    Legal, Risk and Compliance

    Information about our compliance standards, certifications, controls and data protection practices

    Certification Overview

    Elderwise is committed to achieving and maintaining compliance with key industry certifications. Our strategic roadmap outlines our journey toward full certification, with timelines tailored to the complexity and requirements of each standard.

    Certification Strategy & Timeline

    Compliance Roadmap

    Elderwise follows a structured approach to compliance certifications with timelines tailored to each standard's complexity. We prioritize certifications based on market requirements and technical complexity, with our most comprehensive certifications (HITRUST) targeted for Q3 2026, while more focused certifications like ISO 27001 are targeted for completion by Q1 2026.

    Certification Process

    Documentation Phase

    Creation of policies, procedures, and controls documentation

    Gap Analysis

    Assessment of current practices against certification requirements

    Implementation

    Deploying necessary controls and remediation activities

    Internal Audit

    Verification of control effectiveness before external assessment

    External Assessment

    Official certification audit by accredited third parties

    Certification

    Receipt of formal certification and continuous monitoring

    Current Implementation Status

    While formal certifications are in progress, Elderwise has already implemented key security and privacy controls aligned with healthcare standards. Our approach follows industry-standard continuous compliance methodology, emphasizing automated evidence collection, regular assessments, and security by design.

    Pre-certification Assurances

    We provide interim compliance documentation to customers, including security questionnaire responses, SOC 2 readiness assessments, and draft BAAs/DPAs while formal certification is underway.

    Continuous Compliance Monitoring

    Following compliance best practices, Elderwise employs continuous monitoring tools to automatically detect and remediate compliance drift, ensuring our systems maintain compliance between formal assessment periods.

    Elderwise Healthcare Standards and Compliance

    Last Updated: 2025-09-27
    HIPAA
    Target: Operational

    Health Insurance Portability and Accountability Act (HIPAA)

    U.S. healthcare privacy and security law governing PHI.

    Relevance in Healthcare:

    U.S. healthcare privacy and security requirements governing PHI handling by covered entities and business associates.

    Key Requirements:

    • Business Associate Agreements (BAAs)
    • Role-based access and MFA
    • Audit logging and monitoring
    • Minimum necessary access
    • Encryption in transit and at rest
    • Breach notification procedures
    • Periodic risk assessments and workforce training

    How Elderwise Complies:

    BAAs in place with processors, enforced RBAC/MFA/SSO, centralized audit logs, least-privilege defaults, AES-256/TLS 1.3 encryption, incident response runbooks, and recurring HIPAA training.

    GDPR
    Target: Operational

    EU General Data Protection Regulation (GDPR)

    EU data protection regulation covering lawful processing and data subject rights.

    Relevance in Healthcare:

    EU/EEA framework for data protection, lawful processing, and data subject rights.

    Key Requirements:

    • Lawful basis and consent management
    • Data subject rights (access, erasure, portability)
    • Data Processing Agreements
    • Data Protection by Design and by Default
    • Records of processing activities
    • International transfer safeguards

    How Elderwise Complies:

    Consent capture and audit trails, DPA addenda with vendors, privacy-by-design reviews, DSR workflows, and transfer impact assessments where applicable.

    PDPA
    Target: Operational

    Personal Data Protection Act (PDPA, Singapore)

    Singapore data protection law emphasizing consent and purpose limitation.

    Relevance in Healthcare:

    Singapore data protection obligations for consent, purpose limitation, notification, and access/correction.

    Key Requirements:

    • Consent and notification
    • Purpose limitation
    • Access and correction rights
    • Protection and retention limits
    • Data breach notification

    How Elderwise Complies:

    Localized consent statements, retention schedules, access/correction channels, and breach notification procedures aligned with PDPC guidance.

    ISO27001
    Target: Q2 2026

    ISO/IEC 27001 Information Security Management System

    International ISMS standard for managing information security risk.

    Relevance in Healthcare:

    International standard for establishing, implementing, maintaining, and continually improving an ISMS.

    Key Requirements:

    • Risk management program
    • ISMS governance and documentation
    • Security controls per Annex A
    • Continual improvement cycle

    How Elderwise Complies:

    Formal ISMS scope definition, risk register, policies and control mapping, internal audits, and readiness for certification.

