Clinical production readiness
SCRIMED now has a tracked task ledger for the work required before clinical production.
This surface separates what SCRIMED can safely sell and operate now from the hard requirements still needed for live clinical care, PHI, EHR connectors, regulated clinical claims, customer go-live, global approvals, and production support.
Operating posture
synthetic-no-phi-demo-pilot-diligence-and-readiness-services
Keep selling no-PHI demos, paid readiness services, synthetic pilots, diligence packets, and governance assessments now while the clinical-production task ledger remains incomplete and externally reviewed.
SCRIMED Clinical Production Readiness is a source-controlled task ledger and operating tracker for the work required before live clinical production, PHI/ePHI scope, production EHR or payer connectivity, patient-impacting AI, regulated clinical claims, customer go-live, and global clinical deployment. It does not grant legal advice, medical advice, regulatory approval, HIPAA compliance, SOC 2/HITRUST/ISO certification, FDA clearance, ONC certification, EU AI Act conformity, GDPR compliance assurance, PHI processing authority, production connector approval, customer permission, launch approval, reimbursement assurance, contractual SLA, revenue guarantee, profit guarantee, securities material, investment advice, valuation assurance, or live clinical care authority.
Tracked tasks
Every required task has an owner, status, missing evidence, current safe use, and retained boundary.
cpr-001: Approve intended use and clinical claim boundaries per product module.
Any patient-specific clinical recommendation, care workflow, triage, or regulated clinical claim.
- Owner: Product, clinical governance, regulatory counsel, and Claim Guard
- Missing: Qualified regulatory counsel review, Named licensed clinical owner, Approved intended-use register, Customer-specific clinical sponsor approval
- Criteria: Module-by-module intended-use memo, Approved public and buyer claim register, Human-review and transparency language, Regulated pathway decision for each clinical feature
- Current use: Keep product language to synthetic workflow intelligence, no-PHI planning, and clinician-reviewed draft support.
- Proof: /clinical-authority-readiness, /clinical-care-activation, /qa-claim-guard, /approvals-readiness
- No diagnosis, treatment, triage, prescribing, patient outreach, or autonomous clinical decision authority.
cpr-002: Stand up licensed clinical governance, safety case, hazard log, and escalation policy.
Live clinical workflows, patient-safety posture, and customer go-live review.
- Owner: Clinical governance, TrustOS, product, and customer clinical sponsor
- Missing: Licensed governance appointment, Customer care-setting scope, Clinical safety signoff, Post-launch safety monitoring cadence
- Criteria: Named licensed medical director or governance board, Clinical safety case, Hazard log and severity taxonomy, Escalation, override, and shutdown policy, Prospective pilot protocol and reviewer rubric
- Current use: Use safety case templates and synthetic scenarios in demos to show discipline without affecting patients.
- Proof: /clinical-authority-readiness, /clinical-care-activation, /trust-os, /health-records
- No live care impact or patient instruction until clinical signoff and customer go-live approval.
cpr-003: Complete HIPAA risk analysis and administrative, physical, and technical safeguard map.
Any PHI/ePHI scope, BAA-backed operation, or healthcare vendor-risk approval.
- Owner: Privacy, security, legal, and operations
- Missing: Qualified privacy/security review, Documented risk treatment, BAA/DPA templates, Subprocessor and access-review register
- Criteria: HIPAA risk analysis, Safeguard matrix, Access-control and audit-control evidence, Encryption, backup, recovery, deletion, and breach workflows, Workforce and vendor risk controls
- Current use: Sell no-PHI evidence rooms, security-readiness posture, and synthetic pilot reviews without claiming HIPAA compliance.
- Proof: /trust-center, /trust-safety-operations, /global-certification-readiness, /pilot-workspace/access
- No PHI or ePHI processing approval and no HIPAA certification claim.
cpr-004: Finalize BAA/DPA, non-PHI determination, data classification, retention, deletion, and legal-hold workflow.
Customer data intake, PHI/ePHI, source records, signed artifacts, and enterprise contracting.
