Feature: PM-25 Value-Based Payment & APM TrackingDocumentation Index
Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
Use this file to discover all available pages before exploring further.
Date: 2026-03-01
Status: ✅ Complete
RLS Coverage
| Table | RLS Enabled | FORCE RLS | SELECT | INSERT | UPDATE (WITH CHECK) | DELETE |
|---|---|---|---|---|---|---|
pm_vbp_programs | ✅ | ✅ | ✅ pm_has_org_access | ✅ pm_has_org_access | ✅ pm_has_org_access | ❌ (soft delete) |
pm_vbp_measures | ✅ | ✅ | ✅ pm_has_org_access | ✅ pm_has_org_access | ✅ pm_has_org_access | ✅ pm_has_org_access |
pm_vbp_incentive_payments | ✅ | ✅ | ✅ pm_has_org_access | ✅ pm_has_org_access | ✅ pm_has_org_access | ✅ pm_has_org_access |
WITH CHECK to prevent organization_id modification.
Permission Coverage
| Key | Category | Seeded | UI Gates |
|---|---|---|---|
pm.vbp.view | view | ✅ | Program list, detail, measures tab, incentives tab |
pm.vbp.manage | edit | ✅ | Add/Edit/Archive program, Add/Edit/Delete measure, Add/Edit/Delete payment |
Audit Columns
All three tables include:created_at, updated_at, created_by, updated_by. Programs also include deleted_at for soft delete audit trail. All tables have pm_set_updated_at triggers.
Multi-Tenant Isolation
- All mutations include
.eq('organization_id', orgId)defense-in-depth filtering. - RLS uses
pm_has_org_access(organization_id, auth.uid())SECURITY DEFINER helper. - No direct queries to
pf_user_role_assignmentsin RLS policies.
PHI Considerations
- VBP program and measure data does not contain direct PHI.
- Future gap identification (patient attribution) will require PHI access controls per CL-10/CL-15 integration specs.
- No PHI is used in test data; all test values are synthetic.