> ## Documentation Index > Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt > Use this file to discover all available pages before exploring further. # Consent Management & 42 CFR Part 2 — User Guide > Feature: CL-11 Consent Management Last Updated: 2026-02-21 Audience: Clinical staff, Medical Records, Compliance **Feature:** CL-11 Consent Management\ **Last Updated:** 2026-02-21\ **Audience:** Clinical staff, Medical Records, Compliance *** ## Overview The Consent Management module enables your organization to capture, track, and enforce patient consents in compliance with **42 CFR Part 2** (Substance Use Disorder confidentiality) and general HIPAA requirements. It provides: * **Consent capture** for multiple consent types (TPO, SUD counseling notes, legal proceedings, etc.) * **Consent lifecycle management** (active, expired, revoked) * **Disclosure logging** to track every instance of PHI sharing * **Accounting of Disclosures** export for patient requests and audits * **SUD detection** — charts flagged as SUD-indicated require Part 2 consent before access *** ## Permissions Required | Action | Permission Key | | -------------------------------- | -------------------------- | | View consents | `cl.consents.view` | | Create consents | `cl.consents.create` | | Revoke consents | `cl.consents.revoke` | | View disclosure log | `cl.disclosure_log.view` | | Create disclosure entries | `cl.disclosure_log.create` | | Export accounting of disclosures | `cl.disclosure_log.export` | Contact your organization administrator if you need access. *** ## Accessing Consent Management 1. Navigate to a **Patient Chart** (Clinical > Patient Charts > select patient). 2. Click the **"Consents"** tab to view and manage consents. 3. Click the **"Disclosures"** tab to view and log disclosures. *** ## Capturing a New Consent 1. On the **Consents** tab, click **"Add Consent"**. 2. Fill in the required fields: * **Consent Type**: Select the type (e.g., TPO, SUD Counseling Notes, Treatment). * **Category**: Select the category: * **Standard** — General HIPAA consent * **42 CFR Part 2** — SUD-specific consent (required for SUD records) * **Minor** — Consent involving a minor * **Guardian** — Guardian-provided consent * **Purpose**: Describe the purpose of the consent. * **Effective Date**: When the consent takes effect. * **Expiration Date** (optional): When the consent expires. 3. Click **"Create Consent"** to save. ### Key Rules * **SUD records** require a separate consent with category **"42 CFR Part 2"** before staff can access SUD-related documentation. * Consents without an expiration date remain active indefinitely until revoked. * The **"Legal Proceedings"** consent type should be used only for court-ordered or subpoena-related disclosures. *** ## Viewing Consent Status Each consent displays a status badge: | Status | Meaning | | -------------- | ----------------------------------------------- | | 🟢 **Active** | Consent is in effect (not expired, not revoked) | | 🟡 **Expired** | Consent expiration date has passed | | 🔴 **Revoked** | Consent was explicitly revoked | *** ## Revoking a Consent 1. On the **Consents** tab, find the consent to revoke. 2. Click the **"Revoke"** button (requires `cl.consents.revoke` permission). 3. Enter a **Revocation Reason** (required). 4. Click **"Revoke Consent"** to confirm. ### Important * Revocation is **permanent** — a revoked consent cannot be reactivated. * Revocation does **not** retroactively invalidate disclosures made while the consent was active. * After revocation, new disclosures for the covered scope will require a new consent. *** ## Logging a Disclosure Every time PHI is shared externally, a disclosure entry must be created: 1. Go to the **Disclosures** tab on the patient chart. 2. Click **"Log Disclosure"**. 3. Fill in the required fields: * **Disclosed To**: Name/organization receiving the information. * **Purpose**: Reason for the disclosure (e.g., "Continuity of care referral"). * **Record Types Disclosed**: What information was shared. * **Consent Reference**: Select the active consent that authorizes this disclosure. * **Redisclosure Notice Included**: Check this box to confirm the redisclosure prohibition notice was included (required for Part 2 records). 4. Click **"Log Disclosure"** to save. ### 42 CFR Part 2 Redisclosure Notice For SUD-related disclosures, you **must** include the following notice (or equivalent) with the disclosed information: > *"This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2."* *** ## Accounting of Disclosures Export Patients have the right to request an accounting of all disclosures of their PHI: 1. Go to the **Disclosures** tab. 2. Click **"Export Accounting"** (requires `cl.disclosure_log.export` permission). 3. Optionally set a **date range** to filter disclosures. 4. A CSV file will download containing: * Disclosure date * Recipient * Purpose * Record types disclosed * Consent reference * Redisclosure notice status *** ## SUD Detection & Consent Enforcement Charts flagged with **SUD Indicated** in the patient chart flags require a valid **42 CFR Part 2** consent before clinical staff can access SUD-related records. The system automatically: 1. Checks the chart's `sud_indicated` flag. 2. Verifies an active Part 2 consent exists for the chart. 3. Blocks access if no valid consent is found (via database-level enforcement). *** ## Frequently Asked Questions **Q: Can I edit a consent after creating it?**\ A: You can update purpose, scope, and named parties. You cannot change the consent type or category after creation. To change these, revoke the existing consent and create a new one. **Q: What happens when a consent expires?**\ A: The consent status changes to "Expired" automatically. No new disclosures can reference an expired consent. A new consent must be captured if continued disclosure is needed. **Q: Who can hard-delete a consent?**\ A: Only organization administrators can hard-delete consent records. Standard users should use revocation instead. *** ## References * [42 CFR Part 2 Final Rule](https://www.hhs.gov/hipaa/part-2/index.html) * [CL-11 Specification](../../specs/cl/specs/CL-11-consent-management-42cfr-part2.md)