- Owner: Legal, privacy, security, customer compliance, and operations
- Missing: Counsel-approved templates, Customer contract execution, Data residency and cross-border review where applicable, Signed customer data authority
- Criteria: BAA and DPA templates reviewed by counsel, Non-PHI determination workflow, Data classification matrix, Retention, deletion, legal hold, and backup policy, Customer-specific data-flow appendix
- Current use: Keep pilots synthetic, metadata-only, or buyer-provided non-PHI with written boundary language.
- Proof: /approvals-readiness, /pilot-workspace/access, /boundary-resolution, /public-market-readiness
- No customer permission, data processing authority, or PHI processing authorization.
cpr-005: Complete security assurance path for SOC 2, HITRUST, ISO 27001, penetration-test, and procurement evidence.
Enterprise vendor-risk acceptance and regulated healthcare procurement.
- Owner: Security, compliance, procurement, and qualified assessors
- Missing: Independent assessor selection, Evidence collection cadence, Customer procurement acceptance, Issued certification or explicit no-certification boundary
- Criteria: Control inventory and owners, Security policy set, Independent assessment or certification plan, Penetration-test and remediation evidence when requested, Vendor-risk questionnaire library
- Current use: Provide security-readiness packets and no-sensitive-artifact evidence links without certification claims.
- Proof: /trust-safety-operations, /global-certification-readiness, /service-reliability, /pilot-workspace/access
- No SOC 2, HITRUST, ISO, penetration-test approval, or customer vendor-risk approval claim.
cpr-006: Enforce production identity, RBAC, SSO, AAL2, access review, least privilege, and credential lifecycle.
Customer SSO, production tenant access, protected proof release, and PHI/ePHI workflows.
- Owner: Security, tenant governance, platform, and customer IT
- Missing: Customer IdP configuration, Production role map, Break-glass approval, Attestation evidence and audit export
- Criteria: Customer SSO acceptance, Role and purpose-of-use matrix, AAL2 operator policy, Access review cadence, Credential rotation, revocation, and emergency access policy
- Current use: Use AAL2 protected synthetic workspaces and no-secret operator packets for demos and diligence.
- Proof: /pilot-workspace/access, /release-continuity, /qa-launch-kit, /qa-buyer-proof-release
- No customer SSO or production invitation authority until customer and security approval.
cpr-007: Validate immutable audit logging, evidence retention, release decisions, reviewer signoffs, and access-log reconciliation.
Clinical accountability, buyer proof release, incident review, and enterprise auditability.
- Owner: TrustOS, release engineering, security, and customer operations
- Missing: Customer-specific audit export acceptance, Legal hold policy, Evidence integrity review, Production incident linkage
- Criteria: Append-only audit policy, Reviewer signoff workflow, Release decision register, Access-log reconciliation, Evidence retention and export runbooks
- Current use: Use buyer proof packets and protected demos to show audit discipline without live clinical action.
- Proof: /qa-buyer-proof-release, /buyer-release-control-run, /pilot-workspace/access, /release-continuity
- Audit evidence does not authorize PHI, release, customer proof, or clinical production.
cpr-008: Complete customer-specific FHIR, HL7 v2, C-CDA, DICOM, X12, payer, and EHR sandbox acceptance tests.
Any production health-record, payer, or EHR integration.
- Owner: Interoperability, health-record safety, security, and customer integration
- Missing: Customer sandbox credentials, Conformance run evidence, Integration monitoring plan, Customer platform approval
- Criteria: Standards map and profile assumptions, Synthetic and sandbox test fixtures, CapabilityStatement/interface profile review, ACK/NACK, reconciliation, provenance, and dead-letter controls, Customer sandbox signoff
- Current use: Sell no-PHI interoperability mapping, fixture validation, and sandbox-readiness assessments.
- Proof: /health-records, /api/health-records/extract, /interoperability, /integrations/fixture-validation
- No live connector, live record retrieval, payer submission, or EHR writeback authority.
cpr-009: Approve EHR writeback, record mutation, payer submission, patient outreach, and production connector execution separately.
Any patient-impacting external-system action.
