Feature ID: CL-11
Status: ✅ Implemented — All Phases Complete
Regulatory deadline: Feb 16, 2026
Spec Reference: CL-11-consent-management-42cfr-part2.md
Last Updated: 2026-02-21
Last Verified: 2026-02-21
Overview
CL-11 implements 42 CFR Part 2–compliant consent and disclosure management: single TPO consent, separate SUD counseling notes consent, disclosure accounting, and redisclosure logic. Integration is via Platform Foundation (PF) and internal CL dependencies only; no cross-core dependencies other than PF.
Interim Controls
Until CL-11 is fully implemented, the following controls apply (aligned with REGULATORY_COMPLIANCE_TRACKER.md):
- Revocation in writing: Obtain and file written revocation with effective date per organization policy; do not rely on system to enforce; manual checklist.
- Separate SUD consent: Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy; manual tracking.
- Disclosure accounting: Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
- Consent documentation per disclosure: Each disclosure must reference the consent that authorizes it; document in the disclosure log.
- Redisclosure notice: Include notice that redisclosure is prohibited on any disclosed information.
- Training: Ensure staff trained on Part 2 requirements and interim process.
Action checklist
| Owner | Action | ETA | Risks | Acceptance |
|---|---|---|---|---|
| C-suite / Compliance | Notify execs and compliance of missed deadline; approve risk acceptance or expedited implementation | Immediate | Regulatory finding until CL-11 complete | To be signed |
| CL / Product | Complete Phase 1 (schema, RLS, cl_check_sud_consent) and Phase 2 (UI, accounting report) per plan | Per CL-11 plan | Interim controls only until complete | To be tracked |
| Compliance | Validate interim procedures and document scope/owner in REGULATORY_COMPLIANCE_TRACKER | Immediate | Residual risk until full implementation | To be acknowledged |
Integration Points (from Spec)
| Dependency | Pattern | Purpose |
|---|---|---|
| PF-01 (Organizations & Sites) | Direct | Multi-tenant isolation |
| PF-02 (RBAC) | Direct | Role-based access; permission keys per PF-30 |
| PF-11 (Documents) | Platform | Consent document storage (document_id on cl_consents) |
| PF-33 (Digital Signatures) | Platform | Patient consent signatures |
| CL-01 (Patient Chart) | Internal | Consent status flags on chart; chart_id FK |
| CL-16 (FHIR) | Internal | FHIR Consent resource for interoperability |
| All CL modules | Internal | Consent enforcement for SUD record access via cl_check_sud_consent() |
API / Data Contracts
- Consent enforcement: Other CL modules call cl_check_sud_consent(p_chart_id, p_record_type, p_requesting_user) (SECURITY DEFINER) in RLS policies to gate SUD record access.
- Consent storage: cl_consents and cl_disclosure_log; see spec Data Model. No public REST API; access via Supabase client and RLS.
Event Contracts
- No event publishing/subscribing required for MVP. Consent revocation or disclosure logging may trigger events in future phases (e.g. audit, notifications).
Security and RLS
- Helpers: can_access_consents(organization_id, profile_id), can_access_disclosure_log(organization_id, profile_id), cl_check_sud_consent(chart_id, record_type, requesting_user).
- Policies: SELECT/INSERT/UPDATE (with USING and WITH CHECK) on both tables; tenant isolation via helpers. See spec RLS Requirements and Errata E-2.
- PHI: Consent and disclosure data are PHI; no PHI in logs or external AI.
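One way the consent gate described under API / Data Contracts and Security and RLS can look in PostgreSQL on Supabase. This is an added illustration, not EncoreOS code: only the function name and its three parameters come from this page, while the function body, the cl_sud_notes table, the stand-in cl_consents columns and the 'sud_counseling_note' value are assumptions.

```sql
-- Sketch for a scratch database; all table columns below are assumed.
CREATE TABLE cl_consents (              -- minimal stand-in for the real table
    chart_id    uuid NOT NULL,
    record_type text NOT NULL,
    revoked_at  timestamptz,            -- revocation effective date
    expires_at  timestamptz
);
CREATE TABLE cl_sud_notes (             -- hypothetical consuming table
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    chart_id uuid NOT NULL,
    body     text NOT NULL
);

-- Assumed helper body. SECURITY DEFINER bypasses the caller's own RLS on
-- cl_consents, so search_path is pinned and only a boolean is returned.
CREATE FUNCTION cl_check_sud_consent(
    p_chart_id uuid, p_record_type text, p_requesting_user uuid
) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT p_requesting_user = auth.uid()   -- no lookups on behalf of other users
       AND EXISTS (
            SELECT 1 FROM cl_consents c
            WHERE c.chart_id = p_chart_id
              AND c.record_type = p_record_type
              AND (c.revoked_at IS NULL OR c.revoked_at > now())
              AND (c.expires_at IS NULL OR c.expires_at > now()));
$$;
-- Functions are executable by PUBLIC by default; narrow that.
REVOKE EXECUTE ON FUNCTION cl_check_sud_consent(uuid, text, uuid) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION cl_check_sud_consent(uuid, text, uuid) TO authenticated;

ALTER TABLE cl_sud_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE cl_sud_notes FORCE ROW LEVEL SECURITY;  -- table owner is filtered too

-- Consent gate only; tenant isolation is a separate predicate in each module.
CREATE POLICY sud_notes_select ON cl_sud_notes FOR SELECT TO authenticated
    USING (cl_check_sud_consent(chart_id, 'sud_counseling_note', auth.uid()));

-- USING limits which rows may be updated; WITH CHECK re-tests the new row,
-- so a note cannot be moved onto a chart that has no active consent.
CREATE POLICY sud_notes_update ON cl_sud_notes FOR UPDATE TO authenticated
    USING      (cl_check_sud_consent(chart_id, 'sud_counseling_note', auth.uid()))
    WITH CHECK (cl_check_sud_consent(chart_id, 'sud_counseling_note', auth.uid()));
```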
Enhancements (EN-33, EN-34, EN-35) — ✅ All Complete (2026-02-27)
Catalog: CL-11-ENHANCEMENTS.md. All enhancements implemented.
| Enhancement | Integration summary | Status |
|---|---|---|
| EN-33 Consent Expiration Notifications | consent_expiration_reminder_days column on cl_module_settings; consent-expiration-reminders edge function (cron); PF-10 notifications via createNotificationIfNew. No PHI in payloads. | ✅ Complete |
| EN-34 Part 2 Compliance Reporting | cl_part2_compliance_stats SECURITY DEFINER RPC (counts only, no patient IDs); cl.compliance_report.view permission; Part2ComplianceDashboardPage at /cl/compliance-report. | ✅ Complete |
| EN-35 Patient Portal Consent Self-Service | cl_consent_requests table with RLS FORCE + SECURITY DEFINER helper; portal hooks (usePortalConsents, useConsentRequest); PortalConsentsPage at /portal/consents; ConsentRevocationRequestDialog. | ✅ Complete |
Related Docs
- CL-11 Spec
- CL-11 Enhancements Catalog — EN-33, EN-34, EN-35
- REGULATORY_COMPLIANCE_TRACKER.md — 42 CFR Part 2 interim procedures
- docs/architecture/integrations/index.md