{ "file_id": "04_vertical_healthcare_life_sciences", "version": "2026.03.16", "schema_version": "2.2", "status": "Production Authority", "last_authoritative_sync": "2026-03-16", "description": "Comprehensive enumeration library for the Healthcare and Life Sciences vertical. Covers every subdomain where agentic AI is actively deployed as of March 2026: clinical operations and FHIR interoperability, prior authorisation under CMS-0057-F, clinical decision support, medical device AI regulation (FDA SaMD/PCCP), PHI data governance under HIPAA, revenue cycle and claims, patient engagement, pharmacy and medication, and life sciences research and development. Designed for use as OTel span attributes in an agentic AI SDK and as policy vocabulary in an OPA Rego GRC portal.", "vertical_metadata": { "vertical_key": "healthcare_life_sciences", "industry": "Healthcare & Life Sciences", "primary_standards": [ "HL7 FHIR v6.0 (R6 ballot) — Fast Healthcare Interoperability Resources", "HL7 FHIR R4.0.1 — CMS-mandated API baseline (45 CFR 170.215(a)(1))", "HL7 Da Vinci Project — CRD, DTR, PAS Implementation Guides (ePA workflow)", "CMS Interoperability and Prior Authorization Final Rule CMS-0057-F (Jan 2024): metrics Jan 2026, APIs Jan 2027", "ONC 21st Century Cures Rule / HTI-1 Final Rule (Jan 2024) — USCDI v3, SMART on FHIR", "FDA AI/ML SaMD Action Plan — PCCP Final Guidance (December 2024)", "FDA Draft Guidance: AI-Enabled Device Software Functions Lifecycle (January 7, 2025)", "HIPAA Privacy Rule 45 CFR Part 164 Subpart E", "HIPAA Security Rule 45 CFR Part 164 Subpart C — HHS OCR Proposed Update (January 2025)", "HITECH Act — Breach Notification 45 CFR Part 164 Subpart D", "21 CFR Part 11 — Electronic Records and Electronic Signatures", "HITRUST CSF v11 — Healthcare-specific security framework", "ICH E6 R3 Good Clinical Practice — Clinical trial governance", "FDA 21 CFR Part 312 — IND regulations for drug and biologic trials", "CMS Conditions of Participation — Hospital and SNF requirements", "CMS Stars Rating / HEDIS — Quality measure frameworks" ], "primary_source_urls": [ "https://build.fhir.org/", "https://www.cms.gov/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f", "https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-software-medical-device", "https://www.hhs.gov/hipaa/for-professionals/security/index.html", "https://hl7.org/fhir/us/davinci-pas/", "https://www.healthit.gov/topic/oncs-cures-act-final-rule" ], "otel_namespace": "healthcare", "opa_namespace": "data.healthcare", "agentic_ai_deployment_context": "As of March 2026, agentic AI in healthcare is deployed across: ambient clinical documentation (AI scribes replacing manual note-taking), autonomous prior authorisation workflows under CMS-0057-F (72h expedited / 7-day standard deadlines in force Jan 2026), AI-powered diagnostics (radiology triage, pathology, ECG interpretation), revenue cycle automation (claims scrubbing, denial management), patient engagement agents (appointment scheduling, chronic disease monitoring), medication management (dose optimisation, interaction checking, prior auth for specialty pharmacy), clinical trial matching and protocol deviation detection, and PHI de-identification for research. HIPAA BAA requirements apply to all agentic AI vendors handling PHI. The HHS OCR proposed January 2025 HIPAA Security Rule update removes required/addressable distinctions and adds mandatory encryption and continuous monitoring — directly affecting agentic AI deployments.", "key_regulatory_risk_note": "CMS-0057-F requires payers to report prior authorisation metrics publicly by March 31, 2026 and implement all five FHIR APIs by January 1, 2027. The proposed HIPAA Security Rule update (January 2025) shortens breach notification timelines and mandates continuous monitoring — agentic AI systems handling ePHI must be included in risk analysis. Over 1,000 FDA-cleared AI/ML-enabled medical devices exist as of end-2024; the December 2024 PCCP final guidance and January 2025 draft guidance govern their lifecycle management." }, "subdomains": [ { "subdomain": "Clinical Operations & FHIR Interoperability", "description": "Covers the core FHIR resource status enumerations that agentic clinical AI systems must use when reading from or writing to EHR systems. These are the exact HL7 FHIR R6 code values — using descriptive strings instead of these codes will break FHIR validation and interoperability.", "fhir_resources": [ "Patient", "Condition", "Observation", "Appointment", "Encounter", "Procedure", "DiagnosticReport", "MedicationRequest" ], "categories": [ { "enum_name": "ClinicalConditionStatus", "label": "Clinical Condition Status", "otel_attribute": "healthcare.condition.clinical_status", "opa_policy_path": "data.healthcare.condition.clinical_status", "rego_input_key": "healthcare_condition_clinical_status", "stability": "stable", "description": "HL7 FHIR R6 condition-clinical ValueSet codes. Used in the Condition resource .clinicalStatus element. These exact hyphenated-lowercase codes must be used for FHIR API compliance.", "permitted_values": [ "active", "recurrence", "relapse", "inactive", "remission", "resolved", "unknown" ], "value_labels": { "active": "Active", "recurrence": "Recurrence", "relapse": "Relapse", "inactive": "Inactive", "remission": "Remission", "resolved": "Resolved", "unknown": "Unknown" }, "source": "HL7 FHIR R6 condition-clinical ValueSet", "source_url": "https://build.fhir.org/ig/HL7/UTG/en/ValueSet-condition-clinical.html" }, { "enum_name": "DiagnosticObservationStatus", "label": "Diagnostic Observation Status", "otel_attribute": "healthcare.observation.status", "opa_policy_path": "data.healthcare.observation.status", "rego_input_key": "healthcare_observation_status", "stability": "stable", "description": "HL7 FHIR R6 ObservationStatus codes. The exact code values required in Observation.status. Agentic diagnostic agents writing to FHIR must use these codes precisely.", "permitted_values": [ "registered", "preliminary", "final", "amended", "corrected", "cancelled", "entered-in-error", "unknown" ], "value_labels": { "registered": "Registered", "preliminary": "Preliminary", "final": "Final", "amended": "Amended", "corrected": "Corrected", "cancelled": "Cancelled", "entered-in-error": "Entered-in-error", "unknown": "Unknown" }, "code_definitions": { "registered": "The existence of the observation is registered, but there is no result yet available", "preliminary": "This is an initial or interim observation: data may be incomplete or unverified", "final": "The observation is complete and there are no further actions needed", "amended": "Subsequent to being Final, the observation has been modified", "corrected": "Subsequent to being Final, the observation has been modified to correct an error in the test result", "cancelled": "The observation is unavailable because the measurement was not started or not completed", "entered-in-error": "The observation has been withdrawn following previous final release", "unknown": "The authoring/source system does not know which of the status values currently applies" }, "source": "HL7 FHIR R6 ObservationStatus ValueSet", "source_url": "https://build.fhir.org/valueset-observation-status.html" }, { "enum_name": "CareAppointmentStatus", "label": "Care Appointment Status", "otel_attribute": "healthcare.appointment.status", "opa_policy_path": "data.healthcare.appointment.status", "rego_input_key": "healthcare_appointment_status", "stability": "stable", "description": "HL7 FHIR R6 AppointmentStatus codes used in Appointment.status. Agentic scheduling agents must use these exact values to maintain FHIR conformance.", "permitted_values": [ "proposed", "pending", "booked", "arrived", "fulfilled", "cancelled", "noshow", "entered-in-error", "checked-in", "waitlist" ], "value_labels": { "proposed": "Proposed", "pending": "Pending", "booked": "Booked", "arrived": "Arrived", "fulfilled": "Fulfilled", "cancelled": "Cancelled", "noshow": "Noshow", "entered-in-error": "Entered-in-error", "checked-in": "Checked-in", "waitlist": "Waitlist" }, "source": "HL7 FHIR R6 AppointmentStatus ValueSet", "source_url": "https://build.fhir.org/valueset-appointmentstatus.html" }, { "enum_name": "EncounterStatus", "label": "Encounter Status", "otel_attribute": "healthcare.encounter.status", "opa_policy_path": "data.healthcare.encounter.status", "rego_input_key": "healthcare_encounter_status", "stability": "stable", "description": "HL7 FHIR R6 EncounterStatus codes used in Encounter.status. Critical for care coordination and billing agents.", "permitted_values": [ "planned", "in-progress", "on-hold", "discharged", "completed", "cancelled", "discontinued", "entered-in-error", "unknown" ], "value_labels": { "planned": "Planned", "in-progress": "In-progress", "on-hold": "On-hold", "discharged": "Discharged", "completed": "Completed", "cancelled": "Cancelled", "discontinued": "Discontinued", "entered-in-error": "Entered-in-error", "unknown": "Unknown" }, "source": "HL7 FHIR R6 EncounterStatus ValueSet", "source_url": "https://build.fhir.org/valueset-encounter-status.html" }, { "enum_name": "ProcedureStatus", "label": "Procedure Status", "otel_attribute": "healthcare.procedure.status", "opa_policy_path": "data.healthcare.procedure.status", "rego_input_key": "healthcare_procedure_status", "stability": "stable", "description": "HL7 FHIR R6 EventStatus codes used in Procedure.status.", "permitted_values": [ "preparation", "in-progress", "not-done", "on-hold", "stopped", "completed", "entered-in-error", "unknown" ], "value_labels": { "preparation": "Preparation", "in-progress": "In-progress", "not-done": "Not-done", "on-hold": "On-hold", "stopped": "Stopped", "completed": "Completed", "entered-in-error": "Entered-in-error", "unknown": "Unknown" }, "source": "HL7 FHIR R6 EventStatus ValueSet (Procedure)", "source_url": "https://build.fhir.org/valueset-event-status.html" }, { "enum_name": "ProcedureProgressState", "label": "Procedure Progress State", "otel_attribute": "healthcare.procedure.progress_state", "opa_policy_path": "data.healthcare.procedure.progress_state", "rego_input_key": "healthcare_procedure_progress_state", "stability": "stable", "description": "HL7 FHIR ProcedureProgressStatusCodes — granular operative and peri-procedural states. Used in Procedure.statusReason for active procedures.", "permitted_values": [ "in-operating-room", "prepared", "anesthesia-induced", "open-incision", "closed-incision", "in-recovery-room" ], "value_labels": { "in-operating-room": "In-operating-room", "prepared": "Prepared", "anesthesia-induced": "Anesthesia-induced", "open-incision": "Open-incision", "closed-incision": "Closed-incision", "in-recovery-room": "In-recovery-room" }, "source": "HL7 FHIR ProcedureProgressStatusCodes ValueSet", "source_url": "https://build.fhir.org/ig/HL7/fhir-extensions/ValueSet-procedure-progress-status-codes.html" }, { "enum_name": "MedicationRequestStatus", "label": "Medication Request Status", "otel_attribute": "healthcare.medication_request.status", "opa_policy_path": "data.healthcare.medication_request.status", "rego_input_key": "healthcare_medication_request_status", "stability": "stable", "description": "HL7 FHIR R6 MedicationrequestStatus codes used in MedicationRequest.status. AI medication management agents must use these codes precisely.", "permitted_values": [ "active", "on-hold", "ended", "stopped", "completed", "cancelled", "entered-in-error", "draft", "unknown" ], "value_labels": { "active": "Active", "on-hold": "On-hold", "ended": "Ended", "stopped": "Stopped", "completed": "Completed", "cancelled": "Cancelled", "entered-in-error": "Entered-in-error", "draft": "Draft", "unknown": "Unknown" }, "source": "HL7 FHIR R6 MedicationrequestStatus ValueSet", "source_url": "https://build.fhir.org/valueset-medicationrequest-status.html" }, { "enum_name": "DiagnosticReportStatus", "label": "Diagnostic Report Status", "otel_attribute": "healthcare.diagnostic_report.status", "opa_policy_path": "data.healthcare.diagnostic_report.status", "rego_input_key": "healthcare_diagnostic_report_status", "stability": "stable", "description": "HL7 FHIR R6 DiagnosticReportStatus codes. AI diagnostic agents (radiology AI, pathology AI) must write results using these exact status codes.", "permitted_values": [ "registered", "partial", "preliminary", "modified", "final", "amended", "corrected", "appended", "cancelled", "entered-in-error", "unknown" ], "value_labels": { "registered": "Registered", "partial": "Partial", "preliminary": "Preliminary", "modified": "Modified", "final": "Final", "amended": "Amended", "corrected": "Corrected", "appended": "Appended", "cancelled": "Cancelled", "entered-in-error": "Entered-in-error", "unknown": "Unknown" }, "source": "HL7 FHIR R6 DiagnosticReportStatus ValueSet", "source_url": "https://build.fhir.org/valueset-diagnostic-report-status.html" }, { "enum_name": "AdverseEventSeverity", "label": "Adverse Event Severity", "otel_attribute": "healthcare.adverse_event.severity", "opa_policy_path": "data.healthcare.adverse_event.severity", "rego_input_key": "healthcare_adverse_event_severity", "stability": "stable", "description": "HL7 FHIR AdverseEventSeverity codes and FDA 21 CFR Part 803 adverse event severity categories. Used by patient safety AI agents for adverse event detection and reporting.", "permitted_values": [ "mild", "moderate", "severe", "life-threatening", "fatal" ], "value_labels": { "mild": "Mild", "moderate": "Moderate", "severe": "Severe", "life-threatening": "Life-threatening", "fatal": "Fatal" }, "regulatory_mappings": { "fda_21_cfr_803": "FDA 21 CFR Part 803 — Medical device adverse event reporting: device-related serious injury or death", "fda_21_cfr_312_32": "FDA 21 CFR 312.32 — IND safety reporting: unexpected serious adverse reactions", "hl7_fhir": "HL7 FHIR R6 AdverseEventSeverity ValueSet" }, "source": "HL7 FHIR R6 AdverseEventSeverity ValueSet; FDA 21 CFR Part 803" } ] }, { "subdomain": "Prior Authorisation & Utilisation Management", "description": "The highest-priority agentic AI subdomain in US healthcare as of March 2026. CMS-0057-F requires payers to meet 72-hour expedited and 7-day standard PA response deadlines beginning January 1, 2026, and to implement the Prior Authorization FHIR API by January 1, 2027. The HL7 Da Vinci CRD/DTR/PAS Implementation Guides define the ePA workflow standard.", "fhir_resources": [ "Claim", "ClaimResponse", "CoverageEligibilityRequest", "CoverageEligibilityResponse" ], "da_vinci_igs": [ "CRD — Coverage Requirements Discovery", "DTR — Documentation Templates and Rules", "PAS — Prior Authorization Support" ], "categories": [ { "enum_name": "PriorAuthorizationStatus", "label": "Prior Authorization Status", "otel_attribute": "healthcare.prior_auth.status", "opa_policy_path": "data.healthcare.prior_auth.status", "rego_input_key": "healthcare_prior_auth_status", "stability": "stable", "description": "Status of a prior authorisation request under CMS-0057-F. Agentic PA systems must track and surface these status values through the CMS-mandated Prior Authorization API.", "permitted_values": [ "received_pending_review", "information_requested_incomplete", "pended_for_clinical_review", "peer_to_peer_review_requested", "approved", "approved_with_modifications", "denied_not_medically_necessary", "denied_experimental_investigational", "denied_benefit_not_covered", "denied_step_therapy_required", "denied_not_prior_authorized", "partial_approval", "cancelled_by_provider", "expired", "appeal_pending", "appeal_approved", "appeal_denied", "external_independent_review_requested", "external_independent_review_complete" ], "value_labels": { "received_pending_review": "Received Pending Review", "information_requested_incomplete": "Information Requested Incomplete", "pended_for_clinical_review": "Pended for Clinical Review", "peer_to_peer_review_requested": "Peer to Peer Review Requested", "approved": "Approved", "approved_with_modifications": "Approved with Modifications", "denied_not_medically_necessary": "Denied not Medically Necessary", "denied_experimental_investigational": "Denied Experimental Investigational", "denied_benefit_not_covered": "Denied Benefit not Covered", "denied_step_therapy_required": "Denied Step Therapy Required", "denied_not_prior_authorized": "Denied not Prior Authorized", "partial_approval": "Partial Approval", "cancelled_by_provider": "Cancelled by Provider", "expired": "Expired", "appeal_pending": "Appeal Pending", "appeal_approved": "Appeal Approved", "appeal_denied": "Appeal Denied", "external_independent_review_requested": "External Independent Review Requested", "external_independent_review_complete": "External Independent Review Complete" }, "regulatory_mappings": { "cms_0057_f": "CMS-0057-F: 72h expedited PA decision; 7-day standard PA decision; metrics reporting Jan 1 2026; PA API Jan 1 2027", "aca_sec_2719": "ACA §2719 — Internal and external appeal processes for adverse benefit determinations", "erisa": "ERISA §503 — Claims procedure and appeal rights for employer-sponsored plans", "cms_ma_cy2024": "CY 2024 MA Final Rule — continuity of care and mid-year PA coverage requirements" }, "use_case": "OPA rule: SLA gate — deny claim for autonomous PA determination when elapsed_hours > 72 (expedited) or elapsed_days > 7 (standard) and status is not in terminal states {approved, denied_*, cancelled_by_provider}. Escalate to human reviewer.", "source": "CMS-0057-F; HL7 Da Vinci PAS IG; ACA Section 2719", "source_url": "https://www.cms.gov/cms-interoperability-and-prior-authorization-final-rule-cms-0057-f" }, { "enum_name": "PADenialReasonCode", "label": "Pa Denial Reason Code", "otel_attribute": "healthcare.prior_auth.denial_reason", "opa_policy_path": "data.healthcare.prior_auth.denial_reason", "rego_input_key": "healthcare_prior_auth_denial_reason", "stability": "stable", "description": "Standardised denial reason codes that CMS-0057-F requires payers to include in PA denial responses and surface through the Prior Authorization API. These must be machine-readable and structured in the FHIR ClaimResponse.", "permitted_values": [ "not_medically_necessary", "experimental_investigational_protocol", "benefit_not_covered_plan", "step_therapy_required", "service_requires_different_provider_type", "frequency_limit_exceeded", "quantity_limit_exceeded", "age_limit_not_met", "diagnosis_does_not_support_service", "documentation_insufficient", "prior_authorization_not_obtained_timely", "service_not_preauthorized", "duplicate_request", "provider_not_in_network", "administrative_error" ], "value_labels": { "not_medically_necessary": "Not Medically Necessary", "experimental_investigational_protocol": "Experimental Investigational Protocol", "benefit_not_covered_plan": "Benefit not Covered Plan", "step_therapy_required": "Step Therapy Required", "service_requires_different_provider_type": "Service Requires Different Provider Type", "frequency_limit_exceeded": "Frequency Limit Exceeded", "quantity_limit_exceeded": "Quantity Limit Exceeded", "age_limit_not_met": "Age Limit not Met", "diagnosis_does_not_support_service": "Diagnosis Does not Support Service", "documentation_insufficient": "Documentation Insufficient", "prior_authorization_not_obtained_timely": "Prior Authorization not Obtained Timely", "service_not_preauthorized": "Service not Preauthorized", "duplicate_request": "Duplicate Request", "provider_not_in_network": "Provider not in Network", "administrative_error": "Administrative Error" }, "regulatory_mappings": { "cms_0057_f": "CMS-0057-F requires specific denial reasons in PA API response and public metric reporting", "cms_ma_denial_reasons": "CMS Medicare Advantage audit requirements for PA denial documentation" }, "source": "CMS-0057-F Prior Authorization API requirements; CMS Medicare Advantage denial reason requirements" }, { "enum_name": "DaVinciWorkflowStep", "label": "Da Vinci Workflow Step", "otel_attribute": "healthcare.prior_auth.davinci_workflow_step", "opa_policy_path": "data.healthcare.prior_auth.davinci_workflow_step", "rego_input_key": "healthcare_prior_auth_davinci_workflow_step", "stability": "stable", "description": "Step in the HL7 Da Vinci electronic prior authorisation workflow. These values track the CRD, DTR, and PAS stages that an ePA orchestration agent moves through.", "permitted_values": [ "crd_coverage_requirement_check", "crd_card_returned_pa_required", "crd_card_returned_pa_not_required", "crd_card_returned_documentation_needed", "dtr_questionnaire_retrieved", "dtr_ehr_prefill_complete", "dtr_adaptive_form_launched", "dtr_documentation_complete", "pas_bundle_submitted", "pas_pended_awaiting_decision", "pas_real_time_decision_received", "pas_status_update_received", "pas_final_decision_received" ], "value_labels": { "crd_coverage_requirement_check": "CRD