- Owner: Customer executive sponsor, clinical governance, interoperability, legal, privacy, and security
- Missing: Signed customer production connector authority, Clinical safety signoff, Integration acceptance evidence, Support escalation and rollback test
- Criteria: Explicit action-by-action customer approval, Least-privilege token scope, Human reviewer workflow, Rollback and reconciliation plan, Audit log and shutdown authority
- Current use: Demonstrate draft-only reviewer packets and no-write synthetic simulations.
- Proof: /health-records, /clinical-authority-readiness, /pilot-workspace/access, /boundary-resolution
- No writeback, mutation, outreach, payer submission, or production connector execution.
cpr-010: Complete FDA CDS/SaMD classification, QMS escalation, and premarket pathway decision where required.
Clinical AI functions that could be regulated as medical device software.
- Owner: Regulatory counsel, product, clinical governance, AI platform, and quality
- Missing: Qualified FDA digital-health counsel review, Q-Submission or premarket plan if needed, Clinical evidence plan, Design-control and risk-management artifacts
- Criteria: CDS non-device criteria analysis, SaMD risk classification memo, FDA pathway decision, QMS and design-control escalation plan, Model-change and post-market monitoring policy
- Current use: Position clinical AI as synthetic, planning, operational, or draft support with human review.
- Proof: /global-certification-readiness, /clinical-authority-readiness, /platform-power, /evaluation
- No FDA-cleared, diagnostic, treatment, or autonomous clinical-device claim.
cpr-011: Decide ONC health IT certification, information-blocking, USCDI, SMART/FHIR, and EHR marketplace claim scope.
Certified health IT claims, EHR marketplace positioning, and formal interoperability claims.
- Owner: Interoperability, legal, health IT certification counsel, and platform partnerships
- Missing: ONC/certification counsel review, Marketplace partner requirements, Certification-body or EHR partner evidence where required
- Criteria: Claim scope memo, USCDI and FHIR API mapping, SMART launch and authorization review, Marketplace and partner approval path, Blocked ONC/certified-health-IT language
- Current use: Describe standards-readiness and synthetic conformance without certified health IT claims.
- Proof: /global-certification-readiness, /interoperability, /health-records, /integrations/fixture-validation
- No ONC certification, EHR marketplace approval, or certified connector claim.
cpr-012: Complete AI model inventory, evaluation, red-team, bias, drift, hallucination, source-attribution, and monitoring controls.
Any clinical, operational, payer, or documentation AI workflow with customer reliance.
- Owner: AI platform, TrustOS, QA, clinical governance, security, and product
- Missing: Customer-specific eval acceptance, Clinical reviewer rubric, Model-change policy, Live monitoring and rollback integration
- Criteria: Model and tool inventory, Evaluation datasets and acceptance thresholds, Red-team and adversarial review, Bias and drift monitoring, Source attribution and hallucination controls, Human override and incident learning
- Current use: Use AI evals, Trust Cards, and source-attributed synthetic demonstrations in buyer diligence.
- Proof: /platform-power, /evaluation, /trust-os, /continuous-review-audit
- No live autonomous AI, production model-routing approval, or error-free accuracy guarantee.
cpr-013: Stand up AI management-system evidence for ISO/IEC 42001 alignment and EU high-risk AI readiness.
Global AI assurance, EU high-risk AI planning, and enterprise buyer governance.
- Owner: AI governance, legal, privacy, security, quality, and regional counsel
- Missing: Qualified EU AI Act review, ISO 42001 certification decision, Regional technical documentation pack, Serious incident routing and reporting process
- Criteria: AI policy and objectives, Risk treatment register, Technical documentation, Data governance and logging plan, Human oversight and post-market monitoring process
- Current use: Use AI governance mapping as a high-value diligence offer without conformity or certification claims.
- Proof: /global-certification-readiness, /continuous-review-audit, /platform-power, /trust-os
- No EU AI Act conformity, ISO 42001 certification, or high-risk AI approval claim.
cpr-014: Prove 24/7 support, incident response, breach response, uptime monitoring, escalation, and shutdown authority.
Production customer support and clinical go-live.
