Skip to main content

WENO Online EZ e-Prescribing Integration — HIPAA/HITECH Risk Assessment

Assessment Date: 2026-06-28
Reviewed By: Security & Compliance (Jeremy Bloom, Project Owner)
Scope: CL-06-EN-23 WENO EZ Integration Adapter (Encore OS v0.1.0-beta)
Regulatory Framework: 45 CFR Part 160 (General Rules), Part 164 (Administrative, Physical, Technical Safeguards)
Related Documents:
  • docs/weno/WENO_EZ_Integration_Context.md — vendor implementation context
  • docs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md — integration contract
  • specs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md — owning specification
  • docs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md — operational runbook

Executive Summary

WENO Online, Inc. is a DEA 1311.105-compliant e-prescribing application and a HIPAA Business Associate under 45 CFR §164.502(e) and §164.504(e). Encore OS integrates WENO’s EZ Integration via encrypted, authenticated requests; WENO processes prescribing data and returns operational results. This assessment documents the threat/safeguard mapping, control attestations, and residual risks. Production enablement is gated: the weno_adapter_enabled flag remains false until a HIPAA Business Associate Agreement (BAA) is executed and recorded.

1. Scope & Data Flow

1.1 Integration Surfaces

The WENO EZ adapter exposes five operational surfaces, each with distinct PHI/operational scope:

1.2 PHI Definition

Per 45 CFR §164.501, PHI in this integration includes:
  • Patient name, date of birth, gender, address, phone, email (ComposeRx surface only)
  • Prescription details: drug name, NDC, RXCui, quantity, days supply, refills, diagnosis code (ICD-10), directions
  • DEA prescriber license numbers, pharmacy NCPDPs
  • Status/delivery metadata (timing, method, pharmacy note)
  • Allergy information (narrative, not coded)
42 CFR Part 2 consideration: SUD-related prescriptions (Schedule II–V controlled substances) carry additional confidentiality protection. Encore OS gates ComposeRx launch with cl_check_sud_consent() (CL-11) to verify 42 CFR Part 2 consent before patient data is transmitted to WENO.

1.3 Data Flows

All inter-system transfers use HTTPS/TLS 1.2+ (enforced by Supabase edge function environment and WENO’s endpoint HSTS headers).

2. Business Associate Relationship & BAA Requirement

2.1 WENO as a Business Associate

Determination: WENO qualifies as a Business Associate under 45 CFR §164.501(b):
  • WENO receives, maintains, and processes ePrescription data on behalf of Encore OS (a Covered Entity).
  • WENO performs functions or activities involving access to PHI: prescription signing, dispensing coordination, pharmacy network transmission.
  • WENO is not an agent of Encore OS (WENO is an independent vendor with its own legal entity and data handling practices).
HIPAA Obligations:
  • Encore OS (Covered Entity) must have a signed BAA with WENO before any PHI is transmitted (45 CFR §164.504(e)(1)(ii)).
  • WENO must implement administrative, physical, and technical safeguards (45 CFR §164.308, .310, .312) equivalent to Encore OS’s safeguards.
  • WENO must comply with 42 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records) for any SUD-related prescriptions.
  • WENO must report any breaches involving Encore OS data per 45 CFR §164.410 and the Breach Notification Rule (45 CFR §164.400 et seq.).

2.2 BAA Status & Production Gate

Current Status: No BAA has been executed or recorded as of 2026-06-28. Production Enablement Gate: The WENO adapter is architecturally gated by the boolean flag weno_adapter_enabled in cl_module_settings.custom_fields. This flag:
  • Defaults to false in all environments (dev, staging, production).
  • Is checked by all WENO cron dispatchers (cl_weno_dispatch_*) before initiating background jobs.
  • Returns ADAPTER_DISABLED error code if any client attempts to launch ComposeRx/RxLog.
  • Prevents any outbound WENO request (cryptographic key check, credential resolution, HTTPS transmission) until an organization explicitly enables it and a BAA is countersigned.
Prerequisite for enabling weno_adapter_enabled = true in production:
  1. Signed WENO BAA recorded in cl_module_settings.custom_fields.weno_baa_executed_date (timestamp).
  2. WENO BAA reviewed and approved by Encore OS Compliance Officer.
  3. Organization’s legal/compliance team confirms BAA aligns with state Medicaid and other applicable regulations (CL-15 for Arizona; PF-96 for multi-state profiles).

3. Threat & Safeguard Analysis

Mapped to HIPAA Security Rule framework: 45 CFR §164.308 (Administrative), §164.310 (Physical), §164.312 (Technical).

3.1 Administrative Safeguards (45 CFR §164.308)

3.2 Technical Safeguards (45 CFR §164.312)

3.3 Physical Safeguards (45 CFR §164.310)

Determination: Not Encore OS’s responsibility — WENO and Supabase own physical security.

4. 42 CFR Part 2 Safeguards (SUD Confidentiality)

Scope: Controlled substances (Schedule II–V), including MOUD (opioid agonists/antagonists) and psychiatric medications used for SUD, are subject to 42 CFR Part 2 extra confidentiality protection.

5. Audit Trail Immutability & Retention

Requirement: 45 CFR §164.312(a)(2) and 42 CFR Part 2 §2.31 mandate immutable audit logs for a minimum retention period. 2-Year Retention Enforcement: PF-04 (audit trail system) implements a cron job that purges audit rows older than 2 years. HIPAA requires 6 years for some records (e.g., breach notification); PF-04 is configurable per organization via audit_retention_days in pf_organizations.custom_fields. Compliance action: Ensure audit_retention_days >= 2190 (6 years) for organizations handling SUD data or covered under state Medicaid (CL-15 requirement).

