Medical & Healthcare AI

AI for medical operations that won't end up as an OCR enforcement action.

HIPAA-grade PHI detection and tokenization. 21 CFR Part 11 WORM audit trail. FDA SaMD-aware routing. BAA-ready posture before your first query runs.


Every layer of the stack. Not just the checkbox.

Minimum compliance is how you get OCR investigations and FDA warning letters. We exceed the minimums — by design, not accident.


HIPAA Privacy & Security Rule

Administrative, physical, and technical safeguards enforced at the agent layer. PHI never traverses the model in raw form — tokenized before request, re-hydrated in audit-only context.

45 CFR §§ 164.302–164.318

21 CFR Part 11 Audit Trail

Electronic records and signatures with SEC 17a-4-style WORM immutability. Every query, every response, every gate decision is timestamped, hashed, and tamper-evident from minute one.

21 CFR Part 11.10, 11.50

FDA SaMD-Aware Routing

Software as a Medical Device detection built into the routing layer. Intents that cross into clinical decision support are flagged, logged, and routed to the medical-auditor agent pool before response.

IMDRF SaMD N10, FDA AI/ML Action Plan

HITECH Breach Notification Posture

PHI access is logged at the individual identifier level. Breach notification timelines (60-day rule) are supported by audit log granularity — every PHI touch traceable to request, agent, and timestamp.

HITECH Act § 13402, 45 CFR § 164.400

EU MDR Awareness

For EU customers: agent routing respects the EU Medical Device Regulation (2017/745) classification framework. High-risk classifications under the EU AI Act are handled with the same exceed-the-minimum posture.

EU MDR 2017/745, EU AI Act Art. 113

BAA-Ready Infrastructure

Business Associate Agreement executed before your first production query. Data processing boundaries, subprocessor chains, and breach notification obligations documented and signed — not assumed.

45 CFR § 164.504(e)

PHI injection attempt. MARCH gate fires. You see why.

A simulated chart-review intent tries to extract protected health information. Watch the MARCH gate intercept it — with a full Transparency Card showing the audit trail.

Medical Adversarial Probe — MARCH Gate
Simulated chart-review intents with PHI leakage attempts

We don't meet the bar. We move past it.

Compliance theater is building to the minimum and hoping no one looks closely. Here's where we exceed it — specifically.

Area | Regulatory minimum | Sturna posture
Encryption | HIPAA requires "addressable" encryption | AES-256-GCM at rest + TLS 1.3 in transit. Non-negotiable.
Audit Retention | HIPAA mandates 6-year retention | Retained beyond minimums with WORM immutability — no deletion, no overwrite.
Audit Immutability | 21 CFR Part 11 requires audit trail | SEC 17a-4-style WORM. Hash-chained entries. Tamper-evident by construction.
PHI Handling | HIPAA requires de-identification or minimum necessary | PHI tokenized before model contact. Re-hydration restricted to audit-only contexts.
SaMD Classification | FDA guidance suggests classification review | Automatic SaMD-boundary detection at routing layer. Clinical decision intents flagged before response.
BAA Execution | HIPAA requires BAA before PHI processing | BAA executed at pilot kickoff, before first query. Subprocessor chain documented.

Three gates. Every query. Full audit trail after each.

Not a post-hoc review. Not a periodic scan. Every query traverses all three gates in sequence — or it doesn't get a response.

1. PHI / MARCH Gate
Scans the inbound intent for Protected Health Information and clinical decision support boundary crossings. PHI is tokenized; SaMD intents are flagged and routed to the medical-auditor agent pool.
Artifact: MARCH_GATE_INTERCEPT_LOG — every intercept timestamped, hash-signed, and retained immutably.

2. Corpus Grounding
Response grounded against the medical regulatory corpus: HIPAA, 21 CFR Part 11, FDA SaMD guidance, IMDRF framework, EU MDR. Unverifiable clinical claims are refused, not softened.
Artifact: GROUNDING_SCORE_CARD — sources cited, confidence scored, evidence linked for every response.

3. Immutable Audit Emit
Every query-response pair — including blocked ones — is written to the 21 CFR Part 11 WORM audit log. Timestamped, hash-chained, and readable by your compliance officer without re-running anything.
Artifact: PART11_AUDIT_ENTRY — gate verdict, agent identity, latency, grounding evidence, and PHI tokenization map.

30-Day Medical Pilot

Run real clinical intents. See the compliance stack work.

Dedicated medical-auditor agent pool provisioned on day 1. PHI tokenization, MARCH gate, 21 CFR Part 11 WORM audit, and BAA all active before your first production request.

  • MARCH gate + PHI tokenization active from kickoff
  • Dedicated medical-auditor agent pool (10 specialized agents)
  • 21 CFR Part 11 WORM audit trail — every query logged
  • BAA executed before first production query
  • FDA SaMD-aware routing pre-configured
  • Deposit credits month 1 — no lock-in after 30 days
$2,500: 30-day pilot deposit, credited to month 1
  • Full credit toward subscription
  • Stripe-secured, AES-256-GCM encrypted
  • BAA executed at kickoff, not after
  • Pro-rated refund if you cancel at 30 days

Primary document grounding.

  • 45 CFR Parts 160, 162, 164 (HIPAA Privacy + Security Rules): administrative, physical, and technical safeguard requirements for PHI handling.
  • 21 CFR Part 11 (Electronic Records / Signatures): FDA requirements for electronic audit trails, system validation, and access controls.
  • IMDRF SaMD N10 (FDA SaMD Framework): IMDRF classification framework for Software as a Medical Device, adopted by the FDA AI/ML Action Plan.
  • HITECH Act § 13402 (Breach Notification): 60-day breach notification requirements and the audit log granularity needed to support them.
  • EU MDR 2017/745 (EU Medical Device Regulation): classification framework and clinical evaluation requirements for EU medical device software.
  • 45 CFR § 164.504(e) (Business Associate Agreements): BAA requirements, permitted uses, safeguard obligations, and breach reporting timelines.

FAQ

Is Sturna itself a covered entity or business associate under HIPAA?
Sturna acts as a Business Associate when processing PHI on behalf of covered entities. A BAA is executed at pilot kickoff — before any production PHI is processed. We do not self-certify as a covered entity, but our infrastructure, contractual obligations, and audit posture are designed to meet BA requirements under 45 CFR § 164.504(e).
How does PHI tokenization work without breaking clinical context?
PHI identifiers (name, DOB, MRN, SSN, etc.) are replaced with reversible tokens before the query reaches the model. The model operates on de-identified clinical context. Tokenization keys are held in a separate secure store — the model never sees raw PHI. For audit-only re-hydration (compliance officer review), tokens are resolved in a logged, access-controlled context.
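The tokenization answer above and the hash-chained audit emit described under the three gates can be modelled in a few dozen lines. This is an added illustration, not Sturna's code: a token vault that strips PHI before any model contact and records every audit-only re-hydration, and an append-only log in which each entry commits to the previous entry's hash, so editing or deleting an earlier entry fails verification. The identifier patterns (the MRN format especially), the token format and the record fields are constructed assumptions for the demo.

```python
import hashlib, json, re
from datetime import datetime, timezone

# Constructed identifier patterns for the demo; the MRN format is an assumption.
PHI_PATTERNS = {"MRN": re.compile(r"\bMRN\d{6}\b"),
                "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                "DOB": re.compile(r"\b\d{2}/\d{2}/\d{4}\b")}

def _digest(body):
    # Canonical JSON so the same content always yields the same hash.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TokenVault:
    """Separate store holding token -> PHI. The model only ever sees the token
    text; re-hydration goes through the vault and is recorded every time."""
    def __init__(self):
        self._map, self.rehydrations = {}, []
    def tokenize(self, text):
        # Replace each distinct PHI value with a reversible token before model contact.
        for kind, pat in PHI_PATTERNS.items():
            for value in dict.fromkeys(pat.findall(text)):
                tok = f"[[{kind}_{len(self._map) + 1}]]"
                self._map[tok] = value
                text = text.replace(value, tok)
        return text
    def rehydrate(self, text, actor, purpose):
        # Audit-only path: who resolved the tokens, and why, is itself recorded.
        self.rehydrations.append({"actor": actor, "purpose": purpose})
        for tok, value in self._map.items():
            text = text.replace(tok, value)
        return text

class HashChainedLog:
    """Append-only audit log where each entry commits to the previous entry's
    hash, so changing or deleting any earlier entry breaks verification."""
    def __init__(self):
        self.entries = []
    def append(self, record, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"ts": ts or datetime.now(timezone.utc).isoformat(), "prev": prev, **record}
        body["hash"] = _digest(body)  # hash covers ts, prev link and the record
        self.entries.append(body)
        return body["hash"]
    def verify(self):
        # True only if every entry's hash matches its content and its prev link.
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or _digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

A real deployment would keep the vault's key material in a separate service and write the log to storage that enforces WORM retention; the chain only makes tampering detectable, it does not prevent it.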
What triggers the FDA SaMD flag? Does it block diagnostic use entirely?
The SaMD boundary detector fires when an intent crosses from "information retrieval" into "clinical decision support" — e.g., requests for diagnosis, treatment recommendations, or prognosis. When triggered, the intent is routed to the medical-auditor agent pool with an elevated grounding threshold and explicit flagging in the audit log. It doesn't block the response; it forces a higher evidence bar and a transparent audit record of the SaMD classification decision.
Does the 21 CFR Part 11 audit trail satisfy FDA system validation requirements?
The audit trail is designed to meet Part 11 requirements: tamper-evident records, controlled access, audit log integrity, and electronic signature attribution. System validation documentation (IQ/OQ/PQ equivalent) is provided as part of the pilot package. Whether this satisfies your specific validation protocol depends on your QMS — we provide the artifacts, your QA team signs off.
What happens at the end of the 30-day pilot?
You review 30 days of audit logs, gate decisions, and grounding scores with your compliance lead. If you convert to a full contract, the $2,500 deposit credits month 1. If you don't, you receive a pro-rated refund for unused days. No lock-in, no pressure — the pilot exists to demonstrate value, not manufacture it.