround: Use the protected Buyer Release Control Runbook, verifier, remediation plan, metadata drafts, and checklist without bypassing AAL2 or human review.
- Owners: Founder, Sales, Legal reviewer, Security reviewer
- Proof: /buyer-release-control-run, /pilot-workspace/access, /qa-buyer-proof-release
Agents
Approval-aware agents can organize evidence, but humans retain authority.
Claim Guard Agent
Prevents sales, investor, PR, website, and operator language from crossing into unsupported regulated claims.
- Allowed: Classify claims, Route review triggers, Suggest operations-first wording
- Blocked: Approve public claims, Claim certification, Claim live clinical authority
- Checkpoint: Founder or qualified reviewer approval before public release.
Approval Evidence Router
Maps every future approval artifact to the right external system of record and stores only safe metadata references.
- Allowed: Create evidence checklists, Track owner labels, Track expiration and renewal posture
- Blocked: Store PHI, Store signed sensitive artifacts, Treat metadata references as approval
- Checkpoint: Legal/security/privacy review before artifact retention or external sharing.
Regulatory Classification Agent
Keeps intended-use and FDA/CDS/SaMD classification questions visible before clinical language enters product or sales motion.
- Allowed: Prepare classification questions, Compare intended-use boundaries, Identify review triggers
- Blocked: Provide legal/regulatory opinion, Submit to FDA, Approve clinical claims
- Checkpoint: Digital-health regulatory advisor sign-off.
Security Assurance Agent
Organizes SOC 2/HITRUST readiness evidence and routes gaps to owners.
- Allowed: Map controls, Track evidence freshness, Flag missing audit artifacts
- Blocked: Claim certification, Issue audit opinion, Accept customer vendor risk
- Checkpoint: External auditor or customer vendor-risk acceptance.
Buyer Release Steward
Sequences buyer-specific release gates without bypassing AAL2, qualified review, recipient control, or audit logging.
- Allowed: Read verifier status, Generate remediation plans, Prepare safe metadata drafts
- Blocked: Approve release, Share externally, Store recipient lists or raw logs
- Checkpoint: Named reviewer and release authority sign-off.
Processes
The operating sequence keeps Scrimed moving without crossing approval lines early.
1. Public operations launch
Operate publicly with operations-first language and synthetic evidence.
- Entry: Claims register active, No PHI, No clinical authority claims, Public smoke passes
- Exit: Approved Intended Use Memo, Release-control owner assigned
2. Healthcare trust foundation
Prepare HIPAA, BAA, security, privacy, incident, and vendor-risk evidence.
- Entry: Security owner assigned, Data boundary documented, Subprocessor register started
- Exit: Risk analysis complete, BAA/DPA templates ready, Incident and breach runbooks approved
3. Independent assurance
Move from internal controls to SOC 2/HITRUST-ready external evidence.
- Entry: Control inventory, Audit log evidence, Change management, Access reviews
- Exit: SOC 2 readiness complete, Audit scope selected, Evidence window retained
4. Clinical/regulatory classification
Decide whether any module intentionally enters FDA/CDS/SaMD or care-delivery review.
- Entry: Narrow intended use, Human-review model, Output transparency, Hazard analysis draft
- Exit: Qualified regulatory classification memo, Submission/no-submission decision, Claim language approved
5. Buyer-specific controlled release
Release buyer proof only through retained reviewer, recipient, access, and audit gates.
- Entry: Retained packet evidence, External approval references, Named reviewers, Recipient controls
- Exit: Versioned release decision, Access-log reconciliation, Buyer-safe packet retained