Compliance & Standards

Every framework. Every page. On the record.

Conceptual Health is a regulated healthcare network operating under HIPAA, SOC 2, HITRUST, GDPR, state medical practice acts, FDA pre-cert, and money-transmitter law in 49 states. This page is the index. The threaded interior is the long-form. The regulator portal is the cleared-access door.

Open threaded posture → Regulator access

Active frameworks

147

Public attestations

≤ 1 hr

Breach-notification SLA

24/7

SOC + on-call counsel

Frameworks

Twelve we live under, eleven we honor.

Tap any card for the threaded posture: scope, controls, audit cadence, attestation document, last-tested date, and the named owner inside the company.

45 CFR 160 / 164 Live · BAA

HIPAA Privacy & Security

Covered entity (clinical), business associate (datavault, AI, chain). Privacy Rule, Security Rule, Breach Notification Rule.

Owner: CCO + Privacy Officer↗

AICPA SSAE 18 Annual

SOC 2 Type II

Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy. Independent CPA-firm audit scheduled with Phase 2.

Renewed Q1 each year↗

HITRUST CSF v11 r2 · 2-yr

HITRUST CSF

r2 certification spanning 156 controls across 14 categories. Interim review every 12 months, full re-cert every 24.

Owner: CISO↗

EU 2016/679 Live · DPA

GDPR + UK GDPR

EU operations under GDPR. UK under UK GDPR + Data Protection Act 2018. Standard contractual clauses for transatlantic transfer.

DPO: Independent counsel, EU↗

Cal. Civ. §1798.100 Live

CCPA / CPRA

California consumer privacy rights honored network-wide regardless of residency. CPRA-grade access, deletion, opt-out workflows.

Owner: Privacy Officer↗

21 CFR Part 11 Validated

FDA 21 CFR Part 11

Electronic records and electronic signatures for clinical research data. Validated computer systems, signed audit trails, secure timestamps.

Owner: Clinical IT QA↗

FDA SaMD Pre-cert

FDA Software-as-a-Medical-Device

AI Scribe and Master Equation diagnostic-support modules in pre-cert pathway. Algorithmic transparency, model-card publishing, bias auditing on deployment.

Owner: CMO + Reg Affairs↗

State MT Acts 49 states

Money-Transmitter Licensing

Conceptual Health Exchange holds money-transmitter licenses or qualifies for exemption in 49 states + DC. Trust company custodies HCR/HCC reserves.

Owner: CFO + State Counsel↗

31 CFR 1010 Pending

FinCEN MSB Registration

Money Services Business filing in preparation. KYC/AML program, OFAC screening, SAR filing capability, written compliance program — implemented and self-attested. Public FinCEN MSB number will appear here once issued.

Owner: BSA Officer↗

21 CFR 1300 Pending · EPCS

DEA EPCS

Electronic Prescriptions for Controlled Substances. Two-factor authentication, identity-proofing, tamper-evident audit logs - implemented and self-attested. DEA-approved EPCS audit scheduled before EPCS go-live (Phase 2).

Owner: Pharmacy Compliance↗

42 CFR Part 2 Live

42 CFR Part 2 (SUD)

Substance use disorder records held to elevated consent standard. Per-disclosure consent, prohibition on re-disclosure without authorization.

Owner: Privacy Officer↗

ONC Cures Act Compliant

21st Century Cures · Info Blocking

USCDI v3 export, FHIR R4 API, individual-access exception support. No information-blocking practices; full data portability on patient request.

Owner: Interop Lead↗

W3C WCAG 2.2 AA target

WCAG 2.2 AA + Section 508

Patient-facing surfaces built to WCAG 2.2 AA: skip-link, prefers-reduced-motion, 44x44 touch targets, focus-visible, AAA contrast where feasible. Independent accessibility audit and VPAT 2.4 publication open with Phase 2.

Owner: Design Systems↗

NIST CSF 2.0 / 800-66 Mapped

NIST Cybersecurity Framework

Controls mapped to NIST CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). 800-66 Rev. 2 used as HIPAA Security Rule implementation reference.

Owner: CISO↗

FedRAMP Moderate In progress

FedRAMP Moderate

Authorization in progress for federal-customer surfaces (VA, IHS pilots). 3PAO engaged. ATO target Q4 next year.

