Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt

Use this file to discover all available pages before exploring further.

Feature: CL-11 Consent Management
Last Updated: 2026-02-21
Audience: Clinical staff, Medical Records, Compliance

Overview

The Consent Management module enables your organization to capture, track, and enforce patient consents in compliance with 42 CFR Part 2 (Substance Use Disorder confidentiality) and general HIPAA requirements. It provides:
  • Consent capture for multiple consent types (TPO, SUD counseling notes, legal proceedings, etc.)
  • Consent lifecycle management (active, expired, revoked)
  • Disclosure logging to track every instance of PHI sharing
  • Accounting of Disclosures export for patient requests and audits
  • SUD detection — charts flagged as SUD-indicated require Part 2 consent before access

Permissions Required

ActionPermission Key
View consentscl.consents.view
Create consentscl.consents.create
Revoke consentscl.consents.revoke
View disclosure logcl.disclosure_log.view
Create disclosure entriescl.disclosure_log.create
Export accounting of disclosurescl.disclosure_log.export
Contact your organization administrator if you need access.
  1. Navigate to a Patient Chart (Clinical > Patient Charts > select patient).
  2. Click the “Consents” tab to view and manage consents.
  3. Click the “Disclosures” tab to view and log disclosures.
  1. On the Consents tab, click “Add Consent”.
  2. Fill in the required fields:
    • Consent Type: Select the type (e.g., TPO, SUD Counseling Notes, Treatment).
    • Category: Select the category:
      • Standard — General HIPAA consent
      • 42 CFR Part 2 — SUD-specific consent (required for SUD records)
      • Minor — Consent involving a minor
      • Guardian — Guardian-provided consent
    • Purpose: Describe the purpose of the consent.
    • Effective Date: When the consent takes effect.
    • Expiration Date (optional): When the consent expires.
  3. Click “Create Consent” to save.

Key Rules

  • SUD records require a separate consent with category “42 CFR Part 2” before staff can access SUD-related documentation.
  • Consents without an expiration date remain active indefinitely until revoked.
  • The “Legal Proceedings” consent type should be used only for court-ordered or subpoena-related disclosures.
Each consent displays a status badge:
StatusMeaning
🟢 ActiveConsent is in effect (not expired, not revoked)
🟡 ExpiredConsent expiration date has passed
🔴 RevokedConsent was explicitly revoked
  1. On the Consents tab, find the consent to revoke.
  2. Click the “Revoke” button (requires cl.consents.revoke permission).
  3. Enter a Revocation Reason (required).
  4. Click “Revoke Consent” to confirm.

Important

  • Revocation is permanent — a revoked consent cannot be reactivated.
  • Revocation does not retroactively invalidate disclosures made while the consent was active.
  • After revocation, new disclosures for the covered scope will require a new consent.

Logging a Disclosure

Every time PHI is shared externally, a disclosure entry must be created:
  1. Go to the Disclosures tab on the patient chart.
  2. Click “Log Disclosure”.
  3. Fill in the required fields:
    • Disclosed To: Name/organization receiving the information.
    • Purpose: Reason for the disclosure (e.g., “Continuity of care referral”).
    • Record Types Disclosed: What information was shared.
    • Consent Reference: Select the active consent that authorizes this disclosure.
    • Redisclosure Notice Included: Check this box to confirm the redisclosure prohibition notice was included (required for Part 2 records).
  4. Click “Log Disclosure” to save.

42 CFR Part 2 Redisclosure Notice

For SUD-related disclosures, you must include the following notice (or equivalent) with the disclosed information:
“This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2.”

Accounting of Disclosures Export

Patients have the right to request an accounting of all disclosures of their PHI:
  1. Go to the Disclosures tab.
  2. Click “Export Accounting” (requires cl.disclosure_log.export permission).
  3. Optionally set a date range to filter disclosures.
  4. A CSV file will download containing:
    • Disclosure date
    • Recipient
    • Purpose
    • Record types disclosed
    • Consent reference
    • Redisclosure notice status
Charts flagged with SUD Indicated in the patient chart flags require a valid 42 CFR Part 2 consent before clinical staff can access SUD-related records. The system automatically:
  1. Checks the chart’s sud_indicated flag.
  2. Verifies an active Part 2 consent exists for the chart.
  3. Blocks access if no valid consent is found (via database-level enforcement).

Frequently Asked Questions

Q: Can I edit a consent after creating it?
A: You can update purpose, scope, and named parties. You cannot change the consent type or category after creation. To change these, revoke the existing consent and create a new one. Q: What happens when a consent expires?
A: The consent status changes to “Expired” automatically. No new disclosures can reference an expired consent. A new consent must be captured if continued disclosure is needed. Q: Who can hard-delete a consent?
A: Only organization administrators can hard-delete consent records. Standard users should use revocation instead.

References