Compliance · Threaded posture

The long-form. Framework by framework.

Each framework below is unfolded into scope, controls, audit cadence, last-tested date, named owner, and the document an auditor or regulator can request. Print-friendly. Linkable per anchor. Versioned with the date this page was published.

Posture as of: 14 May 2026. Status legend: Active (production, evidence available) · Architected (implemented, awaiting first operational use) · In remediation (gap-closure underway) · Planned (committed roadmap with date) · Tracking (monitoring framework evolution).

Framework: HIPAA · 45 CFR 160/164

Status: Architected · BAA-ready
Owner: Acting (Founder); permanent CCO ahead of first BAA
Cadence: Continuous · annual sign-off
Last reviewed: 14 January 2026

Privacy Rule, Security Rule, Breach Notification Rule apply to all PHI. Administrative: Privacy Officer, Security Officer, training, risk assessment per NIST 800-30. Physical/edge: three-tier — edge EHR on clinic Mac Studio/Linux, patient device with AES-256-GCM and Secure Enclave, cloud-only for chain/audit/relay. Technical: unique identifier, auto-logoff, AES-256-GCM at rest, TLS 1.3 in transit, 7-year audit retention. Breach notification SLA: ≤1 hour internal notice to individuals (vs. 60-day HIPAA statutory max), ≤4 hours regulator notice, ≤7-day public report.

Framework: SOC 2 Type II · AICPA SSAE 18

Status: Planned · Q1 2027 observation
Owner: Acting (Founder); permanent CISO ahead of SOC 2 observation
Cadence: 12-month observation, annual cycle thereafter
Last reviewed: Engagement pending

Trust Service Categories: Security (CC1–CC9), Availability (A1), Processing Integrity (PI1), Confidentiality (C1), Privacy (P1–P8). Twelve-month observation window in first cycle.

Framework: HITRUST CSF v11

Status: Planned · Phase 3 (Year 2)
Owner: Acting (Founder); permanent CISO ahead of HITRUST engagement
Cadence: r2 certification, 2-year validity, interim review at month 12
Last reviewed: Engagement pending

156 controls across 14 categories. r2 path for full certification.

Framework: GDPR / UK GDPR · EU 2016/679

Status: Architected · DPA-ready
Owner: Acting (Founder); permanent DPO (independent counsel, EU-resident)
Cadence: Continuous
Last reviewed: DPA template v2026.05

Lead supervisory authority proposed: Irish Data Protection Commission. SCCs Module 2 + UK IDTA for transatlantic transfer. Data-subject access requests: 30 days, 60-day extension on complex matters. Automated decisions (Master Equation) are advisory only, never the sole basis; human override is always logged. EU Representative under Article 27: TBD upon EU-region launch. Full DPA at /legal/dpa/.

Framework: CCPA / CPRA

Status: Architected · operational
Owner: Privacy Officer
Cadence: Continuous
Last reviewed: Self-attested 2026-05

Consumer right to know, delete, correct, opt out of sale/sharing, limit use of sensitive personal information. We do not sell or share for cross-context behavioral advertising. Sensitive-PI processing limited to enumerated purposes.

Framework: 21 CFR Part 11 · FDA

Status: Architected · IQ/OQ/PQ on first GxP use
Owner: Acting (Founder); permanent Clinical IT lead ahead of first GxP engagement
Cadence: Per-system validation
Last reviewed: Posture set Q1 2026

Validated computer system. Secure electronic signatures. Tamper-evident audit trails. Trusted timestamps. Part 11 controls scoped to clinical-research data and other GxP-regulated electronic records.

Framework: FDA SaMD · Software-as-a-Medical-Device

Status: Tracking · PCCP guidance
Owner: CMO (Lahti, MD); Regulatory Affairs counsel engaged
Cadence: Per-release model cards
Last reviewed: Pathway alignment 2026-Q2

SaMD Pre-Cert v1.0 alignment. Class II — advisory, not autonomous. Model cards published per release. Bias audit before deployment and continuously.

Framework: State Money-Transmitter Acts · 49 states + DC

Status: Planned · Phase 2 sequence
Owner: Pending; BSA/MT counsel engaged ahead of first MTL application
Cadence: Per-state license renewal
Last reviewed: Matrix in progress

Custodian: trust-company affiliate. Surety bonds posted per state, as each state's regulation requires. NMLS lookup will appear here per state once issued.

Framework: FinCEN MSB · 31 CFR 1010

Status: Planned · Form 107 filing Q3 2026
Owner: Pending; ahead of Form 107
Cadence: Annual independent BSA review
Last reviewed: Posture set 2026-Q2

Written BSA/AML program. Designated BSA Officer. OFAC screening at onboarding and per-transaction. SAR filing within 30 days. CTR reporting. Annual independent review. FinCEN MSB number will appear here once issued.