    SOC2
    Target: Q2 2026

    SOC 2 Type II (Security, Availability, Confidentiality)

    Attestation of security control effectiveness over a period (Type II).

    Relevance in Healthcare:

    Attestation of control effectiveness over a review period per the AICPA Trust Services Criteria.

    Key Requirements:

    • Documented policies and procedures
    • Security monitoring and alerting
    • Change and incident management
    • Vendor risk management

    How Elderwise Complies:

    Control mapping to the TSC, evidence collection automation, continuous monitoring, quarterly control testing, and external audit readiness.

    HITRUST
    Target: 2026

    HITRUST CSF

    Healthcare-focused certifiable security framework harmonizing multiple standards.

    Relevance in Healthcare:

    Healthcare-focused certifiable framework harmonizing HIPAA, ISO, NIST, and other requirements.

    Key Requirements:

    • Risk-based control selection
    • Policy/procedure implementation
    • Validation and scoring
    • External assessment

    How Elderwise Complies:

    Scope definition for PHI systems, control inheritance where applicable, and staged readiness toward a validated assessment.

    HSA
    Target: Q2 2026

    Singapore HSA Guidance (Medical Technologies)

    Singapore HSA guidance for medical technologies and software.

    Relevance in Healthcare:

    Regulatory guidance for medical device software and health tech solutions in Singapore.

    Key Requirements:

    • Risk classification and documentation
    • Quality management alignment
    • Clinical and cybersecurity considerations

    How Elderwise Complies:

    Alignment with HSA advisories, documentation of intended use and risk controls; leveraging ISO 14971/IEC 62304 where applicable.

    HITECH
    Target: Q1 2026

    HITECH Act (Breach Notification)

    U.S. breach notification and enforcement enhancements to HIPAA.

    Relevance in Healthcare:

    Strengthens HIPAA with breach notification duties, reporting thresholds, and enforcement provisions.

    Key Requirements:

    • Breach risk assessment
    • Timely notifications
    • Media and HHS reporting thresholds

    How Elderwise Complies:

    Incident response runbooks, evidence preservation, and decision trees for materiality and reporting timelines.

    FHIR
    Target: Operational

    HL7 FHIR (Interoperability)

    Modern interoperability standard for structured clinical data exchange.

    Relevance in Healthcare:

    Modern healthcare interoperability standard for structured clinical data exchange over RESTful APIs.

    Key Requirements:

    • FHIR resources and profiles
    • RESTful APIs and conformance
    • Security and authorization (SMART on FHIR)

    How Elderwise Complies:

    FHIR-first data modeling for core entities, versioned profiles, and OAuth 2.0/OpenID Connect for secure access.

    HL7
    Target: Operational

    HL7 v2/v3 Messaging

    Healthcare messaging standards used by EHRs and laboratories.

    Relevance in Healthcare:

    Legacy and current healthcare messaging standards widely used by EHRs and labs.

    Key Requirements:

    • Message formats and segments
    • ACK/error handling
    • Transport and security

    How Elderwise Complies:

    Adapters for HL7 v2.x integration where required, normalization to internal schemas, and secure transport.

    ISO13485
    Target: 2026

    ISO 13485 Medical Devices QMS

    Quality management system standard for medical devices.

    Relevance in Healthcare:

    Quality management standard for organizations involved in the medical device lifecycle.

    Key Requirements:

    • Documented QMS
    • Design and development controls
    • Risk management and traceability
    • Post-market surveillance

    How Elderwise Complies:

    Progressive QMS adoption for applicable software modules; alignment with regulatory pathways if device classification applies.

    ISO42001
    Target: 2026

    ISO/IEC 42001 AI Management System

    AI management system standard for responsible AI governance.

    Relevance in Healthcare:

    Framework for governing responsible AI systems across the lifecycle.

    Key Requirements:

    • AI risk management and controls
    • Data governance and transparency
    • Monitoring and continuous improvement

    How Elderwise Complies:

    Mapping of existing controls to AI risks, defined KPIs and documentation for transparency, and model governance workflows.