Coverage Requirement Check", "crd_card_returned_pa_required": "CRD Card Returned - PA Required", "crd_card_returned_pa_not_required": "CRD Card Returned - PA Not Required", "crd_card_returned_documentation_needed": "CRD Card Returned - Documentation Needed", "dtr_questionnaire_retrieved": "DTR Questionnaire Retrieved", "dtr_ehr_prefill_complete": "DTR EHR Prefill Complete", "dtr_adaptive_form_launched": "DTR Adaptive Form Launched", "dtr_documentation_complete": "DTR Documentation Complete", "pas_bundle_submitted": "PAS Bundle Submitted", "pas_pended_awaiting_decision": "PAS Pended Awaiting Decision", "pas_real_time_decision_received": "PAS Real-Time Decision Received", "pas_status_update_received": "PAS Status Update Received", "pas_final_decision_received": "PAS Final Decision Received" }, "source": "HL7 Da Vinci CRD, DTR, PAS Implementation Guides", "source_url": "https://hl7.org/fhir/us/davinci-pas/" }, { "enum_name": "CoverageEligibilityStatus", "label": "Coverage Eligibility Status", "otel_attribute": "healthcare.coverage.eligibility_status", "opa_policy_path": "data.healthcare.coverage.eligibility_status", "rego_input_key": "healthcare_coverage_eligibility_status", "stability": "stable", "description": "Coverage eligibility determination status from the FHIR CoverageEligibilityResponse resource. AI eligibility verification agents query payer APIs and tag results with these codes.", "permitted_values": [ "active", "cancelled", "draft", "entered-in-error" ], "value_labels": { "active": "Active", "cancelled": "Cancelled", "draft": "Draft", "entered-in-error": "Entered-in-error" }, "code_definitions": { "active": "The Coverage is currently in force", "cancelled": "The Coverage is no longer in force", "draft": "The Coverage was not issued", "entered-in-error": "The Coverage was entered in error" }, "source": "HL7 FHIR R6 CoverageEligibilityResponse.outcome; CoverageStatus ValueSet" } ] }, { "subdomain": "Clinical Decision Support & AI Diagnostics", "description": "Covers AI-driven clinical decision support systems (CDSS), autonomous diagnostic AI, and their regulatory classification. FDA cleared over 1,000 AI/ML-enabled medical devices by end-2024. The CDS Hooks standard governs EHR-integrated CDSS. The December 2024 PCCP Final Guidance governs post-market AI model changes.", "categories": [ { "enum_name": "ClinicalDecisionSupportCategory", "label": "Clinical Decision Support Category", "otel_attribute": "healthcare.cds.category", "opa_policy_path": "data.healthcare.cds.category", "rego_input_key": "healthcare_cds_category", "stability": "stable", "description": "Type of clinical decision support action or alert being surfaced by an AI agent. Maps to the 21st Century Cures Act CDS software definition and ONC HTI-1 Final Rule CDS Hooks certification.", "permitted_values": [ "drug_drug_interaction_alert", "drug_allergy_alert", "drug_dose_check", "duplicate_therapy_alert", "diagnostic_suggestion_radiology", "diagnostic_suggestion_pathology", "diagnostic_suggestion_cardiology", "diagnostic_suggestion_dermatology", "diagnostic_suggestion_ophthalmology", "sepsis_early_warning", "deterioration_risk_score", "septic_shock_early_warning", "care_gap_alert", "preventive_care_reminder", "order_set_recommendation", "prior_auth_requirement_check", "documentation_assistance_ambient_scribe", "predictive_readmission_risk", "predictive_patient_no_show", "social_determinants_screening" ], "value_labels": { "drug_drug_interaction_alert": "Drug Drug Interaction Alert", "drug_allergy_alert": "Drug Allergy Alert", "drug_dose_check": "Drug Dose Check", "duplicate_therapy_alert": "Duplicate Therapy Alert", "diagnostic_suggestion_radiology": "Diagnostic Suggestion Radiology", "diagnostic_suggestion_pathology": "Diagnostic Suggestion Pathology", "diagnostic_suggestion_cardiology": "Diagnostic Suggestion Cardiology", "diagnostic_suggestion_dermatology": "Diagnostic Suggestion Dermatology", "diagnostic_suggestion_ophthalmology": "Diagnostic Suggestion Ophthalmology", "sepsis_early_warning": "Sepsis Early Warning", "deterioration_risk_score": "Deterioration Risk Score", "septic_shock_early_warning": "Septic Shock Early Warning", "care_gap_alert": "Care Gap Alert", "preventive_care_reminder": "Preventive Care Reminder", "order_set_recommendation": "Order Set Recommendation", "prior_auth_requirement_check": "Prior Auth Requirement Check", "documentation_assistance_ambient_scribe": "Documentation Assistance Ambient Scribe", "predictive_readmission_risk": "Predictive Readmission Risk", "predictive_patient_no_show": "Predictive Patient No Show", "social_determinants_screening": "Social Determinants Screening" }, "regulatory_mappings": { "21_cures_cds": "21st Century Cures Act §3060 — CDS software definition and FDA device exemption criteria", "onc_hti1": "ONC HTI-1 Final Rule — CDS Hooks certification criterion (Jan 2024)", "fda_samd": "CDS that is NOT exempt from FDA oversight requires SaMD classification and clearance" }, "source": "ONC 21st Century Cures Rule; HL7 CDS Hooks specification", "source_url": "https://cds-hooks.org/" }, { "enum_name": "FDASaMDRiskClassification", "label": "FDA SaMD Risk Classification", "otel_attribute": "healthcare.fda_samd.risk_class", "opa_policy_path": "data.healthcare.fda_samd.risk_class", "rego_input_key": "healthcare_fda_samd_risk_class", "stability": "stable", "description": "FDA medical device risk classification for AI-enabled Software as a Medical Device (SaMD) under 21 CFR Part 860. The January 2025 FDA draft guidance applies a Total Product Life Cycle (TPLC) approach to AI-DSFs.", "permitted_values": [ "class_i_low_risk_exempt", "class_i_low_risk_510k", "class_ii_moderate_risk_510k", "class_ii_moderate_risk_de_novo", "class_iii_high_risk_pma", "non_device_software_cds_exempt", "non_device_software_ehi_exempt", "predetermined_change_control_plan_pccp" ], "value_labels": { "class_i_low_risk_exempt": "Class I — Low Risk Exempt", "class_i_low_risk_510k": "Class I — Low Risk 510k", "class_ii_moderate_risk_510k": "Class II — Moderate Risk 510k", "class_ii_moderate_risk_de_novo": "Class II — Moderate Risk De Novo", "class_iii_high_risk_pma": "Class III — High Risk Pma", "non_device_software_cds_exempt": "Cds Software Meeting the 21st Century Cures Act Exemption", "non_device_software_ehi_exempt": "Non Device Software Ehi Exempt", "predetermined_change_control_plan_pccp": "Ai-dsf Approved with a Pccp" }, "code_definitions": { "non_device_software_cds_exempt": "CDS software meeting the 21st Century Cures Act exemption — does not meet FDA device definition", "predetermined_change_control_plan_pccp": "AI-DSF approved with a PCCP — can update within pre-approved bounds without new marketing submission" }, "regulatory_mappings": { "fda_pccp_final_guidance": "FDA PCCP Final Guidance (December 2024) — AI-enabled device software function change control", "fda_ai_dsf_draft_2025": "FDA Draft Guidance AI-Enabled Device Software Functions: Lifecycle Management (January 7, 2025)", "21_cures_cds": "21st Century Cures Act — CDS software exemption from device definition" }, "source": "FDA AI/ML SaMD Action Plan; PCCP Final Guidance (Dec 2024); Draft Guidance AI-DSF (Jan 2025)", "source_url": "https://www.fda.gov/medical-devices/software-medical-device-samd/artificial-intelligence-software-medical-device" }, { "enum_name": "PCCPModificationCategory", "label": "Pccp Modification Category", "otel_attribute": "healthcare.fda_samd.pccp_modification_category", "opa_policy_path": "data.healthcare.fda_samd.pccp_modification_category", "rego_input_key": "healthcare_fda_samd_pccp_modification_category", "stability": "stable", "description": "Category of AI/ML SaMD modification under the FDA's Predetermined Change Control Plan (PCCP) Final Guidance (December 2024). Changes within PCCP scope do not require a new marketing submission. Changes outside scope require a new premarket submission.", "permitted_values": [ "performance_improvement_within_pccp_scope", "data_drift_adaptation_within_pccp_scope", "training_data_expansion_within_pccp_scope", "new_indication_outside_pccp_scope", "new_patient_population_outside_pccp_scope", "safety_effectiveness_impacting_change", "labeling_change_required", "algorithm_architecture_change_major", "cybersecurity_patch_minor", "rollback_to_prior_cleared_version" ], "value_labels": { "performance_improvement_within_pccp_scope": "Performance Improvement Within Pccp Scope", "data_drift_adaptation_within_pccp_scope": "Data Drift Adaptation Within Pccp Scope", "training_data_expansion_within_pccp_scope": "Training Data Expansion Within Pccp Scope", "new_indication_outside_pccp_scope": "New Indication Outside Pccp Scope", "new_patient_population_outside_pccp_scope": "New Patient Population Outside Pccp Scope", "safety_effectiveness_impacting_change": "Safety Effectiveness Impacting Change", "labeling_change_required": "Labeling Change Required", "algorithm_architecture_change_major": "Algorithm Architecture Change Major", "cybersecurity_patch_minor": "Cybersecurity Patch Minor", "rollback_to_prior_cleared_version": "Rollback to Prior Cleared Version" }, "regulatory_mappings": { "fda_pccp_final_guidance": "FDA PCCP Final Guidance (December 2024) — three core PCCP elements: Description of Modifications, Modification Protocol, Impact Assessment", "fda_ai_dsf_draft_2025": "FDA Draft Guidance AI-DSF (January 2025) — TPLC approach to AI device changes", "fda_uk_canada_2025": "FDA, MHRA, Health Canada joint PCCP guiding principles (August 2025) — five principles: focused, risk-based, evidence-based, transparent, lifecycle-oriented" }, "source": "FDA PCCP Final Guidance December 2024; FDA/MHRA/Health Canada joint principles August 2025" }, { "enum_name": "AIAmbientDocumentationStatus", "label": "AI Ambient Documentation Status", "otel_attribute": "healthcare.ambient_doc.status", "opa_policy_path": "data.healthcare.ambient_doc.status", "rego_input_key": "healthcare_ambient_doc_status", "stability": "proposed", "description": "Status of an AI ambient documentation (scribe) session. AI ambient documentation is one of the fastest-growing agentic AI use cases in healthcare as of 2026, reducing physician burnout by automating note-writing from clinical conversations.", "permitted_values": [ "session_initiated", "recording_active", "processing_transcript", "draft_note_generated", "clinician_review_pending", "clinician_review_in_progress", "note_amended_by_clinician", "note_signed_and_finalized", "note_cosigned", "session_abandoned_no_note", "phi_redaction_applied" ], "value_labels": { "session_initiated": "Session Initiated", "recording_active": "Recording Active", "processing_transcript": "Processing Transcript", "draft_note_generated": "Draft Note Generated", "clinician_review_pending": "Clinician Review Pending", "clinician_review_in_progress": "Clinician Review in Progress", "note_amended_by_clinician": "Note Amended by Clinician", "note_signed_and_finalized": "Note Signed and Finalized", "note_cosigned": "Note Cosigned", "session_abandoned_no_note": "Session Abandoned No Note", "phi_redaction_applied": "PHI Redaction Applied" }, "regulatory_mappings": { "hipaa_minimum_necessary": "HIPAA minimum necessary standard — AI scribe must not capture more PHI than needed for TPO purposes", "state_recording_consent": "State two-party consent laws — patient consent required in some states before ambient recording", "fda_21_cures_cds": "AI ambient documentation may qualify as CDS-exempt software if it meets 21st Century Cures criteria" }, "source": "Industry ambient AI documentation standards; HIPAA Privacy Rule; 21st Century Cures Act CDS definition" } ] }, { "subdomain": "PHI Data Governance & HIPAA Compliance", "description": "Covers PHI data handling, de-identification, breach notification, and Business Associate Agreement (BAA) management for agentic AI systems. The HHS OCR proposed January 2025 update to the HIPAA Security Rule removes required/addressable distinctions and adds mandatory encryption and continuous monitoring — directly affecting all agentic AI systems handling ePHI.", "categories": [ { "enum_name": "PHIDataHandlingAction", "label": "PHI Data Handling Action", "otel_attribute": "healthcare.phi.handling_action", "opa_policy_path": "data.healthcare.phi.handling_action", "rego_input_key": "healthcare_phi_handling_action", "stability": "stable", "description": "Type of action an agentic AI system is performing on Protected Health Information (PHI). Every PHI-touching action must be logged for HIPAA audit trail purposes.", "permitted_values": [ "collect_intake", "store_ehr", "store_data_warehouse", "transmit_to_covered_entity", "transmit_to_business_associate", "transmit_cross_border", "de_identify_safe_harbor", "de_identify_expert_determination", "re_identify", "disclose_treatment_operations", "disclose_payment", "disclose_public_health_reporting", "disclose_with_written_authorization", "disclose_law_enforcement", "use_for_ai_training_with_authorization", "use_for_ai_training_de_identified", "delete_per_retention_schedule", "breach_containment", "breach_risk_assessment", "breach_notification_individual", "breach_notification_hhs" ], "value_labels": { "collect_intake": "Collect Intake", "store_ehr": "Store EHR", "store_data_warehouse": "Store Data Warehouse", "transmit_to_covered_entity": "Transmit to Covered Entity", "transmit_to_business_associate": "Transmit to Business Associate", "transmit_cross_border": "Transmit Cross-Border", "de_identify_safe_harbor": "De-Identify Safe Harbor", "de_identify_expert_determination": "De-Identify Expert Determination", "re_identify": "Re-Identify", "disclose_treatment_operations": "Disclose Treatment Operations", "disclose_payment": "Disclose Payment", "disclose_public_health_reporting": "Disclose Public Health Reporting", "disclose_with_written_authorization": "Disclose with Written Authorization", "disclose_law_enforcement": "Disclose Law Enforcement", "use_for_ai_training_with_authorization": "Use for AI Training with Authorization", "use_for_ai_training_de_identified": "Use for AI Training - De-Identified", "delete_per_retention_schedule": "Delete Per Retention Schedule", "breach_containment": "Breach Containment", "breach_risk_assessment": "Breach Risk Assessment", "breach_notification_individual": "Breach Notification Individual", "breach_notification_hhs": "Breach Notification HHS" }, "regulatory_mappings": { "hipaa_privacy_164_500": "HIPAA Privacy Rule 45 CFR Part 164 Subpart E — permitted uses and disclosures of PHI", "hipaa_security_164_300": "HIPAA Security Rule 45 CFR Part 164 Subpart C — technical safeguards for ePHI", "hitech_164_400": "HITECH Breach Notification Rule 45 CFR 164 Subpart D — breach notification within 60 days", "hhs_ocr_proposed_2025": "HHS OCR Proposed Security Rule Update (January 2025) — mandatory encryption, continuous monitoring, 30-day breach notification" }, "source": "HIPAA Privacy and Security Rules; HITECH Act; HHS OCR Proposed Security Rule Update January 2025" }, { "enum_name": "PHIDeIdentificationMethod", "label": "PHI De-Identification Method", "otel_attribute": "healthcare.phi.deidentification_method", "opa_policy_path": "data.healthcare.phi.deidentification_method", "rego_input_key": "healthcare_phi_deidentification_method", "stability": "stable", "description": "The method used to de-identify PHI per HIPAA's two approved standards. De-identified data is no longer PHI and can be used freely for AI training. Agentic AI systems accessing health data for training must document which method was applied.", "permitted_values": [ "safe_harbor_18_identifiers_removed", "expert_determination_statistical", "limited_data_set_dua_required", "synthetic_data_generation", "federated_learning_no_data_leaves", "not_deidentified_phi_in_use" ], "value_labels": { "safe_harbor_18_identifiers_removed": "Safe Harbor 18 Identifiers Removed", "expert_determination_statistical": "Expert Determination Statistical", "limited_data_set_dua_required": "Limited Data Set - DUA Required", "synthetic_data_generation": "Synthetic Data Generation", "federated_learning_no_data_leaves": "Federated Learning No Data Leaves", "not_deidentified_phi_in_use": "Not De-Identified PHI In Use" }, "code_definitions": { "safe_harbor_18_identifiers_removed": "HIPAA Safe Harbor: all 18 PHI identifiers removed per 45 CFR 164.514(b)", "expert_determination_statistical": "Expert Determination: statistical/scientific methods demonstrate very small re-identification risk per 45 CFR 164.514(b)(1)", "limited_data_set_dua_required": "Limited Data Set: dates and geographic units above state retained; requires Data Use Agreement per 45 CFR 164.514(e)" }, "regulatory_mappings": { "hipaa_164_514": "HIPAA 45 CFR 164.514 — De-identification of protected health information", "hhs_guidance_deidentification": "HHS Guidance Regarding Methods for De-identification of PHI (2012, updated 2022)" }, "source": "HIPAA 45 CFR 164.514; HHS De-identification Guidance" }, { "enum_name": "BusinessAssociateAgreementStatus", "label": "Business Associate Agreement Status", "otel_attribute": "healthcare.baa.status", "opa_policy_path": "data.healthcare.baa.status", "rego_input_key": "healthcare_baa_status", "stability": "proposed", "description": "Status of Business Associate Agreement (BAA) with an AI vendor handling PHI. HIPAA requires BAAs with all business associates before PHI is shared. Agentic AI vendor BAAs require enhanced clauses addressing AI model training, data retention, and subcontractor chains.", "permitted_values": [ "not_required_no_phi_access", "baa_required_pending_execution", "baa_executed_active", "baa_expired_renewal_required", "baa_terminated_phi_return_delete_pending", "baa_breached_incident_active", "subcontractor_baa_chain_complete", "subcontractor_baa_chain_gap_identified" ], "value_labels": { "not_required_no_phi_access": "Not Required No PHI Access", "baa_required_pending_execution": "Baa Required Pending Execution", "baa_executed_active": "Baa Executed Active", "baa_expired_renewal_required": "Baa Expired Renewal Required", "baa_terminated_phi_return_delete_pending": "Baa Terminated PHI Return Delete Pending", "baa_breached_incident_active": "Baa Breached Incident Active", "subcontractor_baa_chain_complete": "Subcontractor Baa Chain Complete", "subcontractor_baa_chain_gap_identified": "Subcontractor Baa Chain Gap Identified" }, "regulatory_mappings": { "hipaa_164_504": "HIPAA 45 CFR 164.504(e) — BAA requirements for business associates", "hipaa_164_308_b": "HIPAA 45 CFR 164.308(b) — Business associate contracts for security rule", "hitech_sec_13401": "HITECH Section 13401 — Direct liability for business associates" }, "use_case": "OPA rule: block any agentic tool action that would transmit or store PHI with a vendor whose baa_status is not baa_executed_active. Block AI model training on PHI when status is not_required_no_phi_access without first applying de-identification.", "source": "HIPAA 45 CFR 164.504; HITECH Act; HHS Business Associate Guidance" }, { "enum_name": "PHIBreachRiskLevel", "label": "PHI Breach Risk Level", "otel_attribute": "healthcare.phi.breach_risk_level", "opa_policy_path": "data.healthcare.phi.breach_risk_level", "rego_input_key": "healthcare_phi_breach_risk_level", "stability": "proposed", "description": "Risk level assigned to a potential PHI breach by the four-factor HIPAA breach risk assessment. Determines whether a breach notification is required.", "permitted_values": [ "low_risk_notification_not_required", "moderate_risk_notification_required", "high_risk_notification_required", "risk_assessment_pending", "risk_assessment_incomplete", "presumed_breach_notification_required" ], "value_labels": { "low_risk_notification_not_required": "Four-factor Assessment Demonstrates Low Probability PHI Was Compromised", "moderate_risk_notification_required": "Moderate Risk Notification Required", "high_risk_notification_required": "High Risk Notification Required", "risk_assessment_pending": "Risk Assessment Pending", "risk_assessment_incomplete": "Risk Assessment Incomplete", "presumed_breach_notification_required": "Unable to Demonstrate Low Probability" }, "code_definitions": { "low_risk_notification_not_required": "Four-factor assessment demonstrates low probability PHI was compromised — notification not required per 45 CFR 164.402", "presumed_breach_notification_required": "Unable to demonstrate low probability — breach presumed and notification required" }, "regulatory_mappings": { "hipaa_breach_notification_164_402": "HIPAA 45 CFR 164.402 — Four-factor breach risk assessment determines notification obligation", "hitech_breach_notification": "HITECH — Individual notification within 60 days; HHS notification within 60 days; media notice if >500 in state", "hhs_ocr_proposed_2025": "HHS OCR Proposed Security Rule (January 2025) — shortened notification timelines under consideration" }, "source": "HIPAA Breach Notification Rule 45 CFR 164 Subpart D; HITECH Act; HHS OCR Guidance" } ] }, { "subdomain": "Revenue Cycle & Claims Processing", "description": "Covers AI-driven revenue cycle management including claims scrubbing, denial management, and coding. This is the highest-volume agentic AI deployment in US health system operations. HL7 FHIR R4 is the CMS-mandated standard for electronic claims under CMS-0057-F.", "fhir_resources": [ "Claim", "ClaimResponse", "ExplanationOfBenefit" ], "categories": [ { "enum_name": "ClaimSubmissionStatus", "label": "Claim Submission Status", "otel_attribute": "healthcare.claim.submission_status", "opa_policy_path": "data.healthcare.claim.submission_status", "rego_input_key": "healthcare_claim_submission_status", "stability": "stable", "description": "Defines the allowed values for Claim Submission Status in the Healthcare & Life Sciences catalog so OpenTelemetry spans and OPA policy inputs remain consistent across VeriProof. Terminology aligns to ASC X12 837 Healthcare Claim transaction; HL7 FHIR Claim resource.", "permitted_values": [ "draft", "ready_to_submit", "submitted_clearinghouse", "submitted_payer_direct", "acknowledged_clearinghouse", "rejected_clearinghouse_edit", "accepted_payer", "pending_payer_adjudication", "adjudicated_paid", "adjudicated_denied", "adjudicated_partial", "secondary_claim_required", "voided", "corrected_resubmitted", "appealed", "written_off" ], "value_labels": { "draft": "Draft", "ready_to_submit": "Ready to Submit", "submitted_clearinghouse": "Submitted Clearinghouse", "submitted_payer_direct": "Submitted Payer Direct", "acknowledged_clearinghouse": "Acknowledged Clearinghouse", "rejected_clearinghouse_edit": "Rejected Clearinghouse Edit", "accepted_payer": "Accepted Payer", "pending_payer_adjudication": "Pending Payer Adjudication", "adjudicated_paid": "Adjudicated Paid", "adjudicated_denied": "Adjudicated Denied", "adjudicated_partial": "Adjudicated Partial", "secondary_claim_required": "Secondary Claim Required", "voided": "Voided", "corrected_resubmitted": "Corrected Resubmitted", "appealed": "Appealed", "written_off": "Written Off" }, "regulatory_mappings": { "hipaa_837": "HIPAA EDI 837 — Healthcare claim transaction standard", "cms_timely_filing": "CMS timely filing limits vary by payer: Medicare 1 year; Medicaid state-specific; commercial 90-180 days" }, "source": "ASC X12 837 Healthcare Claim transaction; HL7 FHIR Claim resource" }, { "enum_name": "DenialReasonCategory", "label": "Denial Reason Category", "otel_attribute": "healthcare.claim.denial_reason_category", "opa_policy_path": "data.healthcare.claim.denial_reason_category", "rego_input_key": "healthcare_claim_denial_reason_category", "stability": "stable", "description": "Standardised denial reason categories for AI-driven denial management workflows. Based on CARC (Claim Adjustment Reason Codes) and RARC (Remittance Advice Remark Codes) maintained by the NUBC and Washington Publishing Company.", "permitted_values": [ "eligibility_coverage_issue", "prior_authorization_missing", "prior_authorization_expired", "medical_necessity_not_established", "duplicate_claim", "timely_filing_exceeded", "coordination_of_benefits_required", "non_covered_service", "bundling_unbundling_edit", "coding_error_diagnosis_mismatch", "coding_error_procedure_not_covered", "provider_credentialing_issue", "out_of_network_no_referral", "demographic_mismatch", "missing_required_documentation", "place_of_service_mismatch", "modifier_missing_incorrect", "global_surgical_package_included" ], "value_labels": { "eligibility_coverage_issue": "Eligibility Coverage Issue", "prior_authorization_missing": "Prior Authorization Missing", "prior_authorization_expired": "Prior Authorization Expired", "medical_necessity_not_established": "Medical Necessity not Established", "duplicate_claim": "Duplicate Claim", "timely_filing_exceeded": "Timely Filing Exceeded", "coordination_of_benefits_required": "Coordination of Benefits Required", "non_covered_service": "Non Covered Service", "bundling_unbundling_edit": "Bundling Unbundling Edit", "coding_error_diagnosis_mismatch": "Coding Error Diagnosis Mismatch", "coding_error_procedure_not_covered": "Coding Error Procedure not Covered", "provider_credentialing_issue": "Provider Credentialing Issue", "out_of_network_no_referral": "Out of Network No Referral", "demographic_mismatch": "Demographic Mismatch", "missing_required_documentation": "Missing Required Documentation", "place_of_service_mismatch": "Place of Service Mismatch", "modifier_missing_incorrect": "Modifier Missing Incorrect", "global_surgical_package_included": "Global Surgical Package Included" }, "source": "NUBC CARC/RARC code categories; ASC X12 835 Healthcare Claim Payment; CMS Remittance Advice" }, { "enum_name": "CodingComplianceFlag", "label": "Coding Compliance Flag", "otel_attribute": "healthcare.coding.compliance_flag", "opa_policy_path": "data.healthcare.coding.compliance_flag", "rego_input_key": "healthcare_coding_compliance_flag", "stability": "proposed", "description": "AI coding compliance flags applied during claims scrubbing and audit. AI coding agents must apply these flags before claim submission to reduce denials and OIG audit exposure.", "permitted_values": [ "clean_no_flags", "upcoding_suspected", "undercoding_identified", "unbundling_suspected", "duplicate_code_detected", "diagnosis_procedure_mismatch", "medical_necessity_documentation_gap", "evaluation_management_level_mismatch", "modifier_inappropriate", "payer_specific_edit_triggered", "ncd_lcd_coverage_question", "false_claims_act_risk_elevated", "oid_work_plan_target_code" ], "value_labels": { "clean_no_flags": "Clean No Flags", "upcoding_suspected": "Upcoding Suspected", "undercoding_identified": "Undercoding Identified", "unbundling_suspected": "Unbundling Suspected", "duplicate_code_detected": "Duplicate Code Detected", "diagnosis_procedure_mismatch": "Diagnosis Procedure Mismatch", "medical_necessity_documentation_gap": "Medical Necessity Documentation Gap", "evaluation_management_level_mismatch": "Evaluation Management Level Mismatch", "modifier_inappropriate": "Modifier Inappropriate", "payer_specific_edit_triggered": "Payer Specific Edit Triggered", "ncd_lcd_coverage_question": "Ncd Lcd Coverage Question", "false_claims_act_risk_elevated": "False Claims Act Risk Elevated", "oid_work_plan_target_code": "Oid Work Plan Target Code" }, "regulatory_mappings": { "false_claims_act": "31 USC §3729 — False Claims Act: knowingly submitting false claims to federal health programmes", "oig_compliance": "HHS OIG Annual Work Plan — identifies high-risk billing codes subject to enhanced audit scrutiny", "stark_law": "42 USC §1395nn — Stark Law: physician self-referral prohibitions" }, "source": "CMS NCCI (National Correct Coding Initiative) edits; OIG Work Plan; CMS Medically Unlikely Edits (MUE)" } ] }, { "subdomain": "Patient Engagement & Remote Monitoring", "description": "Covers AI-driven patient engagement, remote patient monitoring (RPM), and chronic disease management. Agentic AI patient outreach agents must comply with HIPAA, TCPA (telephone consumer protection), and state telehealth laws.", "categories": [ { "enum_name": "PatientEngagementChannelType", "label": "Patient Engagement Channel Type", "otel_attribute": "healthcare.patient_engagement.channel", "opa_policy_path": "data.healthcare.patient_engagement.channel", "rego_input_key": "healthcare_patient_engagement_channel", "stability": "stable", "description": "Defines the allowed values for Patient Engagement Channel Type in the Healthcare & Life Sciences catalog so OpenTelemetry spans and OPA policy inputs remain consistent across VeriProof. Terminology aligns to HIPAA Privacy Rule; TCPA; FCC rules; state telehealth statutes.", "permitted_values": [ "ai_voice_agent_outbound", "ai_voice_agent_inbound", "ai_chat_secure_portal", "ai_chat_sms", "ai_chat_mobile_app", "ai_email_automated", "ai_video_visit", "remote_patient_monitoring_device", "wearable_continuous_monitor", "patient_portal_self_service", "in_person_kiosk" ], "value_labels": { "ai_voice_agent_outbound": "AI Voice Agent Outbound", "ai_voice_agent_inbound": "AI Voice Agent Inbound", "ai_chat_secure_portal": "AI Chat Secure Portal", "ai_chat_sms": "AI Chat Sms", "ai_chat_mobile_app": "AI Chat Mobile App", "ai_email_automated": "AI Email Automated", "ai_video_visit": "AI Video Visit", "remote_patient_monitoring_device": "Remote Patient Monitoring Device", "wearable_continuous_monitor": "Wearable Continuous Monitor", "patient_portal_self_service": "Patient Portal Self Service", "in_person_kiosk": "In Person Kiosk" }, "regulatory_mappings": { "hipaa_minimum_necessary": "HIPAA — minimum necessary standard for PHI shared via each channel", "tcpa": "TCPA 47 USC 227 — Telephone Consumer Protection Act: prior express written consent for autodialed or prerecorded calls/texts", "state_telehealth_laws": "State-specific telehealth practice standards and licensure requirements" }, "source": "HIPAA Privacy Rule; TCPA; FCC rules; state telehealth statutes" }, { "enum_name": "RemoteMonitoringAlertLevel", "label": "Remote Monitoring Alert Level", "otel_attribute": "healthcare.rpm.alert_level", "opa_policy_path": "data.healthcare.rpm.alert_level", "rego_input_key": "healthcare_rpm_alert_level", "stability": "proposed", "description": "Alert severity level generated by remote patient monitoring (RPM) AI from wearable or connected device data. Determines escalation pathway.", "permitted_values": [ "within_normal_range", "borderline_monitor_closely", "mild_deviation_patient_notification", "moderate_deviation_care_team_alert", "critical_deviation_immediate_escalation", "device_malfunction_data_unreliable", "missed_measurement_outreach_required", "patient_confirmed_hospitalized" ], "value_labels": { "within_normal_range": "Within Normal Range", "borderline_monitor_closely": "Borderline Monitor Closely", "mild_deviation_patient_notification": "Mild Deviation Patient Notification", "moderate_deviation_care_team_alert": "Moderate Deviation Care Team