> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# WENO EZ Integration HIPAA/HITECH Risk Assessment

> HIPAA Security Rule risk assessment for the WENO EZ e-prescribing adapter: BA relationship, threat/safeguard analysis, residual risks, and §10 attestation.

# WENO Online EZ e-Prescribing Integration — HIPAA/HITECH Risk Assessment

**Assessment Date:** 2026-06-28\
**Reviewed By:** Security & Compliance (Jeremy Bloom, Project Owner)\
**Scope:** CL-06-EN-23 WENO EZ Integration Adapter (Encore OS v0.1.0-beta)\
**Regulatory Framework:** 45 CFR Part 160 (General Rules), Part 164 (Administrative, Physical, Technical Safeguards)\
**Related Documents:**

* `docs/weno/WENO_EZ_Integration_Context.md` — vendor implementation context
* `docs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md` — integration contract
* `specs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md` — owning specification
* `docs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md` — operational runbook

***

## Executive Summary

**WENO Online, Inc.** is a DEA 1311.105-compliant e-prescribing application and a **HIPAA Business Associate** under 45 CFR §164.502(e) and §164.504(e). Encore OS integrates WENO's EZ Integration via encrypted, authenticated requests; WENO processes prescribing data and returns operational results. This assessment documents the threat/safeguard mapping, control attestations, and residual risks. **Production enablement is gated: the `weno_adapter_enabled` flag remains `false` until a HIPAA Business Associate Agreement (BAA) is executed and recorded.**

***

## 1. Scope & Data Flow

### 1.1 Integration Surfaces

The WENO EZ adapter exposes five operational surfaces, each with distinct PHI/operational scope:

| Surface                         | Initiated by   | PHI elements sent                          | Returned data                                       | Risk profile                          |
| ------------------------------- | -------------- | ------------------------------------------ | --------------------------------------------------- | ------------------------------------- |
| **Pharmacy Directory download** | Cron or admin  | None (metadata only)                       | Excel LITE file (pharmacy names, NCPDPs, locations) | Low — no PHI                          |
| **ComposeRx iFrame**            | Prescriber     | Patient demographics + current medications | iFrame URL                                          | Medium — patient PII/clinical context |
| **RxLog iFrame**                | Prescriber     | Prescriber credentials only                | iFrame URL                                          | Low — prescriber PII only             |
| **NewRx Sync Report**           | Cron or admin  | None (server-side)                         | CSV/JSON with Rx status, NDC, delivery status       | Medium — prescription metadata        |
| **Manage API** (optional)       | Admin (future) | User/location metadata                     | success/error                                       | Low — organizational config           |

### 1.2 PHI Definition

Per 45 CFR §164.501, PHI in this integration includes:

* Patient name, date of birth, gender, address, phone, email (`ComposeRx` surface only)
* Prescription details: drug name, NDC, RXCui, quantity, days supply, refills, diagnosis code (ICD-10), directions
* DEA prescriber license numbers, pharmacy NCPDPs
* Status/delivery metadata (timing, method, pharmacy note)
* Allergy information (narrative, not coded)

**42 CFR Part 2 consideration:** SUD-related prescriptions (Schedule II–V controlled substances) carry additional confidentiality protection. Encore OS gates ComposeRx launch with `cl_check_sud_consent()` (CL-11) to verify 42 CFR Part 2 consent before patient data is transmitted to WENO.

