Skip to main content
Source: CL-PM-SPEC-REVIEW, docs/archive/ehr_pm/ehr_research_updated.md, BHRF Coverage Plan 2026-05-18 This document tracks regulatory deadlines, implementation status, responsible spec, and interim procedures for Encore OS EHR/PM.
How we stay current: automated tripwires (Federal Register, curated AZ/AHCCCS/CMS/ONC sources, deadline alerts) plus a deep-dive agent file issues against the specs below. See Regulatory Monitoring & Automation for the runbook.

CL-11 (42 CFR Part 2) — Implemented

Deadline: Feb 16, 2026
Status: ✅ Compliant — fully implemented.
  • Spec: CL-11 Consent Management
  • Integration doc: CL-11-consent-management-42cfr-part2-INTEGRATION.md
  • Capabilities: Consent capture (8 types, 4 categories), consent lifecycle (active/expired/revoked), disclosure logging with consent reference, accounting of disclosures export, SUD detection via cl_check_sud_consent(), permission-gated UI. CL-11-EN-01: Electronic consent with e-signature, granular categories (treatment/payment/operations/providers/research), 42 CFR Part 2 § 2.32 redisclosure chain-of-custody audit trail, consent expiration alerts (30/14/7 days), revocation workflow, Part 2 compliance dashboard. Evidence: docs/compliance/evidence/CL-11-EN-01-42cfr-part2-EVIDENCE.md.

Status Legend


Tracker Table

| Multi-State Medicaid Compliance (state-specific Medicaid rules for CL/PM) | Ongoing | 📋 Specification | PF-96PF-96 Medicaid State Compliance Configuration; CL-55 consumer | Platform / Compliance | — | Current state: AHCCCS (Arizona Medicaid) is hardcoded as the only Medicaid profile. CL/PM behavior, UI labels, filing deadlines, assessment requirements, and billing rules assume Arizona. Target: PF-96 jurisdiction profile system with state-specific rule packs (clinical, billing, compliance) inheriting from a federal baseline. Org-level and site-level profile assignment enables multi-state operations. Arizona ships as the first fully-defined profile with zero regression. CL-55 consumer requirement: virtual group modifier suggestions must resolve through PF-96/PF-70; Arizona 95 + HQ is a profile result, not a universal constant. | | CL-35 Population Health & Care Gap Management (AHCCCS VBP; NCQA HEDIS AMM/IET; CMS MA STARS BH; SAMHSA CCBHC; CARF; HIPAA Privacy 45 CFR 164.514(b); 42 CFR Part 2) | Ongoing | ✅ Implemented | CL-35CL-35 Population Health; FUH/FUM consumed from CL-29-EN-65 | CL / Quality Team | — | AHCCCS VBP: population dashboards + cl-vbp-export CSV with required aggregate columns (org/measure/period/denominator/numerator/rate). NCQA HEDIS: AMM/IET implemented per MY 2026 thresholds (84/180/14/2 days), versioned JSON seed definitions under supabase/seeds/cl_hedis_measure_definitions/, calculator edge function cl-hedis-calculator UPSERTs into cl_quality_measure_periods and emits cl_quality_measure_period_calculated. FUH/FUM owned by CL-29-EN-65 (no duplicate logic). CMS MA STARS: separate MA_STARS variants in seed files; Quality Measures page renders dedicated MA STARS tab. SAMHSA CCBHC: systematic care gap work list, clinician panels, supervisor view, proactive identification of overdue assessments / missing follow-ups / due screenings. CARF: aggregate population dashboard with risk-tier distribution and outcome trends for data-driven program evaluation. HIPAA Privacy: applySmallCellSuppression (n < 5 → <5) on every aggregate hook + edge function; CSV export contains no chart_id/patient_id/mrn; logger sanitization verified statically. 42 CFR Part 2: calculateRiskScore excludes the MOUD component and proportionally redistributes weight when cl_check_sud_consent is false; MOUD never exposed as a dashboard disaggregation dimension. Tests: 30 + integration tests under tests/integration/cl/cl35-compliance-*.test.ts. User guide: docs/cl/population-health-user-guide.md. Admin guide: docs/cl/population-health-admin-guide.md. Integration: CL-35, CL–FA VBP, CL–FW Events. |

High-priority event consumers (patient safety / compliance)


HR module — Human Resources Workforce Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: HR_WORKFORCE_COMPLIANCE_TRACKING.md. FCRA/TCPA gates: FCRA_TCPA_COMPLIANCE_TRACKING.md.

RH module — Recovery Housing Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: RH_RECOVERY_HOUSING_COMPLIANCE_TRACKING.md.

FA module — Finance & Accounting compliance

Status: Tracked below. Detailed deadlines, spec mapping, and authoritative references: FA_FINANCIAL_COMPLIANCE_TRACKING.md.

GR module — Governance & Risk Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: GR_GOVERNANCE_COMPLIANCE_TRACKING.md.

IT module — Information Security Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: IT_SECURITY_COMPLIANCE_TRACKING.md.

PF module — Platform Foundation Compliance

Status: PF implements HIPAA technical safeguards (auth, RBAC, audit logging, encryption) tracked under the IT section above. Accessibility compliance tracked below.

CE module — Community Engagement Communications Compliance

Status: Tracked below. Detailed requirements: CE_COMMUNICATIONS_COMPLIANCE_TRACKING.md.

Modules with dedicated sections above

Low-regulation modules (FW, FM, LO)

These modules have minimal or no direct regulatory exposure. Compliance requirements are inherited from other modules.
  • FW (Forms & Workflow): Infrastructure module. No direct regulatory obligations. PHI handling inherited from PF (HIPAA technical safeguards) and CL (42 CFR Part 2). Form content validation and access controls enforced by the platform layer. No dedicated compliance tracking needed.
  • FM (Facilities Management): Building and facility operations. Potential OSHA workplace safety requirements (tracked under HR for employer obligations) and ADA physical accessibility (operational, not system-level). Fire code compliance tracked under RH for recovery housing properties. No direct FM-specific regulations requiring system-level compliance tracking.
  • LO (Logistics & Inventory): Supply chain and inventory management. Controlled substance inventory management (DEA, 21 CFR Part 1304) is owned by CL-06, not LO. General inventory has no specific regulatory requirements. No dedicated compliance tracking needed.

Interim Procedures (42 CFR Part 2)

Until CL-11 is fully implemented:
  1. Consent: Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy. Do not rely on system to enforce; manual checklist.
  2. Disclosure log: Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
  3. Redisclosure: Include notice that redisclosure is prohibited on any disclosed information.
  4. Training: Ensure staff trained on Part 2 requirements and interim process.

New Regulatory Requirements (May 2026 Analysis)

The following requirements were identified in the May 2026 ONC Certification Strategy & Regulatory Readiness analysis. See docs/compliance/ONC_REGULATORY_READINESS_IMPLEMENTATION_PLAN.md for full implementation plan.

References

Enhancement references (internal RFC)