6. Breach Notification & Incident Response

HIPAA Breach Definition (45 CFR §164.400): Unauthorized acquisition, access, use, or disclosure of PHI that reasonably compromises confidentiality or integrity.

6.1 Detection & Escalation

6.2 Breach Risk Determination

Low Risk (no notification required per 45 CFR §164.404): Unauthorized access where person is unlikely to have obtained, accessed, or acquired PHI (e.g., log file accessed but inaccessible without decryption key). High Risk (notification required): Unauthorized access where person could have obtained PHI (e.g., vault key exposed in code repository; credentials sent in plaintext). Actions upon high-risk breach:
  1. Immediate: Disable affected credentials; rotate EZ key; stop all WENO traffic.
  2. Within 24 hours: Notify CSO, Compliance Officer, Legal.
  3. Within 30 days: Notify affected patients (per 45 CFR §164.404(b)(1)).
  4. Within 60 days: Notify relevant media (if ≥500 residents affected per 45 CFR §164.404(c)).
  5. Within 60 days: Notify HHS Office for Civil Rights (OCR) (per 45 CFR §164.406).

7. Residual Risks & Mitigations


8. Attestation

8.1 Risk Assessment Completed

Attestation: A formal HIPAA Security Rule risk assessment of the WENO Online EZ e-prescribing integration has been completed as of 2026-06-28. The assessment:
  • ✅ Identifies WENO as a HIPAA Business Associate.
  • ✅ Documents all PHI data elements and flows (§1).
  • ✅ Maps threats to HIPAA Administrative, Technical, and Physical Safeguards (§3).
  • ✅ Confirms 42 CFR Part 2 (SUD) gating controls are in place (§4).
  • ✅ Verifies audit trail immutability and retention (§5).
  • ✅ Establishes breach detection and incident response procedures (§6).
  • ✅ Identifies residual risks and mitigation timelines (§7).
This document is the baseline for ongoing compliance monitoring and annual re-assessment.

8.2 Production Enablement Gate

Critical Prerequisite: Before weno_adapter_enabled is set to true in any production environment:
  1. Business Associate Agreement: A signed HIPAA BAA with WENO Online, Inc. must be on file with Encore OS Legal/Compliance, reviewed by CSO, and documented in cl_module_settings.custom_fields.weno_baa_executed_date.
  2. Compliance Review: Encore OS Compliance Officer confirms BAA compliance with 45 CFR §164.504(e) and state-specific Medicaid regulations (per PF-96 jurisdiction profile).
  3. Incident Response Plan: WENO_INCIDENT_RESPONSE.md exists and defines breach escalation, notification timelines, and organizational contacts.
Responsibility: Compliance Officer (annually) + CSO (on material integration changes).

8.3 WENO EZ Integration Test Plan §10 Compliance

This risk assessment satisfies Test Plan item §10 (“HIPAA/HITECH attestation — risk assessment done? BA-compliance statement.”) with:
  • Formal risk assessment document (this file).
  • Business Associate status determination (§2.1).
  • Threat/safeguard mapping per HIPAA Security Rule (§3).
  • Residual risk acknowledgment (§7).
  • BAA prerequisite gate (§8.2).
  • Production enablement conditions (§8.2).
Evidence artifacts:
  • This document: docs/compliance/WENO-HIPAA-RISK-ASSESSMENT.md
  • Integration contract: docs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md
  • Implementation context: docs/weno/WENO_EZ_Integration_Context.md
  • RLS/audit controls: src/cores/cl/integrations/weno/ code + test suite
  • BAA placeholder: cl_module_settings.custom_fields.weno_baa_executed_date (to be populated upon BAA execution)

9. References

Regulatory Citations

  • 45 CFR Part 160 — General Administrative and Procedural Requirements.
  • 45 CFR Part 164 — Security and Privacy Rule.
    • §164.308 — Administrative Safeguards.
    • §164.310 — Physical Safeguards.
    • §164.312 — Technical Safeguards.
    • §164.502(e) — Permitted uses and disclosures by a covered entity — Business Associates.
    • §164.504(e) — Business Associate Contracts or Other Arrangements.
    • §164.514(b) — De-identification Standard (Safe Harbor).
  • 45 CFR §164.400 et seq. — Breach Notification Rule.
  • 42 CFR Part 2 — Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR §2.31 disclosure logging; §2.32 redisclosure restriction).
  • 21 CFR Part 1311 — DEA e-Prescribing for Controlled Substances (EPCS) compliance (WENO requirement).

Encore OS Documents

  • constitution.md §4 (Data, Security & Privacy).
  • docs/COMPLIANCE_STANDARDS.md (if exists; placeholder for global compliance framework).
  • docs/weno/WENO_EZ_Integration_Context.md — vendor implementation guide.
  • docs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md — operational procedures.
  • specs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md — owning specification.
  • specs/cl/specs/CL-11-consent-management-42cfr-part2.md — 42 CFR Part 2 consent controls.
  • specs/cl/specs/CL-04-EN-66-note-quality-pre-submission-validation.md — Policy 940 validation (Medicaid context).
  • specs/pf/specs/PF-04-audit-trail-system.md — audit trail lifecycle and retention.
  • specs/pf/specs/PF-96-medicaid-state-compliance-configuration.md — jurisdiction profile system.

Document Version: 1.0
Last Updated: 2026-06-28
Next Review Date: 2027-06-28 (or upon material integration changes)