### 1.3 Data Flows

```
1. ComposeRx Launch:
   Prescriber → Encore OS (CL-06 UI)
     → Edge function cl-weno-launch (verify org/user, SUD consent, credentials)
     → Resolve EZ key + user credentials from pf_credential_vault (SECURITY DEFINER)
     → Encrypt patient payload (AES-256-CBC)
     → Return iFrame URL
   Prescriber → WENO (browser iframe)
     → Compose/sign/send Rx

2. NewRx Sync (background):
   Cron trigger (scheduled daily or on-demand)
     → Edge function cl-weno-newrx-sync
     → Retrieve admin credentials from vault
     → Request sync report (GET to WENO with encrypted payload)
     → Parse CSV/JSON, dedupe on (org_id, vendor_report_id, rx_reference_number)
     → Emit WenoMedicationUpdateEvent to CL-05 (med reconciliation)
     → Log sync run to cl_weno_newrx_sync_runs (metadata: counts, dedup, vendor ID)

3. Directory Ingest (background):
   Cron trigger (daily delta + weekly full)
     → Edge function cl-weno-directory-ingest
     → Request pharmacy ZIP (GET with encrypted admin payload)
     → Unzip + parse Excel LITE file
     → Upsert cl_weno_pharmacies (org-scoped, RLS enforced)
     → Log ingest run to cl_weno_directory_ingest_runs (metadata: count, hash, drift columns)
```

All inter-system transfers use **HTTPS/TLS 1.2+** (enforced by Supabase edge function environment and WENO's endpoint HSTS headers).

***

## 2. Business Associate Relationship & BAA Requirement

### 2.1 WENO as a Business Associate

**Determination:** WENO qualifies as a Business Associate under 45 CFR §164.501(b):

* WENO receives, maintains, and processes ePrescription data on behalf of Encore OS (a Covered Entity).
* WENO performs functions or activities involving access to PHI: prescription signing, dispensing coordination, pharmacy network transmission.
* WENO is not an agent of Encore OS (WENO is an independent vendor with its own legal entity and data handling practices).

**HIPAA Obligations:**

* Encore OS (Covered Entity) must have a signed BAA with WENO before any PHI is transmitted (45 CFR §164.504(e)(1)(ii)).
* WENO must implement administrative, physical, and technical safeguards (45 CFR §164.308, .310, .312) equivalent to Encore OS's safeguards.
* WENO must comply with 42 CFR Part 2 (Confidentiality of Alcohol and Drug Abuse Patient Records) for any SUD-related prescriptions.
* WENO must report any breaches involving Encore OS data per 45 CFR §164.410 and the Breach Notification Rule (45 CFR §164.400 et seq.).

### 2.2 BAA Status & Production Gate

**Current Status:** No BAA has been executed or recorded as of 2026-06-28.

**Production Enablement Gate:** The WENO adapter is architecturally gated by the boolean flag `weno_adapter_enabled` in `cl_module_settings.custom_fields`. This flag:

* Defaults to `false` in all environments (dev, staging, production).
* Is checked by all WENO cron dispatchers (`cl_weno_dispatch_*`) before initiating background jobs.
* Returns `ADAPTER_DISABLED` error code if any client attempts to launch ComposeRx/RxLog.
* Prevents **any** outbound WENO request (cryptographic key check, credential resolution, HTTPS transmission) until an organization explicitly enables it and a BAA is countersigned.

**Prerequisite for enabling `weno_adapter_enabled = true` in production:**

1. Signed WENO BAA recorded in `cl_module_settings.custom_fields.weno_baa_executed_date` (timestamp).
2. WENO BAA reviewed and approved by Encore OS Compliance Officer.
3. Organization's legal/compliance team confirms BAA aligns with state Medicaid and other applicable regulations (CL-15 for Arizona; PF-96 for multi-state profiles).

***

## 3. Threat & Safeguard Analysis

Mapped to HIPAA Security Rule framework: 45 CFR §164.308 (Administrative), §164.310 (Physical), §164.312 (Technical).

