Status: ✅ Implemented — All Phases Complete
Regulatory deadline: Feb 16, 2026
Spec Reference: CL-11-consent-management-42cfr-part2.md
Last Updated: 2026-02-21
Last Verified: 2026-02-21
Overview
CL-11 implements 42 CFR Part 2–compliant consent and disclosure management: single TPO consent, separate SUD counseling notes consent, disclosure accounting, and redisclosure logic. Integration is via Platform Foundation (PF) and internal CL dependencies only; no cross-core dependencies other than PF.Interim Controls
Until CL-11 is fully implemented, the following controls apply (aligned with REGULATORY_COMPLIANCE_TRACKER.md):- Revocation in writing: Obtain and file written revocation with effective date per organization policy; do not rely on system to enforce; manual checklist.
- Separate SUD consent: Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy; manual tracking.
- Disclosure accounting: Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
- Consent documentation per disclosure: Each disclosure must reference the consent that authorizes it; document in the disclosure log.
- Redisclosure notice: Include notice that redisclosure is prohibited on any disclosed information.
- Training: Ensure staff trained on Part 2 requirements and interim process.
Action checklist
Integration Points (from Spec)
API / Data Contracts
- Consent enforcement: Other CL modules call
cl_check_sud_consent(p_chart_id, p_record_type, p_requesting_user)(SECURITY DEFINER) in RLS policies to gate SUD record access. - Consent storage:
cl_consentsandcl_disclosure_log; see spec Data Model. No public REST API; access via Supabase client and RLS.
Event Contracts
- No event publishing/subscribing required for MVP. Consent revocation or disclosure logging may trigger events in future phases (e.g. audit, notifications).
Security and RLS
- Helpers:
can_access_consents(organization_id, profile_id),can_access_disclosure_log(organization_id, profile_id),cl_check_sud_consent(chart_id, record_type, requesting_user). - Policies: SELECT/INSERT/UPDATE (with USING and WITH CHECK) on both tables; tenant isolation via helpers. See spec RLS Requirements and Errata E-2.
- PHI: Consent and disclosure data are PHI; no PHI in logs or external AI.
Enhancements (EN-33, EN-34, EN-35) — ✅ All Complete (2026-02-27)
Catalog: CL-11-ENHANCEMENTS.md. All enhancements implemented.Related Docs
- CL-11 Spec
- CL-11 Enhancements Catalog — EN-33, EN-34, EN-35
- REGULATORY_COMPLIANCE_TRACKER.md — 42 CFR Part 2 interim procedures
- docs/architecture/integrations/index.md