- Owner: Service reliability, TrustOps, security, customer operations, and release steward
- Missing: Named on-call owners, Customer escalation contacts, Incident tabletop results, Support-tier contract language
- Criteria: On-call schedule, Incident and breach runbooks, Severity and escalation matrix, Status communication template, Shutdown authority, Tabletop exercise evidence
- Current use: Package incident-readiness and 24/7 review architecture as trust evidence for buyers and investors.
- Proof: /service-reliability, /trust-safety-operations, /continuous-review-audit, /launch-readiness
- No contractual SLA, managed SOC/MDR, production support guarantee, or clinical emergency response claim.
cpr-015: Validate disaster recovery, backup, recovery time objectives, rollback, regional failover, and business continuity.
Enterprise production resilience and procurement acceptance.
- Owner: Platform, service reliability, security, customer operations, and finance
- Missing: Production environment architecture, Customer resilience requirement, Restore test evidence, Runbook acceptance
- Criteria: Backup and restore test, Recovery objectives, Rollback procedure, Regional failover review, Business continuity plan, Cost and capacity assumptions
- Current use: Use scale and reliability readiness as a structural differentiator in enterprise diligence.
- Proof: /enterprise-scalability, /service-reliability, /launch-readiness, /release-continuity
- No uptime, failover, SLA, managed-service, or disaster-recovery guarantee.
cpr-016: Formalize change management, release control, rollback, post-release review, and production access controls.
Any production deployment, clinical feature promotion, or customer-specific proof release.
- Owner: Release steward, platform, QA, TrustOS, and security
- Missing: Production change calendar, Customer release window process, High-risk feature approval board, Post-release clinical monitoring
- Criteria: Release checklist, Change-risk classification, QA and smoke evidence, Approval signoff, Rollback plan, Post-release review
- Current use: Keep release discipline visible to investors and buyers through public smoke, briefs, and protected proof packets.
- Proof: /release-continuity, /qa-evidence, /buyer-release-control-run, /operational-efficiency
- No release approval, customer proof release, or clinical go-live without signed authority.
cpr-017: Execute customer MSA/SOW/BAA/DPA, service boundaries, billing, insurance, liability, and revenue-recognition review.
Paid clinical production, enterprise buyer commitments, and risk allocation.
- Owner: Legal, finance, accounting, tax, insurance, revenue operations, and deal desk
- Missing: Qualified counsel review, Qualified accounting/tax review, Insurance confirmation, Customer contract execution
- Criteria: Executed contract stack, Service boundary exhibit, Insurance and liability review, Billing and payment readiness, Revenue-recognition and tax review, Change-order and scope creep controls
- Current use: Sell scoped no-PHI paid pilots and readiness services through margin-safe work orders and deal-desk controls.
- Proof: /enterprise-business-ops, /service-delivery, /offerings, /capital-vitality
- No legal, accounting, tax, revenue, reimbursement, profit-margin, insurance, or contract authority.
cpr-018: Complete reimbursement, coding, payer policy, prior-authorization, and claims-submission authority review.
Payer workflow execution, coverage determinations, coding, submissions, or reimbursement claims.
- Owner: Revenue cycle, finance, legal, clinical governance, and customer operations
- Missing: Customer revenue-cycle approval, Payer-policy-specific review, Compliance signoff, Submission authority
- Criteria: CMS/payer policy review, Coding and billing compliance review, Human reviewer assignment, No-guarantee reimbursement language, Measurement methodology accepted by customer
- Current use: Offer denial-risk, prior-authorization packet drafting, and revenue-leakage analysis as human-reviewed draft support.
- Proof: /public-market-readiness, /pilot-deal-room, /health-records, /enterprise-business-ops
- No reimbursement, coverage, coding, payer submission, or financial outcome guarantee.
cpr-019: Complete GDPR, EU AI Act, data residency, DPIA, transfer mechanism, and regional clinical/legal review before global production.
EU or global clinical deployment, personal-data processing, and regional buyer claims.