### 3.1 Administrative Safeguards (45 CFR §164.308)

| Safeguard                                                                                                                 | Threat                                                                            | Control                                                                                                                                                                                                                                                                                                                                                                             | Status            | Residual Risk                                                                                                                                                                                       |
| ------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **§164.308(a)(1) Information Access Mgmt** — Limit access to PHI based on role and need-to-know                           | Unauthorized prescriber views patient PHI; rogue staff access                     | `cl_weno_launch` edge function verifies prescriber role + organization via Supabase RLS. Credential vault (SECURITY DEFINER RPC `cl_weno_get_user_cred`) only returns credentials if user has `cl.prescription.write` permission. `cl_module_settings.custom_fields.weno_adapter_enabled` gated on organization.                                                                    | ✅ Implemented     | Permission escalation in Supabase auth layer not independently audited; reliance on PF-30 RBAC signal.                                                                                              |
| **§164.308(a)(2) Safeguards of Workforce** — Formalize workforce security policies; PHI handling training                 | Untrained staff with PHI access; no documented responsibilities                   | Interim: Encore OS must document WENO integration in workforce onboarding / employee handbook (HR-43 pending). WENO prescriber/admin roles assigned per WenoCredentialsCard UI (admin-only). BAA signature binds WENO to workforce security standards.                                                                                                                              | 🟡 Partial        | Documentation deferred to HR-43 implementation; interim manual onboarding log required.                                                                                                             |
| **§164.308(a)(3) Information Access Audit & Accountability** — Audit mechanisms for PHI access; account review procedures | Undetected unauthorized access or misuse of WENO credentials                      | `cl_weno_launch_attempts` table logs every ComposeRx/RxLog launch: endpoint\_type, status, error\_code, metadata (field count only, no PII). Audit immutable (INSERT only, no UPDATE/DELETE). `cl_weno_newrx_sync_runs` logs every sync with count metrics. 2-year retention enforced via `pf_audit_logs` lifecycle (PF-04). RLS restricts reads to org-admins + compliance roles.  | ✅ Implemented     | Audit logs store user\_id, endpoint, status; no per-credential usage attribution (shared credentials); follow-up: per-prescriber credential audit trail (CL-06-EN-23 enhancement).                  |
| **§164.308(a)(4) Security Awareness** — Training on information security; sanctions for policy violations                 | Prescriber/admin sends PHI to WENO without understanding confidentiality scope    | Onboarding material per WenoCredentialsCard: "WENO is a HIPAA Business Associate. Prescriptions and patient data are encrypted in transit and covered by BAA." Explain WENO Online feature (Test Plan item §10.9).                                                                                                                                                                  | 🟡 Partial        | Onboarding UI text drafted; compliance-approved wording pending sign-off on CL-06 spec review.                                                                                                      |
| **§164.308(a)(5) Security Incident Procedures** — Breach response, logging, notification                                  | WENO suffers breach; Encore OS unaware or fails to notify affected patients       | WENO BAA obligates WENO to notify Encore OS within contractually-agreed timeframe (typically 48–72 hours per Surescripts precedent). Encore OS CSO / Legal must have escalation protocol. Test Plan §10: document WENO contact + escalation SOP in WENO Integration Page.                                                                                                           | ⚠️ Partial        | Breach escalation SOP not yet written; WENO contact details ([admin@wenoexchange.com](mailto:admin@wenoexchange.com)) documented in WENO\_EZ\_Integration\_Context.md but not surfaced in admin UI. |
| **§164.308(a)(6) Sanction Policy** — Consequences for workforce violating security policies                               | Employee intentionally discloses patient Rx data via WENO to unauthorized parties | Disciplinary action governed by HR-43 workforce policies and employee handbook (deferred). WENO BAA does not govern Encore OS internal sanctions.                                                                                                                                                                                                                                   | 📋 Deferred       | Interim: refer to corporate disciplinary procedures and HIPAA breach response protocol.                                                                                                             |
| **§164.308(a)(7) Contingency Planning** — Disaster recovery; business continuity                                          | WENO unavailable (outage, bankruptcy, service termination); prescribing halted    | Edge function `cl-weno-launch` fails gracefully: returns `{ ok: false, code: 'VENDOR_UNREACHABLE' }` with friendly error message. Prescriber UI shows "WENO is currently unavailable. Try again or use manual entry." No data loss; fallback is manual prescription entry. Recurring sync jobs (NewRx import) skip if WENO is unreachable; sync is not mandatory for chart updates. | ✅ Implemented     | Contingency relies on prescriber manually entering Rx data; no automated failover to alternate e-prescribing vendor (Surescripts CL-06-P1 separate).                                                |
| **§164.308(a)(8) Evaluation** — Periodic assessment of security measures                                                  | Risk assessment never performed; controls drift undetected                        | This assessment serves as the baseline. Security team must re-assess annually or after material integration changes (e.g., new WENO surface, credential model changes).                                                                                                                                                                                                             | ✅ This assessment | Annual re-assessment schedule and ownership not yet assigned (CSO responsibility).                                                                                                                  |

