Skip to main content
Feature ID: CL-17
Status: 🏗️ Scaffolded (gateway integration pending vendor selection)
Spec: CL-17-arizona-cspmp-pdmp-integration.md
Last Updated: 2026-02-23
Last Verified: 2026-02-23

Cross-Core Integration Matrix


Overview

CL-17 defines Arizona Controlled Substances Prescription Monitoring Program (CSPMP) / PDMP integration: query-in-workflow for controlled substance prescribing, prescriber attestation, delegate access, and audit trail per A.R.S. § 36-2606. Integration with external gateways (PMP Gateway/NABP, Bamboo Health/Appriss, Arizona HIE) and with CL-06 (e-prescribing) and CL-01 (patient chart). Query-in-workflow (fail-closed): Query-in-workflow MUST be fail-closed. Clinicians must NOT prescribe controlled substances when a required PDMP query fails or is unavailable unless an exception is recorded. Enforce at the application layer and in workflows that use cl_pdmp_queries; see Security and RLS below.

Integration Points


Adapter Architecture (CL-17-EN-01, #1964)

The vendor boundary is the PdmpAdapter seam in supabase/functions/_shared/pdmp/adapter.ts, mirroring the WENO transport seam (_shared/weno/transport.ts):
  • Interface: PdmpAdapter.query(input, credentials, config) → PdmpReport + validateConfig(config). Every adapter returns the same normalized PdmpReport; vendor response shapes never leak past the seam. The normalized summary is persisted verbatim to cl_pdmp_queries.results_summary and is the shape PdmpResultsView parses (PdmpResultsSummary). Risk indicators are optional — Arizona’s state-funded Gateway tier returns the Basic PMP report without NarxCare scores.
  • Registry: gateway_provider → adapter (pmp_gateway/bamboo_health → Bamboo PMP Gateway adapter; arizona_hie → Contexture slot). Adding a vendor is one registry entry; callers never change.
  • Fixture track: a deterministic fixture adapter is selected only when the x-pdmp-fixture: 1 header is present and the runtime is non-prod (server-trusted project ref) — unreachable in production by construction.
  • Go-live gates (fail-closed): cl_pdmp_configuration.pdmp_adapter_enabled (default false until vendor contract + BAA land — EN-20) → HTTP 412; no vault credential → HTTP 412; vendor adapter awaiting onboarding → HTTP 501. While gated, prescribers remain compliant via the AWARxE portal link-out + manual attestation (query_method='manual') — A.R.S. § 36-2606(F) is method-agnostic (see specs/cl/research/CL-17-EN-01-RESEARCH.md).
  • Statutory map: the three registry slots correspond 1:1 to the three integration routes sanctioned by A.R.S. § 36-2606(I) (subsection (H) from 2026-09-12): direct, statewide HIE, third-party vendor. EMR-vendor integration deadline: 2026-12-31.

API / Data Contracts

External gateway (PMP Gateway / Bamboo Health / Arizona HIE)

  • Authentication: Credentials MUST be loaded from the platform vault only via credentials_vault_ref; no API keys or tokens in code or config. Use the existing platform vault pattern.
  • Request/response: Request/response schemas for PDMP gateway calls to be defined when implementation is chosen (e.g. patient identifiers, date range, prescriber/delegate context). Document in this section when available.
  • Resilience (API alignment): Use a per-attempt timeout of 5s (aligned to NFR-1). Retry policy: 2 retries with exponential backoff (initial delay 200ms, multiplier 2, max backoff 1s). Maximum total timeout: 15s; after that the integration MUST fail-closed (do not allow prescribing without recording the failure). Any fail-closed event or gateway unavailability MUST be recorded in cl_pdmp_queries with results_summary.exception_type set to pdmp_unavailable. Include diagnostic fields in results_summary for debugging (e.g. attempt_count, last_error).
  • Rate limiting: If the gateway documents rate limits, implement client-side throttling per org/facility and document limits in this section when known.

cl_pdmp_queries

  • Scope: organization_id + chart_id; PHI — full RLS.
  • Key columns: chart_id, queried_by, queried_on_behalf_of, prescriber_attestation, results_reviewed_at, prescription_id, gateway_transaction_id, gateway_provider, interstate_query, states_queried.

cl_pdmp_configuration

  • Scope: organization_id; org-level gateway and feature toggles.
  • Key columns: gateway_provider (CHECK: pmp_gateway | bamboo_health | arizona_hie), auto_query_enabled, interstate_query_enabled, delegate_access_enabled, credentials_vault_ref, pdmp_adapter_enabled (go-live gate, default false), adapter_options (vendor-specific non-secret options, JSONB).

Event Contracts

cl_pdmp_query_completed (Planned — Deferred)

Status: Planned but deferred from initial implementation.
Rationale: CL-17 uses synchronous query-in-workflow. The cl_pdmp_queries table INSERT is the primary audit trail per A.R.S. § 36-2606. A domain event is not required for the core compliance use case. The event will be implemented if downstream consumers need to react to PDMP queries (e.g., CL-08 CDS high-risk alerts, GR compliance automation).
When to implement: When CL-08 or GR needs to subscribe to PDMP query completion for automated processing. Registered in: src/platform/events/types.ts as KnownEventName (cl_pdmp_query_completed); EVENT_CONTRACTS.md planned events table. Subscriber controls (required before release):
  • Channel subscribers must be explicitly allowlisted and limited to approved consumers (e.g., CL-08 CDS and designated governance automations).
  • Consumers must verify active 42 CFR Part 2 consent for the referenced chart before processing protected fields.
  • Consumer access to this event payload must be audit-logged with the same rigor as direct cl_pdmp_queries access.
Stub payload (to be finalized when implemented):

Security and RLS

  • Permission keys (PF-30): cl.pdmp.queries.view, cl.pdmp.queries.create, cl.pdmp.configuration.manage (see spec for usage).
  • RLS enabled on cl_pdmp_queries and cl_pdmp_configuration with organization isolation.
  • Policies: org isolation, prescriber access, delegate access, admin access.
  • All policies MUST use SECURITY DEFINER helpers (no direct queries to RLS-protected tables); UPDATE policies MUST include WITH CHECK (constitution §5.2.4).
  • Audit (minimalism): Application logs MUST use only non-PII/PHI identifiers: query id, organization_id, timestamp, and optionally gateway_transaction_id for correlation. Do NOT log patient or prescriber identifiers. Retain audit records per HIPAA (e.g. 6-year retention) where applicable. INSERT and updates to prescriber_attestation / results_reviewed_at form the A.R.S. § 36-2606 evidence trail.