Alert", "critical_deviation_immediate_escalation": "Critical Deviation Immediate Escalation", "device_malfunction_data_unreliable": "Device Malfunction Data Unreliable", "missed_measurement_outreach_required": "Missed Measurement Outreach Required", "patient_confirmed_hospitalized": "Patient Confirmed Hospitalized" }, "regulatory_mappings": { "cms_rpm_99453": "CMS CPT 99453/99454/99457/99458 — Remote Physiological Monitoring billing codes", "fda_samd": "RPM devices may qualify as FDA-regulated SaMD depending on intended use and risk class" }, "source": "CMS RPM billing guidelines; industry RPM escalation protocol frameworks; HL7 FHIR Observation resource" }, { "enum_name": "PatientConsentType", "label": "Patient Consent Type", "otel_attribute": "healthcare.patient.consent_type", "opa_policy_path": "data.healthcare.patient.consent_type", "rego_input_key": "healthcare_patient_consent_type", "stability": "stable", "description": "Types of patient consent relevant to healthcare agentic AI. HIPAA's minimum necessary standard applies to all consent-based data uses.", "permitted_values": [ "treatment_payment_operations_tpo", "written_authorization_non_tpo_use", "research_waiver_irb_approved", "public_health_reporting_mandatory", "ai_model_training_written_authorization", "ai_model_training_de_identified_no_consent", "telehealth_informed_consent", "ambient_recording_state_consent", "marketing_opt_in", "care_coordination_data_sharing", "patient_portal_e_access", "right_to_access_request", "right_to_restriction_request", "right_to_amend_request" ], "value_labels": { "treatment_payment_operations_tpo": "Treatment Payment Operations Tpo", "written_authorization_non_tpo_use": "Written Authorization Non Tpo Use", "research_waiver_irb_approved": "Research Waiver Irb Approved", "public_health_reporting_mandatory": "Public Health Reporting Mandatory", "ai_model_training_written_authorization": "AI Model Training Written Authorization", "ai_model_training_de_identified_no_consent": "AI Model Training De Identified No Consent", "telehealth_informed_consent": "Telehealth Informed Consent", "ambient_recording_state_consent": "Ambient Recording State Consent", "marketing_opt_in": "Marketing Opt in", "care_coordination_data_sharing": "Care Coordination Data Sharing", "patient_portal_e_access": "Patient Portal E Access", "right_to_access_request": "Right to Access Request", "right_to_restriction_request": "Right to Restriction Request", "right_to_amend_request": "Right to Amend Request" }, "regulatory_mappings": { "hipaa_164_508": "HIPAA 45 CFR 164.508 — Authorization requirements for uses and disclosures not permitted without authorization", "hipaa_164_510": "HIPAA 45 CFR 164.510 — Uses requiring opportunity to agree or object", "45_cfr_46": "45 CFR Part 46 — Common Rule: IRB and consent requirements for research" }, "source": "HIPAA Privacy Rule; Common Rule 45 CFR Part 46; state ambient recording consent laws" } ] }, { "subdomain": "Pharmacy & Medication Management", "description": "Covers AI-driven pharmacy operations, specialty drug prior authorisation, medication reconciliation, and adherence monitoring. Specialty drug PA is one of the most active agentic AI use cases given its complexity and the CMS-0057-F PA timeline mandates.", "categories": [ { "enum_name": "MedicationPriorAuthStatus", "label": "Medication Prior Auth Status", "otel_attribute": "healthcare.pharmacy.prior_auth_status", "opa_policy_path": "data.healthcare.pharmacy.prior_auth_status", "rego_input_key": "healthcare_pharmacy_prior_auth_status", "stability": "stable", "description": "Specialised prior authorisation status for pharmacy/specialty drug benefits. Maps to the CoverageRequirementsDiscovery (CRD) and Prior Authorization Support (PAS) Da Vinci IG workflows for pharmacy.", "permitted_values": [ "pa_not_required", "pa_required_not_submitted", "pa_submitted_pending", "pa_approved_in_formulary", "pa_approved_off_formulary", "pa_denied_formulary_alternative_available", "pa_denied_step_edit_required", "pa_denied_quantity_limit", "pa_denied_not_medically_necessary", "pa_appealed", "pa_expired_renewal_required", "specialty_hub_enrollment_required", "risk_evaluation_mitigation_strategy_rems" ], "value_labels": { "pa_not_required": "Pa not Required", "pa_required_not_submitted": "Pa Required not Submitted", "pa_submitted_pending": "Pa Submitted Pending", "pa_approved_in_formulary": "Pa Approved in Formulary", "pa_approved_off_formulary": "Pa Approved Off Formulary", "pa_denied_formulary_alternative_available": "Pa Denied Formulary Alternative Available", "pa_denied_step_edit_required": "Pa Denied Step Edit Required", "pa_denied_quantity_limit": "Pa Denied Quantity Limit", "pa_denied_not_medically_necessary": "Pa Denied not Medically Necessary", "pa_appealed": "Pa Appealed", "pa_expired_renewal_required": "Pa Expired Renewal Required", "specialty_hub_enrollment_required": "Specialty Hub Enrollment Required", "risk_evaluation_mitigation_strategy_rems": "Risk Evaluation Mitigation Strategy Rems" }, "regulatory_mappings": { "cms_0057_f": "CMS-0057-F PA timelines apply to pharmacy benefit PA decisions", "fda_rems": "FDA REMS — Risk Evaluation and Mitigation Strategy for high-risk medications" }, "source": "HL7 Da Vinci CRD/DTR/PAS IGs; NCPDP pharmacy standards; FDA REMS database" }, { "enum_name": "MedicationAdherenceStatus", "label": "Medication Adherence Status", "otel_attribute": "healthcare.pharmacy.adherence_status", "opa_policy_path": "data.healthcare.pharmacy.adherence_status", "rego_input_key": "healthcare_pharmacy_adherence_status", "stability": "proposed", "description": "Medication adherence classification generated by AI pharmacy monitoring agents. Used in chronic disease management outreach and HEDIS quality measure reporting.", "permitted_values": [ "adherent_pdc_above_80_pct", "borderline_pdc_60_80_pct", "non_adherent_pdc_below_60_pct", "intentional_discontinuation", "adverse_event_discontinuation", "cost_barrier_identified", "supply_gap_identified", "outreach_attempted_no_response", "outreach_successful_barrier_resolved" ], "value_labels": { "adherent_pdc_above_80_pct": "Proportion of Days Covered (pdc) >= 80%", "borderline_pdc_60_80_pct": "Borderline Pdc 60 80 Pct", "non_adherent_pdc_below_60_pct": "Pdc < 60%", "intentional_discontinuation": "Intentional Discontinuation", "adverse_event_discontinuation": "Adverse Event Discontinuation", "cost_barrier_identified": "Cost Barrier Identified", "supply_gap_identified": "Supply Gap Identified", "outreach_attempted_no_response": "Outreach Attempted No Response", "outreach_successful_barrier_resolved": "Outreach Successful Barrier Resolved" }, "code_definitions": { "adherent_pdc_above_80_pct": "Proportion of Days Covered (PDC) >= 80% — HEDIS adherence measure threshold", "non_adherent_pdc_below_60_pct": "PDC < 60% — significant adherence gap, active intervention required" }, "source": "HEDIS Medication Adherence measures; NCQA PDC calculation methodology; CMS Stars Medication Adherence measures" }, { "enum_name": "DrugInteractionSeverity", "label": "Drug Interaction Severity", "otel_attribute": "healthcare.pharmacy.interaction_severity", "opa_policy_path": "data.healthcare.pharmacy.interaction_severity", "rego_input_key": "healthcare_pharmacy_interaction_severity", "stability": "stable", "description": "Drug-drug, drug-allergy, and drug-disease interaction severity classification used by AI clinical decision support agents at order entry.", "permitted_values": [ "contraindicated_do_not_use", "severe_use_only_if_no_alternative", "moderate_monitor_closely", "minor_clinical_significance_limited", "no_interaction_known", "insufficient_evidence_unknown" ], "value_labels": { "contraindicated_do_not_use": "Contraindicated Do not Use", "severe_use_only_if_no_alternative": "Severe Use Only If No Alternative", "moderate_monitor_closely": "Moderate Monitor Closely", "minor_clinical_significance_limited": "Minor Clinical Significance Limited", "no_interaction_known": "No Interaction Known", "insufficient_evidence_unknown": "Insufficient Evidence Unknown" }, "source": "First DataBank (FDB); Multum; Wolters Kluwer Clinical Drug Information; Lexicomp interaction severity classifications" } ] }, { "subdomain": "Life Sciences: Clinical Trials & Drug Development", "description": "Covers AI deployment in clinical trial operations, pharmacovigilance, and regulatory submissions. Agentic AI in clinical trials is subject to ICH E6 R3 GCP guidelines (updated 2023), FDA 21 CFR Part 312 IND regulations, and 21 CFR Part 11 electronic records requirements.", "categories": [ { "enum_name": "ClinicalTrialStatus", "label": "Clinical Trial Status", "otel_attribute": "healthcare.clinical_trial.status", "opa_policy_path": "data.healthcare.clinical_trial.status", "rego_input_key": "healthcare_clinical_trial_status", "stability": "stable", "description": "Clinical trial operational status per ClinicalTrials.gov registration and ICH E6 R3 GCP lifecycle. Agentic trial management AI must track this status for regulatory submission and site management purposes.", "permitted_values": [ "not_yet_recruiting", "recruiting", "enrolling_by_invitation", "active_not_recruiting", "completed", "suspended", "terminated", "withdrawn", "unknown", "approved_pending_ind", "protocol_amendment_pending", "clinical_hold_fda" ], "value_labels": { "not_yet_recruiting": "Not Yet Recruiting", "recruiting": "Recruiting", "enrolling_by_invitation": "Enrolling by Invitation", "active_not_recruiting": "Active not Recruiting", "completed": "Completed", "suspended": "Suspended", "terminated": "Terminated", "withdrawn": "Withdrawn", "unknown": "Unknown", "approved_pending_ind": "Approved Pending Ind", "protocol_amendment_pending": "Protocol Amendment Pending", "clinical_hold_fda": "Clinical Hold FDA" }, "regulatory_mappings": { "fdaaa_801": "FDAAA Section 801 — ClinicalTrials.gov registration and results reporting requirements", "ich_e6_r3": "ICH E6 R3 Good Clinical Practice (2023) — trial oversight and documentation", "fda_21_cfr_312": "FDA 21 CFR Part 312 — Investigational New Drug (IND) regulations" }, "source": "ClinicalTrials.gov status vocabulary; ICH E6 R3; FDA IND regulations" }, { "enum_name": "ProtocolDeviationSeverity", "label": "Protocol Deviation