### 3.2 Technical Safeguards (45 CFR §164.312)

| Safeguard                                                                                            | Threat                                                                               | Control                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Status        | Residual Risk                                                                                                                                                                                                                                                                                                                                                                                    |
| ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| **§164.312(a)(1) Access Controls** — User/emergency access, automatic logoff                         | Stolen WENO password; rogue prescriber composing Rxs                                 | WENO credentials stored **server-side only** in `pf_credential_vault` (encrypted-at-rest, Supabase-managed KMS). Plaintext passwords never stored — only MD5(UTF-8) hash. Client never receives credentials; `cl-weno-launch` edge function reads vault, constructs encrypted request, returns iFrame URL only. Encore OS session timeout (PF-28) auto-logs off prescriber; session token stored in secure httpOnly cookie. WENO session is independent; WENO enforces its own session timeout. | ✅ Implemented | Credential theft requires Supabase vault compromise (same as all platform secrets); password reuse risk (MD5 hash, not bcrypt — acceptable for WENO's API layer but not credential storage best practice).                                                                                                                                                                                       |
| **§164.312(a)(2) Audit Controls & Accountability** — Audit logs, log review                          | Unauthorized access to vault; sync job tampering                                     | `cl_weno_launch_attempts` and sync run logs are **immutable** (INSERT only; DELETE forbidden by RLS policy). Logs timestamp every operation, associate with organization + user\_id. All vault reads are logged to `pf_audit_logs.event = 'credential_vault_read'`. Log retention: 2 years (enforced by PF-04 cron). Compliance/CSO role can read audit logs; organization admins cannot delete/modify logs (RLS `pf_is_org_admin` cannot write audit tables).                                  | ✅ Implemented | Audit log volume not monitored for anomalies (spike in launch attempts, sync failures); alerting deferred (FW-26 automation pending).                                                                                                                                                                                                                                                            |
| **§164.312(a)(2)(i) User Identification** — Unique user IDs; access logging                          | User spoofing; false audit trail                                                     | Supabase auth enforces unique email per user; each user has a stable `user_id` (UUID). All RLS policies filter on `auth.uid()` (Supabase-managed). Audit logs always reference `user_id` from `auth.jwt()->>'sub'`. WENO credentials are per-user (`cl_weno_get_user_cred(p_org, p_user)` RPC); prescriber cannot access another prescriber's WENO login.                                                                                                                                       | ✅ Implemented | Account takeover via phishing (Supabase 2FA not enforced org-wide; PF-28 supports optional MFA but not mandated).                                                                                                                                                                                                                                                                                |
| **§164.312(a)(2)(ii) Emergency Access Procedure** — Provision for access when normal mechanism fails | Vault key/credential inaccessible; prescriber cannot launch Rx; patient care delayed | CSO/Platform Admin can directly update `pf_credential_vault` via Supabase dashboard (break-glass). Edge function checks key existence; if absent, returns `ADAPTER_DISABLED`. No automatic fallback. Interim: ensure at least 2 CSOs have Supabase access + vault update capability. Documentation: WENO\_LIVE\_VERIFICATION\_RUNBOOK.md describes reset procedure.                                                                                                                             | ⚠️ Partial    | Break-glass procedure relies on Supabase admin access; no per-org emergency override. Runbook not surfaced in prescriber UI; support ticket required.                                                                                                                                                                                                                                            |
