Skip to main content
Spec: PM-55 Created: 2026-05-06 Status: 📝 Planned (WS1 — schema + permissions)

Overview

PM-55 implements the ONC HTI-1 (45 CFR 170.315(b)(11) and (g)(10)) Patient Access API, exposing USCDI v3 / US Core 7.0 FHIR R4 resources via SMART App Launch with OAuth2. It also delivers the 21st Century Cures Act §4004 information-blocking review workflow for Compliance Officers. PM-55 is the canonical PM owner of FHIR access logging, app-authorization consent, and information-blocking dispositions.

Integration Points

Platform Foundation Dependencies

Same-Core Dependencies

Cross-Core Dependencies

Pending IOU: CL-11 must publish cl.part2_consent_granted / cl.part2_consent_revoked events and provide cl_part2_check() helper. Tracked in PENDING_CONTRACTS.md.

Events Published

All event payloads are PHI-free (IDs + categorical fields only). See EVENT_CONTRACTS.md for schemas.

Events Consumed


Database Tables

All tables include organization_id, created_at, updated_at, custom_fields JSONB (except append-only audit tables — pending governance confirmation). FK on pm_patient_access_consents.consent_id references cl_consents.id.

Permissions

See spec § Permission Inventory. Constants exposed via PM_PERMISSIONS in src/platform/permissions/constants.ts.

Compliance References

  • ONC HTI-1: 45 CFR 170.315(b)(11), (g)(10)
  • 21st Century Cures Act §4004 — Information Blocking
  • HIPAA Privacy (45 CFR 164.524) and Security (45 CFR 164.312)
  • 42 CFR Part 2 — SUD confidentiality (gating via CL-11)
  • US Core IG 7.0 / USCDI v3
Pending Compliance Officer signoff: specs/pm/reviews/PM-55-COMPLIANCE-SIGNOFF.md.