# Consent Management & 42 CFR Part 2 — Integration

**Feature ID:** CL-11\
**Status:** ✅ Implemented — All Phases Complete\
**Regulatory deadline:** Feb 16, 2026\
**Spec Reference:** [CL-11-consent-management-42cfr-part2.md](../../../specs/cl/specs/CL-11-consent-management-42cfr-part2.md)\
**Last Updated:** 2026-02-21\
**Last Verified:** 2026-02-21

***

## Overview

CL-11 implements 42 CFR Part 2–compliant consent and disclosure management: single TPO consent, separate SUD counseling notes consent, disclosure accounting, and redisclosure logic. Integration is via Platform Foundation (PF) and internal CL dependencies only; no cross-core dependencies other than PF.

***

## Interim Controls

Until CL-11 is fully implemented, the following controls apply (aligned with [REGULATORY\_COMPLIANCE\_TRACKER.md](../../compliance/REGULATORY_COMPLIANCE_TRACKER.md)):

* **Revocation in writing:** Obtain and file written revocation with effective date per organization policy; do not rely on the system to enforce it; track with a manual checklist.
* **Separate SUD consent:** Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy; manual tracking.
* **Disclosure accounting:** Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
* **Consent documentation per disclosure:** Each disclosure must reference the consent that authorizes it; document in the disclosure log.
* **Redisclosure notice:** Include notice that redisclosure is prohibited on any disclosed information.
* **Training:** Ensure staff are trained on Part 2 requirements and the interim process.

***

## Action checklist

| Owner                | Action                                                                                               | ETA            | Risks                                   | Acceptance           |
| -------------------- | ---------------------------------------------------------------------------------------------------- | -------------- | --------------------------------------- | -------------------- |
| C-suite / Compliance | Notify execs and compliance of missed deadline; approve risk acceptance or expedited implementation  | Immediate      | Regulatory finding until CL-11 complete | *To be signed*       |
| CL / Product         | Complete Phase 1 (schema, RLS, `cl_check_sud_consent`) and Phase 2 (UI, accounting report) per plan | Per CL-11 plan | Interim controls only until complete    | *To be tracked*      |
| Compliance           | Validate interim procedures and document scope/owner in REGULATORY\_COMPLIANCE\_TRACKER              | Immediate      | Residual risk until full implementation | *To be acknowledged* |

***

## Integration Points (from Spec)

| Dependency                    | Pattern  | Purpose                                                                |
| ----------------------------- | -------- | ---------------------------------------------------------------------- |
| PF-01 (Organizations & Sites) | Direct   | Multi-tenant isolation                                                 |
| PF-02 (RBAC)                  | Direct   | Role-based access; permission keys per PF-30                           |
| PF-11 (Documents)             | Platform | Consent document storage (`document_id` on `cl_consents`)              |
| PF-33 (Digital Signatures)    | Platform | Patient consent signatures                                             |
| CL-01 (Patient Chart)         | Internal | Consent status flags on chart; `chart_id` FK                           |
| CL-16 (FHIR)                  | Internal | FHIR Consent resource for interoperability                             |
| All CL modules                | Internal | Consent enforcement for SUD record access via `cl_check_sud_consent()` |

***

## API / Data Contracts

* **Consent enforcement:** Other CL modules call `cl_check_sud_consent(p_chart_id, p_record_type, p_requesting_user)` (SECURITY DEFINER) in RLS policies to gate SUD record access.
* **Consent storage:** `cl_consents` and `cl_disclosure_log`; see spec Data Model. No public REST API; access via Supabase client and RLS.

*(To be expanded with any edge functions or external API contracts.)*

***

## Event Contracts

* No event publishing/subscribing required for MVP. Consent revocation or disclosure logging may trigger events in future phases (e.g. audit, notifications).

*(To be expanded if events are added.)*

***

## Security and RLS

* **Helpers:** `can_access_consents(organization_id, profile_id)`, `can_access_disclosure_log(organization_id, profile_id)`, `cl_check_sud_consent(chart_id, record_type, requesting_user)`.
* **Policies:** SELECT/INSERT/UPDATE (with USING and WITH CHECK) on both tables; tenant isolation via helpers. See spec RLS Requirements and Errata E-2.
* **PHI:** Consent and disclosure data are PHI; no PHI in logs or external AI.
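
How a module's RLS policy can gate SUD rows on a SECURITY DEFINER consent check of the kind described under API / Data Contracts and Security and RLS. This is an added illustration, not CL-11's code: every `example_*` table, column and function is hypothetical, and `auth.uid()` and the `authenticated` role are assumed from Supabase.

```sql
-- Added example; every example_* name and column is hypothetical, not the CL-11 schema.
CREATE TABLE example_consents (
  chart_id     uuid NOT NULL,
  record_type  text NOT NULL,        -- e.g. 'sud_counseling_note'
  recipient_id uuid NOT NULL,        -- user this consent authorizes
  effective_at timestamptz NOT NULL,
  expires_at   timestamptz,
  revoked_at   timestamptz           -- effective date of a written revocation
);
-- RLS enabled with no policies: client roles cannot read consents directly.
-- The function below, created by the role that owns this table, is the read path.
ALTER TABLE example_consents ENABLE ROW LEVEL SECURITY;

CREATE TABLE example_sud_notes (
  id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  chart_id uuid NOT NULL,
  body     text NOT NULL
);

-- SECURITY DEFINER runs with the owner's rights: pin search_path, schema-qualify
-- every object, and return only a boolean so callers never see consent rows.
CREATE FUNCTION example_check_sud_consent(
  p_chart_id uuid, p_record_type text, p_requesting_user uuid
) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = ''
AS $$
  SELECT EXISTS (
    SELECT 1 FROM public.example_consents c
    WHERE c.chart_id     = p_chart_id
      AND c.record_type  = p_record_type
      AND c.recipient_id = p_requesting_user
      AND c.effective_at <= now()
      AND (c.revoked_at IS NULL OR c.revoked_at > now())  -- revocation ends access
      AND (c.expires_at IS NULL OR c.expires_at > now())  -- expired consent denies
  );
$$;

-- New functions are executable by PUBLIC by default; narrow that.
REVOKE EXECUTE ON FUNCTION example_check_sud_consent(uuid, text, uuid) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION example_check_sud_consent(uuid, text, uuid) TO authenticated;

ALTER TABLE example_sud_notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE example_sud_notes FORCE ROW LEVEL SECURITY;  -- owner is filtered too

-- The requesting user comes from the session, never from client-supplied data.
CREATE POLICY example_sud_notes_select ON example_sud_notes
  FOR SELECT TO authenticated
  USING (example_check_sud_consent(chart_id, 'sud_counseling_note', auth.uid()));
```

With no matching consent row the policy's `USING` clause is false, so the query returns zero rows rather than an error; missing, expired and revoked consent all fail closed.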

***

## Enhancements (EN-33, EN-34, EN-35) — ✅ All Complete (2026-02-27)

Catalog: [CL-11-ENHANCEMENTS.md](../../../specs/cl/specs/CL-11-ENHANCEMENTS.md). All enhancements implemented.

| Enhancement                                   | Integration summary                                                                                                                                                                                          | Status     |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------- |
| **EN-33 Consent Expiration Notifications**    | `consent_expiration_reminder_days` column on `cl_module_settings`; `consent-expiration-reminders` edge function (cron); PF-10 notifications via `createNotificationIfNew`. No PHI in payloads.               | ✅ Complete |
| **EN-34 Part 2 Compliance Reporting**         | `cl_part2_compliance_stats` SECURITY DEFINER RPC (counts only, no patient IDs); `cl.compliance_report.view` permission; `Part2ComplianceDashboardPage` at `/cl/compliance-report`.                           | ✅ Complete |
| **EN-35 Patient Portal Consent Self-Service** | `cl_consent_requests` table with RLS FORCE + SECURITY DEFINER helper; portal hooks (`usePortalConsents`, `useConsentRequest`); `PortalConsentsPage` at `/portal/consents`; `ConsentRevocationRequestDialog`. | ✅ Complete |

***

## Related Docs

* [CL-11 Spec](../../../specs/cl/specs/CL-11-consent-management-42cfr-part2.md)
* [CL-11 Enhancements Catalog](../../../specs/cl/specs/CL-11-ENHANCEMENTS.md) — EN-33, EN-34, EN-35
* [REGULATORY\_COMPLIANCE\_TRACKER.md](../../compliance/REGULATORY_COMPLIANCE_TRACKER.md) — 42 CFR Part 2 interim procedures
* [docs/architecture/integrations/index.md](index.md)