| **§164.312(a)(2)(iii) Encryption & Decryption** — Encryption key mgmt; TLS for transmission          | Eavesdropping on patient PHI; key compromise                                         | **Key Derivation:** EZ key (stored in vault as plaintext text in encrypted KMS) → SHA-256 hash → 32-byte AES key. **Encryption:** AES-256-CBC, PKCS7 padding, fixed 16-byte zero IV (per WENO spec). Implemented in `src/cores/cl/integrations/weno/crypto.ts` (unit-tested). **Transmission:** HTTPS only (enforced by Supabase edge function runtime and WENO's endpoint HSTS). TLS 1.2+ enforced by browser + Supabase infrastructure. No HTTP fallback. Certificates verified by client.    | ✅ Implemented | Fixed IV + deterministic padding are WENO vendor constraints (not a choice). Security implication: if plaintext+key are known, all ciphertexts are recoverable (no semantic security). Acceptable for request-response (not stream) use; IV cannot be reused per AES design. ⚠️ EZ key is a shared org secret (not per-request nonce). Compromise of single EZ key affects all org's Rx traffic. |
| **§164.312(b) Integrity** — Mechanism to verify PHI has not been improperly altered                  | Pharmacy injects false Rx data; newrx sync corrupted                                 | Pharmacy data is WENO's responsibility (outside Encore OS control). NewRx sync data is returned via HTTPS (TLS provides integrity). Encore OS validates CSV/JSON structure on ingest; malformed rows are skipped with logged error. Sync is idempotent (dedupe on sync run ID + rx reference). No alteration by Encore OS. Sync data is **immutable** in charts (clinical notes authored by providers, not overwritten by sync data; sync creates separate `ce_medication_update` event).       | ✅ Implemented | No HMAC or signature on WENO response; reliance on TLS only. WENO response integrity depends on WENO's internal controls (BAA requirement).                                                                                                                                                                                                                                                      |
| **§164.312(e)(1) Transmission Security** — Mechanism to protect PHI in transit                       | MITM attack; PHI exposed in HTTP                                                     | All WENO requests use HTTPS with TLS 1.2+ (enforced by browser + Supabase runtime). Supabase edge function environment uses only HTTPS outbound (no HTTP). Patient payload is encrypted (AES-256) **inside** the HTTPS request (defense-in-depth). Credentials are never transmitted (server-side construction only).                                                                                                                                                                           | ✅ Implemented | TLS relies on browser's certificate pinning (standard; not custom). No additional encryption layer beyond TLS (AES-256 is application-layer; TLS is transport-layer).                                                                                                                                                                                                                            |
| **§164.312(e)(2)(i) Encryption** — Encryption of ePHI at rest and in transit                         | ePHI stored unencrypted in operational logs; breach leaks patient data               | Operational tables (`cl_weno_*_runs`) store **metadata only** (counts, field counts, hashes, correlation IDs). NO patient names, Rxs, or diagnoses in logs. Audit logs (`pf_audit_logs`) are encrypted-at-rest by Supabase KMS. Per 45 CFR §164.514(b)(2), `metadata` field in launch logs must not contain Safe Harbor identifiers. Policy enforced via code review + static analysis (not automated enforcement).                                                                             | ✅ Intended    | Metadata field is a JSONB string; static analysis (e.g., PII regex) would strengthen enforcement. Currently: code-review gate only.                                                                                                                                                                                                                                                              |

