# Blueprint Checklists

## Compliance Readiness Checklist

* [ ] Determine regulatory classification (FDA, MDR, or exempt)
* [ ] Identify applicable data privacy regulations (HIPAA, GDPR, CCPA)
* [ ] Engage regulatory counsel
* [ ] Begin technical documentation per applicable standards
* [ ] Implement HIPAA-compliant infrastructure
* [ ] Execute BAAs with all vendors handling PHI
* [ ] Conduct Data Protection Impact Assessment (DPIA)
* [ ] Establish Quality Management System (QMS)
* [ ] Appoint Data Protection Officer (DPO) if required

## Design Review Checklist

* [ ] Patient safety review: Can any interaction lead to clinical harm?
* [ ] Health literacy review: Can a user with low health literacy understand this?
* [ ] Accessibility review: WCAG 2.2 AA compliance verified
* [ ] Privacy review: Data minimization and consent flows validated
* [ ] Error prevention review: Are critical errors prevented, not just recoverable?
* [ ] Multi-stakeholder review: Tested with patients, clinicians, and administrators
* [ ] Regulatory review: Design aligns with regulatory requirements

## Pre-Launch Checklist

* [ ] Clinical validation data collected and analyzed
* [ ] Regulatory clearance/approval obtained
* [ ] HIPAA compliance verified (audit logs, encryption, access controls)
* [ ] Security penetration test completed
* [ ] BAAs executed with all partners
* [ ] Insurance coverage secured (cybersecurity, professional liability)
* [ ] Pricing and reimbursement strategy defined
* [ ] Customer support system operational
* [ ] Monitoring and alerting configured
* [ ] Incident response plan documented

## Security Audit Checklist

* [ ] All PHI encrypted at rest (AES-256) and in transit (TLS 1.3)
* [ ] MFA enforced for all production access
* [ ] Least-privilege access implemented for all roles
* [ ] Audit logging enabled for all PHI access
* [ ] Vulnerability scanning integrated into CI/CD
* [ ] Dependency scanning active for third-party libraries
* [ ] Incident response plan tested within the last 6 months
* [ ] Penetration test completed within the last 12 months
* [ ] Backup and disaster recovery procedures tested