Aescleon

AESCLEON

MVP Data Scope & HIPAA Positioning
Revision 1
Effective Date: December 15, 2025
Confidential – For Review Purposes Only

Executive Summary

This document outlines the intentional data scope, compliance posture, and phased regulatory strategy for the Aescleon platform during its Minimum Viable Product (MVP) phase. Aescleon is designed as a logistics and coordination tool for surgeons and medical device vendors and does not collect or process Protected Health Information (PHI) at this stage.

The purpose of this document is to provide clarity to surgeons, advisors, legal counsel, and internal stakeholders regarding why HIPAA does not apply to the MVP today, what safeguards are in place to prevent PHI usage, and how the platform will intentionally transition to HIPAA compliance if future product value requires it.

Intended Audience

Surgeons and early adopters
Legal and compliance advisors
Internal Aescleon team members
Strategic partners (under review context)

Confidentiality Notice

This document is confidential and provided for evaluation and discussion purposes only. It may not be distributed, reproduced, or shared externally without prior written consent from Aescleon.

Why This Platform Is Not HIPAA-Regulated (MVP Phase)

Overview

Aescleon is designed as a logistics and coordination platform for surgeons and medical device vendors. Its purpose is to support scheduling, availability, and operational planning — not patient care, documentation, or clinical communication. The platform enables visibility into case timing, resource planning, and coordination between authorized parties who already participate in surgical workflows.

At the MVP stage, Aescleon does not collect, store, transmit, or process Protected Health Information (PHI) as defined under HIPAA. As a result, the platform is not subject to HIPAA compliance requirements at this time. This is an intentional product decision made to validate workflow value before expanding into regulated use cases.

Why HIPAA Does Not Apply

HIPAA applies only when a system handles Protected Health Information (PHI), meaning health information that identifies an individual patient or can reasonably be used to identify one. Aescleon does not contain PHI because no patient-identifying data is collected, expected, or encouraged as part of the platform's normal or intended use.

Information such as surgery date, time, and facility alone does not identify a patient and is commonly used for lawful operational coordination among authorized parties. These data points support planning and availability, but do not identify an individual. Because PHI is not part of the system's intended or normal use, Aescleon does not function as a HIPAA-regulated system or Business Associate.

Design Intent: PHI Is Explicitly Prohibited

Aescleon is intentionally designed so that PHI is not required, not expected, and not appropriate for use. Any entry of PHI would constitute user misuse rather than system design. The platform's value proposition is achieved entirely through operational coordination, without reliance on patient-identifiable data. This mirrors how general-purpose scheduling, calendar, and coordination tools are lawfully used in healthcare environments when they are not configured for PHI.

Product & UI Controls Implemented to Prevent PHI

No patient-specific fields (no patient name, MRN, DOB, age, diagnosis, or clinical notes).
System-generated, non-descriptive case identifiers that cannot be user-labeled or edited.
Logistics-only data model limited to date, time, facility, surgeon, vendor, surgery type/procedure category for device and equipment logistics, and generic equipment needs.
Chat functionality, if enabled, is labeled for logistics only with no patient prompts.
No file or image attachments permitted in MVP to prevent accidental upload of clinical material.
No message previews displayed in notifications.
Explicit 'No PHI' warnings shown on login and first chat use, with user acknowledgment.
Clear acceptable use policy prohibiting PHI.
Ability for administrators to remove messages or records if misuse is discovered.
No HIPAA, patient messaging, or clinical language used in marketing, UI, or onboarding.

Good-Faith Compliance Posture

Although HIPAA compliance is not required at this stage, Aescleon demonstrates good-faith intent by clearly defining scope, discouraging prohibited use, designing UI to avoid PHI entry, and responding appropriately to misuse if it occurs. This approach aligns with industry norms for healthcare-adjacent software operating outside regulated data workflows.

Summary

Aescleon does not handle PHI. HIPAA applies to data rather than environments. Logistics-only coordination does not trigger HIPAA. The platform's design, UI, and policies explicitly prohibit PHI, and the MVP is intentionally scoped to remain non-HIPAA.

Aescleon MVP FAQ

What does MVP mean in the context of Aescleon?

MVP stands for Minimum Viable Product. In the context of Aescleon, the MVP is a deliberately scoped early version of the platform designed to validate core workflow value—such as scheduling visibility, logistics coordination, and communication between surgeons and vendors—without introducing regulated patient-identifiable data. The MVP focuses on learning and iteration before expanding scope or regulatory obligations.

Do we need HIPAA compliance for the MVP?

No. HIPAA applies only when a system is designed to collect, store, transmit, or process Protected Health Information (PHI). Aescleon's MVP does not handle patient-identifiable data and therefore does not require HIPAA compliance. The platform operates at the logistics and coordination layer rather than the clinical or patient documentation layer.

What is PHI and when would it apply to Aescleon?

PHI is health information that both relates to a patient's health or care and identifies, or can reasonably be used to identify, that individual. PHI would apply to Aescleon only if patient names, MRNs, DOBs, diagnoses, or similar identifiers became part of the intended workflow.

Can surgery date, time, and hospital be cross-referenced with outside data to identify a patient?

