docs(healthcare): add US FDA, UK NHS, and Singapore MOH regulatory variants (#24)
Merged
…ry variants

Three new subdirectories each contain a Cedar policy file and a TRACE Trust Record showing how cMCP + TRACE maps to jurisdiction-specific regulatory requirements:

- us-fda-samd/: cleared-scope enforcement, HIPAA attestation, FDA SaMD Action Plan 2021 and 21 CFR Part 820
- uk-nhs/: UK GDPR Art. 22 clinician-review gate, NHS DSPT token, UK data residency (uk-south)
- sg-moh/: IMDA AI Governance Framework Tier 1/2 consequential-decision gate, PDPA consent reference enforced at call layer, Singapore data residency (ap-southeast-1)

healthcare/README.md gains a Regulatory Variants index table.
3e9cd10 to d1d1f6e
Summary
Adds three jurisdiction-specific policy + TRACE record variants to the healthcare demo, showing how the same cMCP + TRACE architecture maps to different regulatory frameworks. The Cedar policy rules and TRACE record fields change per jurisdiction; the runtime architecture does not.
- us-fda-samd/
- uk-nhs/
- sg-moh/

Updates the healthcare README with a variant index table.
What each variant includes
- policy/<name>.cedar -- Cedar policy bundle with jurisdiction-specific forbid rules and @regulation annotations
- trace-output/example-<name>-trust-record.json -- TRACE Trust Record with runtime.region, runtime.provider, and compliance_domains_touched set for that jurisdiction
- README.md -- what the policy enforces, key TRACE fields for that regulator, and a cross-reference table

Key policy differences
- us-fda-samd: out-of-scope-modality forbid rule blocks inference on imaging types outside the device's cleared indication of use -- unique to this jurisdiction
- uk-nhs: NHS DSPT token enforced as a policy rule (dspt-required forbid), not just a configuration check; UK GDPR Art. 22 uses a "clinical significance" field rather than EU's risk-category model
- sg-moh: imda_tier is an explicit context field on every call; Tier 1 (consequential) requires a human_review_token unconditionally; PDPA consent reference enforced at call time, not just data collection

Relationship to existing demo
The base demo (healthcare/README.md) covers EU AI Act Art. 14 + HIPAA and remains unchanged. These variants are additive subdirectories following the same file structure.