
Version: 1.2.0 Last Updated: 2026-05-18 Owner: Product / Compliance
Source: CL-PM-SPEC-REVIEW, docs/archive/ehr_pm/ehr_research_updated.md, BHRF Coverage Plan 2026-05-18
This document tracks regulatory deadlines, implementation status, responsible spec, and interim procedures for Encore Health OS EHR/PM.

CL-11 (42 CFR Part 2) — Implemented

Deadline: Feb 16, 2026
Status: ✅ Compliant — fully implemented.
  • Spec: CL-11 Consent Management
  • Integration doc: CL-11-consent-management-42cfr-part2-INTEGRATION.md
  • Capabilities: Consent capture (8 types, 4 categories), consent lifecycle (active/expired/revoked), disclosure logging with consent reference, accounting of disclosures export, SUD detection via cl_check_sud_consent(), permission-gated UI. CL-11-EN-01: Electronic consent with e-signature, granular categories (treatment/payment/operations/providers/research), 42 CFR Part 2 § 2.32 redisclosure chain-of-custody audit trail, consent expiration alerts (30/14/7 days), revocation workflow, Part 2 compliance dashboard. Evidence: docs/compliance/evidence/CL-11-EN-01-42cfr-part2-EVIDENCE.md.

Status Legend

| Status | Meaning |
| --- | --- |
| ✅ Compliant | Implemented and verified |
| 🟡 In Progress | Implementation underway |
| ⏳ Not Started | Spec exists; 0% implemented |
| ⚠️ Overdue | Deadline passed; interim procedures in place |
| 📋 N/A | Not applicable or deferred |
| 🏗️ Scaffolded | Partial implementation: core structure (tables, UI shell, audit hooks) in place; vendor integration, gateway, or go-live still pending. Tracker cells may append a percentage (e.g. 🏗️ Scaffolded (70%)) for rough completeness. |

Tracker Table

| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| 42 CFR Part 2 (SUD confidentiality) | Feb 16, 2026 | ✅ Compliant | CL-11 (CL-11 Integration doc); CL-31 (consumer: SUD consent gating for COD assessments and dual-diagnosis notes via redactSUDFields helper); CL-48 (consumer: SUD consent check before CDA generation, SUD section filtering, redisclosure notice, disclosure logging; 📋 Specification); CL-55 (consumer: virtual group/multi-party event gating; 📋 Specification); CE-54 (consumer: AI triage SUD consent gating; edge function checks consent_obtained on ce_screening_attempts before including SUD fields in AI payload; blocked attempts audit-logged; AI response validated for PHI before storage; 📋 Draft) | | | Implemented: consent capture, revocation, disclosure logging, accounting export, SUD detection via cl_check_sud_consent. CL-31 planned/in progress: design/specs for consent capture, revocation, disclosure logging, accounting export and SUD detection via cl_check_sud_consent for COD documentation; interim controls in place; CL-31 will extend Part 2 coverage for COD documentation (redactSUDFields for ASI-6 SUD domains and progress note SUD sections). CL-48 planned: C-CDA generation checks cl_has_sud_consent(chart_id) before including SUD data in CDA sections; excludes SUD medications/diagnoses/notes when consent inactive; attaches redisclosure notice per § 2.32; creates disclosure log entry per § 2.31. CL-55 planned: SUD-related virtual group attendance, recording, export, and event publication must route through CL-11 consent/disclosure policy checks and keep events PHI-free. CE-54 planned: AI triage edge function verifies SUD consent on ce_screening_attempts before processing; SUD fields excluded if consent missing; PHI detection on AI response before storage; structured output prevents re-disclosure (§ 2.32). |
| ONC HTI-1 / USCDI v3 | Jan 1, 2026 | ⚠️ Overdue | PM-01, CL-16, CL-48 (C-CDA R2.1 document format per §170.315(b)(1)) | | | Align demographics and export scope with USCDI v3 in new development; certification pathway documented in ONC_CERTIFICATION_ROADMAP.md. CL-48 addresses C-CDA R2.1 generation for Transitions of Care (§170.315(b)(1)). |
| Arizona CSPMP (PDMP) EMR integration | Dec 31, 2026 | 🏗️ Scaffolded (70%) | CL-17 (Arizona CSPMP/PDMP) | Vendor-Selection Lead | | Rationale (aligns with specs/cl/README.md CL-17 row): PDMP scaffolding (tables, UI shell, audit hooks) is in place; vendor/gateway integration remains pending selection and go-live before Dec 2026. Interim: manual PDMP check outside the system until integration is live; document the query in the chart. |
| HHS Section 504 WCAG 2.1 AA (web accessibility) | May 2026 | 🟡 In Progress (Escalated; weekly updates until May 11, 2026) | CL-26, EN-64 (CL-26-EN-64 multi-language portal) | Accessibility Lead | 2026-05-11 | Wave 1 (HIGH priority). Weekly status updates until May 11, 2026. Immediate task: run WCAG 2.1 AA gap analysis (keyboard navigation, screen-reader checks, form labels, contrast fixes) linked to CL-26-EN-64. Acceptance criteria: portal meets WCAG 2.1 AA; multi-language support per EN-64. |
| HIPAA EDI — Clearinghouse Transport (45 CFR 162 X12 5010 compliance; 45 CFR 164.312(e)(2)(ii) PHI encryption in transit; 45 CFR 164.312(a)(2)(iv) credential encryption at rest; 45 CFR 164.312(b) audit controls) | Ongoing | ✅ Implemented | PM-15-P2 (Production Clearinghouse Transport) | | 2026-04-09 | PM-15-P2 implements REST-only transport for live X12 5010 claim submission (837P), ERA retrieval (835), eligibility (270/271), acknowledgment processing (999, 277CA), and connection health monitoring. Waystar OAuth2 via Edge Function Secrets. SFTP deferred (Deno Deploy incompatible). 72 unit tests passing. Evidence: docs/compliance/evidence/PM-15-P2-HIPAA-EDI-EVIDENCE.md. Sign-off: specs/pm/PM-15-P2-COMPLIANCE-SIGNOFF.md. |
| HIPAA EDI — Multi-vendor clearinghouse failover (45 CFR 162 X12 5010 continuity; 45 CFR 164.312(a)/(b)/(e) access, audit, transmission safeguards; 45 CFR 164.308(b)(1), 164.502(e) BAA controls) | Ongoing (go-live gate before non-Waystar PHI traffic) | ✅ Implemented (Waystar live; Availity / Change Healthcare gated by BAA) | PM-15-P2-EN-01 (Clearinghouse Multi-Vendor Failover · Plan · Tasks · Context) | PM / Compliance / Security | 2026-05-15 | Adds Availity / Change Healthcare adapter stubs (PHI-blocked until BAA recorded), per-payer route overrides (pm_payer_clearinghouse_routes), and health-based failover with configurable threshold. Routing precedence (payer_override → primary → secondary) implemented as pure resolveVendorRoute() with unit tests. BAA gate enforced in FailoverSettingsCard against pm_clearinghouse_config.custom_fields.baa_approved_vendors. Audit controls: config saves emit failover_config_change; runtime route flips emit clearinghouse_route_failover via resolveVendorRouteWithAudit() (in-memory dedupe per org+payer; PHI-free). Tenant isolation: RLS test tests/rls/pm/pm-clearinghouse-failover.test.ts. Seed data: supabase/seeds/pm/pm-15-p2-en-01-test-data.sql. Evidence: docs/compliance/evidence/PM-15-P2-EN-01-HIPAA-EDI-FAILOVER-EVIDENCE.md. Sign-off: PM-15-P2-EN-01-COMPLIANCE-SIGNOFF.md. Follow-ups (logged in specs/pm/IMPLEMENTATION_LOG.md): mobile Sheet variant, shared <EmptyState />, server-side router audit when submission moves to edge functions, dedicated pm_clearinghouse_baa_approvals table. |
| HIPAA EDI / CMS COB / AHCCCS Crossover (X12 837P/837I COB segments; 42 CFR Part 411 MSP; AHCCCS crossover procedures) | Ongoing | ✅ Implemented | PM-30 (COB & Secondary Claims) | | | PM-30 implemented: COB priority order, secondary/tertiary 837P/837I claim generation with COB2300/COB2400 segments, Medicare–AHCCCS dual-eligible crossover routing, and secondary ERA posting. Completed 2026-03-27. MSP situation enumeration (42 CFR Part 411) deferred to post-MVP (see PM-30 Known Limitations). Two pending compliance sign-off items: (1) crossover_routing = 'manual' default acceptable for rollout; (2) MSP reason code not required in MVP COB segments. |
| HRSA FQHC Sliding Fee / Financial Counseling (42 USC § 254b; HRSA PIN 2014-02) | Ongoing | 📋 Specification | PM-32, PM-21 | | | PM-32 specifies the financial counseling workflow (income/FPL collection, assistance program referral tracking, charity care applications with board-approved policy tiers). PM-21 provides the sliding fee schedule and discount application. HRSA compliance features (income verification enforcement, annual review reminder) are configurable per org via PM-28. Pending: compliance officer HRSA and HIPAA review required before Phase 1 implementation. |
| CMS-0057-F (Prior auth APIs) | Jan 1, 2027 (Medicaid MC) | ⏳ Not Started | PM-10 | | | Continue manual/portal prior auth; implement Da Vinci CRD/DTR/PAS per PM-10 plan. |
| HTI-4 NCPDP SCRIPT 2023011 | Dec 31, 2027 | ⏳ Not Started | CL-06 | | | Use current Surescripts version; plan SCRIPT transition in CL-06. |
| AHCCCS Policy 320-O, 940 | Ongoing | 🟡 Partial | CL-02, CL-04, CL-04-EN-66 (canonical Policy 940 gate, 📋 Specification), CL-36 (AI-assisted note quality; delegates to EN-66 for Policy 940 validation, Phase 2, 📋 Specification); CL-40 (intake 18-element assessment + compliance dashboard, 📋 Specification); CL-55 (virtual group modifier/contingency documentation, 📋 Specification); PM-34 (eligibility at encounter, ✅ Complete); PM-41 (intake funnel analytics: AHCCCS 48-72h scheduling compliance report, ⏳ Not started / Draft / 0%) | | | Implement per CL specs; 18-element assessment and progress note elements required. PM-34 is implemented: encounter-level eligibility verification (AHCCCS Policy 940) with auto-trigger 270/271 at check-in (see specs/pm/IMPLEMENTATION_LOG.md PM-34). CL-04-EN-66 is the canonical pre-finalize Policy 940 validation: Phase 1 covers 6 high-risk elements; Phase 2 adds the remaining 6 categories (see CL-04-EN-66 Clarification #5). INSERT-only override audit; 6-year HIPAA retention; pf_organizations.ahcccs_contracted enforces FR-8. CL-55 uses PF-96/PF-70 for virtual group modifier suggestions (Arizona profile result 95 + HQ; non-Arizona/state-neutral profiles must not inherit AHCCCS constants) and requires contingency documentation before virtual group start. CL-36 delegates to EN-66 (or shared validatePolicy940) for Policy 940 validation; enforcement modes aligned; single org config. PM-41 is spec only (not implemented): planned AHCCCS AMPM 320-O lead-to-appointment latency reporting, configurable compliance window, and CSV export with exception reasons. Interim: no automated compliance audit from PM-41 until implementation; use manual reporting as needed. |
| HIPAA — Coverage Discovery Vendor BAA (45 CFR 164.502(e), 164.308(b)(1); 45 CFR 164.312(e)(2)(ii) TLS; 42 CFR Part 2 §2.31 no SUD context) | Before Phase 1 go-live | 📋 Specification | PM-60 (Coverage Discovery) | Compliance Officer / IT Security | | PM-60 sends patient PII (name, DOB, optional SSN) to the coverage discovery vendor (Waystar/pVerify/Inovalon). BAA must be signed before production traffic. SSN consent gated per PF-96 jurisdiction profile. No clinical/SUD context sent to vendor (42 CFR Part 2 defense in depth). Compliance sign-off: PM-60-COMPLIANCE-SIGNOFF.md. |
| HIPAA — AI Vendor BAA (45 CFR 164.502(e), 164.308(b)(1)) | Before Phase 1 go-live | ⏳ Not Started | CL-36, PM-64 | Compliance Officer | | BAA must be executed with any AI vendor receiving PHI before CL-36 Phase 1 or PM-64 Phase 1 deploys. PM-64 sends de-identified (Safe Harbor §164.514(b)(2)) note metadata to the LLM via AWS Bedrock (BAA available); fail-closed PHI redaction; no PHI to the LLM ever. Interim: no PHI sent to AI vendors until BAA and Phase 1 are in place. |
| HIPAA — AI Coding Assistant (45 CFR 164.312 Security; 164.514 De-identification; 42 CFR Part 2 §2.31 SUD consent; HHS healthcare AI guidance; NIST AI RMF) | Before Phase 1 go-live | 📋 Specification | PM-64 (AI Coding Assistant) | Compliance Officer / Security / IT | | PM-64 AI-powered coding assistant: PHI-redacted (Safe Harbor 18 identifiers) note metadata to LLM; fail-closed redaction; suggest-not-execute mandate; immutable audit trail (DELETE forbidden, 7-year retention); SUD consent check (FR-009, 42 CFR Part 2 §2.31); fairness monitoring (PM-50-EN-01); jurisdiction-specific coding rules via PF-96. Tables: pm_ai_coding_suggestions, pm_ai_coding_suggestion_audits. Compliance sign-off: PM-64-COMPLIANCE-SIGNOFF.md. |
| HIPAA — Telehealth Vendor BAA (45 CFR 164.502(e), 164.308(b)(1), 164.312(e)) | Before PHI-bearing telehealth go-live | 🟡 Partial / Pending sign-off | PM-13, CL-55 | Security / Compliance Officer | | PM-13 owns telehealth vendor configuration, durable join URLs, session lifecycle, and platform credentials. CL-55 may link UUID-only PM-13 session references but must not enable PHI-bearing virtual group or multi-party video workflows until vendor BAA coverage and encrypted transmission controls are verified in specs/cl/reviews/CL-55-COMPLIANCE-SIGNOFF.md. Interim: do not use unverified telehealth vendors for CL-55 PHI-bearing sessions. |
| Joint Commission CAMBHC | Survey cycle | 🟡 Partial | CL-01, CL-07, CL-07-EN-01, CL-55, etc. | | | Align documentation and safety (NPSG.15.01.01) per CL specs. CL-07-EN-01 adds Zero Suicide Framework lethal means assessment and safety plan sharing per NPSG.15.01.01. CL-55 adds virtual group technology contingency, backup site, and emergency contact verification requirements. |
| HTI-2 TEFCA | Emerging (2027) | ⏳ Not Started | CL-16, CL-16-EN-01 | | | TEFCA/QHIN enhancement scoped in CL-16-EN-01; continue CL-16 baseline interoperability controls until TEFCA transport and policy gates are implemented. |
| 42 CFR Part 8 (OTP) | Ongoing | ✅ Core Complete; event consumers pending; PM-31 billing 📋 Specification; CL-34 UDS workflow 📋 Specification; CL-55 virtual OTP group documentation 📋 Specification | CL-21, CL-34, CL-55, PM-31 | | | MAT implemented; event consumers (cl_moud_monitoring_overdue, cl_moud_adherence_risk) pending (see High-priority event consumers below). Full OTP standards via enhancement EN-51 (CL-21). CL-34 adds a dedicated UDS workflow with chain of custody (§8.12(f)(1): ≥8 tests/year/patient), presumptive/definitive ordering, and OTP rolling-year count reporting (Phase 3). CL-55 documents OTP-relevant virtual group modality, participant evidence, and contingency requirements when the virtual group is OTP-related. PM-31 adds OTP/MAT-specific billing (G2067–G2080, G2215/G2216, H0020, T1012; Medicare + AHCCCS billing periods); status: 📋 Specification. Compliance sign-off: PM-31-COMPLIANCE-SIGNOFF.md. |
| AHCCCS IAD dual-track | Ongoing | 🟡 Partial | CL-15, CL-15-P2-3 (Phase 2.1) | | | AZDHS deadlines implemented (Phase 1); AHCCCS Policy 961 dual-track specified in CL-15 Phase 2.1 (CL-15-PHASE-2-3-EXPANSION.md): org-configurable track selection (AZDHS/AHCCCS/dual), business-day definitions, sentinel classification. Compliance sign-off: specs/cl/reviews/CL-15-PHASE-2-3-COMPLIANCE-SIGNOFF.md. |
| NCQA HEDIS FUH/FUM (Follow-Up After Hospitalization / ED Visit for Mental Illness, MY 2025) | 2026-03-31 17:00 MST (submission) | 📋 Specification (plan + tasks ready; implementation not started) | CL-29-EN-65, CL-15, CL-35 | Quality Team / Revenue Cycle | 2026-03-24 12:00 MST | Final MY 2025 reporting deadline: June 15, 2026 (9:00 PM ET). 42 CFR Part 2 implementation: 0% until consent/QSOA logic is enforced and verified. Spec status: spec complete; plan (CL-29-EN-65-PLAN.md) and tasks (CL-29-EN-65-TASKS.md) ready; 13 tasks across 4 phases; estimated ~9 days effort. Interim: (1) June 1 plan-locked data snapshot; audit-ready manual extraction methodology. (2) Confirm HOQ (Healthcare Organization Questionnaire) submission with Revenue Cycle/Contracts (Feb 6, 2026 window). (3) Enforce Part 2 compliance before payer-facing export. Manual HEDIS FUH/FUM extraction for Q1 2026 AHCCCS VBP. ⚠️ 42 CFR Part 2 review required before enabling payer-facing SUD-diagnosis-based export (authorization or QSOA). Spec: CL-29-EN-65. |
| Psychotherapy notes (HIPAA 45 CFR 164.501) | Ongoing | ⏳ Not Started | CL-30 (proposed) | | | Do not document psychotherapy process notes in the EHR; maintain separate locked paper/electronic files with restricted access and exclusion from exports until CL-30 is implemented. Enforced by: Compliance/Privacy Officer. |
| 21 CFR Part 1304 (Controlled substance recordkeeping) | Ongoing | ✅ Compliant | CL-06 EN-21 | | | Implemented via the cl_controlled_substance_inventory table: Schedule II–V tracking, transaction types (receive/dispense/adjust/count/return/destroy), witness requirement for Schedule II dispensing, lot/expiration tracking, audit trail. Route: /cl/controlled-substances. |
| 21 USC § 827 / DEA ARCOS (Automation of Reports) | Ongoing | ✅ Compliant | CL-06 EN-22 | | | Implemented via cl_arcos_report_view mapping inventory transactions to ARCOS categories (Receipt/Distribution/Return to Supplier/Destruction). CSV export with date range filter, permission-gated to cl.inventory.admin, audit-logged to pf_audit_logs. |
| Telehealth compliance | Ongoing | 🟡 Partial | CL-24 (proposed), CL-55 (virtual group / multi-party telehealth, 📋 Specification), PM-13 (session lifecycle) | | | Basic modality in CL-04; full compliance via proposed CL-24. CL-55 extends telehealth controls to virtual groups and multi-party encounters while PM-13 owns vendor/session lifecycle, durable join URLs, platform credentials, and the BAA boundary. Interim: manually document virtual group modality, contingency plan, and recording consent until CL-55 ships; do not store durable join URLs or recording URLs in CL tables. |
| Arizona recording notice / ARS 13-3005 | Per recording | 📋 Specification / Pending sign-off | CL-55, CE-10 | Compliance / Privacy Officer | | CL-55 requires ARS 13-3005 recording notice language and participant sign-off evidence for virtual group recordings, but final user-facing copy remains pending in specs/cl/reviews/CL-55-COMPLIANCE-SIGNOFF.md. Interim: do not enable CL-55 recording unless notice/sign-off evidence is manually documented and approved by compliance/privacy. |
| Information blocking (21st Century Cures) | Ongoing | Escalated / In Progress | CL-16, CL-26, CL-48 (C-CDA document generation and Direct messaging transmission to external providers; Part 2 SUD exclusion documented as §171.202 privacy exception; 📋 Specification) | Compliance / Health Information | 2026-06-30 | Risk: potential civil penalties and CMS implications if blocking occurs. Interim: manual approval workflow for patient data requests; designate a point of contact (e.g. ROI/Health Information); provide/redact data per request (paper, secure portal, or encrypted copy) until FHIR/portal are live. Document requests and fulfillment. CL-48 planned: C-CDA generation provides machine-readable document exchange via Direct messaging; Part 2 SUD data exclusion is a recognized privacy exception per 45 CFR §171.202. |
| Restraint/seclusion (42 CFR 482.13(e)) | Ongoing | ⏳ Not Started | CL-13 | | | Interim: staff must document every restraint/seclusion on facility forms; retain records per state/facility policy (e.g. 5+ years). Report incidents per facility policy to designated contacts (e.g. Risk Management, state survey agency). Implement CL-13 Crisis Intervention Documentation when the spec is implemented. |
| TCPA / FDCPA / PCI DSS — Patient Collections (47 USC § 227 automated SMS; 15 USC § 1692 debt collection; PCI DSS SAQ-A) | Ongoing | 📋 Specification | PM-45 (Patient Payment Plans & Collections) | Revenue Cycle / Compliance | | PM-45 specifies TCPA-compliant opt-out tracking (pm_patient_communication_preferences), FDCPA-required notice content per aging tier, and PCI compliance (no card data in PM-45 tables; tokenized payment method references only). Pending: FDCPA notice template content review by the compliance officer before collections reminders are enabled. Compliance sign-off: PM-45-COMPLIANCE-SIGNOFF.md. |
| No Surprises Act / Good Faith Estimate | January 1, 2022 | ✅ Complete | PM-20 | Revenue Cycle | 2026-02-28 | GFE generation from appointment type + CPT + fee schedule; 1/3-business-day delivery compliance; acknowledgment tracking; $400+ dispute workflow. Implemented 2026-02-28. |
| HIPAA — PF PHI-bearing tables | Ongoing | ✅ Compliant | PF-71 | | | pf_patient_identities stores MRN (HIPAA PHI per 45 CFR 164.514). Protected by org-scoped RLS (pf_has_org_access), admin-only DELETE (pf_is_org_admin), and audit columns (created_by/updated_by). Data minimization: only id + org_id + mrn stored. |
| HIPAA Security Rule — Contingency Plan (45 CFR 164.308(a)(7): backup, disaster recovery, emergency mode, testing) | Ongoing | ⏳ Not Started | PF-90 (DR & BCP) | Platform / Compliance | | Interim: rely on Supabase project backups and provider runbooks; document manual recovery steps. Target: PF-90 application-layer RTO/RPO policies, encrypted offsite artifacts, tenant-scoped restore workflows, quarterly drills, and compliance evidence packages. Integration: PF-90 Integration. |
| Multi-State Medicaid Compliance (state-specific Medicaid rules for CL/PM) | Ongoing | 📋 Specification | PF-96 (Medicaid State Compliance Configuration); CL-55 consumer | Platform / Compliance | — | Current state: AHCCCS (Arizona Medicaid) is hardcoded as the only Medicaid profile. CL/PM behavior, UI labels, filing deadlines, assessment requirements, and billing rules assume Arizona. Target: PF-96 jurisdiction profile system with state-specific rule packs (clinical, billing, compliance) inheriting from a federal baseline. Org-level and site-level profile assignment enables multi-state operations. Arizona ships as the first fully defined profile with zero regression. CL-55 consumer requirement: virtual group modifier suggestions must resolve through PF-96/PF-70; Arizona 95 + HQ is a profile result, not a universal constant. |
| CL-35 Population Health & Care Gap Management (AHCCCS VBP; NCQA HEDIS AMM/IET; CMS MA STARS BH; SAMHSA CCBHC; CARF; HIPAA Privacy 45 CFR 164.514(b); 42 CFR Part 2) | Ongoing | ✅ Implemented | CL-35 (Population Health); FUH/FUM consumed from CL-29-EN-65 | CL / Quality Team | — | AHCCCS VBP: population dashboards + cl-vbp-export CSV with required aggregate columns (org/measure/period/denominator/numerator/rate). NCQA HEDIS: AMM/IET implemented per MY 2026 thresholds (84/180/14/2 days), versioned JSON seed definitions under supabase/seeds/cl_hedis_measure_definitions/, calculator edge function cl-hedis-calculator UPSERTs into cl_quality_measure_periods and emits cl_quality_measure_period_calculated. FUH/FUM owned by CL-29-EN-65 (no duplicate logic). CMS MA STARS: separate MA_STARS variants in seed files; Quality Measures page renders a dedicated MA STARS tab. SAMHSA CCBHC: systematic care gap work list, clinician panels, supervisor view, proactive identification of overdue assessments / missing follow-ups / due screenings. CARF: aggregate population dashboard with risk-tier distribution and outcome trends for data-driven program evaluation. HIPAA Privacy: applySmallCellSuppression (n < 5 → <5) on every aggregate hook and edge function; CSV export contains no chart_id/patient_id/mrn; logger sanitization verified statically. 42 CFR Part 2: calculateRiskScore excludes the MOUD component and proportionally redistributes its weight when cl_check_sud_consent is false; MOUD is never exposed as a dashboard disaggregation dimension. Tests: 30 + integration tests under tests/integration/cl/cl35-compliance-*.test.ts. User guide: docs/cl/population-health-user-guide.md. Admin guide: docs/cl/population-health-admin-guide.md. Integration: CL-35, CL–FA VBP, CL–FW Events. |
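The PM-15-P2-EN-01 row above names the routing precedence (payer_override → primary → secondary), the BAA gate, and health-based failover but does not show them together. The following is an added illustration, not Encore's resolveVendorRoute() or any code from the project: the type names, the threshold semantics (failure fraction over a health window), the "no observations means healthy" default, and the rule that a BAA-blocked or unhealthy payer override falls through to primary/secondary are all assumptions made here. The security-relevant ordering is that the BAA gate is checked before health, so a vendor without a recorded BAA can never be selected for PHI traffic no matter how the routes are configured.

```typescript
// Added example (not Encore's code). Illustrates payer_override -> primary -> secondary
// route resolution with a BAA gate and health-based failover; names and rules are assumptions.

export type Vendor = "waystar" | "availity" | "change_healthcare";

export type ClearinghouseConfig = {
  primary: Vendor;
  secondary: Vendor | null;
  // Assumed semantics: failures / requests in the health window at or above this
  // fraction marks the vendor unhealthy.
  failoverErrorThreshold: number;
  // Stands in for pm_clearinghouse_config.custom_fields.baa_approved_vendors.
  baaApprovedVendors: Vendor[];
};

export type VendorHealth = { vendor: Vendor; windowRequests: number; windowFailures: number };

export type RouteDecision = {
  vendor: Vendor | null;
  reason: "payer_override" | "primary" | "secondary_failover" | "none";
  // PHI-free audit lines: payer id, vendor names and causes only, never claim or patient data.
  audit: string[];
};

function isHealthy(stats: VendorHealth | undefined, threshold: number): boolean {
  // Assumption: a vendor with no observations in the window is treated as healthy.
  if (!stats || stats.windowRequests === 0) return true;
  return stats.windowFailures / stats.windowRequests < threshold;
}

export function resolveVendorRoute(
  cfg: ClearinghouseConfig,
  health: VendorHealth[],
  payerId: string,
  payerOverride: Vendor | null = null,
): RouteDecision {
  const audit: string[] = [];
  const approved = new Set<Vendor>(cfg.baaApprovedVendors);
  const candidates: Array<[Vendor, RouteDecision["reason"]]> = [];
  if (payerOverride) candidates.push([payerOverride, "payer_override"]);
  candidates.push([cfg.primary, "primary"]);
  if (cfg.secondary) candidates.push([cfg.secondary, "secondary_failover"]);

  const seen = new Set<Vendor>();
  for (const [vendor, reason] of candidates) {
    if (seen.has(vendor)) continue; // override equal to primary/secondary: evaluate once
    seen.add(vendor);
    // BAA gate first: a vendor without a recorded BAA must never receive PHI,
    // regardless of health or of how the payer override was configured.
    if (!approved.has(vendor)) {
      audit.push(`payer=${payerId} skip=${vendor} cause=no_baa`);
      continue;
    }
    if (!isHealthy(health.find((h) => h.vendor === vendor), cfg.failoverErrorThreshold)) {
      audit.push(`payer=${payerId} skip=${vendor} cause=unhealthy`);
      continue;
    }
    audit.push(`payer=${payerId} route=${vendor} reason=${reason}`);
    return { vendor, reason, audit };
  }
  // Fail closed: no eligible vendor means the claim is held, not sent to a gated vendor.
  audit.push(`payer=${payerId} route=none`);
  return { vendor: null, reason: "none", audit };
}
```

The per-org+payer audit dedupe the page mentions for resolveVendorRouteWithAudit() is left out here; the audit array shows what such an emitter would have to log while staying PHI-free.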
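The CL-35 row above describes three privacy controls by name: small-cell suppression on aggregates (n < 5 → "<5"), a risk score that drops the MOUD component and redistributes its weight when SUD consent is inactive, and a VBP CSV export that carries no chart_id/patient_id/mrn. The block below is an added example of what those controls look like together, not Encore's applySmallCellSuppression, calculateRiskScore or cl-vbp-export code. The component weights, the complementary-suppression rule (masking a numerator whose complement is also below 5, which goes beyond the page's stated n < 5 rule) and the refuse-on-forbidden-key behaviour of the exporter are choices made here and are labelled as such in the comments.

```typescript
// Added example (not Encore's code). Aggregate privacy helpers in the spirit of the
// CL-35 row: small-cell suppression, consent-gated risk weighting, PHI-free export.

export type Aggregate = { org: string; measure: string; period: string; denominator: number; numerator: number };
export type Cell = number | "<5";
export type SuppressedAggregate = {
  org: string; measure: string; period: string;
  denominator: Cell; numerator: Cell;
  rate: number | null; // null whenever any count is suppressed, so the rate cannot back out the count
};

const MIN_CELL = 5; // page rule: n < 5 -> "<5"

export function applySmallCellSuppression(a: Aggregate): SuppressedAggregate {
  const base = { org: a.org, measure: a.measure, period: a.period };
  if (a.denominator < MIN_CELL) {
    return { ...base, denominator: "<5", numerator: "<5", rate: null };
  }
  // Complementary suppression (added here, beyond the page's rule): 19 of 20 exposes the
  // single non-numerator patient just as 1 of 20 exposes the single numerator patient.
  const complement = a.denominator - a.numerator;
  if (a.numerator < MIN_CELL || complement < MIN_CELL) {
    return { ...base, denominator: a.denominator, numerator: "<5", rate: null };
  }
  return { ...base, denominator: a.denominator, numerator: a.numerator, rate: a.numerator / a.denominator };
}

// Risk score = weighted sum of component values normalised to [0, 1]. Weights are assumed.
export const RISK_WEIGHTS: Record<string, number> = {
  missed_follow_up: 0.4,
  overdue_assessment: 0.3,
  moud_nonadherence: 0.3, // the 42 CFR Part 2 sensitive component
};
const MOUD_COMPONENT = "moud_nonadherence";

// When SUD consent is not active the MOUD component is dropped and its weight is spread
// proportionally over the remaining components, so the score neither uses nor leaks MOUD data.
export function calculateRiskScore(
  values: Record<string, number>,
  sudConsent: boolean,
  weights: Record<string, number> = RISK_WEIGHTS,
): number {
  const active = Object.entries(weights).filter(([k]) => sudConsent || k !== MOUD_COMPONENT);
  const total = active.reduce((sum, [, w]) => sum + w, 0);
  let score = 0;
  for (const [k, w] of active) {
    const v = values[k] ?? 0;
    if (v < 0 || v > 1) throw new RangeError(`component ${k} must be in [0, 1]`);
    score += (w / total) * v; // w / total equals w when every component is active and weights sum to 1
  }
  return score;
}

// Export only the aggregate columns the page lists, and refuse (rather than silently drop)
// patient-level keys so a misuse of the exporter fails loudly instead of writing PHI to CSV.
const EXPORT_COLUMNS = ["org", "measure", "period", "denominator", "numerator", "rate"] as const;
const FORBIDDEN_KEYS = new Set(["chart_id", "patient_id", "mrn"]);

export function toVbpCsvLine(row: Record<string, unknown>): string {
  for (const key of Object.keys(row)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to export patient-level key: ${key}`);
  }
  return EXPORT_COLUMNS.map((c) => {
    const v = row[c];
    return v === null || v === undefined ? "" : String(v);
  }).join(",");
}
```

Suppressing the rate together with the count matters: with the denominator published, a rate of 0.05 on 20 patients is the numerator 1 in disguise.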

High-priority event consumers (patient safety / compliance)

| Item | Responsible Spec | Status | Owner | Target date | Notes |
| --- | --- | --- | --- | --- | --- |
| cl_moud_monitoring_overdue | CL-21 | ⏳ No consumer | Engineering / CL | 2026-05-31 | Implement a reliable consumer/alerting path (test cases, monitoring/SLAs); cron or event consumer; verify in REGULATORY_COMPLIANCE_TRACKER and ARCH-NOTES. |
| cl_moud_adherence_risk | CL-21 | ⏳ No consumer | Engineering / CL | 2026-05-31 | Same as above; prioritize with cl_moud_monitoring_overdue. |
| cl_assessment_completed (PM-07) | CL-02, PM-07 | ⏳ Consumer not verified | PM / Billing | 2026-06-30 | Next priority after MOUD events; verify the consumer for charge capture; prevents silent charge-capture failures. |
| cl_group_session_documented (PM-07) | CL-14, CL-14-EN-01, PM-07 | 🟡 CL-14-EN-01 adds new subscriber for encounter generation; PM-07 consumer TBD | PM / Billing | 2026-06-30 | CL-14-EN-01 subscribes to cl_group_session_documented for encounter generation; PM-07 consumer still needs verification. Event name corrected from cl_group_session_completed per CL-PM-GROUP-SESSIONS.md contract. |

HR module — Human Resources Workforce Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: HR_WORKFORCE_COMPLIANCE_TRACKING.md. FCRA/TCPA gates: FCRA_TCPA_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| FLSA (minimum wage, overtime, classification) | Ongoing | 🟡 Partial | HR-05, HR-07, HR-29 | | | Time tracking and payroll in place; HR-29 provides the FLSA classification engine (exempt/non-exempt per 29 CFR 541), duties test documentation, salary threshold monitoring, reclassification workflow, and DOL audit reports. Arizona minimum wage tracking needed in HR-07. |
| Arizona Wage Payment Act (ARS 23-353 final pay) | Ongoing | 🟡 Partial | HR-30 | | | HR-30 specifies final-paycheck automation and deadline tracking per ARS 23-353 (7 working days involuntary; next payday or 3 working days after demand for voluntary). |
| Arizona Earned Paid Sick Time (ARS 23-371) | Ongoing | ⏳ Not Started | Pending spec | | | Interim: track accrual manually; implement a dedicated spec/workflow for ARS 23-371 accrual and usage tracking. |
| FMLA (family/medical leave) | Ongoing | ⏳ Not Started | HR-06 | | | Interim: track FMLA requests manually; maintain eligibility records (12 months / 1,250 hours). Implement HR-06 leave management for automated eligibility and tracking. |
| ERISA / COBRA (benefits, continuation coverage) | Ongoing | ⏳ Not Started | HR-11 | | | Interim: benefits administered externally; COBRA notices managed by the TPA. Implement the HR-11 benefits module for tracking. |
| ACA employer mandate (1095-C, FTE tracking) | Annual (Jan 31) | ⏳ Not Started | HR-11 | | | Interim: FTE count managed via payroll; 1095-C prepared by the benefits administrator. |
| I-9 / E-Verify (employment eligibility) | Within 3 days of hire | 🟡 Partial | HR-01, HR-03, HR-26 | | | Interim: HR-03 EN-3 implements I-9/W-4 forms in onboarding; E-Verify integration pending (HR-26). Manual E-Verify submission per the Arizona mandate (ARS 23-214) until the integration is live. |
| FCRA (background checks) | Per hire | 🟡 Partial | HR-09, HR-09-P5 | | | Detailed tracking in FCRA_TCPA_COMPLIANCE_TRACKING.md. Checkr integration designed; sign-off gates pending. |
| TCPA (SMS consent) | Per message | 🟡 Partial | HR-09-P5 | | | Detailed tracking in FCRA_TCPA_COMPLIANCE_TRACKING.md. Consent framework designed; sign-off gates pending. |
| EEOC / Title VII / ADA / GINA (anti-discrimination) | Ongoing | 📋 Policy | HR-01, HR-14, HR-14-ENHANCEMENTS (HR-14 EN-1), HR-09-ENHANCEMENTS (HR-09 EN-1) | | | Organizational policy; hiring workflows in HR-01. HR-14 EN-1 (when implemented): ADA interactive process, accommodations, and HIPAA-aligned medical file handling per spec. HR-09 EN-1: structured interview scorecards for documented, consistent selection criteria (Uniform Guidelines). EEO-1 data export for applicable employers. |
| HIPAA Privacy Rule — workforce training documentation (45 CFR 164.530(b)) | Ongoing | ⏳ Not Started | HR-31, HR-03 | | | Interim: paper sign-off or LMS exports. Target: HR-31 electronic acknowledgments, versioning, audit exports. See HR_WORKFORCE_COMPLIANCE_TRACKING.md §3.3. |
| OSHA / ADOSH (workplace safety) | Ongoing | ⏳ Not Started | HR-01 (incidents), HR-31 (policy acknowledgments) | | | Interim: manual OSHA 300 log; safety programs per ADOSH requirements. Implement incident tracking in HR-01. HR-31 provides acknowledgment evidence for safety-related HR policies (complements operational programs). |
| Credentialing (state licensure, NPI, payer, AZ fingerprint clearance) | Ongoing | 🟡 Partial | HR-02, HR-28 | | | Credential tracking in HR-02; AZ fingerprint clearance (ARS 36-425.03): HR-28. Payer credentialing and other gaps remain tracked under HR-02. |
| Workers' compensation (ARS 23-961) | Ongoing | 📋 External | HR-11 | | | Insurance carrier manages claims; the system tracks incident data. |
| IRS worker classification / 1099-NEC (independent contractors) | Ongoing (tax year reporting Jan 31) | ⏳ Not Started | HR-34, HR-PAY-04 | | | Interim: maintain IC agreements, factor tests, and W-9s outside the system; finance aggregates pay for 1099-NEC per existing FA-10/HR processes. Target: HR-34 for contractor records, classification documentation, and approved time → HR-PAY-04 for 1099-NEC inputs. See HR-34 spec. |

RH module — Recovery Housing Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: RH_RECOVERY_HOUSING_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| Arizona DHS sober living home licensure (ARS 36-2062, AAC Title 9 Ch 12) | Before operation | 🟡 Partial | RH-06, RH-01 | | | License application and renewal tracked in RH-06; inspection tracking partial. Distinct from BHRF below: sober living is non-clinical recovery housing. |
| Arizona BHRF licensure (A.A.C. R9-10-701 to R9-10-722, adult subclass) | Before operation / per AZDHS renewal cycle | ⏳ Not Started | CL-68 (clinical residential lifecycle), GR-27 (facility licensure, staffing minimums, incident timeframes, retention), PM-74 (per-diem billing & BHRF prior authorization) | | | BHRF is a licensed clinical residential level of care, distinct from recovery housing. Clinical lifecycle (15-day comprehensive assessment, LOC at admission, treatment-plan cadence, restraint linkage, discharge) reuses CL-02/03/04/13-EN-01/29 via CL-68. Licensure, staffing (awake/on-call/BHP/RN/clinical director ≥10), incident timeframes (death 1 working day, self-injury 2 working days, abuse immediate per ARS 46-454/13-3620, sentinel 6 hours, restraint injury 24 hours) and retention (adult 6 years, A.R.S. § 12-2297) in GR-27. Per diem (H0018/H0019/T2048, POS 56) + AHCCCS 5-day urgent exemption + continued-stay PA in PM-74. Cross-core lifecycle: CL-GR-PM-BHRF-EPISODE-LIFECYCLE. State-variable values via PF-96. Interim: manual licensure/clinical-timeliness/per-diem tracking until the specs are implemented. |
| NARR National Standard 3.0 (Levels I–IV) | Ongoing | ⏳ Not Started | RH-01, RH-05, RH-11 | | | Interim: self-classify recovery homes per NARR levels; document governance structure. AzRHA certification recommended. Spec: RH-11. |
| Fair Housing Act (disability, group homes) | Ongoing | 📋 Policy | RH-01, RH-02 | | | Organizational policy; the system must not discriminate in waitlist/placement. Reasonable accommodation tracking needed. |
| Fire and life safety (local codes, NFPA) | Ongoing | ⏳ Not Started | RH-01, RH-06, RH-10 | | | Interim: manual fire inspection tracking per property; ensure posted evacuation plans and working detectors. Spec: RH-10. |
| Arizona Title 36 (patient rights, grievances) | Ongoing | 📋 Policy | RH-09, RH-02 | | | Resident rights via residency agreements; grievance workflow: RH-09. |
| HIPAA / 42 CFR Part 2 (resident SUD data) | Ongoing | 🟡 Partial | CL-11, RH-04, RH-04-EN-4 | | | CL-11 consent management covers Part 2; UDS access controls: RH-04-EN-4. |
| Zoning compliance (per property) | Before operation | ⏳ Not Started | RH-01 | | | Interim: zoning attestation provided at DHS licensing; track per property. |

FA module — Finance & Accounting compliance

Status: Tracked below. Detailed deadlines, spec mapping, and authoritative references: FA_FINANCIAL_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| IRS 1099-MISC/NEC (vendor payments) | Jan 31 annually | 🟡 Partial | FA-10 (85%) | | | Generate forms via FA-10; file on paper or use IRS FIRE/IRIS once the e-file enhancement is implemented. Ensure W-9 collection per FA-03. |
| IRS W-2 (employee wages) | Jan 31 annually | 🟡 Partial | FA-10 + HR-07 | | | Generate W-2 via FA-10 from HR-07 payroll data; distribute to employees by Jan 31. File with SSA per the current process until e-file is live. |
| IRS Form 941 (quarterly payroll tax) | Quarterly (last day of the month after the quarter) | 🟡 Partial | FA-10 | | | Prepare 941 from FA-10/HR-07 data; file and pay by the deadline. Use IRS e-file once the enhancement is implemented. |
| IRS Form 940 (annual FUTA) | Jan 31 annually | 🟡 Partial | FA-10 | | | Prepare 940 from payroll data; file by Jan 31. |
| FASB ASC 958 (nonprofit financial statements) | Ongoing (annual audit) | ✅ Compliant | FA-23 | | | Use FA-23 Statement of Financial Position, Statement of Activities, Statement of Functional Expenses; FA-07 for trial balance and fund-based reporting. |
| GAAP revenue timing / multi-period & deferred revenue | Ongoing (month close, audit) | ⏳ Not Started | FA-18 | | | Interim: manual recognition schedules and journal entries; reconcile deferred balances outside the module. Target: FA-18 straight-line schedules, period recognition runs, GL linkage, and audit trail. See FA_FINANCIAL_COMPLIANCE_TRACKING.md §2. |
| OMB Uniform Guidance (2 CFR 200) | Ongoing (grant lifecycle) | ⏳ Not Started | FA-13 (spec only) | | | Interim: track grant budgets and expenditures in spreadsheets or external tools; document allowable costs and procurement per 2 CFR 200. Implement FA-13 (Project Accounting & Grant Tracking) for system support. |
| Single Audit (2 CFR 200 Subpart F) | Annual (if federal awards expended exceed $1,000,000; the 2024 Uniform Guidance revision to 2 CFR 200.501 raised the threshold from $750,000 for fiscal years beginning on or after Oct 1, 2024) | ⏳ Not Started | No spec | | | Interim: prepare the Schedule of Expenditures of Federal Awards (SEFA) and support the single audit via the external auditor and manual data export until a dedicated spec is implemented. |
| Federal Financial Report (FFR/SF-425) | 90 days after budget period; 120 days final | ⏳ Not Started | FA-13 (data support) | | | Interim: prepare from project/GL data; submit via PMS. Implement FA-13 to improve data availability. |
| Financial internal controls (SOX-analogous) | Ongoing | ⏳ Not Started | FA-25 (spec only) | | | Interim: enforce segregation of duties via role assignments; retain the GL audit trail (FA-02 append-only ledger). Implement the FA-25 audit log viewer, segregation-of-duties report, and export-to-auditor when the spec is implemented. |
| IRS Form 990 data preparation | Annual (May 15 for calendar-year filers) | 📋 Out of scope | FA-10 (deferred) | | | Tax return preparation (990) handled by an external CPA. Functional expense categorization (Program/G&A/Fundraising) supported in FA-23 as 990 reporting input. |
| State nonprofit (Arizona) | Ongoing | 📋 N/A | No spec | | | Arizona Corporation Commission annual report: file by the formation anniversary date (ARS 10-11622). Include directors/officers, principal office, activities, certificate of disclosure, and a statement that tax returns have been filed. Extension of up to 6 months available. Use org profile/board data for content; no system automation. See azcc.gov and ARS 10-11622. |

GR module — Governance & Risk Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: GR_GOVERNANCE_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| CARF Behavioral Health accreditation | Survey cycle | ⏳ Not Started | GR-08, CL-10, CL-15, CL-15-P2-3 (Phase 3.3) | | | Interim: Manual survey preparation; policy library and QIP outside the system. Implement GR-08 for survey readiness. CL-15 Phase 3.3 adds a CARF survey readiness dashboard with pre-survey checklist and readiness scoring (consumes GR-08 data via the platform layer). |
| Joint Commission CAMBHC accreditation | Survey cycle | ⏳ Not Started | GR-08, CL-07, CL-15 | | | Interim: Manual NPSG compliance tracking; tracer preparation outside the system. |
| NCQA HEDIS behavioral health measures | Annual | ⏳ Not Started | CL-15, CL-10, CL-15-P2-3 (Phase 3.2) | | | Interim: Manual measure calculation; implement CL-15 reporting for automated HEDIS calculation. CL-15 Phase 3.2 adds automated QM calculation from CL-10 outcomes for HEDIS/CARF measures (FUH, FUM, IET, AMM). Part 2 consent gating required for IET/SUD measures per compliance sign-off. |
| SAMHSA NOMs (National Outcome Measures) | Per grant | ⏳ Not Started | CL-10 | | | Interim: Manual outcome data collection and reporting per grant requirements. |
| Arizona mandatory reporting (ARS 46-454, ARS 13-3620) | Immediately upon knowledge | 📋 Specification | GR-09 (intake), GR-14 (automation), GR-08, CL-13 | | | Interim: Staff trained on mandatory reporting obligations; manual reporting to APS/DCS/law enforcement. GR-09 provides incident intake; GR-14 automates obligation creation and deadline tracking. |
| AHCCCS critical incident reporting (AMPM 1620-O) | Per policy timeline (verbal: 8 business hrs, written: 40 business hrs) | 📋 Specification | GR-09 (intake), GR-14 (automation) | | | Interim: Manual AHCCCS critical incident reporting per policy. GR-09 captures the incident; GR-14 generates the AHCCCS report package with a business-day deadline calculator. |
| Nonprofit governance (SOX whistleblower/document retention, COI) | Ongoing | ⏳ Not Started | GR-03 | | | Interim: Board maintains policies manually; whistleblower and COI policies in place per IRS best practice. |

IT module — Information Security Compliance

Status: Tracked below. Detailed requirements, spec mapping, and authoritative references: IT_SECURITY_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| HIPAA Security Rule (45 CFR 164 Subpart C) | Ongoing | 🟡 Partial | IT-05, PF-30, PF-01, PF-40 | | | Auth (PF-01), RBAC (PF-30), audit logging (PF-40), TLS in place. Risk analysis, training, incident response, and contingency planning needed. |
| HITECH Act (breach notification) | Within 60 days of breach | ⏳ Not Started | IT-05, PF-44 | | | Interim: Manual breach assessment and notification. Implement the IT-05 breach response workflow. |
| NIST CSF 2.0 (cybersecurity framework) | Best practice | ⏳ Not Started | IT-05 | | | Interim: Align the security program with NIST CSF functions; formal maturity assessment needed. |
| CIS Controls v8 (critical security controls) | Best practice | 🟡 Partial | IT-05 | | | Some controls in place (access management, data protection); formal CIS assessment needed. |
| Arizona ARS 18-552 (data breach notification) | 45 days from breach | 📋 HIPAA exemption | IT-05 | | | HIPAA-covered entities following HIPAA breach rules are exempt; ensure HIPAA compliance. |
| SOC 2 Type II | If required by customers | ⏳ Not Started | IT-05 | | | Interim: Evaluate need based on payer/customer requirements. Supabase has SOC 2; Encore Health OS readiness pending. |
| PCI DSS (if payment processing) | Ongoing | 📋 Assessment needed | IT-05 | | | Interim: If using Stripe tokenization, SAQ-A scope; assess and document. |
| OAuth/API credentials at rest (HIPAA §164.312) | Before production go-live | ⏳ Deferred (E-2) | IT-05, FA-30, CE-07, HR-09, CE-03 | | | Tracking (Security Audit F4): fa_ramp_connections (access_token, refresh_token), ce_email_accounts (OAuth tokens), hr_job_board_integrations (API keys), ce_ringcentral_subscriptions (webhook tokens) currently store credentials as plaintext TEXT. Supabase Vault is installed; a migration plan exists but implementation is deferred. Interim: Restrict access via RLS; no new plaintext credential columns. Target: migrate to vault.create_secret() and store only vault secret IDs in tables. |
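The Security Audit F4 finding in the last row above, carried through as an added SQL example that is not Encore Health OS code or its migration plan: the flagged plaintext fa_ramp_connections columns, a migration of the stored tokens into Supabase Vault, and the post-migration write path. The secret-id column names, the fa_store_ramp_connection helper and the org_id JWT claim are assumptions for illustration.

```sql
-- Added example (not Encore Health OS code or its migration plan): the plaintext
-- credential shape flagged in Security Audit F4, migrated to the Supabase Vault
-- target. Secret-id column names, the helper and the org_id claim are assumed.

-- BEFORE: what the audit flagged. Any role with SELECT on the table, and any
-- backup or log dump of it, exposes live OAuth tokens.
create table fa_ramp_connections (
  id            uuid primary key default gen_random_uuid(),
  org_id        uuid not null,
  access_token  text,   -- plaintext credential
  refresh_token text    -- plaintext credential
);

-- STEP 1: add columns that hold only Vault secret ids, never token material.
alter table fa_ramp_connections
  add column access_token_secret_id  uuid,
  add column refresh_token_secret_id uuid;

-- STEP 2: move each existing token into Vault. vault.create_secret() encrypts
-- the value and returns its uuid; names must be unique, hence the row id suffix.
update fa_ramp_connections c
set access_token_secret_id  = vault.create_secret(c.access_token,  'fa_ramp_access_'  || c.id::text),
    refresh_token_secret_id = vault.create_secret(c.refresh_token, 'fa_ramp_refresh_' || c.id::text)
where c.access_token is not null and c.refresh_token is not null;

-- STEP 3: drop the plaintext columns. Dead tuples and earlier backups still
-- hold the old values, so rotate the tokens with the provider afterwards.
alter table fa_ramp_connections
  drop column access_token,
  drop column refresh_token;

-- AFTER: new credentials never touch a plaintext column.
create or replace function fa_store_ramp_connection(
  p_org_id uuid, p_access_token text, p_refresh_token text
) returns uuid
language plpgsql security definer set search_path = public as $$
declare
  v_id uuid := gen_random_uuid();
begin
  insert into fa_ramp_connections (id, org_id, access_token_secret_id, refresh_token_secret_id)
  values (v_id, p_org_id,
          vault.create_secret(p_access_token,  'fa_ramp_access_'  || v_id::text),
          vault.create_secret(p_refresh_token, 'fa_ramp_refresh_' || v_id::text));
  return v_id;
end;
$$;

-- RLS (the tracker's interim control) stays on so secret ids are org-scoped too.
-- Plaintext is reachable only via vault.decrypted_secrets: grant SELECT on that
-- view to the single service role that calls the provider, never to authenticated.
alter table fa_ramp_connections enable row level security;
create policy fa_ramp_connections_org_isolation on fa_ramp_connections
  using (org_id = (auth.jwt() ->> 'org_id')::uuid);
```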

PF module — Platform Foundation Compliance

Status: PF implements HIPAA technical safeguards (auth, RBAC, audit logging, encryption) tracked under the IT section above. Accessibility compliance tracked below.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| WCAG 2.1 AA / Section 504 (web accessibility, HHS rule) | May 11, 2026 (15+ employees) | ⏳ In Progress | PF-93 (platform a11y infra, axe CI); CL-26, EN-64 (multi-language portal) | Accessibility Lead | 2026-02-27 | Interim: Follow WCAG 2.1 AA guidelines in new development; audit existing UI. The HHS rule applies to all organizations receiving federal funding (Medicare/Medicaid). Phased: 15+ employees by May 2026; <15 by May 2027. Actions: Assign leadership escalation; run a rapid WCAG 2.1 AA gap analysis; prioritize keyboard, screen-reader, form-label, and contrast fixes; engage an accessibility consultant. Cadence: Weekly status updates until the May 11, 2026 deadline. |
| HIPAA technical safeguards (§164.312) | Ongoing | 🟡 Partial | PF-01, PF-30, PF-40, PF-91 | | | Auth (PF-01), RBAC (PF-30), audit logging (PF-40), TLS in place. PF-91 (📋 Specification): continuous compliance dashboard, PHI column classification, RLS/audit drift detection, evidence packages; see PF-91. See the IT section for full HIPAA Security Rule tracking. |
| HIPAA audit controls & activity review (§164.312(b), §164.308(a)(1)(ii)(D)) | Ongoing | ⏳ Not Started | PF-91, PF-04, PF-40 | | | Interim: RLS and audit coverage proven at CI; manual evidence assembly for surveys. Target: PF-91 automates control status, access patterns, and downloadable audit evidence (ZIP/PDF/CSV) per org. See the PF-91 spec and integration doc. |
| 42 CFR Part 2 — platform monitoring & evidence | Ongoing | ⏳ Not Started | CL-11 (consent), PF-91 (dashboard/enforcement layer) | | | CL-11 implements consent capture and disclosure logging (✅). PF-91 adds SUD-tagged column classification, drift alerts, and audit packages; it does not replace CL-11 storage. |
| MFA (multi-factor authentication) (§164.312(d), NIST SP 800-66r2) | Before production go-live | ⏳ Deferred (W-3) | PF | | | Tracking (Security Audit F8): MFA not yet enforced on the Supabase project. Enable TOTP in the Supabase Dashboard: Authentication → Providers → enable MFA; require it for platform_admin and org_admin roles where possible. Document in IT_SECURITY_COMPLIANCE_TRACKING.md when enabled. |
| ONC Certification (45 CFR Part 170) | Per ONC timeline | 🟡 Partial | PF, CL-16, PM-01 | | | Tracked in ONC_CERTIFICATION_ROADMAP.md. |
| Data retention (per data type) | Ongoing | ⏳ Not Started | PF | | | Interim: Retention policies documented per module; automated enforcement needed. |

CE module — Community Engagement Communications Compliance

Status: Tracked below. Detailed requirements: CE_COMMUNICATIONS_COMPLIANCE_TRACKING.md.
| Regulation | Deadline | Status | Responsible Spec | Owner | Escalation date | Interim Procedures |
| --- | --- | --- | --- | --- | --- | --- |
| CAN-SPAM Act (commercial email) | Ongoing | ⏳ Not Started | CE-09, CE-16 | | | Interim: Manual compliance with CAN-SPAM in email campaigns. CE-09 implements headers, subject lines, ad identification, physical address, unsubscribe link. CE-16 centralizes the email suppression registry (ce_suppressions) and consent evidence for opt-out list management (CS-05, CS-06). |
| TCPA (SMS messaging) | Per-message | ⏳ Not Started | CE-08, CE-16 | | | Interim: No automated SMS until the consent framework is implemented. CE-08 owns consent collection UI/flow, business hours, sender ID, 10DLC. CE-16 stores consent evidence (ce_consent_evidence), manages the suppression registry, and enforces pre-send validation (TC-01–TC-04). |
| Arizona call recording (ARS 13-3005, HB 2038) | Per-call | ⏳ Not Started | CE-10 | | | Interim: Play a recording notice at call start; obtain consent for interstate calls. |
| FCC Do Not Call (telemarketing) | Per-campaign | ⏳ Not Started | CE-10, CE-16 | | | Interim: Manual DNC list check before outbound marketing calls. CE-16 owns DNC registry import (ce-import-dnc-registry edge function) and the internal DNC list via ce_suppressions (FCC-01, FCC-02). CE-10 consumes the suppression check before outbound calls. |
| Federal Anti-Kickback Statute (AKS) / Stark Law (referral relationships) | Ongoing | ⏳ Not Started | CE-53 | Compliance / Legal | | Interim: Referral influence analytics remain informational only; no compensation-based referral recommendations or inducement workflows until legal review and controls are implemented. |
| HIPAA Privacy/Security + 42 CFR Part 2 (contact document upload and AI extraction) | Ongoing (Phase 2 go-live gate) | 📋 Specification | CE-59 (Contact Document Management & AI Extraction) | CE / Compliance / Security | | CE-59 adds contact-level document storage with potential PHI/SUD content. Phase 2 AI extraction remains blocked until redaction/no-disclosure controls and compliance sign-off are complete. Sign-off artifact path: specs/ce/reviews/CE-59-COMPLIANCE-SIGNOFF.md. Interim: manual review only; no outbound AI extraction for unapproved SUD-sensitive content. |
| HIPAA Privacy/Security for contact history audit trail (45 CFR 164.312(a),(b); 45 CFR 164.502 minimum-necessary) | Before CE-60 production go-live | 📋 Specification | CE-60 (Contact Activity History & Audit Trail) | CE Product / Security / Compliance | | CE-60 adds immutable contact history events and profile-change tracking. Required controls: org-scoped RLS, split permissions (ce.contacts.history.view, ce.contacts.history.sensitive_view), and default masking/redaction for sensitive values. Interim: rely on existing CE access controls; do not expose unredacted historical value details outside explicitly authorized views. |
| HIPAA Privacy/Security for intake insurance identifiers (45 CFR 164.502, 164.514, 164.312) | Before CE-65 production go-live | 📋 Specification | CE-65 (Pipeline Tile Customization & Dashboard Embeds) | CE Product / Security / Compliance | | CE-65 adds insurance_carrier and insurance_member_id capture/display in CE contacts and pipeline contexts. Interim controls until implementation is complete: (1) enforce org-scoped access only, (2) mask member IDs outside authorized detail views, (3) prohibit cleartext IDs in telemetry/logs/events, (4) require permission-gated unmasked access. Platform-wide HIPAA safeguards remain tracked in the IT/PF rows. |
| HIPAA Privacy/Security for lead urgency + requested services metadata (45 CFR 164.502 minimum-necessary; 45 CFR 164.312 audit/access controls) | Before CE-58 production go-live | 📋 Specification | CE-58 (Lead Creation Enhancements — Urgency Visibility & Requested Services) | CE Product / Security / Compliance | | CE-58 introduces lead-level urgency/service-intent metadata surfaced in the pipeline UI. Required controls: org-scoped access, non-color-only urgency rendering, sanitized error/log payloads, audit coverage for urgency/requested_services changes, and the CE-16 consent/suppression boundary for any downstream outreach usage. Compliance sign-off: CE-58-COMPLIANCE-SIGNOFF.md. |

Modules with dedicated sections above

Low-regulation modules (FW, FM, LO)

These modules have minimal or no direct regulatory exposure. Compliance requirements are inherited from other modules.
  • FW (Forms & Workflow): Infrastructure module. No direct regulatory obligations. PHI handling inherited from PF (HIPAA technical safeguards) and CL (42 CFR Part 2). Form content validation and access controls enforced by the platform layer. No dedicated compliance tracking needed.
  • FM (Facilities Management): Building and facility operations. Potential OSHA workplace safety requirements (tracked under HR for employer obligations) and ADA physical accessibility (operational, not system-level). Fire code compliance tracked under RH for recovery housing properties. No direct FM-specific regulations requiring system-level compliance tracking.
  • LO (Logistics & Inventory): Supply chain and inventory management. Controlled substance inventory management (DEA, 21 CFR Part 1304) is owned by CL-06, not LO. General inventory has no specific regulatory requirements. No dedicated compliance tracking needed.

Interim Procedures (42 CFR Part 2)

Until CL-11 is fully implemented:
  1. Consent: Obtain and file written consent for TPO and any SUD-specific disclosure per organization policy. Do not rely on the system to enforce this; use a manual checklist.
  2. Disclosure log: Maintain a log (spreadsheet or document) of all disclosures with date, recipient, purpose, and consent reference.
  3. Redisclosure: Include notice that redisclosure is prohibited on any disclosed information.
  4. Training: Ensure staff are trained on Part 2 requirements and the interim process.

New Regulatory Requirements (May 2026 Analysis)

The following requirements were identified in the May 2026 ONC Certification Strategy & Regulatory Readiness analysis. See docs/compliance/ONC_REGULATORY_READINESS_IMPLEMENTATION_PLAN.md for the full implementation plan.
| Regulation | Requirement | Deadline | Owning Spec | Status | Priority |
| --- | --- | --- | --- | --- | --- |
| DEA EPCS (21 CFR 1311) | Third-party audit for controlled substance e-prescribing | Before MAT prescribing launch | CL-64 | ⏳ Not Started | P1 |
| EKRA (18 U.S.C. § 220) | Anti-kickback compliance for NorthSight relationship | Immediate | PF-107 | ⏳ Not Started | P0 |
| HITRUST e1 | Security assessment by authorized external assessor | 12 months | PF-109 | ⏳ Not Started | P2 |
| Section 1557 ACA | Language access, TTY, nondiscrimination in patient portal | Ongoing | PF-93 (update) | 🟡 Partially Covered | P2 |
| ADA Title III / DOJ Rule | WCAG 2.1 AA for patient-facing web properties | HHS May 2026 | PF-93 | 🟡 In Progress | P2 |
| SAMHSA SUPTRS/TEDS | Treatment episode reporting for block-grant compliance | Per grant cycle | GR-26 | ⏳ Not Started | P3 |
| USCDI+ BH | FHIR BH profiles mapping | Proactive alignment | CL-16-EN-03 | ⏳ Not Started | P2 |
| DS4P §170.315(b)(7)/(b)(8) | Privacy segmentation for SUD data in FHIR/C-CDA | Before production FHIR exchange | CL-63 | ⏳ Not Started | P1 |
| HTI-4 NCPDP SCRIPT 2023011 | E-prescribing standard upgrade | Jan 1, 2028 | CL-06 (update) | ⏳ Not Started | P2 |
| DEA Telemedicine Registration | MAT-via-telehealth prescribing rules | Pending final rule (2026?) | CL-64 | 📋 Monitoring | P2 |
| Contexture Participation | HIE connectivity for AHCCCS DAP/TI 2.0 | 30 days (business) | PF-108 | ⏳ Not Started | P1 |
| OIG Info Blocking CMP | $1M per violation for HIT developers | Live since Sept 2023 | PM-55 | 🟡 In Progress | P1 |
| ONC API Conditions | Terms, fees, transparency governance for FHIR APIs | Before API publication | PM-72 | ⏳ Not Started | P2 |
| DSI Transparency §170.315(b)(11) | Source attribute disclosures for AI features | Before AI ships | CL-65 | ⏳ Not Started | P2 |
| Surescripts Certification | Production e-prescribing staged onboarding | Before eRx launch | PM-73 | ⏳ Not Started | P3 |

References

Enhancement references (internal RFC)