# Healthtech Policy

> **Template and counsel-review notice.** This document is a website/app integration template, not a legal opinion. Before publication, replace bracketed placeholders, confirm actual data flows, obtain advice from qualified counsel for each jurisdiction and regulated workflow, and approve final wording through privacy, security, product, marketing, health/clinical, and executive stakeholders. Do not promise controls, certifications, response times, retention periods, or legal rights unless they are actually implemented and operationally supported.


**Effective date:** September 18, 2024  
**Last updated:** September 18, 2024  
**Organization:** NEXQ Inc.  
**Services covered:** NEXQ websites, web applications, protected workspace surfaces, mobile app surfaces, APIs, secure healthcare and healthtech workflow demonstrations, quantum encryption, diagnostics, oncology, longevity, research collaboration, support, and related services  
**Privacy contact:** hello@nexq.us  
**Security contact:** hello@nexq.us  
**Mailing address:** Irvine, CA, United States — contact hello@nexq.us for legal notices


## 1. Scope
This policy applies to healthtech products, digital health tools, wellness applications, telehealth tools, AI-assisted health features, patient engagement platforms, remote monitoring tools, clinical decision support, device integrations, hospital integrations, APIs, mobile apps, and connected devices.

## 2. Regulatory classification gate
Before launch or material change, classify each function as one or more of: general wellness, administrative support, non-device clinical decision support, medical device software, software as a medical device, accessory, interoperability tool, research tool, or customer-configured workflow. Document why FDA oversight does or does not apply and obtain regulatory counsel review.

## 3. FDA digital health controls
For functions that may be regulated medical device software, maintain intended use, indications, labeling, risk analysis, software lifecycle documentation, cybersecurity documentation, validation/verification, postmarket monitoring, complaint handling, change control, and regulatory submission evidence where required. AI-enabled device functions should evaluate predetermined change control plans and total product lifecycle controls where applicable.

## 4. Clinical safety and disclaimers
Do not market healthtech as diagnostic, treatment-recommending, clinically validated, FDA-cleared, FDA-approved, HIPAA-compliant, or appropriate for emergencies unless the statement is evidence-based and approved. Include “not for emergency use” and clinician/patient escalation language where appropriate.

## 5. Data protection
Map each health data element to HIPAA, consumer-health-data, biometric, genetic, children’s, state privacy, contract, and app-store obligations. Health data must not be used for advertising, sale/share, model training, or secondary research without documented legal basis and approvals.

## 6. Security and medical-device cybersecurity
Adopt secure-by-design practices, threat modeling, SBOM, vulnerability management, coordinated vulnerability disclosure, patching, logging, access control, encryption, dependency management, and postmarket cybersecurity monitoring. Medical device cybersecurity requirements should be evaluated for premarket submissions and product updates.

## 7. Telehealth and remote monitoring
Telehealth workflows require consent, licensure, emergency protocols, state-specific limitations, recording rules, prescribing rules, patient identity verification, accessibility, interpreter/language support where applicable, and secure communications. Remote monitoring must address device accuracy, alert fatigue, responsibility allocation, and incident escalation.
