WENO Online EZ e-Prescribing Integration — HIPAA/HITECH Risk Assessment
Assessment Date: 2026-06-28Reviewed By: Security & Compliance (Jeremy Bloom, Project Owner)
Scope: CL-06-EN-23 WENO EZ Integration Adapter (Encore OS v0.1.0-beta)
Regulatory Framework: 45 CFR Part 160 (General Rules), Part 164 (Administrative, Physical, Technical Safeguards)
Related Documents:
docs/weno/WENO_EZ_Integration_Context.md— vendor implementation contextdocs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md— integration contractspecs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md— owning specificationdocs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md— operational runbook
Executive Summary
WENO Online, Inc. is a DEA 1311.105-compliant e-prescribing application and a HIPAA Business Associate under 45 CFR §164.502(e) and §164.504(e). Encore OS integrates WENO’s EZ Integration via encrypted, authenticated requests; WENO processes prescribing data and returns operational results. This assessment documents the threat/safeguard mapping, control attestations, and residual risks. Production enablement is gated: theweno_adapter_enabled flag remains false until a HIPAA Business Associate Agreement (BAA) is executed and recorded.
1. Scope & Data Flow
1.1 Integration Surfaces
The WENO EZ adapter exposes five operational surfaces, each with distinct PHI/operational scope:1.2 PHI Definition
Per 45 CFR §164.501, PHI in this integration includes:- Patient name, date of birth, gender, address, phone, email (
ComposeRxsurface only) - Prescription details: drug name, NDC, RXCui, quantity, days supply, refills, diagnosis code (ICD-10), directions
- DEA prescriber license numbers, pharmacy NCPDPs
- Status/delivery metadata (timing, method, pharmacy note)
- Allergy information (narrative, not coded)
cl_check_sud_consent() (CL-11) to verify 42 CFR Part 2 consent before patient data is transmitted to WENO.
1.3 Data Flows
2. Business Associate Relationship & BAA Requirement
2.1 WENO as a Business Associate
Determination: WENO qualifies as a Business Associate under 45 CFR §164.501(b):- WENO receives, maintains, and processes ePrescription data on behalf of Encore OS (a Covered Entity).
- WENO performs functions or activities involving access to PHI: prescription signing, dispensing coordination, pharmacy network transmission.
- WENO is not an agent of Encore OS (WENO is an independent vendor with its own legal entity and data handling practices).
- Encore OS (Covered Entity) must have a signed BAA with WENO before any PHI is transmitted (45 CFR §164.504(e)(1)(ii)).
- WENO must implement administrative, physical, and technical safeguards (45 CFR §164.308, .310, .312) equivalent to Encore OS’s safeguards.
- WENO must comply with 42 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records) for any SUD-related prescriptions.
- WENO must report any breaches involving Encore OS data per 45 CFR §164.410 and the Breach Notification Rule (45 CFR §164.400 et seq.).
2.2 BAA Status & Production Gate
Current Status: No BAA has been executed or recorded as of 2026-06-28. Production Enablement Gate: The WENO adapter is architecturally gated by the boolean flagweno_adapter_enabled in cl_module_settings.custom_fields. This flag:
- Defaults to
falsein all environments (dev, staging, production). - Is checked by all WENO cron dispatchers (
cl_weno_dispatch_*) before initiating background jobs. - Returns
ADAPTER_DISABLEDerror code if any client attempts to launch ComposeRx/RxLog. - Prevents any outbound WENO request (cryptographic key check, credential resolution, HTTPS transmission) until an organization explicitly enables it and a BAA is countersigned.
weno_adapter_enabled = true in production:
- Signed WENO BAA recorded in
cl_module_settings.custom_fields.weno_baa_executed_date(timestamp). - WENO BAA reviewed and approved by Encore OS Compliance Officer.
- Organization’s legal/compliance team confirms BAA aligns with state Medicaid and other applicable regulations (CL-15 for Arizona; PF-96 for multi-state profiles).
3. Threat & Safeguard Analysis
Mapped to HIPAA Security Rule framework: 45 CFR §164.308 (Administrative), §164.310 (Physical), §164.312 (Technical).3.1 Administrative Safeguards (45 CFR §164.308)
3.2 Technical Safeguards (45 CFR §164.312)
3.3 Physical Safeguards (45 CFR §164.310)
Determination: Not Encore OS’s responsibility — WENO and Supabase own physical security.4. 42 CFR Part 2 Safeguards (SUD Confidentiality)
Scope: Controlled substances (Schedule II–V), including MOUD (opioid agonists/antagonists) and psychiatric medications used for SUD, are subject to 42 CFR Part 2 extra confidentiality protection.5. Audit Trail Immutability & Retention
Requirement: 45 CFR §164.312(a)(2) and 42 CFR Part 2 §2.31 mandate immutable audit logs for a minimum retention period.
2-Year Retention Enforcement: PF-04 (audit trail system) implements a cron job that purges audit rows older than 2 years. HIPAA requires 6 years for some records (e.g., breach notification); PF-04 is configurable per organization via
audit_retention_days in pf_organizations.custom_fields. Compliance action: Ensure audit_retention_days >= 2190 (6 years) for organizations handling SUD data or covered under state Medicaid (CL-15 requirement).