Severity", "otel_attribute": "healthcare.clinical_trial.deviation_severity", "opa_policy_path": "data.healthcare.clinical_trial.deviation_severity", "rego_input_key": "healthcare_clinical_trial_deviation_severity", "stability": "stable", "description": "Severity classification for protocol deviations detected by AI trial monitoring agents. Determines IRB and sponsor reporting requirements.", "permitted_values": [ "minor_deviation_no_reporting", "major_deviation_sponsor_reporting_required", "major_deviation_irb_reporting_required", "serious_breach_fda_irb_reporting_required", "suspected_unexpected_serious_adverse_reaction_susar", "unanticipated_problem_involving_risk" ], "value_labels": { "minor_deviation_no_reporting": "Minor Deviation No Reporting", "major_deviation_sponsor_reporting_required": "Major Deviation Sponsor Reporting Required", "major_deviation_irb_reporting_required": "Major Deviation Irb Reporting Required", "serious_breach_fda_irb_reporting_required": "Serious Breach FDA Irb Reporting Required", "suspected_unexpected_serious_adverse_reaction_susar": "Suspected Unexpected Serious Adverse Reaction Susar", "unanticipated_problem_involving_risk": "Unanticipated Problem Involving Risk" }, "regulatory_mappings": { "ich_e6_r3": "ICH E6 R3 — Protocol deviation reporting requirements", "fda_21_cfr_312_62": "21 CFR 312.62 — Recordkeeping; 312.64 — Investigator reporting obligations", "irb_45_cfr_46_103": "45 CFR 46.103 — IRB reporting of unanticipated problems involving risk" }, "source": "ICH E6 R3 GCP (2023); FDA IND safety reporting; IRB Common Rule requirements" }, { "enum_name": "PharmacoviglianceSignalAction", "label": "Pharmacovigliance Signal Action", "otel_attribute": "healthcare.pharmacovigilance.signal_action", "opa_policy_path": "data.healthcare.pharmacovigilance.signal_action", "rego_input_key": "healthcare_pharmacovigilance_signal_action", "stability": "proposed", "description": "Action taken by AI pharmacovigilance agents on a detected adverse drug event signal. All expedited safety reports to FDA must be submitted within 15 calendar days of awareness.", "permitted_values": [ "signal_detected_under_evaluation", "signal_assessed_no_action_required", "signal_confirmed_label_update_required", "expedited_15_day_alert_submitted_fda", "periodic_safety_report_psur_included", "rems_modification_required", "market_withdrawal_recommended", "field_safety_corrective_action_required", "signal_closed_false_positive" ], "value_labels": { "signal_detected_under_evaluation": "Signal Detected Under Evaluation", "signal_assessed_no_action_required": "Signal Assessed No Action Required", "signal_confirmed_label_update_required": "Signal Confirmed Label Update Required", "expedited_15_day_alert_submitted_fda": "Expedited 15 Day Alert Submitted FDA", "periodic_safety_report_psur_included": "Periodic Safety Report Psur Included", "rems_modification_required": "Rems Modification Required", "market_withdrawal_recommended": "Market Withdrawal Recommended", "field_safety_corrective_action_required": "Field Safety Corrective Action Required", "signal_closed_false_positive": "Signal Closed False Positive" }, "regulatory_mappings": { "fda_21_cfr_312_32": "21 CFR 312.32 — Expedited safety reporting: unexpected serious adverse reactions within 15 days", "iche2b": "ICH E2B R3 — Individual Case Safety Report (ICSR) electronic submission format", "eu_gvp": "EMA Good Pharmacovigilance Practices Module IX — signal management" }, "source": "FDA 21 CFR 312.32; ICH E2B R3; EMA GVP Module IX" }, { "enum_name": "RegulatorySubmissionType", "label": "Regulatory Submission Type", "otel_attribute": "healthcare.regulatory_submission.type", "opa_policy_path": "data.healthcare.regulatory_submission.type", "rego_input_key": "healthcare_regulatory_submission_type", "stability": "stable", "description": "Type of regulatory submission being assembled or reviewed by AI agents in life sciences.", "permitted_values": [ "ind_initial", "ind_annual_report", "ind_safety_report_15_day", "ind_safety_report_expedited", "ind_clinical_hold_response", "nda_original", "nda_supplement_efficacy", "nda_supplement_safety", "nda_cbee_supplement", "bla_original", "bla_supplement", "510k_original", "510k_special", "de_novo_request", "pma_original", "pma_supplement", "pccp_submission", "anda_generic_drug", "eua_emergency_use_authorization" ], "value_labels": { "ind_initial": "Ind Initial", "ind_annual_report": "Ind Annual Report", "ind_safety_report_15_day": "Ind Safety Report 15 Day", "ind_safety_report_expedited": "Ind Safety Report Expedited", "ind_clinical_hold_response": "Ind Clinical Hold Response", "nda_original": "Nda Original", "nda_supplement_efficacy": "Nda Supplement Efficacy", "nda_supplement_safety": "Nda Supplement Safety", "nda_cbee_supplement": "Nda Cbee Supplement", "bla_original": "Bla Original", "bla_supplement": "Bla Supplement", "510k_original": "510(k) Original", "510k_special": "510(k) Special", "de_novo_request": "De Novo Request", "pma_original": "Pma Original", "pma_supplement": "Pma Supplement", "pccp_submission": "Pccp Submission", "anda_generic_drug": "Anda Generic Drug", "eua_emergency_use_authorization": "Eua Emergency Use Authorization" }, "source": "FDA submission type taxonomy; FDA eCTD submission guidance; 21 CFR Part 312 and 314" } ] }, { "subdomain": "Quality, Safety & Regulatory Reporting", "description": "Covers AI-driven healthcare quality reporting, patient safety event management, and CMS Star Ratings. Agentic AI generates HEDIS measures, flags PSEs (Patient Safety Events), and assembles CMS quality metric reports.", "categories": [ { "enum_name": "PatientSafetyEventCategory", "label": "Patient Safety Event Category", "otel_attribute": "healthcare.patient_safety.event_category", "opa_policy_path": "data.healthcare.patient_safety.event_category", "rego_input_key": "healthcare_patient_safety_event_category", "stability": "stable", "description": "NQF (National Quality Forum) and AHRQ patient safety event taxonomy. AI safety monitoring agents flag events using these standardised categories for mandatory reporting and quality improvement.", "permitted_values": [ "serious_reportable_event_nqf", "hospital_acquired_condition_hac", "never_event", "medication_error_harm_reached_patient", "medication_error_near_miss", "fall_with_injury", "fall_without_injury", "healthcare_associated_infection_hai", "pressure_injury_stage_3_4", "wrong_site_wrong_patient_wrong_procedure", "retained_foreign_body_post_procedure", "venous_thromboembolism_preventable", "diagnostic_error_harm_reached", "device_malfunction_adverse_event", "care_delay_adverse_outcome" ], "value_labels": { "serious_reportable_event_nqf": "Serious Reportable Event Nqf", "hospital_acquired_condition_hac": "Hospital Acquired Condition Hac", "never_event": "Never Event", "medication_error_harm_reached_patient": "Medication Error Harm Reached Patient", "medication_error_near_miss": "Medication Error Near Miss", "fall_with_injury": "Fall with Injury", "fall_without_injury": "Fall Without Injury", "healthcare_associated_infection_hai": "Healthcare Associated Infection Hai", "pressure_injury_stage_3_4": "Pressure Injury Stage 3 4", "wrong_site_wrong_patient_wrong_procedure": "Wrong Site Wrong Patient Wrong Procedure", "retained_foreign_body_post_procedure": "Retained Foreign Body Post Procedure", "venous_thromboembolism_preventable": "Venous Thromboembolism Preventable", "diagnostic_error_harm_reached": "Diagnostic Error Harm Reached", "device_malfunction_adverse_event": "Device Malfunction Adverse Event", "care_delay_adverse_outcome": "Care Delay Adverse Outcome" }, "regulatory_mappings": { "cms_hac_reduction": "CMS Hospital-Acquired Condition Reduction Program — payment penalties for preventable HACs", "nqf_serious_reportable_events": "NQF Serious Reportable Events (Never Events) — mandatory state reporting in many states", "joint_commission": "Joint Commission Sentinel Event policy — root cause analysis requirements" }, "source": "NQF Serious Reportable Events; AHRQ Patient Safety Classification; CMS HAC Reduction Program" }, { "enum_name": "QualityMeasurePerformanceStatus", "label": "Quality Measure Performance Status", "otel_attribute": "healthcare.quality.measure_status", "opa_policy_path": "data.healthcare.quality.measure_status", "rego_input_key": "healthcare_quality_measure_status", "stability": "proposed", "description": "Performance classification for a HEDIS or CMS quality measure as determined by AI quality analytics agents.", "permitted_values": [ "top_decile_5_star", "above_average_4_star", "average_3_star", "below_average_2_star", "low_performance_1_star", "excluded_small_denominator", "data_insufficient_reporting_required", "measure_not_applicable", "improvement_required_corrective_action" ], "value_labels": { "top_decile_5_star": "Top Decile 5 Star", "above_average_4_star": "Above Average 4 Star", "average_3_star": "Average 3 Star", "below_average_2_star": "Below Average 2 Star", "low_performance_1_star": "Low Performance 1 Star", "excluded_small_denominator": "Excluded Small Denominator", "data_insufficient_reporting_required": "Data Insufficient Reporting Required", "measure_not_applicable": "Measure not Applicable", "improvement_required_corrective_action": "Improvement Required Corrective Action" }, "regulatory_mappings": { "cms_stars": "CMS Medicare Advantage Star Ratings — financial incentives tied to quality performance", "hedis": "NCQA HEDIS measures — standardised quality measures for health plans", "cms_qi_reporting": "CMS Quality Improvement Reporting — hospital inpatient quality reporting (IQR) program" }, "source": "NCQA HEDIS Technical Specifications; CMS Medicare Advantage Star Rating methodology; CMS IQR program" } ] } ], "opa_rego_policy_patterns": { "description": "Healthcare-specific OPA Rego policy patterns referencing enum values from this file and from 00_core_sdk_and_governance.json. Illustrative patterns, not production policies.", "patterns": [ { "pattern_id": "healthcare.enforce_cms0057f_pa_response_sla", "pattern_name": "enforce_cms0057f_pa_response_sla", "enforcement_effect": "deny", "description": "Enforce CMS-0057-F prior authorisation response time mandates. Block autonomous agent from closing or deferring a PA request when the SLA deadline has been reached — force escalation to human reviewer with required denial reason codes.", "applicable_enums": [ "PriorAuthorizationStatus", "PADenialReasonCode", "DaVinciWorkflowStep" ], "regulatory_basis": "CMS-0057-F CMS-0057-F: 72-hour expedited PA, 7-day standard PA — in force January 1, 2026; public metrics due March 31, 2026", "rego_sketch": "package healthcare.prior_auth\n\nterminal_pa_statuses := {\n \"approved\", \"approved_with_modifications\",\n \"denied_not_medically_necessary\", \"denied_experimental_investigational\",\n \"denied_benefit_not_covered\", \"denied_step_therapy_required\",\n \"denied_not_prior_authorized\", \"partial_approval\",\n \"cancelled_by_provider\", \"expired\"\n}\n\ndeny[msg] {\n input.prior_auth_type == \"expedited\"\n input.hours_since_receipt > 72\n not input.healthcare_prior_auth_status in terminal_pa_statuses\n msg := sprintf(\"CMS-0057-F violation: Expedited PA for request %v has exceeded 72-hour SLA. Status: '%v'. Immediate escalation required.