- Owner: Regional counsel, privacy, AI governance, security, and global partnerships
- Missing: Region-specific legal review, DPIA and transfer decisions, Local clinical/procurement authority, Conformity assessment path where applicable
- Criteria: Controller/processor role map, Lawful basis and DPIA review, DPA/SCC transfer workflow, EU AI Act high-risk triage, Data residency and regional clinical review, Local buyer language approval
- Current use: Run global partner qualification, localization, and synthetic executive evaluations without personal data.
- Proof: /global-certification-readiness, /global-reach, /deployment-profiles, /investor-audience-readiness
- No GDPR compliance assurance, EU AI Act conformity, regional approval, or global clinical-production claim.
cpr-020: Decide ISO 13485/QMS, design controls, risk management, human factors, usability, and post-market surveillance scope.
Deliberate medical-device/SaMD productization and clinical production claims.
- Owner: Quality, regulatory counsel, product, clinical governance, and design
- Missing: Quality owner assignment, Regulatory counsel review, Clinical evidence plan, Post-market process and complaint handling
- Criteria: QMS applicability memo, Design-control procedure, Risk-management file, Human factors and usability plan, Post-market surveillance and complaint process
- Current use: Frame QMS readiness as a future production path while selling synthetic validation and quality-readiness planning.
- Proof: /global-certification-readiness, /clinical-authority-readiness, /platform-power, /continuous-review-audit
- No ISO 13485, medical-device QMS, or post-market surveillance approval claim.
cpr-021: Complete customer production go-live checklist, SSO/RBAC acceptance, monitoring, rollback test, support handoff, and shutdown authority.
Any live customer clinical production tenant.
- Owner: Customer executive sponsor, SCRIMED release steward, security, clinical governance, support, and legal
- Missing: Customer go-live approval, Clinical/legal/security/privacy signoffs, Support roster, Production environment validation
- Criteria: Signed production readiness checklist, Customer SSO and RBAC accepted, Monitoring and incident contacts active, Rollback and shutdown tested, Post-launch review cadence approved
- Current use: Use production-readiness packets inside sales operations to prepare without enabling production.
- Proof: /launch-readiness, /pilot-workspace/access, /sales-operations, /service-delivery
- No customer production go-live, automated invitation, SSO activation, or clinical workflow launch.
cpr-022: Create board-level clinical production readiness review cadence with owner, due date, evidence aging, risk acceptance, and blocked-claim review.
Company-level accountability before regulated expansion.
- Owner: Executive Operating Council, TrustOS, legal, finance, clinical governance, and release steward
- Missing: Board/advisor review schedule, Risk acceptance template, Evidence expiration policy, Clinical production decision log
- Criteria: Standing review cadence, Owner matrix, Evidence aging report, Risk acceptance record, Blocked-claim review, Investor and buyer language refresh
- Current use: Use the ledger as a strategic management asset in investor and enterprise buyer conversations.
- Proof: /company-assessment, /clinical-production-readiness, /continuous-review-audit, /public-market-readiness
- Board review does not create clinical, legal, financial, regulatory, or customer authority.
Maximize current capabilities
Scrimed can keep growing through no-PHI services, synthetic pilots, diligence packets, and governed readiness offers.
Synthetic executive operating assessment
Founders, health-system operators, faith-based clinics, investors, and transformation sponsors
- Strategic: Lead with whole-company and buyer-operating clarity while retaining all clinical-production hard stops.
- Financial: Package as a paid discovery, readiness, or board-prep engagement before regulated deployment.
- Structural: Routes every conversation through company score, task ledger, proof routes, and retained boundaries.
- Proof: /company-assessment, /clinical-production-readiness, /offerings
- Blocked claims: clinical production ready, certified, PHI approved, revenue guaranteed
No-PHI health-record and interoperability readiness package
Health-system integration teams, payers, clinics, and EHR reviewers
- Strategic: Turn live-data blockers into standards maps, sandbox plans, source-attribution tests, and safety controls.
- Financial: Sell scoped no-PHI interoperability assessment or sandbox-prep services.
- Structural: Creates customer-specific evidence before requesting credentials or live connector access.