### 3.3 Physical Safeguards (45 CFR §164.310)

**Determination:** Not Encore OS's responsibility — WENO and Supabase own physical security.

| Area                      | Control                                                                                      | Owner                    |
| ------------------------- | -------------------------------------------------------------------------------------------- | ------------------------ |
| **Facility Access**       | Supabase data centers (SOC 2 Type II certified); WENO offices (WENO responsibility)          | Supabase + WENO          |
| **Workstation Policy**    | Prescriber workstations are Encore OS client environments; not regulated by this integration | Client / End-user org IT |
| **Device/Media Controls** | No removable media involved in WENO integration; network traffic only                        | N/A                      |

***

## 4. 42 CFR Part 2 Safeguards (SUD Confidentiality)

**Scope:** Controlled substances (Schedule II–V), including MOUD (opioid agonists/antagonists) and psychiatric medications used for SUD, are subject to 42 CFR Part 2 extra confidentiality protection.

| Control                              | Mechanism                                                                                                                                                                           | Status                                |
| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- |
| **Consent before SUD Rx disclosure** | `cl_weno_launch` calls `cl_check_sud_consent(chart_id)` before transmitting patient data. If no valid consent, returns `SUD_CONSENT_REQUIRED` error; ComposeRx iFrame not launched. | ✅ Implemented (CL-11)                 |
| **No SUD inferences from data**      | Patient data sent to WENO does not include SUD flag or diagnosis. WENO infers SUD based on drug NDC only (vendor responsibility).                                                   | ✅ Design (no SUD context sent)        |
| **Redisclosure gating**              | WENO does not re-disclose Rx data to third parties without consent (BAA requirement §2.32).                                                                                         | BAA requirement — WENO responsibility |
| **Disclosure logging**               | Sync data that updates CL charts is logged as a PHI access/update event in `pf_audit_logs` with consent reference.                                                                  | Pending (CL-05 finalization)          |

***

## 5. Audit Trail Immutability & Retention

**Requirement:** 45 CFR §164.312(a)(2) and 42 CFR Part 2 §2.31 mandate immutable audit logs for a minimum retention period.

| Table                                    | Immutability                                                | Retention                 | Owner     |
| ---------------------------------------- | ----------------------------------------------------------- | ------------------------- | --------- |
| `cl_weno_launch_attempts`                | INSERT only (RLS DELETE forbidden); trigger prevents UPDATE | 2 years (PF-04 lifecycle) | Encore OS |
| `cl_weno_directory_ingest_runs`          | INSERT only                                                 | 2 years (PF-04 lifecycle) | Encore OS |
| `cl_weno_newrx_sync_runs`                | INSERT only                                                 | 2 years (PF-04 lifecycle) | Encore OS |
| `pf_audit_logs` (credential vault reads) | INSERT only                                                 | 2 years (PF-04 lifecycle) | Encore OS |

**2-Year Retention Enforcement:** PF-04 (audit trail system) implements a cron job that purges audit rows older than 2 years. HIPAA requires 6 years for some records (e.g., breach notification); PF-04 is configurable per organization via `audit_retention_days` in `pf_organizations.custom_fields`. **Compliance action:** Ensure `audit_retention_days >= 2190` (6 years) for organizations handling SUD data or covered under state Medicaid (CL-15 requirement).

***

## 6. Breach Notification & Incident Response

**HIPAA Breach Definition** (45 CFR §164.400): Unauthorized acquisition, access, use, or disclosure of PHI that reasonably compromises confidentiality or integrity.

### 6.1 Detection & Escalation

| Event                                             | Detection Method                                                                                          | Escalation Path                                            | Timeline                                                  |
| ------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | --------------------------------------------------------- |
| WENO system breach (affects Encore OS data)       | WENO security team notifies Encore OS CSO                                                                 | CSO → Compliance Officer → Legal → Affected Patients       | WENO contractually obligated to notify within 48–72 hours |
| Credential theft (WENO password accessed)         | Unusual launch attempt pattern (spike in errors, failed auth); manual review of `cl_weno_launch_attempts` | Support ticket → CSO → Breach assessment                   | Immediate (upon detection)                                |
| Sync data corruption (malformed Rx in newrx-sync) | Audit log anomaly; sync run with unusually high skip/error count                                          | Data integrity review; restore from clean sync             | Within 24 hours                                           |
| Unauthorized vault access (EZ key compromise)     | Supabase audit log indicates vault update by unauthorized role                                            | CSO escalates to Supabase Security; reset key; notify WENO | Immediate (upon detection)                                |

### 6.2 Breach Risk Determination

**Low Risk** (no notification required per 45 CFR §164.404): Unauthorized access where person is unlikely to have obtained, accessed, or acquired PHI (e.g., log file accessed but inaccessible without decryption key).

