Electronic Consent Capture with 42 CFR Part 2 Redisclosure Tracking — Integration Document

Spec: CL-11-EN-01
Parent Integration: CL-11 Consent Management
Status: ✅ Implemented
Last Updated: 2026-04-09

Overview

This enhancement extends the CL-11 consent management framework with electronic signature consent capture, granular consent categories, and a complete 42 CFR Part 2 redisclosure chain-of-custody audit trail.

Integration Points

PF-01 (Authentication)

  • Pattern: Direct dependency
  • Usage: Signer and staff context must be authenticated before consent signing or redisclosure actions.

PF-02 (Permissions)

  • Pattern: Direct dependency
  • Usage: Enforce scoped permissions (cl.electronic-consent.*, cl.redisclosure-log.*) for consent creation, revocation, and redisclosure operations.

PF-04 (Audit Logging)

  • Pattern: Platform Layer
  • Usage: Immutable disclosure and consent lifecycle audit events written to platform audit infrastructure. Redisclosure log entries supplement PF-04 with Part 2-specific chain-of-custody detail.

CL-11 (Consent Management)

  • Pattern: Data (extends parent tables/policies)
  • Usage: Reuses parent consent policy model (cl_consents). This enhancement adds new tables (cl_electronic_consents, cl_redisclosure_log) for e-signature metadata and disclosure tracking.

CL-16 (Future HIE Coordination)

  • Pattern: Deferred / planned
  • Usage: Consent scope and redisclosure constraints are prepared for downstream HIE sharing workflows. No active integration until CL-16 Phase 2.

New Tables

| Table | Purpose | RLS |
|---|---|---|
| cl_electronic_consents | Signed consent records with granular categories and e-signature data | Org-scoped SELECT/INSERT/UPDATE/DELETE via cl_has_org_access() |
| cl_redisclosure_log | Immutable append-only disclosure audit trail | Org-scoped SELECT/INSERT via cl_has_org_access() + explicit privilege revocation of UPDATE/DELETE for all non-superuser roles (including service/elevated roles) |

Event Contracts

No new events published by this enhancement. Consent lifecycle events (if added) will follow the pattern in EVENT_CONTRACTS.md.

API Contracts

No new external APIs. Internal hooks and RPC only.

Security

  • All tables enforce RLS with SECURITY DEFINER helpers.
  • cl_redisclosure_log is append-only; RLS (cl_has_org_access()) governs access scope, but immutability must also be enforced by revoking UPDATE/DELETE table privileges for all non-superuser roles (including service/elevated roles).
  • Recommended defense in depth: add a BEFORE UPDATE OR DELETE trigger on cl_redisclosure_log that raises an exception to prevent mutable audit behavior if role grants drift.
  • No PHI payloads in operational logs; redisclosure log stores references/identifiers only.
  • Permission keys gate all UI and mutation operations.
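
One way to express the append-only controls above, assuming PostgreSQL; this is an added example, not the project's own migration. The organization_id column, the app_user and app_service role names, and the cl_has_org_access(uuid) signature are assumptions, and the TRUNCATE handling goes beyond what the page lists.

```sql
-- Assumed (not from the page): column organization_id, roles app_user and
-- app_service, and cl_has_org_access(uuid) taking the row's organization id.
ALTER TABLE cl_redisclosure_log ENABLE ROW LEVEL SECURITY;

-- Org-scoped read and append only; no UPDATE or DELETE policy is defined.
CREATE POLICY cl_redisclosure_log_select ON cl_redisclosure_log
  FOR SELECT USING (cl_has_org_access(organization_id));
CREATE POLICY cl_redisclosure_log_insert ON cl_redisclosure_log
  FOR INSERT WITH CHECK (cl_has_org_access(organization_id));

-- Layer 1: table privileges. RLS alone does not give immutability, because a
-- role with the BYPASSRLS attribute skips policies entirely.
REVOKE UPDATE, DELETE, TRUNCATE ON cl_redisclosure_log
  FROM PUBLIC, app_user, app_service;
GRANT SELECT, INSERT ON cl_redisclosure_log TO app_user, app_service;

-- Layer 2: trigger that still rejects mutation if a grant drifts back.
CREATE OR REPLACE FUNCTION cl_redisclosure_log_block_mutation()
RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'cl_redisclosure_log is append-only: % rejected', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER cl_redisclosure_log_no_update_delete
  BEFORE UPDATE OR DELETE ON cl_redisclosure_log
  FOR EACH ROW EXECUTE FUNCTION cl_redisclosure_log_block_mutation();

-- Row-level triggers do not fire on TRUNCATE, so it needs its own trigger.
CREATE TRIGGER cl_redisclosure_log_no_truncate
  BEFORE TRUNCATE ON cl_redisclosure_log
  FOR EACH STATEMENT EXECUTE FUNCTION cl_redisclosure_log_block_mutation();

-- Drift check: lists non-superuser roles that can still mutate the table.
-- Expect at most the table owner, if the owner is a non-superuser role.
SELECT r.rolname, p.priv
FROM pg_roles r
CROSS JOIN (VALUES ('UPDATE'), ('DELETE'), ('TRUNCATE')) AS p(priv)
WHERE NOT r.rolsuper
  AND has_table_privilege(r.rolname, 'cl_redisclosure_log', p.priv);
```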

References