Skip to main content
Feature ID: CL-11
Status: ✅ Implemented — All Phases Complete
Regulatory deadline: Feb 16, 2026
Spec Reference: CL-11-consent-management-42cfr-part2.md
Last Updated: 2026-02-21
Last Verified: 2026-02-21

Overview

CL-11 implements 42 CFR Part 2–compliant consent and disclosure management: single TPO consent, separate SUD counseling notes consent, disclosure accounting, and redisclosure logic. Integration is via Platform Foundation (PF) and internal CL dependencies only; no cross-core dependencies other than PF.

Interim Controls

Until CL-11 is fully implemented, the following controls apply (aligned with REGULATORY_COMPLIANCE_TRACKER.md):
  • Revocation in writing: Obtain and file written revocation with effective date per organization policy; do not rely on system to enforce; manual checklist.
  • Separate SUD consent: Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy; manual tracking.
  • Disclosure accounting: Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
  • Consent documentation per disclosure: Each disclosure must reference the consent that authorizes it; document in the disclosure log.
  • Redisclosure notice: Include notice that redisclosure is prohibited on any disclosed information.
  • Training: Ensure staff trained on Part 2 requirements and interim process.

Action checklist


Integration Points (from Spec)


API / Data Contracts

  • Consent enforcement: Other CL modules call cl_check_sud_consent(p_chart_id, p_record_type, p_requesting_user) (SECURITY DEFINER) in RLS policies to gate SUD record access.
  • Consent storage: cl_consents and cl_disclosure_log; see spec Data Model. No public REST API; access via Supabase client and RLS.
(To be expanded with any edge functions or external API contracts.)

Event Contracts

  • No event publishing/subscribing required for MVP. Consent revocation or disclosure logging may trigger events in future phases (e.g. audit, notifications).
(To be expanded if events are added.)

Security and RLS

  • Helpers: can_access_consents(organization_id, profile_id), can_access_disclosure_log(organization_id, profile_id), cl_check_sud_consent(chart_id, record_type, requesting_user).
  • Policies: SELECT/INSERT/UPDATE (with USING and WITH CHECK) on both tables; tenant isolation via helpers. See spec RLS Requirements and Errata E-2.
  • PHI: Consent and disclosure data are PHI; no PHI in logs or external AI.

Enhancements (EN-33, EN-34, EN-35) — ✅ All Complete (2026-02-27)

Catalog: CL-11-ENHANCEMENTS.md. All enhancements implemented.