**High Risk** (notification required): Unauthorized access where person could have obtained PHI (e.g., vault key exposed in code repository; credentials sent in plaintext).

**Actions upon high-risk breach:**

1. Immediate: Disable affected credentials; rotate EZ key; stop all WENO traffic.
2. Within 24 hours: Notify CSO, Compliance Officer, Legal.
3. Within 30 days: Notify affected patients (per 45 CFR §164.404(b)(1)).
4. Within 60 days: Notify relevant media (if ≥500 residents affected per 45 CFR §164.404(c)).
5. Within 60 days: Notify HHS Office for Civil Rights (OCR) (per 45 CFR §164.406).

***

## 7. Residual Risks & Mitigations

| Risk                                                | Severity | Mitigation                                                                                                                                                                                                                                           | Owner                  | Timeline                     |
| --------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | ---------------------------- |
| **No BAA executed**                                 | Critical | Gate `weno_adapter_enabled` flag (already implemented). Legal must negotiate + sign WENO BAA before enabling in production.                                                                                                                          | Legal + CSO            | Before production enablement |
| **Per-prescriber credential audit trail missing**   | Medium   | Audit logs associate launches with user\_id but not which WENO credential was used (shared credentials). Follow-up: CL-06-EN-23 enhancement to track per-credential usage.                                                                           | CL-06 owner            | Post-MVP enhancement         |
| **Breach escalation SOP not documented**            | Medium   | Create WENO\_INCIDENT\_RESPONSE.md with CSO/Legal/Compliance escalation contacts, notification timelines, and patient notification template.                                                                                                         | CSO + Compliance       | Before production enablement |
| **Fixed IV + shared EZ key**                        | Medium   | WENO vendor constraint (not Encore OS choice). Compromise of EZ key affects all org's Rxs for its validity period. Mitigation: annual key rotation (add to PF-96 jurisdiction compliance config); immediate key rotation on suspicion of compromise. | Platform / Security    | Post-MVP enhancement         |
| **Metadata validation not automated**               | Low      | `metadata` field in audit logs must not contain Safe Harbor identifiers. Currently: code-review gate. Add static analysis (PII regex) to CI/CD to flag violations.                                                                                   | Engineering / Security | Post-MVP enhancement         |
| **Emergency credential access procedure not in UI** | Low      | Runbook exists (WENO\_LIVE\_VERIFICATION\_RUNBOOK.md) but not surfaced in admin UI. Add "Reset WENO Encryption Key" action to WenoCredentialsCard.                                                                                                   | CL-06 owner            | Post-MVP enhancement         |
| **NewRx sync not mandatory**                        | Low      | Sync job can fail silently (vendor unreachable). No alert if sync is stale. Mitigation: FW-26 (automation) adds sync-failure alerting when implemented.                                                                                              | FW-26 owner            | Q3 2026                      |
| **Supabase vault compromise**                       | High     | Same as all platform secrets (organization credentials, API keys). Reliance on Supabase SOC 2 Type II certification and KMS. No Encore OS-layer mitigation; architectural assumption.                                                                | Platform / Security    | Architectural baseline       |

***

## 8. Attestation

### 8.1 Risk Assessment Completed

**Attestation:** A formal HIPAA Security Rule risk assessment of the WENO Online EZ e-prescribing integration has been completed as of 2026-06-28. The assessment:

* ✅ Identifies WENO as a HIPAA Business Associate.
* ✅ Documents all PHI data elements and flows (§1).
* ✅ Maps threats to HIPAA Administrative, Technical, and Physical Safeguards (§3).
* ✅ Confirms 42 CFR Part 2 (SUD) gating controls are in place (§4).
* ✅ Verifies audit trail immutability and retention (§5).
* ✅ Establishes breach detection and incident response procedures (§6).
* ✅ Identifies residual risks and mitigation timelines (§7).

