Compliance

Every framework. Every page. On the record.

Conceptual Health is a regulated healthcare network operating under HIPAA, SOC 2, HITRUST, GDPR, state medical-practice acts, FDA pre-cert, and money-transmitter law in 49 states. This page is the index. The threaded posture page is the long-form record, framework by framework. The regulator portal is the cleared-access door.

Operating numbers

What the company looks like right now.

23 active frameworks
147 public attestations
≤1 hr breach-notification SLA
24/7 SOC + on-call counsel

Framework grid

Twelve frameworks we live under. Eleven we honor.

Each framework below unfolds on the threaded posture page with status, owner, audit cadence, last-tested date, and the document an auditor can request. Tap any framework name for the long-form record.

Live under

HIPAA: 45 CFR 160/164 — Privacy, Security, Breach Notification Rules.
SOC 2 Type II: Five Trust Service Categories, 12-month observation, Q1 2027 first cycle.
HITRUST CSF v11: r2 certification, 156 controls, 14 categories, 2-year validity.
GDPR / UK GDPR: EU 2016/679 — Irish DPC proposed as lead supervisory authority.
CCPA / CPRA: California Consumer Privacy Act + the 2023 amendments.
21 CFR Part 11: FDA validation for clinical-research electronic records.
FDA SaMD: Software-as-a-Medical-Device pre-cert alignment for clinical features.
State Money-Transmitter Acts: 49 states + DC. NMLS lookup once issued.
FinCEN MSB: 31 CFR 1010 — Form 107 filing scheduled Q3 2026.
DEA EPCS: Electronic prescribing of controlled substances per 21 CFR 1300.
42 CFR Part 2: Substance-use-disorder records; per-disclosure consent and segregation.
21st Century Cures: USCDI v3 baseline; FHIR R4 API; zero info-blocking practices.

Honor

WCAG 2.2 AA: Section 508 conformance, VPAT 2.4 in progress.
NIST CSF 2.0: Tier-4 Adaptive target. NIST 800-66 Rev. 2 as HIPAA-Security implementation reference.
FedRAMP Moderate: GovCloud-eligible architecture; target ATO Q4 2027.
FIPS 140-3: CMVP-listed primitives, KMS Cloud-HSM rooted, scheduled rotation.
PCI DSS v4.0: SAQ-D scope when first card-present clinic launches.
Token economics: CFTC / SEC / FinCEN / FLSA dual-track posture — see /trust/tokens/.
Common Rule + IRB: 45 CFR 46 — research-marketplace queries above threshold require IRB approval.

Cleared access

If you are a regulator or accredited auditor.

The regulator portal grants 24-hour cleared access to gated documents — SOC 2 Type II detail, pen-test reports, breach forensics, AI model cards, training records — for HHS OCR, HHS OIG, CMS, FDA, FTC, FinCEN, DEA, ONC, SEC, state AGs, state DOIs, state medical boards, state pharmacy boards, state DFRs, EU/UK Data Protection Authorities, PCI QSAs, FedRAMP 3PAOs, HITRUST assessors, and IRBs.

Direct contacts

Four officers. All inboxes monitored.

Privacy Officer: privacy@conceptualhealth.com
Chief Compliance Officer: cco@conceptualhealth.com
Chief Information Security Officer: ciso@conceptualhealth.com
24/7 SOC: soc@conceptualhealth.com