1. X12 5010 Transaction Support
2. Credential Security (45 CFR 164.312(a)(2)(iv))
- Credentials stored as Edge Function Secrets (Deno.env.get)
- No credentials in database, logs, or application state
- Vault references in
pm_clearinghouse_configare logical pointers only - OAuth2 tokens are short-lived and not persisted
3. Transport Security (45 CFR 164.312(e)(2)(ii))
- All Waystar API communication uses HTTPS (TLS 1.2+)
- REST transport enforced; no unencrypted channels
- SFTP deferred (would also require TLS/SSH encryption)
4. Audit Trail (45 CFR 164.312(b))
- All transactions logged to
pm_transaction_log(append-only) - Metadata captured: timestamp, transaction type, direction, status, trace number, batch_id
- Batch lifecycle tracked in
pm_transaction_batches - No PHI in log entries (trace numbers and status only)
5. Tenant Isolation (Constitution §5.1)
- All clearinghouse tables scoped by
organization_id - RLS with FORCE prevents cross-tenant access
- Edge functions validate
organization_idon all operations
6. Test Evidence
- Unit tests:
tests/unit/pm/x12/(envelope, 837P, 835, 270/271, 999, 277CA) - Component tests:
tests/unit/pm/components/ClearinghouseHealthBadge.test.tsx
Sign-Off Status
Seespecs/pm/PM-15-P2-COMPLIANCE-SIGNOFF.md for compliance sign-off checklist.