HealthCloud is built for regulated healthcare environments. Every framework below applies directly to AI-powered clinical applications built on our platform.
SaMD
The FDA regulates AI/ML systems that are intended to diagnose, treat, prevent, or mitigate a disease or condition as Software as a Medical Device (SaMD). The key determination is whether the software output drives clinical decision-making.
Device classification under 21 CFR Part 892 or relevant classification regulation
Software Description Document (SDD) describing system architecture and intended use
Algorithm Change Protocol (ACP) for continuous learning systems (Pre-Specs/iSAP)
Clinical validation study with representative patient population
Post-market surveillance plan and performance monitoring
Cybersecurity documentation per FDA 2023 Cybersecurity Guidance
HIPAA
HIPAA requires covered entities and business associates to protect the privacy, security, and availability of PHI. The Security Rule mandates administrative, physical, and technical safeguards for electronic PHI (ePHI).
PHI encrypted at rest using AES-256 across all storage systems
PHI encrypted in transit using TLS 1.3 minimum on all API connections
Multi-factor authentication required for all PHI-touching user accounts
HIPAA audit logs maintained with 180-day minimum retention (HealthCloud: 7 years)
Business Associate Agreements (BAA) in place with all PHI-processing vendors
Breach notification procedures documented and tested annually
Minimum necessary access principle enforced via RBAC on all data access
Annual HIPAA Security Risk Assessment completed and documented
All 8 controls verified as of March 2026 in HealthCloud production environment.
SOC 2
SOC 2 Type II is an audited attestation covering the AICPA Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. HealthCloud maintains an annual Type II audit covering all five criteria.
CC6: Logical and Physical Access Controls — user provisioning, MFA, least privilege
CC7: System Operations — monitoring, incident response, change management
CC8: Change Management — SDLC controls, code review, deployment gates
A1: Availability — 99.9% uptime SLA, disaster recovery, capacity planning
PI1: Processing Integrity — data completeness, accuracy validation, error handling
Report available under NDA to qualified enterprise customers. Contact enterprise@healthcloud.ai.
ISO 27001
ISO 27001 is the international standard for Information Security Management Systems (ISMS). HealthCloud aligns its security controls to the ISO 27001:2022 Annex A framework, providing international customers with a recognized security baseline beyond US-specific frameworks.
A.5 Organizational controls — security policies, roles, threat intelligence
A.8 Technological controls — endpoint security, network segmentation, vulnerability management
A.12 Operations security — logging, monitoring, operational procedures
A.14 Supplier relationships — third-party risk, supply chain security
A.18 Compliance — legal, regulatory, and contractual requirements mapping
TEFCA / QHIN
TEFCA establishes a universal governance framework for nationwide health information exchange under ONC oversight. Qualified Health Information Networks (QHINs) are the certified on-ramps. HealthCloud has achieved QHIN designation, enabling developers to access the national network through a single API.
QHIN designation under ONC-approved TEFCA governance framework
FHIR R4 queries supported: Individual Access Services, Treatment, Payment, Operations, Public Health
Patient matching via TEFCA-compliant identity resolution (no demographic data exposure)
Trust bundle adherence for cross-QHIN query routing
Mandatory participation for payers by January 2027 (CMS Final Rule)
HealthCloud's QHIN connection enables developers to access 90%+ of US patient records without separate network agreements.
Enterprise customers receive a full documentation package on request.
FDA SaMD Documentation Template (5.6 MB PDF)
HIPAA Security Risk Assessment (2.4 MB PDF)
SOC 2 Type II Audit Report (8.1 MB PDF)
ISO 27001 Alignment Summary (1.8 MB PDF)
TEFCA Participation Guide (1.2 MB PDF)
Our compliance team has supported 75+ health system deployments across HIPAA, FDA, SOC 2, and TEFCA. We can help you understand what applies to your use case.