> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Clinical Audit & Compliance Dashboard — User Guide

> Module: Clinical & EHR (CL) Spec: CL-25 Clinical Audit & Compliance Dashboard Version: current: see docs/VERSIONS.md Last Updated: 2026-02-24

**Module:** Clinical & EHR (CL)\
**Spec:** [CL-25 Clinical Audit & Compliance Dashboard](../../specs/cl/specs/CL-25-clinical-audit-compliance-dashboard.md)\
**Version:** current: see docs/VERSIONS.md\
**Last Updated:** 2026-02-24

***

## Table of Contents

* [Overview](#overview)
* [Permissions](#permissions)
* [Quick Reference](#quick-reference)
* [Pre-Flight Checklist](#pre-flight-checklist)
* [Workflows](#workflows)
* [Known limitations](#known-limitations)
* [Common Mistakes](#common-mistakes)
* [Troubleshooting](#troubleshooting)
* [Related Documentation](#related-documentation)
* [References](#references)

***

## Overview

The Clinical Audit & Compliance Dashboard gives compliance officers and designated staff a single place to monitor PHI access, break-glass events, consent status, documentation quality, and Part 2 compliance. All viewer actions (dashboard open, filters, break-glass review) are logged to the audit log per policy.

***

## Permissions

Access to the dashboard is restricted to roles such as:

* Compliance Officer
* Privacy Officer
* Designated audit viewers (per-org)

If you do not see the dashboard menu, your role may not have access. Contact your administrator.

***

## Quick Reference

| I need to…                    | Pattern                            | Location                                                          |
| ----------------------------- | ---------------------------------- | ----------------------------------------------------------------- |
| Query PHI access logs         | Filtered audit viewer query        | [PHI access audit (Audit viewer)](#phi-access-audit-audit-viewer) |
| Review emergency access       | SLA-based break-glass queue review | [Break-glass review queue](#break-glass-review-queue)             |
| Monitor consent risk          | Consent status monitor by cohort   | [Consent compliance monitor](#consent-compliance-monitor)         |
| Investigate suspicious access | Threshold-based anomaly review     | [Anomaly flags](#anomaly-flags)                                   |

## Pre-Flight Checklist

* [ ] Confirm your role includes dashboard access.
* [ ] Set minimum-necessary date range and filters before running audit queries.
* [ ] Verify recipient authorization before exporting any audit data.
* [ ] Confirm escalation/contact path for confirmed anomalies.

***

## Workflows

### PHI access audit (Audit viewer)

1. Navigate to **Compliance > Audit Dashboard** (or equivalent).
2. Use filters:
   * **Date range:** Start and end date for access events.
   * **User:** Filter by user who performed the action.
   * **Patient:** Filter by patient (chart) accessed.
   * **Action type:** e.g. chart open, note view, export.
3. Run the query. Results show access events from `pf_audit_logs` and CL sources.
4. Export (if enabled) for external review or reporting.

> ⚠️ **PHI Notice:** Exported audit data may contain protected health information. Limit exports to minimum-necessary scope, send only to authorized recipients, use approved formats/channels, and follow organizational retention/destruction policy.

### Break-glass review queue

1. Open **Compliance > Break-Glass Queue**.
2. List shows break-glass access events with due date based on your organization’s configured SLA.
3. For each event, open the record and review justification.
4. Mark as **Reviewed** and complete any required fields (e.g. reviewer note, outcome).
5. Overdue items are highlighted; track completion for SLA compliance.

### Consent compliance monitor

1. Open **Compliance > Consent Monitor** (or Consent Compliance view).
2. View aggregated consent status across the population:
   * Expired consents
   * Expiring in 30 / 14 / 7 days
   * Missing consent by type
3. Use this view to prioritize outreach or renewal workflows.

### Documentation quality metrics

1. Open **Compliance > Documentation Quality** (or per-provider metrics).
2. View completeness scores from progress notes:
   * Required fields present
   * Actual begin/end times (not templated)
   * Goal linkage
   * Member response
3. Use to identify documentation gaps and target training.

### Part 2 compliance dashboard

1. Open **Compliance > Part 2** (SUD).
2. View SUD record access patterns, consent verification rates, and redisclosure notice tracking.
3. Align with 42 CFR Part 2 and organizational policy.

### Regulatory calendar

1. Open **Compliance > Regulatory Calendar**.
2. View configurable deadlines (e.g. AZDHS, Joint Commission, CARF).
3. Use reminders to prepare for surveys and submissions.

### Anomaly flags

1. The dashboard may highlight **Anomaly** flags for unusual access (e.g. high volume, after-hours, same-patient repeated access).
2. Default trigger examples (organization-configurable) include:
   * after-hours access (10pm–6am local time)
   * high-volume access (>10 distinct patient records by same user in 1 hour)
   * same-patient repeated access (>3 accesses by same user in 24 hours)
3. Review flagged events, document findings, and follow your organization’s Privacy Incident Response procedure for confirmed violations.

***

## Known limitations

* Dashboard is read-only; no PHI is modified from this module.
* Real-time alerting is out of scope in the initial release; use scheduled reports or manual review.
* Export format and retention follow existing audit log policy.

***

## Common Mistakes

| Mistake                                      | Impact                          | Fix                                                      |
| -------------------------------------------- | ------------------------------- | -------------------------------------------------------- |
| Running broad unfiltered queries             | Slow/noisy review output        | Start narrow, then expand scope incrementally            |
| Exporting without recipient validation       | Potential disclosure violations | Validate recipient authorization before export           |
| Assuming missing anomaly flags means no risk | Missed compliance issues        | Confirm threshold config and investigate related signals |

***

## Troubleshooting

| Issue                                   | What to check                                                                           |
| --------------------------------------- | --------------------------------------------------------------------------------------- |
| No data in date range                   | Confirm date range and that audit logging is enabled for the relevant actions.          |
| Missing break-glass events              | Verify break-glass events are written to `pf_audit_logs` with the expected action type. |
| Consent view doesn’t match expectations | Ensure CL-11 consent data is live; check filters (org, site).                           |
| Slow dashboard load                     | Contact admin; NFR-2 target is p95 \< 3s; indexes or materialized views may be needed.  |

***

## Related Documentation

* **Specification:** [specs/cl/specs/CL-25-clinical-audit-compliance-dashboard.md](../../specs/cl/specs/CL-25-clinical-audit-compliance-dashboard.md)

***

## References

* [CL-25 Spec](../../specs/cl/specs/CL-25-clinical-audit-compliance-dashboard.md)
* [REGULATORY\_COMPLIANCE\_TRACKER](../compliance/REGULATORY_COMPLIANCE_TRACKER.md)
* [CL-11 Consent Management](../../specs/cl/specs/CL-11-consent-management-42cfr-part2.md)