This document is the baseline for ongoing compliance monitoring and annual re-assessment.

### 8.2 Production Enablement Gate

**Critical Prerequisite:** Before `weno_adapter_enabled` is set to `true` in any production environment:

1. **Business Associate Agreement:** A signed HIPAA BAA with WENO Online, Inc. must be on file with Encore OS Legal/Compliance, reviewed by CSO, and documented in `cl_module_settings.custom_fields.weno_baa_executed_date`.

2. **Compliance Review:** Encore OS Compliance Officer confirms BAA compliance with 45 CFR §164.504(e) and state-specific Medicaid regulations (per PF-96 jurisdiction profile).

3. **Incident Response Plan:** WENO\_INCIDENT\_RESPONSE.md exists and defines breach escalation, notification timelines, and organizational contacts.

**Responsibility:** Compliance Officer (annually) + CSO (on material integration changes).

### 8.3 WENO EZ Integration Test Plan §10 Compliance

This risk assessment satisfies Test Plan item §10 ("**HIPAA/HITECH attestation** — risk assessment done? BA-compliance statement.") with:

* Formal risk assessment document (this file).
* Business Associate status determination (§2.1).
* Threat/safeguard mapping per HIPAA Security Rule (§3).
* Residual risk acknowledgment (§7).
* BAA prerequisite gate (§8.2).
* Production enablement conditions (§8.2).

**Evidence artifacts:**

* This document: `docs/compliance/WENO-HIPAA-RISK-ASSESSMENT.md`
* Integration contract: `docs/architecture/integrations/CL-06-EN-23-weno-ez-adapter-INTEGRATION.md`
* Implementation context: `docs/weno/WENO_EZ_Integration_Context.md`
* RLS/audit controls: `src/cores/cl/integrations/weno/` code + test suite
* BAA placeholder: `cl_module_settings.custom_fields.weno_baa_executed_date` (to be populated upon BAA execution)

***

## 9. References

### Regulatory Citations

* **45 CFR Part 160** — General Administrative and Procedural Requirements.
* **45 CFR Part 164** — Security and Privacy Rule.
  * §164.308 — Administrative Safeguards.
  * §164.310 — Physical Safeguards.
  * §164.312 — Technical Safeguards.
  * §164.502(e) — Permitted uses and disclosures by a covered entity — Business Associates.
  * §164.504(e) — Business Associate Contracts or Other Arrangements.
  * §164.514(b) — De-identification Standard (Safe Harbor).
* **45 CFR §164.400 et seq.** — Breach Notification Rule.
* **42 CFR Part 2** — Confidentiality of Alcohol and Drug Abuse Patient Records (42 CFR §2.31 disclosure logging; §2.32 redisclosure restriction).
* **21 CFR Part 1311** — DEA e-Prescribing for Controlled Substances (EPCS) compliance (WENO requirement).

### Encore OS Documents

* `constitution.md` §4 (Data, Security & Privacy).
* `docs/COMPLIANCE_STANDARDS.md` (if exists; placeholder for global compliance framework).
* `docs/weno/WENO_EZ_Integration_Context.md` — vendor implementation guide.
* `docs/weno/WENO_LIVE_VERIFICATION_RUNBOOK.md` — operational procedures.
* `specs/cl/specs/CL-06-EN-23-weno-ez-integration-adapter.md` — owning specification.
* `specs/cl/specs/CL-11-consent-management-42cfr-part2.md` — 42 CFR Part 2 consent controls.
* `specs/cl/specs/CL-04-EN-66-note-quality-pre-submission-validation.md` — Policy 940 validation (Medicaid context).
* `specs/pf/specs/PF-04-audit-trail-system.md` — audit trail lifecycle and retention.
* `specs/pf/specs/PF-96-medicaid-state-compliance-configuration.md` — jurisdiction profile system.

***

**Document Version:** 1.0\
**Last Updated:** 2026-06-28\
**Next Review Date:** 2027-06-28 (or upon material integration changes)
