Compliance & Security

Last updated: June 18, 2026

Built for healthcare environments where trust is essential.

Neuroline develops voice AI for routine telephone customer contact in healthcare. Because we operate in a sector where privacy, reliability, and human responsibility are central, we intentionally build our technology according to a phased and controllable approach.

Our first applications are administrative: appointment confirmations, callback requests, simple routing, no-show follow-up, and other routine contact moments. In this phase, Neuroline does not make medical decisions, perform autonomous triage, or provide medical advice.

When a conversation falls outside the administrative scope, it is escalated to a staff member.

1. Our principles

At Neuroline we use four principles:

  • Administrative where possible, human where necessary. Voice AI is used for repetitive and administrative processes. Complex, sensitive, or medical questions are forwarded to healthcare professionals.
  • Transparency toward patient and organization. A user must know that they are speaking with a digital assistant. Healthcare organizations must be able to understand what the AI does, which data is processed, and when escalation takes place.
  • Data minimization. Neuroline processes only the data needed for the agreed workflow. For an appointment confirmation, for example, a complete medical record is not needed.
  • Logging and controllability. Call actions, outcomes, and escalations must be controllable. This is important for quality, safety, auditability, and further optimization.

2. No medical decision-making in phase 1

Neuroline deliberately started with clearly defined administrative workflows.

Examples:

  • Confirming an appointment.
  • Creating a callback request.
  • Registering a request to reschedule.
  • Simple routing to the right staff member.
  • Handling administrative questions.
  • Escalating exceptions or medical signals.

3. What Neuroline does not determine in this phase

In this phase, Neuroline does not determine:

  • Whether someone needs medical care.
  • How urgent a care request is.
  • Which treatment is appropriate.
  • Which diagnosis or medical conclusion should be drawn.

Medical assessment remains with the healthcare professional.

4. NEN 7510, ISO 27001, and NIS2 readiness

Neuroline works with Blue Shield IT on further establishing our security and compliance foundation. In doing so, we look at, among other things:

  • NEN 7510 readiness.
  • ISO 27001 controls.
  • NIS2 preparation.
  • Access management.
  • Logging.
  • Incident processes.
  • Data flows.
  • Data processing agreements.
  • Subprocessors.
  • Retention periods.
  • Technical and organizational security measures.

We carry this out in phases. This means that we first make clear where risks are, which measures are already in place, and which steps are needed for further scaling within healthcare organizations.

5. Security-by-design

Neuroline is set up according to the security-by-design principle. This means that security is not added afterward, but is part of product development and implementation from the start.

In doing so, we pay attention to:

  • Secure processing of data.
  • Minimal access to data.
  • Separation of roles and rights.
  • Audit trails.
  • Encryption where appropriate.
  • Monitoring of anomalies.
  • Clear escalation processes.
  • Controlled connections with external systems.

6. Data flow and integrations

For integrations with healthcare systems, we work according to the principle of minimal data exchange.

A simple administrative workflow can, for example, consist of:

  • A healthcare organization or software package sends limited appointment data to Neuroline.
  • Neuroline starts an outbound call or processes an inbound question.
  • The AI agent registers the outcome.
  • The result is sent back to the healthcare organization's system.
  • Exceptions are escalated to a staff member.

7. Examples of feedback

  • Appointment confirmed.
  • Patient not reached.
  • Callback request needed.
  • Patient wants to reschedule.
  • Patient wants to cancel.
  • Question outside scope.
  • Escalation to staff member.

Deeper integrations, such as automatically changing calendars or connections with EHR or practice software, are only set up when governance, consent, security, and responsibility have been clearly documented.

8. Human escalation

Neuroline is designed to escalate when a conversation falls outside the agreed scope.

Escalation can take place when:

  • The patient asks a medical question.
  • The intent is unclear.
  • The AI does not have enough certainty.
  • The question does not fit within the administrative workflow.
  • The patient explicitly wants to speak with a staff member.
  • There is a potentially sensitive situation.

The principle is simple: when in doubt, the conversation goes to a human.

9. AI Act and MDR-aware development

The European AI Act and potential MDR questions make it necessary to determine clearly for each use case what the AI does and which risks are involved.

Neuroline therefore assesses applications per workflow:

  • Is the workflow administrative or medical?
  • Is a decision being made, or is only information being processed?
  • Is there triage, diagnosis, or treatment advice?
  • Is human control present?
  • Which data is needed?
  • Which logging and auditability are required?

Our first applications are deliberately administrative. If Neuroline moves toward more complex intake or triage in the future, that will only happen through a separate validation, governance, and compliance route.

10. Our approach: define scope, then measure, then scale

We believe AI in healthcare can add great value, but only if the sequence is right.

That is why we build in phases:

  • Phase 1 - Administrative workflows. Appointment confirmation, callback requests, simple routing, and administrative follow-up.
  • Phase 2 - Practice validation. Measuring accessibility, error rates, escalations, patient acceptance, workload reduction, and operational value.
  • Phase 3 - Integrations. Controlled connections with practice software, calendars, and other healthcare systems.
  • Phase 4 - More complex care processes. Only when medical review, governance, compliance, and human responsibility have been clearly set up.

11. What Neuroline does not do

To keep our scope clear:

  • Neuroline does not replace a healthcare professional.
  • Neuroline does not make autonomous medical decisions.
  • In phase 1, Neuroline does not perform medical triage.
  • Neuroline does not use medical data that is not needed for the agreed workflow.
  • Neuroline does not claim compliance or certification that has not yet been formally completed.

12. What Neuroline does do

  • Automate routine telephone customer contact.
  • Reduce administrative pressure.
  • Improve accessibility.
  • Structure callback requests.
  • Support appointment confirmations and follow-up.
  • Forward exceptions to staff members.
  • Help healthcare organizations work with voice AI in a controlled and measurable way.

13. Questions about security or compliance?

We are happy to think along with healthcare organizations, software partners, and compliance teams that want to understand how Neuroline can be used safely within their environment.

Disclaimer: Neuroline is currently working on further NEN 7510, ISO 27001, and NIS2 readiness. We do not claim certification before formal assessment has been completed.

Contact us at Joell.veugelers@neuroline.ai.