\", [input.request_id, input.healthcare_prior_auth_status])\n}\n\ndeny[msg] {\n input.prior_auth_type == \"standard\"\n input.days_since_receipt > 7\n not input.healthcare_prior_auth_status in terminal_pa_statuses\n msg := sprintf(\"CMS-0057-F violation: Standard PA for request %v has exceeded 7-day SLA. Status: '%v'. Immediate escalation required.\", [input.request_id, input.healthcare_prior_auth_status])\n}\n\ndeny[msg] {\n input.healthcare_prior_auth_status in {\"denied_not_medically_necessary\", \"denied_experimental_investigational\"}\n count(input.denial_reason_codes) == 0\n msg := \"CMS-0057-F: PA denial requires at least one structured denial reason code for API response and metric reporting\"\n}" }, { "pattern_id": "healthcare.block_phi_storage_to_unencrypted_memory", "pattern_name": "block_phi_storage_to_unencrypted_memory", "enforcement_effect": "deny", "description": "Deny memory write operations storing PHI to non-encrypted memory stores.", "applicable_enums": [ "DataSensitivityClassification", "AgentMemoryOperation", "MemoryType" ], "regulatory_basis": "HIPAA Security Rule 45 CFR 164 Subpart C; EU AI Act Article 10", "rego_sketch": "package healthcare.data\n\ndeny[msg] {\n input.gen_ai_memory_operation == \"storage\"\n input.gen_ai_data_sensitivity == \"phi_hipaa\"\n input.encryption_at_rest != true\n msg := \"PHI storage to unencrypted memory store is prohibited under HIPAA Security Rule 45 CFR 164.312(a)(2)(iv)\"\n}" }, { "pattern_id": "healthcare.block_phi_training_without_authorization_or_deidentification", "pattern_name": "block_phi_training_without_authorization_or_deidentification", "enforcement_effect": "deny", "description": "Block any agentic AI system from using PHI for model training unless either a valid written patient authorization exists or the data has been properly de-identified per HIPAA 45 CFR 164.514.", "applicable_enums": [ "PHIDataHandlingAction", "PHIDeIdentificationMethod", "BusinessAssociateAgreementStatus" ], "regulatory_basis": "HIPAA Privacy Rule 45 CFR 164.508 (authorization); 45 CFR 164.514 (de-identification); HITECH Act", "rego_sketch": "package healthcare.phi\n\npermitted_training_methods := {\n \"safe_harbor_18_identifiers_removed\",\n \"expert_determination_statistical\",\n \"synthetic_data_generation\",\n \"federated_learning_no_data_leaves\"\n}\n\ndeny[msg] {\n input.healthcare_phi_handling_action == \"use_for_ai_training_de_identified\"\n not input.healthcare_phi_deidentification_method in permitted_training_methods\n msg := sprintf(\"HIPAA 164.514 violation: De-identification method '%v' does not satisfy HIPAA Safe Harbor or Expert Determination requirements for model training\", [input.healthcare_phi_deidentification_method])\n}\n\ndeny[msg] {\n input.healthcare_phi_handling_action == \"use_for_ai_training_with_authorization\"\n not input.patient_authorization_on_file == true\n msg := \"HIPAA 164.508 violation: Using PHI for AI model training without specific written patient authorization\"\n}" }, { "pattern_id": "healthcare.fda_samd_block_change_outside_pccp_scope", "pattern_name": "fda_samd_block_change_outside_pccp_scope", "enforcement_effect": "deny", "description": "Block deployment of an AI-enabled medical device software update that falls outside the approved PCCP scope, requiring a new FDA marketing submission before the change can be deployed.", "applicable_enums": [ "FDASaMDRiskClassification", "PCCPModificationCategory" ], "regulatory_basis": "FDA PCCP Final Guidance (December 2024); FDA Draft Guidance AI-DSF (January 2025); 21 USC §360e", "rego_sketch": "package healthcare.fda_samd\n\noutside_pccp_scope := {\n \"new_indication_outside_pccp_scope\",\n \"new_patient_population_outside_pccp_scope\",\n \"safety_effectiveness_impacting_change\",\n \"algorithm_architecture_change_major\"\n}\n\ndeny[msg] {\n input.healthcare_fda_samd_risk_class != \"non_device_software_cds_exempt\"\n input.healthcare_fda_samd_pccp_modification_category in outside_pccp_scope\n msg := sprintf(\"FDA PCCP violation: Modification category '%v' is outside approved PCCP scope. New 510(k)/De Novo/PMA marketing submission required before deployment.\", [input.healthcare_fda_samd_pccp_modification_category])\n}" }, { "pattern_id": "healthcare.hipaa_baa_gate_for_phi_sharing", "pattern_name": "hipaa_baa_gate_for_phi_sharing", "enforcement_effect": "deny", "description": "Block any agentic tool call that would transmit or store PHI with a third-party vendor whose Business Associate Agreement is not active and current.", "applicable_enums": [ "PHIDataHandlingAction", "BusinessAssociateAgreementStatus" ], "regulatory_basis": "HIPAA 45 CFR 164.504(e) — BAA requirements; HITECH Section 13401 — direct BA liability", "rego_sketch": "package healthcare.hipaa\n\nphi_sharing_actions := {\n \"transmit_to_business_associate\",\n \"transmit_cross_border\",\n \"store_data_warehouse\"\n}\n\nvalid_baa_statuses := {\"baa_executed_active\"}\n\ndeny[msg] {\n input.healthcare_phi_handling_action in phi_sharing_actions\n not input.healthcare_baa_status in valid_baa_statuses\n msg := sprintf(\"HIPAA 164.504(e) violation: PHI cannot be transmitted to vendor — BAA status is '%v'. Valid BAA required before any PHI sharing.\", [input.healthcare_baa_status])\n}" }, { "pattern_id": "healthcare.require_adverse_event_escalation_for_serious_samd_events", "pattern_name": "require_adverse_event_escalation_for_serious_samd_events", "enforcement_effect": "require_hitl_approval", "description": "Block automated closure of a patient safety event involving a SaMD/AI-enabled medical device classified as severe, life-threatening, or fatal without mandatory FDA adverse event report preparation.", "applicable_enums": [ "AdverseEventSeverity", "PatientSafetyEventCategory", "FDASaMDRiskClassification" ], "regulatory_basis": "FDA 21 CFR Part 803 — Medical Device Reporting; FDA 21 CFR 803.50 — device manufacturer 30-day MDR; FDA 21 CFR 803.53 — 5-day MDR for device malfunction likely to cause serious injury", "rego_sketch": "package healthcare.patient_safety\n\nfda_reportable_severities := {\"severe\", \"life-threatening\", \"fatal\"}\n\nfda_regulated_risk_classes := {\n \"class_ii_moderate_risk_510k\",\n \"class_ii_moderate_risk_de_novo\",\n \"class_iii_high_risk_pma\",\n \"predetermined_change_control_plan_pccp\"\n}\n\ndeny[msg] {\n input.healthcare_adverse_event_severity in fda_reportable_severities\n input.healthcare_fda_samd_risk_class in fda_regulated_risk_classes\n input.device_involved == true\n input.fda_mdr_report_status != \"prepared_pending_submission\"\n msg := sprintf(\"FDA 21 CFR 803 violation: SaMD adverse event with severity '%v' requires Medical Device Report (MDR) preparation before case closure\", [input.healthcare_adverse_event_severity])\n}" } ] }, "agent_registry_fields": { "description": "Recommended fields for registering a healthcare-domain agentic AI system in the GRC portal. Supplements the core agent identity schema from 00_core_sdk_and_governance.json.", "fields": [ { "field": "hipaa_covered_entity_type", "type": "string", "description": "Whether this agent operates as part of a covered entity (health plan, healthcare provider, clearinghouse) or business associate. Determines HIPAA direct liability. Use values such as covered_entity_health_plan, covered_entity_provider, covered_entity_clearinghouse, business_associate, or subcontractor_business_associate.", "required_when": "All agents handling PHI" }, { "field": "baa_executed_with_vendor", "type": "boolean", "description": "True if a current, signed Business Associate Agreement is in place with the AI vendor. Required before PHI can be processed by the agent.", "required_when": "All agents where the AI platform vendor is a business associate" }, { "field": "fda_samd_class", "type": "enum", "enum_ref": "FDASaMDRiskClassification", "description": "FDA SaMD risk classification if this agent qualifies as an AI-enabled device software function. Drives PCCP and marketing submission obligations.", "required_when": "Diagnostic AI, clinical decision support AI that is not 21st Century Cures CDS-exempt" }, { "field": "pccp_approved", "type": "boolean", "description": "True if this AI-enabled medical device has an approved Predetermined Change Control Plan per FDA PCCP Final Guidance (December 2024).", "required_when": "FDA-regulated AI/ML SaMD" }, { "field": "cms_0057_f_pa_api_compliant", "type": "boolean", "description": "True if this PA agent supports the CMS-mandated Prior Authorization FHIR API per CMS-0057-F. API deadline: January 1, 2027.", "required_when": "All payer PA agents for Medicare Advantage, Medicaid, and ACA plans" }, { "field": "fhir_version", "type": "string", "description": "The HL7 FHIR version this agent's data exchange is based on. CMS-0057-F requires FHIR R4.0.1 at minimum for mandated APIs. Supported values include R4.0.1, R4B, R5, and R6_ballot.", "required_when": "All agents participating in FHIR-based data exchange" }, { "field": "clinical_decision_support_cds_hooks_enabled", "type": "boolean", "description": "True if this agent delivers clinical decision support via the HL7 CDS Hooks standard required by ONC HTI-1 Final Rule.", "required_when": "CDS agents integrated with certified EHR technology" }, { "field": "ambient_documentation_patient_consent_obtained", "type": "boolean", "description": "True if patient consent has been obtained for ambient AI recording per applicable state two-party consent law.", "required_when": "AI ambient documentation (scribe) agents in two-party consent states" } ] } }