Status: ✅ Implemented
Spec Reference: CL-01-patient-chart-clinical-summary.md
Last Updated: 2026-02-17
Last Verified: 2026-02-19
Table of Contents
- Overview
- Quick Reference
- Decision Tree
- Pattern Library
- Integration Points (from Spec)
- API / Data Contracts
- Labeled Example
- System Boundaries and Data Flow
- Event Contracts
- Security and RLS
- Common Mistakes
- Pre-Flight Checklist
- Related Docs
Overview
CL-01 defines the patient chart shell and clinical summary: unified clinical dashboard, problem list, allergies, timeline, clinical alerts, and break-glass emergency access. It depends on PF (organizations, RBAC, documents, audit, andpf_patient_identities for patient identity) and PM-01 (patient demographics via PF identity). Errata E-1 resolution (adopted): patient identity is provided by pf_patient_identities (PF); cl_patient_charts.patient_id references that table. No direct CL→PM FK.
Quick Reference
Decision Tree
- User requests chart access
- If user has org access (
cl_has_org_access) → allow normal read/write by role. - Else if user has active break-glass (
cl_fn_is_break_glass_authorized) → allow SELECT-only read path. - Else deny.
- When break-glass is requested, justification is required and
cl_fn_record_break_glasswrites immutable audit metadata.
Pattern Library
Integration Points (from Spec)
API / Data Contracts
- Chart data:
cl_patient_charts,cl_problems,cl_allergies; all scoped byorganization_id; RLS via SECURITY DEFINER helpers. - Break-glass: Justification required; time-limited; audit row created via
cl_fn_record_break_glass(PF-04); privacy officer notification. - Patient identity:
pf_patient_identities(PF) is the source of truth;cl_patient_charts.patient_idreferences it.
Labeled Example
Example: Break-Glass RPC payload
System Boundaries and Data Flow
- PF owns: tenant membership + patient identity (
pf_patient_identities). - CL owns: chart shell + clinical summary records (
cl_patient_charts,cl_problems,cl_allergies). - PM consumes shared identity: via PF and integration contracts, not direct CL DB dependency.
- UI requests chart by ID.
- Query includes tenant filter (
organization_id). - RLS checks
cl_has_chart_access. - Only non-deleted rows are returned.
- User submits reason.
cl_fn_record_break_glassvalidates org and chart/org match.- Audit row written.
- Time-limited read access is granted.
Event Contracts
- No CL-01-specific domain events are currently defined. Break-glass events are audit records (PF-04), not event-bus messages. Document future events in EVENT_CONTRACTS.md.
Security and RLS
- RLS on
cl_patient_charts,cl_problems,cl_allergies; USING and WITH CHECK policies rely on SECURITY DEFINER helpers. - UPDATE policies include WITH CHECK.
- 42 CFR Part 2 SUD records require additional consent-based access checks (CL-11).
- PHI access is audit-logged with minimum retention requirements.
Common Mistakes
Pre-Flight Checklist
- Confirm CL-01 tables have RLS + FORCE RLS enabled.
- Confirm UPDATE policies include WITH CHECK.
- Confirm break-glass RPC enforces org and chart consistency checks.
- Confirm all user-facing errors are sanitized.
- Confirm query keys/invalidation include tenant context.