Purpose
CL-24 is the clinical compliance layer for telehealth. It owns per-patient consent, the pre-session safety checklist, the per-session compliance record (jurisdiction, modality, connectivity), the daily expiry-scan cron, and the integration boundary with PM-13 (operations) and CL-04 (progress notes). This contract is PHI-free in event payloads — IDs only.Ownership boundary
CL-24 owns the per-patient compliance wrapper around telehealth. PM-13 still owns the vendor session and the join URL. CL-04 still owns the progress-note narrative. PM-07 still derives billing modifiers fromclinical_note_finalized. CL-11 still owns 42 CFR Part 2 consent.
Why CL-24 does not publish modifier data: the modifier (95 / FQ / GQ) is a billing decision that depends on payer policy, not a clinical compliance event. PM-07 has owned this since CL-PM-TELEHEALTH v1.1.0. Adding a parallel publisher in CL-24 would create two sources of truth.
Published events (4)
All payloads are PHI-free. All events publish on channelcl_events. All cron-published events set metadata.user_id to the platform system actor UUID 00000000-0000-0000-0000-000000000001 per CL-FW automated publishers.
1. cl_telehealth_consent_captured
2. cl_telehealth_consent_revoked
PM-13 contract: on receipt, PM-13 must refuse to release a join URL for any futurepm_telehealth_sessionswhose linked chart matcheschart_idand whose requiredconsent_typeis now revoked. Re-establishing consent is handled by capturing a new consent row, which re-emitscl_telehealth_consent_captured.
3. cl_telehealth_consent_expiring
4. cl_telehealth_session_safety_completed
Consumed events (2)
CL-24 reads — never republishes — these existing events.clinical_note_finalized (CL-04 → CL-24)
CL-24 backfills cl_telehealth_sessions.progress_note_id when the finalized note’s cl_telehealth_session_id (if set on CL-04) matches a CL-24 session row. CL-24 does not transform or republish this event — PM-07’s billing path is unchanged.
telehealth_session_completed (PM-13 → CL-24)
CL-24 listens to mark its own CL-24 session row “PM-13 side closed” for reporting consistency. Compliance metrics are computed on the CL-24 side; the PM-13 event is informational.
Helper function contract
true iff there exists a row in cl_telehealth_consents for chart_id = p_chart_id, consent_type = p_type, with consented_at <= p_as_of, expires_at > p_as_of, and revoked_at IS NULL.
Caller contract:
- Type values:
'telehealth_general'|'audio_only'. Anything else returnsfalse. - Time semantics:
expires_atis a strict greater-than againstp_as_of— a consent that expires at exactlyp_as_ofis not valid. - Inheritance: the helper does not model the general→audio inheritance rule. The application layer (
useStartTelehealthSession) is responsible for checkingtelehealth_generalfirst when the session is audio-only. - Performance:
STABLE, usesidx_cl_telehealth_consents_chart_type(partial indexWHERE revoked_at IS NULL). Safe to call inline in CHECK contexts or RLS predicates. - Security:
SECURITY DEFINERwith hardenedsearch_path. Callers do not need direct SELECT oncl_telehealth_consents.
Cron contract
RLS contract
Bothcl_telehealth_consents and cl_telehealth_sessions use FORCE ROW LEVEL SECURITY.
No policy queries an RLS-protected table inside its predicate (constitution §5.7).
Error contract
CL-24 surfaces two typed application errors from the start-session orchestrator (useStartTelehealthSession). These are catchable at the call site and have stable error codes for UI messaging.
Non-throw conditions:
- When the corresponding block flag is
false, the orchestrator emits a structured warning toast (cl24.warn.consent/cl24.warn.safety) but does not throw. - All other failure modes (network, RLS denial, database constraint violation) surface as their native Supabase error types and are not wrapped.
Permission keys
Platform integration layer
CL-24 exposes cross-core integration points only through@/platform/clinical/telehealth/. PM-13 and PM-07 never import from @/cores/cl/*.
Currently exported:
TelehealthConsentBadge— visual badge for chart sidebar and PM-13 appointment form.useTelehealthConsentValidity(chartId, type)— read-only validity check.useTelehealthDocumentationEnabled(orgId)— feature-flag read.useTelehealthSessionsByPmIds(pmSessionIds)— bulk lookup for PM-13 session-list join.useChartIdForPatient(patientId)— helper used by the badge mount in PM-13.
Test contract
Per the spec’s Test Plan:- RLS tests (8 + 2 trigger): cross-tenant isolation on both tables; revocation-immutability trigger; safety-checklist CHECK constraint.
- Unit tests: date-math edges on
cl_telehealth_consent_is_valid; safety completion predicate; jurisdiction-mismatch predicate; connectivity-issues append. - Integration tests: start-session block-vs-warn matrix; cron idempotency within 24h window;
clinical_note_finalizedbackfill ofprogress_note_id. - E2E (Playwright): 6 curated user paths — capture consent, revoke consent, complete safety checklist, log connectivity issue, jurisdiction mismatch banner, link progress note.