Status: 🏗️ Scaffolded (gateway integration pending vendor selection)
Spec: CL-17-arizona-cspmp-pdmp-integration.md
Last Updated: 2026-02-23
Last Verified: 2026-02-23
Cross-Core Integration Matrix
Overview
CL-17 defines Arizona Controlled Substances Prescription Monitoring Program (CSPMP) / PDMP integration: query-in-workflow for controlled substance prescribing, prescriber attestation, delegate access, and audit trail per A.R.S. § 36-2606. Integration with external gateways (PMP Gateway/NABP, Bamboo Health/Appriss, Arizona HIE) and with CL-06 (e-prescribing) and CL-01 (patient chart). Query-in-workflow (fail-closed): Query-in-workflow MUST be fail-closed. Clinicians must NOT prescribe controlled substances when a required PDMP query fails or is unavailable unless an exception is recorded. Enforce at the application layer and in workflows that usecl_pdmp_queries; see Security and RLS below.
Integration Points
Adapter Architecture (CL-17-EN-01, #1964)
The vendor boundary is thePdmpAdapter seam in
supabase/functions/_shared/pdmp/adapter.ts, mirroring the WENO transport seam
(_shared/weno/transport.ts):
- Interface:
PdmpAdapter.query(input, credentials, config) → PdmpReport+validateConfig(config). Every adapter returns the same normalizedPdmpReport; vendor response shapes never leak past the seam. The normalizedsummaryis persisted verbatim tocl_pdmp_queries.results_summaryand is the shapePdmpResultsViewparses (PdmpResultsSummary). Risk indicators are optional — Arizona’s state-funded Gateway tier returns the Basic PMP report without NarxCare scores. - Registry:
gateway_provider→ adapter (pmp_gateway/bamboo_health→ Bamboo PMP Gateway adapter;arizona_hie→ Contexture slot). Adding a vendor is one registry entry; callers never change. - Fixture track: a deterministic fixture adapter is selected only when the
x-pdmp-fixture: 1header is present and the runtime is non-prod (server-trusted project ref) — unreachable in production by construction. - Go-live gates (fail-closed):
cl_pdmp_configuration.pdmp_adapter_enabled(default false until vendor contract + BAA land — EN-20) → HTTP 412; no vault credential → HTTP 412; vendor adapter awaiting onboarding → HTTP 501. While gated, prescribers remain compliant via the AWARxE portal link-out + manual attestation (query_method='manual') — A.R.S. § 36-2606(F) is method-agnostic (seespecs/cl/research/CL-17-EN-01-RESEARCH.md). - Statutory map: the three registry slots correspond 1:1 to the three integration routes sanctioned by A.R.S. § 36-2606(I) (subsection (H) from 2026-09-12): direct, statewide HIE, third-party vendor. EMR-vendor integration deadline: 2026-12-31.
API / Data Contracts
External gateway (PMP Gateway / Bamboo Health / Arizona HIE)
- Authentication: Credentials MUST be loaded from the platform vault only via
credentials_vault_ref; no API keys or tokens in code or config. Use the existing platform vault pattern. - Request/response: Request/response schemas for PDMP gateway calls to be defined when implementation is chosen (e.g. patient identifiers, date range, prescriber/delegate context). Document in this section when available.
- Resilience (API alignment): Use a per-attempt timeout of 5s (aligned to NFR-1). Retry policy: 2 retries with exponential backoff (initial delay 200ms, multiplier 2, max backoff 1s). Maximum total timeout: 15s; after that the integration MUST fail-closed (do not allow prescribing without recording the failure). Any fail-closed event or gateway unavailability MUST be recorded in
cl_pdmp_querieswithresults_summary.exception_typeset topdmp_unavailable. Include diagnostic fields inresults_summaryfor debugging (e.g.attempt_count,last_error). - Rate limiting: If the gateway documents rate limits, implement client-side throttling per org/facility and document limits in this section when known.
cl_pdmp_queries
- Scope:
organization_id+chart_id; PHI — full RLS. - Key columns:
chart_id,queried_by,queried_on_behalf_of,prescriber_attestation,results_reviewed_at,prescription_id,gateway_transaction_id,gateway_provider,interstate_query,states_queried.
cl_pdmp_configuration
- Scope:
organization_id; org-level gateway and feature toggles. - Key columns:
gateway_provider(CHECK:pmp_gateway|bamboo_health|arizona_hie),auto_query_enabled,interstate_query_enabled,delegate_access_enabled,credentials_vault_ref,pdmp_adapter_enabled(go-live gate, default false),adapter_options(vendor-specific non-secret options, JSONB).
Event Contracts
cl_pdmp_query_completed (Planned — Deferred)
Status: Planned but deferred from initial implementation.Rationale: CL-17 uses synchronous query-in-workflow. The
cl_pdmp_queries table INSERT is the primary audit trail per A.R.S. § 36-2606. A domain event is not required for the core compliance use case. The event will be implemented if downstream consumers need to react to PDMP queries (e.g., CL-08 CDS high-risk alerts, GR compliance automation).
When to implement: When CL-08 or GR needs to subscribe to PDMP query completion for automated processing.
Registered in: src/platform/events/types.ts as KnownEventName (cl_pdmp_query_completed); EVENT_CONTRACTS.md planned events table.
Subscriber controls (required before release):
- Channel subscribers must be explicitly allowlisted and limited to approved consumers (e.g., CL-08 CDS and designated governance automations).
- Consumers must verify active 42 CFR Part 2 consent for the referenced chart before processing protected fields.
- Consumer access to this event payload must be audit-logged with the same rigor as direct
cl_pdmp_queriesaccess.
Security and RLS
- Permission keys (PF-30):
cl.pdmp.queries.view,cl.pdmp.queries.create,cl.pdmp.configuration.manage(see spec for usage). - RLS enabled on
cl_pdmp_queriesandcl_pdmp_configurationwith organization isolation. - Policies: org isolation, prescriber access, delegate access, admin access.
- All policies MUST use SECURITY DEFINER helpers (no direct queries to RLS-protected tables); UPDATE policies MUST include WITH CHECK (constitution §5.2.4).
- Audit (minimalism): Application logs MUST use only non-PII/PHI identifiers: query
id,organization_id, timestamp, and optionallygateway_transaction_idfor correlation. Do NOT log patient or prescriber identifiers. Retain audit records per HIPAA (e.g. 6-year retention) where applicable. INSERT and updates toprescriber_attestation/results_reviewed_atform the A.R.S. § 36-2606 evidence trail.