No. Surgery date, time, and facility alone do not identify a patient and are not considered PHI. For example, a vendor may know they are scheduled at Norton Hospital on Tuesday at 2:00 PM, but that information alone does not identify who the patient is. Identifying a patient would require access to separate hospital systems or records that the user already lawfully has. HIPAA does not classify operational scheduling data as PHI simply because identification could theoretically occur using external systems.

What happens if a user enters PHI anyway?

Any entry of PHI is treated as misuse. The content may be removed, the user reminded of acceptable use, and the incident documented. One-off misuse does not convert the platform into a PHI system, so long as PHI is not expected, encouraged, or tolerated as normal behavior.

Why do we include 'No PHI' warnings and pop-ups?

These warnings clarify scope, reinforce acceptable use, and demonstrate good-faith design intent. They help prevent accidental misuse and align the platform with how general-purpose coordination tools are responsibly used in healthcare environments.

What would trigger HIPAA in the future?

HIPAA would apply if Aescleon intentionally supports patient-identifiable communication, introduces patient-specific data fields, markets PHI safety, or integrates directly with systems that contain PHI.

Phase 2: Transition to PHI-Supported Use

If early adopters determine that handling patient-identifiable information provides clear and necessary value, Aescleon will intentionally transition to a HIPAA-regulated platform in a dedicated Phase 2 rollout. PHI will not be enabled until all required safeguards, agreements, and infrastructure are in place.

Formal determination that PHI is required for core product value.
HIPAA-compliant system architecture and hosting environment.
Execution of Business Associate Agreements (BAAs) with covered entities and vendors as applicable.
Encryption of PHI in transit and at rest.
Role-based access controls and user authentication.
Audit logging and monitoring of PHI access.
Defined data retention, deletion, and breach response policies.
Updated Terms of Service, Privacy Policy, and user agreements.
Explicit user consent before PHI features are enabled.

User Acknowledgment & Acceptance

By signing below, the undersigned acknowledges that Aescleon is intended solely for logistics and operational coordination during the MVP phase and must not be used to transmit, store, or discuss patient-identifiable health information (PHI). The undersigned agrees to comply with this limitation during use of the platform.

Name (Printed):

Role (Surgeon / Vendor / Other):

Organization:

Signature:

Date:

Aescleon Acceptance

The undersigned representative of Aescleon acknowledges the scope and limitations described in this document and affirms that the platform is intentionally designed and operated as a non-PHI system during the MVP phase.

Aescleon Representative (Printed):

Title:

Signature:

Date:

Executive Summary

Why This Platform Is Not HIPAA-Regulated (MVP Phase)

Overview

Aescleon MVP FAQ

What does MVP mean in the context of Aescleon?

Do we need HIPAA compliance for the MVP?

What is PHI and when would it apply to Aescleon?

Can surgery date, time, and hospital be cross-referenced with outside data to identify a patient?

What happens if a user enters PHI anyway?

Why do we include 'No PHI' warnings and pop-ups?

What would trigger HIPAA in the future?

Phase 2: Transition to PHI-Supported Use

Formal determination that PHI is required for core product value.

HIPAA-compliant system architecture and hosting environment.

Execution of Business Associate Agreements (BAAs) with covered entities and vendors as applicable.

Encryption of PHI in transit and at rest.

Role-based access controls and user authentication.

Audit logging and monitoring of PHI access.

Defined data retention, deletion, and breach response policies.

Updated Terms of Service, Privacy Policy, and user agreements.

Explicit user consent before PHI features are enabled.

User Acknowledgment & Acceptance

Name (Printed):

Role (Surgeon / Vendor / Other):

Organization:

Signature:

Date:

Aescleon Acceptance

Aescleon Representative (Printed):

Title:

Signature:

Date:

HIPAA Positioning and Data Scope

AESCLEON

Executive Summary

Intended Audience

Confidentiality Notice

Why This Platform Is Not HIPAA-Regulated (MVP Phase)

Overview

Why HIPAA Does Not Apply

Design Intent: PHI Is Explicitly Prohibited

Product & UI Controls Implemented to Prevent PHI

Good-Faith Compliance Posture

Summary

Aescleon MVP FAQ

What does MVP mean in the context of Aescleon?

Do we need HIPAA compliance for the MVP?

What is PHI and when would it apply to Aescleon?

Can surgery date, time, and hospital be cross-referenced with outside data to identify a patient?

What happens if a user enters PHI anyway?

Why do we include 'No PHI' warnings and pop-ups?

What would trigger HIPAA in the future?

Phase 2: Transition to PHI-Supported Use

User Acknowledgment & Acceptance

Aescleon Acceptance

HIPAA Positioning and Data Scope

AESCLEON

Executive Summary

Intended Audience

Confidentiality Notice

Why This Platform Is Not HIPAA-Regulated (MVP Phase)

Overview

Why HIPAA Does Not Apply

Design Intent: PHI Is Explicitly Prohibited

Product & UI Controls Implemented to Prevent PHI

Good-Faith Compliance Posture

Summary

Aescleon MVP FAQ

What does MVP mean in the context of Aescleon?

Do we need HIPAA compliance for the MVP?

What is PHI and when would it apply to Aescleon?

Can surgery date, time, and hospital be cross-referenced with outside data to identify a patient?

What happens if a user enters PHI anyway?

Why do we include 'No PHI' warnings and pop-ups?

What would trigger HIPAA in the future?

Phase 2: Transition to PHI-Supported Use

User Acknowledgment & Acceptance

Aescleon Acceptance