Owner: GovCloud Lead↗

FIPS 140-3 Validated

FIPS 140-3 Cryptography

All cryptographic modules use FIPS 140-3 validated implementations. AES-256-GCM, TLS 1.3, Ed25519 signing, X25519 key agreement.

Owner: Security Engineering↗

PCI DSS v4.0 SAQ-D pending

PCI DSS v4.0

Patient and clinic card payments are routed through a PCI-validated processor with no PAN ever touching our systems. Conceptual Health is SAQ-D scoped; QSA engagement opens with the first card-present clinic in Phase 2.

Owner: Treasury Ops↗

45 CFR 46 Live · IRB

Common Rule + IRB Oversight

Research Marketplace gated by IRB approval. Common Rule and FDA HSR. Approved IRB partners; per-record consent; revocable in one tap.

Owner: Research Ops↗

Coverage matrix

Which framework applies to which surface.

Conceptual Health is not one product — it is a network. Some frameworks apply network-wide, others scope to specific surfaces. This matrix is the truth table.

Framework ↓ · Surface →

Clinical EHR

Patient Portal

DataVault

Pharmacy

Exchange

Chain

AI Scribe

HIPAA

●

◐

●

SOC 2 Type II

●

HITRUST CSF

●

—

◐

●

21 CFR Part 11

●

—

●

◐

—

●

DEA EPCS

●

—

●

—

State MT Acts + FinCEN

—

◐

—

●

—

42 CFR Part 2 (SUD)

●

—

●

21st Century Cures

●

◐

—

◐

—

WCAG 2.2 AA

●

◐

●

● Full coverage · ◐ Partial / scope-limited · — Not applicable

Document vault

The papers, signed and dated.

Public documents are downloadable. Audit-summary and pen-test documents are gated to NDA-signed enterprise customers and regulators-with-credentials via the regulator portal.

HIPAA Notice of Privacy Practices

v4.2 · Effective 2026-01-01 · 14 pp.

Read

Patient Terms of Service

v6.1 · Effective 2026-02-15 · 22 pp.

Read

Business Associate Agreement (template)

v3.0 · Mutual execution · 11 pp.

Read

EU/UK Data Processing Addendum

SCCs Module 2 · UK IDTA · 18 pp.

Read

SOC 2 Type II report (executive summary)

FY-current · NDA-gated · 6 pp. summary

NDA

HITRUST CSF r2 Letter of Validation

v11 · 156 controls · cert-search verifiable

NDA

Annual penetration test (summary)

Independent QSA-aligned firm · prior FY

NDA

Transparency Report (current)

Government requests · breach log · uptime

Read

Security Architecture Whitepaper

v2.4 · Public · 28 pp.

Read

Attestation index (all)

Live registry · last refreshed today

Read

For regulators & auditors

A door, not a hallway. Cleared access in 24 hours.

If you represent OCR, HHS, FDA, FTC, SEC, a state attorney general, a state DOI, a state medical board, or an accredited audit firm, the regulator portal grants credentialed access to gated documents (SOC 2 detail, pen-test reports, breach forensics, AI model cards, training records) within 24 hours of identity verification.

Open regulator portal → Or talk to a human

Named, on the record

Who to call. By name. By role.

Compliance is people, not process. Every framework has a named owner inside the company. For HIPAA-covered concerns, our Privacy Officer responds in one business day. For breach-coordination, our SOC is reachable 24/7.

Privacy Officer

privacy@conceptualhealth.com · +1 (555) 010-PRIV

HIPAA inquiries, individual rights requests (access, amendment, accounting), accounting-of-disclosures, Notice of Privacy Practices.

Chief Compliance Officer

cco@conceptualhealth.com · +1 (555) 010-COMP

Framework-level matters, regulatory correspondence, audit coordination, OCR/HHS/AG inquiries, MOU/MOA negotiation.

Chief Information Security Officer

ciso@conceptualhealth.com · +1 (555) 010-CISO

Security architecture, SOC 2 / HITRUST / NIST, vulnerability disclosure (security.txt), penetration testing windows, vendor risk reviews.

24/7 Security Operations Center

soc@conceptualhealth.com · +1 (555) 010-SOC0

Active incidents, suspected breach reports, government emergency-access requests under 45 CFR 164.512.