Module: Clinical & EHR (CL)
Spec: CL-25 Clinical Audit & Compliance Dashboard
Version: current: see docs/VERSIONS.md
Last Updated: 2026-02-24

Overview

The Clinical Audit & Compliance Dashboard gives compliance officers and designated staff a single place to monitor PHI access, break-glass events, consent status, documentation quality, and Part 2 compliance. All viewer actions (dashboard open, filters, break-glass review) are logged to the audit log per policy.

Permissions

Access to the dashboard is restricted to roles such as:
  • Compliance Officer
  • Privacy Officer
  • Designated audit viewers (per-org)
If you do not see the dashboard menu, your role may not have access. Contact your administrator.

Quick Reference

| I need to… | Pattern | Location |
| --- | --- | --- |
| Query PHI access logs | Filtered audit viewer query | PHI access audit (Audit viewer) |
| Review emergency access | SLA-based break-glass queue review | Break-glass review queue |
| Monitor consent risk | Consent status monitor by cohort | Consent compliance monitor |
| Investigate suspicious access | Threshold-based anomaly review | Anomaly flags |

Pre-Flight Checklist

  • Confirm your role includes dashboard access.
  • Set minimum-necessary date range and filters before running audit queries.
  • Verify recipient authorization before exporting any audit data.
  • Confirm escalation/contact path for confirmed anomalies.

Workflows

PHI access audit (Audit viewer)

  1. Navigate to Compliance > Audit Dashboard (or equivalent).
  2. Use filters:
    • Date range: Start and end date for access events.
    • User: Filter by user who performed the action.
    • Patient: Filter by patient (chart) accessed.
    • Action type: e.g. chart open, note view, export.
  3. Run the query. Results show access events from pf_audit_logs and CL sources.
  4. Export (if enabled) for external review or reporting.
⚠️ PHI Notice: Exported audit data may contain protected health information. Limit exports to minimum-necessary scope, send only to authorized recipients, use approved formats/channels, and follow organizational retention/destruction policy.

Break-glass review queue

  1. Open Compliance > Break-Glass Queue.
  2. The list shows break-glass access events, each with a due date based on your organization’s configured SLA.
  3. For each event, open the record and review justification.
  4. Mark as Reviewed and complete any required fields (e.g. reviewer note, outcome).
  5. Overdue items are highlighted; track completion for SLA compliance.

Consent compliance monitor

  1. Open Compliance > Consent Monitor (or Consent Compliance view).
  2. View aggregated consent status across the population:
    • Expired consents
    • Expiring in 30 / 14 / 7 days
    • Missing consent by type
  3. Use this view to prioritize outreach or renewal workflows.

Documentation quality metrics

  1. Open Compliance > Documentation Quality (or per-provider metrics).
  2. View completeness scores from progress notes:
    • Required fields present
    • Actual begin/end times (not templated)
    • Goal linkage
    • Member response
  3. Use these scores to identify documentation gaps and target training.

Part 2 compliance dashboard

  1. Open Compliance > Part 2 (SUD).
  2. View SUD record access patterns, consent verification rates, and redisclosure notice tracking.
  3. Align with 42 CFR Part 2 and organizational policy.

Regulatory calendar

  1. Open Compliance > Regulatory Calendar.
  2. View configurable deadlines (e.g. AZDHS, Joint Commission, CARF).
  3. Use reminders to prepare for surveys and submissions.

Anomaly flags

  1. The dashboard may highlight Anomaly flags for unusual access (e.g. high volume, after-hours, same-patient repeated access).
  2. Default trigger examples (organization-configurable) include:
    • after-hours access (10pm–6am local time)
    • high-volume access (>10 distinct patient records by same user in 1 hour)
    • same-patient repeated access (>3 accesses by same user in 24 hours)
  3. Review flagged events, document findings, and follow your organization’s Privacy Incident Response procedure for confirmed violations.
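
The three default triggers above, applied to a batch of access events, as an added example (not EncoreOS code) for the scheduled-report style of review. The event tuple layout, the user and patient identifiers, and the reading of "in 1 hour" / "in 24 hours" as trailing windows are assumptions; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as (user, patient, timestamp in the org's local time).
# This tuple layout is an assumption; the page does not document the export schema.
DAY = datetime(2026, 2, 2)
EVENTS = (
    [("u-nurse1", f"p-{n:03d}", DAY + timedelta(hours=14, minutes=2 * n)) for n in range(11)]
    + [("u-clerk2", "p-900", DAY + timedelta(hours=9 + 2 * n)) for n in range(4)]
    + [("u-md3", "p-555", DAY + timedelta(hours=23, minutes=15))]
    + [("u-md4", "p-700", DAY + timedelta(hours=10, minutes=n)) for n in range(3)]
)

def is_after_hours(ts):
    """10pm-6am local time; the window wraps past midnight."""
    return ts.hour >= 22 or ts.hour < 6

def flag_anomalies(events, max_patients=10, max_repeats=3):
    """Return a set of (rule, user, patient) flags; patient is None for high_volume."""
    flags = set()
    by_user = defaultdict(list)
    for user, patient, ts in sorted(events, key=lambda e: e[2]):
        if is_after_hours(ts):
            flags.add(("after_hours", user, patient))
        by_user[user].append((ts, patient))
    for user, rows in by_user.items():
        for i, (ts, patient) in enumerate(rows):
            seen = rows[: i + 1]  # events up to and including this one
            # Trailing 1-hour window: more than max_patients distinct charts.
            last_hour = {p for t, p in seen if ts - t < timedelta(hours=1)}
            if len(last_hour) > max_patients:
                flags.add(("high_volume", user, None))
            # Trailing 24-hour window: more than max_repeats opens of one chart.
            repeats = sum(1 for t, p in seen if p == patient and ts - t < timedelta(hours=24))
            if repeats > max_repeats:
                flags.add(("same_patient_repeat", user, patient))
    return flags

if __name__ == "__main__":
    for flag in sorted(flag_anomalies(EVENTS), key=str):
        print(flag)
```

Because the thresholds are strict, `u-md4`'s three opens of one chart produce no flag, and neither would exactly ten distinct charts in an hour; activity just under a threshold needs the related-signal review described under Common Mistakes.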

Known limitations

  • Dashboard is read-only; no PHI is modified from this module.
  • Real-time alerting is out of scope in the initial release; use scheduled reports or manual review.
  • Export format and retention follow existing audit log policy.

Common Mistakes

| Mistake | Impact | Fix |
| --- | --- | --- |
| Running broad unfiltered queries | Slow/noisy review output | Start narrow, then expand scope incrementally |
| Exporting without recipient validation | Potential disclosure violations | Validate recipient authorization before export |
| Assuming missing anomaly flags means no risk | Missed compliance issues | Confirm threshold config and investigate related signals |

Troubleshooting

| Issue | What to check |
| --- | --- |
| No data in date range | Confirm date range and that audit logging is enabled for the relevant actions. |
| Missing break-glass events | Verify break-glass events are written to pf_audit_logs with the expected action type. |
| Consent view doesn’t match expectations | Ensure CL-11 consent data is live; check filters (org, site). |
| Slow dashboard load | Contact admin; NFR-2 target is p95 < 3s; indexes or materialized views may be needed. |

