
Trust · Attestations

Compliant today. Audited soon.

This page is the live registry of every control program that governs Conceptual Health — the standard, the scope, who owns it inside the company, where it stands today, and what document a regulator or enterprise procurement team can pull. We are a young company. We follow the rules now. The third-party audit reports that prove it are scheduled for Phase 2.

Phase 1 · Honesty

We are too new to have third-party audit reports yet. Conceptual Healthcare Corporation is in pre-launch. The control programs in the registry below (HIPAA, HITRUST, SOC 2, FIPS, PCI, WCAG, FDA Part 11, DEA EPCS) are implemented, self-attested, and followed in production; FedRAMP sits on the roadmap further down this page and has not started. The independent firms who issue the signed letters have not engaged yet, because those engagements run on annual cycles that begin once a company has live customers and a public test surface.

Phase 2 begins when the first paying clinic countersigns its MSA. At that moment we open the first audit cycle for SOC 2 Type II, the first HITRUST r2 engagement, the first independent penetration test, and the first WCAG accessibility audit — in parallel. We will list each firm name on this page only after the engagement letter is countersigned, and we will publish each signed report (or its public summary) the same day it is issued. "Integrity in all we do."

10 self-attested today · 0 third-party signed · 11 Phase 2 pending · Day 1: first audit cycle opens

Standards we follow

The control programs.

For each program: we describe the standard, name the internal owner, and state the current status truthfully. Self-attested means we follow the program but have not yet engaged a third-party auditor. Pending means the first engagement / filing has not yet started. Active means a verifiable third-party result or public registration exists.

Columns: Standard · Scope · Issuer / Audit firm · Owner · Status · Document

SOC 2 Type II (AICPA SSAE 18)
Scope: Security · Availability · Confidentiality · Privacy · Processing Integrity. All production surfaces. Trust Services Criteria 2017 (revised).
Issuer / Audit firm: Independent CPA firm, not yet engaged
Owner: CISO
Status: Pending
Document: First cycle: Phase 2 launch + 90 days

HITRUST CSF r2 (CSF v11 · 156 controls)
Scope: Clinical, DataVault, Pharmacy, Patient Portal, Chain audit lane; full r2 certification across 14 categories. Controls implemented; assessor engagement pending.
Issuer / Audit firm: HITRUST-authorized External Assessor, not yet engaged
Owner: CISO
Status: Pending
Document: Target: Phase 2 + 6 months

FIPS 140-3 Cryptographic Modules (NIST CMVP)
Scope: Cryptographic primitives are called through a vendor module that holds a CMVP certificate: AES-256-GCM (data at rest and in transit), TLS 1.3, Ed25519 (signatures), X25519 (key agreement), SHA-256 / SHA-3-256. Two caveats: ChaCha20-Poly1305 (CH VPN) is not an approved algorithm under FIPS 140-3, so that traffic runs outside the validated boundary and cannot be claimed under it; Ed25519 and X25519 count as validated only where the module's certificate lists them as approved services.
Issuer / Audit firm: NIST CMVP; the certificate belongs to the module vendor, not to Conceptual Health
Owner: Security Engineering
Status: Self-attested
Document: Vendor module validated; FIPS 140-3 validates a module, not a product, so a product-level certificate would require submitting our own module boundary to CMVP. Until then the vendor certificate number and evidence that FIPS-approved mode is enabled in every deployment are the artifacts we can offer.

Annual Penetration Test (Independent firm)
Scope: Network, application, AI prompt injection, BAA-as-code attestation flow, edge-node signature verification. White-box and black-box. Findings closed within the published SLA.
Issuer / Audit firm: Independent CREST/QSA-aligned firm, not yet engaged
Owner: CISO
Status: Pending
Document: First test: Phase 2 launch

HIPAA Privacy + Security + Breach (45 CFR 160 / 164)
Scope: Covered entity (clinical surfaces) and Business Associate (DataVault, AI inference, audit chain). Privacy Rule, Security Rule (administrative, physical and technical safeguards), Breach Notification Rule.
Issuer / Audit firm: Self-attested; independent assessment scheduled with Phase 2. HHS does not certify HIPAA compliance, so an independent assessment is the strongest artifact available.
Owner: Privacy Officer
Status: Self-attested
Document: Continuous · written program

21 CFR Part 11 Validation (FDA)
Scope: Electronic records and electronic signatures for clinical research data. Validated computer systems, signed audit trails, identity binding, time-stamping. Applies to any data-marketplace cohort that backs a clinical study.
Issuer / Audit firm: Self-attested; third-party validation scheduled with Phase 2
Owner: Clinical IT QA
Status: Self-attested
Document: Per release · validation pending

DEA EPCS Audit (21 CFR 1311 · DEA)
Scope: Electronic Prescriptions for Controlled Substances: identity proofing of prescribers, two-factor authentication to sign (at least one factor a hard token or biometric), tamper-evident audit logs. Required before any Schedule II–V e-prescribing goes live.
Issuer / Audit firm: DEA-approved EPCS auditor, not yet engaged; the rule requires a third-party audit or certification of the application before it is used
Owner: Pharmacy Compliance
Status: Pending
Document: First audit before EPCS go-live

FinCEN MSB Registration (31 CFR 1010)
Scope: Money Services Business registration. KYC / AML program, OFAC screening, SAR / CTR filing, written compliance program. Required before hc.exchange goes live with public spot trading.
Issuer / Audit firm: FinCEN (U.S. Treasury)
Owner: BSA Officer
Status: Pending
Document: Filing in preparation; the public MSB registry will list us once accepted

State Money Transmitter Licenses (State financial regulators)
Scope: hc.exchange will hold an MTL or qualify for an exemption in every operating state. HCR and HCC are commodity-class digital assets (CFTC-aligned, not SEC-registered); many states therefore treat the spot venue under commodity rules, but MTL coverage is the conservative path.
Issuer / Audit firm: State financial regulators (NMLS lookup once issued)
Owner: CFO + State Counsel
Status: Pending
Document: No states issued yet · NMLS lookup will list us once issued

PCI DSS v4.0 SAQ-D (PCI SSC)
Scope: Patient and clinic card payments via a PCI-validated processor. SAQ-D scoped. We do not store PAN, and CVV is never persisted. The annual QSA cycle opens once we have a card-present clinic in production.
Issuer / Audit firm: QSA firm, not yet engaged
Owner: Treasury Ops
Status: Pending
Document: QSA engagement opens with first card-present clinic

WCAG 2.2 AA Conformance (W3C · Section 508)
Scope: Patient-facing surfaces built to WCAG 2.2 AA: skip link, prefers-reduced-motion, 44×44 touch targets, semantic landmarks, visible focus, AAA contrast ratio where feasible. A VPAT 2.4 will be published per major release once an external accessibility firm has engaged.
Issuer / Audit firm: Independent accessibility firm, not yet engaged
Owner: Design Systems
Status: Self-attested
Document: Internal AAA where feasible · external audit pending

Owner roles are real, named on a controlled internal directory. Status reflects what we can prove publicly today — not what we hope to prove later. When a row flips from Self-attested or Pending to Active, the document link goes live the same day, alongside a governance-log entry on chain.conceptualhealth.com.

In progress

On the roadmap, in writing.

Programs we are building toward but have not yet started. We publish the target so we are on the hook for it. None of these are currently in audit.

FedRAMP Moderate

Federal cloud authorization. Required for federal-agency deployments of the clinical and data-vault surfaces. 3PAO assessment, Authority To Operate (ATO).

Target: Phase 2 + 18 months

ISO 27001 + 27701

Information security and privacy information management. Aligns to enterprise procurement requirements outside the U.S.

Target: Phase 2 + 12 months

FDA SaMD Pre-cert

AI Scribe and Master Equation diagnostic-support modules. Algorithmic transparency, model-card publishing, bias auditing.

Target: rolling, after Phase 2

NCQA HEDIS Certification

Quality measurement reporting for population-health analytics in clinical and corp surfaces.

Target: Phase 2 + 12 months

HITRUST AI Assurance

AI-specific control framework. Aligns to FDA SaMD and NIST AI RMF.

Target: alongside HITRUST r2 cycle

SOC 3 (public summary)

Public-facing summary of the SOC 2 result, suitable for posting unredacted. No NDA required.

Target: with first SOC 2 cycle

How we will publish each result.

  • Engagement letter. The day the firm countersigns, we post its name, the scope, and the dated engagement letter (redacted of fee terms only).
  • Audit fieldwork. A status entry on this page links to the auditor's evidence-collection schedule.
  • Signed report. The day the report is delivered, the document link goes live. SOC 3 and other public-summary versions are posted unredacted; SOC 2 Type II and HITRUST detail reports remain NDA-gated through the regulator portal.
  • Governance log. The same event posts to the chain.conceptualhealth.com governance log as an on-chain attestation event carrying the SHA-256 hash of the report. The hash is computed over the exact bytes of the file we serve for download, so anyone can recompute it with sha256sum and compare; a re-exported copy of the same PDF has different bytes and will not match.
  • No firm name on this page until its engagement letter is countersigned. The same rule we apply to coin.health and coin.healthcare attestations applies here.
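As an added illustration of the governance-log step above (example code, not Conceptual Health's own; the entry field names, the serialisation used for the on-chain post, and the sample report bytes are all assumptions made for this example), the following Python builds an attestation entry from the exact bytes of a published report, serialises it deterministically so the entry itself can be rehashed, and performs the check a regulator or customer would run against the downloaded file:

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class AttestationEvent:
    """One governance-log entry. The field names are an assumption made for
    this example; the page does not publish the real on-chain schema."""
    program: str    # e.g. "SOC 2 Type II"
    artifact: str   # e.g. "SOC 3 public summary"
    issued: str     # ISO date the report was delivered
    sha256: str     # hex digest of the exact published bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def attest(program: str, artifact: str, issued: str, report_bytes: bytes) -> AttestationEvent:
    """Build the entry from the bytes that will actually be served for download.
    A re-exported or 'optimised' copy of the same PDF has different bytes and
    would never match, so the hash must be taken over the delivered file."""
    return AttestationEvent(program, artifact, issued, sha256_hex(report_bytes))


def canonical_json(event: AttestationEvent) -> str:
    """Deterministic serialisation (sorted keys, no whitespace) so the posted
    entry can be rehashed byte-for-byte by anyone reading the log."""
    return json.dumps(asdict(event), sort_keys=True, separators=(",", ":"))


def event_id(event: AttestationEvent) -> str:
    """Identifier of the log entry itself: SHA-256 of its canonical form."""
    return sha256_hex(canonical_json(event).encode("utf-8"))


def parse_event(text: str) -> AttestationEvent:
    """Reverse of canonical_json, for a reader pulling the entry from the log."""
    return AttestationEvent(**json.loads(text))


def verify(event: AttestationEvent, downloaded: bytes) -> bool:
    """What a regulator or customer runs: recompute the digest over the
    downloaded bytes and compare it to the logged one in constant time."""
    return hmac.compare_digest(event.sha256, sha256_hex(downloaded))


# Constructed sample report for the example; not a real document.
REPORT = b"%PDF-1.7\n% constructed SOC 3 public summary for the example\n%%EOF\n"
EVENT = attest("SOC 2 Type II", "SOC 3 public summary", "2026-01-01", REPORT)


def demo():
    """Returns (genuine copy verifies, altered copy verifies)."""
    tampered = REPORT.replace(b"public summary", b"public sumary")
    return verify(EVENT, REPORT), verify(EVENT, tampered)


if __name__ == "__main__":
    print(canonical_json(EVENT))
    print("event id:", event_id(EVENT))
    print("verify (genuine, altered):", demo())
```

The point of `canonical_json` is that the log entry is only useful if a third party can reproduce its hash; pretty-printed or key-reordered JSON would produce a different `event_id` for the same facts. `hmac.compare_digest` is used out of habit rather than necessity here, since both digests are public.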

Want a document we don't list?

Regulators and audit firms can request gated documents through the regulator portal. Enterprise customers under MSA can pull through their account team. If a document does not exist yet, we will tell you so directly.