> ## Documentation Index
> Fetch the complete documentation index at: https://docs.encoreos.io/llms.txt
> Use this file to discover all available pages before exploring further.

# HIPAA & CMS VBP Compliance Evidence

> All UPDATE policies include WITH CHECK to prevent organization_id modification.

**Date:** 2026-03-01\
**Status:** ✅ Complete

***

## RLS Coverage

| Table                       | RLS Enabled | FORCE RLS |         SELECT         |         INSERT         |   UPDATE (WITH CHECK)  |         DELETE         |
| --------------------------- | :---------: | :-------: | :--------------------: | :--------------------: | :--------------------: | :--------------------: |
| `pm_vbp_programs`           |      ✅      |     ✅     | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access |     ❌ (soft delete)    |
| `pm_vbp_measures`           |      ✅      |     ✅     | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access |
| `pm_vbp_incentive_payments` |      ✅      |     ✅     | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access | ✅ pm\_has\_org\_access |

All UPDATE policies include `WITH CHECK` to prevent `organization_id` modification.

## Permission Coverage

| Key             | Category | Seeded | UI Gates                                                                   |
| --------------- | -------- | :----: | -------------------------------------------------------------------------- |
| `pm.vbp.view`   | view     |    ✅   | Program list, detail, measures tab, incentives tab                         |
| `pm.vbp.manage` | edit     |    ✅   | Add/Edit/Archive program, Add/Edit/Delete measure, Add/Edit/Delete payment |

## Audit Columns

All three tables include: `created_at`, `updated_at`, `created_by`, `updated_by`. Programs also include `deleted_at` for soft delete audit trail. All tables have `pm_set_updated_at` triggers.

## Multi-Tenant Isolation

* All mutations include `.eq('organization_id', orgId)` defense-in-depth filtering.
* RLS uses `pm_has_org_access(organization_id, auth.uid())` SECURITY DEFINER helper.
* No direct queries to `pf_user_role_assignments` in RLS policies.

## PHI Considerations

* VBP program and measure data does not contain direct PHI.
* Future gap identification (patient attribution) will require PHI access controls per CL-10/CL-15 integration specs.
* No PHI is used in test data; all test values are synthetic.