    Data Protection & Compliance

    Elderwise is committed to maintaining the highest standards of data protection and regulatory compliance in healthcare technology, with a progressive certification roadmap for completion between Q3 2025 and Q4 2026.

    Legal Documents & Compliance Materials

    • Request Business Associate Agreement (BAA)
    • Request Data Processing Agreement (DPA)
    • Request Security & Privacy Documentation
    • Request Compliance Attestation
    • Request Penetration Test Executive Summary

    Data Protection & Security Contacts

    Data Protection Officer: dpo@elderwise.ai

    EU Representative (Art. 27 GDPR): eu-rep@elderwise.ai

    APAC Representative: apac-rep@elderwise.ai

    Security Team: security@elderwise.ai

    Vulnerability Reporting: security-alerts@elderwise.ai

    Certification Roadmap

    Elderwise's phased certification timeline:

    • Q3 2025: FHIR & HL7 interoperability certifications
    • Q4 2025: GDPR compliance validation
    • Q2 2026: ISO 27001 certification (audit in progress)
    • February 2026: ISO 42001 (AI Management System) certification
    • Q2 2026: HIPAA, HITECH & HSA compliance assessments
    • Q3 2026: SOC 2 Type II & HITRUST CSF certifications
    • Q4 2026: ISO 13485 certification & continuous compliance monitoring

    Healthcare-Specific Security Features

    • Encryption in transit and at rest for all sensitive health information
    • Multi-factor authentication for healthcare provider access
    • Role-based access controls aligned with clinical workflows
    • Audit logging for all actions on protected health information
    • Secure API design for healthcare system integrations
    • Context-aware access controls for different care settings
    • Session timeout controls for clinical environments
    • Secure offline caching for emergency care scenarios

    Healthcare Infrastructure Security

    • Hosting in ISO 27001 certified data centers
    • Region-specific data residency options for regulatory compliance
    • Regular vulnerability scanning and penetration testing
    • Disaster recovery with 99.9% uptime commitment
    • Infrastructure as Code (IaC) for secure, consistent deployments
    • Network segmentation for clinical vs. administrative data
    • 24/7 infrastructure monitoring with healthcare-specific alerts
    • Continuous security control validation using automated tools

    Continuous Compliance Program

    • Automated compliance monitoring tools
    • Regular internal audits specific to healthcare requirements
    • Vendor security assessment program for all third parties
    • Compliance training for all staff, with healthcare-specific modules
    • Quarterly security steering committee with clinical stakeholders
    • Real-time compliance monitoring dashboard for leadership visibility
    • Automated evidence collection to streamline certification maintenance

    Healthcare Data Governance Framework

    Data Collection in Healthcare Context

    • Explicit consent mechanisms for patient data with healthcare-specific language
    • Transparent data collection purposes aligned with clinical needs
    • Minimized data collection following principles of medical necessity
    • Special handling procedures for sensitive medical categories
    • Patient-centric approach to data ownership and control

    Healthcare Data Retention

    • Retention policies aligned with medical record requirements by jurisdiction
    • Secure, compliant data archiving for long-term medical records
    • Automated data deletion when retention periods expire
    • Special provisions for pediatric and geriatric record retention
    • Data lifecycle management specific to clinical documentation standards

    Clinical Data Processing

    • Processing limited to intended healthcare purposes
    • Secure analytics for population health insights
    • De-identified data use for research and development
    • Validation processes for algorithm-assisted clinical reference tools
    • Secure federated learning techniques for model improvements

    Patient Data Rights

    • Patient access to personal health information
    • Correction mechanisms for inaccurate health data
    • Data portability between healthcare providers
    • Special handling for vulnerable populations and proxy access
    • Transparent record of all third-party data sharing

    Elderwise Healthcare Compliance Commitment:

    Our compliance strategy follows Vanta's recommended "security by design" principles, embedding healthcare compliance requirements into our development process from inception to deployment. We recognize that healthcare data security directly impacts patient outcomes and provider efficiency, so our approach integrates technical safeguards with clinical workflow considerations to create a secure environment that enhances rather than impedes care delivery. Our compliance program emphasizes both regulatory adherence and the ethical responsibility we have to protect sensitive health information.