Threaded posture · v2026.Q1

The long-form. Framework by framework.

Each framework below is unfolded into scope, controls, audit cadence, last-tested date, named owner, and the document an auditor or regulator can request. Print-friendly. Linkable per anchor. Versioned with the date this page was published.

45 CFR 160 / 164 · Live · BAA

HIPAA Privacy, Security, & Breach Notification.

Conceptual Health Clinical operates as a Covered Entity. DataVault, AI Scribe, Pharmacy, and Conceptual Chain operate as Business Associates under signed BAAs. The Privacy Rule, Security Rule, and Breach Notification Rule apply to every PHI touchpoint.

Owner: CCO + Privacy Officer
Last reviewed: 2026-01-14
Cadence: Continuous · annual sign-off

Scope

All Protected Health Information across clinical encounters, patient portal, pharmacy, AI-assisted documentation, and research-marketplace records. Includes data at rest, in transit, in backup, and in third-party-processor systems under BAA.

Controls

  • Administrative. Designated Privacy Officer and Security Officer. Workforce training (annual + onboarding + role-changes). Sanctions policy. Information-access management with role-based provisioning. Periodic risk assessment (NIST 800-30 methodology).
  • Physical. Cloud-only hosting in HIPAA-eligible AWS regions; no PHI on physical media or end-user devices. Workstation security policy enforced via MDM; biometric + passkey + PIN.
  • Technical. Unique user identification, automatic logoff, encryption at rest (AES-256-GCM with patient-held keys) and in transit (TLS 1.3). Audit controls capture every PHI access event for 7 years.
  • Breach notification. ≤1 hour SLA to affected individuals via in-app + email; ≤4 hours to regulators where required; HHS Wall of Shame report within 60 days. Public incident reports within 7 days of resolution.

Documents on request

  • HIPAA Risk Analysis (latest)
  • Security Rule Policies & Procedures (current binder)
  • Workforce Training Records (rolling 12 months)
  • Business Associate Agreement template + executed list (regulator only)
  • Audit-control configuration export

AICPA SSAE 18 · Annual

SOC 2 Type II · five trust criteria, full year of evidence.

Annual SSAE 18 Type II examination scheduled with Phase 2. The first cycle will cover a 12-month observation window across Security, Availability, Processing Integrity, Confidentiality, and Privacy. The CPA firm name will appear here once the engagement letter is countersigned.

Owner: CISO
Last issued: 2026-Q1 (FY-prior)
Auditor: Independent CPA firm — pending Phase 2

Trust Service Categories in scope

  • Security (CC1–CC9). Network controls, access management, vulnerability management, change management, incident response.
  • Availability (A1). Uptime measured per the live status page SLA on patient-facing surfaces. DR target RTO ≤ 4 hours, RPO ≤ 15 minutes; first DR drill scheduled in Phase 2 with the first paying clinic.
  • Processing Integrity (PI1). Charting, claim coding, and chain-issued payouts validated end-to-end with checksums and double-entry attestation.
  • Confidentiality (C1). Customer data classification, encryption, contractual confidentiality.
  • Privacy (P1–P8). Privacy notice, consent management, individual rights, data subject access requests, retention.

HITRUST CSF v11 r2 · 2-yr

HITRUST CSF r2. 156 controls. 14 categories.

r2 certification — the prescriptive HITRUST tier favored by hospitals, health plans, and life-science vendors. Two-year certification with required interim review at month 12.

Owner: CISO
Validity: 2 years
Verifiable: HITRUST cert-search lookup

Categories covered

Information Protection Program · Endpoint Protection · Portable Media Security · Mobile Device Security · Wireless Security · Configuration Management · Vulnerability Management · Network Protection · Transmission Protection · Password Management · Access Control · Audit Logging & Monitoring · Education, Training & Awareness · Third-Party Assurance · Incident Management · Business Continuity & Disaster Recovery · Risk Management · Physical & Environmental Security · Data Protection & Privacy.

EU 2016/679 · UK DPA 2018 · Live · DPA

GDPR & UK GDPR. Six lawful bases. One exit ramp.

EU operations under GDPR. UK operations under UK GDPR + Data Protection Act 2018. Independent EU-resident DPO. Standard Contractual Clauses (Module 2) + UK IDTA for transatlantic transfer. Data subject access requests fulfilled within 30 days, with a 60-day extension on complex matters.

DPO: Independent counsel, EU-resident
Lead authority: Irish DPC (proposed)
Transfer: SCCs Module 2 + UK IDTA
Document

Data subject rights honored

  • Access (Art. 15) · Rectification (Art. 16) · Erasure (Art. 17) · Restriction (Art. 18) · Portability (Art. 20) · Objection (Art. 21).
  • Automated decisions (Art. 22): Master Equation outputs are advisory, never the sole basis of a clinical decision; human override is logged.

Cal. Civ. §1798.100 · Live

CCPA / CPRA · extended network-wide.

California consumer privacy rights are honored for every patient regardless of residency. CPRA-grade workflows for access, deletion, correction, and opt-out from sale or sharing. We do not sell personal information.

Owner: Privacy Officer
DSAR turnaround: Median 6 days · max 45
Sale of PI: None — by design

21 CFR Part 11 · Validated

21 CFR Part 11. Electronic records, electronic signatures.

For clinical-research data flowing through Conceptual Health Clinical and DataVault, the system meets FDA Part 11 requirements: validated computer system, secure electronic signatures, audit trails that cannot be altered without leaving evidence, and timestamps from a trusted source.

Owner: Clinical IT QA
Validation: IQ/OQ/PQ + change control
Signatures: Two-component identity + intent
Audit trail: Append-only, on Conceptual Chain

FDA SaMD · Pre-cert

FDA Software-as-a-Medical-Device. Pre-cert pathway.

