cl_audit_dashboard_configs, cl_module_settings) are subject to change.
Module: Clinical & EHR (CL)Spec: CL-25 Clinical Audit & Compliance Dashboard
Version: current: see docs/VERSIONS.md
Last Updated: 2026-02-24
Overview
This guide covers administrative setup for the Clinical Audit & Compliance Dashboard: dashboard configuration, SLA settings, regulatory calendar, and permissions. The dashboard reads frompf_audit_logs and CL tables; every viewer action (dashboard open, query/filter, break-glass review) is written to pf_audit_logs per NFR-1.
Table of Contents
- Quick Reference
- Permissions
- Dashboard configuration
- SLA settings (break-glass)
- Regulatory calendar
- Settings summary
- Known limitations
- Common Mistakes
- Pre-Flight Checklist
- Troubleshooting
Quick Reference
Permissions
- Assign dashboard access to Compliance Officer, Privacy Officer, or designated audit viewer roles.
- Use finalized permission keys from PF-30 permissions mapping and CL-25 before seeding roles.
- Restrict export (if implemented) to appropriate roles.
Dashboard configuration
- Widgets: Configure which widgets appear (audit viewer, break-glass queue, consent monitor, documentation metrics, Part 2 dashboard, regulatory calendar, anomaly flags).
- Default date range: Set org-level default (e.g. last 7 days, last 30 days) for the audit viewer.
- Configuration is stored in
cl_module_settingsby key until a dedicatedcl_audit_dashboard_configstable is formally introduced and migrated.
SLA settings (break-glass)
- Default SLA: e.g. 24 hours for break-glass review (configurable per org).
- SLA hours: Stored in dashboard config or
cl_module_settings; used to compute due date when a break-glass event is created. - Ensure break-glass events are written to the audit log with the correct action type so the queue can query them.
Regulatory calendar
- Configure regulatory deadlines (e.g. AZDHS, Joint Commission, CARF) with due dates and reminders.
- Add or edit entries via Compliance > Regulatory Calendar (admin) or settings.
- Reminders can be tied to PF-10 notifications or internal reminders.
Settings summary
Known limitations
- Automated remediation actions are out of scope; review and follow-up are manual.
- Real-time alerting is a future enhancement.
- Retention and forwarding of audit log entries follow existing audit log policy; do not change from the dashboard.
Common Mistakes
Pre-Flight Checklist
- Permission mappings verified against CL-25 and PF-30.
- Dashboard settings keys configured in
cl_module_settings. - Break-glass SLA hours configured and tested.
- Regulatory reminder schedule validated.
- Audit logs confirm viewer and review actions are captured.