6. Breach Notification & Incident Response
HIPAA Breach Definition (45 CFR §164.400): Unauthorized acquisition, access, use, or disclosure of PHI that reasonably compromises confidentiality or integrity.6.1 Detection & Escalation
6.2 Breach Risk Determination
Low Risk (no notification required per 45 CFR §164.404): Unauthorized access where person is unlikely to have obtained, accessed, or acquired PHI (e.g., log file accessed but inaccessible without decryption key). High Risk (notification required): Unauthorized access where person could have obtained PHI (e.g., vault key exposed in code repository; credentials sent in plaintext). Actions upon high-risk breach:- Immediate: Disable affected credentials; rotate EZ key; stop all WENO traffic.
- Within 24 hours: Notify CSO, Compliance Officer, Legal.
- Within 30 days: Notify affected patients (per 45 CFR §164.404(b)(1)).
- Within 60 days: Notify relevant media (if ≥500 residents affected per 45 CFR §164.404(c)).
- Within 60 days: Notify HHS Office for Civil Rights (OCR) (per 45 CFR §164.406).
7. Residual Risks & Mitigations
8. Attestation
8.1 Risk Assessment Completed
Attestation: A formal HIPAA Security Rule risk assessment of the WENO Online EZ e-prescribing integration has been completed as of 2026-06-28. The assessment:- ✅ Identifies WENO as a HIPAA Business Associate.
- ✅ Documents all PHI data elements and flows (§1).
- ✅ Maps threats to HIPAA Administrative, Technical, and Physical Safeguards (§3).
- ✅ Confirms 42 CFR Part 2 (SUD) gating controls are in place (§4).
- ✅ Verifies audit trail immutability and retention (§5).
- ✅ Establishes breach detection and incident response procedures (§6).
- ✅ Identifies residual risks and mitigation timelines (§7).
8.2 Production Enablement Gate
Critical Prerequisite: Beforeweno_adapter_enabled is set to true in any production environment:
-
Business Associate Agreement: A signed HIPAA BAA with WENO Online, Inc. must be on file with Encore OS Legal/Compliance, reviewed by CSO, and documented in
cl_module_settings.custom_fields.weno_baa_executed_date. - Compliance Review: Encore OS Compliance Officer confirms BAA compliance with 45 CFR §164.504(e) and state-specific Medicaid regulations (per PF-96 jurisdiction profile).
- Incident Response Plan: WENO_INCIDENT_RESPONSE.md exists and defines breach escalation, notification timelines, and organizational contacts.
8.3 WENO EZ Integration Test Plan §10 Compliance
This risk assessment satisfies Test Plan item §10 (“HIPAA/HITECH attestation — risk assessment done? BA-compliance statement.”) with:- Formal risk assessment document (this file).
- Business Associate status determination (§2.1).
- Threat/safeguard mapping per HIPAA Security Rule (§3).
- Residual risk acknowledgment (§7).
- BAA prerequisite gate (§8.2).
- Production enablement conditions (§8.2).
- This document:
docs/compliance/WENO-HIPAA-RISK-ASSESSMENT.md - Integration contract:
docs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md - Implementation context:
docs/weno/WENO_EZ_Integration_Context.md - RLS/audit controls:
src/cores/cl/integrations/weno/code + test suite - BAA placeholder:
cl_module_settings.custom_fields.weno_baa_executed_date(to be populated upon BAA execution)
9. References
Regulatory Citations
- 45 CFR Part 160 — General Administrative and Procedural Requirements.
- 45 CFR Part 164 — Security and Privacy Rule.
- §164.308 — Administrative Safeguards.
- §164.310 — Physical Safeguards.
- §164.312 — Technical Safeguards.
- §164.502(e) — Permitted uses and disclosures by a covered entity — Business Associates.
- §164.504(e) — Business Associate Contracts or Other Arrangements.
- §164.514(b) — De-identification Standard (Safe Harbor).
- 45 CFR §164.400 et seq. — Breach Notification Rule.
- 42 CFR Part 2 — Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR §2.31 disclosure logging; §2.32 redisclosure restriction).
- 21 CFR Part 1311 — DEA e-Prescribing for Controlled Substances (EPCS) compliance (WENO requirement).
Encore OS Documents
constitution.md§4 (Data, Security & Privacy).docs/COMPLIANCE_STANDARDS.md(if exists; placeholder for global compliance framework).docs/weno/WENO_EZ_Integration_Context.md— vendor implementation guide.docs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md— operational procedures.specs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md— owning specification.specs/cl/specs/CL-11-consent-management-42cfr-part2.md— 42 CFR Part 2 consent controls.specs/cl/specs/CL-04-EN-66-note-quality-pre-submission-validation.md— Policy 940 validation (Medicaid context).specs/pf/specs/PF-04-audit-trail-system.md— audit trail lifecycle and retention.specs/pf/specs/PF-96-medicaid-state-compliance-configuration.md— jurisdiction profile system.
Document Version: 1.0
Last Updated: 2026-06-28
Next Review Date: 2027-06-28 (or upon material integration changes)