AI Scribe and Master Equation diagnostic-support modules are in the FDA SaMD Pre-Certification pathway. Algorithmic transparency: model cards published per release. Bias auditing performed before deployment and continuously thereafter. Human-in-the-loop required for any decision that meets the SaMD definition under IMDRF risk categorization.

Owner: CMO + Reg Affairs
Pathway: SaMD Pre-Cert v1.0 alignment
Class: II (advisory · not autonomous)
Model cards: Published with each release

State MT Acts · 49 states

State Money-Transmitter Licensing. Forty-nine states + DC.

Conceptual Health Exchange holds money-transmitter licenses where required and qualifies for exemption (HSA-trustee, agent-of-payee) where structurally appropriate. A trust-company affiliate custodies HCR/HCC reserves. Montana operates under its MT-act exemption.

Owner: CFO + State Counsel
Custodian: Trust company affiliate
Surety: Per-state bonds posted

31 CFR 1010 · Registered

FinCEN MSB Registration. BSA program in writing.

Registered Money Services Business with FinCEN. Written BSA/AML program, designated BSA Officer, OFAC screening at onboarding and per-transaction, SAR filing, CTR reporting, independent annual review.

Owner: BSA Officer
Independent review: Annual
SAR filing: Within 30 days of detection
OFAC: Per-transaction screening

21 CFR 1300 · Live · EPCS

DEA EPCS. Controlled substances, electronically.

Electronic Prescriptions for Controlled Substances. Two-factor authentication at signing. Identity-proofing per credential service provider. Every Schedule II–V prescription is logged with audit-trail entries that survive practitioner offboarding.

Owner: Pharmacy Compliance
Third-party audit: EPCS-cert qualified, biennial
2FA: Hardware key + biometric
PDMP: Integrated · per-state

42 CFR Part 2 · Live

42 CFR Part 2. Substance use, elevated consent.

Records originating from substance-use-disorder treatment carry the elevated Part 2 consent standard. Per-disclosure consent. Re-disclosure prohibition language attached to every export. SUD records segregated within DataVault.

Owner: Privacy Officer
Consent unit: Per-record · per-recipient
Re-disclosure: Prohibited absent re-consent
Court order: Sec. 2.64–2.67 protocol

ONC Cures Act · Compliant

21st Century Cures · Information-Blocking. No friction. No fees.

USCDI v3 export available to every patient, every time, free of charge, in the format the patient requests. FHIR R4 API for third-party app developers. Individual-access exception fully supported. Zero information-blocking practices.

Owner: Interop Lead
USCDI: v3 (current)
FHIR: R4 · SMART on FHIR
Bulk export: $export · async

W3C WCAG 2.2 · AA target

WCAG 2.2 AA + Section 508. Every patient, every device.

Patient surfaces audited to WCAG 2.2 AA. VPAT 2.4 published per major release. Annual independent accessibility audit. Issues triaged on a 30/60/90 day SLA depending on severity.

Owner: Design Systems
Audit cadence: Annual third-party (first cycle: Phase 2)
VPAT: v2.4 · per release
A11y feedback: accessibility@conceptualhealth.com

NIST CSF 2.0 / 800-66 · Mapped

NIST CSF 2.0. Govern. Identify. Protect. Detect. Respond. Recover.

All security controls are mapped to NIST CSF 2.0 functions and categories. NIST SP 800-66 Rev. 2 is the implementation reference for HIPAA Security Rule alignment. NIST 800-53 Rev. 5 controls used selectively for FedRAMP-track surfaces.

Owner: CISO
Tier: Tier 4 (Adaptive) target
Mapping: Internal control catalog
Document: Available to enterprise (NDA)

FedRAMP Moderate · In progress

FedRAMP Moderate. For VA, IHS, federal-customer surfaces.

Authorization in progress. 3PAO engaged. SSP under continuous improvement. Target ATO Q4 next year. Until ATO is granted, federal-customer pilots operate under interim arrangements with the sponsoring agency's CIO.

Owner: GovCloud Lead
3PAO: Engaged
Boundary: GovCloud isolated tenancy
Target: ATO · Q4 next year

FIPS 140-3 · Validated

FIPS 140-3 Cryptography. Validated modules only.

All cryptographic modules use FIPS 140-3 validated implementations. AES-256-GCM at rest. TLS 1.3 in transit. Ed25519 for signing. X25519 for key agreement. KMS-backed key custody with HSM-rooted attestation.

Owner: Security Engineering
KMS: Cloud-HSM rooted · CMVP-listed
Algorithms: AES-256-GCM · TLS 1.3 · Ed25519
Rotation: Scheduled + on-revocation

PCI DSS v4.0 · SAQ-D

PCI DSS v4.0. Cards never cross our edge.

Patient and clinic card payments are routed through a PCI-validated Level 1 service provider with no PAN, CVV, or magstripe data ever touching our systems. Conceptual Health is SAQ-D scoped; QSA engagement opens with the first card-present clinic in Phase 2. We do not store, process, or transmit raw cardholder data on our infrastructure.

Owner: Treasury Ops
Scope: SAQ-D — QSA engagement Phase 2
Tokenization: Processor vault — no PAN/CVV on our infrastructure
Renewed: Annually, calendar Q1

45 CFR 46 · Live · IRB

Common Rule + IRB Oversight. No data without protocol.

Research Marketplace queries above the de-identified-count threshold require IRB approval at the requesting institution. Re-contact requests carry the IRB approval number, sponsor, study purpose, and any offered honorarium. Patients see all of it before they accept.

Owner: Research Ops
Consent unit: Per-record
Revocation: One tap, takes effect immediately
FDA HSR: 21 CFR 50/56 honored where applicable