Compliance & Security
HIPAA-compliant, FDA-aligned, clinically governed
FDA Non-Device Clinical Decision Support
ConceptualHealth.AI satisfies all four criteria under 21st Century Cures Act Section 3060(a) to qualify as non-device CDS software.
| # | Criterion | Our Implementation |
|---|---|---|
| 1 | Not intended to replace clinical judgment | Generates suggestions for provider review. No autonomous decisions. |
| 2 | Intended for clinicians to independently review | Outputs are suggestions in EHR. Must be accepted, modified, or rejected by the clinician. |
| 3 | Provides supporting info enabling independent review | Shows contributing data points, axis scores, and reasoning_chain for full transparency. |
| 4 | Does not require reliance on the software | Any licensed clinician can interpret results with existing clinical knowledge. |
Note: The External API (Tiers 2–9) operates exclusively on de-identified aggregate data, placing it further from FDA device jurisdiction.
HIPAA Architecture
No PHI in Training
DataVault applies HIPAA Safe Harbor de-identification: all 18 identifiers are removed, and an AI NLP pass scrubs free text.
No PHI in Inference
Clinic-local inference uses the patient's own data on-premise. The External API uses de-identified aggregate data only.
No PHI in Transit
SecureMesh (ChaCha20-Poly1305) for clinic-to-clinic. All API traffic over TLS 1.3.
No Cloud Storage
All data resides on self-sovereign Mac Studios. Zero PHI leaves the clinic network.
Audit Trail
Every API query is logged with the following fields:
- Requester identity (DataVault account ID)
- Query parameters (no response content stored)
- Timestamp (UTC, millisecond precision)
- HCC cost deducted
Logs are retained for 7 years per HIPAA requirements and are HMAC-SHA256 chain-signed, so that altering or removing an entry breaks the chain and is detected.
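As an added illustration of the chain-signing described above (example code, not ConceptualHealth.AI's own implementation), the following builds audit records from the four listed fields, MACs each record together with the previous record's MAC, and shows that editing or deleting a record breaks verification. The key, account IDs, endpoints and timestamps are constructed placeholders.

```python
import hmac
import hashlib
import json

# Constructed sample key. A real deployment keeps the key in an HSM/KMS,
# never alongside the log it protects.
AUDIT_KEY = b"constructed-example-key-not-for-production"
GENESIS_MAC = "0" * 64  # chain anchor for the first record

def entry_mac(key: bytes, prev_mac: str, entry: dict) -> str:
    # Canonical JSON so field order cannot change the MAC.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_mac.encode() + b"\n" + payload, hashlib.sha256).hexdigest()

def append_entry(log: list, key: bytes, requester: str, params: dict,
                 timestamp: str, hcc_cost: int) -> dict:
    """Append one record holding the four fields (requester, query params,
    UTC timestamp, HCC cost), MAC'd together with the previous record's MAC."""
    entry = {"requester": requester, "params": params,
             "timestamp": timestamp, "hcc_cost": hcc_cost}
    prev = log[-1]["mac"] if log else GENESIS_MAC
    record = {"entry": entry, "mac": entry_mac(key, prev, entry)}
    log.append(record)
    return record

def verify_chain(log: list, key: bytes):
    """Return (True, None) if every MAC and chain link checks out, else
    (False, index) of the first bad record. Caveat: trimming records from the
    tail is not detected by the chain alone; the latest MAC must be anchored
    outside the log (for example, copied periodically to a separate store)."""
    prev = GENESIS_MAC
    for i, record in enumerate(log):
        expected = entry_mac(key, prev, record["entry"])
        if not hmac.compare_digest(expected, record["mac"]):
            return False, i
        prev = record["mac"]
    return True, None

def build_sample_log() -> list:
    # Constructed entries; account IDs and endpoints are placeholders.
    log = []
    append_entry(log, AUDIT_KEY, "dv-acct-0001", {"endpoint": "/v1/aggregate", "tier": 2},
                 "2025-01-01T00:00:00.000Z", 5)
    append_entry(log, AUDIT_KEY, "dv-acct-0002", {"endpoint": "/v1/aggregate", "tier": 3},
                 "2025-01-01T00:00:01.250Z", 8)
    append_entry(log, AUDIT_KEY, "dv-acct-0001", {"endpoint": "/v1/cohort", "tier": 2},
                 "2025-01-01T00:00:02.500Z", 5)
    return log
```

Calling `verify_chain(build_sample_log(), AUDIT_KEY)` returns `(True, None)`; changing any field of the second record, or deleting it, makes verification fail at index 1.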
Access Control
Identity Verification
DataVault account with institutional verification required for all API access.
Rate Limiting
Per-account and per-endpoint rate limits prevent abuse and ensure fair access.
Anomaly Detection
Automated monitoring flags unusual query patterns, volume spikes, and access anomalies.
Auto-Suspend
Accounts exhibiting suspicious patterns are automatically suspended pending review.
Security Specifications
| Control | Specification |
|---|---|
| Encryption at Rest | AES-256-GCM |
| Audit Chain | HMAC-SHA256 |
| Transport Security | TLS 1.3 |
| Network Mesh | WireGuard VPN (SecureMesh) |
Certifications
| Certification | Status |
|---|---|
| HIPAA | Compliant |
| Section 508 | Compliant |
| SOC 2 Type II | Planned |
| HITRUST | Planned |
Questions about compliance?
Our team is ready to discuss how ConceptualHealth.AI meets your organization's security and regulatory requirements.
Contact Us