- Proof: /health-records, /interoperability, /integrations/fixture-validation
- Blocked claims: live connector approved, EHR writeback ready, ONC certified, payer submission approved
AI governance and TrustOS diligence review
Compliance reviewers, AI governance committees, security teams, and investors
- Strategic: Position SCRIMED as governance-first healthcare AI without claiming autonomous production authority.
- Financial: Package AI inventory, model-route, eval, red-team, and claims-guard review as a service line.
- Structural: Connects platform power, TrustOS, continuous review, and future certification evidence.
- Proof: /platform-power, /trust-os, /evaluation, /continuous-review-audit
- Blocked claims: live autonomous AI, error-free AI, EU AI Act conformant, ISO 42001 certified
Buyer diligence and proof-release workbench
Enterprise buyers, procurement, vendor-risk teams, and board reviewers
- Strategic: Make proof sharing auditable, recipient-controlled, claim-guarded, and no-PHI by design.
- Financial: Improves close confidence for paid pilots by giving buyers controlled evidence without over-disclosure.
- Structural: Forces AAL2, release decision, reviewer signoff, recipient control, and access-log reconciliation.
- Proof: /qa-buyer-proof-release, /buyer-release-control-run, /pilot-workspace/access
- Blocked claims: customer permission, public distribution approved, PHI included, security certified
Service delivery workbench for no-PHI paid pilots
Clinics, health systems, payers, operational teams, and enterprise sponsors
- Strategic: Convert broad interest into scoped work orders with acceptance criteria and hard boundaries.
- Financial: Protects gross margin through packaged scope, price floors, change control, and deliverable templates.
- Structural: Creates repeatable delivery lanes before clinical production dependencies are complete.
- Proof: /offerings, /service-delivery, /enterprise-business-ops
- Blocked claims: SOW executed, SLA guaranteed, PHI authorized, profit guaranteed
Investor and clinic readiness packets
Angel investors, private investors, strategic partners, faith-based clinics, and public-sector sponsors
- Strategic: Turn the current platform into a credible story of traction, gates, evidence, and disciplined upside.
- Financial: Supports fundraising and sponsorship conversations without securities, valuation, or revenue promises.
- Structural: Links audiences to the exact packet, proof route, blocked claims, and next action.
- Proof: /investor-audience-readiness, /capital-vitality, /growth-engine, /public-market-readiness
- Blocked claims: securities offer, investment advice, valuation assurance, revenue guarantee
Enterprise operations and margin lock
Enterprise buyers, board, finance, and delivery leadership
- Strategic: Make Scrimed look and behave like a serious enterprise vendor before production authority exists.
- Financial: Controls price floor, scope creep, billing readiness, revenue recognition triage, and tax review.
- Structural: Runs proposals through deal desk, qualified review, margin model, and blocked-claim checks.
- Proof: /enterprise-business-ops, /service-delivery, /capital-vitality
- Blocked claims: audited financials, tax advice, profit margin guarantee, contract authority
24/7 review and innovation operating loop
Internal operators, investors, security reviewers, and innovation partners
- Strategic: Shows that Scrimed improves accuracy, evidence freshness, claims control, security drift, and future research continuously.
- Financial: Supports premium pilot pricing through governance, monitoring, and continuous-improvement evidence.
- Structural: Keeps internal research, quantum exploration, agent loops, incident learning, and release quality inside review gates.
- Proof: /continuous-review-audit, /qa-evidence, /service-reliability, /operational-efficiency
- Blocked claims: managed SOC, autonomous remediation, public quantum claim, certification
Launch-safe public product and demo motion
Prospects, demo attendees, pilots, advisors, and early investors
- Strategic: Maximizes today's platform surface without crossing PHI, production, clinical, or certification boundaries.
- Financial: Enables demos, paid discovery, pilot intake, and evidence-driven follow-up now.
- Structural: Keeps branded-domain smoke, navigation, onboarding, and launch hard stops explicit.
