Status: 📋 Spec approved; implementation pending
Spec Reference: CL-26-patient-reported-outcomes-self-service-portal.md
Last Updated: 2026-02-24
Overview
CL-26 defines patient self-service for screenings (PHQ-9, GAD-7, AUDIT-C, DAST-10, C-SSRS), between-session check-ins, read-only treatment plan view, consent self-service, secure messaging, and crisis resources. It extends the patient portal (PM-12) with clinical workflows and depends on CL-02, CL-03, CL-07, CL-10, CL-11, CL-23, PM-12, PM-14.Integration Points (from Spec)
API / Data Contracts
- Patient submissions:
cl_patient_submissions— patient-completed screenings; scoring and status (pending_review → reviewed → incorporated). Consumed by CL-23 for in-basket; clinician review updates status. - Between-session check-ins:
cl_between_session_checkins— mood, medication adherence, crisis flag; append-only. Crisis threshold triggers real-time escalation per FR-1/FR-2. - Treatment plan view: Read-only from CL-03 data; no new tables.
- Consent: View/revoke/sign via CL-11 workflows; CL-26 triggers workflow.
- Messaging: Send/receive via PM-14; non-crisis only.
Event Contracts
- Planned: Submission created (pending_review) → in-basket item in CL-23 when implemented; stub/queue until CL-23 available.
- Crisis: Positive C-SSRS ideation or crisis_flag/crisis_warning_signs → real-time escalation (push/SMS/phone or on-call) plus 988/local resources on confirmation screen.
Security and RLS
- RLS on
cl_patient_submissionsandcl_between_session_checkinsvia SECURITY DEFINER helpers (§5.7); no direct queries to RLS-protected tables in policies. - Patient: SELECT/INSERT only to own chart’s rows (portal identity → chart_id via SECURITY DEFINER).
- Clinician: SELECT/UPDATE via
cl_has_org_access(or equivalent). UPDATE policy oncl_patient_submissionsMUST include WITH CHECK (§5.2.4). - All portal PHI accesses (submissions, treatment plan view, consent, messaging) logged to
pf_audit_logs(NFR-1).