HSCC CWG · April 2026

AI Vendor Transparency Package

MyRxWallet's complete disclosure to health system procurement teams. Mapped to the HSCC CWG 7-Phase AI Vendor Lifecycle, NIST AI RMF, HIC-SCRiM, and HICP. Every question answered before you ask it.

Framework Compliance
Every standard the HSCC AI Task Group will evaluate
๐Ÿ›๏ธ
NIST AI RMF
Govern ยท Map ยท Measure ยท Manage
โœ“ IMPLEMENTED
๐Ÿฅ
HIPAA Security Rule
Administrative ยท Technical ยท Physical
โœ“ EXCEEDS
โšก
HICP 2024
Critical Practices 1โ€“10
โœ“ COMPLIANT
๐Ÿ”—
HIC-SCRiM
Supply Chain Risk
โœ“ LIVE MODULE
๐Ÿ“‹
HL7 FHIR R4
ONC (g)(10) Inferno 317/317
โœ“ CERTIFIED
๐Ÿ›ก๏ธ
42 CFR Part 2
SUD Consent Enforcement
โœ“ ENFORCED
Where the Sector Is. Where We Are.
Source: 2025 Healthcare Cybersecurity Benchmarking Study — Censinet/AHA/HSCC/KLAS/Health-ISAC
100% — Our NIST AI RMF (sector avg: 31%)
100% — Supply Chain Coverage (sector avg: 52%)
317/317 — Inferno Sub-Tests, FULL PASS April 2026
Zero — PHI on MyRxWallet Servers (ZK Architecture)
HSCC 7-Phase AI Vendor Lifecycle Response
Every phase of the Health Industry Third-Party AI Risk & Supply Chain Transparency Guide (April 2026) — answered

What This Document Is

The HSCC CWG AI Task Group published this 7-phase framework in April 2026 for use by 480+ member health systems evaluating AI vendors. Every health system CIO, CISO, and procurement team will use it. MyRxWallet is the first AI-native EHR to pre-map every requirement before being asked. Use this document in your vendor due diligence review.

1. Use Case Justification
HSCC requirement: Can the vendor prove clinical value? Patient outcomes data? Risk-benefit analysis?
MyRxWallet answer:
ONC-certified patient-controlled health record with real-time drug interaction checks (NLM RxNav), DSCSA drug provenance verification (FDA openFDA), and FDA recall alerts. Clinical value = patient safety, not productivity theater. Patient Data Royalty marketplace incentivizes data quality. Trial participants tracked via Clinical Trial NFT (FDA 21 CFR 312 + ICH GCP E6).

2. Vendor Due Diligence
HSCC requirement: SOC 2 Type II? HIPAA BAA availability? AI usage disclosure? Sub-processor list?
MyRxWallet answer:
✓ BAA available immediately — email info@myrxwallet.io
✓ SOC 2 Type II — bundled with Schellman audit engagement (in progress)
✓ ONC Certified Developer — Inferno 317/317 PASS, April 2026
✓ CAGE Code: 9VNZ7 · UEI: RKYFJECN9GL3 · EIN: 99-2045560
✓ Sub-processors: Zero third-party AI APIs touch PHI. Our AI (Sentinel) runs on-premises on our own VPS. NLM RxNav and FDA openFDA are government APIs (public drug data only).
✓ Zero-knowledge architecture: a MyRxWallet server breach cannot expose patient PHI.

3. Contract Negotiation
HSCC requirement: AI liability terms? SLAs? Data ownership clauses? Audit rights?
MyRxWallet answer:
✓ Data ownership: Patient-owned NFT architecture — patients own their data, not us
✓ SLA: 99.9% uptime target, nginx + systemd watchdog on DigitalOcean VPS
✓ AI liability: Sentinel AI decisions are advisory only; clinical decisions remain with licensed providers
✓ Audit rights: Full FHIR R4 audit log at /api/v1/fhir/r4/AuditEvent
✓ FHIR export: Patient data exportable at any time via $export (HL7 Bulk Data IG v2.0.0)

4. Implementation
HSCC requirement: Onboarding documentation? Staff training? Integration testing?
MyRxWallet answer:
✓ API documentation: myrxwallet.io/developer.html — sandbox keys issued instantly
✓ SMART on FHIR App Launch 2.0.0 — any FHIR-compatible EHR connects in minutes
✓ CCD/C-CDA importer — patients self-import from any existing EHR
✓ CMS Blue Button + Payer API OAuth integration — automated data pull
✓ TEFCA/QHIN application submitted — Health Gorilla pathway
✓ Staff training: role-based portal (Admin/Provider/Patient) with contextual tooltips

5. Ongoing Monitoring
HSCC requirement: Sentinel/monitoring system? Audit logs? Anomaly detection?
MyRxWallet answer:
✓ MyRx-Sentinel AI Agent v2.0 — real-time HIPAA violation detection, screenshot guard, incident log
✓ Drug recall monitoring — FDA openFDA webhook integration
✓ Anomaly detection — AI daily ops agent flags abnormal lab values, drug interactions
✓ MyRx Identity Guard — breach monitoring (HIBP integration), medical ID theft detection
✓ On-chain audit trail — Hyperledger Fabric 2.5, tamper-evident, 4 channels

6. Incident Response
HSCC requirement: Documented IR plan? AI-specific incident types? Breach notification timeline?
MyRxWallet answer:
✓ Zero-knowledge architecture: server breach = no PHI exposed (HIPAA breach threshold not met)
✓ NFT instant lock — patient can lock their health record with one tap in an emergency
✓ Sentinel incident log — every HIPAA violation attempt logged with incident ID
✓ HIPAA 60-day breach notification timeline supported — built into incident workflow
✓ MyRx-DAO Governance — Sentinel AI operates under defined governance rules even during incidents

7. End-of-Life Transition
HSCC requirement: Data portability? FHIR export? Offboarding plan?
MyRxWallet answer:
✓ FHIR Bulk Data $export — all patient data exportable as NDJSON in one API call
✓ CCD/C-CDA format export available
✓ Patient owns NFT — data access follows the patient, not the contract
✓ No data lock-in: zero proprietary formats, all USCDI v3 compliant fields
✓ GDPR Art. 17 Right to Erasure — Medical Records Sharding module supports cryptographic erasure
Zero-Knowledge Architecture — Why a Breach Is Not a HIPAA Breach
The HSCC CWG "Secure by Design and Default" standard for third-party vendors — we built it first

Legacy EHR Architecture
PHI storage: Plaintext in vendor DB
Server breach result: HIPAA breach — notify patients
Encryption: At-rest only
Data owner: Vendor
Supply chain risk: Any sub-processor breach = exposure
AI audit trail: Vendor-controlled logs

MyRxWallet Zero-Knowledge Architecture
PHI storage: AES-256-GCM encrypted, patient-keyed
Server breach result: Ciphertext only — not a HIPAA breach
Encryption: Field-level + HKDF-SHA256 key derivation
Data owner: Patient (NFT-bound)
Supply chain risk: Drug Provenance NFT — lot-level tracking
AI audit trail: Hyperledger Fabric — immutable, on-chain
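The comparison above names the building blocks of the zero-knowledge design: patient-keyed AES-256-GCM at field level, with per-field keys derived by HKDF-SHA256. The Go code below is an added illustration of that pattern, written for this page and not MyRxWallet's own code; the salt/info layout ("patient:<id>" and "field:<name>"), the nonce || ciphertext || tag record layout and the use of the field name as associated data are assumptions of the example, not details the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// fieldKey derives a distinct AES-256 key per (patient, field) from the patient-held
// master key via HKDF-SHA256 (RFC 5869, first output block); the server never holds masterKey.
func fieldKey(masterKey []byte, patientID, field string) []byte {
	extract := hmac.New(sha256.New, []byte("patient:"+patientID)) // salt = patient ID
	extract.Write(masterKey)
	expand := hmac.New(sha256.New, extract.Sum(nil)) // keyed with the PRK
	expand.Write([]byte("field:" + field))           // info = field name
	expand.Write([]byte{0x01})                       // T(1) = HMAC(PRK, info || 0x01)
	return expand.Sum(nil)
}

// gcmFor wraps the derived key in AES-256-GCM (a 32-byte key and the AES block size never fail construction).
func gcmFor(masterKey []byte, patientID, field string) cipher.AEAD {
	block, _ := aes.NewCipher(fieldKey(masterKey, patientID, field))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// sealField encrypts one record field as nonce || ciphertext || tag. The field name
// is bound as associated data, so a ciphertext moved to another column will not open.
func sealField(masterKey []byte, patientID, field string, plaintext []byte) ([]byte, error) {
	gcm := gcmFor(masterKey, patientID, field)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(field)), nil
}

// openField reverses sealField; a modified ciphertext, wrong field name or wrong
// patient ID fails GCM authentication and yields an error, never plaintext.
func openField(masterKey []byte, patientID, field string, sealed []byte) ([]byte, error) {
	gcm := gcmFor(masterKey, patientID, field)
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed field too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], []byte(field))
}
```

What the stored database holds is only the output of sealField, and without the patient's master key no server-side component can turn it back into plaintext. Rotating or wiping the master key makes every field sealed under it unreadable, which is the cryptographic-erasure property the End-of-Life phase refers to.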
AI System Disclosure
Full transparency on every AI component — per NIST AI RMF Govern 1.7 requirement

MyRx-Sentinel
Function: Health monitoring, drug interactions, recall alerts, anomaly detection
Training data: NLM RxNav (government API), FDA openFDA (government API) — no patient PHI used for training
Output type: Advisory alerts only
Human override: ✓ Always — provider reviews all alerts
Bias controls: Government data sources only; no proprietary training sets

Identity Verification Agent
Function: Document + selfie confidence scoring for patient enrollment
Training data: Confidence threshold algorithm (≥75% required). No facial recognition database.
Output type: Approve/flag/reject
Human override: ✓ Always — flagged cases go to admin review
Bias controls: Threshold-based, not ML model dependent

MyRx-Score Engine
Function: Patient health engagement scoring (300–850 scale)
Training data: Patient's own health data only — no external benchmarking datasets
Output type: Engagement score (not clinical diagnosis)
Human override: ✓ Always — advisory only, not used for clinical decisions
Bias controls: Score is patient-relative, not compared to demographic cohorts

Daily Ops Agent
Function: Scheduling optimization, anomaly detection, platform health
Training data: Platform operational data only (not patient clinical data)
Output type: System alerts and admin notifications
Human override: ✓ Always
Bias controls: No demographic variables in operational models
Ready to onboard?
We respond to enterprise inquiries within 24 hours. BAA, pilot agreement, and SOC 2 bridge letter available on request.
info@myrxwallet.io · 702.546.8686 · CAGE: 9VNZ7 · UEI: RKYFJECN9GL3 · EIN: 99-2045560
© 2026 MyRxWallet North America Corporation · MyRxWallet® is a registered trademark · All AI systems advisory only — not a substitute for licensed clinical judgment