- Proof: /launch-readiness, /client-onboarding, /product, /demos
- Blocked claims: public launch approval, clinical production ready, customer result guaranteed, live PHI
Global certification and approval roadmap service
Global partners, regional buyers, strategic investors, and health systems
- Strategic: Turns global complexity into a visible roadmap rather than an unbounded promise.
- Financial: Can be sold as readiness assessment, localization prep, and diligence package support.
- Structural: Coordinates region, privacy, AI, cyber, clinical, procurement, and data-residency gates.
- Proof: /global-certification-readiness, /global-reach, /deployment-profiles
- Blocked claims: global approval, GDPR compliant, EU AI Act conformant, regional clinical authorization
Go-live gates
The same five gates block live clinical use until real authority exists.
Clinical authority and intended use
Approved intended-use statement, clinical governance owner, hazard analysis, human-review policy, and regulated-product pathway decision.
- Blocks: diagnosis, treatment, triage, patient messaging, clinical recommendations
PHI/ePHI and privacy authority
Executed BAA/DPA or written non-PHI determination, HIPAA risk analysis, data classification, retention, deletion, and breach process.
- Blocks: PHI ingestion, patient identifiers, source records, production credentials
Production connector and EHR/payer authority
Customer sandbox acceptance, conformance evidence, least-privilege connector policy, monitoring, rollback, and platform/customer approval.
- Blocks: live FHIR reads, EHR writeback, HL7 feeds, payer submissions, record mutation
Security assurance and vendor-risk acceptance
Independent assessment path, control inventory, access reviews, incident response, backup/recovery evidence, subprocessor register, and customer acceptance.
- Blocks: security certification claims, production vendor acceptance, enterprise go-live
Customer production go-live authority
Signed go-live checklist, SOW/MSA/BAA/DPA alignment, SSO/RBAC acceptance, monitoring, 24/7 escalation, rollback, shutdown, and post-launch review cadence.
- Blocks: production tenant activation, customer SSO, automated invites, live workflows
Next sequence
Work these first while current capability motions continue.
Source references
Official sources anchor the task ledger; qualified reviewers still make final determinations.
HHS HIPAA Security Rule
Anchor HIPAA risk analysis, ePHI safeguard mapping, access controls, audit controls, incident response, BAA/DPA, and breach-process readiness.
https://www.hhs.gov/hipaa/for-professionals/security/index.htmlFDA Clinical Decision Support Software Guidance
Anchor intended-use, human-review transparency, non-device CDS criteria, and escalation to regulated device review where claims require it.
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/clinical-decision-support-softwareFDA AI/ML Software as a Medical Device
Anchor AI-enabled SaMD lifecycle controls, model-change governance, performance monitoring, transparency, clinical evidence, and quality-management escalation.
https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-and-machine-learning-software-medical-deviceONC Health IT Certification and Interoperability
Anchor ONC certification, API, interoperability, USCDI, and health-IT connector claim review before SCRIMED represents certified health IT capability.
https://www.healthit.gov/topic/certification-ehrs/about-onc-health-it-certification-programNIST Cybersecurity Framework 2.0
Anchor cyber governance, risk identification, protection, detection, response, recovery, and enterprise security operating evidence.
https://www.nist.gov/cyberframeworkNIST AI Risk Management Framework
Anchor AI inventory, risk measurement, model evaluation, human oversight, incident learning, and TrustOS evidence language.
https://www.nist.gov/itl/ai-risk-management-frameworkEU Artificial Intelligence Act
Anchor EU high-risk AI triage, technical documentation, logs, data governance, human oversight, cybersecurity, robustness, accuracy, and post-market planning.
https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-aiEuropean Commission GDPR Legal Framework
Anchor controller/processor role mapping, lawful basis, DPIA, cross-border transfer, data-subject rights, retention, deletion, and DPA/SCC workflows.
https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_enISO 13485 Medical Devices Quality Management
Anchor medical-device quality management escalation if SCRIMED enters regulated medical-device or SaMD territory.
https://www.iso.org/standard/59752.htmlISO/IEC 42001 AI Management System
Anchor AI management-system policy, objectives, risk treatment, traceability, audit cadence, and continual improvement.
https://www.iso.org/standard/42001Hard stops