Framework: DEA EPCS · 21 CFR 1300

Status: Architected · prescriber identity-proofing pending
Owner: Pending; ahead of first DEA-registered prescriber
Cadence: Biennial third-party EPCS-cert audit
Last reviewed: Posture set 2026-Q1

Two-factor identity proofing: hardware key + biometric. PDMP integrated per-state. Biennial third-party EPCS-cert audit. Two-token signing for each prescription.

Framework: 42 CFR Part 2 · SUD records

Status: Architected · SUD-data segmentation
Owner: Acting (Founder); permanent Privacy Officer ahead of first Part 2 program
Cadence: Per-disclosure consent
Last reviewed: Posture set 2026-Q1

Per-disclosure consent. Re-disclosure prohibition. Segregation within DataVault. Court order protocol per §2.64–2.67.

Framework: 21st Century Cures · ONC Cures Act

Status: Active · USCDI v3 baseline
Owner: Acting (Founder); permanent Interop lead ahead of first ONC-certified deployment
Cadence: Per USCDI release
Last reviewed: v3 active, v4–v6 forward-compliance, v7 comment filed

USCDI v3 export available. FHIR R4 API. Individual-access exception fully supported. Zero information-blocking practices. Bulk export via FHIR $export async.

Framework: WCAG 2.2 AA · W3C accessibility

Status: In remediation · VPAT 2.4 in progress
Owner: Acting (Founder)
Cadence: Annual third-party (first cycle: Phase 2)
Last reviewed: Per-release validation

VPAT v2.4 per major release. Issues triaged to a 30-, 60- or 90-day SLA by severity. Feedback: accessibility@conceptualhealth.com. Statement at /legal/accessibility/.

Framework: NIST CSF 2.0 · 800-66

Status: Active · controls mapped
Owner: Acting (Founder)
Cadence: Annual review
Last reviewed: Mapping complete 2026-Q1

Tier 4 (Adaptive) target. All controls mapped to NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). NIST 800-66 Rev. 2 used as HIPAA Security Rule implementation reference. NIST 800-53 Rev. 5 for FedRAMP-track surfaces.

Framework: FedRAMP Moderate

Status: Tracking · GovCloud-eligible
Owner: Pending; sponsoring federal agency required to commence
Cadence: Continuous monitoring once authorized
Last reviewed: 3PAO engaged 2026-Q2

SSP under continuous improvement. Target ATO: Q4 2027. Federal-customer pilots under interim arrangements pending ATO.

Framework: FIPS 140-3

Status: Tracking · FIPS-eligible primitives
Owner: Acting (Founder)
Cadence: Scheduled + on-revocation rotation
Last reviewed: KMS configuration audited 2026-Q1

KMS rooted in a CMVP-listed Cloud HSM. Algorithms: AES-256-GCM, TLS 1.3, Ed25519. Key rotation: scheduled annually and on any revocation event.

Framework: PCI DSS v4.0

Status: Architected · SAQ-D scope (pending QSA)
Owner: Acting (Founder); permanent Treasury Ops ahead of fiat-deposit launch
Cadence: Annual, calendar Q1
Last reviewed: Scope set 2026-Q1

Scope: SAQ-D (QSA engagement Phase 2). Tokenization: processor vault; no PAN or CVV touches CH infrastructure. Annual recertification, calendar Q1.

Framework: Token economics · CFTC / SEC / FinCEN / FLSA

Status: Architected · counsel-engaged · dual-track
Owner: Counsel of record + Chief Compliance Officer
Cadence: Posture review on each regulator action
Last reviewed: Posture v1.0 reviewed 2026-05-16

HCR and HCC designed as digital commodities under 7 U.S.C. §1a(9). Both hard-capped at 21B. Neither sold by Company; only on-network revenue is 0.5% protocol settlement fee. CFTC classification not yet confirmed — LabCFTC Innovation Office engagement underway; conservative dual-track posture maintained pending determination. SEC: tokens earned for work, not sold for investment; no profit-from-others'-efforts representation made. FinCEN: CVC-administrator analysis underway. IRS: ordinary income at FMV on receipt. FLSA / Florida wage: cash wages in USD at or above minimum; HCC to employees is supplemental work-credit, never wage-satisfying. Marketing scan: no price prediction, no "buy"/"invest" framing. Full analysis at /trust/tokens/.

Framework: Common Rule + IRB · 45 CFR 46

Status: Architected · IRB-ready
Owner: Pending; ahead of first research engagement
Cadence: Per-study
Last reviewed: Posture set 2026-Q1

Research Marketplace queries above de-identified-count threshold require IRB approval. Consent unit: per-record. Revocation: one tap, takes effect immediately. FDA Human Subjects Regulations (21 CFR 50/56) honored where applicable.

Acting officers

Why so many rows say "Acting (Founder)"

While the company is pre-launch, the founder holds the Acting role across multiple frameworks. Each row identifies the permanent role being sequenced (CCO, CISO, Privacy Officer, Interop lead, Clinical IT lead, etc.) and the trigger event for that hire — typically the first regulator engagement, the first paying clinic, or the first BAA. Sequence and named candidates are available behind the regulator portal on request.