Skip to main content
Contract Version: 1.0.0 Last Updated: 2026-05-28 Status: ✅ Implemented (Phase 1; stage 1 rollout) Owning Core: CL (Clinical) Spec: CL-24 Telehealth Documentation & Compliance Related contract: CL-PM Telehealth

Purpose

CL-24 is the clinical compliance layer for telehealth. It owns per-patient consent, the pre-session safety checklist, the per-session compliance record (jurisdiction, modality, connectivity), the daily expiry-scan cron, and the integration boundary with PM-13 (operations) and CL-04 (progress notes). This contract is PHI-free in event payloads — IDs only.

Ownership boundary

CL-24 owns the per-patient compliance wrapper around telehealth. PM-13 still owns the vendor session and the join URL. CL-04 still owns the progress-note narrative. PM-07 still derives billing modifiers from clinical_note_finalized. CL-11 still owns 42 CFR Part 2 consent.
Why CL-24 does not publish modifier data: the modifier (95 / FQ / GQ) is a billing decision that depends on payer policy, not a clinical compliance event. PM-07 has owned this since CL-PM-TELEHEALTH v1.1.0. Adding a parallel publisher in CL-24 would create two sources of truth.

Published events (4)

All payloads are PHI-free. All events publish on channel cl_events. All cron-published events set metadata.user_id to the platform system actor UUID 00000000-0000-0000-0000-000000000001 per CL-FW automated publishers.
PM-13 contract: on receipt, PM-13 must refuse to release a join URL for any future pm_telehealth_sessions whose linked chart matches chart_id and whose required consent_type is now revoked. Re-establishing consent is handled by capturing a new consent row, which re-emits cl_telehealth_consent_captured.

4. cl_telehealth_session_safety_completed


Consumed events (2)

CL-24 reads — never republishes — these existing events.

clinical_note_finalized (CL-04 → CL-24)

CL-24 backfills cl_telehealth_sessions.progress_note_id when the finalized note’s cl_telehealth_session_id (if set on CL-04) matches a CL-24 session row. CL-24 does not transform or republish this event — PM-07’s billing path is unchanged.

telehealth_session_completed (PM-13 → CL-24)

CL-24 listens to mark its own CL-24 session row “PM-13 side closed” for reporting consistency. Compliance metrics are computed on the CL-24 side; the PM-13 event is informational.

Helper function contract

Semantics: returns true iff there exists a row in cl_telehealth_consents for chart_id = p_chart_id, consent_type = p_type, with consented_at <= p_as_of, expires_at > p_as_of, and revoked_at IS NULL. Caller contract:
  • Type values: 'telehealth_general' | 'audio_only'. Anything else returns false.
  • Time semantics: expires_at is a strict greater-than against p_as_of — a consent that expires at exactly p_as_of is not valid.
  • Inheritance: the helper does not model the general→audio inheritance rule. The application layer (useStartTelehealthSession) is responsible for checking telehealth_general first when the session is audio-only.
  • Performance: STABLE, uses idx_cl_telehealth_consents_chart_type (partial index WHERE revoked_at IS NULL). Safe to call inline in CHECK contexts or RLS predicates.
  • Security: SECURITY DEFINER with hardened search_path. Callers do not need direct SELECT on cl_telehealth_consents.

Cron contract


RLS contract

Both cl_telehealth_consents and cl_telehealth_sessions use FORCE ROW LEVEL SECURITY. No policy queries an RLS-protected table inside its predicate (constitution §5.7).

Error contract

CL-24 surfaces two typed application errors from the start-session orchestrator (useStartTelehealthSession). These are catchable at the call site and have stable error codes for UI messaging.
Throw conditions: Non-throw conditions:
  • When the corresponding block flag is false, the orchestrator emits a structured warning toast (cl24.warn.consent / cl24.warn.safety) but does not throw.
  • All other failure modes (network, RLS denial, database constraint violation) surface as their native Supabase error types and are not wrapped.

Permission keys


Platform integration layer

CL-24 exposes cross-core integration points only through @/platform/clinical/telehealth/. PM-13 and PM-07 never import from @/cores/cl/*. Currently exported:
  • TelehealthConsentBadge — visual badge for chart sidebar and PM-13 appointment form.
  • useTelehealthConsentValidity(chartId, type) — read-only validity check.
  • useTelehealthDocumentationEnabled(orgId) — feature-flag read.
  • useTelehealthSessionsByPmIds(pmSessionIds) — bulk lookup for PM-13 session-list join.
  • useChartIdForPatient(patientId) — helper used by the badge mount in PM-13.

Test contract

Per the spec’s Test Plan:
  • RLS tests (8 + 2 trigger): cross-tenant isolation on both tables; revocation-immutability trigger; safety-checklist CHECK constraint.
  • Unit tests: date-math edges on cl_telehealth_consent_is_valid; safety completion predicate; jurisdiction-mismatch predicate; connectivity-issues append.
  • Integration tests: start-session block-vs-warn matrix; cron idempotency within 24h window; clinical_note_finalized backfill of progress_note_id.
  • E2E (Playwright): 6 curated user paths — capture consent, revoke consent, complete safety checklist, log connectivity issue, jurisdiction mismatch banner, link progress note.

References